Hello all
Quite new to Fortinet. I am faced with a manual effort in setting in/out interfaces across >700 lines converted from a Check Point FW. Do I need to do this? I thought it was the Forti version of anti-spoofing, however I read that this is enabled regardless.
I have not been able to find anything related to my question, and the Fortinet docs don't explain it or give adequate examples besides using the 'any' interface.
So what is the point in setting them in firewall policy?
Thanks
To give an example, if you use "any" in the interface setting that really means just that: "any". If you do not want that or require this, then set the srcintf/dstintf.
What is driving this requirement? Security audits? And yes, the converter tool does an okay job, but in Check Point your interface is bound to a zone, the same in Palo and Juniper also. So the policies are src/dst zone based.
A Fortinet is not a zone-based firewall (by default) but you could enable zone-based if so desired, but once you go to zones you can't peel a single interface out if you ever want to or think you need to do that.
You can also intermix src/dst zones and src/dst interfaces in a policy, so you do NOT have to put all interfaces into a zone. Also, if you're planning to go to zones, any interface tied to a policy has to be deleted. So keep that in mind. Zones in some cases do have an advantage based on your topology and the number of policies, or in some cases some people are tired of seeing numerous interfaces on a single line.
e.g.
config firewall policy
    edit 834
        set uuid 6109d3c2-b4e4-51eb-548f-7b34dbca756a
        set srcintf "vlan19" "vlan10" "vlan11" "vlan189"
        set dstintf "vpntun_802"
        set srcaddr "B2B_GROUP_20130111-L2K3"
        set dstaddr "B2B_GROUP_20130112-LNM2"
        set action accept
        set schedule "always"
        set service "B2B_GENERIC_POLICY1-SRV"
    next
end
YMMV, but you have to weigh out what you really want and what you and your team need. Typically if you come from Check Point/Forcepoint/Palo/Juniper you stay with zones, from my experience. If you're doing this more for cosmetic reasons or ease of auditing.
I personally hate seeing src/dst interfaces with any, and any src/dst address. You can accidentally open things up if you do not pay attention.
Ken Felix
PCNSE
NSE
StrongSwan
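To make two points from the answer above concrete (a policy's srcintf/dstintf can mix zone names with plain interface names, and accept policies with "any" interfaces plus the "all" address object are the ones worth flagging in an audit), here is an added Python example. It is not part of the post and not Fortinet's code. It parses a constructed config in the CLI format shown above: policy 834 mirrors the post's example, while the zone Z_INSIDE and policies 835 and 836 are made up for the check. It expands zone names to their member interfaces and reports accept policies that use "any" interfaces or the "all" address object (FortiOS's any-address object).

```python
import re

# Constructed sample in FortiOS CLI layout. Policy 834 mirrors the post's example;
# the zone Z_INSIDE and policies 835/836 are hypothetical, made up for the audit.
SAMPLE_CONFIG = """
config system zone
    edit "Z_INSIDE"
        set interface "vlan10" "vlan11"
    next
end
config firewall policy
    edit 834
        set srcintf "vlan19" "vlan10" "vlan11" "vlan189"
        set dstintf "vpntun_802"
        set srcaddr "B2B_GROUP_20130111-L2K3"
        set dstaddr "B2B_GROUP_20130112-LNM2"
        set action accept
        set schedule "always"
        set service "B2B_GENERIC_POLICY1-SRV"
    next
    edit 835
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 836
        set srcintf "Z_INSIDE" "vlan19"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "B2B_GROUP_20130112-LNM2"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
"""


def parse_config(config_text):
    """Parse flat 'config <section> / edit <id> / set k v... / next / end' text.

    Returns {section: {edit_id: {key: [values]}}}. Edit ids are kept as strings
    with surrounding quotes stripped. Nested config blocks inside an edit are
    not handled; this is enough for the policy and zone tables used here.
    """
    sections = {}
    section = None
    entry = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            section = line[len("config "):]
            sections.setdefault(section, {})
        elif line.startswith("edit ") and section is not None:
            entry = line[len("edit "):].strip().strip('"')
            sections[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            _, key, rest = line.split(None, 2)
            # Quoted values may contain spaces; fall back to whitespace split for bare tokens.
            values = re.findall(r'"([^"]*)"', rest) or rest.split()
            sections[section][entry][key] = values
        elif line == "next":
            entry = None
        elif line == "end":
            section = None
    return sections


def expand_interfaces(names, zones):
    """Resolve a srcintf/dstintf list: zone names become their member interfaces,
    plain interface names pass through. This is the mix the answer describes."""
    resolved = []
    for name in names:
        resolved.extend(zones.get(name, {}).get("interface", [name]))
    return resolved


def audit_policy(policy):
    """Findings for one policy; only accept policies are of interest."""
    if policy.get("action", ["deny"])[0] != "accept":
        return []
    checks = [("srcintf", "any"), ("dstintf", "any"), ("srcaddr", "all"), ("dstaddr", "all")]
    return [f"{field} is {wildcard}" for field, wildcard in checks
            if wildcard in policy.get(field, [])]


def audit_policies(config_text):
    """Map policy id -> findings, omitting policies with nothing to report."""
    policies = parse_config(config_text).get("firewall policy", {})
    report = {}
    for pid, policy in policies.items():
        findings = audit_policy(policy)
        if findings:
            report[pid] = findings
    return report


def wide_open(config_text):
    """Ids of accept policies that are any/any on interfaces AND all/all on addresses."""
    return [pid for pid, findings in audit_policies(config_text).items() if len(findings) == 4]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for pid, findings in audit_policies(SAMPLE_CONFIG).items():
        src = expand_interfaces(cfg["firewall policy"][pid].get("srcintf", []), cfg["system zone"])
        print(pid, "srcintf resolves to", src, "->", "; ".join(findings))
    print("wide open:", wide_open(SAMPLE_CONFIG))
```

Run against a real `show firewall policy` / `show system zone` dump, the two-part check separates policies that merely use "any" on one side (often fine for a VPN tunnel) from any/any plus all/all policies, which is the combination the answer warns about.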