How to use "any" as the outgoing interface in a firewall policy
I am migrating a Cisco ASA to a FortiGate 900D (ver 6.2.3). My original ASA has one physical outside interface and 5 sub-interfaces as inside interfaces. While the ASA only defined the inbound interface in firewall rules, the FortiGate needs both the inbound and outbound interface defined in firewall rules. My question is: can I use "any" as the outbound interface, so that I can copy the Cisco firewall rules one by one without extra rules being needed? Because some address groups include IP addresses that belong to different sub-interfaces.
Not sure what you mean, but you can write a policy with "any" as the interface for src or dst.
config firewall policy
    edit 9909
        set srcintf "any"
        set dstintf "wan1"
        set srcaddr "LOCL_LAN_GROUP"
        set dstaddr "all"
        set action accept
        set schedule all
        set service HTTP HTTPS ICMP SSH
    next
end

I would avoid using "any" unless you had to. So in the above, LOCL_LAN_GROUP members are allowed to wan1 for the services defined. Later, if you had more sub-interfaces, you would add the network into that address group.

Ken Felix
From a security point of view, you really do not want people (e.g. company or office visitors) plugging third-party routers into your network, and as a deterrent to that, defining firewall rules with well-defined source/dest interfaces as well as well-defined addresses (e.g. All_internal or All_external) can go a long way in mitigating this type of activity. If you can help it, try to stay away from defining private subnets that are popular on retail routers as well (e.g. 192.168.0.x, 192.168.1.x).
Personally, it's not fun trying to remote troubleshoot an educational institute network when teachers decide to plug in cheap wifi routers to act as "switches" or APs.
I think OP was asking about multiple interfaces in one policy, not multiple subnets/addresses. The immediate downside is that it would lose the "interface pair view" in the GUI on the Policy page.
While all the concerns above are valid, IMO it's up to how complex the served org is and what the purpose of the 5 internal interfaces is. Depending on that, I might use a "zone" to aggregate those internal interfaces. For example, I have more than 5 internal interfaces at home, and I use a zone for some of them because there is no difference in policy.
We had the same situation in our company, where we also migrated from ASA to FortiGate. You can use the "any" interface in both the inbound and the outbound. This all depends on which traffic you're eventually allowing through in the source and destination, and whether the routes are available. Although the "any" interface is not recommended from a security point of view.
What we did is configure SD-WAN for the outside interface, even though you only have 1 outside interface. In the future you can always add more interfaces to the SD-WAN.
By doing this, it will automatically create a default route 0.0.0.0/0 with gateway 0.0.0.0 on the SD-WAN interface. In case it doesn't create the route, you can always create it manually.
Afterwards you can create multiple policies using the SD-WAN as the outbound interface and all other configured interfaces as inbound.
And if your fortigate is acting as a core router to communicate between internal interfaces, then you can create different policies for each internal communication.
You can also enable the "multiple interface policies" feature in the GUI:
I have to disagree: the firewall by default has no concept of a zone. It can be used as a ZBFW, but out of the box no zones or the requirements of zones are enforced. Zone-based firewalls are typically PaloNW, CHKP, Forcepoint (that's even loose with these last two), SRX, etc.
Back to OP: using "any" really means "any", and later, if you add specific policies and still have "any", everything will match "any". I try to always reduce the amount of "any" by being specific in rulesets.
Proceed with caution and monitor the logs & hit-counts.
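As an added example (not from this thread and not Fortinet's own tooling), a small Python audit that parses a FortiOS-style `config firewall policy` dump and lists policies whose srcintf or dstintf is "any", additionally noting when "any" is paired with the "all" address object on the same side. The config text is constructed for the example; policy 9909 follows the shape quoted earlier, and policy 10 shows the explicit-interface form the thread recommends.

```python
import re

# Constructed sample config (not from a real device); mirrors the policy shape discussed above.
SAMPLE_CONFIG = """\
config firewall policy
    edit 9909
        set srcintf "any"
        set dstintf "wan1"
        set srcaddr "LOCL_LAN_GROUP"
        set dstaddr "all"
        set action accept
        set service "HTTP" "HTTPS" "ICMP" "SSH"
    next
    edit 10
        set srcintf "internal1" "internal2"
        set dstintf "wan1"
        set srcaddr "all"
    next
end
"""

def parse_policies(text):
    """Turn each `edit N ... next` block into {setting: [values]}; the policy ID is under "id"."""
    policies = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = {"id": [line.split()[1]]}
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
        elif current is not None and line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            # Values are normally quoted; fall back to whitespace splitting for bare tokens.
            current[key] = re.findall(r'"([^"]*)"', rest) or rest.split()
    return policies

def audit_any_interface(text):
    """Return (policy_id, reasons) for every policy using "any" as srcintf or dstintf."""
    findings = []
    for p in parse_policies(text):
        reasons = []
        for intf_key, addr_key in (("srcintf", "srcaddr"), ("dstintf", "dstaddr")):
            if "any" in p.get(intf_key, []):
                reasons.append(f'{intf_key} is "any"')
                if "all" in p.get(addr_key, []):  # "any" interface plus "all" address: wide open
                    reasons.append(f'{intf_key} "any" combined with {addr_key} "all"')
        if reasons:
            findings.append((p["id"][0], reasons))
    return findings
```

Run it over the output of `show firewall policy` to get a list of policy IDs worth tightening or watching in the logs.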