Fortinet Forum
michaelshi2006
New Contributor

How to use "any" as outgoing interface in firewall policy

Hi Guys:

I am migrating a Cisco ASA to a FortiGate 900D (ver 6.2.3). My original ASA has one physical outside interface and 5 sub-interfaces as inside interfaces. While the ASA only defines the inbound interface in firewall rules, the FortiGate needs both the inbound and the outbound interface in firewall rules. My question is: can I use "any" as the outbound interface, so that I can copy the Cisco firewall rules one by one without needing extra rules? Some address groups include IP addresses that belong to different sub-interfaces.

Thanks a lot

emnoc
Esteemed Contributor III

Not sure what you mean, but you can write a policy with "any" as the interface for src or dst.

e.g.

config firewall policy
    edit 9909
        # "any" as srcintf: traffic arriving on every interface can match this policy
        set srcintf "any"
        set dstintf "wan1"
        set srcaddr "LOCL_LAN_GROUP"
        set dstaddr "all"
        set action accept
        # "always" is the built-in schedule; there is no default schedule named "all"
        set schedule "always"
        set service "HTTP" "HTTPS" "ICMP" "SSH"
    next
end

 

I would avoid using "any" unless you had to. So in the above, LOCL_LAN_GROUP members are allowed to wan1 for the services defined. Later, if you had more sub-interfaces, you would add the network into that address group.

 

Ken Felix
PCNSE
NSE
StrongSwan

michaelshi2006

Thanks emnoc for your help. Can you explain why you avoid using "any" as the inbound or outbound interface? What is the problem if I use it like that?

 I do not have NAT in any rules.

romanr

Hey,

 

I would really agree on not using "any" in firewall policies. FortiGates are zone-based firewalls. You group your interfaces in zones and write policies like:

srcintf INTERNAL

dstintf EXTERNAL or DMZ and so on...

 

Just copying rules from an ASA/PIX will give you an unmaintainable ruleset over time. Migration is the best time for a redesign.

 

Br,

Roman

 

Dave_Hall
Honored Contributor

From a security point of view, you really do not want people (e.g. company or office visitors) plugging 3rd-party routers into your network, and as a deterrent to that, defining firewall rules with well-defined source/dest interfaces, as well as defined addresses (e.g. All_internal or All_external), can go a long way in mitigating this type of activity. If you can help it, try to stay away from private subnets that are popular on retail routers as well (e.g. 192.168.0.x, 192.168.1.x).

 

Personally, it's not fun trying to remotely troubleshoot an educational institute's network when teachers decide to plug in cheap wifi routers to act as "switches" or APs.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Toshi_Esumi
Esteemed Contributor II

I think the OP was asking about multiple interfaces in one policy, not multiple subnets/addresses. The immediate downside is that you would lose the "interface pair view" in the GUI on the Policy page.

While all the concerns above are valid, IMO it's up to how complex the served org is and what the purpose of the 5 internal interfaces is. Depending on that, I might use a "zone" to aggregate those internal interfaces. For example, I have more than 5 internal interfaces at home, and I use a zone for some of them because there is no difference in policy.
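The zone approach that Roman and Toshi describe, as an added configuration example (FortiOS 6.2 CLI) that is not taken from any post in this thread. The sub-interface names vlan10 to vlan50, the zone name INTERNAL, the wan1 interface, the policy ID and the service list are assumptions; only the address group name LOCL_LAN_GROUP comes from the thread.

```text
# Added example, not from the thread. Group the five inside sub-interfaces
# into one zone, then write one zone-to-interface policy instead of five.
# Caveat: FortiOS refuses to add an interface to a zone while any firewall
# policy or route still references that interface, so create the zone
# before writing (or after deleting) per-interface policies.
config system zone
    edit "INTERNAL"
        # deny means sub-interface to sub-interface traffic still needs an
        # explicit policy; set allow only if the inside networks fully trust
        # each other
        set intrazone deny
        set interface "vlan10" "vlan20" "vlan30" "vlan40" "vlan50"
    next
end

config firewall policy
    edit 10
        set name "INTERNAL_to_wan1"
        # the zone is the source interface; no "any" needed
        set srcintf "INTERNAL"
        set dstintf "wan1"
        set srcaddr "LOCL_LAN_GROUP"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "SSH" "PING"
        # keep full session logs while the migrated ruleset is being validated
        set logtraffic all
    next
end
```

Adding a sixth sub-interface later means one `set interface` change on the zone; the policies referencing INTERNAL need no edit.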

 

harmesh88
New Contributor

I would suggest first doing an analysis of all the ASA rules, then migrating them to the FortiGate firewall configuration, and adding additional security on top of it.

 

If you need help, you can reply on this same post.

Heyro
New Contributor

Hi michael,

 

We had the same situation in our company, where we also migrated from ASA to FortiGate. You can use the "any" interface for both inbound and outbound. It all depends on which traffic you're eventually allowing through in the source and destination, and whether the routes are available. However, the "any" interface is not recommended from a security point of view.

 

What we did is configure SD-WAN for the outside interface, even though you only have 1 outside interface. In the future you can always add more interfaces to the SD-WAN.

By doing this it will automatically create a default route 0.0.0.0/0 with gateway 0.0.0.0 on the SD-WAN interface. In case it doesn't create the route, you can always create it manually.

 

Afterwards you can create multiple policies using the SD-WAN as the outbound interface and all the other configured interfaces as inbound.

 

And if your FortiGate is acting as a core router to communicate between internal interfaces, then you can create different policies for each internal communication.

 

You can also enable the feature "Multiple interface policies" in the GUI:

System -> Feature Visibility -> Multiple Interface Policies.

 

With this you can combine both internal policies together.

 

I hope this helps.
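Heyro's setup (single-member SD-WAN, default route through it, multiple-interface policies) as an added FortiOS 6.2 CLI example; this is not configuration from Heyro's post or from the original poster. The member interface wan1, the next-hop 203.0.113.1, the sub-interface names and the policy ID are assumptions.

```text
# Added example, not from the thread. FortiOS 6.2: SD-WAN with one member.
# Caveat: wan1 must not be referenced by any policy or static route when it
# is added as a member, so do this before the migrated policies are written.
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1
        next
    end
end

# Default route via the logical SD-WAN interface. In 6.2 it is named
# "virtual-wan-link"; the GUI normally creates this route for you, this is
# the manual equivalent Heyro mentions.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "virtual-wan-link"
    next
end

# CLI equivalent of System -> Feature Visibility -> Multiple Interface
# Policies: lets the GUI show and edit policies with several interfaces in
# srcintf/dstintf (the CLI accepts them either way).
config system settings
    set gui-multiple-interface-policy enable
end

config firewall policy
    edit 20
        set name "Inside_to_SDWAN"
        # list the inside sub-interfaces explicitly instead of "any"
        set srcintf "vlan10" "vlan20" "vlan30" "vlan40" "vlan50"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "PING"
        set logtraffic all
    next
end
```

Listing the five interfaces keeps traffic from any other interface (a DMZ or a guest VLAN added later) from matching this policy, which is what "any" would have allowed.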

 

 

michaelshi2006

Thank you all for the comments. I am going to look deeper into the original config and specify the in/outbound interfaces while migrating them.

Again, you guys are amazing.

emnoc
Esteemed Contributor III

"FortiGates are zone-based firewalls"

 

I have to disagree. The firewall by default has no concept of a zone. It can be used as a ZBFW, but out of the box no zones or zone requirements are enforced. Zone-based firewalls are typically Palo Alto NW, CHKP, Forcepoint (that's even loose with these last two), SRX, etc.

 

Back to the OP: using "any" really means "any", and if you layer specific policies on top of it, everything will still match "any". I try to always reduce the amount of "any" by being specific in rulesets.

 

Proceed with caution and monitor the logs & hit-counts.

 

Ken Felix
PCNSE
NSE
StrongSwan
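Ken's point that "any" swallows traffic meant for more specific policies, shown as an added FortiOS CLI example that is not from any post in this thread. FortiOS evaluates policies top-down and the first match wins, and a newly created policy is appended at the bottom. Policy 9909 is the "any" to wan1 policy from emnoc's first reply; policy ID 10, the interface vlan40 and the service choices are assumptions.

```text
# Added example, not from the thread. A tighter rule for one sub-interface
# (web only, no SSH) created after the broad "any" policy 9909 already exists.
config firewall policy
    edit 10
        set name "vlan40_web_only"
        set srcintf "vlan40"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
    next
    # Log every session the broad rule accepts, so the traffic log shows
    # which sources still depend on it before it is tightened or removed.
    edit 9909
        set logtraffic all
    next
    # Until this move, policy 10 sits below 9909: SSH from vlan40 matches
    # 9909 (srcintf "any" includes vlan40) and policy 10 never gets a hit.
    move 10 before 9909
end
```

After the move, `show firewall policy | grep edit` lists 10 above 9909, and a zero hit-count on policy 9909 over time is the signal that it can be narrowed to the interfaces that actually need it.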