Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Markus_Albisser
New Contributor II

Access list versus Next-Gen firewall?

Hi all

 

We soon will start with Fortinet NGFW devices in our company. We have an internal discussions about how to protect the inside -> out traffic which pass this new Fortinet. Until now, we had a Cisco device with "ip inspect" or "ZBFW" enabled. But this was not a NGFW with addtional security features, therefore we had an access list on the inside interface which just allowed the well-known traffic to the Internet. And in general, this was the source address of the proxy server plus several applications which needed a direct access.

 

Now it comes to the question, do we still need this ACL on the inside interface? There are NGFW features now which protects and controls the traffic. And is an ACL still the correct way as this "only" goes on destination IP addresses/Ports and not on applications? Is it worth to do this additional work to have another security layer from inside -> out?

 

I am wondering how other companies handles this topic, if it is good enough to have the NGFW in place or if any other features are in place.

 

I really appreciate your feedback. Thanks a lot!

Markus

1 Solution
emnoc
Esteemed Contributor III

The firewall will only allow the traffic that you allow in the policy rules and will conduct the inspections based on  what you tell it to inspect ( URL AV AS  etc....)

 

BTW:  You are confusing the two due to a cisco VBFW is not a layer7 aware security function

 

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

View solution in original post

PCNSE NSE StrongSwan
4 REPLIES 4
lobstercreed
Valued Contributor

I'm not sure I've fully wrapped my head around your old setup, but I definitely see no reason for that additional layer with a FortiGate.  We actually do use very restrictive firewall policies for outbound traffic to only allow the well-known traffic you're talking about.  Basically in my experience if there's a design you want to achieve, the FortiGate is capable of doing it...it just might take some learning how it works.

emnoc
Esteemed Contributor III

The firewall will only allow the traffic that you allow in the policy rules and will conduct the inspections based on  what you tell it to inspect ( URL AV AS  etc....)

 

BTW:  You are confusing the two due to a cisco VBFW is not a layer7 aware security function

 

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Markus_Albisser

Hi Lobstercreed and Kevin

 

Thank you for your inputs here. Indeed, there is this new inspection we will have with Fortigate, our current setup with the Cisco ISR routers is not L7 aware, it is only up to layer 4. And because we then have the Fortigate as a NGFW I would assume a further restriction to destination IP address/ports is no longer needed. 

 

So did I got it right from your statement that you support a setup where the NGFW features are enabled in the Fortigate and no additional restrictions on the inside -> out path based on destination IP addresses and ports are needed?

 

Thank you

Markus

Markus_Albisser

Dear all

 

I just want to ask again here if other Fortinet customers have the same experience? So that there are no longer inside->out access lists which are continuously updated to have this additional security in place? And only "relies" on the NGFW features provided by the Fortigate appliance?

 

Thank you

Markus

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors