Hi all
We will soon start with Fortinet NGFW devices in our company. We are having internal discussions about how to protect the inside -> out traffic which passes through this new Fortinet. Until now, we had a Cisco device with "ip inspect" or "ZBFW" enabled. But this was not a NGFW with additional security features, therefore we had an access list on the inside interface which only allowed the well-known traffic to the Internet. In general, this was the source address of the proxy server plus several applications which needed direct access.
Now it comes to the question: do we still need this ACL on the inside interface? There are NGFW features now which protect and control the traffic. And is an ACL still the correct way, as this "only" goes on destination IP addresses/ports and not on applications? Is it worth doing this additional work to have another security layer from inside -> out?
I am wondering how other companies handle this topic, whether it is good enough to have the NGFW in place or whether any other features are in place.
I really appreciate your feedback. Thanks a lot!
Markus
The firewall will only allow the traffic that you allow in the policy rules and will conduct the inspections based on what you tell it to inspect (URL, AV, AS, etc.).
BTW: You are confusing the two because a Cisco ZBFW is not a layer-7-aware security function.
Ken Felix
PCNSE
NSE
StrongSwan
I'm not sure I've fully wrapped my head around your old setup, but I definitely see no reason for that additional layer with a FortiGate. We actually do use very restrictive firewall policies for outbound traffic to only allow the well-known traffic you're talking about. Basically in my experience if there's a design you want to achieve, the FortiGate is capable of doing it...it just might take some learning how it works.
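As an added illustration of the point above (not a configuration posted by anyone in this thread), here is a FortiOS policy set in which the old "proxy plus a few direct-access applications" egress restriction and the NGFW inspection live in the same rules, so they are not two separate layers to maintain. Interface names (internal, wan1), the address objects, the FQDN and the "default" profiles are assumptions.

```text
config firewall address
    edit "proxy-server"
        set subnet 10.0.0.10 255.255.255.255
    next
    edit "erp-app-server"
        set subnet 10.0.0.20 255.255.255.255
    next
    edit "erp-saas-endpoint"
        set type fqdn
        set fqdn "erp.example.com"
    next
end
config firewall policy
    # Policy 1: only the proxy may browse out; web filter, AV, application
    # control and IPS are applied on the same rule (all names are assumed).
    edit 1
        set name "proxy-to-internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "proxy-server"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set av-profile "default"
        set application-list "default"
        set ips-sensor "default"
        set logtraffic all
    next
    # Policy 2: one application host gets direct HTTPS to a named destination
    # only, still inspected and logged.
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "erp-app-server"
        set dstaddr "erp-saas-endpoint"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set logtraffic all
    next
    # Everything else from internal to wan1 hits the implicit deny (policy 0);
    # log it so the denied inside -> out attempts stay visible.
    edit 0
        set logtraffic all
    next
end
```

The "default" profiles ship with FortiOS and should be tuned to the environment before going into production.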
Hi Lobstercreed and Kevin
Thank you for your inputs here. Indeed, there is this new inspection we will have with FortiGate; our current setup with the Cisco ISR routers is not L7-aware, it only goes up to layer 4. And because we will then have the FortiGate as a NGFW, I would assume a further restriction on destination IP addresses/ports is no longer needed.
So did I get it right from your statement that you support a setup where the NGFW features are enabled in the FortiGate and no additional restrictions on the inside -> out path based on destination IP addresses and ports are needed?
Thank you
Markus
Dear all
I just want to ask again here whether other Fortinet customers have the same experience, so that there are no longer inside->out access lists which are continuously updated to have this additional security in place, and they only "rely" on the NGFW features provided by the FortiGate appliance?
Thank you
Markus