Do I really need 4 rules here?
Hello All,
I have two VDOMs, one for my servers and one for my desktops. I have an inter-vdom link between them.
It seems that if I want to allow traffic between a desktop and a server, I need to have 4 rules.
Desktop ==> Server
1 on the incoming interface on the desktop VDOM, and
1 on the "incoming interface" (the inter-vdom link) on the server VDOM
Server ==> Desktop
the exact opposites of the above.
Is this correct?
Thanks in advance,
Chris.
hi,
A stateful firewall such as the FGT only needs to control who is allowed to open a session; this covers the reply traffic as well.
As you have 2 firewalls now ("servers" and "desktops"), you need 2 policies for each intended flow of control, that is, one egress policy on "desktops" and one ingress policy on "servers".
If you additionally want to open connections from a server to a desktop (e.g. for monitoring, or central backup), then you need to add 2 more policies.
If you look at a VDOM as an independent firewall or location, and the inter-VDOM link as a "WAN" or external interface, then it's quite clear how sessions are initiated by whom and how you need policies to allow this.
Or so I hope.
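As an added example (not part of the original thread and not Fortinet's own documentation), this is what the four policies from the answer above look like in FortiOS CLI. The interface names, VDOM names, subnets and address objects are assumptions chosen for illustration: the inter-VDOM link is named "vlink" (FortiOS then creates the interfaces vlink0 and vlink1), the desktop LAN is port2 in VDOM "desktops" (10.10.0.0/24), the server LAN is port3 in VDOM "servers" (10.20.0.0/24). Policies 1 and 2 are the pair for desktop-initiated sessions; policies 3 and 4 are only needed if servers must initiate sessions towards desktops. No policy is needed for reply packets, because they are matched against the session table.

```text
# --- Global: create the inter-VDOM link once and put one end in each VDOM.
# (Assumed names: "vlink" -> vlink0 in "desktops", vlink1 in "servers".)
config global
    config system vdom-link
        edit "vlink"
        next
    end
    config system interface
        edit "vlink0"
            set vdom "desktops"
            set ip 10.255.0.1 255.255.255.252
        next
        edit "vlink1"
            set vdom "servers"
            set ip 10.255.0.2 255.255.255.252
        next
    end
end

# --- VDOM "desktops": route to the server LAN plus the egress policies.
config vdom
edit desktops
config firewall address
    edit "desktop-net"
        set subnet 10.10.0.0 255.255.255.0
    next
    edit "server-net"
        set subnet 10.20.0.0 255.255.255.0
    next
end
config router static
    edit 1
        set dst 10.20.0.0 255.255.255.0
        set device "vlink0"
        set gateway 10.255.0.2
    next
end
config firewall policy
    # Policy 1: desktop-initiated sessions leave this VDOM over the link.
    edit 1
        set name "desktops-to-servers"
        set srcintf "port2"
        set dstintf "vlink0"
        set srcaddr "desktop-net"
        set dstaddr "server-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Policy 4 (optional): server-initiated sessions arriving over the link.
    edit 2
        set name "servers-to-desktops-in"
        set srcintf "vlink0"
        set dstintf "port2"
        set srcaddr "server-net"
        set dstaddr "desktop-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
end

# --- VDOM "servers": the mirror image (address objects are per VDOM).
config vdom
edit servers
config firewall address
    edit "desktop-net"
        set subnet 10.10.0.0 255.255.255.0
    next
    edit "server-net"
        set subnet 10.20.0.0 255.255.255.0
    next
end
config router static
    edit 1
        set dst 10.10.0.0 255.255.255.0
        set device "vlink1"
        set gateway 10.255.0.1
    next
end
config firewall policy
    # Policy 2: desktop-initiated sessions arriving over the link.
    edit 1
        set name "desktops-to-servers-in"
        set srcintf "vlink1"
        set dstintf "port3"
        set srcaddr "desktop-net"
        set dstaddr "server-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Policy 3 (optional): server-initiated sessions leave this VDOM.
    edit 2
        set name "servers-to-desktops"
        set srcintf "port3"
        set dstintf "vlink1"
        set srcaddr "server-net"
        set dstaddr "desktop-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
end
```

In practice you would restrict `service` to what the servers actually offer rather than "ALL", and you would leave out the two optional policies unless something on the server side genuinely has to initiate connections; the session table (`diagnose sys session list` inside either VDOM) will show the reply direction of a desktop-initiated session being accepted without any server-to-desktop policy.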
Hi Ede,
Thanks for that explanation.
Cheers,
Chris.
