Exempt traffic/public IP subnet for FW Policy inspection
Hi,
I'm trying to create a FW policy (top-most rule) to exempt/bypass a selected public IP host/subnet from FW policy inspection. This is for troubleshooting/logging purposes and to react quickly if a client escalates a complex issue.
Can someone confirm whether the logic below is correct? Do I use the same source address (the "extempted-subnet" address group) for both the inbound and the outbound rule?
Exemption Traffic - Inbound/Outbound

Rule # | Name | Source Interface | Destination Interface | Source Address | Destination Address | Service | Action
--- | --- | --- | --- | --- | --- | --- | ---
1 | Allow Exempted Subnet Inbound | internet (egress interface) | any | customer public IP subnet (to be added to the "extempted-subnet" Address Group) | all | N/A | Accept
2 | Allow Exempted Subnet Outbound | any | internet (egress interface) | customer public IP subnet (to be added to the "extempted-subnet" Address Group) | all | N/A | Accept
Labels: FortiManager
Obviously Rule #1's Source and Destination addresses are reversed.
Toshi
Hi,
Thanks for your reply!
The logic for rule 1 (inbound) is that the source addresses coming from the public Internet are my public IP subnet/range.
So, should it be source address "all" to destination address "my public IP subnets"?
Created on ‎12-21-2024 09:08 AM Edited on ‎12-21-2024 09:08 AM
Hi @johnlloyd_13 ,
Your info is not clear.
I assume that "extempted-subnet" is for the internal local network.
If so, you need to use it for the destination address in the inbound firewall policy and use it for the source address in the outbound firewall policy.
Imagine the traffic flow:
Inbound traffic flow is from Internet to access the internal local network;
Outbound traffic flow is from the internal local network to access the Internet.
Jerry
Hi,
Your assumption is correct. The "exempted-subnet" is the RIR public IP subnet that we own.
So for the "inbound" FW policy (Internet to LAN), I'll use "exempted-subnet" as the "source" address.
Then for the "outbound" policy (LAN to Internet), I'll also use "extempted-subnet" as the "source" address.
Please confirm. Happy NY and thanks in advance!
Created on ‎01-01-2025 08:59 AM Edited on ‎01-01-2025 08:59 AM
Hi @johnlloyd_13 ,
NO.
Please imagine the traffic flow; you will see that the "exempted-subnet" can be the source for only one direction. So why are you using it as the source for both directions?
My assumption is that the Exempted Subnet is on your internal local network since you did not share any configurations.
You have to confirm it first for yourself: What is the Exempted Subnet? Is it for your internal local subnet or for someone from the Internet? Then you can use it as the source for that direction only.
Jerry
It's better to provide a simple network diagram marking the Exempted Subnet.
Jerry
Created on ‎12-21-2024 09:40 AM Edited on ‎12-21-2024 09:43 AM
Needs to match the routing table: all = 0/0, x/x = x/x, and which direction/interface they're routed to.
Toshi
To create a top-most firewall policy on a FortiGate to exempt/bypass inspection for a selected public IP host or subnet (e.g., for troubleshooting or logging purposes), your approach can vary depending on the direction of the traffic and whether it is inbound or outbound. Here's a breakdown of the logic:

1. Key Considerations
- Inbound traffic: This is traffic initiated from the Internet towards your internal resources.
- Outbound traffic: This is traffic initiated from your internal network towards the Internet.
- The source address and destination address depend on the direction of traffic you want to exempt from inspection.

2. General Rule Logic

Inbound Traffic Exemption (From Internet to Internal Network)
- Source Address: Public IP or subnet of the external client/device initiating the traffic (e.g., exempted-traffic-subnet).
- Destination Address: Public IP or internal mapped IP of your FortiGate or servers behind it.
- Action: Accept (or deny if needed for troubleshooting).
- NAT: Disabled (unless you require SNAT).
- Inspection: Set profiles to "None" to bypass inspection.

Example:
- Source: exempted-traffic-subnet
- Destination: internal-server (mapped public IP or real IP)
- Schedule: Always
- Action: Accept
- Profiles: None

Outbound Traffic Exemption (From Internal Network to Internet)
- Source Address: Internal subnet/IP of the device generating the traffic.
- Destination Address: Public IP/subnet you want to exempt (e.g., exempted-traffic-subnet).
- Action: Accept.
- NAT: Enabled (to masquerade internal traffic as the FortiGate's WAN IP).
- Inspection: Set profiles to "None" to bypass inspection.

Example:
- Source: internal-network
- Destination: exempted-traffic-subnet
- Schedule: Always
- Action: Accept
- Profiles: None

3. For Both Directions (Bi-Directional Exemption)
If you need to exempt the same exempted-traffic-subnet for both inbound and outbound traffic:
- Create two separate rules:
  - One for inbound traffic.
  - One for outbound traffic.
- Alternatively, create a single rule covering both directions by defining both source and destination as exempted-traffic-subnet. This works if the same subnet is both the source (outbound) and destination (inbound).

4. Example Rule Placement
- Place the exemption rule at the top of the policy list to ensure it is evaluated first.
- Subsequent rules will not apply to traffic matching this exemption rule.

5. Verification
- Use FortiGate's logging to ensure traffic matches the exemption rule: diagnose debug flow
- Monitor real-time logs in Log & Report > Traffic Logs to confirm the traffic bypasses inspection.
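As an added illustration (not from any poster in this thread), the following Python model of FortiGate-style top-down policy matching shows why the exempted subnet can be the source for only one direction: with the original proposal (exempted subnet as source in both rules) an inbound connection falls through to the implicit deny, while the corrected pair matches both directions. The interface names, the 203.0.113.0/24 range and the peer address are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values: the owned public range (stands in for the
# "exempted-subnet" address group) and an arbitrary Internet peer.
EXEMPTED_SUBNET = ipaddress.ip_network("203.0.113.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str                    # "any" matches every interface
    dstintf: str
    srcaddr: ipaddress.IPv4Network
    dstaddr: ipaddress.IPv4Network

def _intf_ok(policy_intf: str, actual: str) -> bool:
    return policy_intf == "any" or policy_intf == actual

def first_match(policies, srcintf, dstintf, src_ip, dst_ip):
    """Evaluate policies top-down like a FortiGate: return the name of the
    first policy whose interface pair and address pair all match the
    initiating packet, or None for the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if (_intf_ok(p.srcintf, srcintf) and _intf_ok(p.dstintf, dstintf)
                and src in p.srcaddr and dst in p.dstaddr):
            return p.name
    return None

# The original proposal: exempted subnet as the source in both rules.
PROPOSED = [
    Policy("Inbound", "internet", "any", EXEMPTED_SUBNET, ANY),
    Policy("Outbound", "any", "internet", EXEMPTED_SUBNET, ANY),
]
# Corrected pair: exempted subnet is the destination inbound, source outbound.
CORRECTED = [
    Policy("Inbound", "internet", "any", ANY, EXEMPTED_SUBNET),
    Policy("Outbound", "any", "internet", EXEMPTED_SUBNET, ANY),
]

# Constructed flows: (ingress intf, egress intf, src ip, dst ip) of the first packet.
INBOUND_FLOW = ("internet", "lan", "198.51.100.7", "203.0.113.10")
OUTBOUND_FLOW = ("lan", "internet", "203.0.113.10", "198.51.100.7")

if __name__ == "__main__":
    for label, rules in (("proposed", PROPOSED), ("corrected", CORRECTED)):
        print(label, "inbound ->", first_match(rules, *INBOUND_FLOW),
              "| outbound ->", first_match(rules, *OUTBOUND_FLOW))
```

The proposed set prints `inbound -> None`, i.e. the inbound connection is never exempted because its source is the Internet peer, not the owned range.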
Hi,
Just to confirm your item 2 (inbound rule): should I use the "extempted-subnet" address group (my public IP subnet/range/host) as both the source and the destination address?
2. General Rule Logic
Inbound Traffic Exemption (From Internet to Internal Network)
Source Address: Public IP or subnet of the external client/device initiating the traffic (e.g., exempted-traffic-subnet).
Destination Address: Public IP or internal mapped IP of your FortiGate or servers behind it.
