Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPhish
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiVoice
- FortiToken
- FortiWAN
- FortiWeb
- Lacework
- FortiAppSec Cloud
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Exempt traffic/public IP subnet for FW Policy ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Exempt traffic/public IP subnet for FW Policy inspection
hi,
i'm trying to create a FW policy (top most rule) to exempt/bypass selected public IP host/subnet for FW policy inspection. this for troubleshooting/logging purpose and to quickly react if a client escalated a complex issue.
can someone confirm if below logic is correct? do i use the same source address ("extempted-subnet" address group) for both inbound and outbound rule?
| Rule # | Name | Source Interface | Destination Interface | Source Address | Destination Address | Service | Action |
| Exemption Traffic - Inbound/Outbound | |||||||
| 1 | Allow Exempted Subnet Inbound | internet (egress interface) | any | To add customer public IP subnet in "extempted-subnet" Address Group | all | N/A | Accept |
| 2 | Allow Exempted Subnet Outbound | any | internet (egress interface) | To add customer Public IP subnet in "extempted-subnet" Address Group | all | N/A | Accept |
Labels:
- Labels:
-
FortiManager
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Obviously Rule#1's Source and Destination addresses are reversed.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
thanks for your reply!
the logic for rule 1 inbound is that source address coming from the public internet are my public ip subnet/range.
so, should it be source address "all" to destination address "my public ip subnets"?
Created on 12-21-2024 09:08 AM Edited on 12-21-2024 09:08 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @johnlloyd_13 ,
Your info is not clear.
I assume that "extempted-subnet" is for the internal local network.
If so, you need to use it for the destination address in the inbound firewall policy and use it for the source address in the outbound firewall policy.
Imagine the traffic flow:
Inbound traffic flow is from Internet to access the internal local network;
Outbound traffic flow is from the internal local network to access the Internet.
Regards,
Jerry
Jerry
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
your assumption is correct. the "exempted-subnet" is the RIR public IP subnet that we own.
so for "inbound" FW policy (internet to LAN), i'll use "exempted-subnet" as the "source" address.
then for "outbound" policy (LAN to internet), i'll also use "extempted-subnet" as the "source" address as well.
please confirm. happy NY and thanks in advance!
Created on 01-01-2025 08:59 AM Edited on 01-01-2025 08:59 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @johnlloyd_13 ,
NO.
Please imagine the traffic flow, you will see the "exempted-subnet" can be the source for only one direction. So why are you using it as the source for both directions?
My assumption is that the Exempted Subnet is on your internal local network since you did not share any configurations.
You have to confirm it first for yourself: What is the Exempted Subnet? Is it for your internal local subnet or for someone from the Internet? Then you can use it as the source for that direction only.
Regards,
Jerry
Jerry
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's better to provide a simple network diagram marking the Exempted Subnet.
Regards,
Jerry
Jerry
Created on 12-21-2024 09:40 AM Edited on 12-21-2024 09:43 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Need to match the routing table. all=0/0. x/x=x/x. And which direction/interface they're routed to.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To create a top-most firewall policy on a FortiGate to exempt/bypass inspection for a selected public IP host or subnet (e.g., for troubleshooting or logging purposes), your approach can vary depending on the direction of the traffic and whether it is inbound or outbound. Here's a breakdown of the logic:
1. Key Considerations
Inbound traffic: This is traffic initiated from the Internet towards your internal resources.
Outbound traffic: This is traffic initiated from your internal network towards the Internet.
The source address and destination address depend on the direction of traffic you want to exempt from inspection.
2. General Rule Logic
Inbound Traffic Exemption (From Internet to Internal Network)
Source Address: Public IP or subnet of the external client/device initiating the traffic (e.g., exempted-traffic-subnet).
Destination Address: Public IP or internal mapped IP of your FortiGate or servers behind it.
Action: Accept (or deny if needed for troubleshooting).
NAT: Disabled (unless you require SNAT).
Inspection: Set profiles to "None" to bypass inspection.
Example:
Source: exempted-traffic-subnet
Destination: internal-server (mapped public IP or real IP)
Schedule: Always
Action: Accept
Profiles: None
Outbound Traffic Exemption (From Internal Network to Internet)
Source Address: Internal subnet/IP of the device generating the traffic.
Destination Address: Public IP/subnet you want to exempt (e.g., exempted-traffic-subnet).
Action: Accept.
NAT: Enabled (to masquerade internal traffic as the FortiGate's WAN IP).
Inspection: Set profiles to "None" to bypass inspection.
Example:
Source: internal-network
Destination: exempted-traffic-subnet
Schedule: Always
Action: Accept
Profiles: None
3. For Both Directions (Bi-Directional Exemption)
If you need to exempt the same exempted-traffic-subnet for both inbound and outbound traffic:
Create two separate rules:
One for inbound traffic.
One for outbound traffic.
Alternatively, create a single rule covering both directions by defining both source and destination as exempted-traffic-subnet. This works if the same subnet is both the source (outbound) and destination (inbound).
4. Example Rule Placement
Place the exemption rule at the top of the policy list to ensure it is evaluated first.
Subsequent rules will not apply to traffic matching this exemption rule.
5. Verification
Use FortiGate's logging to ensure traffic matches the exemption rule:
diagnose debug flow
Monitor real-time logs in Log & Report > Traffic Logs to confirm the traffic bypasses inspection.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
just to confirm your item 2 (inbound rule), i should use the "extempted-subnet" address group (my public ip subnet/range/host) both as a source and destination address?
2. General Rule Logic
Inbound Traffic Exemption (From Internet to Internal Network)
Source Address: Public IP or subnet of the external client/device initiating the traffic (e.g., exempted-traffic-subnet).
Destination Address: Public IP or internal mapped IP of your FortiGate or servers behind it.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,781 -
FortiClient
1,783 -
5.2
801 -
FortiManager
739 -
5.4
639 -
FortiAnalyzer
565 -
FortiSwitch
479 -
Fortiap
475 -
FortiClient EMS
438 -
6.0
416 -
5.6
362 -
FortiMail
323 -
SSL-VPN
254 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
214 -
FortiWeb
210 -
5.0
196 -
FortiNAC
193 -
FortiGuard
139 -
6.4
128 -
SD-WAN
118 -
FortiAuthenticator
108 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
86 -
Wireless Controller
81 -
Customer Service
80 -
4.0MR3
64 -
FortiProxy
61 -
Fortivoice
57 -
High Availability
57 -
FortiADC
54 -
VLAN
53 -
FortiEDR
52 -
ZTNA
50 -
Routing
49 -
FortiExtender
45 -
DNS
45 -
FortiSandbox
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
RADIUS
36 -
NAT
36 -
Certificate
36 -
FortiGate v5.4
35 -
SAML
35 -
FortiSwitch v6.4
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
Virtual IP
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiGate-VM
22 -
FortiPAM
22 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
Fortigate Cloud
19 -
FortiMonitor
18 -
Traffic shaping
17 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
IPS signature
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
API
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Service
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1742 | |
| 1110 | |
| 758 | |
| 447 | |
| 240 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.