Hi,
The security auditor came to our office to check the firewall policies. He suggests configuring the firewall access rule to "DROP" the unwanted traffic instead of "DENY".
When setting up a firewall access rule, I can select "ACCEPT" or "DENY" only.
Is it possible to configure the Fortinet firewall to "DROP" instead of "DENY"?
Regards,
emnoc wrote:
IMHO you will never ever send a TCP reset for a deny policy (I can't think of one valid case that would warrant it).
Been running FortiGates for most of the last 7 years and literally JUST found the use case for it today. Something in the Windows logon process is causing PCs in our classroom computer labs to try to connect to our domain controllers on TCP port 80. They don't have anything running on 80, but when this traffic was allowed (by the firewall) the DCs would send rejects quickly and the PCs would move on and complete the logon. When I isolated these computer labs in the firewall and dropped the port 80 traffic, logon times increased exponentially. A packet capture revealed that the PCs waited for about 10-15 seconds per DC before timing out. So I put in a new deny rule with send-deny-packet enabled and voila! Logon times went back to normal.
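As an added example (not written by any poster in this thread), this is the CLI form of a policy like the one lobstercreed describes: a plain deny action discards the packet silently, which is what the auditor's "DROP" means, and send-deny-packet is what makes the FortiGate answer the client (a TCP reset for TCP) so it fails fast instead of waiting out a timeout. The policy ID, interface names and address objects are placeholders.

```fortios
# Rule 1: silent discard (the default behaviour of action deny).
# The client sees nothing and retries until its own timeout expires.
config firewall policy
    edit 10
        set name "drop-lab-to-dc-http"
        set srcintf "lab"
        set dstintf "dmz"
        set srcaddr "lab-pcs"
        set dstaddr "domain-controllers"
        set schedule "always"
        set service "HTTP"
        set action deny
        set send-deny-packet disable
        set logtraffic all
    next
end

# Rule 2: same match, but the FortiGate sends a reset back to the client,
# so the Windows logon process gives up on port 80 immediately.
config firewall policy
    edit 11
        set name "deny-lab-to-dc-http-with-reset"
        set srcintf "lab"
        set dstintf "dmz"
        set srcaddr "lab-pcs"
        set dstaddr "domain-controllers"
        set schedule "always"
        set service "HTTP"
        set action deny
        set send-deny-packet enable
        set logtraffic all
    next
end
```

Only one of the two rules would normally be present; the reset tells a probing client that the port is filtered, so keep it to cases like the one above where the fast failure is needed.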
lobstercreed wrote:
Leave it to M$ to totally go their own convoluted way...
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Copyright 2024 Fortinet, Inc. All Rights Reserved.