Infotech22
Contributor

Firewall Policies

Hello to all,

I would like to know your best practices and approaches on configuring Firewall Policies to be as restricted as possible.

I want to restrict access as much as I can.

  • Examples would be to allow only certain Services for certain Servers (for DNS servers only port 53 etc.), for Printers only SMB and so on.
  • From Clients to Servers also only needed services for specific Servers (AD, Print Servers, File Servers)
  • IT to have administration rights for all servers
  • Restricted for others that don't need anything else than those services

I think you get the point what I want to achieve.
We already have something like that for  our branch office, but I want to see if there are some better recommendations.

And also I don't have a zoning concept. Don't know if granular restrictions can be a lot of work with zoning since I'm going to have a few VLANs etc.


This is an example of our branch office:
[image: Firewall_Rules.png]


Like this our Firewall Rules are getting larger and more difficult to manage (over 100 rules).

Best Regards,
Nemanja



AEK
Honored Contributor

Hi Nemanja

Here are some recommendations:

  • Use zones
  • Use one interface in and one interface out, in order to see your rules by interface pairs, so even 1000 rules will remain easy to manage
  • Use naming conventions for rules and objects
  • Use security profiles
  • Avoid using any to any, all to all
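The two lists above (the original poster's per-server service restrictions and AEK's management recommendations) describe rules that can be checked mechanically against a policy export. The following is an added example, not code from the original thread or from Fortinet: a small Python audit script that parses the FortiOS CLI export format (config / edit / set / next / end) for `config firewall policy` and flags policies that use any/any addresses or the ALL service, that are not a single interface (zone) pair, that break a naming convention, or that accept traffic without full logging. The export text is constructed for the example, and the `SRC-to-DST_purpose` naming convention is an assumption chosen for illustration, not a Fortinet standard.

```python
import re
from collections import Counter

# Constructed sample of a FortiOS 'config firewall policy' export (not the
# poster's real branch-office rules). Policy 3 deliberately breaks every rule.
SAMPLE_EXPORT = """\
config firewall policy
    edit 1
        set name "CLIENTS-to-SERVERS_dns"
        set srcintf "ZONE_CLIENTS"
        set dstintf "ZONE_SERVERS"
        set srcaddr "NET_CLIENTS"
        set dstaddr "SRV_DNS"
        set action accept
        set service "DNS"
        set logtraffic all
    next
    edit 2
        set name "IT-to-SERVERS_admin"
        set srcintf "ZONE_IT"
        set dstintf "ZONE_SERVERS"
        set srcaddr "NET_IT"
        set dstaddr "GRP_ALL_SERVERS"
        set action accept
        set service "RDP" "SSH" "SMB"
        set logtraffic all
    next
    edit 3
        set name "temp_rule"
        set srcintf "port3" "port4"
        set dstintf "port5"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set logtraffic disable
    next
end
"""

EDIT_RE = re.compile(r"^\s*edit\s+(\d+)")
SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(.*)$")
# Assumed naming convention for this example: SRCZONE-to-DSTZONE_purpose
NAME_RE = re.compile(r"^[A-Z0-9_]+-to-[A-Z0-9_]+_[a-z0-9_]+$")


def parse_policies(export: str) -> list[dict]:
    """Turn the CLI export into one dict per policy; every 'set' value is a list."""
    policies, current = [], None
    for line in export.splitlines():
        m = EDIT_RE.match(line)
        if m:
            current = {"id": int(m.group(1))}
            continue
        if line.strip() == "next" and current is not None:
            policies.append(current)
            current = None
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            key, raw = m.groups()
            # Quoted values may repeat ("RDP" "SSH"); unquoted ones are bare tokens.
            current[key] = re.findall(r'"([^"]*)"', raw) or raw.split()
    return policies


def audit(policies: list[dict]) -> dict[int, list[str]]:
    """Return {policy_id: [issues]} for policies that violate the thread's advice."""
    findings = {}
    for p in policies:
        issues = []
        if "all" in p.get("srcaddr", []) and "all" in p.get("dstaddr", []):
            issues.append("any-to-any addresses")
        if any(s.upper() == "ALL" for s in p.get("service", [])):
            issues.append("service ALL")
        if len(p.get("srcintf", [])) != 1 or len(p.get("dstintf", [])) != 1:
            issues.append("not a single interface pair")
        if not NAME_RE.match(p.get("name", [""])[0]):
            issues.append("name breaks convention")
        if p.get("action", [""])[0] == "accept" and p.get("logtraffic", ["disable"])[0] != "all":
            issues.append("accept without full logging")
        if issues:
            findings[p["id"]] = issues
    return findings


def interface_pair_counts(policies: list[dict]) -> Counter:
    """Count policies per srcintf->dstintf pair, the view AEK recommends managing by."""
    return Counter(
        ",".join(p.get("srcintf", [])) + "->" + ",".join(p.get("dstintf", []))
        for p in policies
    )


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_EXPORT)
    for pid, issues in audit(pols).items():
        print(f"policy {pid}: " + "; ".join(issues))
    for pair, n in interface_pair_counts(pols).items():
        print(f"{pair}: {n} policies")
```

Run against a real `show firewall policy` export, the pair counts show which zone pairs carry the bulk of the rules, and the findings list is the set of policies to tighten first; the convention regex is the one part to adapt to whatever naming scheme you settle on.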
DPadula
Staff

Just adding to AEK's reply, you can check our best practices guide. I am pasting the link to the policies section, but you should check other relevant sections as well.


https://docs.fortinet.com/document/fortigate/7.2.0/best-practices/862226/policies

Nchandan
Staff

You can achieve this by restricting access as much as possible and implementing granular firewall policies. The best approach to achieve this is by implementations like giving users least privileges using application control, user authentication, role-based access control, granular firewall policies (create policies that allow specific clients to access specific servers on designated ports), logging and monitoring etc. Hope this helps.


https://community.fortinet.com/t5/FortiGate/Technical-Tip-Best-practices-for-policy-configuration/ta...

TysonHauck
New Contributor

Great to see that you are prioritizing security. It is recommended to use zones and naming conventions for clarity. AEK's suggestion on interface pairs is smart. Keep it granular and efficient. Check out the link shared by Nchandan for detailed best practices.
