When I look at the policies in my Fortigate 60D, I don't see what I expect to see.
I expect to see the policies listed in the order they are applied from top (#1) to bottom (#44). I am forced to use the global view due to how one or more policies are setup.
The problem for me is, the policy I expect to see at #1 is actually the last policy #44. Is it possible that the policies are listed in reverse order? Meaning that what I see as policy #44 is applied first then policy 43 then... etc.
I expect the policies to be applied the in the same order they are listed in the view, and the way I see it now is not good.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
hi,
policies on top of list will always be applied before the last ( if policy matches) if you believe #44 should be on top then move it manually, numbers wont reflect the order its just a reference (except the policy ID)
FCSNP 5, JNCIS-FW,JNCIA-SSL ,MCSE, ITIL.
Firewall polices are auto-assigned IDs when you use the GUI to create them, but usually the ID column is not shown in the default view. In most firmware versions you can change/define the columns to show by clicking on a column setting option at the top of the policy page. (In 5.x. you can right-click on column bar). If you are using 5.x, you can set the default column view, by using...
config system settings
set gui-default-policy-columns "#" "col name1" "col name2" "col name3" "col name4" "...."
end
Policy IDs are just "labels" assigned to policies -- they do not determine the seq order that they are executed by Fortigate. (Though you can always use a text editor to "renumber" the IDs to match the seq order.)
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Policy (firewall) rules are executed from top-to-bottom. Generally, broader policies are near the bottom of the list with more restrictive or targeted policies at the top... but it depends more on what you are trying to accomplish. In the sample firewall set (below) is one possible way of setting up the Fortigate.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
I have to agreed. Also, when in doubt login into the cli and issues a "show firewall policy ". The sequence that's displayed in the CLI is the sequence of the firewall policys. The ID#s are a place holder and have nothing todo with the sequence and inspection.
All fwpolicies are then inspect by the src int, then dst int , src address then dst address, and finally and the service & action.
I hope that helps
Ken
PCNSE
NSE
StrongSwan
hi,
policies on top of list will always be applied before the last ( if policy matches) if you believe #44 should be on top then move it manually, numbers wont reflect the order its just a reference (except the policy ID)
FCSNP 5, JNCIS-FW,JNCIA-SSL ,MCSE, ITIL.
Firewall polices are auto-assigned IDs when you use the GUI to create them, but usually the ID column is not shown in the default view. In most firmware versions you can change/define the columns to show by clicking on a column setting option at the top of the policy page. (In 5.x. you can right-click on column bar). If you are using 5.x, you can set the default column view, by using...
config system settings
set gui-default-policy-columns "#" "col name1" "col name2" "col name3" "col name4" "...."
end
Policy IDs are just "labels" assigned to policies -- they do not determine the seq order that they are executed by Fortigate. (Though you can always use a text editor to "renumber" the IDs to match the seq order.)
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Thank you for your replies.
I didn't realize there was both SEQ and ID columns. The numbers I was referring to were sequence numbers (I didn't have the ID column displayed).
If the ID is just a label then I presume policies are applied based on the SEQ column?
Hmm. Maybe my thinking is what is wrong.
The reason I think the policy order is backwards is the DENY ALL policy is last.
I thought the DENY ALL policy should be the first policy to be applied and all the other policies are then opening a path for the specified traffic.
Policy (firewall) rules are executed from top-to-bottom. Generally, broader policies are near the bottom of the list with more restrictive or targeted policies at the top... but it depends more on what you are trying to accomplish. In the sample firewall set (below) is one possible way of setting up the Fortigate.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
I have to agreed. Also, when in doubt login into the cli and issues a "show firewall policy ". The sequence that's displayed in the CLI is the sequence of the firewall policys. The ID#s are a place holder and have nothing todo with the sequence and inspection.
All fwpolicies are then inspect by the src int, then dst int , src address then dst address, and finally and the service & action.
I hope that helps
Ken
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1698 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.