Fortigate Firewall Policies Best Practices

Infotech22 · ‎02-20-2024

Hello everybody,

I would like to get some info's how you are dealing with Firewall Policies.
In our infrastructure we have multiple VLANs (clients, printers, servers, voip, etc), and from vlan to vlan I created separate firewall policies.
Example would be:
Sequience grouping: VLAN_CLIENTS to VLAN_SERVERS
1. Clients_To_FileServers - then I restricted from which VLAN to which VLAN, source and destination also, and we also restrict only the needed services.
It's the same principle for every other traffic that is needed.

Now when I look at the Firewall Policies, for somebody else it can be difficult to manage it way trough policies.
How I can make it less complicated but still as secure as it can be.

Example of our policies:

AEK · ‎02-20-2024

Hello

From the screenshot I think you are already doing it the right way, by using good naming conventions for policy names and object names, and by keeping one single source interface and one single destination interface per policy, so you can see policies by interface pairs.

I think this is the less complicated way.

AEK

jse_ainsley · ‎03-21-2024

I am looking to do the same thing but was wondering if you are using security profiles (e.g., IPS, AV, etc.) on those policies to inspect traffic? For example, I would want to inspect traffic going from the client workstation VLAN to my server VLAN and watch for malware/ransomware like activity/signatures.

Just curious to see how you are doing this. I worry about bit about the performance/throughput hit.

AEK · ‎03-21-2024

You can use "default" IPS and AV profiles, they are good ones.

If there is HTTPS traffic then you need to enable deep inspection, otherwise you will catch malware on unencrypted traffic only. Same for many IPS signatures.

For performance info you need to check your FG's datasheet to see how much it can support.

AEK

jse_ainsley · ‎05-01-2024

I forgot to ask what your thoughts are on whether I should use flow- or proxy-based policies?

AEK · ‎05-01-2024

You can use flow based for general purpose as it is has better performance and needs less resources, and use proxy based when you protect your published servers, like Web server, mail server, etc..., so you can use WAF profile, Antispam profile, and so.

Check this page for full comparison.

https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/922096/inspection-mode-featu...

AEK

jse_ainsley · ‎05-01-2024

Thanks for the response! Given this will be primarily for traffic between Windows clients and shared folders or applications on Windows server (internal), flow based seems like the obvious choice. :)

AEK · ‎05-01-2024

Yes I'd set it flow based.

AEK

jse_ainsley · ‎05-03-2024

Another possible wrinkle: due to some application errors and excessive tcp connection resets, I want to turn off SSL inspection. I shouldn't need it internally anyway, but it won't let me. Is this only possible with a proxy-based policy?

AEK · ‎05-03-2024

You can turn it off, but first, you need to remove all security profiles and validate, then turn you can select "no inspection".

AEK