Support Forum
polerese
New Contributor

FortiGate - Global Deny rules

Hi Everyone,

 

I'm actually thinking about the best way to achieve something with my FortiGates.

Need:

I want to have a deny rule (or several) that allows me to block some IPs from everywhere to everywhere (so from/to all my zones). We are on interface-per-view (and we want to keep it that way).

So if I want to achieve it, I have to create, for each zone, x rules depending on the number of destinations (and it's a lot!).

I was wondering if we can take another way to achieve this with fewer rules without losing the interface-per-view. Maybe with some header policy, which I don't quite understand.

 

Thank you.

ozkanaltas
Contributor III

Hello @polerese ,

 

Why do you need this? If you don't give these IP addresses access, they can't access anything, because the normal behavior of FortiGate is "deny".

 

Still, if you want to do this, I think there is no option like a global policy without breaking the interface pair appearance. You can create these policies more easily on the command line than in the GUI. But you still need to create a lot of policies. :(

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
polerese

Hi @ozkanaltas ,

 

We need it to deny IPs with strange behaviour, so we can't know in advance what the IP will be.

 

So yeah, the script solution seems to be the only option, but I still have to reorder each policy to be on top of the others, as it is a deny one. :(

ozkanaltas
Contributor III

Hello @polerese ,

 

You are right: even if you create a policy with the script, you need to reorder each policy. But if you want, you can also reorder a policy with the script. But I think this way is more difficult than the GUI method.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-the-CLI-to-change-the-order-of-the-I...

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
polerese

Yes, but with the script we use 'edit 0' with no name, so there is no way to get the ID (in fact there is a way, but it takes too much time), and it implies having the ID of the first rule in every section (zone to zone) that we have, which is not easy to get...

 

hbac
Staff

Hi @polerese,

 

You can enable "Multiple Interface Policies" and use 'any' as the Incoming and Outgoing interface. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-allow-the-configuration-of-policies...

 

Regards,
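As an added illustration of the approach hbac describes (this is example configuration written for this thread, not Fortinet's documentation or anything posted above): the FortiOS CLI equivalent of enabling multiple-interface policies, keeping the misbehaving IPs in one address group, and creating an any-to-any deny pair that references that group, so that new IPs are handled by editing the group rather than by adding zone-pair policies. The address and policy names, the documentation-range IP 203.0.113.10 and the placeholder IDs in the final `move` are constructed for the example. Note that later replies in this thread report that enabling this option switched the GUI out of interface-pair view on 7.0 and 7.2 but not on 7.4.2, so check the effect on your own version before rolling it out.

```fortios
# Added example, not from the thread. On a multi-VDOM unit, enter the VDOM first
# (config vdom / edit <vdom>) because "config system settings" is VDOM-scoped.

# 1. Allow policies with multiple (or "any") interfaces.
config system settings
    set gui-multiple-interface-policy enable
end

# 2. One address group holds every misbehaving IP. Adding or removing a member
#    changes the block everywhere without touching the policies themselves.
#    203.0.113.10 is a documentation-range placeholder.
config firewall address
    edit "blk-203.0.113.10"
        set subnet 203.0.113.10 255.255.255.255
    next
end
config firewall addrgrp
    edit "Global-Blocklist"
        set member "blk-203.0.113.10"
    next
end

# 3. Two deny policies with srcintf/dstintf "any" cover every zone pair:
#    one for traffic FROM the blocklist, one for traffic TO it.
#    Logging is enabled so the drops show up in the forward-traffic log.
config firewall policy
    edit 0
        set name "Global-Deny-From-Blocklist"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "Global-Blocklist"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "Global-Deny-To-Blocklist"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "Global-Blocklist"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# 4. "edit 0" takes the next free ID. Recover the IDs by name (the line before
#    each "set name" is its "edit <id>"), then move both deny policies to the top
#    so they are evaluated before any allow rule. Replace the placeholders with
#    the IDs the grep shows and the ID of your current first policy.
show firewall policy | grep -B 1 Global-Deny-
config firewall policy
    move <from-blocklist-id> before <first-policy-id>
    move <to-blocklist-id> before <first-policy-id>
end
```

Because both deny policies sit at the top of the sequence with "any" interfaces, the per-zone-pair deny rules from the original question are no longer needed, and adding a newly spotted IP becomes a single `append member` on the address group.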

polerese
New Contributor

Hi @hbac 

 

I could, but that will shut down the interface-per-view appearance, right?

hbac

@polerese,

 

No, I tested it in my lab on 7.4.2.


Regards,

polerese
New Contributor

I just tried, and in 7.0 I instantly lose the interface-per-view mode.

ozkanaltas

I think this is related to the new policy layout. This feature comes with the 7.4 version. I didn't see anything about this in the documents, but they say they did a lot of enhancements in the policy view.

 

Also, I tried the multiple interface policy option in my lab. My lab instantly lost the interface-per-view mode. I am using version 7.2 in my lab.

 

https://docs.fortinet.com/document/fortigate/7.4.0/new-features/446830/policy-list-enhancements-7-4-...

 

@hbac ,

 

Can you try this with the classic layout in your lab?

 

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW