Hi there,
I'm trying to learn the policy setup of the FortiGate product. Can anyone tell me why I need a specific policy for allowing traffic? I saw that some allow policies in my current environment have specific source and destination IP addresses (assuming all settings are the same except source and destination). Why can't an allow policy from "all" source to "all" destination take care of the traffic? Thank you.
You can certainly create an all > all policy to match everything, but in the security world this is not best practice. Ideally you should only create policies/enable access for IPs and services as specific as possible.
neonbit wrote: You can certainly create an all > all policy to match everything, but in the security world this is not best practice. Ideally you should only create policies/enable access for IPs and services as specific as possible.
Thank you for the answer, Neonbit. Now I'm confused by an issue I encountered. We need a v server to connect to an external IP address. We do have the "all" to "all" policy from inside to outside. The traffic flow wasn't stable; it was on and off, and super slow. But as soon as I created a specific policy for this task, the issue was gone. Do you know the reason?
I highly doubt a specific policy was the issue. What was your any/any policy? Did you have any UTM features enabled?
Ken Felix
PCNSE
NSE
StrongSwan
emnoc wrote: I highly doubt a specific policy was the issue. What was your any/any policy? Did you have any UTM features enabled?
Ken Felix
Hi Ken,
Thank you for helping me out on this post as well. Comparing the two policies, the only difference is that the any/any policy has a few security profiles enabled. Can you explain why that might cause the issue? Thanks.
What is in your security policy?
i.e. show full firewall policy <id>
Without knowing what you had enabled, it would be hard to make a determination of the issue(s).
Ken Felix
PCNSE
NSE
StrongSwan
Is this thread no longer needed? Because as per the other thread from the OP, https://forum.fortinet.com/tm.aspx?m=181788, there was a misconfiguration elsewhere, not the FW.
Generally this is because all FortiGates have one policy (#0) that blocks everything to everything.
So one needs policies that match before #0 to allow traffic.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Correct, an implicit deny exists. So if you do not match any of the other policy IDs (greater than 0, per se), then the ultimate action is to drop.
Without seeing what he had enabled, we would not know the difference between the two policy IDs.
Ken Felix
PCNSE
NSE
StrongSwan
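As an added illustration of the lookup order the two posts above describe (this is example code written for this page, not code from the thread or from Fortinet), here is a small Python model of FortiGate policy evaluation: policies are checked top-down in sequence order, the first match decides the action and which security profiles are applied, and any flow that falls through lands on the implicit deny, policy 0. The interface names, addresses, services and profile names are constructed for the example and do not come from the thread.

```python
"""Toy model of FortiGate firewall-policy lookup.

Added example, not FortiOS code.  Models three behaviours discussed in the
thread: top-down first-match evaluation, the implicit deny (policy 0) that
catches anything unmatched, and the fact that the matching policy decides
which security (UTM) profiles a flow is subjected to.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_NET = ip_network("0.0.0.0/0")   # what the "all" address object resolves to
ANY_SVC = ("any", 0)                 # stands in for the FortiOS "ALL" service


@dataclass(frozen=True)
class Flow:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    proto: str   # "tcp", "udp", ...
    dport: int


@dataclass(frozen=True)
class Policy:
    policyid: int
    srcintf: str
    dstintf: str
    srcaddr: tuple = (ANY_NET,)
    dstaddr: tuple = (ANY_NET,)
    service: frozenset = frozenset({ANY_SVC})
    action: str = "accept"
    profiles: tuple = ()   # UTM/security profiles applied on match (constructed names)


# Policy 0: exists on every FortiGate, matches everything, drops it.
IMPLICIT_DENY = Policy(policyid=0, srcintf="any", dstintf="any", action="deny")


def _intf_ok(wanted: str, actual: str) -> bool:
    return wanted == "any" or wanted == actual


def _addr_ok(nets: tuple, ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def _svc_ok(services: frozenset, proto: str, dport: int) -> bool:
    return ANY_SVC in services or (proto, dport) in services


def matches(policy: Policy, flow: Flow) -> bool:
    """All five match criteria must hold for a policy to apply."""
    return (_intf_ok(policy.srcintf, flow.srcintf)
            and _intf_ok(policy.dstintf, flow.dstintf)
            and _addr_ok(policy.srcaddr, flow.src)
            and _addr_ok(policy.dstaddr, flow.dst)
            and _svc_ok(policy.service, flow.proto, flow.dport))


def lookup(policies: list, flow: Flow) -> Policy:
    """`policies` is in sequence order (top of the policy table first).
    First match wins; nothing matching means policy 0, i.e. drop."""
    for policy in policies:
        if matches(policy, flow):
            return policy
    return IMPLICIT_DENY


# --- constructed sample policies and flows ---------------------------------
ANY_ANY = Policy(policyid=1, srcintf="internal", dstintf="wan1",
                 profiles=("av-default", "webfilter-default"))
VSERVER = Policy(policyid=2, srcintf="internal", dstintf="wan1",
                 srcaddr=(ip_network("10.0.0.5/32"),),
                 dstaddr=(ip_network("203.0.113.10/32"),),
                 service=frozenset({("tcp", 443)}))

VSERVER_FLOW = Flow("internal", "wan1", "10.0.0.5", "203.0.113.10", "tcp", 443)
VSERVER_HTTP = Flow("internal", "wan1", "10.0.0.5", "203.0.113.10", "tcp", 80)
DMZ_FLOW = Flow("dmz", "wan1", "172.16.0.9", "198.51.100.7", "tcp", 80)


def demo() -> tuple:
    """Return the matched policy IDs for the three scenarios of interest."""
    specific_first = lookup([VSERVER, ANY_ANY], VSERVER_FLOW).policyid  # 2
    any_first = lookup([ANY_ANY, VSERVER], VSERVER_FLOW).policyid       # 1: shadowed
    unmatched = lookup([VSERVER, ANY_ANY], DMZ_FLOW).policyid           # 0: implicit deny
    return specific_first, any_first, unmatched


if __name__ == "__main__":
    print(demo())
```

The sequence order matters as much as the policy contents: with the vserver policy placed below the any/any one it is never reached, so the flow is still handled by the policy carrying the security profiles. A flow from an interface no policy mentions (the `dmz` flow here) falls straight through to policy 0 and is dropped.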