polarpanda
New Contributor II

General Policy Question

Hi there,

I'm trying to learn the policy setup of the FortiGate product. Can anyone tell me why I need specific policies for allowing traffic? I saw that some allow policies in my current environment have specific source and destination IP addresses (assuming all settings are the same except source and destination). Why can't an allow policy from "all" source to "all" destination take care of the traffic? Thank you.

neonbit
Valued Contributor

You can certainly create an all > all policy to match everything, but in the security world this is not best practice. Ideally you should only create policies/enable access for IPs and services that are as specific as possible.

polarpanda
New Contributor II

neonbit wrote:

You can certainly create an all > all policy to match everything, but in the security world this is not best practice. Ideally you should only create policies/enable access for IPs and services that are as specific as possible.

Thank you for the answer, Neonbit. Now I'm confused by an issue I encountered. We need a vserver to connect to an external IP address. We do have an "all" to "all" policy from inside to outside. The traffic flow wasn't stable; it was on and off, and super slow. But as soon as I created a specific policy for this task, the issue was gone. Do you know the reason?

emnoc
Esteemed Contributor III

I highly doubt a specific policy was the issue. What was your any/any policy? Did you have any UTM features enabled?

Ken Felix
PCNSE NSE StrongSwan
polarpanda
New Contributor II

emnoc wrote:

I highly doubt a specific policy was the issue. What was your any/any policy? Did you have any UTM features enabled?

 

Ken Felix

Hi Ken,

Thank you for helping me out on this post as well. Comparing the two policies, the only difference is that the any/any policy has a few security profiles enabled. Can you explain why that might cause the issue? Thanks.

emnoc
Esteemed Contributor III

What is in your security policy?

i.e. show full firewall policy <id>

Without knowing what you had enabled, it would be hard to make a determination of the issue(s).

 

Ken Felix
PCNSE NSE StrongSwan
poundy

Is this thread no longer needed? As per the other thread from the OP, https://forum.fortinet.com/tm.aspx?m=181788, there was a misconfiguration elsewhere, not on the FW.

sw2090
Honored Contributor

Generally this is because all FortiGates have one policy (#0) that blocks everything to everything.

So one needs policies that match before #0 to allow traffic.

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
emnoc
Esteemed Contributor III

Correct, an implicit deny exists. So if you do not match any of the other policy IDs (greater than 0, per se), then the ultimate action is to drop.

Without seeing what he had enabled, we would not know the difference between the two policy IDs.

 

Ken Felix
PCNSE NSE StrongSwan
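As an added illustration (not code from the original posts and not FortiOS code), here is a small Python model of the matching rule sw2090 and emnoc describe: the policy table is walked top to bottom, the first policy whose interfaces, addresses and service all match decides the action and which security profiles apply, and anything left unmatched falls to the implicit deny, policy ID 0. The interface names, addresses, policy IDs and profile names are assumptions. The model also shows a point the thread's question about ordering implies: a specific policy sequenced below an any/any is shadowed and never used, so the narrow policy has to sit above the broad one (list order here stands in for the sequence in the policy table; the policy ID itself does not decide order).

```python
import ipaddress
from dataclasses import dataclass, field

# Added illustration of FortiGate first-match policy evaluation; this is a
# model written for this thread, not FortiOS code. Policy IDs, interface
# names, addresses and profile names are assumptions, not from the posts.

IMPLICIT_DENY_ID = 0  # the built-in "Implicit Deny" that catches everything unmatched


@dataclass
class Policy:
    policyid: int
    srcintf: str
    dstintf: str
    srcaddr: list          # CIDR strings; "all" matches any address
    dstaddr: list
    service: set           # "proto/port" strings; "ALL" matches any service
    action: str            # "accept" or "deny"
    profiles: dict = field(default_factory=dict)  # UTM profiles applied on accept


def _addr_match(cidrs, ip):
    if "all" in cidrs:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _service_match(services, service):
    return "ALL" in services or service in services


def evaluate(policies, srcintf, dstintf, src_ip, dst_ip, service):
    """Walk the policy table top to bottom (list order) and return
    (policyid, action, profiles) for the first match; fall through to
    the implicit deny when nothing matches."""
    for p in policies:
        if (p.srcintf == srcintf and p.dstintf == dstintf
                and _addr_match(p.srcaddr, src_ip)
                and _addr_match(p.dstaddr, dst_ip)
                and _service_match(p.service, service)):
            return p.policyid, p.action, p.profiles
    return IMPLICIT_DENY_ID, "deny", {}


# Constructed sample policy table modelled on the thread: an any/any
# inside-to-outside accept carrying security profiles, and a narrow accept
# for one internal host to one external address with no profiles.
ANY_ANY = Policy(
    policyid=2, srcintf="internal", dstintf="wan1",
    srcaddr=["all"], dstaddr=["all"], service={"ALL"}, action="accept",
    profiles={"av-profile": "default", "ips-sensor": "default",
              "ssl-ssh-profile": "certificate-inspection"},
)
SPECIFIC = Policy(
    policyid=3, srcintf="internal", dstintf="wan1",
    srcaddr=["10.0.0.10/32"], dstaddr=["203.0.113.25/32"],
    service={"tcp/443"}, action="accept",
)

# Constructed flow: the internal host talking HTTPS to the external address.
FLOW = ("internal", "wan1", "10.0.0.10", "203.0.113.25", "tcp/443")


def only_any_any():
    """Only the any/any exists: the flow lands on it and gets all its profiles."""
    return evaluate([ANY_ANY], *FLOW)


def specific_above_any_any():
    """Specific policy sequenced above the any/any: it matches first, no profiles."""
    return evaluate([SPECIFIC, ANY_ANY], *FLOW)


def specific_below_any_any():
    """Specific policy sequenced below the any/any: shadowed, never matches."""
    return evaluate([ANY_ANY, SPECIFIC], *FLOW)


def unsolicited_inbound():
    """Reverse direction with no policy at all: implicit deny (ID 0) drops it."""
    return evaluate([SPECIFIC, ANY_ANY], "wan1", "internal",
                    "203.0.113.25", "10.0.0.10", "tcp/443")


if __name__ == "__main__":
    for fn in (only_any_any, specific_above_any_any,
               specific_below_any_any, unsolicited_inbound):
        print(f"{fn.__name__:26} -> {fn()}")
```

Running it prints which policy each constructed flow lands on. The difference polarpanda observed between the two real policies (the any/any carried security profiles, the specific one did not) shows up as the `profiles` part of the result, which is the part emnoc's `show full firewall policy <id>` would reveal on the real device.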