I am having a hard time figuring out how exactly a decision is taken when multiple UTM profiles and multiple rules are in play.
But let's have a simple example:
I have a HTTP request that goes into category "Information Technology".
However it is being allowed by the rule with the following security profile: Webfilter
* "Content Servers" -> Allow
* All the others (including "Information Technology") -> Monitor
1) What is the actual meaning of "Monitor" anyway?
2) If a rule contains multiple security profiles, where do I see exactly which one was matched, if the rule matched?
Is there some detailed documentation on this?
Thanks
Marki
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Usually you'd configure
* Group allow FTP
* Everyone allow HTTPSo, if Group doesn't match FTP then it will still do HTTP.
This is exactly what you do on FortiGate as well. You have two policies as you just defined:
1. One Policy allows FTP traffic from "Group" members.
2. Another policy, allows HTTP traffic for everyone
Someone in the "Group" trying to access a web page will not hit the FTP policy and they'll just go to the HTTP policy which is allowing it for all users.
Please do not get confused about Application Control and Services. Application Control allows you to apply NGFW functionality on top of your Firewall Policy. Services are used to select your policy. That is "FTP" is a service (TCP/21), and "HTTP" is a service (TCP/80), etc etc.
Once your HTTP policy is selected you can optionally have Web Filter, App Control, etc to further enforce or monitor the traffic in that policy.
It sounds like you are trying to restrict traffic using App Control and Web Filtering profiles. You need to use Services in the policy to do this.
So your policy for the Group will reference the Group as a source and TCP/21 as the service. (no one else will be allowed to use FTP).
Your policy to allow Proxy.HTTP will reference HTTP (TCP/80) as the service and have an optional Web Filter profile attached to it. If you're not trying to restrict or block or monitor Web categories or URLs you don't need a profile.
To block sites please use ISDB, TCP/UDP Services and/or Address Objects and do not use App Control or other security profiles. App Control profiles should be applied holistically to an entire user class. That is, each class of users ideally has just one Application Profile, one Web Profile, etc.
So for your VIP users use ISDB object to block Dropbox and that's it. No profiles needed. This policy will only hit when VIP try to go to Dropbox. You can use wildcard address objects but not as effective.
And please remember your more specific rules will always go at the top. So blocking of Dropbox will hit before anything else because it's more specific. Therefore it does not matter if the broader "allow all" rule allows Dropbox because if a VIP user is hitting the broader rule they will only be doing so if the traffic is *not* Dropbox (as it would have otherwise been blocked by the more specific policy).
There are no best practice docs as far as I know that talk about policy creation. I would assume because there is no best practice. Not everyone will have VIP users or the same restrictions necessarily. All we can do is learn how the Firewall works in terms of policy lookups and application of security profiles, etc and go from there.
I suggest you read through the Admin Guide and also check out NSE 4 and NSE 7 training courses which are 100% free of charge.
You need to order your policies from most specific to least specific. The first policy in the list that matches will win and the rest will be ignored. So that's how the firewall picks the policy.
Here's some relevant documentation: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/656084/firewall-policy
Also note that per the above link, policies are picked on a number of criteria that do not include security profiles. Security Profiles are applied to policies after they are selected and not part of the decision criteria.
Therefore your HTTP request is probably being matched by thte Content Servers rule because the policies have similar criteria and the Content Servers policy is higher in the list.
To answer your specific questions:
1. Monitor means categories in the Web Filter profile that are matched will be logged but still allowed.
2. A rule can only contain one profile of each type. You cannot have a rule with two Web Filter profiles. To see which rule was matched you can review your traffic logs and security (utm) logs or your session table. Some details in these docs:
https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/738890/log-and-report
https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/615462/url-filter
https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/562859/using-a-session-table
Hmm, consider the following scenario:
* All users are supposed to be allowed to use Proxy.HTTP application
* A certain group of users *additionally* is allowed to do FTP
Usually you'd configure
* Group allow FTP
* Everyone allow HTTP
So, if Group doesn't match FTP then it will still do HTTP.
On this platform I have to
* Group allow FTP and HTTP (because I cannot just exclude HTTP from being decided upon at this stage)
* Everyone allow HTTP
But if I change the Appctrl profile for "Everyone" in the future, I would have to remember to change the Appctrl profile for "Group" too, otherwise they won't have the same general access.
That's kind of weird.
Usually you'd configure
* Group allow FTP
* Everyone allow HTTPSo, if Group doesn't match FTP then it will still do HTTP.
This is exactly what you do on FortiGate as well. You have two policies as you just defined:
1. One Policy allows FTP traffic from "Group" members.
2. Another policy, allows HTTP traffic for everyone
Someone in the "Group" trying to access a web page will not hit the FTP policy and they'll just go to the HTTP policy which is allowing it for all users.
Please do not get confused about Application Control and Services. Application Control allows you to apply NGFW functionality on top of your Firewall Policy. Services are used to select your policy. That is "FTP" is a service (TCP/21), and "HTTP" is a service (TCP/80), etc etc.
Once your HTTP policy is selected you can optionally have Web Filter, App Control, etc to further enforce or monitor the traffic in that policy.
It sounds like you are trying to restrict traffic using App Control and Web Filtering profiles. You need to use Services in the policy to do this.
So your policy for the Group will reference the Group as a source and TCP/21 as the service. (no one else will be allowed to use FTP).
Your policy to allow Proxy.HTTP will reference HTTP (TCP/80) as the service and have an optional Web Filter profile attached to it. If you're not trying to restrict or block or monitor Web categories or URLs you don't need a profile.
Alternatively, you have two policies, one for members in the "Group" and one for everyone that allow all traffic. Now you can use separate security profiles to restrict what those users can access. One App Control profile for "Group" members and one for "Everyone" applied to the relevant FW Policy.
Hello,
So if I want to do the following, how do I do it without losing overview of my rules?
All users have access to everything, restricted by webfilter and appcontrol:
* Source: IP/Usergroup
* Destination: all
* Service: HTTP/HTTPS
* Security Profiles: WEB & APP
Now I have VIP users that should be able to use box.com, but not dropbox.com.
So I guess I have to add a rule before the rule above:
* Source: VipUsers
* Destination: ? I cannot use "Destination: *.box.com" since I don't know if that is the only domain box.com are using. This is AppControl's job anyway.
* Service: HTTP/HTTPS
* Security Profiles: ? Since this is the only rule that will ever match for this user, I would have to copy the generic rule settings (see above) and add "Application: Box" to it.
But it is more complicated:
* Since there is a WebFilter in place I'd have to allow "File Sharing" category.
* However, is seems that would also allow Dropbox besides Box.com. AppControl wouldn't block Dropbox anymore, as Webfilter already allows it.
* Also, if the generic AppControl profile changes, I'd have to remember to adapt the other more specific AppControl profiles, since there is no inheritance.
--> How do I simply add an exception for a specific user/group/IP, while not breaking everything else potentially?
Is there some best practice document how to create efficient policies?
Thanks.
To block sites please use ISDB, TCP/UDP Services and/or Address Objects and do not use App Control or other security profiles. App Control profiles should be applied holistically to an entire user class. That is, each class of users ideally has just one Application Profile, one Web Profile, etc.
So for your VIP users use ISDB object to block Dropbox and that's it. No profiles needed. This policy will only hit when VIP try to go to Dropbox. You can use wildcard address objects but not as effective.
And please remember your more specific rules will always go at the top. So blocking of Dropbox will hit before anything else because it's more specific. Therefore it does not matter if the broader "allow all" rule allows Dropbox because if a VIP user is hitting the broader rule they will only be doing so if the traffic is *not* Dropbox (as it would have otherwise been blocked by the more specific policy).
There are no best practice docs as far as I know that talk about policy creation. I would assume because there is no best practice. Not everyone will have VIP users or the same restrictions necessarily. All we can do is learn how the Firewall works in terms of policy lookups and application of security profiles, etc and go from there.
I suggest you read through the Admin Guide and also check out NSE 4 and NSE 7 training courses which are 100% free of charge.
Created on 01-16-2023 04:41 AM Edited on 01-16-2023 04:44 AM
I didn't even realize there was another DB besides Webfilter and Appcontrol, namely "internet services".... :flushed_face:
Thanks for all the valuable information so far.
UPDATE Oh that's because they are not shown on the quick edit pane. You have to edit the policy rule and in there you only see the different tabs "Address", "IPv6", "Internet Service"...
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.