jammac
New Contributor III

How exactly are security profiles matched?

I am having a hard time figuring out how exactly a decision is taken when multiple UTM profiles and multiple rules are in play.

 

But let's have a simple example:

 

I have an HTTP request that falls into the category "Information Technology".

However, it is being allowed by the rule with the following Web Filter security profile:
* "Content Servers" -> Allow
* All the others (including "Information Technology") -> Monitor

 

1) What is the actual meaning of "Monitor" anyway?

 

2) If a rule contains multiple security profiles, where do I see exactly which one was matched, if the rule matched?

 

Is there some detailed documentation on this?

 

Thanks

Marki

gfleming
Staff

You need to order your policies from most specific to least specific. The first policy in the list that matches will win and the rest will be ignored. So that's how the firewall picks the policy.

 

Here's some relevant documentation: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/656084/firewall-policy

 

Also note that per the above link, policies are picked on a number of criteria that do not include security profiles. Security Profiles are applied to policies after they are selected and not part of the decision criteria.

 

Therefore your HTTP request is probably being matched by the Content Servers rule because the policies have similar criteria and the Content Servers policy is higher in the list.

 

To answer your specific questions:

 

1. Monitor means categories in the Web Filter profile that are matched will be logged but still allowed.

 

2. A rule can only contain one profile of each type. You cannot have a rule with two Web Filter profiles. To see which rule was matched you can review your traffic logs and security (utm) logs or your session table. Some details in these docs:

 

https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/738890/log-and-report

 

https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/615462/url-filter

 

https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/562859/using-a-session-table

Cheers,
Graham
jammac
New Contributor III

Hmm, consider the following scenario:

* All users are supposed to be allowed to use Proxy.HTTP application
* A certain group of users *additionally* is allowed to do FTP

 

Usually you'd configure

* Group allow FTP
* Everyone allow HTTP

So, if Group doesn't match FTP then it will still do HTTP.

 

On this platform I have to

* Group allow FTP and HTTP (because I cannot just exclude HTTP from being decided upon at this stage)
* Everyone allow HTTP

 

But if I change the Appctrl profile for "Everyone" in the future, I would have to remember to change the Appctrl profile for "Group" too, otherwise they won't have the same general access.

That's kind of weird.

gfleming


Usually you'd configure

* Group allow FTP
* Everyone allow HTTP

So, if Group doesn't match FTP then it will still do HTTP.

This is exactly what you do on FortiGate as well. You have two policies as you just defined:

1. One Policy allows FTP traffic from "Group" members.

2. Another policy, allows HTTP traffic for everyone

 

Someone in the "Group" trying to access a web page will not hit the FTP policy and they'll just go to the HTTP policy which is allowing it for all users.

 

Please do not get confused about Application Control and Services. Application Control allows you to apply NGFW functionality on top of your Firewall Policy. Services are used to select your policy. That is, "FTP" is a service (TCP/21), and "HTTP" is a service (TCP/80), etc.

 

Once your HTTP policy is selected you can optionally have Web Filter, App Control, etc to further enforce or monitor the traffic in that policy. 

 

It sounds like you are trying to restrict traffic using App Control and Web Filtering profiles. You need to use Services in the policy to do this. 

 

So your policy for the Group will reference the Group as a source and TCP/21 as the service. (no one else will be allowed to use FTP). 

 

Your policy to allow Proxy.HTTP will reference HTTP (TCP/80) as the service and have an optional Web Filter profile attached to it. If you're not trying to restrict, block or monitor Web categories or URLs you don't need a profile.

 

 

 

Cheers,
Graham
gfleming

Alternatively, you have two policies, one for members in the "Group" and one for everyone that allow all traffic. Now you can use separate security profiles to restrict what those users can access. One App Control profile for "Group" members and one for "Everyone" applied to the relevant FW Policy.

Cheers,
Graham
jammac
New Contributor III

Hello,

 

So if I want to do the following, how do I do it without losing the overview of my rules?

 

All users have access to everything, restricted by webfilter and appcontrol:
* Source: IP/Usergroup
* Destination: all
* Service: HTTP/HTTPS
* Security Profiles: WEB & APP

 

Now I have VIP users that should be able to use box.com, but not dropbox.com.

So I guess I have to add a rule before the rule above:
* Source: VipUsers
* Destination: ? I cannot use "Destination: *.box.com" since I don't know if that is the only domain box.com is using. This is AppControl's job anyway.
* Service: HTTP/HTTPS
* Security Profiles: ? Since this is the only rule that will ever match for this user, I would have to copy the generic rule settings (see above) and add "Application: Box" to it.

 

But it is more complicated:
* Since there is a WebFilter in place I'd have to allow "File Sharing" category.
* However, it seems that would also allow Dropbox besides Box.com. AppControl wouldn't block Dropbox anymore, as Webfilter already allows it.
* Also, if the generic AppControl profile changes, I'd have to remember to adapt the other more specific AppControl profiles, since there is no inheritance.

 

--> How do I simply add an exception for a specific user/group/IP, while not breaking everything else potentially?

 

Is there some best practice document on how to create efficient policies?

 

Thanks.

gfleming

To block sites please use ISDB, TCP/UDP Services and/or Address Objects and do not use App Control or other security profiles. App Control profiles should be applied holistically to an entire user class. That is, each class of users ideally has just one Application Profile, one Web Profile, etc.

 

So for your VIP users use an ISDB object to block Dropbox and that's it. No profiles needed. This policy will only hit when VIPs try to go to Dropbox. You can use wildcard address objects, but they are not as effective.

 

And please remember your more specific rules will always go at the top. So blocking of Dropbox will hit before anything else because it's more specific. Therefore it does not matter if the broader "allow all" rule allows Dropbox because if a VIP user is hitting the broader rule they will only be doing so if the traffic is *not* Dropbox (as it would have otherwise been blocked by the more specific policy).

 

There are no best practice docs as far as I know that talk about policy creation. I would assume because there is no best practice. Not everyone will have VIP users or the same restrictions necessarily. All we can do is learn how the Firewall works in terms of policy lookups and application of security profiles, etc and go from there.

 

I suggest you read through the Admin Guide and also check out NSE 4 and NSE 7 training courses which are 100% free of charge.

Cheers,
Graham
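The first-match policy lookup Graham describes above (profiles are not part of the selection, "Monitor" logs but still allows) and the specific-before-broad ordering from his later reply, modelled as an added example; this is not Fortinet's code or the firewall's actual matching logic, and the policy ids, group names, object labels and categories are constructed.

```python
# Added example, not Fortinet code: a small model of FortiGate policy lookup
# (first match, top-down, on source/service/destination only) followed by
# application of the web filter profile attached to the winning policy.
from dataclasses import dataclass, field

@dataclass
class Policy:
    policyid: int
    srcs: set             # user groups; {"all"} matches everyone
    services: set         # e.g. {"HTTP", "HTTPS"}
    dests: set            # address/ISDB objects; {"all"} matches any destination
    action: str           # "accept" or "deny"
    webfilter: dict = field(default_factory=dict)  # category -> allow/monitor/block
    default_wf: str = "allow"                      # action for categories not listed

@dataclass
class Packet:
    groups: set           # groups the authenticated user belongs to
    service: str
    dest: str             # destination object label (constructed)
    category: str         # web filter category of the request

def lookup(policies, pkt):
    """First policy whose criteria match wins; security profiles play no part."""
    for p in policies:
        if (("all" in p.srcs or pkt.groups & p.srcs)
                and pkt.service in p.services
                and ("all" in p.dests or pkt.dest in p.dests)):
            return p
    return None  # no match: implicit deny

def evaluate(policies, pkt):
    """Return what the traffic log (policyid, action) and UTM log would show."""
    p = lookup(policies, pkt)
    if p is None or p.action == "deny":
        return {"policyid": p.policyid if p else 0, "action": "deny", "utm": None}
    wf = p.webfilter.get(pkt.category, p.default_wf)
    # "monitor" is logged but still allowed; only "block" changes the verdict
    utm = None if wf == "allow" else {"category": pkt.category, "action": wf}
    return {"policyid": p.policyid, "action": "deny" if wf == "block" else "accept", "utm": utm}

# Constructed policy table for the thread's scenario: the specific ISDB block for
# VIP users sits above the broad allow-all policy with its web filter profile.
POLICIES = [
    Policy(10, {"VipUsers"}, {"HTTP", "HTTPS"}, {"Dropbox"}, "deny"),
    Policy(20, {"all"}, {"HTTP", "HTTPS"}, {"all"}, "accept",
           webfilter={"Content Servers": "allow"}, default_wf="monitor"),
]
```

Reordering the two entries in POLICIES lets the broad policy win for VIP Dropbox traffic, which is the failure mode the ordering advice is about.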
jammac
New Contributor III

I didn't even realize there was another DB besides Webfilter and Appcontrol, namely "Internet Services"...
Thanks for all the valuable information so far.

 

UPDATE: Oh, that's because they are not shown on the quick edit pane. You have to edit the policy rule, and only in there do you see the different tabs "Address", "IPv6", "Internet Service"...
