Hello,
I am not very practised with FortiGate and I am analyzing the company firewall policies, so I would like to know the meaning of the policies in the attached file.
The direction of the policies is IN >> OUT
Thank you
--
Nicola
Those policies are the policies saying what traffic uses what tunnel.
Policy-based VPNs use that (I prefer interface-based) to make traffic traverse.
With route-based (interface-based) VPNs you would have a route saying where the interesting traffic goes, and then your policy would be INSIDE to IPSEC_INTERFACE_NAME, etc.
Mike Pruett
Maybe I understand what you are saying.
Is it correct to interpret these policies as permission for client-to-site VPNs from inside the LAN towards remote VPN terminators?
We have what you call route-based (interface-based) VPNs, but isn't that a site-to-site VPN (which is a different thing compared to client-to-site)?
IPSEC_INTERFACE_NAME is a virtual interface that is bound to the OUTSIDE (real) interface: correct?
Thank you.
--
Nicola
As it is your first time configuring an IPsec VPN on a FortiGate device, I recommend you take care of the following:
Phase 1: NAT traversal must be enabled or disabled on both sides, depending on what the two parties agreed (don't forget the normal config).
Phase 2: take care that PFS is enabled or disabled on both sides, depending on what the two parties agreed (don't forget the normal config).
Routing is important to add, and I prefer to add a static route.
In phase 2 it is clear that you add your servers' IPs as the source, and the destination contains the customer's server IPs.
In the policy you have to put the reverse, based on the direction:
Example: in the policy you add the customer IPs as the source and your IPs as the destination.
But if the direction is "in to out", then the policy will be "your IPs as the source, customer IPs as the destination".
I hope the above comments give you a clear idea.
Naama Salim Al-siyabi
It's not very clear.
Anyway, I can ask about concrete cases.
For example, in a site-to-site VPN I have this policy:
VPN --> INSIDE source: 10.50.237.102 destination: 10.128.4.44 service: RDP
Don't I need to put the reverse policy too:
INSIDE --> VPN source: 10.128.4.44 destination: 10.50.237.102 service: ANY ?
You only need a policy to allow traffic from the initiator. So if devices behind FortiGate A are going to be initiating traffic you would have
FortiGate A: INSIDE to VPN policy for traffic to flow
FortiGate B: VPN to INSIDE policy for traffic to come through
From there the reverse traffic will come back because the session table knows it is the return traffic for that initial communication.
Mike Pruett
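The concrete case above (the remote host 10.50.237.102 initiating RDP to 10.128.4.44 through a route-based tunnel), written out as FortiOS CLI on Nicola's side; this is an added example, not configuration from any post in the thread. The interface names VPN and INSIDE, the address-object names, the /32 host route and the policy name are assumptions.

```fortios
# Route-based (interface-based) IPsec: the phase 1 interface "VPN" is a virtual
# interface bound to the physical OUTSIDE interface (assumed interface names).

# 1. Route: tell the FortiGate which traffic belongs in the tunnel.
config router static
    edit 0
        # /32 host route is an assumption; use the real remote subnet in practice
        set dst 10.50.237.102 255.255.255.255
        set device "VPN"
    next
end

# 2. Address objects referenced by the policy (object names are assumptions).
config firewall address
    edit "remote-10.50.237.102"
        set subnet 10.50.237.102 255.255.255.255
    next
    edit "inside-10.128.4.44"
        set subnet 10.128.4.44 255.255.255.255
    next
end

# 3. One policy, in the direction of the initiator only (VPN -> INSIDE, RDP).
#    Reply packets from 10.128.4.44 match the session entry created by the
#    first packet, so no INSIDE -> VPN policy is needed for this flow.
config firewall policy
    edit 0
        set name "vpn-to-inside-rdp"
        set srcintf "VPN"
        set dstintf "INSIDE"
        set srcaddr "remote-10.50.237.102"
        set dstaddr "inside-10.128.4.44"
        set action accept
        set schedule "always"
        set service "RDP"
        set logtraffic all
    next
end
# Anything not matched by an explicit policy is dropped by the implicit deny.
```

If hosts on the INSIDE side must also open connections towards 10.50.237.102, that is a separate initiator and needs its own INSIDE -> VPN policy restricted to the services they actually use.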
Thank you.
This is an important concept about firewall paradigms.
Sometimes this is misunderstood.
Another important paradigm is (I am asking) that traffic from and to the outside is denied by default unless you set the rules. Is that correct?
Deny by default is the best way to operate. Traffic shouldn't traverse unless you explicitly allow it yourself.
Mike Pruett
Hello,
Can you explain to me what NAT traversal is?
Thank you.
https://en.wikipedia.org/wiki/NAT_traversal
That will give you the skinny on NAT Traversal
Mike Pruett