Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
nikolaj
New Contributor

IPSEC IN to OUT

Hello,

I am not very practice with Fortigate and I am analyzing the company firewall policies, so I would like to know the meaning of the policies in the attached file.

The direction of the policies is IN >> OUT

Thank you

--

Nicola

1 Solution
MikePruett
Valued Contributor

You only need a policy to allow traffic from the initiator. So if devices behind FortiGate A are going to be initiating traffic you would have

 

FortiGate A: INSIDE to VPN policy for traffic to flow

FortiGate B: VPN to INSIDE policy for traffic to come through

 

from there the reverse traffic will come back due to the session tables knowing they are the return traffic to that initial communication.

View solution in original post

Mike Pruett Fortinet GURU | Fortinet Training Videos
13 REPLIES 13
MikePruett
Valued Contributor

Those policies are the policies saying what traffic uses what tunnel.

 

Policy based VPNs use that (I prefer interface based) to make traffic traverse.

 

Route based (interface based) you would have a route saying where the interesting traffic goes and then your policy would be inside to IPSEC_INTERFACE_NAME etc

Mike Pruett Fortinet GURU | Fortinet Training Videos
nikolaj

Maybe I understand what you are saying.

It's correct interpreting these policies as a permission for client-to-site VPNs from inside the LAN towards remote VPN terminators?

We have what you call route based (interface based) VPNs, but isnt't it a site-to-site VPN (which is a different thing compared to client-to-site)?

IPSEC_INTERFACE_NAME is a virtual interface that insist on to OUTSIDE (real) interface: correct?

Thank you.

--

Nicola

 

naama
New Contributor

as it is your first time to configure VPN ipsec in fortigate device then Iam recommended you to take care of below:

Phase1- NAT Traversal must be enable or disable in both side depends on two-party agreed.(dont forget normal config)

Phase2- take care of PFS must be enable or disable in both side depends on two-party agreed, (dont forget normal config)

-Routeing is important to be add , and I prefer to add static route.

In phase 2 it is clear to add your servers ips as a source and  the destination:contains customer servers ips.

in the policy you have to put reverse step based on the direction :

example : in the policy you add customer ips as a source, your ips as destination . 

but if the direction"in to out"then the policy will be"your ips as a source, customer ips  as destination"

I hope the above comments can give you clear idea

Naama Salim Al-siyabi

 

Naama Salim Al-siyabi
nikolaj
New Contributor

It's not very clear.

Anyway I can ask about concrete cases.

For example in a VPN site-to-site I have this policy:

VPN --> INSIDE source: 10.50.237.102 destination: 10.128.4.44 service: RDP

I don't need to put the reverse policy:

INSIDE --> VPN source: 10.128.4.44 destination: 10.50.237.102 service: ANY ?

 

MikePruett
Valued Contributor

You only need a policy to allow traffic from the initiator. So if devices behind FortiGate A are going to be initiating traffic you would have

 

FortiGate A: INSIDE to VPN policy for traffic to flow

FortiGate B: VPN to INSIDE policy for traffic to come through

 

from there the reverse traffic will come back due to the session tables knowing they are the return traffic to that initial communication.

Mike Pruett Fortinet GURU | Fortinet Training Videos
nikolaj

Thank you.

This is an important concept about firewall paradigms.

Sometimes this is misunderstood.

Another important paradigm is (I am asking) that traffic from and to the outside is denied by default unless you set the rules. Is it correct?

MikePruett
Valued Contributor

Deny By Default is the best way to operate. Traffic shouldn't traverse unless you explicity allow it yourself.

Mike Pruett Fortinet GURU | Fortinet Training Videos
nikolaj

Hello,

Can you explain me what is NAT traversal?

Thank you.

MikePruett
Valued Contributor

https://en.wikipedia.org/wiki/NAT_traversal

 

That will give you the skinny on NAT Traversal

Mike Pruett Fortinet GURU | Fortinet Training Videos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors