Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sims
New Contributor III

Created on ‎08-10-2020 12:31 AM

Policy direction

Hi, Interface1 interface2

I have created the policy source is interface 1 and destination is interface 2

Why do I have to create a policy in reverse direction ( I mean source is interface 2 and destination is interface 1)

Thanks

 

2843
0 Kudos
2 Solutions
James_G
Contributor III

Created on ‎08-10-2020 01:36 AM

sims wrote:

 

 

Why do I have to create a policy in reverse direction ( I mean source is interface 2 and destination is interface 1)

 

Umm, you don't, unless you have sessions starting from interface 2

 

Too little info here to help

View solution in original post

2016
0 Kudos
lobstercreed
Valued Contributor
In response to sims

Created on ‎08-12-2020 04:09 AM

Of course not, as James said.  Unless the server A in VLAN 101 initiates connections to client A in VLAN 100, no policy in the reverse direction would be needed.  That's one of the most basic things that should be understood about stateful firewalls. 

 

If you're defining stateless ACLs (like on a Cisco switch or something) then you need all that reverse stuff, but the whole point of firewalls is that they are far superior to that.

View solution in original post

2016
0 Kudos
3 REPLIES 3
James_G
Contributor III

Created on ‎08-10-2020 01:36 AM

sims wrote:

 

 

Why do I have to create a policy in reverse direction ( I mean source is interface 2 and destination is interface 1)

 

Umm, you don't, unless you have sessions starting from interface 2

 

Too little info here to help

2017
0 Kudos
sims
New Contributor III
In response to James_G

Created on ‎08-12-2020 02:21 AM

Hi,

Sorry for the confusion . 

My question was this client A from VLAN100 is accessing 443 on server A which is in VLAN 101,

in that case do I need reverse policy from VLAN 101 to VLAN 100 

sorry for my english 

Thanks

 

 

 

 

 

1981
0 Kudos
lobstercreed
Valued Contributor
In response to sims

Created on ‎08-12-2020 04:09 AM

Of course not, as James said.  Unless the server A in VLAN 101 initiates connections to client A in VLAN 100, no policy in the reverse direction would be needed.  That's one of the most basic things that should be understood about stateful firewalls. 

 

If you're defining stateless ACLs (like on a Cisco switch or something) then you need all that reverse stuff, but the whole point of firewalls is that they are far superior to that.

2017
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.