Policy order
Hi,
it appears to me that setting the firewall policies generating the largest traffic volumes on top of the rule set would make most sense. However, this is not mentioned in the "Forti OS Handbook - Firewall" nor in any best practice document I've found. Is this of no concern or is it even so obvious that it is not mentioned?
Thanks!
Ueli
Hi Ueli, it's (more or less) of concern (depends on traffic/model) and it still makes sense.
Best,
Markus
--- NSE 4 ---
A few important notes on this.
If your policies are all specified by interface --> interface (that is, you don't have policies that include "any" interface) then I think (others may correct me) that the FortiGate can quickly focus on just the rules for the incoming and outgoing interface.
Probably obvious, but remember that though you can try to have policies that involve larger traffic volumes listed earlier, you must have the more specific rules come before more general rules, otherwise the more specific rules won't get matched.
Hi there!
You're correct, fernet17. You can find the same criteria in this official document:
https://docs.fortinet.com/uploaded/files/1954/Best_Practices_52.pdf
Page 20:
"...Arrange firewall policies in the policy list from more specific to more general. The firewall searches for a matching policy starting from the top of the policy list and working down. For example, a very general policy matches all connection attempts. When you create exceptions to a general policy, you must add them to the policy list above the general policy..."
Hope it helps!
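To illustrate the two points raised above (fernet17's interface-pair matching and the handbook's "specific before general" rule), here is an added example, not from the thread or from Fortinet: a simplified top-down, first-match policy lookup plus a check that reports policies made unreachable by an earlier, broader one. The policy names, interfaces and subnets are constructed sample values, and the matcher is a simplification of how a FortiGate actually evaluates policies.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str   # "any" matches every incoming interface
    dstintf: str   # "any" matches every outgoing interface
    src: str       # source subnet in CIDR notation
    dst: str       # destination subnet in CIDR notation
    service: str   # e.g. "TCP/445"; "ALL" matches any service
    action: str    # "accept" or "deny"

    def matches(self, srcintf, dstintf, src, dst, service):
        # Interface pair is tested first, so policies for other pairs are skipped cheaply.
        return (self.srcintf in ("any", srcintf)
                and self.dstintf in ("any", dstintf)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.service in ("ALL", service))


def first_match(policies, srcintf, dstintf, src, dst, service):
    """Top-down, first-match lookup; no match means implicit deny."""
    for p in policies:
        if p.matches(srcintf, dstintf, src, dst, service):
            return p.name
    return "implicit-deny"


def covers(general, specific):
    """True if every flow matched by `specific` is also matched by `general`."""
    return (general.srcintf in ("any", specific.srcintf)
            and general.dstintf in ("any", specific.dstintf)
            and ip_network(specific.src).subnet_of(ip_network(general.src))
            and ip_network(specific.dst).subnet_of(ip_network(general.dst))
            and general.service in ("ALL", specific.service))


def shadowed(policies):
    """Names of policies that can never match because an earlier policy covers them."""
    return [p.name for i, p in enumerate(policies)
            if any(covers(q, p) for q in policies[:i])]


# Constructed sample: a broad LAN-to-WAN accept and a narrow exception
# meant to block SMB from the guest subnet (assumed names and addresses).
GENERAL = Policy("lan-to-wan-all", "port1", "wan1", "10.0.0.0/8", "0.0.0.0/0", "ALL", "accept")
EXCEPTION = Policy("block-guest-smb", "port1", "wan1", "10.10.0.0/16", "0.0.0.0/0", "TCP/445", "deny")
WRONG_ORDER = [GENERAL, EXCEPTION]   # exception sits below the policy that covers it
RIGHT_ORDER = [EXCEPTION, GENERAL]   # exception above the general policy, as the handbook says
```

With `WRONG_ORDER`, a guest SMB flow such as `first_match(WRONG_ORDER, "port1", "wan1", "10.10.5.20", "203.0.113.9", "TCP/445")` is accepted by `lan-to-wan-all` and `shadowed(WRONG_ORDER)` reports `block-guest-smb`; with `RIGHT_ORDER` the same flow hits the deny and nothing is shadowed.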
fernet17 wrote:
What is being missed here is the assumption that the most general policy(s) is also the largest volume policy. We need to compare apples to apples. The amount of volume may not necessarily be the most general policy. The amount of volume a policy handles shouldn't be the basis of your criteria for ordering policies.
Hi,
it appears to me that setting the firewall policies generating the largest traffic volumes on top of the rule set would make most sense. However, this is not mentioned in the "Forti OS Handbook - Firewall" nor in any best practice document I've found. Is this of no concern or is it even so obvious that it is not mentioned?
Thanks!
Ueli
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Agreed.
Example: I could have a file transfer that generates tons of volume (SMB/SFTP/FTP/NFS/etc.), but that does not make it the more general policy.
2nd example:
In my day job we have fw policies in excess of 40k secs and sometimes 80k secs and numerous data (SQL); again, that does not make it the most general policy.
Just my 2cts input ;)
Ken
PCNSE
NSE
StrongSwan