Hi,
it appears to me that setting the firewall policies generating the largest traffic volumes on top of the rule set would make most sense. However, this is not mentioned in the "Forti OS Handbook - Firewall" nor in any best practice document I've found. Is this of no concern or is it even so obvious that it is not mentioned?
Thanks!
Ueli
Hi Ueli, it's (more or less) of concern (depends on traffic/model) and it still makes sense.
Best,
Markus
________________________________________________________
--- NSE 4 ---
________________________________________________________
A few important notes on this.
If your policies are all specified by interface --> interface (that is, you don't have policies that include "any" interface) then I think (others may correct me) that the FortiGate can quickly focus on just the rules for the incoming and outgoing interface.
Probably obvious, but remember that though you can try to have policies that involve larger traffic volumes listed earlier, you must have the more specific rules come before more general rules, otherwise the more specific rules won't get matched.
Hi there!
You're correct, fernet17. You can find the same criteria in this official document:
https://docs.fortinet.com/uploaded/files/1954/Best_Practices_52.pdf
Page 20:
"...Arrange firewall policies in the policy list from more specific to more general. The firewall searches for a matching policy starting from the top of the policy list and working down. For example, a very general policy matches all connection attempts. When you create exceptions to a general policy, you must add them to the policy list above the general policy..."
Hope it helps!
fernet17 wrote:
What is being missed here is the assumption that the most general policy(s) is also the largest volume policy. We need to compare apples to apples. The amount of volume may not necessarily be the most general policy. The amount of volume a policy handles shouldn't be the basis of your criteria for ordering policies.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Agreed,
Example: I could have file transfers that generate tons of volume (SMB/SFTP/FTP/NFS/etc.), but that does not make it the more general policy.
2nd example:
In my day job we have fw policies in excess of 40k secs and sometimes 80k sec and numerous data (SQL); again, that does not make it the most general policy.
just my 2cts input ;)
Ken
PCNSE
NSE
StrongSwan
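The two rules the thread converges on (first match wins, specific before general, and volume only as a secondary criterion) can be checked mechanically. The following is an added example of mine, not code from the thread or from Fortinet: a small Python model of first-match policy lookup with a constructed policy list; `Policy`, `covers`, `shadowed`, `reorder_by_volume` and the interface/address values are all assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass
class Policy:
    name: str
    srcintf: str   # "any" or an interface name
    dstintf: str
    src: str       # source CIDR
    dst: str       # destination CIDR
    action: str
    volume: int    # observed bytes; constructed numbers below

def covers(a: Policy, b: Policy) -> bool:
    """True if every packet b would match also matches a (a is at least as general)."""
    return (a.srcintf in ("any", b.srcintf) and a.dstintf in ("any", b.dstintf)
            and ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst)))

def shadowed(policies):
    """Names of policies that can never match because an earlier policy covers them."""
    return [p.name for i, p in enumerate(policies)
            if any(covers(q, p) for q in policies[:i])]

def naive_by_volume(policies):
    """Pure volume ordering: ignores specificity, so exceptions can get buried."""
    return sorted(policies, key=lambda p: -p.volume)

def reorder_by_volume(policies):
    """Volume ordering that keeps every policy above any more general policy
    covering it: each policy is placed as low as its volume allows, but never
    below an already placed policy that would shadow it."""
    ordered = []
    for p in sorted(policies, key=lambda x: -x.volume):
        pos = len(ordered)
        for i, q in enumerate(ordered):
            if covers(q, p):
                pos = i
                break
        ordered.insert(pos, p)
    return ordered

# Constructed policy list (not from the thread): a guest-VLAN deny exception
# sits above the general LAN-to-WAN accept, as the quoted best practice requires.
POLICIES = [
    Policy("block-guest-vlan", "port1", "port2", "10.0.50.0/24", "0.0.0.0/0", "deny", 2_000),
    Policy("lan-to-wan", "port1", "port2", "10.0.0.0/16", "0.0.0.0/0", "accept", 900_000_000),
    Policy("backup-to-nas", "port1", "port3", "10.0.10.0/24", "192.168.5.10/32", "accept", 5_000_000_000),
    Policy("dmz-to-wan", "port3", "port2", "192.168.5.0/24", "0.0.0.0/0", "accept", 100_000_000),
]

if __name__ == "__main__":
    print("original shadowed:", shadowed(POLICIES))
    print("naive by volume shadowed:", shadowed(naive_by_volume(POLICIES)))
    print("safe order:", [p.name for p in reorder_by_volume(POLICIES)])
```

Sorting purely by volume buries the guest-VLAN deny under the general LAN-to-WAN accept, so it never matches; the constrained reorder still moves the high-volume backup policy to the top but keeps the exception above the policy that covers it.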
Copyright 2024 Fortinet, Inc. All Rights Reserved.