Hello everyone!
Giving the following scenario:
I have two policies with the same source and destination "all", but each policy has a different Webfilter profile.
If a request doesn't match any url in the webfilter for the first policy, will this request be denied or the second policy will be evaluated?
I ask that because we are migrating policies from another firewall vendor to Fortigate and in that other vendor, there is some similares policy rules, with exact same source and destination "any", but with distincts URL Categories and all policies are evaluated until a match or the request is denied just on the implicit deny.
As I can see, the Fortigate will block the request in the first policy if no match in the Webfilter and will not evaluate the second policy, because it already have matched the first policy by source and destination address. Is that correct?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
it will match the first policy due to the destination and if it doesn't match the webfilter profile it will be blocked (or whatever is configured in the webfilter profile)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hey Gui,
sorry for only now getting back to you.
If you change the firewall mode to policy-based, that can significantly screw up your existing policies, so I would recommend against doing that if the FortiGate is in production. It would essentially be a redesign of all policies and applicable security profiles, not something you can test for five minutes and easily reverse.
If you are looking for your FortiGate to work like that in principle (traffic policies, and then separate security policies to apply webfilter/other UTM more granularly), I would suggest either a VDOM on your FortiGate, or a lab/VM/... FortiGate to test the options thoroughly and get familiar with policy-based mode, and only then make a decision whether to reconfigure your production FortiGate to work in policy-based mode.
With FGTs, you would need to concatenate, or merge, two Webfilter profiles into one then put it in one policy. I still don't know why you have to split it into two policies anyway. Can you tell us more about that?
Toshi
Hello Toshi.
We are migrating the rules from Palo Alto, and there are some rules with the same src and dest, but with different web filter profiles. I asking that just to confirm the Fortigate doesn't work in this way, once the flow will match only the first policy.
it will match the first policy due to the destination and if it doesn't match the webfilter profile it will be blocked (or whatever is configured in the webfilter profile)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
I hava a great article for you that can allow you to get maximum premium feature without spending money. So, visit here to explore it more Source
Hi.
Please follow the KBfor more details on How policy order in works on FortiGate
https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/497952/policy-views-and-policy-lookup
Best Regards,
Erlin
Hey gcarvalho,
you could consider looking into policy-based mode; that splits the security/UTM part into a separate policy. You would have one traffic policy (any->any, allow) and then one or more security policies where you can apply different webfilter profiles based on additional criteria. Have a look here:
https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/978598/profile-based-ngfw-vs-policy-bas...
Hi Debbie.
What is the impact changing the firewall mode from profile-based to policy-based in a Fortigate that is in production?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.