Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
gcarvalho
New Contributor III

Policy with Webfilter and Destination Any

Hello everyone!

 

Giving the following scenario:

I have two policies with the same source and destination "all", but each policy has a different Webfilter profile.

 

If a request doesn't match any url in the webfilter for the first policy, will this request be denied or the second policy will be evaluated?

 

I ask that because we are migrating policies from another firewall vendor to Fortigate and in that other vendor, there is some similares policy rules, with exact same source and destination "any", but with distincts URL Categories and all policies are evaluated until a match or the request is denied just on the implicit deny.

 

As I can see, the Fortigate will block the request in the first policy if no match in the Webfilter and will not evaluate the second policy, because it already have matched the first policy by source and destination address. Is that correct?

Cheers,
Gui
Cheers,Gui
2 Solutions
sw2090
Honored Contributor

it will match the first policy due to the destination and if it doesn't match the webfilter profile it will be blocked (or whatever is configured in the webfilter profile)

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

View solution in original post

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Debbie_FTNT

Hey Gui,

sorry for only now getting back to you.

If you change the firewall mode to policy-based, that can significantly screw up your existing policies, so I would recommend against doing that if the FortiGate is in production. It would essentially be a redesign of all policies and applicable security profiles, not something you can test for five minutes and easily reverse.

If you are looking for your FortiGate to work like that in principle (traffic policies, and then separate security policies to apply webfilter/other UTM more granularly), I would suggest either a VDOM on your FortiGate, or a lab/VM/... FortiGate to test the options thoroughly and get familiar with policy-based mode, and only then make a decision whether to reconfigure your production FortiGate to work in policy-based mode.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

View solution in original post

17 REPLIES 17
Debbie_FTNT

Hey Gui,

sorry for only now getting back to you.

If you change the firewall mode to policy-based, that can significantly screw up your existing policies, so I would recommend against doing that if the FortiGate is in production. It would essentially be a redesign of all policies and applicable security profiles, not something you can test for five minutes and easily reverse.

If you are looking for your FortiGate to work like that in principle (traffic policies, and then separate security policies to apply webfilter/other UTM more granularly), I would suggest either a VDOM on your FortiGate, or a lab/VM/... FortiGate to test the options thoroughly and get familiar with policy-based mode, and only then make a decision whether to reconfigure your production FortiGate to work in policy-based mode.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Conor3232
New Contributor

If a request does not match any URL in the webfilter profile specified in the first policy, the request will be evaluated based on the rules of that specific policy. If there is no explicit deny rule in the first policy, the default action would likely be to allow the traffic. In this case, the second policy may not be evaluated because the request has already been matched by the source and destination addresses of the first policy.

Toshi_Esumi
Esteemed Contributor III

I still think those current Palo Alto policies are not exactly the same not only the webfilter profiles, like applications and services, etc. And only one of them matches and be executed.

 

Toshi 

gcarvalho

@Toshi_Esumi ,

You are right. In Palo Alto there are differents Application (not services). But, even this different applications use the same ports (80 and 443). But, if the "application" in Palo Alto doesn't gives only the port used by application, but the ports and dest address, I think this is the case.

 

But in Fortigate we doesn't have the option Application same as PA.

 

An important point: This policies is not for users traffic/internet access, but is related to some devices accessing external resources to do software updates, dns sync, etc. There are a few static URLs allow list (with some wildcards) like for exemple *.windowsupdate.microsoft.com. So I think that in this case, if I copy the urls in the webfilter and create fqdn objects to add as destinations it will works. What do you think?

 

Cheers,
Gui
Cheers,Gui
Toshi_Esumi
Esteemed Contributor III

Last time, long time ago, when I tested PA-220 I didn't test that part of behavior. I guess I have to learn more about PAN.

 

To me, most of those requirements can be done by one policy in a way, and it would apply to your case. When the process hit that policy, it just look for the first match in all addresses and profiles. So should work fine.

 

Toshi

abarushka
Staff
Staff

Hello Gui,

 

Traffic is matching only single policy. For example firewall policy A and webfilter profile A1 and firewall policy B and webfilter profile B1. Traffic will hit either policy A or policy B, but not both. Therefore either webfilter profile A1 will applied or webfilter profile B1, but not both.

FortiGate
ede_pfau
SuperUser
SuperUser

To clarify:

- policies are matched on source interface, destination interface, source address, destination address and service ONLY. They are not matched on any UTM profile.

That is, if the traffic is matched on the first policy, the second one will never be evaluated.

 

This is different from PA where the web filter is part of the match criteria.

Regarding policy UTM mode, have a close look at the cited article. It forces you to enable Central NAT, among other stuff. This alone requires reworking your NAT policies which will not happen live on a production FGT.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
asifnaveed8527
New Contributor

In the context of network security a policy with a web filter and a destination set to any typiclly means that the policy will apply

Labels
Top Kudoed Authors