gcarvalho
New Contributor III

Policy with Webfilter and Destination Any

Hello everyone!

 

Giving the following scenario:

I have two policies with the same source and destination "all", but each policy has a different Webfilter profile.

 

If a request doesn't match any url in the webfilter for the first policy, will this request be denied or the second policy will be evaluated?

 

I ask that because we are migrating policies from another firewall vendor to FortiGate, and in that other vendor there are some similar policy rules, with exactly the same source and destination "any" but with distinct URL categories, and all policies are evaluated until a match, or the request is denied only by the implicit deny.

 

As I can see, the FortiGate will block the request in the first policy if there is no match in the web filter and will not evaluate the second policy, because it has already matched the first policy by source and destination address. Is that correct?

Cheers,
Gui
2 Solutions
sw2090
Honored Contributor

it will match the first policy due to the destination and if it doesn't match the webfilter profile it will be blocked (or whatever is configured in the webfilter profile)

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams


Debbie_FTNT

Hey Gui,

sorry for only now getting back to you.

If you change the firewall mode to policy-based, that can significantly screw up your existing policies, so I would recommend against doing that if the FortiGate is in production. It would essentially be a redesign of all policies and applicable security profiles, not something you can test for five minutes and easily reverse.

If you are looking for your FortiGate to work like that in principle (traffic policies, and then separate security policies to apply webfilter/other UTM more granularly), I would suggest either a VDOM on your FortiGate, or a lab/VM/... FortiGate to test the options thoroughly and get familiar with policy-based mode, and only then make a decision whether to reconfigure your production FortiGate to work in policy-based mode.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++


17 Replies
Toshi_Esumi
Esteemed Contributor III

With FGTs, you would need to concatenate, or merge, two Webfilter profiles into one then put it in one policy. I still don't know why you have to split it into two policies anyway. Can you tell us more about that?

 

Toshi

gcarvalho

Hello Toshi.

We are migrating the rules from Palo Alto, and there are some rules with the same src and dest but with different web filter profiles. I am asking just to confirm that the FortiGate doesn't work in this way, since the flow will match only the first policy.

Cheers,
Gui
gcarvalho
New Contributor III

Thank you very much, @sw2090 .

Cheers,
Gui
gcarvalho
New Contributor III

Thanks, @esalija 

Cheers,
Gui
Debbie_FTNT
Staff

Hey gcarvalho,

you could consider looking into policy-based mode; that splits the security/UTM part into a separate policy. You would have one traffic policy (any->any, allow) and then one or more security policies where you can apply different webfilter profiles based on additional criteria. Have a look here:
https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/978598/profile-based-ngfw-vs-policy-bas...

 

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
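Added example, not from the original post or from Fortinet documentation, of the policy-based layout Debbie describes: one traffic policy plus several security policies that differ only in their web filter profile. The syntax follows FortiOS 6.4-style policy-based mode as I understand it; the interface names, profile names and FortiGuard category IDs are assumptions, so verify the category numbers against your own FortiGuard category list before using them.

```fortios
# Switching NGFW mode rewrites how policies are evaluated; as noted in
# the thread, do this on a lab unit or a test VDOM, not on a production box.
config system settings
    set ngfw-mode policy-based
end

# Traffic policy: decides whether the flow is allowed at all (any->any here).
# SSL inspection is attached at this layer. Interface names are assumed.
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end

# Security policies: evaluated separately, first match wins, and each can
# match on URL category and carry its own web filter profile. This is the
# closest FortiGate equivalent to several same-src/same-dst vendor rules
# that differ only in URL category.
config firewall security-policy
    edit 1
        set name "block-risky-categories"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set url-category 26 61
        set action deny
        set logtraffic all
    next
    edit 2
        set name "everything-else-filtered"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set action accept
        set webfilter-profile "standard-webfilter"
        set logtraffic all
    next
end
```

Note that matching on URL category requires the FortiGate to see the hostname or URL, so for HTTPS traffic the SSL inspection profile on the traffic policy must at least be certificate inspection; without it the category-based security policy cannot be evaluated for encrypted flows.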
gcarvalho

Hi Debbie.

What is the impact changing the firewall mode from profile-based to policy-based in a Fortigate that is in production?

Cheers,
Gui