- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiADC
- FortiAnalyzer
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Policy with Webfilter and Destination Any
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Policy with Webfilter and Destination Any
Hello everyone!
Giving the following scenario:
I have two policies with the same source and destination "all", but each policy has a different Webfilter profile.
If a request doesn't match any url in the webfilter for the first policy, will this request be denied or the second policy will be evaluated?
I ask that because we are migrating policies from another firewall vendor to Fortigate and in that other vendor, there is some similares policy rules, with exact same source and destination "any", but with distincts URL Categories and all policies are evaluated until a match or the request is denied just on the implicit deny.
As I can see, the Fortigate will block the request in the first policy if no match in the Webfilter and will not evaluate the second policy, because it already have matched the first policy by source and destination address. Is that correct?
Cheers,
Gui
Gui
Solved! Go to Solution.
Cheers,Gui
Labels:
- Labels:
-
FortiGate
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it will match the first policy due to the destination and if it doesn't match the webfilter profile it will be blocked (or whatever is configured in the webfilter profile)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Gui,
sorry for only now getting back to you.
If you change the firewall mode to policy-based, that can significantly screw up your existing policies, so I would recommend against doing that if the FortiGate is in production. It would essentially be a redesign of all policies and applicable security profiles, not something you can test for five minutes and easily reverse.
If you are looking for your FortiGate to work like that in principle (traffic policies, and then separate security policies to apply webfilter/other UTM more granularly), I would suggest either a VDOM on your FortiGate, or a lab/VM/... FortiGate to test the options thoroughly and get familiar with policy-based mode, and only then make a decision whether to reconfigure your production FortiGate to work in policy-based mode.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
17 REPLIES 17
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With FGTs, you would need to concatenate, or merge, two Webfilter profiles into one then put it in one policy. I still don't know why you have to split it into two policies anyway. Can you tell us more about that?
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Toshi.
We are migrating the rules from Palo Alto, and there are some rules with the same src and dest, but with different web filter profiles. I asking that just to confirm the Fortigate doesn't work in this way, once the flow will match only the first policy.
Cheers,
Gui
Gui
Cheers,Gui
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it will match the first policy due to the destination and if it doesn't match the webfilter profile it will be blocked (or whatever is configured in the webfilter profile)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I hava a great article for you that can allow you to get maximum premium feature without spending money. So, visit here to explore it more Source
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi.
Please follow the KBfor more details on How policy order in works on FortiGate
https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/497952/policy-views-and-policy-lookup
Best Regards,
Erlin
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey gcarvalho,
you could consider looking into policy-based mode; that splits the security/UTM part into a separate policy. You would have one traffic policy (any->any, allow) and then one or more security policies where you can apply different webfilter profiles based on additional criteria. Have a look here:
https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/978598/profile-based-ngfw-vs-policy-bas...
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Debbie.
What is the impact changing the firewall mode from profile-based to policy-based in a Fortigate that is in production?
Cheers,
Gui
Gui
Cheers,Gui
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Group multiple IPsec tunnels as a... 119 Views
- Assistance to allow external access to... 758 Views
- New to fortigate, how to authorize... 142 Views
- Help Needed: DDNS Not Working and... 528 Views
- Fortinet external AD Connector and retrieving... 429 Views
Labels
-
FortiGate
7,115 -
FortiClient
1,401 -
5.2
801 -
5.4
639 -
FortiManager
616 -
FortiAnalyzer
451 -
6.0
416 -
FortiAP
373 -
FortiSwitch
369 -
5.6
362 -
FortiClient EMS
288 -
FortiMail
277 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
6.4
128 -
FortiNAC
126 -
FortiGuard
115 -
IPsec
107 -
SSL-VPN
100 -
FortiGateCloud
95 -
FortiSIEM
92 -
FortiCloud Products
88 -
FortiToken
76 -
Customer Service
71 -
Wireless Controller
64 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
47 -
FortiADC
45 -
FortiEDR
44 -
Fortivoice
44 -
FortiDNS
38 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
FortiExtender
34 -
FortiSandbox
33 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
FortiPortal
18 -
Interface
18 -
FortiSwitch v6.2
17 -
LDAP
17 -
VDOM
17 -
FortiMonitor
15 -
Routing
15 -
Authentication
14 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
Logging
14 -
FortiDDoS
13 -
RADIUS
12 -
NAT
12 -
FortiCASB
12 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSL SSH inspection
10 -
SSO
10 -
FortiRecorder
10 -
Application control
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
OSPF
7 -
Web application firewall profile
7 -
4.0
7 -
Admin
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
FortiAP profile
6 -
IPS signature
5 -
Packet capture
5 -
Automation
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDirector
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
FortiPAM
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
FortiTester
4 -
3.6
4 -
FortiScan
4 -
Web rating
4 -
FortiDeceptor
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
FortiToken Cloud
3 -
Fortinet Engage Partner Program
3 -
Traffic shaping profile
3 -
FortiDB
3 -
DLP sensor
3 -
DoS policy
3 -
Email filter profile
3 -
Fabric connector
2 -
FortiInsight
2 -
Netflow
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
DLP Dictionary
2 -
VoIP profile
2 -
DLP profile
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1 -
Internet Service Database
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1057 | |
| 874 | |
| 521 | |
| 441 | |
| 146 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.