I have two policies with the same source and destination "all", but each policy has a different Webfilter profile.
If a request doesn't match any URL in the web filter for the first policy, will this request be denied, or will the second policy be evaluated?
I ask because we are migrating policies from another firewall vendor to FortiGate, and on that other vendor there are some similar policy rules with the exact same source and destination "any" but with distinct URL categories; all policies are evaluated until there is a match, or the request is denied only by the implicit deny.
As far as I can see, the FortiGate will block the request in the first policy if there is no match in the web filter and will not evaluate the second policy, because it has already matched the first policy by source and destination address. Is that correct?
If you change the firewall mode to policy-based, that can significantly screw up your existing policies, so I would recommend against doing that if the FortiGate is in production. It would essentially be a redesign of all policies and applicable security profiles, not something you can test for five minutes and easily reverse.
If you are looking for your FortiGate to work like that in principle (traffic policies, and then separate security policies to apply webfilter/other UTM more granularly), I would suggest either a VDOM on your FortiGate, or a lab/VM/... FortiGate to test the options thoroughly and get familiar with policy-based mode, and only then make a decision whether to reconfigure your production FortiGate to work in policy-based mode.
With FGTs, you would need to concatenate, or merge, the two web filter profiles into one and then put it in one policy. I still don't know why you have to split it into two policies anyway. Can you tell us more about that?
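To make the difference between the two evaluation models concrete, here is a small Python model of the behaviour discussed in this thread. It is an added example, not code from any poster, from FortiOS or from PAN-OS: policies and web filter profiles are reduced to "which URL categories does this policy's profile allow", addresses are plain strings, and the rule set and request values are constructed for the illustration. `evaluate_profile_based` models what the thread describes for a FortiGate in profile-based mode (first src/dst match wins, its profile decides, later policies are never consulted), `evaluate_category_as_match` models the fall-through behaviour the original poster describes on the other vendor, and `merge_policies` is the fix suggested in the reply above: one policy whose profile allows the union of the categories.

```python
"""Simplified model of policy matching with URL-category filtering.
Added example, not FortiGate or PAN-OS code. Rules, categories and
request values below are constructed for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    src: str           # "all" matches any source address
    dst: str           # "all" matches any destination address
    allowed: frozenset  # URL categories this policy's web filter profile allows


def _addr_match(rule_addr: str, addr: str) -> bool:
    return rule_addr == "all" or rule_addr == addr


def evaluate_profile_based(policies, src, dst, category):
    """FortiGate profile-based mode as described in the thread: the first
    policy whose src/dst match is selected, the web filter profile attached
    to it decides, and no later policy is consulted even if that profile
    blocks the request."""
    for p in policies:
        if _addr_match(p.src, src) and _addr_match(p.dst, dst):
            return p.name, ("allow" if category in p.allowed else "block")
    return "implicit-deny", "block"


def evaluate_category_as_match(policies, src, dst, category):
    """Behaviour the original poster describes on the other vendor: the URL
    category is part of the match criteria, so a rule that does not list the
    category is skipped and evaluation continues with the next rule until a
    rule matches or the implicit deny is reached."""
    for p in policies:
        if (_addr_match(p.src, src) and _addr_match(p.dst, dst)
                and category in p.allowed):
            return p.name, "allow"
    return "implicit-deny", "block"


def merge_policies(name, policies):
    """The fix suggested in the thread: fold several policies with identical
    src/dst into one policy whose profile allows the union of the categories.
    Policies with different src/dst cannot be merged this way, because the
    first-match semantics would then change for some sources/destinations."""
    policies = list(policies)
    src, dst = policies[0].src, policies[0].dst
    if any(p.src != src or p.dst != dst for p in policies):
        raise ValueError("only policies with identical src/dst can be merged")
    allowed = frozenset().union(*(p.allowed for p in policies))
    return Policy(name, src, dst, allowed)


# Constructed sample rule set: two "all -> all" policies with different profiles
POLICIES = [
    Policy("wf-business", "all", "all", frozenset({"business", "education"})),
    Policy("wf-social", "all", "all", frozenset({"social-media"})),
]

if __name__ == "__main__":
    merged = merge_policies("wf-merged", POLICIES)
    for cat in ("education", "social-media", "gambling"):
        print(cat,
              "profile-based:", evaluate_profile_based(POLICIES, "10.0.0.5", "203.0.113.10", cat),
              "category-as-match:", evaluate_category_as_match(POLICIES, "10.0.0.5", "203.0.113.10", cat),
              "merged:", evaluate_profile_based([merged], "10.0.0.5", "203.0.113.10", cat))
```

Running it shows the case the question is about: a "social-media" request hits `wf-business` first under profile-based evaluation and is blocked there, while the category-as-match model falls through to `wf-social` and allows it; after merging the two profiles into one policy, profile-based evaluation gives the same result as the fall-through model. A real FortiGuard category filter has a per-category action (allow, monitor, block, warning, and so on) rather than a simple allow list, so when merging real profiles the per-category actions of both profiles have to be reconciled, not just unioned.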
We are migrating the rules from Palo Alto, and there are some rules with the same source and destination but with different web filter profiles. I am asking just to confirm that the FortiGate doesn't work this way, since the flow will match only the first policy.