- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Policy with Webfilter and Destination Any
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Policy with Webfilter and Destination Any
Hello everyone!
Giving the following scenario:
I have two policies with the same source and destination "all", but each policy has a different Webfilter profile.
If a request doesn't match any url in the webfilter for the first policy, will this request be denied or the second policy will be evaluated?
I ask that because we are migrating policies from another firewall vendor to Fortigate and in that other vendor, there is some similares policy rules, with exact same source and destination "any", but with distincts URL Categories and all policies are evaluated until a match or the request is denied just on the implicit deny.
As I can see, the Fortigate will block the request in the first policy if no match in the Webfilter and will not evaluate the second policy, because it already have matched the first policy by source and destination address. Is that correct?
Cheers,
Gui
Gui
Solved! Go to Solution.
Cheers,Gui
Labels:
- Labels:
-
FortiGate
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it will match the first policy due to the destination and if it doesn't match the webfilter profile it will be blocked (or whatever is configured in the webfilter profile)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Gui,
sorry for only now getting back to you.
If you change the firewall mode to policy-based, that can significantly screw up your existing policies, so I would recommend against doing that if the FortiGate is in production. It would essentially be a redesign of all policies and applicable security profiles, not something you can test for five minutes and easily reverse.
If you are looking for your FortiGate to work like that in principle (traffic policies, and then separate security policies to apply webfilter/other UTM more granularly), I would suggest either a VDOM on your FortiGate, or a lab/VM/... FortiGate to test the options thoroughly and get familiar with policy-based mode, and only then make a decision whether to reconfigure your production FortiGate to work in policy-based mode.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
- « Previous
-
- 1
- 2
- Next »
17 REPLIES 17
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Gui,
sorry for only now getting back to you.
If you change the firewall mode to policy-based, that can significantly screw up your existing policies, so I would recommend against doing that if the FortiGate is in production. It would essentially be a redesign of all policies and applicable security profiles, not something you can test for five minutes and easily reverse.
If you are looking for your FortiGate to work like that in principle (traffic policies, and then separate security policies to apply webfilter/other UTM more granularly), I would suggest either a VDOM on your FortiGate, or a lab/VM/... FortiGate to test the options thoroughly and get familiar with policy-based mode, and only then make a decision whether to reconfigure your production FortiGate to work in policy-based mode.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If a request does not match any URL in the webfilter profile specified in the first policy, the request will be evaluated based on the rules of that specific policy. If there is no explicit deny rule in the first policy, the default action would likely be to allow the traffic. In this case, the second policy may not be evaluated because the request has already been matched by the source and destination addresses of the first policy.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I still think those current Palo Alto policies are not exactly the same not only the webfilter profiles, like applications and services, etc. And only one of them matches and be executed.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are right. In Palo Alto there are differents Application (not services). But, even this different applications use the same ports (80 and 443). But, if the "application" in Palo Alto doesn't gives only the port used by application, but the ports and dest address, I think this is the case.
But in Fortigate we doesn't have the option Application same as PA.
An important point: This policies is not for users traffic/internet access, but is related to some devices accessing external resources to do software updates, dns sync, etc. There are a few static URLs allow list (with some wildcards) like for exemple *.windowsupdate.microsoft.com. So I think that in this case, if I copy the urls in the webfilter and create fqdn objects to add as destinations it will works. What do you think?
Cheers,
Gui
Gui
Cheers,Gui
Created on 07-07-2023 08:42 AM Edited on 07-07-2023 08:43 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Last time, long time ago, when I tested PA-220 I didn't test that part of behavior. I guess I have to learn more about PAN.
To me, most of those requirements can be done by one policy in a way, and it would apply to your case. When the process hit that policy, it just look for the first match in all addresses and profiles. So should work fine.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Gui,
Traffic is matching only single policy. For example firewall policy A and webfilter profile A1 and firewall policy B and webfilter profile B1. Traffic will hit either policy A or policy B, but not both. Therefore either webfilter profile A1 will applied or webfilter profile B1, but not both.
FortiGate
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To clarify:
- policies are matched on source interface, destination interface, source address, destination address and service ONLY. They are not matched on any UTM profile.
That is, if the traffic is matched on the first policy, the second one will never be evaluated.
This is different from PA where the web filter is part of the match criteria.
Regarding policy UTM mode, have a close look at the cited article. It forces you to enable Central NAT, among other stuff. This alone requires reworking your NAT policies which will not happen live on a production FGT.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the context of network security a policy with a web filter and a destination set to any typiclly means that the policy will apply
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Group multiple IPsec tunnels as a... 145 Views
- Assistance to allow external access to... 830 Views
- New to fortigate, how to authorize... 166 Views
- Help Needed: DDNS Not Working and... 553 Views
- Fortinet external AD Connector and retrieving... 460 Views
Labels
-
FortiGate
7,164 -
FortiClient
1,415 -
5.2
801 -
5.4
639 -
FortiManager
620 -
FortiAnalyzer
456 -
6.0
416 -
FortiAP
376 -
FortiSwitch
374 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
FortiNAC
128 -
6.4
128 -
FortiGuard
115 -
IPsec
108 -
SSL-VPN
105 -
FortiGateCloud
97 -
FortiSIEM
93 -
FortiCloud Products
89 -
FortiToken
77 -
Customer Service
71 -
Wireless Controller
65 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
49 -
FortiADC
45 -
FortiEDR
44 -
Fortivoice
44 -
FortiDNS
39 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
FortiSandbox
34 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
LDAP
19 -
FortiPortal
18 -
Interface
18 -
FortiSwitch v6.2
17 -
Routing
17 -
VDOM
17 -
FortiMonitor
15 -
Authentication
15 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
NAT
13 -
RADIUS
12 -
FortiCASB
12 -
Application control
11 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
SSL SSH inspection
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
SNMP
8 -
FortiGate v4.0 MR3
8 -
OSPF
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiAP profile
7 -
4.0
7 -
Admin
7 -
Web application firewall profile
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
Automation
6 -
IPS signature
5 -
Packet capture
5 -
DNS Filter
5 -
FortiCache
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
FortiPAM
4 -
FortiCarrier
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Fabric connector
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
Fortinet Engage Partner Program
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1063 | |
| 889 | |
| 527 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.