Hi All,
I am new to the Fortigate world. In the past, the firewalls I worked with had an explicit rule for traffic from the WAN to LAN. The Fortigate does not have this by default, but instead has an implicit deny all. So unless traffic matches a rule, it is blocked by the implicit rule. My question is surrounding security policies then. If I do not have a rule for WAN to LAN, how do I apply security policies, like SSL filtering, to traffic coming from WAN to LAN? Do I need to on the Fortigate? Thanks.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
TL;DR - no you don't need those if no traffic is allowed from outside to inside.
Best way to answer this that I can think of is to think of the OSI model. If you're already blocking traffic at a lower layer (by IP address or TCP/UDP port) you don't need to consider the higher layers of that traffic. So it wouldn't matter that someone was trying to inject a virus or something if they couldn't get in the door in the first place. Where you want security profiles is to dig into traffic that is otherwise allowed at those lower layers.
Otherwise, if you're thinking about the "reverse" traffic from WAN to LAN for web browsing and the likes, that is always handled on the LAN to WAN policy (this would be the case on any stateful firewall). You'll want to apply any AV or web filtering, etc to the connections initiated by your users to the outside world.
Last thing: if you want to have logs of who's knocking on your door, you can always define an explicit deny from WAN -> LAN but honestly if you don't have any VIPs it won't be matching anything anyway.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.