Support Forum

Properly defining the Internet within a security policy

Let's discuss!


There are various methods of defining the Internet within a firewall security policy.

What are the Pros and Cons of each method?


Method 1: Destination "all"


Pro: Easy to use and understandable for humans within normal firewall administration.

Con: "all" is not the Internet. In an ideal security world, you shouldn't use "all" or "any" in any of your firewall rules.


Method 2: Object "Internet" with excluded networks (e.g. internal, VPN and RFC1918, ..)


Pro: Can be used within NAT. Allows for proper verification checks by FortiGate.

Con: Keeping the object up-to-date requires regular maintenance.


Method 3: Negated internal, VPN and RFC1918, .. networks in Destination field

Pro: Allows for proper verification checks by FortiGate.

Con: Hard to read/understand/maintain for admin staff.


Any more methods, pros, cons?

How do you define the Internet in your security policies?
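As an added example (not part of the original post or of Fortinet's own tooling), the script below shows what Method 2 and Method 3 look like in practice. It computes the "Internet" as 0.0.0.0/0 minus a list of excluded prefixes with Python's `ipaddress` module, renders the result as FortiOS CLI address objects plus an address group (Method 2), and renders a policy that uses `dstaddr-negate` against the excluded group (Method 3). The exclusion list, the object and group names, and the interface names (`internal`, `wan1`, `LAN`) are constructed sample values, and 203.0.113.0/24 stands in for a site-specific VPN range; the FortiOS syntax matches the `config firewall address` / `addrgrp` / `policy` trees but the exact options available depend on the FortiOS version in use.

```python
"""Build an explicit 'Internet' address group (Method 2) and a negated-destination
policy (Method 3) for a FortiGate. Added example, not Fortinet code."""
import ipaddress
from typing import Iterable, List

# Constructed sample exclusions: RFC1918 plus a placeholder VPN range
# (203.0.113.0/24 is a documentation prefix used here as a stand-in).
EXCLUDED = [
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "203.0.113.0/24",
]


def internet_prefixes(excluded: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Return the minimal set of IPv4 prefixes covering everything except `excluded`.

    This is the maintenance burden of Method 2 made explicit: every change to the
    exclusion list changes the generated prefix set, so it has to be regenerated.
    """
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for ex in sorted(ipaddress.ip_network(e) for e in excluded):
        nxt = []
        for net in remaining:
            if ex.subnet_of(net):
                # carve the exclusion out; yields nothing when ex == net
                nxt.extend(net.address_exclude(ex))
            elif net.subnet_of(ex):
                continue  # whole prefix lies inside the exclusion, drop it
            else:
                nxt.append(net)
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


def is_internet(addr: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if `addr` falls inside one of the generated 'Internet' prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def covered_addresses(nets: Iterable[ipaddress.IPv4Network]) -> int:
    """Total number of addresses the prefix set covers (sanity check for gaps/overlaps)."""
    return sum(n.num_addresses for n in nets)


def render_fortios(nets: List[ipaddress.IPv4Network], group_name: str = "Internet") -> str:
    """Method 2: one address object per prefix, collected into a single group."""
    lines = ["config firewall address"]
    for i, n in enumerate(nets, 1):
        lines += [
            f'    edit "{group_name}-{i:02d}"',
            f"        set subnet {n.network_address} {n.netmask}",
            "    next",
        ]
    lines.append("end")
    members = " ".join(f'"{group_name}-{i:02d}"' for i in range(1, len(nets) + 1))
    lines += ["config firewall addrgrp", f'    edit "{group_name}"',
              f"        set member {members}", "    next", "end"]
    return "\n".join(lines)


def render_negated_policy(policy_id: int, excluded_group: str,
                          srcintf: str = "internal", dstintf: str = "wan1",
                          srcaddr: str = "LAN") -> str:
    """Method 3: match every destination EXCEPT the excluded group via dstaddr-negate."""
    return "\n".join([
        "config firewall policy",
        f"    edit {policy_id}",
        f'        set srcintf "{srcintf}"',
        f'        set dstintf "{dstintf}"',
        f'        set srcaddr "{srcaddr}"',
        f'        set dstaddr "{excluded_group}"',
        "        set dstaddr-negate enable",
        "        set action accept",
        '        set schedule "always"',
        '        set service "ALL"',
        "        set nat enable",
        "    next",
        "end",
    ])


if __name__ == "__main__":
    nets = internet_prefixes(EXCLUDED)
    print(f"# {len(nets)} prefixes cover {covered_addresses(nets)} addresses")
    print(render_fortios(nets))
    print(render_negated_policy(10, "Private-Networks"))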


Hi Danny,


For more granular control you can define well-known ISDB services in the destination in place of "all".

Pros: The data comes from the FortiGuard service system.
Cons: Internet services that do not have an ISDB definition need a separate policy.

Below the ISDB-defined policy you can create one more policy with "all" as the destination and apply UTM profiles.

Please check the below link for the best practices while creating a security policy on FortiGate.



- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

New Contributor

So lucky to have policies that were supported by senior management. Years ago, at an organization I worked at, we also had some good policies, however my boss's boss broke them on a regular basis. Made for lots of IT spaghetti that came to bite us down the road.


Hi Danny,


In all the methods specified, firewall policy defines the rule to allow the traffic to the destination.

Based on the order of preference, security policies would be checked and if it matches the rule, traffic will be allowed.


Be aware, mapping the destinations is based on your requirements.

+ Allow all is for the LAN users to access all the internet services.

+ Similarly, if you want to restrict the LAN users to accessing specific Internet sites, you can use IP objects/ISDB.

+ To restrict specific LAN users to specific destinations, ensure you add the source and destination objects and place the firewall policy in the right order for hits.


Basically, these methods define the way you want to construct your network communication.

However, it is just a criterion for a match to allow the respective traffic to pass through the FortiGate firewall.




