Let's discuss!
There are various methods of defining the Internet within a firewall security policy.
What are the pros and cons of each method?
Method 1: Destination "all"
Pro: Easy to use and understandable for humans within normal firewall administration.
Con: "all" is not the Internet. In an ideal security world, you shouldn't use "all" or "any" in any of your firewall rules.
Method 2: Object "Internet" with excluded networks (e.g. internal, VPN and RFC1918, ...)
Pro: Can be used within NAT. Allows for proper verification checks by FortiGate.
Con: Keeping the object up-to-date requires regular maintenance.
Method 3: Negated internal, VPN and RFC1918, ... networks in the Destination field
Pro: Allows for proper verification checks by FortiGate.
Con: Hard to read/understand/maintain for admin staff.
Any more methods, pros, cons?
How do you define the Internet in your security policies?
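To make methods 2 and 3 concrete, here is an added FortiOS CLI example (not posted by anyone in the thread) that builds the same "Internet" match both ways: once as an address group with excluded members, once as a negated destination in the policy. It assumes interfaces named "lan" and "wan1" and a FortiOS release that supports address-group exclusion; the excluded ranges are the three RFC1918 blocks and should be extended with your own internal and VPN networks.

```fortios
# Added example; assumes interfaces "lan"/"wan1" and FortiOS with addrgrp exclusion.
config firewall address
    edit "RFC1918-10"
        set subnet 10.0.0.0 255.0.0.0
    next
    edit "RFC1918-172"
        set subnet 172.16.0.0 255.240.0.0
    next
    edit "RFC1918-192"
        set subnet 192.168.0.0 255.255.0.0
    next
end
# Method 2: one reusable "Internet" object = "all" minus the excluded members.
config firewall addrgrp
    edit "Internet"
        set member "all"
        set exclude enable
        set exclude-member "RFC1918-10" "RFC1918-172" "RFC1918-192"
    next
end
config firewall policy
    edit 10
        set name "LAN-to-Internet (method 2)"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "Internet"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # Method 3: the same match, written as negated destinations inside the policy.
    edit 11
        set name "LAN-to-Internet (method 3)"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "RFC1918-10" "RFC1918-172" "RFC1918-192"
        set dstaddr-negate enable
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Both policies match the same destinations; the difference is that policy 10 keeps the exclusion list in a single object that every Internet-bound rule can reference, while policy 11 has to repeat it wherever it is needed.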
Hi Danny,
For more granular control you can define well-known ISDB services in the destination in place of "all".
Pros: The data comes from the FortiGuard service system.
Cons: Internet services that do not have an ISDB entry need a separate policy.
Below the ISDB-defined policy you can create one more policy with destination "all" and apply UTM profiles.
https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/680955/security-profiles
Please check the link below for the best practices when creating a security policy on FortiGate:
https://docs.fortinet.com/document/fortigate/7.4.0/best-practices/862226/policies
Regards
Priyanka
So lucky to have policies that were supported by senior management. Years ago, at an organization I worked at, we also had some good policies, however my boss's boss broke them on a regular basis. Made for lots of IT spaghetti that came to bite us down the road.
Hi Danny,
In all the methods specified, the firewall policy defines the rule to allow the traffic to the destination.
Based on the order of preference, security policies are checked, and if the traffic matches a rule, it will be allowed.
Be aware that mapping the destinations is based on your requirements.
+ Allow all is for the LAN users to access all the internet services.
+ Similarly, if you want to restrict the LAN users to accessing specific Internet sites, you can use IP objects/ISDB.
+ To restrict specific LAN users to a specific destination, make sure to add the source and destination objects and place the firewall policy in the right order for hits.
Basically, these methods define the way you want to construct your network communication.
However, it is just a criterion for a match to allow the respective traffic to pass through the FortiGate firewall.
Regards,
Kruthi
Copyright 2024 Fortinet, Inc. All Rights Reserved.