Hi, we have couple of deny rules that deny certain ip addresses (lot of them) and services, for example for trust to untrust, and then deny and logging. So we wonder if put that rule on top will cause more memory used, or we should put it on the bottom?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I place my blocks at the top. Would rather have them filtered out and removed before they even get to the UTM side of things.
Mike Pruett
To do it predictably and robustly (?) you order policies from most specific to least specific. That is, if your deny rule is 'all services from all to all', putting it on top of the list will block everything, even trusted traffic. OTOH, putting 'deny traffic for service xyz from source abc to destination ghi' at the end while there is a more common policy above allowing this (among other traffic), you won't see any effect.
So, in short, policies with the most specific specifiers on top, and the more general the specs are, the lower in the list.
@Mike can put DENY policies on top of his list with good results probably because DENY policies are often very specific - one single service, one single evil host etc. Just to counter the impression that grouping DENY and ACCEPT policies is a cosmetic issue only.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.