Support Forum
unknown1020
New Contributor III

all ports enabled - FortiGate

Good morning friends, based on your experience:
Why is it important not to have "ALL" ports enabled in FortiGate firewall policies?


I greatly appreciate your comments.

1 Solution
pminarik
Staff

In an ideal world, a firewall will strictly block everything that isn't explicitly required for things to function. This is where using the service "ALL" or src/dst address "all" is potentially over-permissive.


In the real world, where process owners don't know what IPs:ports their applications talk to, where service providers don't know where exactly they serve their services from or straight up refuse to provide this information, or where everything is vaguely served from "the cloud", it is not always possible to strictly adhere to this philosophy of "only allow what's required".


You will have to carefully find the right place where there's sufficient balance between "things working" and "unneeded/unwanted traffic blocked", and that is different for each situation.

[ corrections always welcome ]


2 REPLIES
AEK

One of the actual cases I saw: a company avoided ransomware propagation to VMware ESXi just because they were not allowing ALL services from the user VLAN to the server VLAN.

AEK
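A way to check a running configuration for exactly the two over-permissive settings pminarik names (service "ALL", src/dst address "all"), added here as an example and not code from either post: the script parses the `config firewall policy` section of a FortiOS CLI dump (the format `show firewall policy` prints) and reports every enabled accept policy that relies on those wildcards, skipping deny rules (a catch-all deny legitimately uses them) and disabled policies. The sample configuration, interface names and address object names are constructed; policy 1 is the "ALL services from the user VLAN to the server VLAN" rule that AEK's ransomware case turned on, and policy 2 is a tightened equivalent that permits only named services.

```python
"""Audit a FortiOS config dump for over-permissive firewall policies.

Added example, not from the forum thread. Parses ``config firewall policy``
from a FortiGate CLI configuration and flags enabled accept rules that use
the built-in wildcards: address object "all" or service "ALL".
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in FortiOS CLI syntax; interface and object names are
# made up. Policy 1 is the user-VLAN-to-server-VLAN "ALL" rule the thread warns
# about, policy 2 a tightened version, policy 3 a disabled leftover (no finding).
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "users-to-servers-any"
        set srcintf "vlan10-users"
        set dstintf "vlan20-servers"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "users-to-fileserver"
        set srcintf "vlan10-users"
        set dstintf "vlan20-servers"
        set action accept
        set srcaddr "net-users"
        set dstaddr "srv-files"
        set schedule "always"
        set service "SMB" "DNS"
    next
    edit 3
        set name "legacy-disabled"
        set status disable
        set srcintf "vlan10-users"
        set dstintf "vlan20-servers"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end
"""

LIST_KEYS = ("srcaddr", "dstaddr", "service")   # settings that hold object lists
_QUOTED = re.compile(r'"([^"]*)"')


def parse_policies(config_text: str) -> List[Dict[str, object]]:
    """Return one dict per ``edit N`` block inside ``config firewall policy``.

    FortiOS omits settings left at their default, so a policy with no
    ``set status`` line is enabled and one with no ``set action`` line denies.
    """
    policies: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    in_section = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_section = True
            continue
        if not in_section:
            continue
        if line == "end":
            break
        m = re.fullmatch(r"edit (\d+)", line)
        if m:
            current = {"id": int(m.group(1)), "status": "enable", "action": "deny",
                       "srcaddr": [], "dstaddr": [], "service": []}
            continue
        if line == "next" and current:
            policies.append(current)
            current = {}
            continue
        parts = line.split(" ", 2)
        if not current or parts[0] != "set" or len(parts) < 3:
            continue
        key, rest = parts[1], parts[2]
        values = _QUOTED.findall(rest) or [rest]   # quoted names, else a bare keyword
        current[key] = values if key in LIST_KEYS else values[0]
    return policies


def find_over_permissive(policies: List[Dict[str, object]]) -> List[Tuple[int, str, List[str]]]:
    """Flag enabled accept rules whose srcaddr/dstaddr/service is the wildcard.

    Deny rules are skipped: "all"/"ALL" is how a catch-all block is written.
    """
    findings = []
    for p in policies:
        if p["status"] != "enable" or p["action"] != "accept":
            continue
        problems = [f"{key}={','.join(p[key])}" for key in LIST_KEYS
                    if any(v.lower() == "all" for v in p[key])]
        if problems:
            findings.append((p["id"], str(p.get("name", "")), problems))
    return findings


if __name__ == "__main__":
    for policy_id, name, problems in find_over_permissive(parse_policies(SAMPLE_CONFIG)):
        print(f"policy {policy_id} ({name}): {'; '.join(problems)}")
```

Run against a real `show firewall policy` export, only policy 1 in the sample is reported; policy 2 passes because every dimension is restricted, and policy 3 is ignored because it is disabled. A hit on one dimension (for example named addresses but service "ALL") is still a finding, which is the situation the accepted answer describes as the compromise to avoid where the required ports can be learned.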