Trying my best to adopt how FortiGate works in my network, most especially in firewall policy. This question boggles me: which section of Life of a Packet could explain why we need to create a reverse policy if traffic is originated from the LAN to another local network and vice versa? Whereas LAN-to-External traffic doesn't require a reverse rule to send the reply back to the original sender.
Could anyone point me in the right direction? Thank you.
Fortigate Newbie
What do you mean by reverse policy? Traffic is stateful and the firewall maintains "state" (tcp.ack.seq.src/dst-port ...). I have never created a reverse policy, btw.
Maybe if you were running asymmetrical routing, which is not good and defeats the purpose of a stateful FW.
Ken Felix
PCNSE
NSE
StrongSwan
You need a reverse rule/policy only if you have native traffic coming in this direction.
To simplify:
If you just want to reach a PC in the other subnet, you need a forward policy from your net to the other one but no reverse rule/policy. That would be native traffic from you to there. This includes the answers to your packets.
If the PC in the other net should be able to contact you itself, you need a reverse rule too, since that would be native traffic from there to you.
Additionally, if you enabled NAT in your policy you also don't need a reverse rule/policy at all, since NAT does that for you already ;)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
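To make the point of the two answers concrete, here is a toy stateful-firewall model written for this thread. It is an added example, not FortiOS code and not part of any poster's reply: the packet first hits a session-table lookup and only a packet that starts a new session goes through policy lookup. Replies to an accepted session are forwarded by state, so no "reverse" policy is ever consulted for them; a connection that the other network originates is a new session and is dropped by the implicit deny unless a policy for that direction exists. All addresses, policy names and the `WAN_IP` constant are constructed for the example.

```python
"""Toy model of a stateful firewall forward path (constructed example).

Order of operations: session lookup first, then policy lookup. This is the
behaviour the thread describes, not a reimplementation of any vendor's code.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WAN_IP = "198.51.100.1"  # constructed: the firewall's external (NAT) address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    sport: int
    dst_ip: str
    dport: int
    proto: str = "tcp"

    def key(self):
        # 5-tuple used as the session-table key
        return (self.src_ip, self.sport, self.dst_ip, self.dport, self.proto)


@dataclass
class Policy:
    name: str
    srcaddr: str          # CIDR the session originator must be in
    dstaddr: str          # CIDR the destination must be in
    action: str = "accept"
    nat: bool = False     # source-NAT the originator to WAN_IP

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src_ip) in ip_network(self.srcaddr)
                and ip_address(pkt.dst_ip) in ip_network(self.dstaddr))


class StatefulFirewall:
    def __init__(self, policies):
        self.policies = policies
        self.sessions = {}  # 5-tuple -> name of the policy that created it

    def forward(self, pkt: Packet) -> str:
        # Step 1: session lookup. Reply traffic for an established session is
        # accepted here and never reaches policy lookup, which is why no
        # reverse policy is needed for answers to traffic you originated.
        if pkt.key() in self.sessions:
            return f"accept: existing session ({self.sessions[pkt.key()]})"
        # Step 2: policy lookup, first match wins, implicit deny at the end.
        for pol in self.policies:
            if pol.matches(pkt):
                if pol.action != "accept":
                    return f"deny: policy {pol.name}"
                self._create_session(pkt, pol)
                return f"accept: new session via policy {pol.name}"
        return "deny: implicit deny (no matching policy)"

    def _create_session(self, pkt: Packet, pol: Policy) -> None:
        self.sessions[pkt.key()] = pol.name
        # Record the 5-tuple the reply will carry so it is matched by state.
        # With source NAT the responder answers the NAT address, not the host.
        reply_dst = WAN_IP if pol.nat else pkt.src_ip
        reply = (pkt.dst_ip, pkt.dport, reply_dst, pkt.sport, pkt.proto)
        self.sessions[reply] = pol.name


def run_scenarios() -> dict:
    """Two LANs plus a WAN; only LAN1 has policies allowing it to originate."""
    fw = StatefulFirewall([
        Policy("LAN1-to-LAN2", "10.1.1.0/24", "10.2.2.0/24"),
        Policy("LAN1-to-WAN", "10.1.1.0/24", "0.0.0.0/0", nat=True),
    ])
    results = {}
    # LAN1 host opens HTTPS to a LAN2 host: new session, forward policy matches
    results["lan1_to_lan2"] = fw.forward(Packet("10.1.1.10", 50000, "10.2.2.20", 443))
    # LAN2 host's reply: matched by the session table, no LAN2-to-LAN1 policy needed
    results["lan2_reply"] = fw.forward(Packet("10.2.2.20", 443, "10.1.1.10", 50000))
    # LAN2 host originates SSH to LAN1: new session, no policy for that direction
    results["lan2_initiates"] = fw.forward(Packet("10.2.2.20", 50001, "10.1.1.10", 22))
    # LAN1 host to the Internet through the NAT policy
    results["lan1_to_wan"] = fw.forward(Packet("10.1.1.10", 50002, "203.0.113.5", 80))
    # Internet host replies to the NAT address: matched by state
    results["wan_reply"] = fw.forward(Packet("203.0.113.5", 80, WAN_IP, 50002))
    # Internet host originates to the NAT address: implicit deny
    results["wan_initiates"] = fw.forward(Packet("203.0.113.5", 40000, WAN_IP, 22))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:16s} {verdict}")
```

The `lan2_reply` and `wan_reply` cases both succeed without any policy whose source is LAN2 or the WAN, while `lan2_initiates` fails until a LAN2-to-LAN1 policy is added. Asymmetric routing breaks this model because the reply would arrive at a firewall that never saw the original packet and therefore has no session for it.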
Copyright 2025 Fortinet, Inc. All Rights Reserved.