Hi Guys:
I am migrating a Cisco ASA to Fortigate 900D (ver6.2.3). my original ASA has one physical outside interface and 5 sub-interfaces as inside interface. while ASA only defined inbound interface in firewall rules , Fortigate will need to define in/out bound interface in firewall rules. my question is can I use "any" as the outbound interface ? so I copy cisco firewall rule one by one without extra rule needed? because some address group include ip addresses belong to different sub-interfaces.
Thanks a lot
Not sure what you mean but you can write a policy with any as the interface for src or dst.
e.g
config firewall policy 9909 set srcintf "any" set dstintf "wan1" set srcaddr "LOCL_LAN_GROUP" set dstaddr "all" set action accept set schedule all set service HTTP HTTPS ICMP SSH next I would avoid using a "any" unless you had too. So in the above LOCL_LAN_GROUP members are allowed to wan1 for service define. Later if you had mode sub_iinterfaces, you would add te network into that address group Ken Felix
PCNSE
NSE
StrongSwan
Thanks emnoc for you help, can you explain why you avoid to use "any" as the inbound or outbound interface ? what is the problem if use it like that?
I do not have NAT in any rules.
Hey,
i would really agree on not using "any" in firewall policies. Fortigates are zone based firewalls. You group your interfaces in zones and write policies like:
srcintf INTERNAL
dstintf EXTERNAL or DMZ and so on...
Just copying rules from a ASA/Pix will bring you an unmaintainable ruleset over time. Migration is the best time for a redesign.
Br,
Roman
From a security point of view, you really do not want people (e.g. company or office visitors) plugging in 3rd party routers into your network and as a deterrent to that, defining firewall rules with well defined source/dest interfaces - as well - defined addresses (e.g. All_internal or All_external) can go a long way in mitigating this type of activity. If you can help it try to stay away from defining private subnets that are popular on retail routers as well (e.g. 192.168.0.x, 192.168.1.x).
Personally, it's not fun trying to remote troubleshoot an educational institute network when teachers decide to plug in cheap wifi routers to act as "switches" or APs.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
I think OP was asking multiple interfaces in one policy, not multiple subnets/addresses. The immediate down-side is it would lose "interface pair view" in GUI at the Policy page.
While all concerns above are valid, IMO, it's up to how complex the served org is and what the purpose of 5 internal interfaces are. Depending on that, I might user a "zone" for those internal interfaces to aggregate. For example, I have more than 5 internal interfaces at home, I use a zone for some of them because there is no difference in policy.
I would suggest to do first analysis of all rule of ASA and then please do migrate to fortigate firewall configuration and do additional security top of it .
If you need help you can reply on this same post
Hi michael,
We had the same situation in our company where we also migrated from asa to fortigate. You can use any interface in both the inbound and the outbound. This all depends on which traffic you're eventually allowing through in the source and destination and if the routes are available. Although the any interface is not recommended for security point of view.
What we did is configure SD-WAN for the outside interface even though you only have 1 outside interface. In the future you can always add more interfaces to the SD-WAN
By doing this it will automatically create a default route 0.0.0.0/0 with gateway 0.0.0.0 as interface SD-WAN. In case it doesn't create the route, you can always manually create it.
Afterwards you can create multiple policies using the SD-WAN as the outbound interface and all other configured interfaces as inbound.
And if your fortigate is acting as a core router to communicate between internal interfaces, then you can create different policies for each internal communication.
You can also enable the feature multiple interface polcies in the GUI:
SYSTEM->Feature visibility-> Multiple interface policies.
With this you can combine both internal policies together.
I hope this helps.
Thank you all guys for the comment. I am going to look deeper to the original config and specify the in/out bound interface while migrating them.
again you guys amazing.
Fortigates are zone based firewalls
I have to disagree, the firewall by default has no concept of a zone. It can be used a ZBFW,but out the box no zones or the requirements of zones are enforced. Zone based are typically PaloNW, CHKP, Forcepoint ( that's even loose with these last two ), and SRX,etc........
Back to OP, using "any" really means "any" and layer if you add specific policies and have "any" everything will match "any". I try to always reduce the amount of "any" by being specific in rulesets.
proceed with caution and monitor the logs & hit-counts
Ken Felix
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.