Support Forum
sean3
New Contributor

why outgoing interface is not used in firewall policy matching

Thanks for the help!

When the firewall receives traffic, it matches the firewall policy by Source_interfaces/Protocol/Source_Address/Destination_Address. I'd like to know why the destination interface or outgoing interface is NOT used in policy matching. And if so, why does it have to be specified when creating a firewall policy? Is it used for NAT or for something other than policy lookup?

Thanks again.

akanibek
Staff

There is an option for the outgoing interface, which we can use as a condition.

https://docs.fortinet.com/document/fortigate/7.4.2/administration-guide/656084/firewall-policy

hbac
Staff

Hi @sean3,

 

What makes you think that the outgoing interface is not used for policy matching? Are you referring to policy lookup?

 

For traffic to flow through the FortiGate firewall, there must be a policy that matches its parameters:

Incoming interface(s)
Outgoing interface(s)
Source address(es)
User(s) identity
Destination address(es)
Internet service(s)
Schedule
Service

 

https://docs.fortinet.com/document/fortigate/7.4.2/administration-guide/656084/firewall-policy

 

Regards, 

sean3
New Contributor

Thanks for your help.

Then another question is: how does the firewall match traffic to policies when it comes to outgoing interfaces?

For incoming interfaces, the firewall receives traffic from them, and the source/destination address is also something the firewall can identify. So for the outgoing interface, how does the firewall tell what traffic belongs to which outgoing interface? By looking up the routing table using the destination IP address of the packet?

hbac

@sean3,

 

Yes, FortiGate determines the outgoing interface based on its routing table. 

 

Regards, 

mle2802

Hi @sean3,
Please refer to this document for route lookup process https://community.fortinet.com/t5/FortiGate/Technical-Tip-Routing-in-FortiGate-route-lookup-process/...

Regards,
Minh

rarumugam
Staff

Hi,

The firewall always needs to know the destination interface of a packet to perform policy match/lookup.

 

I presume you got your question from the Policy Lookup section of the doc,
https://docs.fortinet.com/document/fortigate/7.4.2/administration-guide/656084/firewall-policy
wherein it says "Firewall policy lookup is based on the Source_interfaces/Protocol/Source_Address/Destination_Address that matches the source-port and dst-port of the protocol." This section just talks about the policy lookup tool available in the GUI, not the policy lookup functionality of FortiOS itself.

Basically, when a packet hits the firewall, the firewall will have the src_intf/protocol/src_addr/dst_addr/src_port/dst_port of the packet, and the packet is put through the checks below in order:

  1. Dos policy Lookup
  2. Session Lookup
  3. DNAT Lookup
  4. Session Lookup
  5. ...,

If the packet doesn't match any of the first 4, then a new session needs to be created. For this, the firewall does a route lookup: routing uses the routing table to determine the interface to be used by the packet as it leaves the FortiGate. The source interface is known when the packet is received, and the destination interface is determined by routing. Then firewall policies are matched against the packet based on the source and destination interface used by the packet, along with other parameters such as

  • Source address
  • Destination address
  • Service (protocol and port number)
  • ..,

Cheers,

 

Rambharathi Arumugam
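The two-step process described in this thread (hbac's list of policy match parameters and the route-then-policy sequence above) is easy to see in a small model. The following is an added illustration written for this thread; it is not FortiOS code and not from Fortinet's documentation. The routing table, interface names, addresses and policies are constructed for the example. It performs a longest-prefix route lookup on the destination IP to derive the outgoing interface, then walks the policy list top-down and returns the first policy whose incoming interface, outgoing interface, addresses and service all match, falling back to the implicit deny.

```python
import ipaddress
from dataclasses import dataclass

# Constructed routing table: (prefix, outgoing interface). Not a real FortiGate config.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "wan1"),        # default route
    (ipaddress.ip_network("10.0.0.0/8"), "internal"),
    (ipaddress.ip_network("10.10.0.0/16"), "dmz"),      # more specific than 10/8
]
STATIC_ONLY = ROUTES[1:]   # same table without the default route, to show a no-route case


def route_lookup(dst_ip, routes=ROUTES):
    """Longest-prefix match: the most specific route wins, as in a normal FIB.
    Returns the outgoing interface name, or None when no route covers dst_ip."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, intf in routes:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, intf)
    return best[1] if best else None


@dataclass
class Policy:
    policyid: int
    srcintf: set       # incoming interface names, or {"any"}
    dstintf: set       # outgoing interface names, or {"any"}
    srcaddr: list      # ip_network objects; empty list means "all"
    dstaddr: list
    services: set      # (proto, dst_port) tuples; empty set means ALL
    action: str        # "accept" or "deny"


def _intf_match(allowed, intf):
    return "any" in allowed or intf in allowed


def _addr_match(nets, ip):
    return not nets or any(ipaddress.ip_address(ip) in n for n in nets)


def _svc_match(services, proto, port):
    return not services or (proto, port) in services


# Constructed policy list, evaluated top-down (first match wins).
POLICIES = [
    Policy(1, {"internal"}, {"wan1"}, [ipaddress.ip_network("10.1.0.0/16")], [],
           {("tcp", 80), ("tcp", 443)}, "accept"),
    Policy(2, {"internal"}, {"dmz"}, [], [ipaddress.ip_network("10.10.0.0/16")],
           {("tcp", 22)}, "accept"),
]


def decide(srcintf, src, dst, proto, dport, policies=POLICIES, routes=ROUTES):
    """Model of the new-session path: route lookup first, then policy lookup.
    Returns (outgoing interface, matched policy id or None, action)."""
    dstintf = route_lookup(dst, routes)
    if dstintf is None:
        # No route: the packet is dropped before any policy is consulted.
        return None, None, "no-route"
    for p in policies:
        if (_intf_match(p.srcintf, srcintf) and _intf_match(p.dstintf, dstintf)
                and _addr_match(p.srcaddr, src) and _addr_match(p.dstaddr, dst)
                and _svc_match(p.services, proto, dport)):
            return dstintf, p.policyid, p.action
    return dstintf, None, "deny"   # implicit deny at the end of the policy list


if __name__ == "__main__":
    # HTTPS to the Internet: route -> wan1, policy 1 accepts.
    print(decide("internal", "10.1.2.3", "8.8.8.8", "tcp", 443))
    # SSH to the DMZ: 10.10/16 beats 10/8, route -> dmz, policy 2 accepts.
    print(decide("internal", "10.1.2.3", "10.10.5.5", "tcp", 22))
    # HTTPS to the DMZ: same outgoing interface, but no policy covers it -> implicit deny.
    print(decide("internal", "10.1.2.3", "10.10.5.5", "tcp", 443))
```

Note how the third case shows the point made in this thread: the outgoing interface is not something the packet carries, it is derived from the routing table, and a policy whose dstintf is wan1 will never match a flow that routing sends to dmz, even when source, destination and service would otherwise fit.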