Why is the outgoing interface not used in firewall policy matching?
Thanks for the help!
When the firewall receives traffic, it matches the firewall policy by Source_interfaces/Protocol/Source_Address/Destination_Address. I'd like to know why the destination interface or outgoing interface is NOT used in policy matching. And if so, why does it have to be specified when creating a firewall policy? Is it used for NAT or something other than policy lookup?
Thanks again.
Labels: FortiGate
Yes, FortiGate determines the outgoing interface based on its routing table.
Regards,
There is an option for outgoing interface, which we can use as a condition.
https://docs.fortinet.com/document/fortigate/7.4.2/administration-guide/656084/firewall-policy
Hi @sean3,
What makes you think that the outgoing interface is not used for policy matching? Are you referring to policy lookup?
For traffic to flow through the FortiGate firewall, there must be a policy that matches its parameters:
- Incoming interface(s)
- Outgoing interface(s)
- Source address(es)
- User(s) identity
- Destination address(es)
- Internet service(s)
- Schedule
- Service
https://docs.fortinet.com/document/fortigate/7.4.2/administration-guide/656084/firewall-policy
Regards,
Thanks for your help.
Then another question is, how does the firewall match traffic to policies when it comes to outgoing interfaces?
For incoming interfaces, the firewall receives traffic from them, and the source/destination address is also something the firewall can identify. So for the outgoing interface, how does the firewall tell what traffic belongs to what outgoing interface? By looking up the routing table using the destination IP address in the packet?
Hi @sean3,
Please refer to this document for route lookup process https://community.fortinet.com/t5/FortiGate/Technical-Tip-Routing-in-FortiGate-route-lookup-process/...
Regards,
Minh
Hi,
The firewall always needs to know the destination interface of a packet to perform policy match/lookup.
I presume you got your question from the Policy Lookup section of the doc,
https://docs.fortinet.com/document/fortigate/7.4.2/administration-guide/656084/firewall-policy
wherein it says "Firewall policy lookup is based on the Source_interfaces/Protocol/Source_Address/Destination_Address that matches the source-port and dst-port of the protocol." This section just talks about the policy lookup tool available in the GUI, not the policy lookup functionality of FortiOS itself.
Basically, when a packet hits the firewall, the firewall will have the src_intf/protocol/src_addr/dst_addr/src_port/dst_port of the packet, and the packet is put through the below checks in order:
- Dos policy Lookup
- Session Lookup
- DNAT Lookup
- Session Lookup
- ...
If the packet doesn't match any of the first 4, then a new session needs to be created, for which the firewall does a route lookup. Routing uses the routing table to determine the interface to be used by the packet as it leaves the FortiGate. The source interface is known when the packet is received, and the destination interface is determined by routing. Then firewall policies are matched with packets depending on the source and destination interface used by the packet, along with other parameters such as:
- Source address
- Destination address
- Service (protocol and port number)
- ...
Cheers,
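To make the sequence in the answer above concrete (session lookup, then route lookup to learn the outgoing interface, then top-down policy matching with an implicit deny at the end), here is a small Python model of those steps. It is an added illustration, not FortiOS code or anything from the thread; the interface names, routes, addresses and policy IDs are constructed for the example, and the longest-prefix route selection and first-match policy order are standard firewall behaviour, not a description of FortiOS internals.

```python
"""Toy model of the forwarding steps described in the thread:
session lookup -> route lookup (gives dst_intf) -> firewall policy lookup.
All interface names, routes, addresses and policy IDs are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_intf: str   # known as soon as the packet arrives
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Route:
    prefix: str     # CIDR, e.g. "10.0.0.0/8"
    intf: str       # outgoing interface for this prefix
    distance: int = 10


@dataclass
class Policy:
    policyid: int
    srcintf: set    # interface names, or {"any"}
    dstintf: set
    srcaddr: str    # CIDR or "all"
    dstaddr: str
    service: set    # set of (proto, dport); ("any", 0) matches everything
    action: str     # "accept" or "deny"


def route_lookup(routes, dst_ip):
    """Longest-prefix match, lowest distance breaks ties.
    Returns the outgoing interface, or None when no route covers dst_ip."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if ip in net:
            key = (net.prefixlen, -r.distance)
            if best is None or key > best[0]:
                best = (key, r.intf)
    return best[1] if best else None


def _addr_match(spec, ip):
    return spec == "all" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def _service_match(services, pkt):
    return ("any", 0) in services or (pkt.proto, pkt.dport) in services


def policy_lookup(policies, pkt, dst_intf):
    """First matching policy top-down; no match means implicit deny (id 0).
    Without dst_intf (from routing) the dstintf column cannot be evaluated."""
    for p in policies:
        if ("any" in p.srcintf or pkt.src_intf in p.srcintf) \
           and ("any" in p.dstintf or dst_intf in p.dstintf) \
           and _addr_match(p.srcaddr, pkt.src) \
           and _addr_match(p.dstaddr, pkt.dst) \
           and _service_match(p.service, pkt):
            return p.policyid, p.action
    return 0, "deny"


def forward(pkt, routes, policies, sessions):
    """Returns (dst_intf, policyid, action). `sessions` maps the 5-tuple of
    an accepted flow to (dst_intf, policyid); a hit skips route and policy
    lookup, as the 'Session Lookup' step in the thread does."""
    key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    if key in sessions:
        dst_intf, pid = sessions[key]
        return dst_intf, pid, "accept"
    dst_intf = route_lookup(routes, pkt.dst)
    if dst_intf is None:
        return None, 0, "deny"          # no route: dropped before policy match
    pid, action = policy_lookup(policies, pkt, dst_intf)
    if action == "accept":
        sessions[key] = (dst_intf, pid)  # later packets of the flow hit the session
    return dst_intf, pid, action


# Constructed routing table and policy list (not from a real device).
ROUTES = [
    Route("0.0.0.0/0", "wan1"),
    Route("192.168.1.0/24", "lan"),
    Route("10.0.0.0/8", "lan"),
    Route("10.10.0.0/16", "dmz"),   # more specific than 10.0.0.0/8
]
POLICIES = [
    Policy(1, {"lan"}, {"wan1"}, "192.168.1.0/24", "all", {("tcp", 80), ("tcp", 443)}, "accept"),
    Policy(2, {"lan"}, {"dmz"}, "192.168.1.0/24", "10.10.5.0/24", {("tcp", 22)}, "accept"),
]

if __name__ == "__main__":
    for dst, dport in (("10.10.5.20", 22), ("203.0.113.5", 443), ("10.10.5.20", 443)):
        pkt = Packet("lan", "tcp", "192.168.1.10", dst, 51000, dport)
        print(dst, dport, "->", forward(pkt, ROUTES, POLICIES, {}))
```

The third packet in the demo shows why the outgoing interface matters: the destination 10.10.5.20 routes to `dmz`, so policy 1 (dstintf `wan1`) does not apply even though its destination address `all` would cover it, and the packet falls through to the implicit deny.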