Thanks for the help!
When firewall receives traffic, it will match the firewall policy by Source_interfaces/Protocol/Source_Address/Destination_Address. I'd like to know why destination interface or outgoing interface is NOT used in policy matching? and if so, why it is to be specified when creating a firewall policy, is it used for NAT or something other than policy lookup?
Thanks again.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Yes, FortiGate determines the outgoing interface based on its routing table.
Regards,
There is an option for outgoing interface, which we can use as a condition.
https://docs.fortinet.com/document/fortigate/7.4.2/administration-guide/656084/firewall-policy
Hi @sean3,
What make you think that Outgoing interface is not used for policy matching? Are you referring to policy lookup?
For traffic to flow through the FortiGate firewall, there must be a policy that matches its parameters:
Incoming interface(s)
Outgoing interface(s)
Source address(es)
User(s) identity
Destination address(es)
Internet service(s)
Schedule
Service
https://docs.fortinet.com/document/fortigate/7.4.2/administration-guide/656084/firewall-policy
Regards,
thanks for your help.
then another question is , how firewall match traffic and policies speaking of outgoing interfaces?
for incoming interfaces, firewall receive traffic from it, and source/destination address is also something firewall can identify. So for outgoing interface, how firewall tell what traffic belong to what outgoing interface? by looking up the routing table using destination IP address in traffic packet?
Hi @sean3,
Please refer to this document for route lookup process https://community.fortinet.com/t5/FortiGate/Technical-Tip-Routing-in-FortiGate-route-lookup-process/...
Regards,
Minh
Hi,
The firewall should always needs to know the destination interface of a packet to perform policy match/lookup.
I presume, you got your question from the Policy Lookup section of the doc,
https://docs.fortinet.com/document/fortigate/7.4.2/administration-guide/656084/firewall-policy
wherein it says "Firewall policy lookup is based on the Source_interfaces/Protocol/Source_Address/Destination_Address
that matches the source-port
and dst-port
of the protocol." This section just takes about the policy lookup tool available in the GUI but not the policy lookup functionality of the FortiOS itself.
Basically when a packet hits the firewall, firewall will have src_intf/protocol/src_addr/dst_addr/src_port/dst_port of the packet and the packet is put into the below checks in order,
If the packet doesn't match any of the first 4, then a new session needs to be created. For which firewall does route lookup, routing uses the routing table to determine the interface to be used by the packet as it leaves the FortiGate. The source interface is known when the packet is received and the destination interface is determined by routing. Then firewall policies are matched with packets depending on the source and destination interface used by the packet along with other parameters such as
Cheers,
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
227 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.