Created on 03-22-2022 10:42 PM Edited on 08-30-2024 02:59 AM By Jean-Philippe_P
Description
This article describes how policy order works on FortiGate.
Scope
FortiGate all versions.
Solution
After a policy is created, reorder the policy rules as necessary.
The policies are consulted from top to bottom.
The first rule that matches is applied and subsequent rules are not evaluated.
On a FortiGate, firewall policies are matched by order of precedence, or in more familiar terms, 'first come, first served'.
Even with only a relatively small number of policies, it is likely that some will overlap with, or be subsets of, others in the parameters used to decide which policy matches the incoming traffic.
When this happens there has to be a method to determine which policy should be applied to the packet.
The method which is used by most firewalls is based on the order of the sequence of the policies.
If all of the policies were placed in a sequential list, the process to match up the packet would start at the top of the list and work its way down.
It would compare information about the packet, specifically these points of information:
As soon as a policy is reached that matches all of the applicable parameters, the instructions of that policy are applied and the search for any other matching policies is stopped.
All subsequent policies are disregarded.
Only one policy is applied to the packet.
If none of the configured policies matches the traffic, the packet finally drops down to the policy that is always last in the list.
This is the implicit deny policy. It has policy ID 0 and is one of a few implicit policies referred to by the term 'policy0'. Its action is to deny all traffic.
The only editable setting in the implicit policy is the logging of violation traffic.
A best practice that follows from this behaviour is to place a policy closer to the top of the sequence the more specific or specialized it is.
The more general a policy is, the more likely its parameters also cover the traffic that a more specific policy was written for, so a general policy placed above a specific one prevents the specific one from ever being matched. The more specific a policy is, the more likely it exists because that traffic must be treated in a particular way.
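The following is an added, illustrative model of the lookup described above (top-down, first match wins, fall-through to policy 0) and of the ordering problem it creates: a general policy placed above a more specific one shadows it. It is not FortiOS code; it is a simplified simulation that matches only on interfaces, source/destination subnets and service (a real FortiGate also evaluates schedule and other parameters). The field names (srcintf, dstintf, srcaddr, dstaddr, service, action) mirror the FortiOS CLI, and `move_before` imitates the CLI's `move <id> before <id>` inside `config firewall policy`. The policy table and packets are constructed sample data.

```python
"""Illustrative first-match policy lookup with implicit deny (policy 0)
and a shadow check for policies that can never be reached.
Simplified model of FortiGate behaviour, not FortiOS code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    policyid: int
    srcintf: str         # interface name, or "any"
    dstintf: str
    srcaddr: str         # CIDR; 0.0.0.0/0 stands for "all"
    dstaddr: str
    service: frozenset   # {"tcp/22", ...} or {"ALL"}
    action: str          # "accept" or "deny"


@dataclass(frozen=True)
class Packet:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    proto: str
    dport: int


# Policy ID 0: the implicit deny that sits below every configured policy.
IMPLICIT_DENY = Policy(0, "any", "any", "0.0.0.0/0", "0.0.0.0/0",
                       frozenset({"ALL"}), "deny")


def _intf_ok(policy_intf: str, pkt_intf: str) -> bool:
    return policy_intf == "any" or policy_intf == pkt_intf


def _service_ok(services: frozenset, proto: str, dport: int) -> bool:
    return "ALL" in services or f"{proto}/{dport}" in services


def matches(policy: Policy, pkt: Packet) -> bool:
    """True when every matching parameter of the policy covers the packet."""
    return (_intf_ok(policy.srcintf, pkt.srcintf)
            and _intf_ok(policy.dstintf, pkt.dstintf)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(policy.srcaddr)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(policy.dstaddr)
            and _service_ok(policy.service, pkt.proto, pkt.dport))


def lookup(policies: list, pkt: Packet) -> Policy:
    """Top-down, first match wins; no match falls through to policy 0."""
    for policy in policies:
        if matches(policy, pkt):
            return policy
    return IMPLICIT_DENY


def _covers(outer: Policy, inner: Policy) -> bool:
    """True when every packet that could match inner is also matched by outer."""
    return (_intf_ok(outer.srcintf, inner.srcintf)
            and _intf_ok(outer.dstintf, inner.dstintf)
            and ipaddress.ip_network(inner.srcaddr).subnet_of(ipaddress.ip_network(outer.srcaddr))
            and ipaddress.ip_network(inner.dstaddr).subnet_of(ipaddress.ip_network(outer.dstaddr))
            and ("ALL" in outer.service or inner.service <= outer.service))


def shadowed(policies: list) -> list:
    """(shadowed_id, shadowing_id) pairs: the later policy can never be hit."""
    found = []
    for j, later in enumerate(policies):
        for earlier in policies[:j]:
            if _covers(earlier, later):
                found.append((later.policyid, earlier.policyid))
                break
    return found


def move_before(policies: list, policyid: int, before_id: int) -> list:
    """Model of the CLI 'move <policyid> before <before_id>' (hypothetical helper)."""
    moving = next(p for p in policies if p.policyid == policyid)
    rest = [p for p in policies if p.policyid != policyid]
    idx = next(i for i, p in enumerate(rest) if p.policyid == before_id)
    return rest[:idx] + [moving] + rest[idx:]


# Constructed sample table, in the order the policies were created.
POLICIES = [
    Policy(1, "port1", "port2", "10.0.0.0/8", "0.0.0.0/0", frozenset({"ALL"}), "accept"),
    Policy(2, "port1", "port2", "10.1.1.0/24", "203.0.113.0/24", frozenset({"tcp/22"}), "deny"),
    Policy(3, "port3", "port2", "10.2.0.0/16", "0.0.0.0/0", frozenset({"tcp/443"}), "accept"),
]

SSH_FROM_LAB = Packet("port1", "port2", "10.1.1.5", "203.0.113.10", "tcp", 22)
FROM_UNKNOWN = Packet("port1", "port2", "192.168.50.9", "203.0.113.10", "tcp", 443)

if __name__ == "__main__":
    hit = lookup(POLICIES, SSH_FROM_LAB)
    print(f"as created: policy {hit.policyid} {hit.action}")   # the deny in policy 2 is shadowed
    print("shadowed:", shadowed(POLICIES))
    fixed = move_before(POLICIES, 2, 1)
    hit = lookup(fixed, SSH_FROM_LAB)
    print(f"after move 2 before 1: policy {hit.policyid} {hit.action}")
    hit = lookup(fixed, FROM_UNKNOWN)
    print(f"no match: policy {hit.policyid} {hit.action}")    # implicit deny, policy 0
```

As created, the SSH packet from 10.1.1.5 hits the general policy 1 and is accepted, and the specific deny in policy 2 is never consulted; `shadowed()` reports exactly that pair. After moving policy 2 above policy 1 the deny applies, and traffic that matches nothing still ends at policy 0.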
Related article:
Technical Tip: Firewall policy lookups
Copyright 2024 Fortinet, Inc. All Rights Reserved.