Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Infotech22
Contributor

Created on ‎11-28-2023 08:55 AM

Firewall Policies

Hello to all,

I would like to know you're best practices and approaches on configuring Firewall Policies to be as restricted as possible.

I want to restrict access as much as I can.

  • Examples would be to allow only certain Services for certain Servers (for DNS servers only port 53 etc), For Pirnters only SMB and so on.
  • From Clients to Servers also only needed services for specific Servers (AD, Print Servers, File Servers)
  • IT to have adminsitration rights for all servers
  • Restricted for others that don't need anything else that services

I think you get the point what I want to achieve.
We already have something like that for  our branch office, but I want to see if there are some better recommendations.

And also I don't have zoning concept. Don't know if granular restrictions can be a lot of work with zoning since I'm going to have few VLANs etc.

 

This is an example of our branch office:
Firewall_Rules.png

 

Like this our Firewall Rules are getting larger and more difficult to manage.
over 100 rules

Best Regards,
Nemanja



 

Labels:
557
0 Kudos
1 Solution
Nchandan
Staff
Staff

Created on ‎11-29-2023 08:12 PM

You can achieve this by restricting access as much as possible and implementing granular firewall policies. The best approach to achieve this is by implementations like giving users least privileges using application control, users authentication, roal-based access control, Granular Firewall Policies (create policies that allow specific clients to access specific servers on designated ports),  Logging and Monitoring etc, hope this helps

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Best-practices-for-policy-configuration/ta...

View solution in original post

487
4 REPLIES 4
AEK
SuperUser
SuperUser

Created on ‎11-29-2023 12:41 PM

Hi Nemanja

Here are some recommendations:

  • Use zones
  • Use one interface in and one interface out, in order to see your rules by interface pairs, so even 1000 rules will remain easy to manage
  • Use naming conventions for rules and objects
  • Use security profiles
  • Avoid using any to any, all to all
AEK
AEK
509
DPadula
Staff
Staff

Created on ‎11-29-2023 01:18 PM

Just adding to AEK reply, you can check our best practices guide. I am pasting the link to the policies section, but you should check other relevant section as well.

 

https://docs.fortinet.com/document/fortigate/7.2.0/best-practices/862226/policies

505
0 Kudos
Nchandan
Staff
Staff

Created on ‎11-29-2023 08:12 PM

You can achieve this by restricting access as much as possible and implementing granular firewall policies. The best approach to achieve this is by implementations like giving users least privileges using application control, users authentication, roal-based access control, Granular Firewall Policies (create policies that allow specific clients to access specific servers on designated ports),  Logging and Monitoring etc, hope this helps

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Best-practices-for-policy-configuration/ta...

488
TysonHauck
New Contributor

Created on ‎12-06-2023 11:05 PM

Great to see that you are prioritizing security. It is recommended to use zones and naming conventions for clarity. AEK's suggestion on interface pairs is smart. Keep it granular and efficient. Check out the link shared by Nchandan for detailed best practices.

If you want to solve assignment problem then I would suggest to hire an essay writer from assignment writing service and you can find it on this https://bigassignments.com/ website link. I am also using it.
If you want to solve assignment problem then I would suggest to hire an essay writer from assignment writing service and you can find it on this https://bigassignments.com/ website link. I am also using it.
407
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.