Support Forum
Infotech22
Contributor

Fortigate Firewall Policies Best Practices

Hello everybody,

I would like to get some info on how you are dealing with Firewall Policies.
In our infrastructure we have multiple VLANs (clients, printers, servers, voip, etc), and from vlan to vlan I created separate firewall policies.
Example would be:
Sequence grouping: VLAN_CLIENTS to VLAN_SERVERS
1. Clients_To_FileServers - then I restricted from which VLAN to which VLAN, source and destination also, and we also restrict only the needed services.
It's the same principle for every other traffic that is needed.

Now when I look at the Firewall Policies, for somebody else it can be difficult to manage their way through the policies.
How can I make it less complicated but still as secure as it can be?

Example of our policies:

Example.png

AEK
SuperUser

Hello

From the screenshot I think you are already doing it the right way, by using good naming conventions for policy names and object names, and by keeping one single source interface and one single destination interface per policy, so you can see policies by interface pairs.

I think this is the least complicated way.

AEK
jse_ainsley
New Contributor

I am looking to do the same thing but was wondering if you are using security profiles (e.g., IPS, AV, etc.) on those policies to inspect traffic? For example, I would want to inspect traffic going from the client workstation VLAN to my server VLAN and watch for malware/ransomware like activity/signatures.


Just curious to see how you are doing this. I worry a bit about the performance/throughput hit.

AEK

You can use the "default" IPS and AV profiles; they are good ones.

If there is HTTPS traffic then you need to enable deep inspection, otherwise you will catch malware on unencrypted traffic only. Same for many IPS signatures.

For performance info you need to check your FG's datasheet to see how much it can support.

AEK
Genobaseball10
New Contributor III

Hello Infotech! From the looks of this screenshot, your policies do not look complicated at all. What I would just make sure of is that each of your policies is being used and there are no redundant policies. When it comes to handling routing on the FortiGate, I have been guilty of accidentally creating redundant policies for specific hosts to access specific services. Other than that, your naming convention for everything here looks solid and I'm sure anyone with any firewall experience could navigate this just fine! 

CCNA | FCP | CWNA
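The replies above make three checkable points: keep one interface pair per policy with clear names (AEK), put AV/IPS on the policies and use deep inspection where HTTPS is allowed (AEK's second reply), and make sure there are no redundant policies (Genobaseball10). The script below is an added example, not code from the thread or from Fortinet: it parses a `config firewall policy` dump in FortiOS CLI format and reports exact duplicates, policies shadowed by an earlier all/all/ALL policy on the same interface pair, and inspection gaps. The configuration it reads is constructed for the example, and every interface, address object and policy name in it is hypothetical.

```python
# Added example, not code from the thread: audit a FortiOS "config firewall policy"
# dump for exact duplicates, policies shadowed by an earlier catch-all on the same
# interface pair, and inspection gaps (no AV/IPS, HTTPS without deep inspection).
import re

# Constructed sample in the one-interface-pair-per-policy style from the thread;
# all names are hypothetical.
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set name "Clients_To_FileServers"
        set srcintf "VLAN_CLIENTS"
        set dstintf "VLAN_SERVERS"
        set srcaddr "NET_CLIENTS"
        set dstaddr "HOST_FS01"
        set service "SMB"
        set action accept
        set utm-status enable
        set av-profile "default"
        set ips-sensor "default"
    next
    edit 2
        set name "Clients_To_WebApp"
        set srcintf "VLAN_CLIENTS"
        set dstintf "VLAN_SERVERS"
        set srcaddr "NET_CLIENTS"
        set dstaddr "HOST_WEB01"
        set service "HTTPS"
        set action accept
        set ssl-ssh-profile "certificate-inspection"
    next
    edit 3
        set name "Clients_To_FileServers_old"
        set srcintf "VLAN_CLIENTS"
        set dstintf "VLAN_SERVERS"
        set srcaddr "NET_CLIENTS"
        set dstaddr "HOST_FS01"
        set service "SMB"
        set action accept
    next
    edit 4
        set name "Printers_To_Servers_Any"
        set srcintf "VLAN_PRINTERS"
        set dstintf "VLAN_SERVERS"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set action accept
    next
    edit 5
        set name "Printers_To_PrintServer"
        set srcintf "VLAN_PRINTERS"
        set dstintf "VLAN_SERVERS"
        set srcaddr "NET_PRINTERS"
        set dstaddr "HOST_PRINT01"
        set service "SMB"
        set action accept
    next
end
"""

MATCH_KEYS = ("srcintf", "dstintf", "srcaddr", "dstaddr", "service")  # list-valued keys

def parse_policies(text):
    """Return one dict per 'edit N ... next' block, in configured (evaluation) order."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"edit (\d+)", line):
            cur = {"id": int(m.group(1))}
        elif line == "next" and cur is not None:
            policies.append(cur)
            cur = None
        elif cur is not None and (m := re.fullmatch(r"set (\S+) (.+)", line)):
            key, val = m.groups()
            quoted = tuple(re.findall(r'"([^"]*)"', val))  # "A" "B" -> ("A", "B")
            cur[key] = quoted if key in MATCH_KEYS else (quoted or (val,))[0]
    return policies

def audit(policies):
    """Return (policy_id, finding) pairs; FortiOS matches top-down, so each policy is compared with earlier ones."""
    findings, seen, catch_all = [], {}, {}
    for p in policies:
        if p.get("action") != "accept":
            continue  # only accept policies create exposure or overlap worth flagging
        key = tuple(p.get(k, ()) for k in MATCH_KEYS)
        pair = key[:2]
        if key in seen:
            findings.append((p["id"], f"duplicate of policy {seen[key]}"))
        seen.setdefault(key, p["id"])
        if pair in catch_all:
            findings.append((p["id"], f"shadowed by catch-all policy {catch_all[pair]}"))
        if key[2:] == (("all",), ("all",), ("ALL",)):
            catch_all.setdefault(pair, p["id"])
            findings.append((p["id"], "catch-all (all/all/ALL) policy"))
        if p.get("utm-status") != "enable" or not {"av-profile", "ips-sensor"}.issubset(p):
            findings.append((p["id"], "no AV/IPS inspection"))
        if {"HTTPS", "ALL"} & set(key[4]) and p.get("ssl-ssh-profile") != "deep-inspection":
            findings.append((p["id"], "HTTPS allowed without deep inspection"))
    return findings

if __name__ == "__main__":
    print(*(f"policy {i}: {m}" for i, m in audit(parse_policies(SAMPLE_CONFIG))), sep="\n")
```

Run against a real dump (`show firewall policy` output saved to a file and passed to `parse_policies`), policy 1 in the sample comes back clean, policy 3 is reported as a duplicate of policy 1, and policy 5 is reported as shadowed by the catch-all policy 4, which is exactly the kind of redundant rule the last reply warns about. The shadow check only recognises a literal all/all/ALL policy; overlap between address groups or subnets would need the object definitions as well.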