Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jammac
New Contributor III

How exactly are security profiles matched?

I am having a hard time figuring out how exactly a decision is taken when multiple UTM profiles and multiple rules are in play.

 

But let's have a simple example:

 

I have a HTTP request that goes into category "Information Technology".

However it is being allowed by the rule with the following security profile: Webfilter
* "Content Servers" -> Allow
* All the others (including "Information Technology") -> Monitor

 

1) What is the actual meaning of "Monitor" anyway?

 

2) If a rule contains multiple security profiles, where do I see exactly which one was matched, if the rule matched?

 

Is there some detailed documentation on this?

 

Thanks

Marki

2 Solutions
gfleming


Usually you'd configure

* Group allow FTP
* Everyone allow HTTP

So, if Group doesn't match FTP then it will still do HTTP.

This is exactly what you do on FortiGate as well. You have two policies as you just defined:

1. One Policy allows FTP traffic from "Group" members.

2. Another policy, allows HTTP traffic for everyone

 

Someone in the "Group" trying to access a web page will not hit the FTP policy and they'll just go to the HTTP policy which is allowing it for all users.

 

Please do not get confused about Application Control and Services. Application Control allows you to apply NGFW functionality on top of your Firewall Policy. Services are used to select your policy. That is "FTP" is a service (TCP/21), and "HTTP" is a service (TCP/80), etc etc. 

 

Once your HTTP policy is selected you can optionally have Web Filter, App Control, etc to further enforce or monitor the traffic in that policy. 

 

It sounds like you are trying to restrict traffic using App Control and Web Filtering profiles. You need to use Services in the policy to do this. 

 

So your policy for the Group will reference the Group as a source and TCP/21 as the service. (no one else will be allowed to use FTP). 

 

Your policy to allow Proxy.HTTP will reference HTTP (TCP/80) as the service and have an optional Web Filter profile attached to it. If you're not trying to restrict  or block or monitor Web categories or URLs you don't need a profile.

 

 

 

Cheers,
Graham

View solution in original post

gfleming

To block sites please use ISDB, TCP/UDP Services and/or Address Objects and do not use App Control or other security profiles. App Control profiles should be applied holistically to an entire user class. That is, each class of users ideally has just one Application Profile, one Web Profile, etc.

 

So for your VIP users use ISDB object to block Dropbox and that's it. No profiles needed. This policy will only hit when VIP try to go to Dropbox. You can use wildcard address objects but not as effective.

 

And please remember your more specific rules will always go at the top. So blocking of Dropbox will hit before anything else because it's more specific. Therefore it does not matter if the broader "allow all" rule allows Dropbox because if a VIP user is hitting the broader rule they will only be doing so if the traffic is *not* Dropbox (as it would have otherwise been blocked by the more specific policy).

 

There are no best practice docs as far as I know that talk about policy creation. I would assume because there is no best practice. Not everyone will have VIP users or the same restrictions necessarily. All we can do is learn how the Firewall works in terms of policy lookups and application of security profiles, etc and go from there.

 

I suggest you read through the Admin Guide and also check out NSE 4 and NSE 7 training courses which are 100% free of charge.

Cheers,
Graham

View solution in original post

7 REPLIES 7
gfleming
Staff
Staff

You need to order your policies from most specific to least specific. The first policy in the list that matches will win and the rest will be ignored. So that's how the firewall picks the policy.

 

Here's some relevant documentation: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/656084/firewall-policy

 

Also note that per the above link, policies are picked on a number of criteria that do not include security profiles. Security Profiles are applied to policies after they are selected and not part of the decision criteria.

 

Therefore your HTTP request is probably being matched by thte Content Servers rule because the policies have similar criteria and the Content Servers policy is higher in the list. 

 

To answer your specific questions:

 

1. Monitor means categories in the Web Filter profile that are matched will be logged but still allowed.

 

2. A rule can only contain one profile of each type. You cannot have a rule with two Web Filter profiles. To see which rule was matched you can review your traffic logs and security (utm) logs or your session table. Some details in these docs:

 

https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/738890/log-and-report

 

https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/615462/url-filter

 

https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/562859/using-a-session-table

Cheers,
Graham
jammac
New Contributor III

Hmm, consider the following scenario:

* All users are supposed to be allowed to use Proxy.HTTP application
* A certain group of users *additionally* is allowed to do FTP

 

Usually you'd configure

* Group allow FTP
* Everyone allow HTTP

So, if Group doesn't match FTP then it will still do HTTP.

 

On this platform I have to

* Group allow FTP and HTTP (because I cannot just exclude HTTP from being decided upon at this stage)
* Everyone allow HTTP

 

But if I change the Appctrl profile for "Everyone" in the future, I would have to remember to change the Appctrl profile for "Group" too, otherwise they won't have the same general access.

That's kind of weird.

gfleming


Usually you'd configure

* Group allow FTP
* Everyone allow HTTP

So, if Group doesn't match FTP then it will still do HTTP.

This is exactly what you do on FortiGate as well. You have two policies as you just defined:

1. One Policy allows FTP traffic from "Group" members.

2. Another policy, allows HTTP traffic for everyone

 

Someone in the "Group" trying to access a web page will not hit the FTP policy and they'll just go to the HTTP policy which is allowing it for all users.

 

Please do not get confused about Application Control and Services. Application Control allows you to apply NGFW functionality on top of your Firewall Policy. Services are used to select your policy. That is "FTP" is a service (TCP/21), and "HTTP" is a service (TCP/80), etc etc. 

 

Once your HTTP policy is selected you can optionally have Web Filter, App Control, etc to further enforce or monitor the traffic in that policy. 

 

It sounds like you are trying to restrict traffic using App Control and Web Filtering profiles. You need to use Services in the policy to do this. 

 

So your policy for the Group will reference the Group as a source and TCP/21 as the service. (no one else will be allowed to use FTP). 

 

Your policy to allow Proxy.HTTP will reference HTTP (TCP/80) as the service and have an optional Web Filter profile attached to it. If you're not trying to restrict  or block or monitor Web categories or URLs you don't need a profile.

 

 

 

Cheers,
Graham
gfleming

Alternatively, you have two policies, one for members in the "Group" and one for everyone that allow all traffic. Now you can use separate security profiles to restrict what those users can access. One App Control profile for "Group" members and one for "Everyone" applied to the relevant FW Policy.

Cheers,
Graham
jammac
New Contributor III

Hello,

 

So if I want to do the following, how do I do it without losing overview of my rules?

 

All users have access to everything, restricted by webfilter and appcontrol:
* Source: IP/Usergroup
* Destination: all
* Service: HTTP/HTTPS
* Security Profiles: WEB & APP

 

Now I have VIP users that should be able to use box.com, but not dropbox.com.

So I guess I have to add a rule before the rule above:
* Source: VipUsers
* Destination: ? I cannot use "Destination: *.box.com" since I don't know if that is the only domain box.com are using. This is AppControl's job anyway.
* Service: HTTP/HTTPS
* Security Profiles: ? Since this is the only rule that will ever match for this user, I would have to copy the generic rule settings (see above) and add "Application: Box" to it.

 

But it is more complicated:
* Since there is a WebFilter in place I'd have to allow "File Sharing" category.
* However, is seems that would also allow Dropbox besides Box.com. AppControl wouldn't block Dropbox anymore, as Webfilter already allows it.
* Also, if the generic AppControl profile changes, I'd have to remember to adapt the other more specific AppControl profiles, since there is no inheritance.

 

--> How do I simply add an exception for a specific user/group/IP, while not breaking everything else potentially?

 

Is there some best practice document how to create efficient policies?

 

Thanks.

gfleming

To block sites please use ISDB, TCP/UDP Services and/or Address Objects and do not use App Control or other security profiles. App Control profiles should be applied holistically to an entire user class. That is, each class of users ideally has just one Application Profile, one Web Profile, etc.

 

So for your VIP users use ISDB object to block Dropbox and that's it. No profiles needed. This policy will only hit when VIP try to go to Dropbox. You can use wildcard address objects but not as effective.

 

And please remember your more specific rules will always go at the top. So blocking of Dropbox will hit before anything else because it's more specific. Therefore it does not matter if the broader "allow all" rule allows Dropbox because if a VIP user is hitting the broader rule they will only be doing so if the traffic is *not* Dropbox (as it would have otherwise been blocked by the more specific policy).

 

There are no best practice docs as far as I know that talk about policy creation. I would assume because there is no best practice. Not everyone will have VIP users or the same restrictions necessarily. All we can do is learn how the Firewall works in terms of policy lookups and application of security profiles, etc and go from there.

 

I suggest you read through the Admin Guide and also check out NSE 4 and NSE 7 training courses which are 100% free of charge.

Cheers,
Graham
jammac
New Contributor III

I didn't even realize there was another DB besides Webfilter and Appcontrol, namely "internet services"....  :flushed_face:
Thanks for all the valuable information so far.

 

UPDATE Oh that's because they are not shown on the quick edit pane. You have to edit the policy rule and in there you only see the different tabs "Address", "IPv6", "Internet Service"...

Labels
Top Kudoed Authors