Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sims
New Contributor III

Policy direction

Hi, Interface1 interface2

I have created the policy source is interface 1 and destination is interface 2

Why do I have to create a policy in reverse direction (I mean source is interface 2 and destination is interface 1)?

Thanks


3 Replies
James_G
Contributor III

sims wrote:

Why do I have to create a policy in reverse direction (I mean source is interface 2 and destination is interface 1)?

Umm, you don't, unless you have sessions starting from interface 2.

Too little info here to help.

sims
New Contributor III

Hi,

Sorry for the confusion.

My question was this: client A from VLAN 100 is accessing 443 on server A, which is in VLAN 101.

In that case, do I need a reverse policy from VLAN 101 to VLAN 100?

Sorry for my English.

Thanks

lobstercreed
Valued Contributor

Of course not, as James said. Unless server A in VLAN 101 initiates connections to client A in VLAN 100, no policy in the reverse direction would be needed. That's one of the most basic things that should be understood about stateful firewalls.

If you're defining stateless ACLs (like on a Cisco switch or something) then you need all that reverse stuff, but the whole point of firewalls is that they are far superior to that.
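To make the stateful-versus-stateless point concrete, here is an added toy model (not code from this thread, and not Fortinet's session engine) that replays the scenario sims described: client A in VLAN 100 opening HTTPS to server A in VLAN 101, the server's reply, and then server A trying to open SSH back towards the client. The IP addresses, ports and VLAN names are constructed for the example. A stateful firewall with only the VLAN100-to-VLAN101 port 443 policy accepts the reply because it belongs to the session table, and still denies the server-initiated connection; a stateless ACL with the same single rule drops the reply, and the reverse rule it would need to fix that (any port back into VLAN 100) also lets the server-initiated SSH through.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the scenario in the thread (not real hosts).
CLIENT_A = "10.0.100.10"   # client A, VLAN 100
SERVER_A = "10.0.101.5"    # server A, VLAN 101


@dataclass(frozen=True)
class Packet:
    """One TCP segment as seen by the firewall."""
    in_vlan: str       # ingress interface (VLAN)
    out_vlan: str      # egress interface (VLAN)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True only for the connection-opening SYN


@dataclass(frozen=True)
class Policy:
    """A one-directional allow rule: traffic entering src_vlan and leaving dst_vlan."""
    src_vlan: str
    dst_vlan: str
    dst_port: Optional[int]  # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.src_vlan == pkt.in_vlan
                and self.dst_vlan == pkt.out_vlan
                and self.dst_port in (None, pkt.dst_port))


class StatelessAcl:
    """Switch-style ACL: every packet is judged on its own, with no memory of sessions."""
    def __init__(self, policies):
        self.policies = list(policies)

    def process(self, pkt: Packet) -> str:
        return "ACCEPT" if any(p.matches(pkt) for p in self.policies) else "DENY"


class StatefulFirewall:
    """Firewall-style filtering: a policy is consulted only when a new session (SYN)
    arrives; later packets of that session, in either direction, are matched
    against the session table instead of the policy list."""
    def __init__(self, policies):
        self.policies = list(policies)
        self.sessions = set()  # keys: (src_ip, src_port, dst_ip, dst_port) of accepted SYNs

    def process(self, pkt: Packet) -> str:
        forward = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if forward in self.sessions or reverse in self.sessions:
            return "ACCEPT-SESSION"      # reply traffic rides on the existing session
        if pkt.syn and any(p.matches(pkt) for p in self.policies):
            self.sessions.add(forward)   # policy allowed it: open a session entry
            return "ACCEPT-NEW"
        return "DENY"                    # no session and no policy, or an out-of-state packet


def run_scenario():
    """Client A (VLAN 100) opens HTTPS to server A (VLAN 101); later server A tries
    to open SSH towards client A. Returns the per-packet verdicts of each model."""
    forward_only = [Policy("VLAN100", "VLAN101", 443)]
    # What a stateless ACL needs to let the HTTPS replies through: a reverse rule
    # towards the client's ephemeral port, which in practice means any port.
    with_reverse = forward_only + [Policy("VLAN101", "VLAN100", None)]

    packets = [
        Packet("VLAN100", "VLAN101", CLIENT_A, 51000, SERVER_A, 443, syn=True),  # client SYN
        Packet("VLAN101", "VLAN100", SERVER_A, 443, CLIENT_A, 51000),            # server SYN-ACK
        Packet("VLAN101", "VLAN100", SERVER_A, 44000, CLIENT_A, 22, syn=True),   # server-initiated SSH
    ]

    def verdicts(fw):
        return [fw.process(p) for p in packets]

    return {
        "stateful_forward_only": verdicts(StatefulFirewall(forward_only)),
        "stateless_forward_only": verdicts(StatelessAcl(forward_only)),
        "stateless_with_reverse": verdicts(StatelessAcl(with_reverse)),
    }


if __name__ == "__main__":
    for model, result in run_scenario().items():
        print(f"{model:24s} {result}")
```

The session table is keyed on the 5-tuple of the accepted SYN and is looked up in both directions, which is the whole mechanism that makes the reverse policy unnecessary: the reply is not evaluated against policy at all. The third packet shows why the stateful model is the safer one, since the only way to make the stateless ACL pass the reply is a rule broad enough to also admit connections the server initiates on its own.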