Dannу
Contributor

Properly defining the Internet within a security policy

Let's discuss!

 

There are various methods of defining the Internet within a firewall security policy.

What are the Pros and Cons of each method?

 

Method 1: Destination "all"


Pro: Easy to use and understandable for humans within normal firewall administration.

Con: "all" is not the Internet. In an ideal security world, you shouldn't use "all" or "any" in any of your firewall rules.

 

Method 2: Object "Internet with excluded networks (e.g. internal, VPN and RFC1918, ...)"


Pro: Can be used within NAT. Allows for proper verification checks by FortiGate.

Con: Keeping the object up-to-date requires regular maintenance.

 

Method 3: Negated internal, VPN, RFC1918, ... networks in the Destination field

Pro: Allows for proper verification checks by FortiGate.

Con: Hard to read/understand/maintain for admin staff.

 

Any more methods, pros, cons?

How do you define the Internet in your security policies?
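As an added illustration of Method 2 versus Method 3 (example code, not from this thread or from Fortinet), the script below computes the explicit "Internet" object as the complement of the excluded networks and verifies that it agrees with the negated-destination form. The exclusion list is constructed for the example; the VPN range is hypothetical and should be replaced with your own internal and VPN networks.

```python
"""Build the explicit "Internet" object that Method 2 needs as the complement of
the excluded networks, then check it agrees with Method 3 (the same networks
negated in the destination field)."""
import ipaddress

# Constructed exclusion list for this example: RFC1918 plus one hypothetical
# site-to-site VPN range. A real object carries the site's own networks.
EXCLUDED = [
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "203.0.113.0/24",  # hypothetical VPN peer range (documentation space)
]


def internet_prefixes(excluded):
    """Prefixes covering 0.0.0.0/0 minus every network in `excluded`."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for net in (ipaddress.ip_network(n) for n in excluded):
        updated = []
        for block in remaining:
            if net.subnet_of(block):
                updated.extend(block.address_exclude(net))  # carve net out
            elif block.subnet_of(net):
                continue  # block lies inside an exclusion: not Internet
            else:
                updated.append(block)  # disjoint, keep as-is
        remaining = updated
    # Merge adjacent leftovers so the object stays as short as possible.
    return sorted(ipaddress.collapse_addresses(remaining))


def matches_method2(dst, excluded):
    """Method 2: the destination must fall inside the explicit Internet object."""
    ip = ipaddress.ip_address(dst)
    return any(ip in prefix for prefix in internet_prefixes(excluded))


def matches_method3(dst, excluded):
    """Method 3: the destination must not fall inside any negated network."""
    ip = ipaddress.ip_address(dst)
    return not any(ip in ipaddress.ip_network(n) for n in excluded)


def audit(excluded, samples):
    """Verification check: both methods must agree on every sample destination."""
    return all(matches_method2(d, excluded) == matches_method3(d, excluded)
               for d in samples)
```

Running `internet_prefixes(EXCLUDED)` prints the prefix list you would have to keep in the Method 2 object, which makes the maintenance cost of that method visible: every new internal or VPN range changes the list.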

pgautam
Staff

Hi Danny,

 

For more granular control, you can define well-known ISDB services in the destination in place of "all".

https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/179236/using-internet-servic...

Pros: The data comes from the FortiGuard service system.
Cons: Internet services that do not have an ISDB entry defined need a separate policy.


Below the ISDB-defined policy, you can create one more policy with all destinations and apply UTM profiles.

https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/680955/security-profiles

Please check the link below for best practices when creating a security policy on FortiGate:

https://docs.fortinet.com/document/fortigate/7.4.0/best-practices/862226/policies


Regards

Priyanka  



domnik968
New Contributor

So lucky to have policies that were supported by senior management. Years ago, at an organization I worked at, we also had some good policies, however my boss's boss broke them on a regular basis. Made for lots of IT spaghetti that came to bite us down the road.

YBKruthi
Staff

Hi Danny,

 

In all the methods specified, the firewall policy defines the rule that allows the traffic to the destination.

Based on the order of preference, security policies are checked, and if the traffic matches a rule, it is allowed.

 

Be aware that mapping the destinations is based on your requirements.

+ Allow all is for the LAN users to access all the Internet services.

+ Similarly, if you want to restrict the LAN users to specific Internet sites, you can use IP objects/ISDB.

+ To restrict specific LAN users to a specific destination, ensure that you add the source and destination objects and place the firewall policy in the right order for hits.

 

Basically, these methods define the way you want to construct your network communication.

However, it is just a criterion for a match to allow the respective traffic to pass through the FortiGate firewall.

 

Regards,

Kruthi
