The firewall policies of the FortiGate are one of the most important aspects of the appliance. There are a lot of building blocks and configurations involved in setting up a firewall and it within the policies that a lot of these components come together to form a cohesive unit to perform the firewall’s main function, analyzing network traffic and responding appropriately to the results of that analysis.
There are a few different kinds of policies and in most cases these are further divided into IPv4 and IPv6 versions:
- IPv4 policy – used for managing traffic going through the appliance using IPv4 protocols l IPv6 policy – used for managing traffic going through the appliance using IPv6 protocols l NAT64 policy – used for managing traffic going through the appliance that converts from IPv6 on the incoming interface to IPv4 on the outgoing interface
- NAT46 policy – used for managing traffic going through the appliance that converts from IPv4 on the incoming interface to IPv6 on the outgoing interface
- Multicast policy – used to manage traffic sent to multiple destinations l IPv4 access control list – used to filter out packets based on specific IPV4 parameters. l IPv6 access control list – used to filter out packets based on specific IPV6 parameters. l IPv4 DoS policy – used to prevent malicious or flawed packets on an IPv4 interface from denying access to users. l IPv6 DoS policy – used to prevent malicious or flawed packets on an IPv6 interface from denying access to users.
Because the policy determines whether or not NAT will be used, it is also import to look at how to configure: l Central SNAT – used for granular controlling when NATing is in use.
Viewing firewall policies
To find a Policy window, follow one of these path in the GUI:
- Policy & Objects> IPv4 Policy l Policy & Objects> IPv6 Policy l Policy & Objects> NAT64 Policy l Policy & Objects> NAT46 Policy l Policy & Objects> Proxy Policy l Policy & Objects> Multicast Policy
You may notice other policy options on the left window pane such as:
- Policy & Objects> IPv4 DoS Policy l Policy & Objects> IPv6 DoS Policy l Policy & Objects> Local InPolicy
These are different enough that they have their own descriptions in the sections that relate to them.
Viewing firewall policies
There are some variations, but there are some common elements share by all of them. There is a menu bar across the top. The menu bar will have the following items going from left to right:
l Create New button l Edit button l Delete button l Search field l Interface Pair View– Displays the policies in the order that they are checked for matching traffic, grouped by the pairs of Incoming and Outgoing interfaces. For instance, all of the policies referencing traffic from WAN1 to DMZ will be in one section. The policies referencing traffic from DMZ to WAN1 will be in another section. The sections are collapsible so that you only need to look at the sections with policies you are interested in. l By Sequence– Displays the policies in the order that they are checked for matching traffic without any grouping.
Menu items not shared by all policies
l Policy Lookup – (IPv4, IPv6 ) l NAT64 Forwarding – (NAT64)
The Table of Policies
The tables that make up the Policy window are based on rows which represent individual policies and the columns that represent the various parameters or status within the policy. The columns are customizable by which columns are included and what order they are in.
The table can be laid out a number ways to suit the viewer. There is a column for most of the important pieces of information that you might be interested in seeing, but a lot of them are hidden by default. If you had a large enough screen, you might be able to show all of the columns, but even then it might look a bit busy and crammed together. Figure out which pieces of information are most important to you and hide the rest.
To configure which columns are visible and which are hidden, right click on the header row of the table. This will present a drop down menu. The drop down will be divided into sections. At the top will be the Selected Columns which are currently visible, and the next section will be Available Columns which show which columns are available to add to the table.
To move a column from the Available list to the Selected list just click on it. To move a column from the Selected list to the Available list, it also just takes a click of the mouse. To make the changes show up on the table, go to the bottom of the drop down menu and select Apply. Any additions to the table will show up on the right side.
One of the more useful ones that can be added is the ID column. The reason for adding this one is that within the configuration file and CLI, the policies are referenced by their ID number. Some policy settings are only available for configuration in the CLI. If you are looking in the CLI you will see that the only designation for a policy is its number and if you wish to edit the policy or change its order in the sequence you will be asked to move it before or after another policy by referencing its number.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
Don't Forget To Buy Your Fortinet Hardware From The Fortinet GURU