Firewall Policies
The firewall policies of the FortiGate are one of the most important aspects of the appliance. There are a lot of building blocks and configurations involved in setting up a firewall, and it is within the policies that many of these components come together to form a cohesive unit that performs the firewall’s main function: analyzing network traffic and responding appropriately to the results of that analysis.
There are a few different kinds of policies and in most cases these are further divided into IPv4 and IPv6 versions:
- IPv4 Policy – used for managing traffic going through the appliance using IPv4 protocols
- IPv6 Policy – used for managing traffic going through the appliance using IPv6 protocols
- NAT64 Policy – used for managing traffic going through the appliance that converts from IPv6 on the incoming interface to IPv4 on the outgoing interface
- NAT46 Policy – used for managing traffic going through the appliance that converts from IPv4 on the incoming interface to IPv6 on the outgoing interface
- Multicast Policy – used to manage traffic sent to multiple destinations
- IPv4 Access Control List – used to filter out packets based on specific IPv4 parameters
- IPv6 Access Control List – used to filter out packets based on specific IPv6 parameters
- IPv4 DoS Policy – used to prevent malicious or flawed packets on an IPv4 interface from denying access to users
- IPv6 DoS Policy – used to prevent malicious or flawed packets on an IPv6 interface from denying access to users
Because the policy determines whether or not NAT will be used, it is also important to look at how to configure:
- Central SNAT – used for granular control when NAT is in use
Viewing Firewall Policies
To find a Policy window, follow one of these paths in the GUI:
- Policy & Objects > IPv4 Policy
- Policy & Objects > IPv6 Policy
- Policy & Objects > NAT64 Policy
- Policy & Objects > NAT46 Policy
- Policy & Objects > Proxy Policy
- Policy & Objects > Multicast Policy
You may notice other policy options on the left window pane such as:
- Policy & Objects > IPv4 DoS Policy
- Policy & Objects > IPv6 DoS Policy
- Policy & Objects > Local In Policy
These are different enough that they have their own descriptions in the sections that relate to them.
Menu Items
There are some variations between the policy windows, but some common elements are shared by all of them. There is a menu bar across the top. The menu bar has the following items, going from left to right:
- Create New button
- Edit button
- Delete button
- Search field
- Interface Pair View – Displays the policies in the order that they are checked for matching traffic, grouped by the pairs of Incoming and Outgoing interfaces. For instance, all of the policies referencing traffic from WAN1 to DMZ will be in one section. The policies referencing traffic from DMZ to WAN1 will be in another section. The sections are collapsible so that you only need to look at the sections with policies you are interested in.
- By Sequence – Displays the policies in the order that they are checked for matching traffic without any grouping.
Menu items not shared by all policies
- Policy Lookup – (IPv4, IPv6)
- NAT64 Forwarding – (NAT64)
The Table of Policies
Columns
The tables that make up the Policy window are based on rows, which represent individual policies, and columns, which represent the various parameters or statuses within the policy. You can customize which columns are included and what order they are in.
The table can be laid out in a number of ways to suit the viewer. There is a column for most of the important pieces of information that you might be interested in seeing, but a lot of them are hidden by default. If you had a large enough screen, you might be able to show all of the columns, but even then it might look a bit busy and crammed together. Figure out which pieces of information are most important to you and hide the rest.
To configure which columns are visible and which are hidden, right click on the header row of the table. This will present a drop down menu. The drop down will be divided into sections. At the top will be the Selected Columns which are currently visible, and the next section will be Available Columns which show which columns are available to add to the table.
To move a column from the Available list to the Selected list just click on it. To move a column from the Selected list to the Available list, it also just takes a click of the mouse. To make the changes show up on the table, go to the bottom of the drop down menu and select Apply. Any additions to the table will show up on the right side.
One of the more useful ones that can be added is the ID column. The reason for adding this one is that within the configuration file and CLI, the policies are referenced by their ID number. Some policy settings are only available for configuration in the CLI. If you are looking in the CLI you will see that the only designation for a policy is its number and if you wish to edit the policy or change its order in the sequence you will be asked to move it before or after another policy by referencing its number.
How “Any” policy can remove the Interface Pair View
The FortiGate unit will automatically change the view on the policy list page to By Sequence whenever there is a policy containing “any” as the Source or Destination interface. If the Interface Pair View is grayed out it is likely that one or more of the policies has used the “any” interface.
A policy that uses the “any” interface would have to appear in multiple sections, because it could effectively match any of a number of interface pairings. As mentioned, policies are sectioned by interface pairing (for example, port1 -> port2), and each section has its own specific policy order. The order in which a policy is checked against a packet’s information is based solely on the position of the policy within its section, or within the entire list of policies as a whole. If a policy is in multiple sections at the same time, there is no mechanism for placing it in the proper order within all of those sections at once: ordering is a manual process, and there is no parameter for comparing the precedence of one section or policy over another. Thus a conflict is created. To resolve the conflict, the FortiGate firewall removes the sections so that there is no need to find precedence between them, and it therefore has only the Global View to work with.
Policy Names
Each policy has a name field. Every policy name must be unique for the current VDOM regardless of policy type. Before FortiOS 5.4, this field was optional.
On upgrading from an earlier version of FortiOS to 5.4, policy names are not assigned to old policies, but when configuring new policies, a unique name must be assigned to the policy.
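The following added example, which is not from the original page or from Fortinet, parses a constructed policy block and reports by ID the policies that use the “any” interface, have no name (as old policies do after an upgrade to 5.4), or share a name. The sample config, the function names, and the assumption that every setting fits on one line are assumptions of the example.

```python
import shlex
from collections import defaultdict

# Constructed sample (not from the page): one VDOM's policy block, backup-file style.
SAMPLE = '''\
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "port1"
        set dstintf "wan1"
    next
    edit 2
        set srcintf "any"
        set dstintf "wan1"
    next
    edit 3
        set name "lan-to-wan"
        set srcintf "port2" "port3"
        set dstintf "wan1"
    next
end
'''

def parse_policies(text):
    """Return {policy_id: {setting: [values]}} from a policy config block."""
    policies, current = {}, None
    for line in text.splitlines():
        tokens = shlex.split(line)  # assumes single-line, balanced quoting
        if len(tokens) >= 2 and tokens[0] == "edit":
            current = policies.setdefault(int(tokens[1]), {})
        elif tokens and tokens[0] == "next":
            current = None
        elif current is not None and len(tokens) >= 3 and tokens[0] == "set":
            current[tokens[1]] = tokens[2:]
    return policies

def audit(policies):
    """Flag policies by ID: 'any' interface, missing name, reused name."""
    any_intf = [pid for pid, p in policies.items()
                if "any" in p.get("srcintf", []) + p.get("dstintf", [])]
    unnamed = [pid for pid, p in policies.items() if not p.get("name")]
    by_name = defaultdict(list)
    for pid, p in policies.items():
        if p.get("name"):
            by_name[p["name"][0]].append(pid)
    dupes = {n: ids for n, ids in by_name.items() if len(ids) > 1}
    return {"any_interface": any_intf, "unnamed": unnamed, "duplicate_names": dupes}

print(audit(parse_policies(SAMPLE)))
```

The IDs it reports are the same numbers shown in the ID column and used by the CLI, so each finding can be looked up directly.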
Configuring the Name field
GUI
In the GUI, the field for the policy name is the first field on the editing page.
CLI
In the CLI, the syntax for assigning the policy name is:
    config firewall [policy|policy6]
        edit 0
            set name <policy name>
    end
Disabling Policy name requirement
By default, every policy is required to have a unique name, but this requirement can be enabled or disabled. Oddly enough, if disabling the requirement is a one time thing, doing it in the CLI is more straightforward.
IPv4
This setting is VDOM based so if you are running multiple VDOMs, you will have to enter the correct VDOM before entering the CLI commands or turning the feature on or off in the GUI.
GUI
To edit the requirement in the GUI, the ability to do so must be enabled in the CLI. The syntax is:
    config system settings
        set gui-allow-unnamed-policy [enable|disable]
    end
Once it has been enabled, the requirement for named policies can be relaxed by going to System > Feature Visibility. Allow Unnamed Policies can be found under Additional Features. Here you can toggle the requirement on and off.
CLI
To change the requirement in the CLI, use the following syntax:
    config system settings
        set gui-advance policy [enable|disable]
    end