Policy; How Policy Matching Works - Fortinet FortiGate FortiGate-60M Administration Manual

Version 2.80 mr7 antivirus firewalls

Policy

How policy matching works

192
Go to Firewall > Policy to add firewall policies to control connections and traffic
between FortiGate interfaces, zones, and VLAN subinterfaces.
The firewall matches policies by searching for a match starting at the top of the policy
list and moving down until it finds the first match. You must arrange policies in the
policy list from more specific to more general. For example, the default policy is a very
general policy because it matches all connection attempts. When you create
exceptions to that policy, you must add them to the policy list above the default policy.
No policy below the default policy will ever be matched.
This section describes:
How policy matching works
Policy list
Policy options
Advanced policy options
Configuring firewall policies
When the FortiGate unit receives a connection attempt at an interface, it selects a
policy list to search through for a policy that matches the connection attempt. The
FortiGate unit chooses the policy list based on the source and destination addresses
of the connection attempt.
The FortiGate unit then starts at the top of the selected policy list and searches down
the list for the first policy that matches the connection attempt source and destination
addresses, service port, and time and date at which the connection attempt was
received. The first policy that matches is applied to the connection attempt. If no policy
matches, the connection is dropped. So, as a general rule, always order your firewall
policies from most specific to most general.
The default policy accepts all connection attempts from the internal network to the
Internet. From the internal network, users can browse the web, use POP3 to get
email, use FTP to download files through the firewall, and so on. If the default policy is
at the top of the internal->wan1 policy list, the firewall allows all connections from the
internal network through the WAN1 interface to the Internet because all connections
match the default policy. If more specific policies are added to the list below the
default policy, they are never matched.
A policy that is an exception to the default policy, for example, a policy to block FTP
connections, must be placed above the default policy in the internal->wan1 policy list.
In this example, all FTP connection attempts from the internal network would then
match the FTP policy and be blocked. Connection attempts for all other kinds of
services would not match with the FTP policy but they would match with the default
policy. Therefore, the firewall would still accept all other connections from the internal
network.
Note: Policies that require authentication must be added to the policy list above matching
policies that do not; otherwise, the policy that does not require authentication is selected first.
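To make the first-match rule concrete, here is an added Python simulation (example code, not Fortinet's) of the lookup this section describes, using the FTP exception from the text and a check that reports policies shadowed by an earlier, more general entry. It assumes a constructed internal subnet of 192.168.1.0/24 and a constructed "proto/port" service notation; the schedule (time and date) criterion is left out.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    src_if: str     # source interface, e.g. "internal"
    dst_if: str     # destination interface, e.g. "wan1"
    src: str        # source address as a CIDR network
    dst: str        # destination address as a CIDR network
    service: str    # "ANY" or "proto/port" (constructed notation), e.g. "tcp/21"
    action: str     # "accept" or "deny"

    def matches(self, src_if, dst_if, src_ip, dst_ip, service):
        """Does this policy match one connection attempt? (schedule criterion omitted)"""
        return (self.src_if == src_if and self.dst_if == dst_if
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.service in ("ANY", service))

    def covers(self, other):
        """True if every connection `other` could match is also matched by this policy."""
        return (self.src_if == other.src_if and self.dst_if == other.dst_if
                and ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.service in ("ANY", other.service))


def first_match(policies, src_if, dst_if, src_ip, dst_ip, service):
    """Search top-down; the first matching policy wins, otherwise the connection is dropped."""
    for p in policies:
        if p.matches(src_if, dst_if, src_ip, dst_ip, service):
            return p.name, p.action
    return None, "drop"


def shadowed(policies):
    """Names of policies that can never be reached because an earlier entry covers them."""
    return [later.name for i, later in enumerate(policies)
            if any(earlier.covers(later) for earlier in policies[:i])]


# Constructed policies: the default policy and the FTP exception from the text.
DEFAULT = Policy("default", "internal", "wan1", "0.0.0.0/0", "0.0.0.0/0", "ANY", "accept")
BLOCK_FTP = Policy("block_ftp", "internal", "wan1", "192.168.1.0/24", "0.0.0.0/0", "tcp/21", "deny")
WRONG_ORDER = [DEFAULT, BLOCK_FTP]   # exception below the default: never matched
RIGHT_ORDER = [BLOCK_FTP, DEFAULT]   # exception above the default: FTP blocked, rest accepted
```

Running shadowed() over a policy list before committing it is a cheap way to catch the ordering mistake the text warns about.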
01-28007-0144-20041217
Firewall
Fortinet Inc.
