How Policy Matching Works; Viewing The Firewall Policy List - Fortinet Fortigate-5000 series Administration Manual

How policy matching works

When the FortiGate unit receives a connection attempt at an interface, it selects a policy list to search through for a policy that matches the connection attempt. The FortiGate unit chooses the policy list based on the source and destination addresses of the connection attempt.

The FortiGate unit then starts at the top of the selected policy list and searches down the list for the first policy that matches the connection attempt's source and destination addresses, service port, and the time and date at which the connection attempt was received. The first policy that matches is applied to the connection attempt. If no policy matches, the connection is dropped. As a general rule, always order firewall policies from most specific to most general.

General policies are policies that can accept connections from multiple source and destination addresses or from address ranges. General policies can also accept connections from multiple service ports, or have schedules that allow the policy to be matched over a wide range of times and dates. If you want to add policies that are exceptions to general policies, these specific exception policies should be added to the policy list above the general policies.

For example, you may have a general policy that allows all users on your internal network to access all services on the Internet. If you want to block access to FTP servers on the Internet, you should add a policy that denies FTP connections above the general policy. The deny policy blocks FTP connections, while connection attempts for all other kinds of services do not match the FTP policy but do match the general policy. Therefore, the firewall still accepts all connections from the internal network to the Internet other than FTP connections.

Also note the following about policy matching:

Policies that require authentication must be added to the policy list above matching policies that do not; otherwise, the policy that does not require authentication is selected first.
IPSec VPN tunnel mode policies must be added to the policy list above matching accept or deny policies.
SSL VPN policies must be added to the policy list above matching accept or deny policies.
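As an added illustration (not from the manual or from Fortinet), the following Python model reproduces the top-down first-match evaluation described above with constructed policies that mirror the FTP example, and includes a small lint, shadowed(), that flags a policy an earlier policy fully covers, which is exactly the ordering mistake the rule "most specific to most general" guards against. Policy names, addresses, the port-based service model and the shadowed() helper are assumptions made here for illustration.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Policy:
    name: str
    src: str              # source network in CIDR; "0.0.0.0/0" stands for "all"
    dst: str              # destination network in CIDR
    services: frozenset   # destination ports; an empty set means ANY service
    action: str           # "accept" or "deny"
    start: time = time(0, 0)    # schedule window start (inclusive)
    end: time = time(23, 59)    # schedule window end (inclusive)

    def matches(self, src_ip, dst_ip, port, when):
        """True only if source, destination, service and schedule all match."""
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (not self.services or port in self.services)
                and self.start <= when <= self.end)

def evaluate(policies, src_ip, dst_ip, port, when):
    """Top-down first match: (action, policy name), or ("drop", None) when nothing matches."""
    for policy in policies:
        if policy.matches(src_ip, dst_ip, port, when):
            return policy.action, policy.name
    return "drop", None

def shadowed(policies):
    """Constructed lint: (policy, earlier policy) pairs where the earlier policy covers
    the later one on every field, so the later policy can never be the first match."""
    hits = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (ip_network(earlier.src).supernet_of(ip_network(later.src))
                    and ip_network(earlier.dst).supernet_of(ip_network(later.dst))
                    and (not earlier.services
                         or (later.services and later.services <= earlier.services))
                    and earlier.start <= later.start and later.end <= earlier.end):
                hits.append((later.name, earlier.name))
                break
    return hits

# Constructed policies mirroring the manual's example: a general accept for the
# internal network and a specific deny for FTP (TCP port 21).
GENERAL_ALLOW = Policy("internal-to-internet", "192.168.1.0/24", "0.0.0.0/0", frozenset(), "accept")
DENY_FTP = Policy("block-ftp", "192.168.1.0/24", "0.0.0.0/0", frozenset({21}), "deny")
CORRECT_ORDER = [DENY_FTP, GENERAL_ALLOW]  # exception sits above the general policy
WRONG_ORDER = [GENERAL_ALLOW, DENY_FTP]    # exception is shadowed and never reached
AT_10AM = time(10, 0)                      # sample time of the connection attempt
```

With WRONG_ORDER, an FTP connection from 192.168.1.10 is accepted by the general policy and shadowed() reports block-ftp as unreachable; with CORRECT_ORDER the same connection is denied while other services still match the general policy.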
If virtual domains are enabled on the FortiGate unit, firewall policies are configured separately for each virtual domain. To access policies, select a virtual domain from the main menu.

Viewing the firewall policy list

You can add, delete, edit, and re-order policies in the policy list.

To view the policy list, go to Firewall > Policy.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Policy
