4. Fortinet Getting Started v6.0. Firewall policies

Greetings! Welcome to the fourth lesson of Fortinet Getting Started. In the last lesson we built the lab topology for the upcoming practical work. It is time to use it! In this lesson we will look at the basics of firewall policies, which control access between network segments. Below the cut is a brief summary of the theory from the video, as well as the video lesson itself.

Firewall policies are a set of criteria against which packets arriving at the firewall are checked. It is worth noting here that FortiGate is a stateful firewall, i.e. a firewall that keeps track of sessions. This means that if the first packet of a session was allowed by a firewall policy, the remaining packets of that session are no longer checked against the policies: the session is recorded in the session table and allowed. The only checks still applied to the rest of the session are content inspections (security profiles), but more on that later.

An important note: traffic is checked against the policies strictly from top to bottom, and the first policy whose criteria all match is the one used. If a packet matches all the criteria of a policy, the action specified in that policy (accept or deny) is applied to the traffic and no further policies are evaluated. If the traffic matches none of the policies, the Implicit Deny policy at the bottom of the list applies and the traffic is dropped. A consequence of first-match evaluation is that a broad policy placed above a more specific one shadows it: the specific policy is never reached.
Let's briefly go over the policy criteria.
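The same ordering and session behaviour expressed in the FortiOS CLI, as an added example that is not part of the lesson or of Fortinet's documentation. The lab layout is assumed: port2 is the LAN (10.0.1.0/24), port1 faces the Internet, and the policy IDs, object names and the host 10.0.1.10 are illustrative. Lines starting with # are explanatory comments, not commands. Policy 2 (deny TELNET) is created below policy 1 (accept ALL) and is therefore shadowed until it is moved above it with `move`:

```fortios
# Added example (not from the original lesson). Assumed: port2 = LAN 10.0.1.0/24, port1 = WAN.
config firewall address
    edit "LAN_subnet"
        set subnet 10.0.1.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set name "LAN_to_Internet_all"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "Block_LAN_telnet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_subnet"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "TELNET"
        set logtraffic all
    next
    # As created, policy 2 sits below policy 1 and never matches (policy 1 already
    # accepts ALL services). Move the specific deny above the broad accept:
    move 2 before 1
    # Log what the Implicit Deny policy (ID 0) drops, so silent drops become visible:
    edit 0
        set logtraffic all
    next
end

# Check which policy a flow actually hits. Trace the first packets of a new session
# from the assumed test host 10.0.1.10:
diagnose debug flow filter addr 10.0.1.10
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# The first packet prints "Allowed by Policy-1:" (or "Denied by forward policy check");
# later packets of the same session print "Find an existing session, id-..." and skip
# the policy lookup entirely, which is the stateful behaviour described above.
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear

# The session table records the policy that admitted each session (policy_id=...):
diagnose sys session filter src 10.0.1.10
diagnose sys session list
```

Two practical notes: re-ordering policies does not terminate sessions that were already admitted, so a session allowed before `move 2 before 1` keeps flowing until it expires or is cleared; and the `diagnose debug flow` filter should be narrowed to a host or port as shown, because an unfiltered trace on a busy firewall produces a flood of output.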

The first three criteria are the incoming interface, the outgoing interface and the source. The incoming and outgoing interface can each be a single interface or several. However, by default, selecting multiple interfaces in a policy is disabled in the GUI; the video tutorial shows how to enable this option. A special case of multiple interfaces is the any interface, which matches all interfaces. You can also use a preconfigured zone, a logical group of interfaces, in place of individual interfaces.
A large number of object types can be used as the source; they are shown on a slide in the video. But there are certain rules:
At least one of the following must be specified as the source: an IP address or range of IP addresses, a subnet, an FQDN, a geographical location, or an object from the Internet Service Database. Optionally, you can narrow the policy further by selecting a user, a user group or a specific device. Users and user groups can be either local or remote; working with remote authentication servers will be covered later in the course. Unfortunately, we will not cover working with individual devices, as that material is beyond the scope of the course.

Like the source criterion, the destination criterion can use the following objects: an IP address or range of addresses, subnets, an FQDN, a geographical location, or objects from the Internet Service Database.
If you use an FQDN, make sure FortiGate can reach its DNS servers and resolve the name correctly, because FortiGate uses DNS queries to learn the IP addresses that the FQDN object covers; an FQDN that does not resolve cannot match any traffic.
A Geography object represents the groups or ranges of IP addresses allocated to a specific country. These objects are updated automatically through FortiGuard.
It is also worth saying a few words about the Internet Service Database. It contains the IP addresses, protocols and port numbers of popular Internet services such as Amazon, Dropbox, Facebook and so on. This data is also updated automatically through FortiGuard.
The service criterion defines the transport protocol (TCP, UDP and so on) and the port numbers. You can use the predefined services; if necessary, you can also create your own.
The last criterion is the schedule. Schedules come in two types: recurring and one-time. In a recurring schedule you choose the required days of the week and the time window; a policy bound to such a schedule checks the date and time at which the packet arrives. The second type is a one-time schedule, where you set a specific date and time period (for example, employees need remote access on a particular day at a particular time for a one-off job).
We have now looked at all the criteria of firewall policies. As mentioned, if a network packet matches all the criteria of a policy, the action specified in that policy is applied to the traffic.
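The criteria above, configured as objects and bound to policies in the FortiOS CLI, as an added example that is not part of the lesson or of Fortinet's documentation. Assumptions: port2 and port3 are LAN segments, port1 faces the Internet, and all object names, addresses, the host name updates.example.com, the country code, the port 8443 and the maintenance dates are illustrative. Internet Service Database objects and user or group matching are not shown, since the lesson defers them. Lines starting with # are comments, not commands:

```fortios
# Added example (not from the original lesson). Assumed: port2/port3 = LAN segments, port1 = WAN.
# Allow several incoming/outgoing interfaces per policy to be selected in the GUI
# (the CLI accepts multiple interfaces regardless of this setting):
config system settings
    set gui-multiple-interface-policy enable
end

# Source/destination objects: IP range, FQDN and geography.
config firewall address
    edit "Mgmt_range"
        set type iprange
        set start-ip 10.0.1.50
        set end-ip 10.0.1.60
    next
    edit "updates.example.com"
        set type fqdn
        set fqdn "updates.example.com"
    next
    edit "Geo_DE"
        set type geography
        set country "DE"
    next
end

# Custom service: TCP port 8443 (predefined services such as HTTPS and SSH already exist).
config firewall service custom
    edit "TCP_8443"
        set tcp-portrange 8443
    next
end

# Recurring schedule: weekdays, 08:00-18:00.
config firewall schedule recurring
    edit "Work_hours"
        set day monday tuesday wednesday thursday friday
        set start 08:00
        set end 18:00
    next
end

# One-time schedule: a single maintenance window (format HH:MM YYYY/MM/DD).
config firewall schedule onetime
    edit "Maintenance_2019-06-15"
        set start 22:00 2019/06/15
        set end 04:00 2019/06/16
    next
end

config firewall policy
    # Two incoming interfaces, an IP-range source, an FQDN destination, a custom service
    # and a recurring schedule.
    edit 10
        set name "Mgmt_to_updates"
        set srcintf "port2" "port3"
        set dstintf "port1"
        set srcaddr "Mgmt_range"
        set dstaddr "updates.example.com"
        set action accept
        set schedule "Work_hours"
        set service "HTTPS" "TCP_8443"
        set logtraffic all
    next
    # Geography destination and a one-time schedule: SSH to German addresses only
    # during the maintenance window; outside it the policy does not match.
    edit 11
        set name "Maintenance_SSH_DE"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "Mgmt_range"
        set dstaddr "Geo_DE"
        set action accept
        set schedule "Maintenance_2019-06-15"
        set service "SSH"
        set logtraffic all
    next
end

# Checks: the FQDN object must actually resolve, and the geography database must be current.
diagnose firewall fqdn list
diagnose autoupdate versions
```

`diagnose firewall fqdn list` shows the IP addresses FortiGate currently holds for each FQDN object; an empty entry means DNS resolution failed and the policy referencing that object matches nothing. `diagnose autoupdate versions` lists the installed FortiGuard packages, including the IP geography database used by the Geo_DE object.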

The rest is a matter of practice. The theory above and the practical part are discussed in more detail in the video tutorial:

In the next lesson we will practice using NAT, both to give users access to the Internet and to publish internal services. So as not to miss it, follow the updates on the following channels:

Youtube
Vkontakte community
Yandex Zen
Our website
Telegram channel
