Friday, August 8, 2014

Fortigate firewall policy matching order

A firewall policy on a fortigate is match in the follow order;


source and destination interfaces
source and destination address
service 
schedule
and finally we execute the action


Basically the same way you see the policy in the WebGUI display or CLI is the matching order.

Also multiple policies are are matched top to bottom & till one of 2 things happen;

1> it's match and the corresponding action  take place ( drop/accept/encrypt/etc.... ) and any security profiles are applied or traffic shapers


or

2> it's not matched and drop

Always place most specific 1st and more broader policies last . I always try to  get in a habit of placing vpn policies above everybody else.

Here's a typically policy with  #s indicating the matching order. I left  out the user identity stuff.



or  via cli


Keep the following in mind when troubleshooting fwpolicies;


1: RPF checks if applied comes 1st

2: next any  route lookup/decisions comes next ( can't do anything till we know where the packet is destination )

3: diag debug flow is your friend  ( learn how to use it )
http://socpuppet.blogspot.com/2013/03/flow-diagnostic-fortigate.html

4: the policy must be active in order for it to work ( will duh, but easily missed )

5:  the ordering of the policies are very crucial

6: the traffic has to reach the firewall in order to be process ( will again a big duh, but if you have no sessions no drops in the logs  if logging is enable, than you can assume the packet never made it  to you )


The diag sniffer packet command is your next best friend


I hope this post comes in handy for flow diagnostics.

Ken Felix
Security and Network  Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(   -   - )=
         o
      /     \

1 comment:

  1. Your post is so good.I am glad to visit your post.Thanks for sharing.
    Crack Software Download

    ReplyDelete