
Handbook

Interface policies

6.0.0

Interface policies

Interface policies are applied before the regular firewall ("security") policies and are flow-based only. They are configured in the CLI.

This feature attaches a set of IPS policies to the interface rather than to the forwarding path, so packets are delivered to the IPS engine before they enter the firewall. It is used for the following IPS deployments:

  • One-arm IDS: by defining interface policies with IPS and DoS anomaly checks and enabling sniffer mode on the interface, the interface can be used as a one-arm IDS;
  • IPv6 IPS: IPS inspection can be enabled through an IPv6 interface policy. Only IPS signature scanning is supported in FortiOS 4.0; IPv6 DoS protection is not supported;
  • Scanning traffic destined to the FortiGate itself;
  • Scanning and logging traffic that would otherwise be silently dropped by the firewall, and flood or multicast traffic.

An IPS sensor can be assigned to an interface policy; both incoming and outgoing packets on the interface are then inspected against the sensor's signatures.

Here is an example of an interface policy as displayed by show full-configuration. Note that this particular example enables the antivirus profile but leaves the IPS sensor disabled:

# show full-configuration
config firewall interface-policy
    edit 1
        set status enable
        set comments 'test interface policy #1'
        set logtraffic utm
        set interface "port9"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set application-list-status disable
        set ips-sensor-status disable
        set dsri disable
        set av-profile-status enable
        set av-profile "default"
        set webfilter-profile-status disable
        set spamfilter-profile-status disable
        set dlp-sensor-status disable
        set scan-botnet-connections disable
    next
end

Each inspection type follows the same status/profile pairing shown for antivirus above: to actually apply an IPS sensor, set ips-sensor-status enable and set ips-sensor to the name of the sensor. With logtraffic utm, the UTM events (IPS, AV and so on) raised by the policy are logged; with logtraffic disable, hits on this interface leave no log record.
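The config format above is what a FortiGate prints for any table, so it is worth being able to parse and audit it offline. The following is an added example, not Fortinet code and not part of this handbook page: a small Python parser for the config / edit / set / next / end grammar, plus an audit that flags enabled interface policies that inspect nothing, log nothing, or sit on a sniffer-mode interface without an IPS sensor (the one-arm IDS case from the list above). The sample configuration inside the block is constructed for the example: it reuses the page's policy 1, adds a deliberately empty policy 2, and assumes an abbreviated system interface entry with ips-sniffer-mode enable for port9 (a real dump carries many more attributes per object).

```python
"""Parse and audit FortiOS `firewall interface-policy` entries (added example,
not Fortinet code). Reads `show full-configuration` text (config / edit / set /
next / end) into nested dicts and flags enabled interface policies that inspect
or log nothing. SAMPLE_CONFIG is constructed: the page's policy 1, an empty
policy 2, and an abbreviated `system interface` entry for the one-arm sniffer
case (a real dump carries many more attributes per object)."""
import shlex

SAMPLE_CONFIG = """\
config system interface
    edit "port9"
        set ips-sniffer-mode enable
    next
end
config firewall interface-policy
    edit 1
        set status enable
        set comments 'test interface policy #1'
        set logtraffic utm
        set interface "port9"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set application-list-status disable
        set ips-sensor-status disable
        set av-profile-status enable
        set av-profile "default"
        set webfilter-profile-status disable
        set spamfilter-profile-status disable
        set dlp-sensor-status disable
    next
    edit 2
        set status enable
        set logtraffic disable
        set interface "port10"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set ips-sensor-status disable
        set av-profile-status disable
    next
end
"""

# Per-policy flags that switch an inspection profile on (interface-policy keys).
INSPECTION_FLAGS = (
    "ips-sensor-status", "av-profile-status", "webfilter-profile-status",
    "application-list-status", "spamfilter-profile-status", "dlp-sensor-status",
)


def parse_fortios(text):
    """Return {table: {object_id: {key: value | [values]}}} for FortiOS CLI text."""
    root, stack = {}, []                 # stack holds the dict currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, *args = shlex.split(line)   # shlex strips the "..." / '...' quoting
        if cmd == "config":              # new table, nested under the current scope
            parent = stack[-1] if stack else root
            stack.append(parent.setdefault(" ".join(args), {}))
        elif cmd == "edit":              # new object inside the current table
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":               # single value as str, multi-value as list
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd in ("next", "end"):     # close the current object / table
            stack.pop()
        elif cmd != "unset":             # "unset" is legal but carries no value
            raise ValueError(f"unexpected CLI line: {line}")
    if stack:
        raise ValueError("unbalanced config/edit blocks")
    return root


def audit_interface_policies(cfg):
    """Return (policy_id, finding) pairs for enabled interface policies."""
    findings = []
    interfaces = cfg.get("system interface", {})
    for pid, pol in cfg.get("firewall interface-policy", {}).items():
        if pol.get("status", "enable") != "enable":   # assumes default status = enable
            continue
        if not any(pol.get(flag) == "enable" for flag in INSPECTION_FLAGS):
            findings.append((pid, "matches traffic but has no inspection profile enabled"))
        if pol.get("logtraffic") == "disable":
            findings.append((pid, "logtraffic disable: IPS/AV hits on this interface are not logged"))
        iface = pol.get("interface", "")
        sniffing = interfaces.get(iface, {}).get("ips-sniffer-mode") == "enable"
        if sniffing and pol.get("ips-sensor-status") != "enable":
            findings.append((pid, f"{iface} is in IPS sniffer mode but the policy applies no IPS sensor"))
    return findings


if __name__ == "__main__":
    for pid, msg in audit_interface_policies(parse_fortios(SAMPLE_CONFIG)):
        print(f"interface-policy {pid}: {msg}")
```

Run against a saved `show full-configuration` dump instead of SAMPLE_CONFIG to audit a real unit; because full-configuration output prints every attribute explicitly, the checks on logtraffic and the status flags do not depend on knowing the device defaults. The parser keeps nested tables (a config block inside an edit) as sub-dicts, so the same routine can walk DoS policies or other tables if the audit is extended.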
