Fortinet Document Library

Cookbook 6.2.0
Firewall policy parameters

For traffic to flow through the FortiGate firewall, there must be a policy that matches its parameters:

  • Incoming interface(s)
  • Outgoing interface(s)
  • Source address(es)
  • User(s) identity
  • Destination address(es)
  • Internet service(s)
  • Schedule
  • Service

Without all six (possibly eight) of these parameters matching, the traffic is declined.

Traffic flow initiated from each direction requires a policy; that is, if sessions can be initiated from both directions, each direction requires its own policy.

Just because packets can go from point A to point B on port X does not mean that traffic can flow from point B to point A on port X. A policy must be configured for each direction.

When designing a policy, there is often reference to the traffic flow, but most communication is two-way, so trying to determine the direction of the flow can be confusing. For HTTP web traffic, the user sends a request to the website, yet most of the data flows back from the website to the user, so is the direction user-to-website, website-to-user, or both? For the purposes of determining the direction for a policy, the important factor is the direction of the initiating communication. The user sends the request to the website, so that is the initial communication; the website is only responding, so the policy direction is from the user's network to the Internet.
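The following is an added example, not FortiOS code or Fortinet's documentation: a small Python model of how the parameters above are evaluated. Every policy parameter must match the initiating packet, the first matching policy wins, and an unmatched packet falls to an implicit deny. A session table stands in for the stateful behaviour that lets the website's reply through without its own policy, which is why only the initiating direction needs one. The interface names, address objects, hosts and hours are constructed values for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """One packet as the firewall sees it; hour is used by the schedule check."""
    in_intf: str
    out_intf: str
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    hour: int


@dataclass(frozen=True)
class Policy:
    policy_id: int
    srcintf: frozenset      # incoming interface(s)
    dstintf: frozenset      # outgoing interface(s)
    srcaddr: tuple          # CIDR strings; the constructed object "all" matches anything
    dstaddr: tuple
    service: frozenset      # (proto, dst_port) pairs; ("ALL", 0) matches any service
    schedule: tuple         # (first_hour, last_hour) inclusive; (0, 23) plays the role of "always"
    action: str             # "accept" or "deny"

    def matches(self, pkt: Packet) -> bool:
        """All parameters must match; a single mismatch means this policy does not apply."""
        return (pkt.in_intf in self.srcintf
                and pkt.out_intf in self.dstintf
                and addr_match(self.srcaddr, pkt.src_ip)
                and addr_match(self.dstaddr, pkt.dst_ip)
                and (("ALL", 0) in self.service or (pkt.proto, pkt.dst_port) in self.service)
                and self.schedule[0] <= pkt.hour <= self.schedule[1])


def addr_match(objects, ip: str) -> bool:
    return "all" in objects or any(ip_address(ip) in ip_network(o) for o in objects)


class Firewall:
    def __init__(self, policies):
        self.policies = list(policies)   # ordered table: first match wins
        self.sessions = set()            # accepted 5-tuples (proto, src, sport, dst, dport)

    def process(self, pkt: Packet):
        """Return (action, policy_id). Packets belonging to an accepted session pass via
        the session table; only the initiating packet is matched against the policies."""
        fwd = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if fwd in self.sessions or rev in self.sessions:
            return "accept", "session"
        for p in self.policies:
            if p.matches(pkt):
                if p.action == "accept":
                    self.sessions.add(fwd)
                return p.action, p.policy_id
        return "deny", 0   # implicit deny: nothing matched


# Constructed policies: LAN users out to the Internet on web ports, and Internet
# in to one DMZ server on HTTPS during business hours only.
LAN_TO_WAN = Policy(1, frozenset({"lan"}), frozenset({"wan1"}), ("10.0.0.0/24",), ("all",),
                    frozenset({("tcp", 80), ("tcp", 443)}), (0, 23), "accept")
WAN_TO_DMZ = Policy(2, frozenset({"wan1"}), frozenset({"dmz"}), ("all",), ("192.0.2.10/32",),
                    frozenset({("tcp", 443)}), (8, 17), "accept")


def demo():
    fw = Firewall([LAN_TO_WAN, WAN_TO_DMZ])
    r = {}
    # User initiates HTTPS to a website: the initiating direction matches policy 1.
    r["user_request"] = fw.process(Packet("lan", "wan1", "10.0.0.5", "203.0.113.10", "tcp", 51000, 443, 10))
    # The website's reply is the same session, so no wan1->lan policy is needed for it.
    r["website_reply"] = fw.process(Packet("wan1", "lan", "203.0.113.10", "10.0.0.5", "tcp", 443, 51000, 10))
    # Same hosts and interfaces but SSH: the service parameter fails, so implicit deny.
    r["user_ssh"] = fw.process(Packet("lan", "wan1", "10.0.0.5", "203.0.113.10", "tcp", 51001, 22, 10))
    # A new session initiated from the Internet toward the LAN host: B->A needs its own policy.
    r["internet_initiated"] = fw.process(Packet("wan1", "lan", "203.0.113.10", "10.0.0.5", "tcp", 40000, 80, 10))
    # Inbound HTTPS to the DMZ server inside the schedule window, then outside it.
    r["dmz_in_hours"] = fw.process(Packet("wan1", "dmz", "198.51.100.7", "192.0.2.10", "tcp", 40001, 443, 9))
    r["dmz_after_hours"] = fw.process(Packet("wan1", "dmz", "198.51.100.7", "192.0.2.10", "tcp", 40002, 443, 22))
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} -> {verdict}")
```

The model deliberately evaluates all parameters with `and`, so changing any one of them (interface, address, service or schedule) on an otherwise identical packet drops it to the implicit deny, which is the behaviour the list above describes.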