The firewall policy is the axis around which most features of the FortiGate revolve. Many firewall settings end up relating to or being associated with the firewall policies and the traffic they govern. Any traffic going through a FortiGate has to be associated with a policy. These policies are essentially discrete compartmentalized sets of instructions that control the traffic flow going through the firewall. These instructions control where the traffic goes, how it is processed, if it is processed, and whether or not it is allowed to pass through the FortiGate.
When the firewall receives a connection packet, it analyzes the source address, destination address, and service (by port number). It also registers the incoming interface, the outgoing interface it needs to use, and the time of day. Using this information, the FortiGate firewall attempts to locate a security policy that matches the packet. If a policy matches the parameters, then the FortiGate takes the required action for that policy. If it is Accept, the traffic is allowed to proceed to the next step. If the action is Deny or a match cannot be found, the traffic is not allowed to proceed.
The two basic actions at the initial connection are either Accept or Deny:
- If the action is Accept, the policy permits communication sessions. There may be other packet processing instructions, such as requiring authentication to use the policy or restrictions on the source and destination of the traffic.
- If the action is Deny, the policy blocks communication sessions, and you can optionally log the denied traffic. If no security policy matches the traffic, the packets are dropped. A Deny security policy is needed when it is required to log the denied traffic, also called violation traffic.
One other action can be associated with the policy:
- IPsec: this is an Accept action that is specifically for IPsec VPNs.
The following topics provide instructions on configuring policies:
- Firewall policy parameters
- Profile-based NGFW vs policy-based NGFW
- NGFW policy mode application default service
- Application logging in NGFW policy mode
- Policy views and policy lookup
- Policy with source NAT
- Policy with destination NAT
- Policy with Internet Service
- NAT64 policy and DNS64 (DNS proxy)
- NAT46 policy
- Local-in policies
- DoS protection
- Access control lists
- Mirroring SSL traffic in policies
- Inspection mode per policy
- OSPFv3 neighbor authentication
- Firewall anti-replay option per policy
- Enabling advanced policy options in the GUI
- Recognize anycast addresses in geo-IP blocking
- Matching GeoIP by registered and physical location
- Authentication policy extensions
- HTTP to HTTPS redirect for load balancing
- Use Active Directory objects directly in policies
- FortiGate Cloud / FDN communication through an explicit proxy
- No session timeout
- MAP-E support
- Seven-day rolling counter for policy hit counters
- Cisco Security Group Tag as policy matching criteria