FortiGate
ksolovjova
Staff
Article Id 264457

Description

 

This article describes how FortiOS performs policy matching when the intrazone setting of a zone is used to allow traffic between two or more of its member interfaces, and explains what happens when an explicit DENY policy is also configured.

 

Scope

 

Any supported version of FortiOS.

 

Solution

 

To allow intrazone traffic between two or more interfaces that are members of the same zone, run the following commands:

 

config system zone
    edit Zone_1
        set interface VLAN_1 VLAN_2
        set intrazone allow
    next
end

 

In some setups, an explicit DENY policy may also be configured. Note that deny is the default action of a firewall policy, so a policy without a set action line denies traffic:

 

config firewall policy
    edit 999
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

 

Generally speaking, a policy like this is not necessary, because there is already an implicit DENY at the end of the policy list. Whether it is used depends on the requirements of the setup (for example, logging of denied traffic).

 

Once this policy is in place, the intrazone traffic is blocked. A debug flow shows that it is denied by policy ID 999 (the explicit DENY):

 

id=20085 trace_id=21 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 10.0.1.10:13350->10.0.2.10:2048) from VLAN_1. type=8, code=0, id=13350, seq=1."
id=20085 trace_id=21 func=init_ip_session_common line=5995 msg="allocate a new session-00000017"
id=20085 trace_id=21 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw-10.0.2.10 via VLAN_2"
id=20085 trace_id=21 func=fw_forward_handler line=655 msg="Denied by forward policy check (policy 999)"

 

This happens because FortiOS treats the explicit DENY policy as a regular forward traffic policy. Policy matching proceeds in this order:

 

  1. Forward policies.
  2. Intrazone settings.
  3. Implicit deny.


Because policy ID 999 matches any source interface, destination interface, address and service, it is matched in step 1, before the intrazone settings are checked in step 2.

 

After removing the explicit DENY policy, the debug flow for the same traffic looks as follows:

 

id=20085 trace_id=30 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 10.0.1.10:36134->10.0.2.10:2048) from VLAN_1. type=8, code=0, id=36134, seq=1."
id=20085 trace_id=30 func=init_ip_session_common line=5995 msg="allocate a new session-00000020"
id=20085 trace_id=30 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw-10.0.2.10 via VLAN_2"
id=20085 trace_id=30 func=fw_forward_handler line=811 msg="Allowed by Policy-4294967295:"
id=20085 trace_id=30 func=ipd_post_route_handler line=490 msg="out VLAN_2 vwl_zone_id 0, state2 0x0, quality 0.

 

Here, the traffic is matched to policy ID 4294967295. This is the policy ID FortiOS uses internally for the intrazone allow setting of the zone containing those two interfaces: intrazone settings are themselves evaluated as policies, after all forward policies.

 

In conclusion, forward policies are checked before intrazone settings so that intrazone traffic can still be controlled by explicit policies. For example, it is possible to allow all communication between the subnets in a zone except RDP, or the reverse (allow only RDP): in both cases the respective forward policies, referencing the zone as source and destination interface, must be created, and a catch-all deny policy such as ID 999 will override the intrazone allow setting entirely.
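The following is an added example, not Fortinet code or FortiOS behaviour verified beyond what the article states: a small Python model of the three-step matching order described above (forward policies, then the zone's intrazone setting, then implicit deny). It reproduces the two debug-flow outcomes and the "allow everything in the zone except RDP" case from the conclusion. The zone and interface names are taken from the article; policy ID 10 and the use of port 3389 for RDP are constructed for illustration.

```python
from dataclasses import dataclass

INTRAZONE_POLICY_ID = 4294967295  # the ID FortiOS reports for an intrazone allow

@dataclass
class Policy:
    id: int
    srcintf: set   # interface/zone names, or {"any"}
    dstintf: set
    service: set   # destination ports, or {"ALL"}
    action: str    # "accept" or "deny"; deny is the FortiOS default

@dataclass
class Zone:
    name: str
    interfaces: set
    intrazone: str  # "allow" or "deny"

def _intf_matches(pattern, intf, zones):
    # "any" matches everything; a zone name matches its member interfaces
    if "any" in pattern or intf in pattern:
        return True
    return any(z.name in pattern and intf in z.interfaces for z in zones)

def match(policies, zones, srcintf, dstintf, dport):
    # Returns (policy_id, action) following the order the article describes.
    # 1. Forward policies, top down; first match wins (ID 999 hits here).
    for p in policies:
        if (_intf_matches(p.srcintf, srcintf, zones)
                and _intf_matches(p.dstintf, dstintf, zones)
                and ("ALL" in p.service or dport in p.service)):
            return p.id, p.action
    # 2. Intrazone setting of the zone containing both interfaces.
    for z in zones:
        if srcintf in z.interfaces and dstintf in z.interfaces:
            if z.intrazone == "allow":
                return INTRAZONE_POLICY_ID, "accept"
            break
    # 3. Implicit deny (policy ID 0).
    return 0, "deny"

ZONES = [Zone("Zone_1", {"VLAN_1", "VLAN_2"}, "allow")]  # constructed sample config
EXPLICIT_DENY = Policy(999, {"any"}, {"any"}, {"ALL"}, "deny")
BLOCK_RDP = Policy(10, {"Zone_1"}, {"Zone_1"}, {3389}, "deny")  # "all but RDP"

if __name__ == "__main__":
    print(match([EXPLICIT_DENY], ZONES, "VLAN_1", "VLAN_2", 2048))  # (999, 'deny')
    print(match([], ZONES, "VLAN_1", "VLAN_2", 2048))  # (4294967295, 'accept')
    print(match([BLOCK_RDP], ZONES, "VLAN_1", "VLAN_2", 3389))  # (10, 'deny')
    print(match([BLOCK_RDP], ZONES, "VLAN_1", "VLAN_2", 443))  # (4294967295, 'accept')
```

The first two calls correspond to the two debug flows in the article; the last two show why forward policies are evaluated first: a zone-scoped deny for one service is honoured while everything else still falls through to the intrazone allow.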
