Description

Introduction: Firewall policies control all traffic attempting to pass through the FortiGate unit, between FortiGate interfaces, zones, and VLAN sub-interfaces.
Firewall policies are instructions the FortiGate unit uses to decide connection acceptance and packet processing for traffic attempting to pass through. When the firewall receives a connection packet, it analyzes the packet’s source address, destination address, and service (by port number), and attempts to locate a firewall policy matching the packet.
If no firewall policy matches the traffic, the packets are dropped. Therefore it is not required to configure a DENY firewall policy in the last position to block unauthorized traffic. A firewall policy with action = DENY is however needed when the denied traffic, also called "violation traffic", must be logged.
Note: Storing and viewing the log for denied traffic requires a FortiAnalyzer, a Syslog server, or a FortiGate unit with a local hard disk.
See related articles for more information about Firewall Policies.
Scope
- All FortiOS.
- NAT or Transparent mode.
Solution

Configuring a DENY policy

In the example illustrated below from the GUI, Firewall Policies 1 and 2 allow DNS and HTTP traffic, whereas Firewall Policy 3 matches and denies all other traffic and logs it.
CLI configuration of policy 3 (no "set action" is needed, because deny is the default action of a new policy):

config firewall policy
    edit 3
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ANY"
        set logtraffic enable
    next
end
Below is an example of a Syslog message reporting violation (ICMP) traffic:

Warning 10.160.0.110 date=2009-09-14 time=10:16:25
devname=FG300A3906550380 device_id=FG300A3906550380 log_id=0022000003
type=traffic subtype=violation pri=warning fwver=040000 status=deny
vd="root" src=10.160.1.10 srcname=10.160.1.10 src_port=0 dst=4.2.2.1
dstname=10.2.2.1 dst_port=0 service=8/icmp proto=1 app_type=N/A
duration=0 rule=3 policyid=3 sent=0 rcvd=0 vpn="N/A" src_int="port2"
dst_int="port1" SN=12215 user="N/A" group="N/A" carrier_ep="N/A"
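As an added example (not part of the original article), the following Python parses the key=value traffic log format shown above and picks out the entries produced by the logging DENY policy described in the Solution, counting them per policy, source and service. The log lines are constructed to mimic the article's message; the subtype=allowed / status=accept fields used for the accepted entry are assumptions.

```python
import re
from collections import Counter

# FortiGate traffic logs are space-separated key=value pairs; values may be
# double-quoted (vd="root", src_int="port2"). The regex captures either form.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample lines modelled on the message format shown in the article
# (not captured from a real device). Policy 3 is the logging DENY policy.
SAMPLE_LOGS = [
    'date=2009-09-14 time=10:16:25 type=traffic subtype=violation pri=warning '
    'status=deny vd="root" src=10.160.1.10 dst=4.2.2.1 service=8/icmp proto=1 '
    'policyid=3 src_int="port2" dst_int="port1"',
    'date=2009-09-14 time=10:16:26 type=traffic subtype=allowed pri=notice '
    'status=accept vd="root" src=10.160.1.10 dst=4.2.2.1 dst_port=53 service=DNS '
    'proto=17 policyid=1 src_int="port2" dst_int="port1"',
    'date=2009-09-14 time=10:16:27 type=traffic subtype=violation pri=warning '
    'status=deny vd="root" src=10.160.1.20 dst=10.2.2.1 dst_port=23 service=TELNET '
    'proto=6 policyid=3 src_int="port2" dst_int="port1"',
    'date=2009-09-14 time=10:16:28 type=traffic subtype=violation pri=warning '
    'status=deny vd="root" src=10.160.1.10 dst=4.2.2.1 service=8/icmp proto=1 '
    'policyid=3 src_int="port2" dst_int="port1"',
]

def parse_fortigate_log(line: str) -> dict:
    """Split one log line into a dict; quotes around values are removed.
    A syslog prefix such as 'Warning 10.160.0.110' has no '=' and is ignored."""
    return {key: value.strip('"') for key, value in _KV.findall(line)}

def is_violation(fields: dict) -> bool:
    """True when the entry was produced by a DENY policy with logtraffic enabled."""
    return (fields.get("type") == "traffic"
            and fields.get("subtype") == "violation"
            and fields.get("status") == "deny")

def summarize_violations(lines) -> Counter:
    """Count denied connections per (policyid, src, service) so that the
    sources hitting the catch-all DENY policy stand out."""
    counts = Counter()
    for line in lines:
        fields = parse_fortigate_log(line)
        if is_violation(fields):
            counts[(fields.get("policyid"), fields.get("src"), fields.get("service"))] += 1
    return counts

if __name__ == "__main__":
    for (policy, src, service), n in summarize_violations(SAMPLE_LOGS).most_common():
        print(f"policy {policy}: {src} -> {service}: {n} denied")
```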