rmetzger
Staff
Article Id 190198
Description
Introduction: Firewall policies control all traffic attempting to pass through the FortiGate unit, between FortiGate interfaces, zones, and VLAN sub-interfaces.
Firewall policies are the instructions the FortiGate unit uses to decide whether to accept a connection and how to process its packets. When the firewall receives a connection packet, it analyzes the packet's source address, destination address, and service (by port number), and attempts to locate a firewall policy matching the packet.

If no Firewall Policy matches the traffic, the packets are dropped. It is therefore not required to configure a DENY Firewall Policy in the last position to block unauthorized traffic.
A Firewall Policy with action = DENY is, however, needed when the denied traffic (also called "violation traffic") must be logged.
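The two behaviours described above (silent implicit drop when nothing matches, versus a logged drop when an explicit DENY policy with logging matches) can be illustrated with a small first-match simulation. This is an added example, not Fortinet code, and it simplifies FortiOS address and service objects to a CIDR string and a "proto/port" string; the policy and packet values are constructed to mirror the article's three-policy setup.

```python
"""Added illustration (not Fortinet code): first-match policy lookup with implicit deny."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    policyid: int
    srcintf: str
    dstintf: str
    srcaddr: str        # "all" or a CIDR (simplified stand-in for a FortiOS address object)
    dstaddr: str
    service: str        # "ANY" or "proto/port", e.g. "udp/53" (simplified service object)
    action: str         # "accept" or "deny"
    logtraffic: bool = False


@dataclass
class Packet:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    proto: str
    dport: int


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "all" or ip_address(addr) in ip_network(spec)


def _service_match(spec: str, pkt: Packet) -> bool:
    if spec == "ANY":
        return True
    proto, port = spec.split("/")
    return pkt.proto == proto and pkt.dport == int(port)


def evaluate(policies, pkt: Packet, log: list):
    """Return (action, policyid) for a packet.

    Policies are checked in order and the first match wins. A log line is
    appended only when the matching policy has logtraffic enabled; a packet
    that matches nothing is dropped by the implicit deny without any log.
    """
    for p in policies:
        if (p.srcintf == pkt.srcintf and p.dstintf == pkt.dstintf
                and _addr_match(p.srcaddr, pkt.src)
                and _addr_match(p.dstaddr, pkt.dst)
                and _service_match(p.service, pkt)):
            if p.logtraffic:
                log.append(f"status={p.action} policyid={p.policyid} "
                           f"src={pkt.src} dst={pkt.dst} service={pkt.proto}/{pkt.dport}")
            return p.action, p.policyid
    return "deny", None   # implicit deny: dropped, not logged


# Constructed policy table mirroring the article: 1 = DNS, 2 = HTTP, 3 = deny-all with logging.
POLICIES = [
    Policy(1, "port2", "port1", "all", "all", "udp/53", "accept"),
    Policy(2, "port2", "port1", "all", "all", "tcp/80", "accept"),
    Policy(3, "port2", "port1", "all", "all", "ANY", "deny", logtraffic=True),
]


def demo(with_deny_policy: bool = True):
    """Run a DNS packet and an ICMP packet through the table, with or without policy 3."""
    policies = POLICIES if with_deny_policy else POLICIES[:2]
    log = []
    pkts = [
        Packet("port2", "port1", "10.160.1.10", "4.2.2.1", "udp", 53),    # constructed
        Packet("port2", "port1", "10.160.1.10", "4.2.2.1", "icmp", 0),    # constructed
    ]
    results = [evaluate(policies, p, log) for p in pkts]
    return results, log


if __name__ == "__main__":
    for flag in (True, False):
        results, log = demo(flag)
        print("with deny policy" if flag else "implicit deny only", results, log)
```

Running `demo(False)` shows the point of the article: the ICMP packet is still denied without policy 3, but nothing is written to the log, so an explicit DENY policy is only needed for visibility, not for enforcement.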

Note: Storing and viewing the log for denied traffic requires a FortiAnalyzer, a Syslog server, or a FortiGate unit with a local hard disk.

See related articles for more information about Firewall Policies.

Scope
  • All FortiOS.
  • NAT or Transparent mode.

Solution
Configuring a DENY policy

In the GUI example shown below, Firewall Policies 1 and 2 allow DNS and HTTP traffic, whereas Firewall Policy 3 matches and denies ALL other traffic and logs it.

[Screenshot: firewall policy list with policies 1 and 2 (allow DNS, HTTP) and policy 3 (deny all other traffic, logging enabled)]


CLI configuration of policy 3 (the action defaults to deny, so only logging needs to be enabled explicitly):

config firewall policy
    edit 3
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ANY"
        set logtraffic enable
    next
end



Below is an example of a Syslog message reporting violation (ICMP) traffic denied by policy 3:

Warning    10.160.0.110    date=2009-09-14 time=10:16:25 devname=FG300A3906550380 device_id=FG300A3906550380 log_id=0022000003 type=traffic subtype=violation pri=warning fwver=040000 status=deny vd="root" src=10.160.1.10 srcname=10.160.1.10 src_port=0 dst=4.2.2.1 dstname=10.2.2.1 dst_port=0 service=8/icmp proto=1 app_type=N/A duration=0 rule=3 policyid=3 sent=0 rcvd=0 vpn="N/A" src_int="port2" dst_int="port1" SN=12215 user="N/A" group="N/A" carrier_ep="N/A"
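To make use of these records on the Syslog side, the key=value body has to be split out of the syslog line and filtered on type=traffic, subtype=violation and status=deny. The parser below is an added example, not Fortinet code; the first sample line is the article's own message, the other two are constructed for contrast (an accepted DNS flow and a second denied flow). The field names follow the FortiOS 4.0 format shown in the article.

```python
"""Added example (not Fortinet code): parse FortiOS key=value syslog lines and extract violation traffic."""
import re
from collections import Counter

# Sample input. First line copied from the article; the next two are constructed.
SAMPLE_LOGS = [
    'Warning    10.160.0.110    date=2009-09-14 time=10:16:25 devname=FG300A3906550380 '
    'device_id=FG300A3906550380 log_id=0022000003 type=traffic subtype=violation pri=warning '
    'fwver=040000 status=deny vd="root" src=10.160.1.10 srcname=10.160.1.10 src_port=0 '
    'dst=4.2.2.1 dstname=10.2.2.1 dst_port=0 service=8/icmp proto=1 app_type=N/A duration=0 '
    'rule=3 policyid=3 sent=0 rcvd=0 vpn="N/A" src_int="port2" dst_int="port1" SN=12215 '
    'user="N/A" group="N/A" carrier_ep="N/A"',
    # constructed: accepted DNS flow through policy 1, must not be reported as a violation
    'Notice    10.160.0.110    date=2009-09-14 time=10:16:30 devname=FG300A3906550380 '
    'log_id=0021000001 type=traffic subtype=allowed pri=notice status=accept vd="root" '
    'src=10.160.1.20 dst=4.2.2.1 dst_port=53 service=53/udp proto=17 policyid=1 '
    'src_int="port2" dst_int="port1"',
    # constructed: a second denied flow (telnet attempt) hitting policy 3
    'Warning    10.160.0.110    date=2009-09-14 time=10:16:40 devname=FG300A3906550380 '
    'log_id=0022000003 type=traffic subtype=violation pri=warning status=deny vd="root" '
    'src=10.160.1.10 dst=4.2.2.1 dst_port=23 service=23/tcp proto=6 policyid=3 '
    'src_int="port2" dst_int="port1"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortios_log(line: str) -> dict:
    """Return the key=value fields of one line as a dict, with quotes stripped.

    Leading syslog viewer columns (severity, relay address) contain no '='
    and are ignored by the regex.
    """
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def violations(lines) -> list:
    """Keep only traffic records the FortiGate denied via an explicit DENY policy."""
    out = []
    for line in lines:
        rec = parse_fortios_log(line)
        if (rec.get("type") == "traffic" and rec.get("subtype") == "violation"
                and rec.get("status") == "deny"):
            out.append(rec)
    return out


def summarize(records) -> Counter:
    """Count denied flows per (source, service, policyid) to spot noisy sources."""
    return Counter((r["src"], r["service"], r["policyid"]) for r in records)


if __name__ == "__main__":
    denied = violations(SAMPLE_LOGS)
    for (src, svc, pid), n in summarize(denied).items():
        print(f"{src} -> {svc} denied by policy {pid}: {n}")
```

Later FortiOS releases use different field names in traffic logs (for example srcip/dstip and action=deny instead of src/dst and status=deny), so the filter in `violations()` should be adjusted to the firmware generating the logs.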

