
Policies and Objects (FortiGate)

The firewall policy is the axis around which most features of the FortiGate revolve. Many firewall settings end up relating to or being associated with the firewall policies and the traffic they govern. Any traffic going through a FortiGate has to be associated with a policy. These policies are essentially discrete, compartmentalized sets of instructions that control the traffic flow going through the firewall. These instructions control where the traffic goes, how it is processed, whether it is processed at all, and whether or not it is allowed to pass through the FortiGate.

When the firewall receives the first packet of a connection, it analyzes the source address, destination address, and service (by port number). It also registers the incoming interface, the outgoing interface it needs to use, and the time of day. Using this information, the FortiGate attempts to locate a security policy that matches the packet. If a policy matches the parameters, the FortiGate takes the action required by that policy. If the action is Accept, the traffic is allowed to proceed to the next step. If the action is Deny, or no matching policy can be found, the traffic is not allowed to proceed.
The two basic actions at the initial connection are Accept and Deny:

• If the action is Accept, the policy permits communication sessions. There may be other packet processing instructions, such as requiring authentication to use the policy, or restrictions on the source and destination of the traffic.

• If the action is Deny, the policy blocks communication sessions, and you can optionally log the denied traffic. If no security policy matches the traffic, the packets are dropped. Because that implicit drop is not logged, an explicit Deny policy is needed whenever the denied traffic (also called violation traffic) must be logged.

One other action can be associated with the policy:

• IPsec: an Accept action that is specifically for IPsec VPNs.
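The lookup described above, as an added simulation (not FortiGate code and not from the original page): an ordered policy table is walked top-down, the first policy whose interfaces, addresses, service and schedule all match wins, and a packet that matches nothing falls through to an unlogged implicit deny. Policy names, interface names and addresses are constructed for the example; the schedule is simplified to a daily time window.

```python
from collections import namedtuple
from datetime import time
from ipaddress import ip_address, ip_network

# One row of the ordered policy table: interface pair, address objects (CIDR or
# "all"), service as (proto, port) or ("any", 0), action, schedule window, log flag.
Policy = namedtuple("Policy", "name srcintf dstintf srcaddr dstaddr service action start end log",
                    defaults=(time(0, 0), time(23, 59), False))
# The fields the firewall examines on the connection's first packet.
Packet = namedtuple("Packet", "srcintf dstintf src dst proto port at")

def _addr_ok(rule, addr):
    return rule == "all" or ip_address(addr) in ip_network(rule, strict=False)

def _svc_ok(rule, proto, port):
    return rule[0] == "any" or rule == (proto, port)

def matches(p, pkt):
    """Every criterion must hold: interfaces, addresses, service and time of day."""
    return (p.srcintf == pkt.srcintf and p.dstintf == pkt.dstintf
            and _addr_ok(p.srcaddr, pkt.src) and _addr_ok(p.dstaddr, pkt.dst)
            and _svc_ok(p.service, pkt.proto, pkt.port)
            and p.start <= pkt.at <= p.end)

def lookup(policies, pkt):
    """Top-down, first match wins. No match falls through to the implicit deny,
    which drops the packet without logging it."""
    for p in policies:
        if matches(p, pkt):
            return p.name, p.action, p.log
    return "implicit-deny", "deny", False

# Constructed policy table: business-hours HTTPS out, then a logged catch-all
# deny so that violation traffic on this interface pair is recorded.
POLICIES = [
    Policy("lan-to-wan-https", "port2", "port1", "10.0.0.0/24", "all",
           ("tcp", 443), "accept", time(8, 0), time(18, 0)),
    Policy("lan-to-wan-deny-log", "port2", "port1", "all", "all",
           ("any", 0), "deny", log=True),
]

if __name__ == "__main__":
    for pkt in (
        Packet("port2", "port1", "10.0.0.5", "203.0.113.10", "tcp", 443, time(9, 30)),
        Packet("port2", "port1", "10.0.0.5", "203.0.113.10", "tcp", 443, time(22, 0)),
        Packet("port3", "port1", "192.0.2.7", "203.0.113.10", "udp", 53, time(9, 30)),
    ):
        print(pkt.src, pkt.proto, pkt.port, pkt.at, "->", lookup(POLICIES, pkt))
```

The third packet shows why the explicit deny matters: traffic from an interface pair with no policy at all is dropped silently by the implicit deny, so only the second packet produces a log entry.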
The following topics provide instructions on configuring policies:

• Firewall policy parameters
• Profile-based NGFW vs policy-based NGFW
• NGFW policy mode application default service
• Policy views and policy lookup
• Policy with source NAT
• Policy with destination NAT
• Policy with Internet Service
• NAT64 policy and DNS64 (DNS proxy)
• NAT46 policy
• Multicast processing and basic Multicast policy
• Local-in policies
• IPv4/IPv6 access control lists
• Mirroring SSL traffic in policies
• Inspection mode per policy
• Combined IPv4 and IPv6 policy
• FortiGuard DNS filter for IPv6 policies
• OSPFv3 neighbor authentication
• Firewall anti-replay option per policy
• Enabling advanced policy options in the GUI
• Recognize anycast addresses in geo-IP blocking
• Authentication policy extensions
• NTLM extensions
• HTTP to HTTPS redirect for load balancing
• GTPv2 in policies
• Use Active Directory objects directly in policies
• FortiGate Cloud / FDN communication through an explicit proxy

The following topics provide information about objects:

• Address group exclusions
• MAC address-based policies
• Dynamic policy — fabric devices
• FSSO dynamic address subtype
• ClearPass integration for dynamic address objects
• Using wildcard FQDN addresses in firewall policies

QoS (quality of service) is the capability to adjust quality aspects of your overall network traffic, including techniques such as priority-based queuing and traffic policing. Because bandwidth is finite and some types of traffic are slow, sensitive to jitter or packet loss, bandwidth intensive, or critical for operations, QoS is a useful tool for optimizing the performance of various applications in your network. QoS is especially important for managing voice and streaming multimedia traffic, because these types of traffic can rapidly consume bandwidth and are sensitive to latency. You can implement QoS on FortiGate devices using the following techniques:

When determining how to configure QoS, it is helpful to know when a FortiGate uses each technique in the overall traffic processing flow and the considerations for each technique. After the FortiGate accepts packets, it classifies the traffic and may apply traffic policing at additional points during traffic processing. The FortiGate may also apply QoS techniques such as prioritization and traffic shaping. Traffic shaping consists of both traffic policing, to enforce bandwidth limits, and adjusting priority queues, to help packets achieve the guaranteed rate.

Traffic shaping accuracy is optimal for security policies without a protection profile, where no FortiGate content inspection is performed.
