Policy and Objects Fortigate
The firewall policy is the axis around which most features of the FortiGate revolve. Many
firewall settings end up relating to or being associated with the firewall policies and the
traffic they govern. Any traffic going through a FortiGate has to be associated with a
policy. These policies are essentially discrete compartmentalized sets of instructions
that control the traffic flow going through the firewall. These instructions control where
the traffic goes, how it is processed, if it is processed, and whether or not it is allowed to
pass through the FortiGate.
When the firewall receives a connection packet, it analyzes the source address,
destination address, and service (by port number). It also registers the incoming
interface, the outgoing interface it needs to use, and the time of day. Using this
information, the FortiGate firewall attempts to locate a security policy that matches the
packet. If a policy matches the parameters, then the FortiGate takes the required action
for that policy. If it is Accept, the traffic is allowed to proceed to the next step. If the
action is Deny or a match cannot be found, the traffic is not allowed to proceed.
The two basic actions at the initial connection are either Accept or Deny:
If the action is Accept, the policy permits communication sessions. There may be
other packet processing instructions, such as requiring authentication to use the
policy or restrictions on the source and destination of the traffic.
If the action is Deny, the policy blocks communication sessions, and you can
optionally log the denied traffic. If no security policy matches the traffic, the packets
are dropped. An explicit Deny security policy is needed when the denied traffic, also
called violation traffic, must be logged.
One other action can be associated with the policy:
IPsec—this is an Accept action that is specifically for IPsec VPNs.
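The lookup described above (match on source address, destination address, service, incoming and outgoing interface and time of day; first matching policy wins; Accept or IPsec lets the session proceed; Deny drops and optionally logs; no match at all is an implicit drop without a log) can be modelled in a few dozen lines. The following is an added example written for this page, not FortiOS code: the Policy and Packet classes, the sample policy table, the interface names and the addresses are all constructed for illustration.

```python
"""Toy first-match firewall policy lookup modelled on the evaluation
order described in the text. Added example; not FortiOS configuration
syntax, and every name and address below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Policy:
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: str                          # CIDR prefix or ANY
    dstaddr: str                          # CIDR prefix or ANY
    service: object                       # (proto, dport) tuple or ANY
    action: str                           # "accept", "deny" or "ipsec"
    schedule: Tuple[int, int] = (0, 24)   # active hours [start, end)
    logtraffic: bool = False              # log sessions hitting this policy


@dataclass(frozen=True)
class Packet:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    proto: str
    dport: int
    hour: int


def _addr_ok(rule: str, addr: str) -> bool:
    return rule == ANY or ip_address(addr) in ip_network(rule)


def matches(policy: Policy, pkt: Packet) -> bool:
    """All parameters the text lists must match for the policy to apply."""
    return (policy.srcintf in (ANY, pkt.srcintf)
            and policy.dstintf in (ANY, pkt.dstintf)
            and _addr_ok(policy.srcaddr, pkt.src)
            and _addr_ok(policy.dstaddr, pkt.dst)
            and policy.service in (ANY, (pkt.proto, pkt.dport))
            and policy.schedule[0] <= pkt.hour < policy.schedule[1])


def lookup(policies, pkt: Packet) -> Optional[Policy]:
    """Policies are ordered; the first match wins, later ones are never seen."""
    for policy in policies:
        if matches(policy, pkt):
            return policy
    return None


def decide(policies, pkt: Packet):
    """Return (verdict, policy_id, logged). No match is an implicit, unlogged drop."""
    policy = lookup(policies, pkt)
    if policy is None:
        return "deny", None, False
    verdict = "accept" if policy.action in ("accept", "ipsec") else "deny"
    return verdict, policy.policy_id, policy.logtraffic


# Constructed sample table: LAN (port2) to WAN (port1). HTTPS always,
# SSH only during office hours, and a final logged catch-all deny so
# that violation traffic is recorded instead of silently dropped.
POLICIES = [
    Policy(1, "port2", "port1", "10.0.0.0/24", ANY, ("tcp", 443), "accept", logtraffic=True),
    Policy(2, "port2", "port1", "10.0.0.0/24", ANY, ("tcp", 22), "accept", schedule=(8, 18)),
    Policy(3, "port2", "port1", ANY, ANY, ANY, "deny", logtraffic=True),
]

if __name__ == "__main__":
    pkt = Packet("port2", "port1", "10.0.0.5", "203.0.113.10", "tcp", 22, 20)
    print(decide(POLICIES, pkt))  # SSH after hours falls through to policy 3
```

The last policy is the practical point of the "violation traffic" remark: without it, the after-hours SSH attempt is dropped by the implicit deny and leaves no log entry; with it, the drop is attributed to policy 3 and logged. The same model also shows why policy order matters: swapping policy 3 to the top would shadow both Accept rules.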
The following topics provide instructions on configuring policies:
Firewall policy parameters
Profile-based NGFW vs policy-based NGFW
NGFW policy mode application default service
Policy views and policy lookup
Policy with source NAT
Policy with destination NAT
Policy with Internet Service
NAT64 policy and DNS64 (DNS proxy)
NAT46 policy
Multicast processing and basic Multicast policy
Local-in policies
IPv4/IPv6 access control lists
Mirroring SSL traffic in policies
Inspection mode per policy
Combined IPv4 and IPv6 policy
FortiGuard DNS filter for IPv6 policies
OSPFv3 neighbor authentication
Firewall anti-replay option per policy
Enabling advanced policy options in the GUI
Recognize anycast addresses in geo-IP blocking
Authentication policy extensions
NTLM extensions
HTTP to HTTPS redirect for load balancing
GTPv2 in policies
Use active directory objects directly in policies
FortiGate Cloud / FDN communication through an explicit proxy
QoS (quality of service) is the capability to adjust quality aspects of your overall network traffic,
including techniques such as priority-based queuing and traffic policing. Because bandwidth is
finite and some types of traffic are sensitive to latency, jitter, or packet loss, bandwidth intensive, or
critical for operations, QoS is a useful tool to optimize the performance of various applications in
your network. QoS is especially important for managing voice and streaming multimedia traffic
because these types of traffic can rapidly consume bandwidth and are sensitive to latency. You
can implement QoS on FortiGate devices using the following techniques:
When determining how to configure QoS, it is helpful to know when a FortiGate uses
each technique in the overall traffic processing flow and the considerations for each
technique. After the FortiGate accepts packets, it classifies the traffic and may apply
traffic policing at additional points during traffic processing. The FortiGate may also
apply QoS techniques, such as prioritization and traffic shaping. Traffic shaping consists
of both traffic policing to enforce bandwidth limits and adjusting priority queues to help
packets achieve the guaranteed rate.
Traffic shaping accuracy is optimal for security policies that have no protection profile
applied, so that no FortiGate content inspection is performed on the traffic.
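The two halves of traffic shaping named above, policing to enforce a bandwidth limit and priority queues that let guaranteed traffic go first, are easiest to see in a small simulation. The following is an added, generic model written for this page, not FortiGate's shaper: the token-bucket policer, the strict-priority queues, the tail-drop queue limit and all rates, sizes and arrival times are constructed assumptions chosen to make the effect visible.

```python
"""Generic traffic-shaping model: a token-bucket policer (bandwidth limit)
feeding strict-priority queues. Added illustration for this page; it is not
FortiOS code and every parameter below is a constructed example value."""
from collections import deque
from typing import Dict, List, Tuple

PRIORITIES = ("high", "medium", "low")   # constructed priority classes


class TokenBucket:
    """Policer: tokens accrue at rate_bps bytes/s up to `burst` bytes; a
    packet may be forwarded only if the bucket holds at least its size."""

    def __init__(self, rate_bps: int, burst: int):
        self.rate_bps = rate_bps
        self.burst = burst
        self.tokens = burst        # start full so an initial burst is allowed
        self.last_ms = 0

    def allow(self, size: int, now_ms: int) -> bool:
        # Integer milliseconds keep the arithmetic exact for the 100 ms ticks
        # used below; sub-ms fractions are deliberately ignored.
        elapsed = now_ms - self.last_ms
        self.tokens = min(self.burst, self.tokens + self.rate_bps * elapsed // 1000)
        self.last_ms = now_ms
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def shape(packets: List[Tuple[int, str, int]], rate_bps: int, burst: int,
          max_queue: int = 8, tick_ms: int = 100, horizon_ms: int = 2000):
    """packets: (arrival_ms, priority, size_bytes). Returns (delivered, dropped):
    delivered is a list of (priority, arrival_ms, sent_ms); dropped maps each
    priority to the bytes tail-dropped because its queue was full."""
    bucket = TokenBucket(rate_bps, burst)
    queues: Dict[str, deque] = {p: deque() for p in PRIORITIES}
    dropped = {p: 0 for p in PRIORITIES}
    delivered = []
    pending = sorted(packets, key=lambda pkt: pkt[0])   # stable: keeps input order per tick

    for now in range(0, horizon_ms + 1, tick_ms):
        # Classification: each arrival joins its priority queue; a full queue tail-drops.
        while pending and pending[0][0] <= now:
            arrival, prio, size = pending.pop(0)
            if len(queues[prio]) >= max_queue:
                dropped[prio] += size
            else:
                queues[prio].append((arrival, size))
        # Scheduling: strict priority, gated by the policer. If the head of the
        # highest non-empty queue cannot be sent, nothing lower is sent either.
        while True:
            prio = next((p for p in PRIORITIES if queues[p]), None)
            if prio is None:
                break
            arrival, size = queues[prio][0]
            if not bucket.allow(size, now):
                break
            queues[prio].popleft()
            delivered.append((prio, arrival, now))
    return delivered, dropped


def max_delay_ms(delivered) -> Dict[str, int]:
    """Worst-case queuing delay seen per priority class."""
    worst = {p: 0 for p in PRIORITIES}
    for prio, arrival, sent in delivered:
        worst[prio] = max(worst[prio], sent - arrival)
    return worst


# Constructed burst: five low-priority packets arrive before five high-priority
# ones at t=0, all 100 bytes, into a 1000 B/s limit with a 300-byte burst.
SAMPLE = [(0, "low", 100)] * 5 + [(0, "high", 100)] * 5

if __name__ == "__main__":
    sent, lost = shape(SAMPLE, rate_bps=1000, burst=300)
    print(max_delay_ms(sent), lost)
```

With an 8-packet queue the high-priority packets all leave within 200 ms while the low-priority ones wait up to 700 ms, even though they arrived first: that is the reordering the priority queues provide. Shrinking the queue to two packets shows the other side of policing: three packets of each class are tail-dropped at arrival, so a bandwidth limit that is too tight for the offered load costs packets, not just latency.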