Support Forum
Fullmoon
Contributor III

firewall policy creation

Trying my best to adopt how FortiGate works in my network, most especially in firewall policy. This question boggles me: in which section of Life of a Packet could it explain why we need to create a reverse policy if traffic is originated from LAN to another local network and vice-versa? Whereas LAN-External traffic doesn't require a reverse rule to send back the reply from the original sender.

 

Could anyone point me in the right direction? Thank you.

Fortigate Newbie
emnoc
Esteemed Contributor III

What do you mean by reverse-policy? Traffic is stateful and the firewall maintains "state" (tcp.ack.seq.src/dst-port ...). I have never created a reverse-policy, btw.

 

Maybe if you were running asymmetrical, which is not good and defeats the purpose of a stateful FW.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  
sw2090
Honored Contributor

You need a reverse rule/policy only if you have native traffic coming in this direction.

 

To simplify:

 

If you just want to reach a PC in the other subnet, you need a forward policy from your net to the other one but no reverse rule/policy. That would be native traffic from you to there. This includes answers to your packets.

 

If the PC in the other net should be able to contact you itself, you need a reverse rule too, since that would be native traffic from there to you.

 

Additionally, if you enabled NAT in your policy, you also don't need a reverse rule/policy at all, since NAT does that for you already ;)

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
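As an added illustration of the stateful behaviour the replies describe (this is not code from the thread or from Fortinet), a toy Python policy engine with constructed interface names and subnets: the first packet of a LAN-to-DMZ flow matches the forward policy and creates a session, the DMZ host's reply is accepted from the session table even though no reverse policy exists, and a new connection started from the DMZ side is dropped until a policy for that direction is added.

```python
# Added example (not from the thread): a toy stateful policy engine showing
# why reply traffic needs no reverse policy. All names/addresses are constructed.
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Policy:
    srcintf: str
    dstintf: str
    srcaddr: str  # CIDR
    dstaddr: str  # CIDR

class StatefulFirewall:
    def __init__(self, policies):
        self.policies = policies
        self.sessions = set()  # accepted flows as (src, sport, dst, dport)

    def _policy_match(self, srcintf, dstintf, src, dst):
        for p in self.policies:
            if (p.srcintf == srcintf and p.dstintf == dstintf
                    and ipaddress.ip_address(src) in ipaddress.ip_network(p.srcaddr)
                    and ipaddress.ip_address(dst) in ipaddress.ip_network(p.dstaddr)):
                return True
        return False

    def handle(self, srcintf, dstintf, src, sport, dst, dport, syn):
        """Return 'accept' or 'drop' for one packet; syn marks a new connection."""
        key = (src, sport, dst, dport)
        # Existing session (either direction): accepted without a policy lookup.
        if key in self.sessions or (dst, dport, src, sport) in self.sessions:
            return "accept"
        if not syn:
            return "drop"  # mid-stream packet with no session: nothing to reply to
        # First packet of a new flow: policy lookup in the originating direction only.
        if self._policy_match(srcintf, dstintf, src, dst):
            self.sessions.add(key)
            return "accept"
        return "drop"

def demo():
    fw = StatefulFirewall([Policy("lan", "dmz", "10.1.0.0/24", "10.2.0.0/24")])
    # LAN host opens a connection to the DMZ: matches the forward policy.
    r1 = fw.handle("lan", "dmz", "10.1.0.5", 40000, "10.2.0.8", 443, syn=True)
    # DMZ host replies: no dmz->lan policy, but the existing session matches.
    r2 = fw.handle("dmz", "lan", "10.2.0.8", 443, "10.1.0.5", 40000, syn=False)
    # DMZ host starts its own connection to the LAN: needs a dmz->lan policy.
    r3 = fw.handle("dmz", "lan", "10.2.0.8", 50000, "10.1.0.5", 22, syn=True)
    return r1, r2, r3  # ("accept", "accept", "drop")
```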