- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Access list versus Next-Gen firewall?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Access list versus Next-Gen firewall?
Hi all
We soon will start with Fortinet NGFW devices in our company. We have an internal discussions about how to protect the inside -> out traffic which pass this new Fortinet. Until now, we had a Cisco device with "ip inspect" or "ZBFW" enabled. But this was not a NGFW with addtional security features, therefore we had an access list on the inside interface which just allowed the well-known traffic to the Internet. And in general, this was the source address of the proxy server plus several applications which needed a direct access.
Now it comes to the question, do we still need this ACL on the inside interface? There are NGFW features now which protects and controls the traffic. And is an ACL still the correct way as this "only" goes on destination IP addresses/Ports and not on applications? Is it worth to do this additional work to have another security layer from inside -> out?
I am wondering how other companies handles this topic, if it is good enough to have the NGFW in place or if any other features are in place.
I really appreciate your feedback. Thanks a lot!
Markus
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The firewall will only allow the traffic that you allow in the policy rules and will conduct the inspections based on what you tell it to inspect ( URL AV AS etc....)
BTW: You are confusing the two due to a cisco VBFW is not a layer7 aware security function
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure I've fully wrapped my head around your old setup, but I definitely see no reason for that additional layer with a FortiGate. We actually do use very restrictive firewall policies for outbound traffic to only allow the well-known traffic you're talking about. Basically in my experience if there's a design you want to achieve, the FortiGate is capable of doing it...it just might take some learning how it works.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The firewall will only allow the traffic that you allow in the policy rules and will conduct the inspections based on what you tell it to inspect ( URL AV AS etc....)
BTW: You are confusing the two due to a cisco VBFW is not a layer7 aware security function
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Lobstercreed and Kevin
Thank you for your inputs here. Indeed, there is this new inspection we will have with Fortigate, our current setup with the Cisco ISR routers is not L7 aware, it is only up to layer 4. And because we then have the Fortigate as a NGFW I would assume a further restriction to destination IP address/ports is no longer needed.
So did I got it right from your statement that you support a setup where the NGFW features are enabled in the Fortigate and no additional restrictions on the inside -> out path based on destination IP addresses and ports are needed?
Thank you
Markus
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear all
I just want to ask again here if other Fortinet customers have the same experience? So that there are no longer inside->out access lists which are continuously updated to have this additional security in place? And only "relies" on the NGFW features provided by the Fortigate appliance?
Thank you
Markus
Related Posts
- AWS Fortigate WAN IP 226 Views
- [ABUSE] By: SMGK74 / Board: fortinet-discussion... 1254 Views
- How do the VIP address are... 2212 Views
- How do the VIP address are... 1015 Views
- Fortinet Nextgen Firewall implementation in AWS 1072 Views
Labels
-
FortiGate
6,459 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
High Availability
21 -
FortiConverter
21 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.