General Policy Question

Author
polarpanda
Bronze Member
  • Total Posts : 21
  • Scores: 0
  • Reward points: 0
  • Status: offline
2020/01/13 09:49:30 (permalink)
0

General Policy Question

Hi there,
 
I'm trying to learn the policy setup of the FortiGate product. Can anyone tell me why I need a specific policy for allowing traffic? I saw that some allow policies in my current environment have specific source and destination IP addresses (assuming all settings are the same except source and destination). Why can't an allow policy from "all" sources to "all" destinations take care of the traffic? Thank you.
post edited by polarpanda - 2020/01/13 10:22:36
#1

8 Replies

    neonbit
    Expert Member
    • Total Posts : 559
    • Scores: 72
    • Reward points: 0
    • Joined: 2013/07/02 21:39:52
    • Location: Dark side of the moon
    • Status: offline
    Re: General Policy Question 2020/01/13 11:15:48 (permalink)
    0
    You can certainly create an all > all policy to match everything, but in the security world this is not best practice. Ideally you should only create policies/enable access for IPs and services that are as specific as possible.
    #2
    polarpanda
    Bronze Member
    • Total Posts : 21
    • Scores: 0
    • Reward points: 0
    • Status: offline
    Re: General Policy Question 2020/01/13 13:41:49 (permalink)
    0
    neonbit wrote:
    > You can certainly create an all > all policy to match everything, but in the security world this is not best practice. Ideally you should only create policies/enable access for IPs and services that are as specific as possible.

    Thank you for the answer, Neonbit. Now I'm confused about an issue I encountered. We need a v server to connect to an external IP address. We do have the "all" to "all" policy from inside to outside. The traffic flow wasn't stable; it was on and off, and super slow. But as soon as I created a specific policy for this task, the issue was gone. Do you know the reason?
    #3
    emnoc
    Expert Member
    • Total Posts : 5748
    • Scores: 373
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: General Policy Question 2020/01/13 14:32:39 (permalink)
    0
    I highly doubt a specific policy was the issue. What was your any/any policy? Did you have any UTM features enabled?
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #4
    polarpanda
    Bronze Member
    • Total Posts : 21
    • Scores: 0
    • Reward points: 0
    • Status: offline
    Re: General Policy Question 2020/01/13 14:46:29 (permalink)
    0
    emnoc wrote:
    > I highly doubt a specific policy was the issue. What was your any/any policy? Did you have any UTM features enabled?
    >
    > Ken Felix

    Hi Ken,
    Thank you for helping me out on this post as well. Comparing the two policies, the only difference is that the any/any policy has a few security profiles enabled. Can you explain why that might cause the issue? Thanks.
    #5
    emnoc
    Expert Member
    • Total Posts : 5748
    • Scores: 373
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: General Policy Question 2020/01/13 14:51:57 (permalink)
    0
    What is in your security policy?
     
     i.e.   show full firewall policy <id> 
     
    Without knowing what you had enabled, it would be hard to make a determination of the issue(s).
     
    Ken Felix
     

    PCNSE 
    NSE 
    StrongSwan  
    #6
    poundy
    Bronze Member
    • Total Posts : 41
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/06/13 20:58:45
    • Status: offline
    Re: General Policy Question 2020/01/13 20:14:11 (permalink)
    0
    Is this thread no longer needed, because as per the other thread from the OP https://forum.fortinet.com/tm.aspx?m=181788 there was a misconfiguration elsewhere, not the FW? 
    #7
    sw2090
    Expert Member
    • Total Posts : 712
    • Scores: 50
    • Reward points: 0
    • Joined: 2017/06/14 01:27:25
    • Location: Regensburg
    • Status: offline
    Re: General Policy Question 2020/01/14 05:30:12 (permalink)
    0
    Generally this is because all FortiGates have one policy (#0) that blocks everything to everything.
    So one needs policies that match before #0 to allow traffic.
    #8
    emnoc
    Expert Member
    • Total Posts : 5748
    • Scores: 373
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: General Policy Question 2020/01/14 07:24:46 (permalink)
    0
    Correct, an implicit deny exists. So if you do not match any of the other policy IDs (greater than 0, per se), then the ultimate action is to drop.
     
    Without seeing what he had enabled, we would not know the difference between the two policy IDs.
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #9
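To make the first-match behaviour and the implicit deny discussed in the last two replies concrete, here is an added Python illustration; it is not FortiOS code and not something posted in this thread. It models a policy table that is walked top-down with policy ID 0 as the implicit deny at the bottom, and adds an audit check for policies that can never match because a broader policy above them (such as an any/any) already covers every flow they would match. All interface names, addresses, service names and policy IDs are constructed sample values.

```python
"""First-match evaluation of a FortiGate-style policy table with implicit deny.

Added illustration, not FortiOS code: the interfaces, addresses and policy IDs
below are constructed sample values."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Flow:
    srcintf: str
    dstintf: str
    src: str        # source IP
    dst: str        # destination IP
    service: str    # e.g. "tcp/443"


@dataclass(frozen=True)
class Policy:
    policyid: int
    srcintf: str    # interface name or "any"
    dstintf: str
    srcaddr: str    # "all" or a CIDR
    dstaddr: str
    service: str    # "ALL" or one specific service
    action: str     # "accept" or "deny"
    utm: bool = False   # security profiles (AV/IPS/web filter) applied?

    def matches(self, f: Flow) -> bool:
        return (self.srcintf in ("any", f.srcintf)
                and self.dstintf in ("any", f.dstintf)
                and _addr_match(self.srcaddr, f.src)
                and _addr_match(self.dstaddr, f.dst)
                and self.service in ("ALL", f.service))


def _addr_match(spec: str, ip: str) -> bool:
    if spec == "all":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


# Policy ID 0: the implicit deny at the bottom of every FortiGate policy table.
IMPLICIT_DENY = Policy(0, "any", "any", "all", "all", "ALL", "deny")


def evaluate(policies: List[Policy], flow: Flow) -> Policy:
    """Walk the table top-down; the first matching policy decides. A flow that
    reaches the end of the table hits policy 0 and is dropped."""
    for p in policies + [IMPLICIT_DENY]:
        if p.matches(flow):
            return p
    return IMPLICIT_DENY  # not reachable: IMPLICIT_DENY matches every flow


def _covers(broad: str, narrow: str) -> bool:
    """True if address spec `broad` includes every address in `narrow`."""
    if broad == "all":
        return True
    if narrow == "all":
        return False
    return ipaddress.ip_network(narrow, strict=False).subnet_of(
        ipaddress.ip_network(broad, strict=False))


def shadowed(policies: List[Policy]) -> List[int]:
    """IDs of policies that can never match because one earlier policy already
    covers every flow they would match (first match wins). Checking a single
    earlier policy is enough to catch the any/any-above-specific case."""
    out = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (earlier.srcintf in ("any", later.srcintf)
                    and earlier.dstintf in ("any", later.dstintf)
                    and _covers(earlier.srcaddr, later.srcaddr)
                    and _covers(earlier.dstaddr, later.dstaddr)
                    and earlier.service in ("ALL", later.service)):
                out.append(later.policyid)
                break
    return out


# Constructed sample table, in creation order: 1 = the broad inside-to-outside
# any/any policy with security profiles, 2 = a specific policy for one internal
# server talking to one external host (203.0.113.0/24 is a documentation range).
ANY_ANY = Policy(1, "port1", "port2", "all", "all", "ALL", "accept", utm=True)
SPECIFIC = Policy(2, "port1", "port2", "10.0.0.5/32", "203.0.113.10/32",
                  "tcp/443", "accept")
SERVER_FLOW = Flow("port1", "port2", "10.0.0.5", "203.0.113.10", "tcp/443")
INBOUND_FLOW = Flow("port2", "port1", "198.51.100.7", "10.0.0.5", "tcp/22")


def demo() -> dict:
    as_created = [ANY_ANY, SPECIFIC]
    reordered = [SPECIFIC, ANY_ANY]
    return {
        "as_created": evaluate(as_created, SERVER_FLOW).policyid,  # 1: broad policy wins
        "shadowed": shadowed(as_created),                          # [2]: never reached
        "reordered": evaluate(reordered, SERVER_FLOW).policyid,    # 2: specific policy first
        "inbound": evaluate(reordered, INBOUND_FLOW).policyid,     # 0: implicit deny
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the specific policy below the any/any, the server's flow is still handled by policy 1 (with its security profiles), and the shadow check reports policy 2 as unreachable; only when the specific policy sits above the broad one does it decide, and traffic that matches nothing falls through to policy 0. Running the same kind of shadow check against a real table (from `show full firewall policy`) is a cheap way to confirm that a newly added specific policy is actually the one in effect.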