itamez
New Contributor

Fortigate 200E bridge mode in VDOM

Hello fellow Fortinet pals, this is itamez.

 

I own a Fortigate FG200E and I would like to make a bridge between different subnetworks (WAN and LAN). Is there any way to do that? Someone told me that I have to make a VDOM and then bridge the two different networks. Does someone know how to do that?

 

I have read Chapter 33 - Virtual Domains > Enabling and accessing Virtual Domains from the Fortigate cookbook, but I don't see information about the bridge I intend to implement.

 

Are there any other options?

 

BR,

itamez

 

ShawnZA
Contributor II

I take it you mean Transparent mode, or do you mean you want to bridge the two networks? Perhaps more info on what you want to achieve?

 

https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-transparent/2-Installation/2-Install...

itamez
New Contributor

Hello ShawnZA thanks for your prompt reply!

 

Here's the general overview of the objective I want to accomplish and the things I've already done:

 

Objective: Protect public DNS servers from attacks and unwanted queries, using ipv4 policy routing to only allow defined traffic inside my infrastructure to reach the mentioned servers via specific protocol/ports, using the Fortigate 200E appliance.

Current scenario: I have to replace an old PFSense server that acts like a firewall, but is now almost dead.

Expected scenario: I assume the Fortigate I was handed can do the job, or a better job, than this old dying PFSense firewall server.

Firewall configuration/specs: I defined three physical connections: LAN, WAN and mgmt. Contained in the LAN are the DNS servers I want to protect from free entrance from the internet using known methods, and it is also where I defined the policies (WAN->LAN). WAN is the connection I set facing the internet, the point of contact for the users from the cloud so they can reach the public DNS under the policies made, and also the way the DNS servers have to reach the internet. Regarding the mgmt interface, it is just as is, a management port that is working.

Restrictions: I cannot modify IP addressing, because it's a thing that is already operating (alas suboptimally); thus I was just told that I have to use this Fortigate FW and replace the old PFSense with this new one.

Things I think I've already done right: In User & Device > Device Inventory in the GUI, I see the MACs and IPs of the servers I want to protect. I used specific VLANs to discover all the servers and machines in this LAN, briefly illustrated by the schematic below.

Things I think I'm missing and don't know how to circumvent: In User & Device > Device Inventory in the GUI, I don't see the WAN interface online, maybe because the device has not been configured as transparent YET.

Specs: 

Firmware v5.6.3 build1547 (GA)

Basic Network Schematic: FORTIGATE200E_new.png

 

Note:

So far, after at least 4 maintenance windows, I haven't been able to make this FG200E appliance my main perimeter protection tool.

 

Questions: 

Am I right in my logic in this realm? I'm really new to these Fortinet appliances, but I want to do the job the best I can.

What is the difference between Policy Routes, which is a suboption of Network (meaning Network > Policy Routes), and the ones contained in the option Policy & Objects > IPv4 Policy? Because I saw in the FortiOS Handbook (Transparent Mode for FortiOS 5.6.3) that transparent mode has a restriction on the Feature/Capability for Unicast Routing / Policy Based Routing. Is that a problem I would face, assuming transparent mode is the thing I need in order to bridge these networks?

ShawnZA

Ah so you need to rip and replace the PFSense with a Fortigate. Then transparent mode is not what you want at all.

 

You would need to configure the Fortigate with the same details as the PFSense: IPs, firewall policies, routes etc. The Fortigate can do everything the PFSense can do and more.

 

Policy Routing... https://kb.fortinet.com/kb/documentLink.do?externalID=FD46603

 

"In some FortiGate deployments, it may be necessary to have a certain type or source of traffic filtered through a different network connection. In other words, a specific protocol or IP will sometimes need to be sent to a destination other than the default gateway or route."

 

You don't need to use it unless you have a specific case to use it. I moved all our Fortigates away from Policy Routing as we did not need it anymore; static routing, BGP and SD-WAN rules took over from what our Policy Routes did.

 

The IPv4 Policy entries are the actual rules to allow traffic; they are not routing rules, they are firewall rules. That's where you would need to create all the rules that are on the PFSense.

 

Attached a screenshot of some of my home firewall policies, rules to allow traffic out to the internet (LAN to WAN)... so whatever policies are on the PF need to be created here on the Fortigate to allow the traffic. You would also specify WAN to LAN rules under IPv4 Policy.

itamez
New Contributor

Hi!

 

You would need to configure the Fortigate with the same details as the PFSense: IPs, firewall policies, routes etc. The Fortigate can do everything the PFSense can do and more.

 

I see. Yeah, I've already translated these rules exactly as the PFSense has them onto the FortiGate FG200E. Alas, when I do a maintenance window it seems that the appliance is blocking all the traffic. For this, a countermeasure I devised is: when I do the real deployment (the MW in the datacenter, disconnecting the old PFSense), I made a rule that allows all traffic, a type of IPv4 policy (ALLOW ALL FROM ALL TO ALL) kind of rule, and I disable all the rules that are the ones I need; but, notwithstanding any changes, it is just not able to reach the internet and it "blocks" all traffic, or so it seems.

 

My objective does not get completed...

 

"In some FortiGate deployments, it may be necessary to have a certain type or source of traffic filtered through a different network connection...

 

Hmm... I really don't get this sentence. For me, the source traffic would be the WAN (the interface that is facing the "internet"). First, what is a "different network connection"? Is it a physical one? Filtered how? A logical one? A virtual one?...

 

In other words, a specific protocol or IP will sometimes need to be sent to a destination other than the default gateway or route."

 

Sent where in the Firewall...? I don't get it.

 

 

You don't need to use it unless you have a specific case to use it. I moved all our Fortigates away from Policy Routing as we did not need it anymore, static routing, BGP and SD-WAN rules took over from what our Policy Routes did.

I gather these get precedence because of the administrative distance of these protocols? They get overridden, perhaps.

The IPv4 Policy entries are the actual rules to allow traffic; they are not routing rules, they are firewall rules. That's where you would need to create all the rules that are on the PFSense.

 

Thanks for clearing that up, Shawn. Following you, I get this: IPv4 Policy = Firewall rules

 

 

Attached a screenshot of some of my home firewall policies, rules to allow traffic out to the internet (LAN to WAN)... so whatever policies are on the PF need to be created here on the Fortigate to allow the traffic. You would also specify WAN to LAN rules under IPv4 Policy.

 

As I've explained previously in this reply, I specified some WAN -> LAN rules and some other LAN -> WAN rules that permit ALL. But it seems that the Fortigate still blocks all the traffic. Could this be some licensing issue?

 

Also I attach the rules I've made for this appliance, and they don't seem to work for my client when I deploy the solution.

 

Do you have any recommendation in order to make this work for a production environment?

Something I'm doing wrong, something I'm missing?

 

Best Regards to you all!

Dave_Hall
Honored Contributor

No licensing issue.

 

The fgt by default expects "management traffic" from outside directed to its WAN (outside) IP addresses. If you are planning to run various servers behind that single IP, you may need to set up VIPs (e.g. port forwards). You may also need to move the fgt's default web UI management ports (from 80, 443 to something like 8080 and 8443, etc.).

 

Also, when it comes to setting up the services (protocols) in firewall policies/VIPs, make sure that you are leaving the source port values as 0-65535. A common mistake is assuming both source/dest port values are the same (e.g. web traffic 80, 443).

 

itamez wrote:
As I've explained previously in this reply, I specified some WAN -> LAN rules and some other LAN -> WAN rules that permit ALL. But it seems that the Fortigate still blocks all the traffic. Could this be some licensing issue? Also I attach the rules I've made for this appliance, and they don't seem to work for my client when I deploy the solution.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
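The three points in the reply above (move the admin ports off 80/443, publish the DNS server through a VIP instead of relying on the WAN IP, and keep the source port range at 0-65535) in FortiOS CLI form, as an added illustration that is not part of the thread. Interface names (wan1, lan) and all IP addresses are assumed placeholders; the service object is the one piece that actually restricts traffic to DNS.

```text
# Move the web UI off 80/443 so they stay free for published services.
config system global
    set admin-port 8080
    set admin-sport 8443
end

# Custom DNS service: destination port 53, source ports 0-65535.
# Format is dstport:srcport-range. Writing "53:53" would be the common
# mistake from the reply above: real resolvers use ephemeral source
# ports, so such a policy would match almost nothing.
config firewall service custom
    edit "DNS-Public"
        set tcp-portrange 53:0-65535
        set udp-portrange 53:0-65535
    next
end

# Static 1:1 VIP (no port forward) so TCP and UDP both map through it;
# the policy service below is what limits exposure to port 53.
# 203.0.113.10 / 192.0.2.10 are documentation-range placeholders.
config firewall vip
    edit "VIP-DNS1"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.0.2.10"
    next
end

# WAN -> LAN policy: only DNS to the published server, everything logged.
# "edit 0" lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set name "Internet-to-DNS1"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "VIP-DNS1"
        set action accept
        set schedule "always"
        set service "DNS-Public"
        set logtraffic all
    next
end
```

A broad ALLOW ALL policy placed above this one would match first, so keep the temporary troubleshooting rule below the specific ones or remove it once the cut-over works.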
