Firewall configuration

Configuring policy lists

Log Traffic

Select Log Traffic to write messages to the traffic log whenever the policy processes a connection. For more information about logging, see “Logging and reporting” on page 281.

Comments

Optionally add a description or other information about the policy. The comment can be up to 63 characters long, including spaces.

Configuring policy lists

The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match. You must arrange policies in the policy list from more specific to more general.

For example, the default policy is a very general policy because it matches all connection attempts. When you create exceptions to this policy, you must add them to the policy list above the default policy. No policy below the default policy will ever be matched.

This section describes:

Policy matching in detail

Changing the order of policies in a policy list

Enabling and disabling policies

Policy matching in detail

When the FortiGate unit receives a connection attempt at an interface, it must select a policy list to search through for a policy that matches the connection attempt. The FortiGate unit chooses the policy list based on the source and destination addresses of the connection attempt.

The FortiGate unit then starts at the top of the selected policy list and searches down the list for the first policy that matches the connection attempt source and destination addresses, service port, and time and date at which the connection attempt was received. The first policy that matches is applied to the connection attempt. If no policy matches, the connection is dropped.

The default policy accepts all connection attempts from the network connected to port1 to the network connected to port2. From the network connected to port1, users can browse the web, use POP3 to get email, use FTP to download files through the firewall, and so on. If the default policy is at the top of the port1->port2 policy list, the firewall allows all connections from the network connected to port1 to the Internet because all connections match the default policy. If more specific policies are added to the list below the default policy, they are never matched.
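The first-match search and the shadowing problem described above, as an added illustration that is not part of the guide: a small Python model of a policy list (constructed sample policies; addresses as CIDR, services as port sets, schedule matching omitted) with a helper that reports policies an earlier, broader policy makes unreachable.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

ANY = None  # stand-in for the guide's "ANY" service; schedule (time/date) matching is omitted

@dataclass(frozen=True)
class Policy:
    name: str
    src: str                           # source address as CIDR; "all" = any host
    dst: str                           # destination address as CIDR
    service: Optional[FrozenSet[int]]  # destination ports, or ANY
    action: str                        # "accept" or "deny"

def _net(cidr: str):
    return ip_network("0.0.0.0/0" if cidr == "all" else cidr)

def matches(p: Policy, src_ip: str, dst_ip: str, port: int) -> bool:
    return (ip_address(src_ip) in _net(p.src) and ip_address(dst_ip) in _net(p.dst)
            and (p.service is ANY or port in p.service))

def first_match(policy_list: List[Policy], src_ip: str, dst_ip: str, port: int) -> Tuple[Optional[str], str]:
    """Top-down search as the guide describes: the first matching policy wins, else the connection is dropped."""
    for p in policy_list:
        if matches(p, src_ip, dst_ip, port):
            return p.name, p.action
    return None, "drop"

def shadowed(policy_list: List[Policy]) -> List[str]:
    """Policies that can never be reached because a single earlier policy already covers everything they match."""
    out = []
    for i, later in enumerate(policy_list):
        for earlier in policy_list[:i]:
            covers_ports = earlier.service is ANY or (later.service is not ANY and later.service <= earlier.service)
            if (covers_ports and _net(later.src).subnet_of(_net(earlier.src))
                    and _net(later.dst).subnet_of(_net(earlier.dst))):
                out.append(later.name)
                break
    return out

# Constructed sample list: the default "accept all" policy plus one exception for FTP from the port1 LAN
DEFAULT = Policy("default", "all", "all", ANY, "accept")
BLOCK_FTP = Policy("block-ftp", "10.0.0.0/24", "all", frozenset({21}), "deny")
WRONG_ORDER = [DEFAULT, BLOCK_FTP]    # exception below the default policy: never matched
CORRECT_ORDER = [BLOCK_FTP, DEFAULT]  # exception above the default policy

if __name__ == "__main__":
    print(first_match(WRONG_ORDER, "10.0.0.5", "203.0.113.9", 21), shadowed(WRONG_ORDER))
    print(first_match(CORRECT_ORDER, "10.0.0.5", "203.0.113.9", 21), shadowed(CORRECT_ORDER))
```

The shadow check is pairwise only; a policy hidden by the union of several earlier policies is not reported.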

FortiGate-400 Installation and Configuration Guide

177
