Firewall configuration Configuring policy lists
FortiGate-50A Installation and Configuration Guide 145
For example, the default policy is a very general policy because it matches all
connection attempts. When you create exceptions to that policy, you must add them to
the policy list above the default policy. No policy below the default policy will ever be
matched.
This section describes:
Policy matching in detail
Changing the order of policies in a policy list
Enabling and disabling policies
Policy matching in detail
When the FortiGate unit receives a connection attempt at an interface, it must first select
the policy list to search for a policy that matches the connection attempt. The FortiGate
unit chooses the policy list based on the source and destination of the connection attempt,
that is, the interface it arrives on and the interface it must leave through (for example,
the Int->Ext list for connections from the internal network to the Internet).
The FortiGate unit then starts at the top of the selected policy list and searches down
the list for the first policy that matches the connection attempt's source and destination
addresses, service (protocol and port), and the time and date at which the connection
attempt was received. The first policy that matches is applied to the connection attempt,
and the search stops there: list position alone decides, so a more specific policy lower in
the list never takes precedence over a general policy above it. If no policy matches, the
connection is dropped.
The default policy accepts all connection attempts from the internal network to the
Internet. From the internal network, users can browse the web, use POP3 to get
email, use FTP to download files through the firewall, and so on. If the default policy is
at the top of the Int->Ext policy list, the firewall allows all connections from the internal
network to the Internet because all connections match the default policy. If more
specific policies are added to the list below the default policy, they are never matched.
A policy that is an exception to the default policy, for example, a policy to block FTP
connections, must be placed above the default policy in the Int->Ext policy list. In this
example, all FTP connection attempts from the internal network would then match the
FTP policy and be blocked. Connection attempts for all other services would not match
the FTP policy but would match the default policy, so the firewall would still accept all
other connections from the internal network.
Changing the order of policies in a policy list
To change the order of a policy in a policy list
1. Go to Firewall > Policy.
2. Select the policy list that you want to change the order of.
3. Choose the policy that you want to move and select Move To to change its order
in the policy list.
4. Type a number in the Move To field to specify where in the policy list to move the
policy and select OK.
Note: Policies that require authentication must be placed in the policy list above matching
policies that do not; otherwise, the policy that does not require authentication is matched
first, the connection is accepted, and the user is never prompted to authenticate.
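The first-match rule described under "Policy matching in detail" and the authentication note above are easy to get wrong once a list holds more than a few policies. The following Python model is an added example, not FortiOS code or anything from this guide: it walks an ordered list and returns the first policy whose address, service and schedule criteria match, and it reports any policy that can never be reached because an earlier policy covers everything it would match. The Policy and Connection fields, the helper names and the sample addresses are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Illustrative model of a first-match policy list. Not FortiOS code: the
# field names, helper names and sample addresses below are assumptions.

ANY = "0.0.0.0/0"   # stands in for the guide's "all" address


@dataclass(frozen=True)
class Connection:
    src: str            # source IP address
    dst: str            # destination IP address
    proto: str          # "tcp" or "udp"
    port: int           # destination port
    when: datetime      # time the connection attempt was received


@dataclass(frozen=True)
class Policy:
    name: str
    src: str = ANY                           # network the source must fall in
    dst: str = ANY                           # network the destination must fall in
    proto: str = "any"                       # "any" or a specific protocol
    port: Optional[int] = None               # None = any destination port
    hours: Optional[Tuple[int, int]] = None  # (start, end) hour; None = always
    action: str = "ACCEPT"                   # "ACCEPT" or "DENY"
    requires_auth: bool = False

    def matches(self, c: Connection) -> bool:
        """Address, service and schedule criteria, as the guide lists them."""
        if ip_address(c.src) not in ip_network(self.src):
            return False
        if ip_address(c.dst) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != c.proto:
            return False
        if self.port is not None and self.port != c.port:
            return False
        if self.hours is not None and not (self.hours[0] <= c.when.hour < self.hours[1]):
            return False
        return True

    def covers(self, other: "Policy") -> bool:
        """True if every connection `other` could match also matches self,
        so placing `other` below self in the list makes it unreachable."""
        if not ip_network(other.src).subnet_of(ip_network(self.src)):
            return False
        if not ip_network(other.dst).subnet_of(ip_network(self.dst)):
            return False
        if self.proto != "any" and self.proto != other.proto:
            return False
        if self.port is not None and self.port != other.port:
            return False
        if self.hours is not None and (other.hours is None or not (
                self.hours[0] <= other.hours[0] and other.hours[1] <= self.hours[1])):
            return False
        return True


def first_match(policies: List[Policy], c: Connection) -> Optional[Policy]:
    """Search top to bottom; the first match is applied. None means dropped."""
    for p in policies:
        if p.matches(c):
            return p
    return None


def shadowed(policies: List[Policy]) -> List[str]:
    """Names of policies that can never be matched because an earlier policy
    in the list covers everything they would match."""
    return [p.name for i, p in enumerate(policies)
            if any(earlier.covers(p) for earlier in policies[:i])]


# Constructed policies mirroring the guide's Int->Ext example.
DEFAULT = Policy("default")                                          # accept all
BLOCK_FTP = Policy("block-ftp", proto="tcp", port=21, action="DENY")
AUTH_WEB = Policy("auth-web", proto="tcp", port=80, requires_auth=True)

WRONG_ORDER = [DEFAULT, BLOCK_FTP, AUTH_WEB]   # default on top: exceptions never fire
RIGHT_ORDER = [BLOCK_FTP, AUTH_WEB, DEFAULT]   # exceptions above the default

# Constructed connection attempts from an internal host to an Internet host.
NOON = datetime(2024, 5, 1, 12, 0)
FTP = Connection("192.168.1.10", "203.0.113.5", "tcp", 21, NOON)
WEB = Connection("192.168.1.10", "203.0.113.5", "tcp", 80, NOON)
POP3 = Connection("192.168.1.10", "203.0.113.5", "tcp", 110, NOON)

if __name__ == "__main__":
    for label, plist in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        for c in (FTP, WEB, POP3):
            m = first_match(plist, c)
            if m is None:
                print(f"{label}: port {c.port}: no match, dropped")
            else:
                print(f"{label}: port {c.port}: {m.name} {m.action}"
                      + (" (authentication required)" if m.requires_auth else ""))
        print(f"{label}: unreachable policies: {shadowed(plist)}")
```

With the default policy on top, both the FTP block and the authenticated web policy are reported as unreachable and every connection is accepted without authentication; moving them above the default gives the intended result. The `shadowed` check is a useful review step before adding a policy to a long list, because the unit itself gives no warning when a new policy lands below one that already covers it.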