Firewall Policy How list order affects policy matching
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903 387
http://docs.fortinet.com/Feedback
Firewall Policy
Firewall policies control all traffic attempting to pass through the FortiGate unit, between
FortiGate interfaces, zones, and VLAN subinterfaces.
Firewall policies are instructions the FortiGate unit uses to decide connection acceptance
and packet processing for traffic attempting to pass through. When the firewall receives a
connection packet, it analyzes the packet’s source address, destination address, and
service (by port number), and attempts to locate a firewall policy matching the packet.
Firewall policies can contain many instructions for the FortiGate unit to follow when it
receives matching packets. Some instructions are required, such as whether to drop or
accept and process the packets, while other instructions, such as logging and
authentication, are optional.
Policy instructions may include network address translation (NAT) or port address
translation (PAT), using virtual IPs or IP pools to translate source and destination IP
addresses and port numbers. For details on using virtual IPs and IP pools, see “Firewall
Virtual IP” on page 447.
Policy instructions may also include protection profiles, which can specify application-layer
inspection and other protocol-specific protection and logging. For details on using
protection profiles, see “Firewall Protection Profile” on page 479.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall policies are
configured separately for each virtual domain, and you must first enter the virtual domain
to configure its firewall policies. For details, see “Using virtual domains” on page 159.
This section describes:
How list order affects policy matching
Multicast policies
Viewing the firewall policy list
Configuring firewall policies
Using DoS policies to detect and prevent attacks
Using one-arm sniffer policies to detect network attacks
How FortiOS selects unused NAT ports
Firewall policy examples
How list order affects policy matching
Each time a FortiGate unit receives a connection attempting to pass through one of its
interfaces, the unit searches its firewall policy list for a matching firewall policy.
The search begins at the top of the policy list and progresses in order towards the bottom.
The FortiGate unit evaluates each policy in the firewall policy list for a match until a match
is found. When the FortiGate unit finds the first matching policy, it applies the matching
policy’s specified actions to the packet, and disregards subsequent firewall policies.
Matching firewall policies are determined by comparing the firewall policy and the
packet’s:
source and destination interfaces
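The first-match search described above (top of the list to the bottom, first match wins, later policies disregarded) is the reason policy order matters: a broad policy placed above a narrower one silently absorbs the narrower one's traffic. The following added example, which is not code from the FortiGate guide and does not reproduce FortiOS's internal implementation, simulates that lookup in Python on the fields the text names (source and destination interface, source and destination address, and service by protocol and port). It goes one step beyond the text with a `shadowed_policy_ids` check that reports policies an earlier, at-least-as-broad policy makes unreachable, which is the audit a practitioner wants before reordering a list. Interface names, addresses and the policy list are constructed sample values.

```python
# Added example (not from the FortiGate guide): simulate top-to-bottom,
# first-match firewall policy lookup and detect shadowed (unreachable) policies.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY_SERVICE = ("any", 0)   # stands for the "ANY" service; constructed convention


@dataclass(frozen=True)
class Packet:
    src_intf: str
    dst_intf: str
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Policy:
    id: int
    src_intf: str               # interface name, or "any"
    dst_intf: str
    src_addr: str               # CIDR, or "all"
    dst_addr: str
    service: Tuple[str, int]    # (proto, port), or ANY_SERVICE
    action: str                 # "accept" or "deny"


def _intf_covers(pol_intf: str, pkt_intf: str) -> bool:
    return pol_intf == "any" or pol_intf == pkt_intf


def _addr_covers(cidr: str, ip: str) -> bool:
    return cidr == "all" or ip_address(ip) in ip_network(cidr, strict=False)


def _service_covers(service: Tuple[str, int], pkt: Packet) -> bool:
    proto, port = service
    return proto == "any" or (proto == pkt.proto and port == pkt.dst_port)


def matches(policy: Policy, pkt: Packet) -> bool:
    """True when the packet matches the policy on interfaces, addresses and service."""
    return (_intf_covers(policy.src_intf, pkt.src_intf)
            and _intf_covers(policy.dst_intf, pkt.dst_intf)
            and _addr_covers(policy.src_addr, pkt.src_ip)
            and _addr_covers(policy.dst_addr, pkt.dst_ip)
            and _service_covers(policy.service, pkt))


def first_match(policies: List[Policy], pkt: Packet) -> Optional[Policy]:
    """Search the list from the top; the first matching policy decides the packet.
    None means nothing matched, i.e. the packet falls through to the implicit deny."""
    for policy in policies:
        if matches(policy, pkt):
            return policy
    return None


def _cidr_covers(outer: str, inner: str) -> bool:
    """Does every address in `inner` also fall inside `outer`?"""
    if outer == "all":
        return True
    if inner == "all":
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def covers(upper: Policy, lower: Policy) -> bool:
    """True if every packet `lower` could match is already matched by `upper`."""
    return ((upper.src_intf == "any" or upper.src_intf == lower.src_intf)
            and (upper.dst_intf == "any" or upper.dst_intf == lower.dst_intf)
            and _cidr_covers(upper.src_addr, lower.src_addr)
            and _cidr_covers(upper.dst_addr, lower.dst_addr)
            and (upper.service == ANY_SERVICE or upper.service == lower.service))


def shadowed_policy_ids(policies: List[Policy]) -> List[int]:
    """IDs of policies that can never be reached because a policy above them covers them."""
    return [lower.id for i, lower in enumerate(policies)
            if any(covers(upper, lower) for upper in policies[:i])]


# Constructed sample policy list: policy 3 is unreachable because policy 1 (and 2) sit above it.
POLICIES = [
    Policy(1, "internal", "wan1", "10.0.0.0/8",  "all", ("tcp", 80), "accept"),
    Policy(2, "internal", "wan1", "10.0.5.0/24", "all", ANY_SERVICE, "deny"),
    Policy(3, "internal", "wan1", "10.0.5.0/24", "all", ("tcp", 80), "accept"),
]


def demo() -> dict:
    web = Packet("internal", "wan1", "10.0.5.7", "203.0.113.10", "tcp", 80)
    ssh = Packet("internal", "wan1", "10.0.5.7", "203.0.113.10", "tcp", 22)
    inbound = Packet("wan1", "internal", "198.51.100.9", "10.0.5.7", "tcp", 80)
    return {
        "web": first_match(POLICIES, web).id,        # 1: policy 1 wins although 2 also matches
        "ssh": first_match(POLICIES, ssh).id,        # 2: policy 1 fails on service, 2 denies
        "inbound": first_match(POLICIES, inbound),   # None: no policy, implicit deny
        "shadowed": shadowed_policy_ids(POLICIES),   # [3]
    }


if __name__ == "__main__":
    print(demo())
```

Reading the output: the web packet from 10.0.5.7 is accepted by policy 1 even though policy 2 explicitly denies that subnet, purely because policy 1 is listed first; moving policy 2 above policy 1 would flip that decision. The shadow check only flags exact coverage by a single earlier policy, so a policy hidden by the union of several narrower policies is not reported.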