In FortiGate firewalls, firewall policies are the core mechanism for controlling traffic flow across networks. Whether you’re building a segmentation strategy or securing access to applications, creating clear and effective policies is critical. This guide walks you through the process of configuring, managing, and optimizing policies for utmost security and performance.
What Are Firewall Policies in FortiGate?
A firewall policy in FortiGate defines how traffic is allowed or denied between source and destination zones, addresses, and ports. Each policy includes:
- Source and destination interfaces
- Source and destination addresses
- Services (ports/protocols)
- Action (allow/deny)
- Security profiles (optional: AV, IPS, Web Filtering, etc.)
Firewall policies can be applied to IPv4 and IPv6 traffic and can include advanced configurations such as NAT, identity-based policies, and deep inspection.
Understanding Policy Types
FortiGate supports multiple policy types to suit different network use cases:
- IPv4 / IPv6 Policies: Standard policies for IP-based traffic.
- Proxy Policies: Used with explicit proxy configurations.
- NAT Policies: Translate internal IPs/ports to external ones, which is essential for outbound traffic access.
- Zone-based Policies: Define traffic rules between zones instead of interfaces, simplifying management in complex networks.
Understanding these types helps align your firewall setup with the network design.
Prerequisites Before Creating Policies
Before diving into policy creation, ensure:
- Interfaces and zones are properly configured.
- Address objects and groups are defined (e.g., LAN_SUBNET, HR_NETWORK).
- Services are identified (e.g., HTTP, HTTPS, custom TCP/UDP ports).
- UTM profiles are prepared for deep inspection.
- NAT requirements are clear for outgoing and incoming traffic.
Tip: Naming conventions and documentation at this stage will save significant time during policy creation and auditing.
How to Create a Firewall Policy (GUI)
Step 1: Log in to the FortiGate GUI
Step 2: Navigate to Policy & Objects → Firewall Policy
Step 3: Click “Create New”
Step 4: Configure the following:
- Name: LAN-to-WAN
- Incoming Interface: LAN
- Outgoing Interface: WAN
- Source: LAN_SUBNET
- Destination: all
- Service: ALL (or specify as needed)
- Action: Accept
- Schedule: Always (or custom)
- NAT: Enable if translating private to public IP
Step 5: Enable Security Profiles like Antivirus, Web Filter, Application Control
Step 6: Enable Logging: Choose “All Sessions” or “Security Events”
Step 7: Click OK to save.
How to Create a Firewall Policy (CLI)
Using the CLI allows for precise, scriptable configuration. The same LAN-to-WAN policy from the GUI steps looks like this:
config firewall policy
    edit 1
        set name "LAN-to-WAN"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "LAN_SUBNET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
To apply UTM features via CLI, the security profiles must be switched on for the policy with utm-status; current FortiOS releases also expect an SSL/SSH inspection profile on the policy, and the built-in certificate-inspection profile is the minimum that lets the other profiles see the traffic:
config firewall policy
    edit 1
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "strict"
        set ips-sensor "protect"
    next
end
Understanding Interface Pairs and Zones
In FortiGate, interfaces can be grouped into zones. This abstraction simplifies policy management by letting you write rules between zones (like LAN to WAN) instead of specific interfaces. For example:
- LAN zone = port1, port2
- WAN zone = wan1, wan2
This is particularly helpful in high-availability environments.
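The two zones listed above, and a policy written against them, as an added example that is not from the original post. The port names are the ones in the list, the address object LAN_SUBNET is the one from the prerequisites, and the policy ID is an assumption:

```fortios
# Added example: group interfaces into zones, then write policies between zones.
# Assumes port1/port2/wan1/wan2 exist and are not yet referenced directly by a policy;
# FortiOS refuses to add an interface to a zone while a policy references it.
config system zone
    edit "LAN"
        set intrazone deny
        set interface "port1" "port2"
    next
    edit "WAN"
        set intrazone deny
        set interface "wan1" "wan2"
    next
end
# The policy references the zones, not the member ports, so adding a third LAN
# port later means editing the zone once rather than every policy.
config firewall policy
    edit 2
        set name "LAN-zone-to-WAN-zone"
        set srcintf "LAN"
        set dstintf "WAN"
        set srcaddr "LAN_SUBNET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
        set logtraffic all
        set comments "Web and DNS egress for the LAN zone (added example)"
    next
end
```

With intrazone set to deny, port1 and port2 cannot talk to each other until a LAN-to-LAN policy explicitly allows it, which keeps the segmentation intent visible in the policy table.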
Organizing and Prioritizing Policies
- FortiGate processes policies top-down.
- The first-match-wins principle applies.
- Use sections (comments and color coding) to separate types (e.g., VPN, Internal, Internet Access).
- Group similar rules to improve readability and maintenance.
- Keep specific policies above generic ones.
Tip: Use the Policy ID and comments to track change history and purpose.
Enabling Deep Inspection and Security Profiles
UTM (Unified Threat Management) features greatly enhance FortiGate’s firewall capabilities:
- Antivirus: Scans HTTP/FTP/SMTP traffic for malware
- Web Filtering: Blocks categories or specific URLs
- Application Control: Identifies and controls app-level traffic
- Intrusion Prevention (IPS): Detects and blocks exploit attempts
- SSL Inspection: Decrypts encrypted traffic to apply UTM checks
Enable only what’s necessary to avoid performance issues. Consider using flow-based inspection over proxy-based for better throughput on high-performance networks.
Understanding NAT in Policies
NAT is crucial in network security policies:
- SNAT (Source NAT): Hides internal IPs when accessing the Internet
- DNAT (Destination NAT): Maps external IPs to internal servers
Ensure you configure IP Pools and Virtual IPs (VIPs) where needed. Example:
config firewall vip
    edit "WebServer_Public"
        set extip 203.0.113.1
        set mappedip "192.168.1.10"
        set portforward enable
        set extport 80
        set mappedport 80
    next
end
Then reference this VIP in your policy destination.
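The inbound policy that references the VIP, as an added example that is not from the original post. The interface name dmz and the policy ID are assumptions; protect_http_server is one of the IPS sensors FortiOS ships by default:

```fortios
# Added example: the inbound policy for the WebServer_Public VIP defined above.
# The destination is the VIP object, not the server's real address and not "all";
# the VIP object performs the DNAT and port forward to 192.168.1.10:80.
config firewall policy
    edit 10
        set name "WAN-to-DMZ-WebServer_Public-HTTP"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "WebServer_Public"
        set action accept
        set schedule "always"
        set service "HTTP"
        set nat disable
        set logtraffic all
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "protect_http_server"
        set comments "Inbound HTTP to web server via VIP (added example)"
    next
end
```

NAT stays disabled on the inbound policy so the server and the FortiGate logs both see the real client address; the service is pinned to HTTP because the VIP only forwards TCP 80, so a wider service would add match surface without adding function.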
Policy Matching and Evaluation Process
When traffic reaches FortiGate:
- It’s compared against each rule top to bottom.
- The first match wins—no further rules are evaluated.
- If no match is found, traffic is dropped (implicit deny).
Helpful command:
diagnose firewall iprope lookup <src_ip> <src_port> <dst_ip> <dst_port> <protocol> <src_intf>
This command shows which policy would match a flow with the given source, destination, protocol number (6 for TCP, 17 for UDP) and ingress interface, without sending any traffic.
Logging and Monitoring Policies
Logging is critical for security audits and troubleshooting:
- Enable per-policy logging: Sessions and Security Events
- Use the Log & Report section for browsing logs
- Use filters to search by policy ID, user, IP, etc.
For large environments, integrate with FortiAnalyzer to:
- Store long-term logs
- Generate compliance reports
- Analyze traffic patterns
- Detect anomalies and attacks
Leveraging Hit Count and Policy Lookup Tools
FortiGate tracks how often each policy is triggered. This helps identify:
- Unused rules: Candidates for cleanup
- Overused generic rules: Could be refined for better control
Policy lookup in GUI or CLI helps answer: “Which rule matched this traffic?”
diagnose firewall iprope lookup <src_ip> <src_port> <dst_ip> <dst_port> <protocol> <src_intf>
Best Practices for Policy Management
- Use clear naming: Include source/destination/service in the name
- Tag policies: Add comments for tracking changes
- Minimize ANY/ANY rules: Be specific where possible
- Use Address and Service Groups: Avoid repetitive objects
- Regular audits: Review rules quarterly
- Document all changes: Use ticket or log systems
- Backup before major changes: Schedule during maintenance windows
Advanced Policy Scenarios
Identity-Based Policies
Integrate with Active Directory or FortiAuthenticator to apply policies per user or group.
Schedule-Based Policies
Allow or block traffic based on time-of-day or day-of-week schedules.
Traffic Shaping
Control bandwidth using shaping policies (e.g., limit guest Wi-Fi).
Device-Based Policies
Use device detection to allow/block traffic from specific device types (IoT, smartphones).
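Schedule-based and identity-based restrictions combined in one policy, as an added example that is not from the original post. HR_NETWORK is the address object from the prerequisites; the user group HR_Staff, the zones LAN and WAN, and the policy ID are assumptions (HR_Staff would be defined under config user group and mapped to a directory group via LDAP or FSSO):

```fortios
# Added example: a recurring schedule plus a user-group match on a policy.
config firewall schedule recurring
    edit "Business_Hours"
        set day monday tuesday wednesday thursday friday
        set start 08:00
        set end 18:00
    next
end
# The policy matches only when every condition holds: source in HR_NETWORK,
# the user authenticated as a member of HR_Staff (assumed to exist under
# config user group), and the current time inside Business_Hours. Outside the
# schedule the policy is skipped and traffic falls through to later policies
# or to the implicit deny.
config firewall policy
    edit 20
        set name "HR_NETWORK-to-WAN-Web-BusinessHours"
        set srcintf "LAN"
        set dstintf "WAN"
        set srcaddr "HR_NETWORK"
        set dstaddr "all"
        set action accept
        set schedule "Business_Hours"
        set service "HTTP" "HTTPS"
        set groups "HR_Staff"
        set nat enable
        set logtraffic all
        set comments "HR staff web access during business hours (added example)"
    next
end
```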
Troubleshooting Common Issues
- Traffic not passing? Check interfaces, address objects, NAT settings
- Unexpected blocks? Review policy order and matched rules
- Slow connections? Tune UTM settings or review inspection methods
- No logs? Confirm logging is enabled per policy
- SSL Inspection issues? Confirm certificates are trusted on client devices
Use these tools:
diagnose debug flow
execute log display
execute tac report
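A scoped debug-flow trace for the "traffic not passing" and "unexpected blocks" cases, as an added example that is not from the original post. The client address 192.168.1.50 and destination port 443 are constructed sample values:

```fortios
# Added example: trace how the policy engine handles one flow.
# Always set a filter first; an unfiltered trace on a busy unit floods the console.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 192.168.1.50
diagnose debug flow filter dport 443
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug flow trace start 20
# Reproduce the connection from 192.168.1.50 now, then read the trace lines:
#   "Allowed by Policy-N" names the policy ID that matched,
#   "Denied by forward policy check (policy 0)" is the implicit deny.
# Stop the trace and clear the filter when done so it does not linger.
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
```

Pair the trace with the iprope lookup command from the earlier sections: the lookup predicts the match from the policy table, while the trace shows what the engine actually did to a live packet, including NAT and interface decisions.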
Conclusion
Firewall policies are the foundation of a secure and functional FortiGate deployment. When crafted with intent and aligned to your network structure, they offer not only protection but also visibility and control. From creating basic rules to leveraging UTM, NAT, and advanced features, mastering policy configuration ensures your network is secure, efficient, and future-ready.
Regular reviews, clear documentation, and the use of Fortinet’s diagnostic tools make the process manageable, even in complex environments. As your organization grows, keeping policies organized and aligned with changing requirements becomes a key part of your security posture.