Hello and welcome to the FortiGate section. In this article, we will be going over more about how policies work in a FortiGate firewall as well as how to add policies on a Fortigate Firewall. As always we strongly encourage anyone interested in learning the topics to review the material with us through GNS3. There is an entire section dedicated on this blog to the installation of GNS3 to help you lab these devices yourself.
What are firewall policies?
In today's networking landscape security is a pretty big deal. And even the smallest hole in your security could potentially cost your company a lot of money and reputation. This is where firewalls and other security countermeasures come into play as a good firewall with proper policy administration could potentially save your company and clients from bad actors such as hackers.
We briefly touched on what a firewall is as well as how policies operate in our Firewalls article in the network fundamentals section. We will build up on what we learned there by looking specifically at how a FortiGate reads policies. In the shortest description possible, firewall policies allow us a way to define what network traffic is allowed or denied as administrators.
How do policies work?
The firewall will store all the firewall rules in a table which will inspect any traffic that passes through any of its interfaces and will try to match the traffic against the rule table. If nothing is matched then the firewall will simply drop the traffic.
An individual policy will generally look at things like the source and destination interfaces, the source and destination addresses as well as the services (is this HTTP and TCP?) Those are the things that the firewall will inspect based off of the policy. It will also then need to decide an action, will the traffic be denied or accepted?
The firewall will also check if there are any schedules applied to the policy, is this only being checked during certain days or times or is this always being checked?
We also have the option to NAT our traffic through the policy in order to mask our source addresses behind a different address, as well as being able to add things such as web filters or traffic shapers.
An important thing to take note of regarding firewall policies is that your policy will be looked at in a sequence, if you have a policy allowing all traffic and you are putting policies beneath it trying to deny certain traffic it will fail as the first policy has already allowed everything.
There's really so much that you can do with policies and typing each and every possibility could potentially take hours or even days! But have no fear, if you just understand the concept of adding one policy you will quickly be able to adapt and shape other policies into ways that fit your requirements. So let's go over how to add policies on a FortiGate firewall
Creating a Firewall policy
Log into your FortiGate device and navigate to the "Policy & Objects" tab and click on IPv4 Policy (We will cover creating IPv6 policies in a later article)
You will note that the main screen changes to the policy table. This is where all the policies you create are stored as well as where they are sequenced, just remember that the very first or "top" policy is always checked and then the policies below it are checked in the same order.
Let's create a new policy by clicking on the "Create New" button
Before we start creating the policy we first need to understand how the traffic is going to come into the firewall and how it will leave the firewall, in our example we are going to want to block ICMP or "Pings" from a specific host called LAN-PC1. This machine currently has full internet access and is the first policy in our policy table.
Whenever I need to create policies I generally draw up a small diagram similar to the one below to understand how the traffic will flow. In our topology traffic will come from LAN-PC1 into the firewall on Port2, if we are going to the Internet it will then leave over Port1. So I already know what the source and destination interfaces will be, I also know what the addresses of the LAN-PCs are as we have statically assigned them beforehand.
Now that we understand how the traffic will flow let's return to the creation of the firewall policy, after you have clicked on "Create new" you will be brought to the New Policy screen. It is from here where we will configure the traffic that will be inspected and what happens to that traffic.
It is best practice to name your policies, not only for your own sanity but for others who might also work on the firewall. A good name can give instant insight into what the policy is used for. So in our case we want to block ICMP traffic from PC1 so let's name this policy "Block ICMP Traffic from LAN-PC1"
We also already confirmed the source and destination interfaces so let us specify them as well. Select the dropdown of Incoming Interface and click on Port2 now on the Outgoing Interface click on the dropdown and select Port1.
Now we get to start defining source and destination addresses. Remember it is always better to clamp down on specific addresses instead of just opening up everything as this could also lead to a potential security breach. Click on the plus to add a source.
You will note that a new box has popped up where you can easily select entries. In our case, we would like to block ICMP from a specific source address which is the IP address of LAN-PC1. I have already created the address, however, I will show you how to do so yourself as well, you can click on the "+" symbol next to the search field which will open another box where we can quickly create a new address.
As when we started to create the policy we have to give the address object a name. I will call this "192.168.0.2 - LAN-PC1", now we only need to specify the address details. I will fill in 192.168.0.2/32 as this will only be for traffic from this host, if I made this 192.168.0.0/24 it would be for all machines in the subnet. Once done click on the OK button.
You will now notice that the address you just created has appeared in the address list. Please select it and confirm that the address is now in your "Source" field.
We will now specify the destination address. Let's block traffic to any destination. Again click on the "+" button for the destination where you will see the address list again. From the list find the "all" address and select it.
Now we need to specify a service, this will be the port and protocol of the traffic. Click on the "+" of the Service button and find "ALL_ICMP" and select it. It's worth noting that you can block custom services by creating them as objects as well.
The firewall now knows what traffic it is inspecting or specifically looking for when running the policy, however, we still need to set an Action. We know that we want to deny ICMP traffic if we left this on ACCEPT then ICMP would just keep working. Change this to DENY in order to stop ICMP traffic. You have now created a policy that will deny specific traffic, click on the OK button to complete the policy creation.
You will be brought back to the main policy table. As things currently stand the policy will not work because the very first policy would override the deny rule. Let's change that by simply dragging and dropping the "Block ICMP Traffic from LAN-PC1" above the "Allow Client PC1 Full Access"
We can now test from LAN-PC1 to see if ICMP is really being blocked by simply running a ping test to anything outside of the network.
Note that pings are not responding, even though www.google.com is resolving to an IP address. You will also see that browsing is still working, it is just ICMP that is being blocked.
That's a Wrap
You have how to add policies on a Fortigate, as well as what firewall policies are and how they function in the policy table. You have learned of all the policy elements such source and destination addresses and interfaces and how to create custom objects from within the policy. I hope this has been informative and that you have learned something new.