Firewall Policy
How list order affects policy matching
FortiGate Version 4.0 Administration Guide
01-400-89802-20090424
319
•
Firewall Policy
Firewall policies control all traffic attempting to pass through the FortiGate unit, between
FortiGate interfaces, zones, and VLAN subinterfaces.
Firewall policies are instructions the FortiGate unit uses to decide connection acceptance
and packet processing for traffic attempting to pass through. When the firewall receives a
connection packet, it analyzes the packet’s source address, destination address, and
service (by port number), and attempts to locate a firewall policy matching the packet.
Firewall policies can contain many instructions for the FortiGate unit to follow when it
receives matching packets. Some instructions are required, such as whether to drop or
accept and process the packets, while other instructions, such as logging and
authentication, are optional.
Policy instructions may include network address translation (NAT), or port address
translation (PAT), by using virtual IPs or IP pools to translate source and destination IP
addresses and port numbers. For details on using virtual IPs and IP pools, see
.
Policy instructions may also include protection profiles, which can specify application-layer
inspection and other protocol-specific protection and logging. For details on using
protection profiles, see
“Firewall Protection Profile” on page 397
.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall policies are
configured separately for each virtual domain, and you must first enter the virtual domain
to configure its firewall policies. For details, see
“Using virtual domains” on page 103
.
This section describes:
•
How list order affects policy matching
•
•
Viewing the firewall policy list
•
•
How list order affects policy matching
Each time a FortiGate unit receives a connection attempting to pass through one of its
interfaces, the unit searches its firewall policy list for a matching firewall policy.
The search begins at the top of the policy list and progresses in order towards the bottom.
The FortiGate unit evaluates each policy in the firewall policy list for a match until a match
is found. When the FortiGate unit finds the first matching policy, it applies the matching
policy’s specified actions to the packet, and disregards subsequent firewall policies.
Matching firewall policies are determined by comparing the firewall policy and the
packet’s:
•
source and destination interfaces
•
source and destination firewall addresses
•
services
•
time/schedule.
Summary of Contents for Gate 60D
Page 705: ...www fortinet com...
Page 706: ...www fortinet com...