Fortinet black logo

Handbook

Viewing firewall policies

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:172114
Download PDF

Viewing firewall policies

To find a Policy window, follow one of these path in the GUI:

  • Policy & Objects> IPv4 Policy
  • Policy & Objects> IPv6 Policy
  • Policy & Objects> NAT64 Policy
  • Policy & Objects> NAT46 Policy
  • Policy & Objects> Proxy Policy
  • Policy & Objects> Multicast Policy

You may notice other policy options on the left window pane such as:

  • Policy & Objects> IPv4 DoS Policy
  • Policy & Objects> IPv6 DoS Policy
  • Policy & Objects> Local InPolicy

These are different enough that they have their own descriptions in the sections that relate to them.

Menu items

There are some variations, but there are some common elements share by all of them. There is a menu bar across the top. The menu bar will have the following items going from left to right:

  • Create New button
  • Edit button
  • Delete button
  • Search field
  • Interface Pair View- Displays the policies in the order that they are checked for matching traffic, grouped by the pairs of Incoming and Outgoing interfaces. For instance, all of the policies referencing traffic from WAN1 to DMZ will be in one section. The policies referencing traffic from DMZ to WAN1 will be in another section. The sections are collapsible so that you only need to look at the sections with policies you are interested in.
  • By Sequence- Displays the policies in the order that they are checked for matching traffic without any grouping.

Menu items not shared by all policies

  • Policy Lookup - (IPv4, IPv6 )
  • NAT64 Forwarding - (NAT64)

The Table of Policies

Columns

The tables that make up the Policy window are based on rows which represent individual policies and the columns that represent the various parameters or status within the policy. The columns are customizable by which columns are included and what order they are in.

The table can be laid out a number ways to suit the viewer. There is a column for most of the important pieces of information that you might be interested in seeing, but a lot of them are hidden by default. If you had a large enough screen, you might be able to show all of the columns, but even then it might look a bit busy and crammed together. Figure out which pieces of information are most important to you and hide the rest.

To configure which columns are visible and which are hidden, right click on the header row of the table. This will present a drop down menu. The drop down will be divided into sections. At the top will be the Selected Columns which are currently visible, and the next section will be Available Columns which show which columns are available to add to the table.

To move a column from the Available list to the Selected list just click on it. To move a column from the Selected list to the Available list, it also just takes a click of the mouse. To make the changes show up on the table, go to the bottom of the drop down menu and select Apply. Any additions to the table will show up on the right side.

One of the more useful ones that can be added is the ID column. The reason for adding this one is that within the configuration file and CLI, the policies are referenced by their ID number. Some policy settings are only available for configuration in the CLI. If you are looking in the CLI you will see that the only designation for a policy is its number and if you wish to edit the policy or change its order in the sequence you will be asked to move it before or after another policy by referencing its number.

How “Any” policy can remove the Interface Pair View

The FortiGate unit will automatically change the view on the policy list page to By Sequence whenever there is a policy containing “any” as the Source or Destination interface. If the Interface Pair View is grayed out it is likely that one or more of the policies has used the “any” interface.

By using the “any” interface, the policy should go into multiple sections because it could effectively be any of a number of interface pairings. As mentioned, policies are sectioned by using the interface pairings (for example, port1 -> port2) and each section has its own specific policy order. The order in which a policy is checked for matching criteria to a packet’s information is based solely on the position of the policy within its section or within the entire list of policies as a whole but if the policy is in multiple sections at the same time there is no mechanism for placing the policy in a proper order within all of those sections at the same time because it is a manual process and there is no parameter to compare the precedence of one section or policy over the other. Thus a conflict is created. In order to resolve the conflict the FortiGate firewall removes that aspect of the sections so that there is no need to compare and find precedence between the sections and it therefore has only the Global View to work with.

Viewing firewall policies

To find a Policy window, follow one of these path in the GUI:

  • Policy & Objects> IPv4 Policy
  • Policy & Objects> IPv6 Policy
  • Policy & Objects> NAT64 Policy
  • Policy & Objects> NAT46 Policy
  • Policy & Objects> Proxy Policy
  • Policy & Objects> Multicast Policy

You may notice other policy options on the left window pane such as:

  • Policy & Objects> IPv4 DoS Policy
  • Policy & Objects> IPv6 DoS Policy
  • Policy & Objects> Local InPolicy

These are different enough that they have their own descriptions in the sections that relate to them.

Menu items

There are some variations, but there are some common elements share by all of them. There is a menu bar across the top. The menu bar will have the following items going from left to right:

  • Create New button
  • Edit button
  • Delete button
  • Search field
  • Interface Pair View- Displays the policies in the order that they are checked for matching traffic, grouped by the pairs of Incoming and Outgoing interfaces. For instance, all of the policies referencing traffic from WAN1 to DMZ will be in one section. The policies referencing traffic from DMZ to WAN1 will be in another section. The sections are collapsible so that you only need to look at the sections with policies you are interested in.
  • By Sequence- Displays the policies in the order that they are checked for matching traffic without any grouping.

Menu items not shared by all policies

  • Policy Lookup - (IPv4, IPv6 )
  • NAT64 Forwarding - (NAT64)

The Table of Policies

Columns

The tables that make up the Policy window are based on rows which represent individual policies and the columns that represent the various parameters or status within the policy. The columns are customizable by which columns are included and what order they are in.

The table can be laid out a number ways to suit the viewer. There is a column for most of the important pieces of information that you might be interested in seeing, but a lot of them are hidden by default. If you had a large enough screen, you might be able to show all of the columns, but even then it might look a bit busy and crammed together. Figure out which pieces of information are most important to you and hide the rest.

To configure which columns are visible and which are hidden, right click on the header row of the table. This will present a drop down menu. The drop down will be divided into sections. At the top will be the Selected Columns which are currently visible, and the next section will be Available Columns which show which columns are available to add to the table.

To move a column from the Available list to the Selected list just click on it. To move a column from the Selected list to the Available list, it also just takes a click of the mouse. To make the changes show up on the table, go to the bottom of the drop down menu and select Apply. Any additions to the table will show up on the right side.

One of the more useful ones that can be added is the ID column. The reason for adding this one is that within the configuration file and CLI, the policies are referenced by their ID number. Some policy settings are only available for configuration in the CLI. If you are looking in the CLI you will see that the only designation for a policy is its number and if you wish to edit the policy or change its order in the sequence you will be asked to move it before or after another policy by referencing its number.

How “Any” policy can remove the Interface Pair View

The FortiGate unit will automatically change the view on the policy list page to By Sequence whenever there is a policy containing “any” as the Source or Destination interface. If the Interface Pair View is grayed out it is likely that one or more of the policies has used the “any” interface.

By using the “any” interface, the policy should go into multiple sections because it could effectively be any of a number of interface pairings. As mentioned, policies are sectioned by using the interface pairings (for example, port1 -> port2) and each section has its own specific policy order. The order in which a policy is checked for matching criteria to a packet’s information is based solely on the position of the policy within its section or within the entire list of policies as a whole but if the policy is in multiple sections at the same time there is no mechanism for placing the policy in a proper order within all of those sections at the same time because it is a manual process and there is no parameter to compare the precedence of one section or policy over the other. Thus a conflict is created. In order to resolve the conflict the FortiGate firewall removes that aspect of the sections so that there is no need to compare and find precedence between the sections and it therefore has only the Global View to work with.