Fortinet FortiGate Policy Implementation Guide
Fortinet FortiGate policies define how traffic flows through the firewall, controlling access between different network segments based on security rules. Each policy consists of essential parameters such as source, destination, service, action (allow or deny), and security profiles (IPS, antivirus, web filtering, etc.). Policies are processed in top-down order, meaning the first matching rule is applied.
When implementing policies, it’s crucial to follow best practices such as using the least privilege principle, enabling logging for auditing, and structuring rules efficiently to optimize performance. Advanced features like application control, traffic shaping, and identity-based policies further enhance security and network management.
Rule 1: Test Policies Before Deploying
Before deploying firewall policies on a FortiGate firewall, always test them first to avoid misconfigurations that could disrupt network access or introduce security vulnerabilities. A small mistake—such as an overly permissive rule or an incorrect deny policy—can allow unauthorized access or block critical services. Testing helps ensure that firewall policies are effective, optimized, and do not cause unintended outages.
Why Is Testing Firewall Policies Important?
- Prevents Business Disruptions – A misconfigured rule can block legitimate traffic, causing downtime for applications, VPNs, or remote users.
- Ensures Security Compliance – Testing ensures that only authorized traffic is allowed, preventing unauthorized access.
- Avoids Overly Permissive Rules – If a rule is too broad, it may allow malware, unauthorized connections, or lateral movement within the network.
- Reduces Troubleshooting Time – Proactively testing policies minimizes time spent diagnosing connectivity issues after deployment.
How to Test FortiGate Firewall Policies: Use Policy Lookup
Before deploying a new rule, check if an existing policy will already allow or block the traffic.
In this case I checked which policy will be applied to destination port 443 traffic from the server with IP 192.168.20.116 to destination 8.8.8.8. If the wrong policy is being matched, adjust your rule order.
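The top-down, first-match evaluation that Policy Lookup reports can be reproduced offline to reason about rule order before touching the firewall. The following is an added example written for this guide; it is not Fortinet code and not the Policy Lookup feature itself. The policy table is constructed: policy 1 ("to Internet", internal to wan1, all/all/ALL, accept) mirrors the policy shown later in this guide, while policies 10 and 2 are invented to show how a specific rule placed above or below a broad one changes the outcome for the 192.168.20.116 to 8.8.8.8:443 lookup described above.

```python
"""Top-down, first-match policy lookup simulator (added example, not Fortinet code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Policy:
    policyid: int
    name: str
    srcintf: str
    dstintf: str
    srcaddr: list          # CIDR strings, or ["all"]
    dstaddr: list          # CIDR strings, or ["all"]
    service: list          # (protocol, destination port) tuples, or ["ALL"]
    action: str            # "accept" or "deny"
    status: str = "enable"
    logtraffic: str = "disable"


def addr_match(addrs: list, ip: str) -> bool:
    """'all' matches everything; otherwise the IP must fall inside one of the networks."""
    if "all" in addrs:
        return True
    return any(ip_address(ip) in ip_network(net, strict=False) for net in addrs)


def service_match(services: list, proto: str, port: int) -> bool:
    """'ALL' matches everything; otherwise protocol and destination port must be listed."""
    return "ALL" in services or (proto, port) in services


def lookup(policies, srcintf, src_ip, dstintf, dst_ip, proto, dst_port) -> Optional[Policy]:
    """Return the first enabled policy whose interfaces, addresses and service all match.

    None models the implicit deny at the bottom of the policy list.
    """
    for p in policies:
        if p.status != "enable":
            continue
        if p.srcintf not in ("any", srcintf) or p.dstintf not in ("any", dstintf):
            continue
        if not addr_match(p.srcaddr, src_ip) or not addr_match(p.dstaddr, dst_ip):
            continue
        if not service_match(p.service, proto, dst_port):
            continue
        return p
    return None


def decision(policies, srcintf, src_ip, dstintf, dst_ip, proto, dst_port):
    """(action, policyid) for a flow, or ("deny", None) when nothing matches."""
    p = lookup(policies, srcintf, src_ip, dstintf, dst_ip, proto, dst_port)
    return (p.action, p.policyid) if p else ("deny", None)


# Constructed policy table. Policy 1 mirrors the 'to Internet' policy shown in
# this guide; policies 10 and 2 are invented for the ordering demonstration.
POLICIES = [
    Policy(10, "deny-guest-dns", "internal", "wan1", ["192.168.30.0/24"], ["all"],
           [("udp", 53), ("tcp", 53)], "deny", logtraffic="all"),
    Policy(2, "servers-web-out", "internal", "wan1", ["192.168.20.0/24"], ["all"],
           [("tcp", 443), ("tcp", 80)], "accept", logtraffic="all"),
    Policy(1, "to Internet", "internal", "wan1", ["all"], ["all"], ["ALL"], "accept"),
]

# Same policies with the broad catch-all moved to the top: the specific deny is shadowed.
BROAD_RULE_FIRST = list(reversed(POLICIES))

if __name__ == "__main__":
    flows = [
        ("internal", "192.168.20.116", "wan1", "8.8.8.8", "tcp", 443),  # the lookup from the post
        ("internal", "192.168.30.5", "wan1", "8.8.8.8", "udp", 53),     # guest DNS, should be denied
        ("internal", "192.168.30.5", "wan1", "8.8.8.8", "tcp", 22),     # falls through to the catch-all
        ("dmz", "10.0.0.5", "wan1", "8.8.8.8", "tcp", 443),             # no policy: implicit deny
    ]
    for flow in flows:
        print(flow, "->", decision(POLICIES, *flow), "| broad rule first ->", decision(BROAD_RULE_FIRST, *flow))
```

Running the module prints the matched policy for each constructed flow under both orderings; the guest DNS flow is denied by policy 10 only while that policy sits above the catch-all, which is exactly the "adjust your rule order" case.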
Rule 2: Be Careful when Deleting, Disabling or Editing Policies
Modifying firewall policies without proper analysis can lead to unintended security gaps or service disruptions. Deleting or disabling a policy may accidentally allow unauthorized traffic or block critical services, affecting users and applications. Always review policy dependencies, logs, and traffic flows before making changes. Instead of immediately removing a rule, consider disabling it first and monitoring logs to ensure it is no longer needed. If editing a policy, verify that changes do not weaken security or disrupt legitimate traffic. Always take a backup of the configuration before making adjustments to allow a quick rollback if issues arise.
Best Practices before Deleting, Disabling or Editing Policies
- Disable policies before deleting them to observe the impact.
- Avoid modifying rules during peak hours.
- Back up configurations before making changes.
Example of how to create a backup on a TFTP server (the FortiOS syntax takes the file name first, then the server address):
execute backup full-config tftp <FILENAME> <TFTP_SERVER_IP>
Rule 3: Create Firewall Policies That Match as Specifically as Possible
When implementing FortiGate firewall policies, it is essential to create rules that are as specific as possible to ensure security and efficiency. Instead of using broad rules that allow unnecessary traffic, define policies with precise source and destination addresses, specific services, and well-defined user or device groups.
Best practices for accurate policy matching include:
- Minimizing the use of “Any”: Avoid using “any” for source, destination, or service unless absolutely necessary.
- Using Application Control and Security Profiles: Enhance policy enforcement by inspecting traffic beyond basic port-based rules.
- Organizing Rules Effectively: Place more specific policies above general ones to ensure the correct rule is applied first.
- Enabling Logging and Monitoring: Regularly review logs and reports to refine policies and eliminate unused or overly permissive rules.
Avoid using ANY in source, destination, or services unless necessary. Be as specific as possible when defining IPs, ports, and protocols. Use object groups for better rule management. Check my other post about Policy Best Practice to see more details about this topic.
Rule 4: Restrict Source, Destination, Services
Define explicit allow and deny rules based on business needs.
To enhance security and reduce unnecessary traffic, FortiGate firewall policies should define specific source, destination, and service parameters rather than relying on broad, generic rules. Restricting these elements ensures that only the required traffic is allowed while minimizing the risk of unauthorized access.
Best Practices for Restricting Policy Scope
- Define Specific Source and Destination: Instead of using “Any,” specify IP addresses, subnets, or user groups to limit access to only authorized entities.
- Restrict Services: Allow only the necessary services or protocols instead of permitting all traffic (e.g., limit access to SSH, HTTPS, or a specific application).
- Use Address Groups and Service Groups: Organizing related addresses and services into groups simplifies policy management and improves clarity.
- Apply Role-Based Access Control (RBAC): Use identity-based policies to enforce access restrictions based on user roles or device types.
By carefully defining these parameters, firewall policies become more effective in protecting the network while ensuring optimal performance. In addition:
- Implement Implicit Deny at the bottom of the rule list.
- Restrict administrative access to trusted networks.
- Block unused ports and services.
Rule 5: Firewall Security Profiles
Security profiles add extra protection against threats.
FortiGate Security Profiles provide an additional layer of protection by inspecting and filtering traffic beyond basic firewall rules. These profiles enhance security by detecting and blocking threats, filtering unwanted content, and ensuring compliance with network policies. Some of these features require licenses and are not free – such as web filtering.
Key FortiGate Security Profiles:
- Antivirus – Scans incoming and outgoing traffic for malware, viruses, and malicious files. It helps prevent infections before they reach end devices.
- Web Filtering – Controls access to websites based on categories, URLs, or content types. It is useful for restricting access to harmful or inappropriate sites.
- DNS Filtering – Blocks access to malicious domains, preventing users from reaching phishing, botnet, or malware-hosting sites.
- Application Control – Identifies and regulates application traffic, allowing or blocking specific applications (e.g., social media, streaming, or gaming apps) to enforce security policies.
- Intrusion Prevention System (IPS) – Detects and blocks known vulnerabilities, exploits, and attacks by inspecting traffic patterns and signatures.
- SSL/SSH Inspection – Decrypts encrypted traffic (HTTPS, SSL, and SSH) to inspect it for threats while maintaining compliance and security.
- Data Loss Prevention (DLP) – Monitors and prevents the unauthorized transmission of sensitive data, protecting against data breaches.
- Email Filtering – Protects against spam, phishing, and malicious email attachments by analyzing incoming email traffic.

Recommended Security Profiles:
- Antivirus: Scans for malware in traffic.
- Web Filtering: Blocks access to harmful sites.
- Application Control: Restricts risky applications.
- IPS (Intrusion Prevention System): Detects and blocks exploits.
There will be a new article about these security profile topics.
Rule 6: FortiGate Policy Settings Not Displayed in the GUI
FortiGate’s web interface does not always display all available configuration options by default. Some advanced settings are hidden to simplify the user experience or require CLI activation. If a specific option is missing in the GUI, it may be necessary to enable it manually using the command-line interface (CLI).
Step 1: Access the CLI via PuTTY
- Connect via SSH or use the built-in CLI Console in the FortiGate web interface.
- If you are not sure which port is in use, check it in the following way.
Step 2: Enter Configuration Mode
- Depending on the feature you want to check, navigate to the appropriate configuration section. For example, if a policy setting is missing, use:
fgt-remote1 # config firewall policy
fgt-remote1 (policy) # edit 1
fgt-remote1 (1) # get
policyid : 1
name : to Internet
uuid : cb7b3bac-e88c-51eb-5592-ccd91bab3ac8
srcintf : "internal"
dstintf : "wan1"
srcaddr : "all"
dstaddr : "all"
internet-service : disable
internet-service-src: disable
rtp-nat : disable
learning-mode : disable
action : accept
status : enable
schedule : always
schedule-timeout : disable
service : "ALL"
dscp-match : disable
utm-status : enable
logtraffic : disable
logtraffic-start : disable
auto-asic-offload : enable
permit-any-host : disable
permit-stun-host : disable
fixedport : disable
ippool : disable
session-ttl : 0
vlan-cos-fwd : 255
vlan-cos-rev : 255
wccp : disable
fsso : disable
groups :
users :
devices :
disclaimer : disable
natip : 0.0.0.0 0.0.0.0
diffserv-forward : disable
diffserv-reverse : disable
tcp-mss-sender : 0
tcp-mss-receiver : 0
comments :
block-notification : disable
custom-log-fields :
replacemsg-override-group:
srcaddr-negate : disable
dstaddr-negate : disable
service-negate : disable
timeout-send-rst : disable
captive-portal-exempt: disable
ssl-mirror : disable
ssl-mirror-intf :
scan-botnet-connections: disable
dsri : disable
radius-mac-auth-bypass: disable
delay-tcp-npu-session: disable
vlan-filter :
profile-type : single
av-profile : default
webfilter-profile :
dnsfilter-profile :
ips-sensor : high_security
application-list : block-high-risk
voip-profile :
profile-protocol-options: default
ssl-ssh-profile : certificate-inspection
traffic-shaper :
traffic-shaper-reverse:
per-ip-shaper :
nat : enable
match-vip : disable
fgt-remote1 (1) #
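The full "get" listing above is also the most convenient input for checking a policy against Rules 3 and 4 (no "all" source or destination, no "ALL" service, logging enabled). The following is an added example written for this guide, not Fortinet code: it parses the "key : value" lines of the CLI output into a dictionary and reports the settings that violate those rules. The sample text is a trimmed copy of the output shown above, with the prompt lines kept so the parser has to skip them; the severity labels and messages are the example's own choice.

```python
"""Parse FortiGate 'get' output for a firewall policy and audit it (added example)."""
import shlex

# Constructed sample: a trimmed copy of the 'get' output shown in this guide,
# including the prompt lines that surround it.
SAMPLE_GET_OUTPUT = """\
fgt-remote1 (1) # get
policyid : 1
name : to Internet
uuid : cb7b3bac-e88c-51eb-5592-ccd91bab3ac8
srcintf : "internal"
dstintf : "wan1"
srcaddr : "all"
dstaddr : "all"
action : accept
status : enable
schedule : always
service : "ALL"
utm-status : enable
logtraffic : disable
logtraffic-start : disable
groups :
users :
comments :
av-profile : default
webfilter-profile :
ips-sensor : high_security
application-list : block-high-risk
ssl-ssh-profile : certificate-inspection
nat : enable
fgt-remote1 (1) #
"""


def parse_get(text: str) -> dict:
    """Turn 'key : value' lines into {key: [tokens]}; an empty value becomes []."""
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        # Prompt and command-echo lines ('fgt-remote1 (1) # get') are not settings.
        if not line or " # " in line or line.endswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        # shlex strips the quotes FortiOS puts around object names and keeps
        # multi-value fields ('"net1" "net2"') as separate tokens.
        policy[key.strip()] = shlex.split(value)
    return policy


def scalar(policy: dict, key: str) -> str:
    """Join a field back into one string (e.g. the policy name 'to Internet')."""
    return " ".join(policy.get(key, []))


def audit(policy: dict) -> list:
    """Findings (severity, field, message) following Rules 3 and 4 of this guide."""
    findings = []
    if policy.get("status") != ["enable"]:
        return findings  # a disabled policy passes no traffic
    accept = policy.get("action") == ["accept"]
    if accept and "all" in policy.get("srcaddr", []):
        findings.append(("high", "srcaddr",
                         "source address is 'all'; restrict to the subnets or groups that need access"))
    if accept and "all" in policy.get("dstaddr", []):
        findings.append(("medium", "dstaddr",
                         "destination address is 'all'; narrow it where the destinations are known"))
    if accept and "ALL" in policy.get("service", []):
        findings.append(("high", "service",
                         "service is 'ALL'; allow only the required services"))
    if policy.get("logtraffic") == ["disable"]:
        findings.append(("medium", "logtraffic",
                         "traffic logging is disabled; enable it for auditing"))
    if accept and policy.get("utm-status") != ["enable"]:
        findings.append(("medium", "utm-status",
                         "no security profiles are applied to an accept policy"))
    return findings


if __name__ == "__main__":
    parsed = parse_get(SAMPLE_GET_OUTPUT)
    print(f"policy {scalar(parsed, 'policyid')} '{scalar(parsed, 'name')}'")
    for severity, field, message in audit(parsed):
        print(f"  [{severity}] {field}: {message}")
```

Run against the sample, the audit reports four findings for the "to Internet" policy: source and destination "all", service "ALL", and traffic logging disabled. The same parser accepts a multi-policy dump if the output is split at each "edit <id>" boundary first.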