What are security policies and how do they operate on FortiGates?
A brief walk-through of firewall policies and how they function.
I thought it might be helpful to bridge the gap between "conceptual" and "practical" by describing security policies in more depth. Along the way, I'll elaborate on how they're implemented in FortiGate appliances. I'll try to keep this to medium-level depth 😄.
What are security policies?
First off, let's establish some basics. Security policies are instructions that help a firewall understand what to do with network traffic. These details are captured in sets of rules (policies) and are based (matched) on a variety of options/criteria (e.g. source, destination, incoming/outgoing interfaces, data type, schedule, etc).
Most of the time when we're discussing firewall rules, we're thinking in terms of end user traffic flows that are going through the firewall and trying to reach a singular remote destination. It's worth noting though, that there can be several different types of policies, each with their own unique benefits and use cases. For example, FortiGates have the following additional policy types:
- Multicast Policy - Restrictions on how multicast packets can flow from one interface to another.
- Local-In-Policy - Restrictions on traffic directed towards the firewall interface itself (things like administrative access).
- Denial of Service (DoS) Policy - Restrictions and rules that look for abnormal traffic patterns
Alas, I digress. Let's put these other policies types aside for a moment and focus on traditional network traffic for now...
Firewall policy workflow, post-action process, and performance considerations
The first thing the firewall attempts to do is find a policy match. Rules are evaluated in sequence (top down) and once there's a match, the given action for that rule takes place (deny or allow).
The "deny" action is pretty self-explanatory but the "allow" action is little more interesting. Just because something is "allowed", doesn't mean that it's blissfully ignored by the firewall after that. Depending on what's configured for that matching rule, modern firewalls have the ability to further scrutinize the traffic to see if it's really something that should continue on its journey. In the FortiGate mindset, examples of this could be things like:
- Applying Security Profiles (e.g. AntiVirus, Web Filtering, DLP Profiles, IPS, etc).
- Logging (helpful for auditing, threat hunting, etc).
Taking a deeper look at data (with things like security profiles) requires more firewall resources. FortiGate firewalls have different low-level techniques and approaches for examining data; some of which are more thorough and some of which yield faster performance.
There's more to say on this topic but I'll save that for another day. In the meantime, consider checking out the links below for some additional detail.
Mike Berggren
