Fortigate rules explanation.

Hi Experts,

I would like to see if you can explain to me the TABS on the FortiGate 40C.
Can you please tell me, in comparison to an ASA 5500, what they mean?
Is the ROUTING TAB where I have to create a static route? Are the rules the same as on the ASA:
destination network to reach and next hop?

Is the POLICY TAB allowing the traffic or dropping it?
Is the FIREWALL TAB just creating a statement to allow or deny?
I set up SSL VPN following the instructions and it worked, but I am kind of confused about where everything falls into place.

Please explain.


Yes, the routing tab is the place where you define your static routes.

The rules are similar to ASA but not exactly the same. Are you using the web interface or the command prompt?

The Policy tab is where you "ALLOW" traffic by defining rules, meaning that anything that has no rule to allow it would be dropped.

The Firewall tab is the place where you create source/destination and service OBJECTS. Later you will use these objects to create traffic policies.

If I want to give you an example, let's say you want to allow your internal network ( to access a service that is running on port 4567 TCP on a destination host with public IP

You first need to create some objects using the Firewall tab: create a source address (e.g. name it "Office Network") and it's connected to the LAN interface of the firewall.

Then you create another address of and select WAN as its connected interface (since it's on the Internet, it should be on that interface; let's name it "remote host").

Now you create a service object (still under the Firewall tab), TCP 4567 (let's call it "myservice").

Now it's time to define the rule for it. Under the Policy tab, create a rule where it's from the LAN to the WAN zone; the source address will be "Office Network", the destination address will be "remote host" and the service will be "myservice".

You probably will need to enable NAT on the rule.

If you create proper objects and you bind them to the proper interface, you will see those objects in the drop-down list when you create the policy.
chenzovicc (Author) Commented:
Yes, I am using the web base, and the company I am working for has something like 12 high-end firewalls of this kind. They want me to get very familiar with them, and I was going through their policies and routing, which was confusing for me as I was trying to correlate it to the Cisco ASA configuration.
Do you have a link where I can learn the command base?

chenzovicc (Author) Commented:
So let me see if I understood: to access a certain service on the Internet you create 3 rules, which are the internal network, the WAN/Internet interface connecting to the Internet, and the rule name pointing to the port number; then you create a policy where you tie all these rules together. What about the ROUTING TAB? Where do you apply it? Can you give me an example, please, or do you want me to create another question on the forum?

Are the traffic rules the same as on the ASA? The rule is that all traffic you initiate from the inside network to the outside will be permitted.

Please advise.

Yes, correct, but I think you meant "OBJECTS", not "RULES".

So, to review:

You create "OBJECTS" first, usually a source, a destination and a service.
Please note that there are some pre-defined services (e.g. HTTP), and some pre-defined sources and destinations (e.g. ANY).

Then you create Policies (Rules) using those OBJECTS.

As I said, it's similar to ASA; all firewalls have the same logic. But I don't get your point about this comment:

The rule is all traffic you initiate from the inside network to the outside will be permitted.

Usually NOTHING is allowed unless you allow it. Firewalls have a "deny all" rule that blocks
everything but the ALLOW policies.

I don't know a link about the FortiGate command line; I am pretty happy with the web-based interface and it's powerful. If you have that many FortiGates, it'd be better to get the FortiGate certificate.
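The object-then-policy sequence described in the two answers above (address objects bound to an interface, a custom service, an accept policy with NAT, and the static route the Routing tab holds), written out in FortiOS CLI syntax. This is an added example for readers who asked about the command base; it is not from the original thread or from Fortinet documentation. The interface names "internal" and "wan1", the subnet 192.168.1.0/24, the remote host 203.0.113.10 and the gateway 203.0.113.1 are constructed placeholders; the `set logtraffic all` form assumes FortiOS 5.x-style syntax.

```fortios
# --- OBJECTS (Firewall tab) ---

# Source address object, bound to the LAN-side interface.
# Subnet and interface name are constructed placeholders.
config firewall address
    edit "Office Network"
        set subnet 192.168.1.0 255.255.255.0
        set associated-interface "internal"
    next
end

# Destination address object: a single public host, bound to the WAN interface.
config firewall address
    edit "remote host"
        set subnet 203.0.113.10 255.255.255.255
        set associated-interface "wan1"
    next
end

# Custom service object for TCP port 4567.
config firewall service custom
    edit "myservice"
        set tcp-portrange 4567
    next
end

# --- POLICY (Policy tab) ---

# Accept policy from LAN to WAN using the objects above.
# NAT is enabled so the private source is translated to the outgoing interface address.
# Logging is enabled so the policy's hits show up in the traffic log.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Office Network"
        set dstaddr "remote host"
        set action accept
        set schedule "always"
        set service "myservice"
        set nat enable
        set logtraffic all
    next
end

# Anything not matched by an accept policy is dropped by the implicit deny
# at the bottom of the policy list, so no further "allow" is needed for the
# traffic above and no other LAN-to-WAN traffic gets through.

# --- ROUTING (Routing tab) ---

# Default static route: destination 0.0.0.0/0 via the ISP gateway on wan1.
# Without this the policy can match but the unit has nowhere to send the packet.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
    next
end
```

The order matters for how the GUI behaves: because the two address objects are tied to "internal" and "wan1", only "Office Network" is offered as a source and only "remote host" as a destination when the policy's incoming and outgoing interfaces are set, which is the drop-down behaviour the first answer mentions. The static route is what separates the FortiGate's "policy" question (is this flow allowed?) from its "routing" question (which interface and next hop?), the same two questions the ASA answers with access lists and `route outside`.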

chenzovicc (Author) Commented:
The rule is all traffic you initiate from the inside network to the outside will be permitted.

On ASA firewalls, any traffic, any protocol you start from inside the firewall to the Internet is permitted (TRUSTED TO UNTRUSTED). You have to create a static route in which you allow all traffic from inside to the service provider's default gateway, plus NATting, and you have all the access. That is what I mean.
..that's not the case in FortiGate by default.
The default "deny all" statement at the end of the policies blocks everything other than the allowed rules. But you can always change the approach by removing the deny-all statement. Do you have a "deny all" rule in your firewalls?