Fortigate rules explanation.

Hi Experts,

I would like to see if you can explain to me the TABS on the Fortigate 40C.
Can you please tell me, in comparison to an ASA 5500, what each of them means?
Is the ROUTING TAB where I have to create a static route? Are the rules the same as on the ASA:
destination network to reach and next hop?

Is the POLICY TAB allowing the traffic or dropping it?
Is the FIREWALL TAB just for creating a statement to allow or deny?
I set up SSL VPN following the instructions and it worked, but I am kind of confused about where everything falls into place.

Please explain.

akhalighi Commented:
Yes, correct... but I think you meant "OBJECTS" not "RULES".

So to review:

You create "OBJECTS" first, usually a source, a destination and a service.
Please note that there are some pre-defined services (e.g. http), and some pre-defined sources and destinations (e.g. ANY).

Then you create Policies (Rules) using those OBJECTS.

As I said, it's similar to ASA; all firewalls have the same logic. But I don't get your point about this comment:

The rule is all traffic you initiate from the inside network to the outside will be permitted.

Usually NOTHING is allowed unless you allow it. Firewalls have a "deny all" rule that blocks
everything but the ALLOW policies.

I don't know a link about the FortiGate command line; I am pretty happy with the web-based interface and it's powerful. If you have that many FortiGates, it'd be better to get the FortiGate certificate.
Yes, the routing tab is the place where you define your static routes.

Rules are similar to ASA but not exactly the same. Are you using the web interface or the command prompt?

The Policy tab is where you "ALLOW" traffic by defining rules, meaning that anything that has no rule to allow it would be dropped.

The Firewall tab is the place where you create source/destination and service OBJECTS. Later you will use these objects to create traffic policies.

If I want to give you an example, let's say you want to allow your internal network ( to access a service that is running on port 4567 TCP on a destination host with a public IP.

You first need to create some objects using the firewall tab: create a source address (e.g. name it Office Network) and it's connected to the LAN interface of the firewall.

Then you create another address of and select WAN as its connected interface (since it's on the Internet, it should be on that interface; let's name it remote host).

Now you create a service object (still under the firewall tab), TCP 4567 (let's call it myservice).

Now it's time to define the rule for it. Under the policy tab, create a rule where it's from the LAN to the WAN zone; the source address will be "Office Network", the destination address will be "remote host" and the service will be "myservice".

You probably will need to enable NAT on the rule.

If you create proper objects and bind them to the proper interface, you will see those objects in the drop-down list when you create the policy.
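The same object-then-policy sequence written out as FortiOS CLI, as an added example that is not part of the original answer (the asker wanted the command-line form). The object names are the ones used above; the interface names "internal" and "wan1", the 192.168.10.0/24 office subnet, the 203.0.113.10 remote host and the 203.0.113.1 next hop are assumed placeholders, and lines starting with # are comments:

```text
# Added example, not from the original post. Interface names "internal"/"wan1",
# the 192.168.10.0/24 subnet, host 203.0.113.10 and gateway 203.0.113.1 are
# assumed placeholders; substitute your own values.

# Firewall tab -> address objects, each bound to the interface it sits behind
# (associated-interface is what makes the object appear in the policy drop-down)
config firewall address
    edit "Office Network"
        set subnet 192.168.10.0 255.255.255.0
        set associated-interface "internal"
    next
    edit "remote host"
        set subnet 203.0.113.10 255.255.255.255
        set associated-interface "wan1"
    next
end

# Firewall tab -> service object for TCP 4567
config firewall service custom
    edit "myservice"
        set tcp-portrange 4567
    next
end

# Policy tab -> the rule that ties the objects together; policies are matched
# top-down and a session that matches none of them hits the implicit deny
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Office Network"
        set dstaddr "remote host"
        set action accept
        set schedule "always"
        set service "myservice"
        set nat enable
        set logtraffic all
    next
end

# Routing tab -> static route: destination network plus next hop, as on the ASA
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
    next
end
```

Two points worth keeping in mind when reading this. The static route only tells the unit how to reach the destination; on its own it permits nothing, which is the difference from the ASA behaviour the asker is used to. And the policy is deliberately narrow (one source object, one destination object, one service): anything from the office network that is not TCP 4567 to that host falls through to the bottom of the policy list and is dropped, and with `logtraffic all` (FortiOS 5 syntax; older firmware uses `set logtraffic enable`) the matched sessions show up in the traffic log so you can confirm the rule is the one being hit.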
chenzovicc (Author) Commented:
Yes, I am using the web-based interface, and the company I am working for has like 12 high-end firewalls of this kind. They want me to get very familiar with them, and I was going through their policies and routing, which was confusing for me as I was trying to correlate it to the Cisco ASA configuration.
Do you have a link where I can learn the command line?


chenzovicc (Author) Commented:
So let me see if I understood: to access a certain service on the Internet you create 3 rules, which are the internal network, the WAN/Internet interface connecting to the Internet, and the rule name pointing to the port number; then you create a policy where you tie all these rules together. What about the ROUTING TAB? Where do you apply it? Can you give me an example, please? Or do you want me to create another question on the forum?

Are the traffic rules the same as on the ASA? The rule is: all traffic you initiate from the inside network to the outside will be permitted.

Please advise.
chenzovicc (Author) Commented:
The rule is all traffic you initiate from the inside network to the outside will be permitted.

On ASA firewalls any traffic, any protocol you start from inside the firewall to the Internet is permitted (TRUSTED TO UNTRUSTED). You have to create a static route in which you allow all traffic from inside to the service provider default gateway, and NATting, and you have all the access. That is what I mean.
akhalighi Commented:
...that's not the case in FortiGate by default.
The default "deny all" statement at the end of the policies blocks everything other than the allowed rules. But you can always change the approach by removing the deny-all statement. Do you have a "deny all" rule in your firewalls?