120 Fortinet Inc. | Firewall configuration: Configuring policy lists
Log Traffic
Select Log Traffic to write messages to the traffic log whenever the policy processes a connection. For more information about logging, see “Logging and reporting” on page 221.

Comments
Optionally add a description or other information about the policy. The comment can be up to 63 characters long, including spaces.
Configuring policy lists
The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match. You must arrange policies in the policy list from more specific to more general.

For example, the default policy is a very general policy because it matches all connection attempts. When you create exceptions to this policy, you must add them to the policy list above the default policy. No policy below the default policy will ever be matched.

This section describes:
• Policy matching in detail
• Changing the order of policies in a policy list
• Enabling and disabling policies
Policy matching in detail
When the FortiGate unit receives a connection attempt at an interface, it must select a policy list to search through for a policy that matches the connection attempt. The FortiGate unit chooses the policy list based on the source and destination addresses of the connection attempt.

The FortiGate unit then starts at the top of the selected policy list and searches down the list for the first policy that matches the connection attempt source and destination addresses, service port, and time and date at which the connection attempt was received. The first policy that matches is applied to the connection attempt. If no policy matches, the connection is dropped.

The default policy accepts all connection attempts from the internal network to the Internet. From the internal network, users can browse the web, use POP3 to get email, use FTP to download files through the firewall, and so on. If the default policy is at the top of the Int -> Ext policy list, the firewall allows all connections from the internal network to the Internet because all connections match the default policy. If more specific policies are added to the list below the default policy, they are never matched.
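The following is an added example, not FortiGate code and not from this manual. It simulates the matching rule described above (search from the top, first match wins, no match means drop) and adds the check an administrator wants before saving a policy list: a report of policies that can never be matched because an earlier, more general policy already covers every connection they describe. The Policy fields, the sample policies and the hour-of-day schedule are constructed simplifications of the real policy attributes (address, service port, time and date).

```python
"""Added example: first-match policy-list simulator plus a shadowed-policy check.
Not FortiGate code; policies, addresses and the hour-based schedule are constructed
for illustration."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    name: str
    src: str                      # source address or network, "0.0.0.0/0" = any
    dst: str                      # destination address or network
    ports: frozenset              # destination ports; empty set = any service
    action: str                   # "ACCEPT" or "DENY"
    hours: range = range(0, 24)   # hours of day the schedule is active (simplified)

    def matches(self, src_ip: str, dst_ip: str, port: int, when: datetime) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (not self.ports or port in self.ports)
                and when.hour in self.hours)


def first_match(policies: List[Policy], src_ip: str, dst_ip: str,
                port: int, when: datetime) -> Optional[Policy]:
    """Search from the top of the list; the first matching policy is applied."""
    for policy in policies:
        if policy.matches(src_ip, dst_ip, port, when):
            return policy
    return None  # no match: the connection is dropped


def decide(policies: List[Policy], src_ip: str, dst_ip: str,
           port: int, when: datetime) -> str:
    policy = first_match(policies, src_ip, dst_ip, port, when)
    return policy.action if policy else "DROP"


def shadowed(policies: List[Policy]) -> List[str]:
    """Names of policies that can never be matched: an earlier policy covers every
    source, destination, port and scheduled hour the later policy would match."""
    never_matched = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            covers_ports = bool(not earlier.ports
                                or (later.ports and later.ports <= earlier.ports))
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and covers_ports
                    and set(later.hours) <= set(earlier.hours)):
                never_matched.append(later.name)
                break
    return never_matched


# Constructed sample policies: a general default plus two internal-network exceptions.
DEFAULT = Policy("default", "0.0.0.0/0", "0.0.0.0/0", frozenset(), "ACCEPT")
BLOCK_FTP = Policy("block-ftp-internal", "192.168.1.0/24", "0.0.0.0/0",
                   frozenset({21}), "DENY")
NO_WEB_AFTER_HOURS = Policy("no-web-after-hours", "192.168.1.0/24", "0.0.0.0/0",
                            frozenset({80, 443}), "DENY", range(18, 24))

WRONG_ORDER = [DEFAULT, BLOCK_FTP, NO_WEB_AFTER_HOURS]  # exceptions below default
RIGHT_ORDER = [BLOCK_FTP, NO_WEB_AFTER_HOURS, DEFAULT]  # specific first, general last

NOON = datetime(2024, 1, 1, 12, 0)
EVENING = datetime(2024, 1, 1, 20, 0)

if __name__ == "__main__":
    for label, plist in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        print(label, "FTP at noon:", decide(plist, "192.168.1.10", "203.0.113.5", 21, NOON))
        print(label, "web at 20:00:", decide(plist, "192.168.1.10", "203.0.113.5", 80, EVENING))
        print(label, "shadowed:", shadowed(plist))
```

With the default policy on top, both exceptions are reported as shadowed and the FTP and after-hours web connections are accepted; with the exceptions moved above the default, the same connections are denied and nothing is shadowed. A connection matching no policy at all (here, one the default does not cover, such as a source outside every listed network when the default is narrowed) returns DROP.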