Security Features : Configuring a firewall policy
 
Configuring a firewall policy
A firewall policy allows or denies traffic to be forwarded to the system based on a matching tuple: source address, destination address, and service.
The FortiADC system evaluates firewall policies before other rules. It matches traffic against the firewall policy table, beginning with the first rule. If a rule matches, the specified action is taken. If the session is denied by a firewall policy rule, it is dropped. If the session is accepted, system processing continues.
By default, if firewall rules are not configured, the system does not perform firewall processing; all traffic is processed as if the system were a router, and traffic is forwarded according to routing and other system rules.
Before you begin:
You must have a good understanding and knowledge of firewalls.
You must have created the address configuration objects and service configuration objects that define the matching tuple in your firewall policy rules.
You must have Read-Write permission for Firewall settings.
To configure a firewall policy:
1. Go to Security > [Firewall Policy | Firewall IPv6 Policy].
2. Click Add to display the configuration editor.
3. Complete the configuration as described in Table 37.
4. Save the configuration.
5. Reorder rules, as necessary.
Table 37: Firewall policy configuration

Settings           Guidelines
-----------------  --------------------------------------------------------------
Default Action     Action taken when no rule matches or no rules are configured:
                   Deny—Drop the traffic.
                   Accept—Allow the traffic to pass the firewall.

Rule
Name               Unique name. No spaces or special characters. After you
                   initially save the configuration, you cannot edit the name.
Ingress Interface  Select the interface that receives traffic.
Egress Interface   Select the interface that forwards traffic.
Source             Select a source address object to use to form the matching tuple.
Destination        Select a destination address object to use to form the matching tuple.
Service            Select a service object to use to form the matching tuple.
Action             Deny—Drop the traffic.
                   Accept—Allow the traffic to pass the firewall.
Reordering
After you have saved a rule, reorder rules as necessary. The rules table is consulted from top to bottom. The first rule that matches is applied and subsequent rules are not evaluated.
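The first-match evaluation and the effect of rule order, as an added Python model that is not FortiADC code; the address objects, service objects, interface names and the two rules are constructed for illustration:

```python
import ipaddress
from dataclasses import dataclass
# Constructed address objects (name -> networks) and service objects
# (name -> (protocol, port)); the "any" objects match everything.
ADDRESSES = {
    "corp_lan": [ipaddress.ip_network("10.1.0.0/16")],
    "web_vip": [ipaddress.ip_network("192.0.2.10/32")],
    "any": [ipaddress.ip_network("0.0.0.0/0")],
}
SERVICES = {"HTTPS": ("tcp", 443), "SSH": ("tcp", 22), "ANY": ("any", 0)}

@dataclass
class Rule:
    name: str
    ingress: str      # interface that receives the traffic
    egress: str       # interface that forwards the traffic
    source: str       # address object forming the tuple
    destination: str  # address object forming the tuple
    service: str      # service object forming the tuple
    action: str       # "accept" or "deny"

def address_matches(obj_name, ip):
    return any(ipaddress.ip_address(ip) in net for net in ADDRESSES[obj_name])

def service_matches(obj_name, proto, port):
    obj_proto, obj_port = SERVICES[obj_name]
    return obj_proto == "any" or (obj_proto, obj_port) == (proto, port)

def rule_matches(rule, pkt):
    # pkt is a dict with keys: ingress, egress, src, dst, proto, port
    return (rule.ingress == pkt["ingress"] and rule.egress == pkt["egress"]
            and address_matches(rule.source, pkt["src"])
            and address_matches(rule.destination, pkt["dst"])
            and service_matches(rule.service, pkt["proto"], pkt["port"]))

def evaluate(rules, pkt, default_action="accept"):
    """First match wins: the table is read top to bottom and the first
    matching rule decides; later rules are not evaluated. If no rule
    matches (or none is configured) the policy's Default Action applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return default_action, None

# Constructed rules: the narrow deny rule only takes effect when it sits
# above the broader accept rule; placed below it, the accept rule shadows it.
DENY_SSH = Rule("deny_ssh", "port1", "port2", "any", "web_vip", "SSH", "deny")
ALLOW_LAN = Rule("allow_lan", "port1", "port2", "corp_lan", "web_vip", "ANY", "accept")
SSH_FROM_LAN = {"ingress": "port1", "egress": "port2", "src": "10.1.5.7",
                "dst": "192.0.2.10", "proto": "tcp", "port": 22}
```

Swapping the order of the two rules flips the verdict for the same packet, which is why the reordering step matters after rules are saved.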