A firewall policy is a filter that allows or denies traffic based on a matching tuple: source address, destination address, and service. By default, firewall policy rules are stateful: if client-to-server traffic is allowed, the session is maintained in a state table, and the response traffic is allowed.
The FortiADC system evaluates firewall policies before other rules. It matches traffic against the firewall policy table, beginning with the first rule. If a rule matches, the specified action is taken. If the session is denied by a firewall policy rule, it is dropped. If the session is accepted, system processing continues.
By default, if firewall rules are not configured, the system does not perform firewall processing; all traffic is processed as if the system were a router, and traffic is forwarded according to routing and other system rules.
Note: You do not need to create firewall rules for routine management traffic associated with the management port or HA ports. The interface “allow access” option enables permitted protocols. The system automatically permits from-self traffic, such as health check traffic, and expected responses.
Before you begin:
Settings | Guidelines |
---|---|
Default Action |
Action when no rule matches or no rules are configured:
|
Rule |
|
Name |
Configuration name. Valid characters are After you initially save the configuration, you cannot edit the name. |
Ingress Interface |
Select the interface that receives traffic. |
Egress Interface |
Select the interface that forwards traffic. |
Source |
Select a source address object to use to form the matching tuple. |
Destination |
Select a destination address object to use to form the matching tuple. |
Service |
Select a service object to use to form the matching tuple. |
Action |
|
Reordering |
|
|
After you have saved a rule, reorder rules as necessary. The rules table is consulted from top to bottom. The first rule that matches is applied and subsequent rules are not evaluated. |