Next Generation Firewall (NGFW)

Fortigate as Policy-based mode (confusing or misunderstanding?)

Posted Jun 25, 2020 06:31 AM
Hi everyone,

Is anyone using NGFW policy-based mode? I am testing it in a lab environment (FG500e HA AA, 6.4.1) before going to production, but my first impression is that working with the policies is a little bit confusing. For example, the firewall policy is now under SSL Inspection & Authentication (weird?) and I also have to configure a security policy, because they work together. Do I have to create every new policy in both?

I really like the idea of the security policy (NGFW), but my confusion is about working with SSL Inspection & Authentication vs. the security policy. On one side it helps me, since I can apply app controls directly in the policy, but now do I have to configure every new policy in two places? In my mind it brings complexity to the method, not simplicity. If I have lots of policies in a complex setup, it may bring more variables than profile-based mode.

Additionally, for me the firewall policy was replaced by SSL Inspection & Authentication (I found the name quite confusing as well). In the CLI, for example, config policy policy = SSL Inspection & Authentication. If I configure just one policy in SSL Inspection & Authentication allowing everything for users, I can centralize all my policies in the security policy, but I think that is not the smartest solution, because some traffic will be processed by IPS and other resources even when not necessary. Another situation is that there is no policy lookup in the security policy, only in SSL Inspection & Authentication.

I am insisting on the matter because I may be wrong in my understanding.

Thanks!
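The two-tier layout the post describes, written out as an added FortiOS-style CLI illustration (not from the original post or from Fortinet documentation; interface, address, user-group and policy names are assumed placeholders):

```text
# Tier 1: "SSL Inspection & Authentication" (config firewall policy in policy-based NGFW mode).
# Decides which flows are matched, which users are authenticated and which SSL/SSH
# inspection profile applies; this is also the tier that policy lookup works against.
config firewall policy
    edit 1
        set name "lan-to-wan-inspect"
        set srcintf "port1"          # assumed LAN interface
        set dstintf "port2"          # assumed WAN interface
        set srcaddr "LAN_NET"        # assumed address object
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action accept
        set ssl-ssh-profile "certificate-inspection"   # built-in profile name
        set groups "Staff"           # assumed user group for authentication
    next
end

# Tier 2: "Security policy" (config firewall security-policy).
# Holds the application control / IPS decisions; a new allow needs a matching
# entry here AND a matching entry in the tier above.
config firewall security-policy
    edit 1
        set name "allow-web-apps"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "LAN_NET"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action accept
        set application-list "default"   # built-in application control sensor
        set ips-sensor "default"         # built-in IPS sensor
        set logtraffic all
    next
end
```

Keeping the tier-1 entry scoped to specific sources and destinations, rather than a single "all to all" policy, limits which flows are handed to SSL inspection and the sensors in tier 2, which is the trade-off the post raises.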