Simple Fortigate Firewall Policy to protect your Network.

  • Published on 28 Jan 2025

Comments • 32

  • @MikrotikGM
    @MikrotikGM 1 year ago

    Thanks dude. I wish you were making more of these videos.

  • @walter.bellini
    @walter.bellini 4 months ago

    Just found you and appreciate this video! Need to learn more about Fortinet routers as I am trying to choose a brand of router to use for current and future clients. Thank you.

  • @robsawyer8034
    @robsawyer8034 4 months ago +1

    Straightforward and to the point. Thank you.

  • @networkn
    @networkn 7 months ago

    Dude, this is awesome. I'd love you to share more of your knowledge.

  • @987CAYMAN07
    @987CAYMAN07 1 year ago

    Thanks, using this to train our users. Great narration!

  • @Anodynus7
    @Anodynus7 1 year ago

    Just applied to prod. Thanks, and looking forward to more!

  • @saadsabir9665
    @saadsabir9665 months ago

    Thanks for the video, but I have a question. These services that you added on the list are not supposed to be blocked when we use Web, app, and DNS filter on the policy?

  • @xlv600tr
    @xlv600tr 2 months ago

    Hi, thank you, it's been very interesting. What's the difference between using this policy and applying the security profiles to a policy from LAN to WAN (I think they refer to the same databases)?

  • @topo22albertoguti
    @topo22albertoguti 3 months ago

    Hello! Good job, thanks! One question: is it good practice to do the same with incoming service connections? Rule WAN (Bad Service) to LAN?

  • @RozzClips
    @RozzClips 4 months ago

    This deserves more subscribers and likes.

  • @AMROELMAKKI
    @AMROELMAKKI 5 months ago

    Good job, bro. So no need to apply a security profile on each single policy if we apply this policy at the top.

  • @vijay85cisco
    @vijay85cisco 1 year ago +2

    Thanks, but this video shows outbound connections from the DC to the internet... What about securing against malicious inbound traffic from the internet to all DC VLANs?

    • @cmonwork
      @cmonwork 1 year ago +1

      The firewall has an implicit deny for any traffic that comes from outside, unless you have changed this by simply adding WAN as your source interface and your internal interface as the destination interface. If you are referring to what happens if a user tries to download a virus: when you create a security policy to allow outbound traffic from the internal network to the WAN, and you have applied the antivirus security profile to that policy, it will protect against downloading malware or virus-infected files from the Internet to your internal network.

    • @tonysfortinetchannel
      @tonysfortinetchannel 1 year ago +3

      The basic rule of a firewall is to block traffic. So any attempts to connect to this firewall from outside to inbound is automatically blocked, unless a policy is created to allow it.

    • @janoliver8713
      @janoliver8713 11 months ago

      I know that there is an implicit deny rule at the bottom, but I always create a similar rule with known bad categories (and also with added third-party feeds of known bad IPs) and place it as the first firewall policy. It adds a little more security and it prevents known bad IPs from hitting your allowed inbound rules, e.g. a webserver.

  • @techexpert6961
    @techexpert6961 3 หลายเดือนก่อน

    Excellent video

  • @TheHabibalby
    @TheHabibalby 7 months ago

    Excellent tip, thanks for sharing it.
    Just one question with regard to the source address: any reason why you have selected all your VLANs/addresses instead of All -> SpamDestination = Deny?

    • @tonysfortinetchannel
      @tonysfortinetchannel 6 months ago

      Two reasons. 1> When your firewall inspects traffic, it uses the firewall's processing resources. Those processing resources need to be managed with intentionality in your configuration. So it makes no sense to inspect literally every interface if there are interfaces where this inspection rule will never matter and have no benefit. Which ones are those? Well, for one, the WAN interfaces do not need to be subjected to inspection of inbound traffic to malicious destinations that will never exist inside your network (or through it). That's an example of a hypothetical scenario where this rule would not help by choosing "any". 2> Most firewall configurations do NOT have the multiple interfaces feature visible where you get to choose multiple source interfaces as well as the "any" source interface. So if I selected "any", ppl be like "it's not an option in my fw".

    • @TheHabibalby
      @TheHabibalby 6 months ago

      @tonysfortinetchannel Thanks for your reply. Exactly, the interfaces that you have selected don't show in my list other than the interface itself.

  • @adolfofioranelli
    @adolfofioranelli 1 year ago

    Thanks! Nice Policy

  • @ahmedalmarri4515
    @ahmedalmarri4515 4 months ago

    I can't add multiple interfaces in the incoming interfaces like you; I have to do a policy for each. How can I fix that?

    • @michaelhood1815
      @michaelhood1815 4 months ago

      Enable multiple interface policies under feature visibility.

  • @JuniperoSerra-v1n
    @JuniperoSerra-v1n 1 year ago

    This helps a lot! Thanks

  • @dfoxguru
    @dfoxguru 3 months ago

    In my Fortigate-60F there is no way to add multiple Incoming Interfaces. FortiGate 60F v7.4.5 build2702

    • @dfoxguru
      @dfoxguru 3 months ago

      I found the answer from one of the questions posted earlier. Thanks @michaelhood1815

  • @zahraaelsayed7154
    @zahraaelsayed7154 1 year ago

    I don't have a licence for this FortiGate

    • @tonysfortinetchannel
      @tonysfortinetchannel 1 year ago +2

      This is a next-gen firewall which requires a subscription in order to keep up to date with worldwide threat intelligence. Threats are being created all the time, every day. A subscription on your firewall allows it to receive this intelligence as soon as it's available. It's not enough to do classic firewall anymore. Threat intelligence is KEY to your firewall's ability to protect its network from attacks. New botnet domains are being created literally every moment of every day.

  • @NoneRain_
    @NoneRain_ 8 months ago

    thanks mate

  • @tomisac1809
    @tomisac1809 1 year ago

    That is great

  • @pg41226
    @pg41226 7 months ago

    And get my system infected by the Chinese? 😅

  • @MattChilders-d8f
    @MattChilders-d8f 10 months ago

    Tony you're great but you talk too damn fast. 🙂

    • @tonysfortinetchannel
      @tonysfortinetchannel 6 months ago

      I do! Probably a combination of being in the Northeast where people just talk faster up here than many other parts of the world, and my 3rd cup of coffee contributed, and my desire to keep the video short. On a positive note, YouTube lets you change the speed of videos. I often find myself speeding up videos.