This video shows a simple firewall policy rule you can apply to your FortiGate firewall to protect your network from a significant amount of malicious traffic.
This deserves more subscribers and likes.
Straightforward and to the point. Thank you.
Just found you and appreciate this video! Need to learn more about Fortinet routers as I am trying to choose a brand of router to use for current and future clients. Thank you.
just applied to prod. thanks and looking forward to more!
Thanks, but this video shows the outbound connection from the DC to the internet. What about securing malicious inbound traffic from the internet to the DC, all VLANs?
The firewall has an implicit deny for any traffic that comes from outside, unless you have changed this by simply adding WAN as your source interface and your internal interface as the destination interface. If you are referring to what happens if a user tries to download a virus: when you create a security policy to allow outbound traffic from the internal network to the WAN, and you have applied the antivirus security profile to that policy, it will protect against downloading malware or virus-infected files from the Internet to your internal network.
The basic rule of a firewall is to block traffic. So any attempt to connect inbound to this firewall from outside is automatically blocked, unless a policy is created to allow it.
I know that there is an implicit deny rule at the bottom, but I am always doing a similar rule with known bad categories (and also with added third-party feeds of known bad IPs) and place it as the first firewall policy. It adds a little more security and it prevents known bad IPs from hitting your allowed inbound rules, e.g. a webserver.
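A small model of the policy ordering discussed in the comments above, added here as an example; it is not taken from the video and is not FortiOS code. It evaluates policies top-down with first match and an implicit deny at the end. The interface names, addresses and the 203.0.113.0/24 "known bad" feed are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

ANY = nets("0.0.0.0/0")
BAD = nets("203.0.113.0/24")   # constructed stand-in for a known-bad IP feed
WEB = nets("192.0.2.10/32")    # constructed published web server in a DMZ

@dataclass
class Policy:
    name: str
    src_intf: set    # incoming interfaces the policy applies to
    dst_intf: set    # outgoing interfaces the policy applies to
    src: list        # source networks
    dst: list        # destination networks
    action: str      # "accept" or "deny"

def evaluate(policies, src_intf, dst_intf, src_ip, dst_ip):
    """Top-down, first-match evaluation; nothing matched means implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if (src_intf in p.src_intf and dst_intf in p.dst_intf
                and any(s in n for n in p.src)
                and any(d in n for n in p.dst)):
            return p.action, p.name
    return "deny", "implicit-deny"

# Baseline: one published service inbound, general outbound access for the LAN.
BASE = [
    Policy("allow_web", {"wan"}, {"dmz"}, ANY, WEB, "accept"),
    Policy("lan_out", {"lan"}, {"wan"}, nets("10.0.0.0/8"), ANY, "accept"),
]

# Hardened: known-bad deny rules placed first, scoped to the interfaces
# where they can actually match, ahead of every allow rule.
HARDENED = [
    Policy("block_bad_in", {"wan"}, {"dmz"}, BAD, ANY, "deny"),
    Policy("block_bad_out", {"lan", "dmz"}, {"wan"}, ANY, BAD, "deny"),
] + BASE

if __name__ == "__main__":
    for label, table in (("base", BASE), ("hardened", HARDENED)):
        print(label, evaluate(table, "wan", "dmz", "203.0.113.7", "192.0.2.10"))
```

In the baseline table the implicit deny never sees the known-bad source, because the web server's allow rule matches first; only a deny placed above it changes the outcome.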
I can't add multiple interfaces in the incoming interfaces like you; I have to do a policy for each. How can I fix that?
Enable multiple interface policies under feature visibility.
Good job, bro. So no need to apply a security profile on each single policy if this policy is applied at the top?
Dude, this is awesome. I'd love you to share more of your knowledge.
And get my system infected by the Chinese? 😅
Thanks dude. I wish you were making more of these videos.
thanks mate
Excellent tip, thanks for sharing it.
Just one question with regards to the source address, any reason why you have selected all your vLAN/Addresses instead of All -> SpamDestination = Deny?
Two reasons. 1) When your firewall inspects traffic, it uses the firewall's processing resources. Those processing resources need to be managed with intentionality to your configuration. So it makes no sense to inspect literally every interface if there are interfaces where this inspection rule will never matter and have no benefit. Which ones are those? Well, for one, the WAN interfaces do not need to be subjected to inspection of inbound traffic to malicious destinations that will never exist inside your network (or through it). That's an example of a hypothetical scenario where this rule would not help by choosing "any". 2) Most firewall configurations do NOT have the multiple interfaces feature visible where you get to choose multiple source interfaces as well as the "any" source interface. So if I selected "any", ppl be like "it's not an option in my fw".
@tonysfortinetchannel Thanks for your reply, exactly, the interfaces that you have selected don't show in my list other than the interface itself.
Thanks! Nice Policy
thanks, using this to train our users. Great narration!
This helps a lot! thanks
That is great
Tony you're great but you talk too damn fast. 🙂
I do! Probably a combination of being in the Northeast where people just talk faster up here than many other parts of the world, and my 3rd cup of coffee contributed, and my desire to keep the video short. On a positive note, YouTube lets you change the speed of videos. I often find myself speeding up videos.
I don't have a licence for this FortiGate.
This is a next-gen firewall which requires a subscription in order to keep up to date with worldwide threat intelligence. Threats are being created all the time, every day. A subscription on your firewall allows it to receive this intelligence as soon as it's available. It's not enough to do classic firewall anymore. Threat intelligence is KEY to your firewall's ability to protect its network from attacks. New Botnet domains are being created literally every moment of every day.