Fortigate interfaces in policies

fortigate

What are the implications of not using interfaces when defining policies on fortigate firewalls?

i.e. the policy would be

config firewall policy
    edit 1
        set srcintf "any"
        set dstintf "any"
        set srcaddr "ip-192.168.1.10"
        set dstaddr "ip-172.16.1.254"
        set status enable
        set schedule "always"
        set service "TCP-8080"
        set logtraffic disable
    next
end

Are there any benefits to specifying the interface?

My understanding is that FortiGate firewalls apply RPF checks against traffic when it enters the firewall.

For example, if a packet arrives from 192.168.1.0/24 via port1, the firewall would expect a route for that prefix to exist in the routing table; if not, RPF would block it.

We are looking at automating how we populate firewall rules, and removing the interface logic would make it a lot simpler to implement.

Any thoughts or experiences would be good.

Best Answer

The interface is part of the policy. When you use any, the rule applies to all interfaces, i.e. it doesn't matter where the packet enters or is bound to exit the firewall for the policy to be applied.

FGs apply RPF - in order to accept a source address on an interface there must be an appropriate route out of that interface. So, essentially you're not required to use interfaces in the policies at all times.

RPF can be disabled by turning on asymmetric routing (config system setting, set asymmetric enable), disabling stateful inspection on the way. A better way may be to set a route with a high metric that won't ever get used.
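The interaction the answer describes, as an added example that is not part of the original question or answer: a small model of the FortiGate forwarding decision for a single packet, with an RPF check followed by a policy lookup. The routing table (LAN 192.168.1.0/24 behind port1, servers 172.16.1.0/24 behind port2, a default route out wan1), the interface names and the "spoofed" packet are constructed for the illustration. The model implements both RPF variants FortiOS offers: the default loose check (the source must be reachable by some route out of the ingress interface, and a default route satisfies it) and the strict check (`set strict-src-check enable` under `config system settings`, where the best route to the source must point out of the ingress interface). The point it shows is that with the default loose RPF and a default route on wan1, a packet arriving on wan1 with a spoofed LAN source passes RPF, and the any/any policy from the question then accepts it, whereas the same policy bound to port1/port2 drops it.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


@dataclass(frozen=True)
class Policy:
    srcintf: str          # interface name or "any"
    dstintf: str          # interface name or "any"
    srcaddr: ipaddress.IPv4Network
    dstaddr: ipaddress.IPv4Network
    dport: int


@dataclass(frozen=True)
class Packet:
    ingress: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def net(s):
    return ipaddress.ip_network(s)


# Constructed routing table (assumption for this example, not from the post).
ROUTES = [
    Route(net("192.168.1.0/24"), "port1"),
    Route(net("172.16.1.0/24"), "port2"),
    Route(net("0.0.0.0/0"), "wan1"),
]

# The any/any policy from the question, and the same policy bound to interfaces.
ANY_POLICY = Policy("any", "any", net("192.168.1.10/32"), net("172.16.1.254/32"), 8080)
BOUND_POLICY = Policy("port1", "port2", net("192.168.1.10/32"), net("172.16.1.254/32"), 8080)

# Constructed packets: one legitimate, one with a spoofed LAN source arriving on wan1.
LEGIT = Packet("port1", ipaddress.ip_address("192.168.1.10"), ipaddress.ip_address("172.16.1.254"), 8080)
SPOOFED = Packet("wan1", ipaddress.ip_address("192.168.1.10"), ipaddress.ip_address("172.16.1.254"), 8080)


def best_route(addr, routes):
    """Longest-prefix match; None if nothing (not even a default route) matches."""
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def rpf_ok(pkt, routes, strict=False):
    """Loose RPF: any route to the source out of the ingress interface (default route counts).
    Strict RPF: the best route to the source must point out of the ingress interface."""
    if strict:
        best = best_route(pkt.src, routes)
        return best is not None and best.interface == pkt.ingress
    return any(pkt.src in r.prefix and r.interface == pkt.ingress for r in routes)


def egress_interface(pkt, routes):
    r = best_route(pkt.dst, routes)
    return r.interface if r else None


def intf_matches(policy_intf, actual):
    return policy_intf == "any" or policy_intf == actual


def policy_allows(pkt, policy, routes):
    out = egress_interface(pkt, routes)
    return (intf_matches(policy.srcintf, pkt.ingress)
            and intf_matches(policy.dstintf, out)
            and pkt.src in policy.srcaddr
            and pkt.dst in policy.dstaddr
            and pkt.dport == policy.dport)


def forward(pkt, policy, routes, strict=False):
    """Verdict for one packet: 'rpf-drop', 'policy-drop' or 'accept'."""
    if not rpf_ok(pkt, routes, strict):
        return "rpf-drop"
    if not policy_allows(pkt, policy, routes):
        return "policy-drop"
    return "accept"


if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT), ("spoofed", SPOOFED)):
        for pname, pol in (("any/any", ANY_POLICY), ("port1->port2", BOUND_POLICY)):
            for strict in (False, True):
                mode = "strict" if strict else "loose"
                print(f"{name:8} {pname:13} rpf={mode:6} -> {forward(pkt, pol, ROUTES, strict)}")
```

With loose RPF the spoofed packet is accepted by the any/any policy and dropped only by the interface-bound one; switching the model to strict RPF drops it before the policy lookup in both cases. If the automation does drop interface logic, the two mitigations the model suggests are the ones to check on the real box: that `strict-src-check` is enabled, or that no default or summary route makes internal prefixes "reachable" out of untrusted interfaces.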
