FCP_FMG_AD-7.4 Policy and Objects

Policy and Objects Detailed Explanation

4.1 Firewall Policies

What Are Firewall Policies?

Firewall policies are rules that control network traffic between different segments. They define who can communicate with whom, what type of traffic is allowed, and whether security inspections should be applied.

How Are Firewall Policies Processed?

  • Firewall policies are processed from top to bottom.
  • The first matching rule determines whether the traffic is allowed or denied.
  • If no rule matches the traffic, the default implicit deny rule blocks it.

Example:
If we have the following rules:

  1. Allow traffic from 192.168.1.0/24 to the Internet.
  2. Deny traffic from 192.168.2.0/24 to the Internet.

Traffic from 192.168.1.0/24 is allowed, but traffic from 192.168.2.0/24 is denied.

Basic Firewall Rule Components

Component | Description
--- | ---
Source & Destination | Defines where the traffic comes from and where it goes.
Services | Specifies allowed protocols (e.g., HTTP, SSH, or custom services).
Action | Choose between Allow or Deny.
Logging | Enables logging for traffic monitoring and auditing.
Security Profiles | Attach web filtering, antivirus, IPS, etc., for deeper inspection.

Example Firewall Policy:
A rule that allows all employees to access the Internet except for certain restricted websites.

Source | Destination | Service | Action | Security Profile
--- | --- | --- | --- | ---
Employees | Internet | HTTP, HTTPS | Allow | Web Filtering - Block Social Media

Hands-on Lab: Creating a Firewall Policy in FortiManager

Step 1: Create a New Policy
  1. Log in to FortiManager.
  2. Go to Policy & Objects.
  3. Click Create New → Firewall Policy.

Step 2: Define Rule Settings
  1. Set Source: click Add → select "Employees_Network".
  2. Set Destination: click Add → select "Internet".
  3. Choose Allowed Services: select "HTTP, HTTPS, DNS".
  4. Set Action: choose "Allow".

Step 3: Attach Security Profiles
  1. Enable Web Filtering.
  2. Choose Block Social Media and Streaming.
  3. Click Save.

Step 4: Apply the Policy to a FortiGate Device
  1. Navigate to Device Manager.
  2. Select the FortiGate firewall.
  3. Click Install Wizard.
  4. Choose the policy package you created.
  5. Click Install to apply the rules.

Expected Outcome:

  • Employees can browse the Internet, but social media and video streaming websites are blocked.
  • The firewall logs all Internet activity for security auditing.

4.2 Address and Object Management

Firewall rules use objects instead of hardcoded IP addresses. This makes policies easier to manage and scale.

Types of Objects in FortiManager

Object Type | Description
--- | ---
Address Objects | Define single IPs, ranges, or subnets.
Service Objects | Represent TCP/UDP port numbers.
Time Schedules | Apply policies based on time constraints.
User/Group Objects | Assign rules based on user identity.

Why Use Objects Instead of IP Addresses?

  • If a server changes IP, you only update the object, not every policy.
  • Makes firewall rules easier to understand and manage.

1. Address Objects

Define IP addresses, subnets, or FQDNs (fully qualified domain names).

Example:

Object Name | Type | IP Address/Subnet
--- | --- | ---
HR_Network | Subnet | 192.168.10.0/24
Finance_Server | Host | 10.10.10.5

2. Service Objects

Define protocols and port numbers used in firewall policies.

Example:

Service Name | Protocol | Port(s)
--- | --- | ---
Web_Traffic | TCP | 80, 443
SSH_Access | TCP | 22
Custom_App | UDP | 5000-5100

3. Time Schedules

Firewall rules can be restricted to specific time periods.

Example:

Schedule Name | Time Window
--- | ---
Work_Hours | Mon-Fri 9:00 AM - 6:00 PM
Night_Access | Daily 10:00 PM - 6:00 AM

4. User/Group Objects

  • Apply policies based on user authentication instead of IP addresses.
  • Works with LDAP, RADIUS, or local user groups.

Example:

User Group | Allowed Access
--- | ---
HR_Department | Internal Network, HR Apps
Developers | Internet, GitHub, Dev Servers

Hands-on Lab: Creating and Using Address and Service Objects in FortiManager

Step 1: Create an Address Object
  1. Log in to FortiManager.
  2. Navigate to Policy & Objects → Addresses.
  3. Click Create New → Address Object.
  4. Enter:
     • Name: HR_Network
     • Type: Subnet
     • Subnet: 192.168.10.0/24
  5. Click OK.

Step 2: Create a Service Object
  1. Navigate to Policy & Objects → Services.
  2. Click Create New → Service Object.
  3. Enter:
     • Name: Custom_Web_Service
     • Protocol: TCP
     • Port Range: 8080-8090
  4. Click OK.

Step 3: Apply Objects in a Firewall Rule
  1. Navigate to Policy & Objects → Firewall Policy.
  2. Select an existing policy or create a new one.
  3. In Source, select HR_Network.
  4. In Destination, select Internet.
  5. In Service, select Custom_Web_Service.
  6. Click Save.

Step 4: Install the Configuration
  1. Go to Device Manager.
  2. Select the FortiGate firewall.
  3. Click Install Wizard.
  4. Select the policy package.
  5. Click Install.

Expected Outcome:

  • Only HR department devices can access the Internet, and only on ports 8080-8090.
  • If the HR network changes, only the object needs updating, not every rule.
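As an added example (not part of the course material or any Fortinet product), the following Python script models the top-down, first-match processing described in 4.1 over the address, service and schedule objects of 4.2. The object names and values are constructed from the tables above, the policy list is an assumption, and an unresolved object reference raises an error, which is the same condition that stops a policy package from installing.

```python
import ipaddress
from datetime import datetime

# Constructed object database (not a FortiManager export); names follow the tables above.
ADDRESSES = {
    "HR_Network": ipaddress.ip_network("192.168.10.0/24"),
    "Finance_Server": ipaddress.ip_network("10.10.10.5/32"),
    "all": ipaddress.ip_network("0.0.0.0/0"),
}
SERVICES = {  # service name -> list of (protocol, first port, last port)
    "Web_Traffic": [("tcp", 80, 80), ("tcp", 443, 443)],
    "SSH_Access": [("tcp", 22, 22)],
    "Custom_App": [("udp", 5000, 5100)],
}
SCHEDULES = {  # schedule name -> (weekdays, 0=Mon..6=Sun; start hour; end hour, exclusive)
    "always": (range(7), 0, 24),
    "Work_Hours": (range(5), 9, 18),
}
POLICIES = [  # assumed policy package, evaluated top to bottom; first match wins
    {"src": "HR_Network", "dst": "all", "svc": "Web_Traffic", "sched": "Work_Hours", "action": "accept"},
    {"src": "Finance_Server", "dst": "all", "svc": "SSH_Access", "sched": "always", "action": "deny"},
]

def resolve(table, name, kind):
    """Look up an object by name; a missing reference is what makes an install fail."""
    try:
        return table[name]
    except KeyError:
        raise KeyError(f"policy references undefined {kind} object {name!r}") from None

def match_policy(policies, src_ip, dst_ip, proto, dport, when):
    """Return (policy index, action). Index None means the implicit deny applied.
    `when` is an ISO 8601 string such as "2024-06-03T10:00"."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    now = datetime.fromisoformat(when)
    for i, p in enumerate(policies):
        days, start, end = resolve(SCHEDULES, p["sched"], "schedule")
        in_window = now.weekday() in days and start <= now.hour < end
        svc_ok = any(pr == proto and lo <= dport <= hi
                     for pr, lo, hi in resolve(SERVICES, p["svc"], "service"))
        if (src in resolve(ADDRESSES, p["src"], "address")
                and dst in resolve(ADDRESSES, p["dst"], "address")
                and svc_ok and in_window):
            return i, p["action"]          # first matching rule decides
    return None, "deny"                    # nothing matched: implicit deny
```

Run it with a flow that matches no rule and note that the result is a deny even though no deny rule was written; that is the implicit deny the policy list above relies on.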

4.3 Advanced Firewall Policy Configurations

Basic firewall rules are simple, but in complex networks, additional settings may be needed. Below are some advanced configurations used in FortiManager.

1. Deep Packet Inspection (DPI)

  • By default, firewalls filter traffic based on IP addresses and ports.
  • DPI lets FortiGate inspect the actual content of packets, so malware, exploits, and other suspicious content can be detected and blocked.

Example:
A company wants to allow HTTPS traffic, but they need to block downloads of EXE files from the Internet.

Solution:

  1. Enable DPI (deep SSL inspection) in the SSL/SSH Inspection settings. Inspecting HTTPS content means the FortiGate re-signs server certificates with its own CA, so that CA certificate must be trusted by the clients.
  2. Create a Web Filter Profile to block EXE downloads.
  3. Apply the Web Filter Profile to the firewall policy.

2. Application Control Policies

  • Instead of filtering traffic by IP and ports, Application Control allows blocking or allowing specific applications.
  • Useful for blocking social media, gaming, or VPN applications.

Example:
A company wants to allow Internet access but block social media apps like Facebook, Instagram, and Twitter.

Solution:

  1. Create an Application Control Profile.
  2. In the profile, block applications under Social Media category.
  3. Attach this profile to the Internet access firewall policy.

3. Traffic Shaping (QoS - Quality of Service)

  • Traffic shaping prioritizes important applications and limits bandwidth for less important traffic.
  • Ensures business-critical apps (VoIP, CRM, VPN) get priority over video streaming or downloads.

Example:
A company wants to prioritize VoIP calls and limit YouTube streaming bandwidth.

Solution:

  1. Enable Traffic Shaping.
  2. Create a Traffic Shaping Policy:
     • High priority for VoIP traffic (UDP 5060).
     • Low priority for YouTube (TCP 443). Note that TCP 443 on its own matches all HTTPS traffic, so singling out YouTube requires matching on the application (via Application Control) rather than only the port.
  3. Apply the shaping rule to the firewall policy.

4.4 Network Address Translation (NAT) Policies

What is NAT?

NAT (Network Address Translation) modifies the source or destination IP address of packets as they pass through the firewall.

Why use NAT?

  • Hides internal IPs from the Internet.
  • Allows multiple internal devices to share a public IP.
  • Enables inbound access to internal servers.

Types of NAT in FortiGate

NAT Type | Description | Example Use Case
--- | --- | ---
Source NAT (SNAT) | Replaces the source IP with a public IP. | Users accessing the Internet from inside the network.
Destination NAT (DNAT) | Maps an external IP to an internal server IP. | Allowing external users to access an internal web server.
Overload (PAT - Port Address Translation) | Multiple internal users share a single public IP. | Office network using one ISP public IP for all users.

1. Source NAT (SNAT) - Internet Access

  • Used when internal users need to access the Internet.
  • Replaces the internal IP with the firewall's public IP.

Step-by-Step: Configuring SNAT
  1. Go to Policy & Objects → Firewall Policy.
  2. Edit the Internet access rule.
  3. Enable NAT under "Outgoing Interface".
  4. Select "Use Outgoing Interface Address".
  5. Click Save and Install the Policy.

Expected Outcome:

  • Internal devices can browse the Internet, but their real IPs are hidden.
  • External websites will see the firewall’s public IP instead.

2. Destination NAT (DNAT) - Hosting a Web Server

  • Used when external users need access to an internal server (e.g., Web, Mail, RDP).
  • Maps a public IP to an internal private IP.

Step-by-Step: Configuring DNAT
  1. Go to Policy & Objects → Virtual IPs (VIPs).
  2. Click Create New → Virtual IP.
  3. Set the External IP (public IP assigned by the ISP).
  4. Set the Internal IP (the server's private IP).
  5. Create a Firewall Policy:
     • Source: Internet.
     • Destination: VIP Object.
     • Service: HTTP, HTTPS.
     • Action: Allow.
  6. Click Save and Install the Policy.

Expected Outcome:

  • External users can access the internal web server using the public IP.
  • The firewall forwards traffic to the internal server.

3. PAT (Port Address Translation) - One Public IP for Many Users

  • PAT allows multiple internal users to share a single public IP.
  • It assigns a different port number to each session.

Step-by-Step: Configuring PAT
  1. Go to Policy & Objects → Firewall Policy.
  2. Edit the Internet access policy.
  3. Enable NAT.
  4. Select "Use Dynamic IP Pool".
  5. Choose an IP Pool range assigned by the ISP.
  6. Click Save and Install the Policy.

Expected Outcome:

  • Multiple users can browse the Internet using a single public IP.
  • Port numbers help keep sessions separate.
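As an added example (not part of the course material or any Fortinet product), the Python class below models the session table behind the three NAT types in this section: SNAT with PAT for outbound flows, the return-path lookup that keeps sessions apart by port, and a VIP (DNAT) lookup for inbound flows. The WAN address, VIP mapping and port range are constructed assumptions.

```python
import itertools

# Constructed values, not from a real deployment: WAN address and VIP mapping are assumptions.
WAN_IP = "203.0.113.10"                                  # outgoing interface address (SNAT)
VIPS = {("203.0.113.20", 443): ("10.10.10.5", 443)}      # VIP: public IP:port -> internal server

class NatTable:
    """Session-based NAT: SNAT/PAT for outbound flows, session or VIP lookup for inbound."""

    def __init__(self, public_ip=WAN_IP, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.ports = itertools.count(first_port)  # next unused translated source port
        self.last_port = last_port
        self.outbound = {}   # (src_ip, src_port, dst_ip, dst_port) -> translated source port
        self.inbound = {}    # translated source port -> (src_ip, src_port)

    def snat(self, src_ip, src_port, dst_ip, dst_port):
        """Outbound: replace the private source with the public IP and a per-session port.
        Two hosts using the same source port get different translated ports."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            port = next(self.ports)
            if port > self.last_port:            # edge case: PAT pool has no free port
                raise RuntimeError("PAT port range exhausted")
            self.outbound[key] = port
            self.inbound[port] = (src_ip, src_port)
        return self.public_ip, self.outbound[key]

    def untranslate(self, dst_ip, dst_port):
        """Inbound: map a packet to the session that created it, else to a VIP.
        Returns None when neither applies, i.e. unsolicited inbound traffic is dropped."""
        if dst_ip == self.public_ip and dst_port in self.inbound:
            return self.inbound[dst_port]
        return VIPS.get((dst_ip, dst_port))
```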

4.5 Troubleshooting Firewall and NAT Policies

Even with correct configurations, firewall policies or NAT rules may fail. Below are common issues and solutions.

Issue | Possible Cause | Solution
--- | --- | ---
Firewall Policy Not Working | Misconfigured source/destination or wrong service type | Verify the policy order, source/destination, and services used.
NAT Not Working | NAT is disabled or incorrectly configured | Ensure NAT is enabled on the correct interface.
External Users Cannot Access an Internal Server | VIP (DNAT) misconfigured or firewall policy missing | Verify Virtual IP settings and create a proper firewall rule.
Internal Users Cannot Browse the Internet | No NAT rule applied | Enable SNAT using the outgoing interface address.
Traffic Logs Not Showing Expected Results | Logging not enabled in policy | Enable logging for both accepted and denied traffic.

How to Troubleshoot Using CLI

  1. Check whether the firewall policy is applied:
       diagnose firewall policy list
  2. Check the NAT (IP pool) table:
       diagnose firewall ippool list
  3. View active sessions:
       diagnose sys session list
  4. Test whether the firewall allows outbound traffic:
       execute ping 8.8.8.8

Frequently Asked Questions

What is a policy package in FortiManager?

Answer:

A policy package is a collection of firewall policies and objects that can be installed on managed devices.

Explanation:

In FortiManager, firewall policies are organized into policy packages. Each package represents a complete policy configuration that can be deployed to one or more devices. This allows administrators to manage large numbers of devices efficiently. Instead of editing individual device policies, administrators modify the package and install it across multiple firewalls.

Why are shared objects useful in FortiManager?

Answer:

They allow objects to be reused across multiple policies and devices.

Explanation:

Shared objects reduce configuration duplication and simplify management. For example, a shared address object representing a corporate subnet can be referenced by multiple policies and devices. If the subnet changes, administrators only update the object once instead of modifying every policy.

Why might a policy package fail to install on a device?

Answer:

The device may be missing required objects referenced by the policy.

Explanation:

Policies depend on address objects, services, and other configuration elements. If a referenced object is not available or incorrectly defined, FortiManager cannot generate the correct configuration during installation. Administrators must verify that all required objects exist in the policy database before installing the package.

What is the benefit of policy package reuse across multiple devices?

Answer:

It simplifies centralized policy management.

Explanation:

Using a single policy package for multiple devices ensures consistent security rules across the network. Administrators can apply the same policy logic to many firewalls, reducing configuration errors and management overhead.

What role do objects play in firewall policy configuration?

Answer:

Objects define reusable network elements such as addresses, services, and schedules.

Explanation:

Instead of entering raw values in every policy rule, administrators reference predefined objects. This improves readability, reduces configuration duplication, and simplifies updates.

Why is centralized policy management beneficial in large networks?

Answer:

It ensures consistent security policies across all managed devices.

Explanation:

Centralized management allows administrators to maintain uniform security policies and deploy updates efficiently. This reduces configuration drift and improves compliance across distributed network environments.
