By Manny Fernandez

January 17, 2020

Policy Advanced Options in FortiOS 6.2.3

FortiOS 6.2.3 Introduced some interesting new features.  One of those features is the Policy Advanced Options in which some interesting new  options and one of my favorites that finally made it into the GUI.

1. – FortiOS 6.2.3

First of all, you will need to be running FortiOS 6.2.3.

2020-01-16_23-33-30.png

2.- Enabling the Policy Advanced Options

You will need to go to system then Feature Visibility

2020-01-16_23-19-06.png

Tick the button on the Policy Advanced Options

2020-01-16_23-19-22.png

3. – TCP Sessions without SYN

Sometimes the firewall needs to handle long sessions, such as large data transfers or database backups, which can remain open at the endpoints but the session can be deleted from the firewall because of inactivity higher than 3600 sec (default inactivity timer). If a packet belonging to a deleted session reaches the firewall, it will be dropped. For this kind of scenario, disabling SYN checking in the FortiOS on a packet that belongs to an open session on the endpoints, could help avoiding such disruptions to network traffic flows, when the session becomes active again.  (REF: Fortinet KB FD40929 ).  This is also true for Asymmetric Routing.

config system settings
set tcp-session-without-syn enable
end

This is in addition to the Policy Advanced Options

The Results

2020-01-16_23-19-46.png

First thing you will see different is the ID​.  This feature allows you to assign the Policy ID which was not an option before.  The default of 0 is representative of next available number.   This is great.  In  the past, if you had a policy with a Policy ID of 3 and you deleted it. Next you created a new policy, it would be assigned and ID of 4.

The next two things you see is the Negate Source and Negate Destination.  This is something I used back in my Checkpoint days.  Although the feature has been in FortiOS for some time, it was NOT available in the GUI.  Ironically, in the 6.2.0 Release Notes, there was a picture of it but it was not in the code.  In development, sometimes features get moved and pushed down to a different release.  I am happy though, that it was included here.

4.- What Negate Does

When you create a policy such as the one below, it essentially tells the firewall that anything EXCEPT address object DC-01  will match this policy.  The use case for this would be that you want to permit all internal devices except for the DMZ network, you could create a policy and use Negate Destination .  One thing missing though is the Negate Service which is still available in the CLI.

LAB-FW-01 (76) # set service-negate

enable Enable negated service match.
disable Disable negated service match.

2020-01-16_23-49-29.png

Hopefully service-negate will be in 6.2.4.

5. – Other Advanced Options

The other things that will get enabled in the GUI when you enable Policy Advanced Options is the WCCP , Exempt from Captive Portal and the TCP option we configured in section 3.

2020-01-16_23-58-22.png

WCCP – Enable/disable forwarding traffic matching this policy to a configured WCCP server.

Exempt from Captive Portal – Enable to exempt some users from the captive portal

Allow TCP sessions without SYN – See above

 

Hope this helps.

Recent posts

  • If you've spent any time configuring user authentication on... Full Story

  • DNS is one of those technologies that quietly underpins... Full Story

  • BGP issues on FortiGate firewalls usually trace back to... Full Story

  • Every time your laptop talks to your router, a... Full Story

  • If you've spent any time configuring NAT on a... Full Story

  • If you have spent any time configuring firewall policies... Full Story

  • High availability on FortiGate is one of those features... Full Story

  • If you've configured SD-WAN on a FortiGate, you've almost... Full Story

  • FortiLink is the management protocol that turns a FortiSwitch... Full Story

  • FortiSwitches are pretty rock solid from Mean Time Between... Full Story

  • This is a quicky tip.  Have you ever gone... Full Story

  • DNS is one of those quiet pieces of internet... Full Story

  • This article is an updated version of the previous... Full Story

  • You will add ns2 as a secondary (slave) BIND9... Full Story

  • In the process of deploying my lab, I needed... Full Story

  • RFC 8805, used to be known as Self-Correcting IP... Full Story

  • Years back, I wrote an article about certificate pinning. ... Full Story

  • FortiGates have the ability to send alerts to Microsoft... Full Story

  • In this post, I am going to walk through... Full Story

  • Troubleshooting VoIP on a FortiGate can feel like trying... Full Story

  • Prior to FortiOS 7.0, there were three commands to... Full Story

  • In this post, I am going to go over... Full Story

  • What we are going to do:  We are going... Full Story

  • Choosing between FGCP (FortiGate Clustering Protocol) and FGSP (FortiGate... Full Story

  • Creating a VLAN on macOS (The "Pro" Move) A... Full Story

  • This blog post explores the logic behind how macOS... Full Story

  • Pretty Fly for a Wi-Fi Tell My Wi-Fi Love... Full Story

  • Part of my daily gig is creating BoMs (Bill-of-Materials)... Full Story

  • ICMP introduces several security risks, but careful filtering, rate... Full Story

  • The command diag debug application dhcps -1 enables full... Full Story

  • In the world of FortiOS, execute tac report is... Full Story

  • LLDP; What is it The Link Layer Discovery Protocol... Full Story

  • What it actually does When you run diagnose fdsm... Full Story

  • Monkey Bites are bite-sized, high-impact security insights designed for... Full Story

  • I have run macOS in macOS with Parallels but... Full Story

  • Don't be confused with my other FortiNAC posts where... Full Story

  • This is the third session in a multi-part article... Full Story

  • Today I was configuring key-based authentication on a FortiGate... Full Story

  • Netcat, often called the "Swiss Army knife" of networking,... Full Story

  • At its core, IEEE 802.1X is a network layer... Full Story

  • In case you did not see the previous FortiNAC... Full Story

  • This is our 5th session where we are going... Full Story

  • Now that we have Wireshark installed and somewhat configured,... Full Story

  • The Philosophy of Packet Analysis Troubleshooting isn't about looking... Full Story

  • Overview FortiOS 8.0 introduces custom tags as a first-class... Full Story

  • These are two distinct mechanisms on FortiOS, and conflating... Full Story

  • Replacement messages are the pages and text blocks that... Full Story