Unlock the Power of Your FortiGate: A Deep Dive into Next-Gen Firewall Policy Mastery

Listen to this Post

Featured Image

Introduction:

Next-Generation Firewalls (NGFWs) like FortiGate form the cornerstone of modern network security, moving beyond simple port blocking to intelligent, application-aware filtering. By leveraging dynamic threat intelligence services like FortiGuard Labs, organizations can proactively block communications with known malicious sites, significantly reducing their attack surface. This article provides a technical deep dive into configuring and optimizing these critical security policies.

Learning Objectives:

  • Understand the core components of a robust FortiGate security policy, including Internet Service Database (ISDB) integration.
  • Master the CLI and GUI methods for implementing and verifying advanced security controls.
  • Learn to configure complementary features like SSL inspection and application control to build a defense-in-depth strategy.

You Should Know:

1. Harnessing the FortiGuard Internet Service Database (ISDB)

The FortiGuard Internet Service Database (ISDB) is a critical component for modern firewall policy. It contains a dynamically updated list of specific domains and IP addresses associated with thousands of well-known Internet services (e.g., Amazon-AWS, Microsoft-365, Google-Cloud). Instead of manually managing thousands of IPs for a service like Office 365, you can create a single policy using the relevant ISDB object, ensuring your ruleset remains manageable and accurate as the service evolves.

Verified FortiOS CLI Commands:

 Diagnose the available Internet Service entries for a specific service
diagnose internet-service name <service_name>

Show the details and reputation of a specific Internet Service ID
get internet-service id <service_id>

List all security policies and their associated Internet Services
show firewall policy | grep internet-service

Add an Internet Service to a firewall policy via CLI (context: `config firewall policy` then edit <policy_id>)
set internet-service-id <service_id>

Step-by-step guide:

To create a policy using the GUI, navigate to Policy & Objects > IPv4 Policy and create a new policy. In the Source and Destination fields, set your internal network and the WAN interface, respectively. Under Service, select Internet Service and then choose the specific service (e.g., “Amazon-AWS”) from the database. This policy will now allow or deny traffic based on the curated list of IPs for that service, which is automatically updated by FortiGuard.

2. Crafting an Outbound Restrictive Security Policy

A foundational security principle is to deny all traffic by default and only allow what is explicitly permitted. This policy blocks all outbound traffic from internal networks to the internet, forcing all traffic to be evaluated by more specific, permissive rules that utilize ISDB or other safe-lists. This is the policy you “fall through” to if no other policy matches.

Verified FortiOS CLI Commands:

 Create a deny-all policy via CLI
config firewall policy
edit 0
set name "Outbound-Deny-All"
set srcint "internal"
set dstint "wan1"
set srcaddr "all"
set dstaddr "all"
set action deny
set schedule "always"
set service "ALL"
set logtraffic all
next
end

Verify policy order and placement (policies are processed top-down)
show firewall policy

Step-by-step guide:

In the GUI, go to Policy & Objects > IPv4 Policy. Click Create New. Set the Incoming Interface to your internal LAN/zone and the Outgoing Interface to your WAN/Internet zone. Set Source and Destination Address to ‘all’. Set Service to ‘ALL’. Finally, set the Action to DENY. It is critical to place this policy at the bottom of your policy list. Any traffic not matching a more specific, permissive policy above it will be blocked and logged.

3. Enforcing DNS Security with Explicit Proxy

Many threats use DNS for data exfiltration or communication with command-and-control (C2) servers. By forcing all DNS queries through the FortiGate’s explicit proxy, you can apply web filtering, DNS filtering, and block requests to known malicious domains, even if the client is using a hard-coded, external DNS server.

Verified FortiOS CLI Commands:

 Configure an explicit proxy policy for DNS (TCP/UDP 53)
config firewall proxy-policy
edit 0
set proxy explicit-web
set srcint "internal"
set dstint "wan1"
set srcaddr "all"
set dstaddr "all"
set service "DNS" "DNSQL"
set action accept
set schedule "always"
set utm-status enable
set webfilter-profile "default"
set dns-filter-profile "default"
next
end

Block DNS over HTTPS (DoH) by blocking well-known DoH provider IPs/domains
config firewall policy
edit <policy_id>
set name "Block-Known-DoH"
set srcint "internal"
set dstint "wan1"
set srcaddr "all"
set dstaddr "Known-DoH-Servers"  (Create an address group for DoH IPs)
set action deny
next
end

Step-by-step guide:

Navigate to Network > Explicit Proxy and ensure the explicit proxy is enabled on the internal interface. Then, go to Policy & Objects > Proxy Policy to create a new policy. Set the source and destination interfaces, and for service, select DNS and DNSQL. Enable UTM and apply a Web Filter and DNS Filter profile. To block DoH, you must also create a firewall policy that denies traffic to the IP addresses of major public DoH servers (e.g., 1.1.1.1, 8.8.8.8, 9.9.9.9).

4. Implementing Deep Packet Inspection with SSL Inspection

Without SSL inspection, a NGFW is effectively blind to most modern web traffic, as it cannot see inside encrypted HTTPS connections. SSL Inspection decrypts outbound traffic, allows the security engines (IPS, Antivirus, Web Filter) to scan it, and then re-encrypts it before sending it to the destination.

Verified FortiOS CLI Commands:

 Create a certificate for SSL Inspection (on FortiGate)
config vpn certificate local
edit "FortiGate-SSL-Inspection-CA"
set certificate "--BEGIN CERTIFICATE-- ..."
set private-key "--BEGIN RSA PRIVATE KEY-- ..."
set comment "CA certificate for deep-inspection"
next
end

Apply SSL Inspection to a firewall policy (context: `config firewall policy` then edit <policy_id>)
set ssl-ssh-profile "custom-deep-inspection"

Verify the SSL/SSH profile settings
show firewall ssl-ssh-profile

Step-by-step guide:

First, generate a Certificate Authority (CA) on the FortiGate under System > Certificates. Then, create a custom SSL/SSH Inspection profile via Security Profiles > SSL/SSH Inspection. Set the SSL Inspection options to Deep-Inspection and select your newly created CA certificate. Finally, edit your outbound permit policies (e.g., the one using ISDB) and in the SSL Inspection field, select your custom deep-inspection profile. Important: You must deploy the FortiGate’s CA certificate to all trusted root stores on your client machines.

5. Leveraging Application Control for Granular Enforcement

While ISDB blocks based on destination IP, Application Control identifies the specific application (e.g., Facebook, BitTorrent, Skype) based on its network behavior, regardless of the IP or port it uses. This allows you to create policies like “allow Facebook but block Facebook Games” or “block all peer-to-peer file sharing.”

Verified FortiOS CLI Commands:

 Create a custom application control sensor
config application list
edit "Custom-App-Sensor"
set comments "Block high-risk apps and limit social media"
config entries
edit 1
set application 13  Bittorrent
set action block
next
edit 2
set category 6  Social.Media
set action block
next
end
next
end

Apply the application control sensor to a firewall policy
config firewall policy
edit <permit_policy_id>
set application-list "Custom-App-Sensor"
next
end

Monitor application control logs
execute log filter category 3  Application Control category
execute log display

Step-by-step guide:

Go to Security Profiles > Application Control and create a new Application Control Sensor. Here, you can browse or search for applications and categories. You can set actions to Pass, Monitor, or Block. After creating the sensor, apply it to your outbound permit firewall policies by selecting it in the Application Control field. The FortiGate will now identify and control traffic based on the application signature, adding a powerful layer of enforcement on top of your network-based rules.

6. Automating with FortiManager and FortiAnalyzer

For large-scale deployments, managing individual FortiGate devices becomes untenable. FortiManager provides centralized policy management, while FortiAnalyzer offers consolidated logging, reporting, and threat analytics, allowing for a unified security posture across the entire network.

Verified FortiOS/FortiManager CLI Commands:

 On FortiManager, install a policy package to managed devices
config global
execute install-package policy-package <package_name> adom <adom_name> target <device_name>

On FortiGate, check the management status
get system performance status | grep Management

On FortiAnalyzer, query logs for a specific event
execute log-day search -m value "traffic" "srcip=192.168.1.100"

Step-by-step guide:

To centralize management, first add your FortiGate to a FortiManager device group. In FortiManager, create a Policy Package within the relevant ADOM (Administrative Domain). Define all your security policies, objects, and profiles within this package. Once configured, you can push the entire package to one or hundreds of FortiGates simultaneously. For logging, register the FortiGate with a FortiAnalyzer unit under System > FortiAnalyzer. This will forward all logs to a central repository for advanced correlation, reporting, and forensic analysis.

7. Continuous Monitoring and Threat Hunting

Configuration is only half the battle. Continuous monitoring of logs and network flows is essential for detecting anomalous behavior, validating policy effectiveness, and hunting for advanced threats that may have bypassed perimeter defenses.

Verified FortiOS CLI Commands for Monitoring:

 Real-time log monitoring for denied traffic
execute log filter category 2  Traffic log category
execute log filter field action deny
execute log display

Check for current sessions through the firewall
get system session list

Use the built-in sniffer for deep packet analysis on a specific interface
diagnose sniffer packet any "host <ip_address>" 4

Check the status of FortiGuard services and updates
get system fortiguard status

Search for specific threats in the IPS logs
execute log filter category 1  IPS/IDS category
execute log filter field threat "<threat_name>"
execute log display

Step-by-step guide:

Regularly review the FortiView dashboards on your FortiGate (Security > FortiView) to visualize top sources, destinations, applications, and threats. Set up automated reports in FortiAnalyzer to be delivered weekly. For proactive threat hunting, use the CLI commands above to search for specific indicators of compromise (IoCs), such as connections to known-bad IPs or the detection of specific IPS signatures. Correlate firewall deny logs with endpoint detection and response (EDR) alerts to identify potential internal threats attempting to call out.

What Undercode Say:

  • A well-configured NGFW policy is a living entity, not a set-and-forget configuration. It requires continuous tuning based on logs and evolving business needs.
  • The true power of a FortiGate is realized not by using individual features in isolation, but by strategically layering them—ISDB for destination control, Application Control for application awareness, and SSL Inspection for content visibility—to create a resilient, defense-in-depth security posture.
    Our analysis indicates that many organizations fail to activate SSL Inspection due to perceived complexity, rendering their advanced UTM features largely ineffective against encrypted threats. Furthermore, the strategic use of a default-deny outbound policy, as highlighted in the source post, is a critical control that is often overlooked in favor of overly permissive rulesets, creating unnecessary risk. Automating policy management and log analysis with FortiManager and FortiAnalyzer is no longer a luxury for large enterprises but a necessity for maintaining consistent security and operational efficiency.

Prediction:

The convergence of network and security, exemplified by advanced NGFWs, will continue to accelerate. Future iterations will leverage AI more deeply not just in threat intelligence (FortiGuard AI), but in local policy optimization, automatically suggesting and implementing rule changes based on analyzed traffic patterns and threat feeds. We will see a shift towards self-healing networks where the firewall can autonomously isolate compromised endpoints based on behavioral analysis and dynamically update policies to contain breaches in real-time, fundamentally changing the role of the security administrator from a configurator to an overseer of automated security systems.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Activity 7391241070023475200 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky