The FortiGate firewall must apply egress filters to traffic outbound from the network through any internal interface.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-234153	FNFG-FW-000120	SV-234153r852963_rule		Medium

Description
If outbound communications traffic is not filtered, hostile activity intended to harm other networks or packets from networks destined to unauthorized networks may not be detected and prevented. Access control policies and access control lists implemented on devices, such as firewalls, that control the flow of network traffic ensure the flow of traffic is only allowed from authorized sources to authorized destinations. Networks with different levels of trust (e.g., the internet) must be kept separated. This requirement addresses the binding of the egress filter to the interface/zone rather than the content of the egress filter.

Description

If outbound communications traffic is not filtered, hostile activity intended to harm other networks or packets from networks destined to unauthorized networks may not be detected and prevented. Access control policies and access control lists implemented on devices, such as firewalls, that control the flow of network traffic ensure the flow of traffic is only allowed from authorized sources to authorized destinations. Networks with different levels of trust (e.g., the internet) must be kept separated. This requirement addresses the binding of the egress filter to the interface/zone rather than the content of the egress filter.

STIG	Date
Fortinet FortiGate Firewall Security Technical Implementation Guide	2022-09-12

Details

Check Text ( C-37338r611457_chk )
Log in to the FortiGate GUI with Super- or Firewall Policy-Admin privilege. 1. Click the Policy and Objects. 2. Click IPv4 or IPv6 Policy. 3. Verify the policies are configured for each Outgoing Interface. 4. Verify polices are configured with Action set either to DENY or ACCEPT based on the organizational requirement. If the Firewall Policies are not applied to all outbound interfaces, this is a finding.

Check Text ( C-37338r611457_chk )

Log in to the FortiGate GUI with Super- or Firewall Policy-Admin privilege.

1. Click the Policy and Objects.
2. Click IPv4 or IPv6 Policy.
3. Verify the policies are configured for each Outgoing Interface.
4. Verify polices are configured with Action set either to DENY or ACCEPT based on the organizational requirement.

If the Firewall Policies are not applied to all outbound interfaces, this is a finding.

Fix Text (F-37303r611458_fix)
Log in to the FortiGate GUI with Super- or Firewall Policy-Admin privilege. 1. Click the Policy and Objects. 2. Click IPv4 or IPv6 Policy. 3. Click +Create New. 4. Name the policy and select Incoming and Outgoing Interfaces. 5. Create the policies with authorized sources and destinations. 6. Create the policies with Action set to either DENY or ACCEPT. 7. Ensure the Enable this policy is toggled to right. 8. Click OK.

Fix Text (F-37303r611458_fix)

Log in to the FortiGate GUI with Super- or Firewall Policy-Admin privilege.

1. Click the Policy and Objects.
2. Click IPv4 or IPv6 Policy.
3. Click +Create New.
4. Name the policy and select Incoming and Outgoing Interfaces.
5. Create the policies with authorized sources and destinations.
6. Create the policies with Action set to either DENY or ACCEPT.
7. Ensure the Enable this policy is toggled to right.
8. Click OK.