Firewall Rules
Firewall Rules allow you to define granular security policies to control traffic flow entering or leaving your Virtual Network (VNET). By filtering traffic based on source, destination, and service type, you can ensure that only authorized connections are permitted within your environment.
When to use Firewall Rules
- Security Hardening: Restricting access to sensitive internal servers (e.g., databases) so they are only reachable from specific subnets.
- Traffic Filtering: Blocking unwanted traffic from the internet or specific external prefixes.
- Managed Security Integration: Redirecting traffic to high-performance third-party security appliances for advanced inspection.
Prerequisites
Before configuring Firewall Rules, ensure you have:
- A Virtual Network (VNET) already deployed.
- Defined Traffic Objects (Configuration Objects, Traffic Identifiers, or Address Books) representing your sources and destinations. See Working with Objects.
Configuring Firewall Rules
Follow these steps to create a firewall rule:
- Navigate to the Services page and select your VNET.
- In the left sidebar, expand Policies and select Firewall Rules.
- Click the Add firewall rule button.
- Complete the following fields in the configuration screen:
  - Name: Enter a descriptive name for the rule (e.g., "Allow Web Traffic").
  - Group Name: Enter a new group name or select an existing group to organize your rules.
  - Source: Click Add to specify the origin of the traffic. You can choose from a Traffic Identification, Address Book, or Configuration Object.
  - Destination: Click Add to specify where the traffic is headed. You can choose from a Traffic Identification, Address Book, or Configuration Object.
  - Action: Select the action to be taken:
    - Allow: Permits the traffic to pass through.
    - Block: Drops the traffic.
    - Premium: Redirects the traffic to a managed external firewall for advanced inspection.
- Click Save.
- Toggle the Enabled switch. New rules are created Disabled by default and have no effect until you enable them, so an Allow rule you forget to enable permits nothing.
Important Considerations
Rule Order
Rules and Rule Groups are evaluated in sequence from top to bottom, and the first rule whose criteria match the traffic is applied; no later rule is consulted for that traffic. Place your most specific rules above broader "catch-all" rules: a broad rule placed first matches the traffic before a narrower rule below it can, so the narrower rule never takes effect. Check the order whenever you add a rule, and if you use a catch-all Block rule as your default deny, keep it last.
Tip
After adding one or more rules, you can re-order them and then click the Save button at the top left of the screen to keep the new order.
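As an added illustration of the first-match evaluation described above (example code written for this page, not the portal's own code or API), the following Python model walks a rule list top to bottom exactly as the page describes and includes a check a practitioner wants before saving: a shadowing lint that reports rules which can never match because an earlier, broader rule already covers everything they would match. The Rule fields, the use of CIDR prefixes in place of Traffic Objects, and the destination-port attribute are assumptions; the sample rules and addresses are constructed from documentation ranges. Disabled rules are skipped, mirroring the Disabled default for newly created rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Added example: models the page's evaluation semantics (top to bottom,
# first match wins, new rules are Disabled). Field names, CIDR sources and
# destinations, and the port attribute are assumptions, not the portal's model.

ANY: FrozenSet[int] = frozenset()  # empty port set = match any port


@dataclass(frozen=True)
class Rule:
    name: str
    source: str            # CIDR prefix standing in for a Traffic Object
    destination: str       # CIDR prefix
    ports: FrozenSet[int]  # destination ports; ANY = all ports
    action: str            # "Allow", "Block" or "Premium"
    enabled: bool = False  # new rules default to Disabled


def matches(rule: Rule, src: str, dst: str, port: int) -> bool:
    """A disabled rule never matches; otherwise every criterion must hold."""
    if not rule.enabled:
        return False
    return (ip_address(src) in ip_network(rule.source)
            and ip_address(dst) in ip_network(rule.destination)
            and (rule.ports == ANY or port in rule.ports))


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> Optional[str]:
    """First-match evaluation: the action of the first matching rule,
    or None when no rule matches (the page does not define that case)."""
    for rule in rules:
        if matches(rule, src, dst, port):
            return rule.action
    return None


def shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Lint: (dead_rule, shadowing_rule) pairs where an earlier enabled rule
    covers the later rule's whole source, destination and port space."""
    hits = []
    for i, later in enumerate(rules):
        if not later.enabled:
            continue
        for earlier in rules[:i]:
            if not earlier.enabled:
                continue
            src_ok = ip_network(later.source).subnet_of(ip_network(earlier.source))
            dst_ok = ip_network(later.destination).subnet_of(ip_network(earlier.destination))
            port_ok = earlier.ports == ANY or (later.ports != ANY and later.ports <= earlier.ports)
            if src_ok and dst_ok and port_ok:
                hits.append((later.name, earlier.name))
                break
    return hits


# Constructed sample rules (documentation-range addresses, not real ones).
ALLOW_WEB = Rule("Allow Web Traffic", "203.0.113.0/24", "10.0.1.10/32",
                 frozenset({80, 443}), "Allow", enabled=True)
ALLOW_DB = Rule("Allow DB from app subnet", "10.0.2.0/24", "10.0.3.5/32",
                frozenset({5432}), "Allow", enabled=True)
CATCH_ALL = Rule("Block everything else", "0.0.0.0/0", "10.0.0.0/8",
                 ANY, "Block", enabled=True)
NEW_RULE = Rule("Allow SSH from bastion", "10.0.9.9/32", "10.0.0.0/8",
                frozenset({22}), "Allow")  # left at the default: Disabled

BAD_ORDER = [CATCH_ALL, ALLOW_WEB, ALLOW_DB]   # catch-all on top shadows both Allows
GOOD_ORDER = [ALLOW_WEB, ALLOW_DB, CATCH_ALL]  # specific rules first, catch-all last

if __name__ == "__main__":
    print(evaluate(BAD_ORDER, "203.0.113.7", "10.0.1.10", 443))   # Block
    print(shadowed(BAD_ORDER))                                     # both Allow rules are dead
    print(evaluate(GOOD_ORDER, "203.0.113.7", "10.0.1.10", 443))  # Allow
    print(shadowed(GOOD_ORDER))                                    # []
    # Forgotten Enabled switch: the SSH rule falls through to the catch-all.
    print(evaluate([ALLOW_WEB, ALLOW_DB, NEW_RULE, CATCH_ALL], "10.0.9.9", "10.0.3.5", 22))  # Block
```

Running it shows the two orderings side by side: with the catch-all on top, both Allow rules are reported as shadowed and the web request is blocked; with the specific rules first, it is allowed. The still-disabled "Allow SSH from bastion" rule falls through to the catch-all until it is enabled. The model returns None when nothing matches because the page does not state how the VNET treats unmatched traffic; a final explicit Block rule removes that ambiguity.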
Action: Premium
The Premium action is used when you require advanced security features like Deep Packet Inspection (DPI) or Intrusion Prevention (IPS) provided by a managed firewall appliance. For more information, see Fortinet Firewall.
Warning
If you are using 1:1 NAT or Port Forwarding, make sure your firewall rules allow the translated traffic, that is, the addresses and ports as they appear after translation, not only the original ones. A rule written only against the pre-translation address will not match and the translated flow will be dropped.
Note
Applying Changes: Like all networking services in the portal, your Firewall Rules will not be active until you deploy the changes. See Workflows and Applying Changes.