How to Set Up Firewall Policies on FortiGate: A Step-by-Step Guide to Secure Your Network

FortiGate firewalls have more than a few capabilities, among them are deep packet inspection, threat intelligence integration, and application control for thousands of applications. 

That said, many deployments fail their users - albeit,  not because of missing features, but because policies are built like textbook examples that don't survive the real-world complexities. 

Usually, systems are expected to operate under ideal conditions, but in reality, behavior can vary, and those conditions are rarely consistent or perfect. As such, the difference between FortiGate success and failure lies in understanding that misconfigured rules can leave gaps for attackers, while overly restrictive setups can also hinder productivity.

Take, for instance, the example  of a "simple" web application making API calls to twelve cloud services, uses non-standard ports, and requires certificate handling that could break under deep inspection. 

Therefore, the organizations that stay secure think beyond textbook configurations and build policies that anticipate how modern applications actually communicate. 

In this post, we’ll walk through a step-by-step guide to secure your network with necessary firewall policies. But before we get into FortiGate configurations, there’s one critical prerequisite you must address: backups.

Step 0: Backup Everything Before You Begin

First and foremost: before making any policy changes, establish automated configuration backups. 

Unlike many other firewalls, FortiGate implements changes immediately without commit steps. Human errors are inevitable, and there's no foolproof mechanism to prevent accidental configurations.

Enable SCP backup capability and implement regular automated backups. This single step can save countless deployments from catastrophic misconfigurations. 

Now that your safety net is in place, let’s dive into the step-by-step guide to securing your firewall with precision and confidence.

Step-by-Step Guide to Secure Your Firewall Network

Step 1: Access the FortiGate Interface

Log in to your FortiGate web portal at https://<your-fortigate-IP> and navigate to Policy & Objects > Firewall Policy.

Pro Tip: Create a dedicated API user under System > Administrators with granular permissions. 

This single step helps with future automations, SIEM integration, and compliance reporting without emergency changes.

Step 2: Define Address Objects That Scale

Create reusable address objects at Policy & Objects > Addresses > Create New. Build objects such as "HR-Servers" or "Sales-Team" with descriptive names and IP ranges.

The naming convention strategy will be useful in the long haul as structured naming eliminates ambiguity. A few examples are:

  • BIZ-FINANCE-SERVERS  for business grouping
  • APP-SALESFORCE-ENDPOINTS for application grouping

This approach ensures that your policies remain transparent and scalable over time, especially when troubleshooting with CLI tools later on.

Step 3: Create Strategic Firewall Policies

Crafting firewall policies that are both efficient and secure starts with intention. Navigate to Firewall Policy > Create New to define rules tailored to your specific network environment.

Tips for Effective Policy Creation

  • Avoid the ANY/ALL Trap: One of the most common pitfalls is using "ANY" or "ALL" in service fields. While it may seem convenient, this approach often leads to FortiGate devices overloading and entering conserve mode, a state no admin wants. Instead, adopt a more targeted strategy.
  • Align Profiles with Their Purpose: Use Web Filtering profiles strictly for HTTP/HTTPS traffic (ports 80/443) and apply Spam Filtering profiles only to email ports. The key is specificity, which ensures each security profile maps directly to the service it’s meant to protect.

With the core principles set, it’s time to refine the technical details of your firewall policies to ensure visibility, and performance:

  • Interfaces: Start by defining the direction of traffic. For instance, from WAN1 to your internal LAN. Always enable Security Profiles and ensure logging for allowed traffic is turned on. This gives you continuous visibility into what’s flowing through your network.
  • Source & Destination: Use well-defined address objects instead of broad or vague entries. This not only tightens control but also helps prevent misrouting and makes your policy set more manageable.
  • Action: Every rule should serve a clear purpose. Whether you're setting it to Accept or Deny, base the decision on a well-documented business need, not convenience or habit.

By getting granular with your firewall rules and service mappings, you’re not just reducing risk, you’re boosting performance and keeping your FortiGate operating smoothly.

Step 4: Master the CLI for Complete Control

Many configuration options are only available through CLI, not the GUI. When you can't find a setting in the interface, it's likely fully available on the command line.

Always check System >  Feature Visibility to ensure GUI features are enabled, but prepare to use CLI for advanced configurations. 

Configuration restrictions and limits differ between the GUI and CLI interfaces.

Step 5: Prioritize for Performance and Security

FortiGate processes policies top-to-bottom. Position-specific policies are above broader ones, but consider actual traffic volume, not just security logic.

Make sure to monitor policy hit counts and optimize based on actual usage patterns. Place frequently matched rules higher in the policy list to improve processing efficiency.

Step 6: Test Beyond Basic Validations

Use Tools > Packet Capture and Security Events Logs for basic validation, but test from multiple user perspectives, such as employees accessing cloud apps, remote workers, and mobile devices.

How Metron Simplifies FortiGate Integration

Managing FortiGate policies becomes complex when they need to work seamlessly with your existing security tools. 

Fortunately, Metron specializes in integrating different security platforms and ensures:

  • Multi-Vendor Policy Coordination: When FortiGate policies need to align with cloud security, endpoint protection, and identity management tools, our integrations ensure a consistent security posture across all systems.
  • Automated Synchronization: Changes in one security tool automatically update relevant policies in FortiGate and other integrated platforms, eliminating manual coordination errors.
  • Unified Reporting: Consolidated security dashboards that show how FortiGate policies perform alongside your other security investments. No more switching between multiple vendor consoles.

The Bottom Line

FortiGate policies are powerful when designed with both security principles and business reality in mind. The most secure networks aren't fortress-like barriers. They're intelligent filters that stop threats while enabling business operations.

Start with solid fundamentals, build in business intelligence, and continuously adapt as threats and business needs evolve

Ready to integrate your FortiGate with your existing security stack? Metron's integration platform ensures your security tools work together seamlessly. Connect with us through connect@metronlabs.com, and our team would love to help you out.