Information
We want to make sure that every security policy in effect clearly states which protocols/services it allows.
Rationale:
This is to make sure that the firewall does not allow traffic with unauthorized protocols/services by mistake.
Solution
In this example, we will modify the policy with ID 2 to change its service from 'ALL' to FTP and SNMP.
In CLI:
FGT1 # config firewall policy
FGT1 (policy) # edit 2
FGT1 (2) # set service 'FTP' 'SNMP'
FGT1 (2) # end
FGT1 #
In the GUI:
Click Policy & Objects -> IPv4 Policy. Select the policy and click 'Edit'. In the Service section, click the service field and select FTP and SNMP. Click OK.
Default Value:
By default, every new policy has 'ALL' in its service field.
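Because new policies default to 'ALL', a periodic audit of the policy table is the practical way to catch the ones this recommendation is about. The following script is an added example, not part of the original page or a Fortinet tool: it parses the 'config firewall policy' section of a FortiGate configuration export (the text you get from 'show firewall policy') and reports every accept policy whose service list still contains ALL. The sample configuration embedded in it is constructed for illustration; the parsing of 'set name', 'set action' and 'set service' follows the quoted 'set key "value" ...' layout of FortiOS config dumps, and the assumption that an omitted 'set action' means deny reflects that FortiOS omits default values from 'show' output.

```python
import re

# Constructed sample of "show firewall policy" output (not captured from a real
# device). Policy 2 is the one the procedure above changes to FTP and SNMP.
SAMPLE_CONFIG = """config firewall policy
    edit 1
        set name "lan-to-wan-web"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
    edit 2
        set name "mgmt-servers"
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "block-guest"
        set srcintf "guest"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end
"""

# Matches each quoted value in a line such as: set service "FTP" "SNMP"
# Single quotes are accepted too, as typed in the CLI example above.
QUOTED_VALUE = re.compile(r'["\']([^"\']+)["\']')


def parse_policies(config_text):
    """Return {policy_id: {"name", "action", "service"}} from the
    'config firewall policy' ... 'end' block of a FortiOS config dump."""
    policies = {}
    current = None
    in_section = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_section = True
            continue
        if not in_section:
            continue
        if line == "end":
            break
        m = re.match(r"edit (\d+)$", line)
        if m:
            current = int(m.group(1))
            # Assumption: FortiOS omits defaults from 'show', and the default
            # action is deny, so a policy with no 'set action' line is a deny.
            policies[current] = {"name": "", "action": "deny", "service": []}
            continue
        if line == "next":
            current = None
            continue
        if current is None:
            continue
        if line.startswith("set service "):
            policies[current]["service"] = QUOTED_VALUE.findall(line)
        elif line.startswith("set name "):
            policies[current]["name"] = line.split(" ", 2)[2].strip('"')
        elif line.startswith("set action "):
            policies[current]["action"] = line.split(" ", 2)[2]
    return policies


def find_all_service_accepts(policies):
    """IDs of accept policies whose service list contains ALL.
    Deny policies are skipped: 'ALL' there blocks rather than allows."""
    return sorted(
        pid for pid, p in policies.items()
        if p["action"] == "accept" and any(s.upper() == "ALL" for s in p["service"])
    )


if __name__ == "__main__":
    found = parse_policies(SAMPLE_CONFIG)
    for pid in find_all_service_accepts(found):
        print(f"policy {pid} ({found[pid]['name']}): service is ALL, restrict it")
```

Run it against a saved 'show firewall policy' export (replace SAMPLE_CONFIG with the file contents) and fix each reported policy with the CLI or GUI steps given in the Solution section; once policy 2 is changed to FTP and SNMP, the script reports nothing for it.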