Next generation firewalls have a concept of using objects within firewall policies. There are many benefits to this such as:
- Ability to reuse a single object in multiple firewall rules.
- If an object is used in multiple places but requires a change, only the object needs to be modified instead of each individual rule where it is referenced.
- Simplifies templating the configuration to be deployed over multiple distinct locations.
There are a host of other reasons why the concept of objects has been adopted, but that is out of scope for this post. Instead, I want to focus on the best practices I have used when creating these objects on the FortiGate.
- Always use lower case letters when defining your network objects
- Do not use special characters (with the exception of “-”, “_” and “.”) when defining the objects
- Do not use spaces when using multiple words; instead, use a hyphen (-) or an underscore (_)
- Descriptively name your objects
Important Tip: When defining address objects, do not include the network address in the object name when you are deploying multiple sites with the same policy. The policy references the object by name, so the same name has to be valid at every site even though the subnet behind it differs; a name that embeds 192.168.1.0 becomes misleading the moment a site uses 192.168.2.0/24 instead.
When creating a network object, come up with a descriptive name for the network and preface the network object with an "n" for network. It should follow the nomenclature n-<descriptive_name>.
For example, if I have a home network that my IP cameras are on and they belong to the 192.168.1.0/24 network, I would have the following entry in my FortiGate:
config firewall address
    edit "n-home_ip_cameras"
        set subnet 192.168.1.0 255.255.255.0
    next
end
When creating a range of network addresses, come up with a descriptive name for the range and preface the range object with an "r" for range. It should follow the nomenclature r-<descriptive_name>.
For example, if I have a home network and my IP cameras are in the specific range of 192.168.1.10 – 192.168.1.15, I would have the following entry in my FortiGate:
config firewall address
    edit "r-home_ip_cameras"
        set type iprange
        set start-ip 192.168.1.10
        set end-ip 192.168.1.15
    next
end
Fully Qualified Domain Name (FQDN)
When creating an FQDN object, just use the FQDN as the object name. There is no need to preface this object because the name is already unique: a hostname can only ever correspond to one type of object. Keep in mind that the FortiGate resolves the FQDN using its own DNS settings and the policy matches whatever addresses that lookup returns, so the object only works if the unit's DNS can resolve the name. For example, if I were defining an object for "www.google.com", I would have the following entry on my FortiGate:
config firewall address
    edit "www.google.com"
        set type fqdn
        set fqdn "www.google.com"
    next
end
When creating an address object for geography, use the country name for the object name and preface the geography object with a "g" for geography. It should follow the nomenclature g-<country_name>.
For example, if I want to create a geography object for Canada, I would have the following entry in my FortiGate:
config firewall address
    edit "g-canada"
        set type geography
        set country "CA"
    next
end
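The naming rules above and the "do not put the address in the name" tip are easiest to enforce when the objects are generated rather than typed by hand. The following Python script is an added example, not code from the original post or from Fortinet: it validates object names against the four rules (lower case, no spaces, only "-", "_" and ".", type prefix n-/r-/g- with FQDN objects named by their FQDN, no embedded IP address) and renders the same object template for two sites whose subnets differ. The site names and the second site's addresses are constructed for the example; the generated CLI follows the syntax shown in this post.

```python
"""Generate FortiGate address objects for several sites from one template.

Hypothetical helper written for this post. Object names follow the post's
convention and deliberately omit the subnet, so one policy template that
references "n-home_ip_cameras" is valid at every site.
"""
import ipaddress
import re

# Lower case letters, digits and only "-", "_" and "." as separators.
NAME_RE = re.compile(r"^[a-z0-9][a-z0-9._-]*$")
PREFIX = {"subnet": "n-", "iprange": "r-", "geography": "g-"}
# Four octet-like groups separated by ".", "_" or "-": an IP address hidden in a name.
ADDR_IN_NAME_RE = re.compile(r"\d{1,3}[._-]\d{1,3}[._-]\d{1,3}[._-]\d{1,3}")

# One template shared by every site: (object name, object kind).
TEMPLATE = [
    ("n-home_ip_cameras", "subnet"),
    ("r-home_ip_cameras", "iprange"),
    ("www.google.com", "fqdn"),
    ("g-canada", "geography"),
]

# Constructed per-site values; only these differ between sites, never the names.
SITES = {
    "site-a": {
        "n-home_ip_cameras": "192.168.1.0/24",
        "r-home_ip_cameras": "192.168.1.10-192.168.1.15",
        "www.google.com": "www.google.com",
        "g-canada": "CA",
    },
    "site-b": {
        "n-home_ip_cameras": "10.20.1.0/24",
        "r-home_ip_cameras": "10.20.1.10-10.20.1.15",
        "www.google.com": "www.google.com",
        "g-canada": "CA",
    },
}


def validate_name(name: str, kind: str) -> list:
    """Return the convention rules that `name` breaks for an object of `kind`."""
    problems = []
    if " " in name:
        problems.append("contains spaces")
    if name != name.lower():
        problems.append("contains upper case letters")
    if not NAME_RE.match(name):
        problems.append("contains characters other than a-z, 0-9, '-', '_', '.'")
    if kind == "fqdn":
        return problems  # the FQDN itself is the name; no prefix expected
    if not name.startswith(PREFIX[kind]):
        problems.append(f"missing '{PREFIX[kind]}' prefix")
    if ADDR_IN_NAME_RE.search(name):
        problems.append("embeds an IP address (breaks multi-site templating)")
    return problems


def render_object(name: str, kind: str, value: str) -> list:
    """Emit the FortiGate CLI lines for one 'config firewall address' entry."""
    if kind == "subnet":
        net = ipaddress.ip_network(value, strict=True)  # rejects host bits set
        body = [f"set subnet {net.network_address} {net.netmask}"]
    elif kind == "iprange":
        start, end = (ipaddress.ip_address(v.strip()) for v in value.split("-"))
        if end < start:
            raise ValueError(f"{name}: range end {end} precedes start {start}")
        body = ["set type iprange", f"set start-ip {start}", f"set end-ip {end}"]
    elif kind == "fqdn":
        body = ["set type fqdn", f'set fqdn "{value}"']
    elif kind == "geography":
        body = ["set type geography", f'set country "{value}"']
    else:
        raise ValueError(f"unknown object kind {kind!r}")
    return [f'    edit "{name}"'] + [f"        {line}" for line in body] + ["    next"]


def render_site(site: str) -> str:
    """Render the whole address block for one site, refusing bad names."""
    values = SITES[site]
    lines = ["config firewall address"]
    for name, kind in TEMPLATE:
        problems = validate_name(name, kind)
        if problems:
            raise ValueError(f"{name}: {', '.join(problems)}")
        lines += render_object(name, kind, values[name])
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    for site in SITES:
        print(f"# {site}")
        print(render_site(site))
```

Both sites come out with identical object names, so a policy that references "n-home_ip_cameras" can be pushed unchanged to either unit; only the `set subnet` and range lines differ. A name such as n-lan-192.168.1.0 is rejected by `validate_name` before any CLI is produced.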