FortiGate Naming Schema
While browsing around for firewall object/policy naming suggestions, I found this post on Reddit. While it's a nice and very thorough document, I do suggest (as this is what I did) that you take the info and make it your own. Essentially, reading that post gave me some good ideas in the direction I wanted to take my firewall naming schema.
A suggested nomenclature for FortiGate firewall configurations, as first documented by /u/VeryStrongBoi in the following thread:
Firewall object naming - What's your standard?
Note: The following information is for inspiration only. No responsibility is assumed for any configuration implemented based on these suggestions.
Guiding Principles
Character Limitations
FortiOS has some limitations regarding lengths of object names, so try to use shorter names or abbreviations, where possible, with the comments fields being used for additional elaborations where needed.
Case Sensitivity
FortiOS runs on Linux, and Linux is case sensitive, so do not mix upper and lower case. The preference should be for all object names to be lower case, except for objects that are by default all upper case, such as service objects, so new/custom service objects should also be all upper case.
White Space
White space can create difficulties for parsers in many automation, documentation, and logging systems, so spaces should never be used in object names; instead, dashes (-) should be used to separate words.
Special Characters
Special characters can also create difficulties for parsers in many systems, so the only special characters that should be used in object names are dashes (-) and underscores (_), and never characters like ! @ # $ % ^ & * ( ) ~ + = etc., even when FortiOS itself allows it.
Mutability
Unchangeable names (e.g., interfaces) should be named in such a way that they never need to be changed, so they should be named according to their objective essence (which cannot change) rather than their use case (which can change). The alias field (which is changeable) can then be named according to the current use case.
Names which can easily be changed (e.g., address objects) should be named according to their use case or their FQDN.
Object Types
There can be many different types of objects that share the same use case, and so would share the same name based on the above principle; but sharing the same name may be impossible in FortiOS in some cases, and even when possible, will still be confusing for humans. Therefore, each name should be suffixed by its object type, separated by an underscore (_).
Example: Imagine a webserver whose FQDN is web01.example.local, which has a private IP address of 192.168.1.11 and a public IP address of 4.4.4.4, with a 1-to-1 VIP object performing NAT. In this case, the private IP address object would be named web01.example.local_priv (for "private IP"), whereas the VIP object would be named web01.example.local_vip. Additionally, you might need a MAC address object for the same server, which would be named web01.example.local_mac.
Numbering
Multiple instances of the same object type for the same use case should be suffixed with a number that increments from 1. If you expect to never need more than 9 of an object, this can be a 1-digit number, but if you may need up to 99 of an object, it should be a 2-digit number, etc.
Example: If web01.example.local needed two different private IP address objects (such as if it were dual-homed), these would be named web01.example.local_priv01 and web01.example.local_priv02.
Object Type Groups
Group names should also be suffixed with their type, but in the plural form, indicating a collection of more than one of that object.
Example: A group of _priv objects would be named _privs. A group of _vip objects would be named _vips. A group of _mac objects would be named _macs, etc.
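The guiding principles above (case, white space, special characters, type suffix, numbering, plural groups) are easy to state and easy to drift from in a large config, so here is a checker for them. This is an added example I wrote for this page, not code from the Reddit post or from Fortinet; the set of type suffixes is collected from the sections that follow, and interface names and the <cluster>:<port>_vlb form are deliberately out of scope.

```python
import re

# Added example (constructed, not from the post or from Fortinet): check an object name
# against the guiding principles above. Interface names (po1.0002, npu0-vlink0) and the
# <cluster>:<port>_vlb form are out of scope; service objects have their own check.
OBJECT_TYPES = {
    "mac", "priv", "pub", "subnet", "fqdn", "geo", "range", "isdb", "vip", "vlb",
    "overload", "one-to-one", "av", "wf", "df", "ac", "ips", "waf", "ssl", "prot",
    "zone", "services", "users", "ldap", "radius",
}
NUMBERED = {"priv", "pub", "subnet"}  # the only types the schema gives an NN suffix
# <use-case or fqdn>_<type-suffix>[NN]
NAME_RE = re.compile(r"^([a-z0-9][a-z0-9.\-]*)_([a-z\-]+)(\d{1,2})?$")

def check_object_name(name):
    """Return a list of rule violations; an empty list means the name conforms."""
    problems = []
    if name != name.strip() or " " in name:
        problems.append("whitespace: use dashes to separate words")
    if re.search(r"[^A-Za-z0-9._\-]", name):
        problems.append("special characters: only dashes and underscores are allowed")
    if name != name.lower():
        problems.append("case: object names are all lower case")
    if problems:
        return problems
    m = NAME_RE.match(name)
    if not m:
        return ["structure: expected <use-case or fqdn>_<type>[NN]"]
    _base, suffix, num = m.groups()
    # A plural suffix (_privs, _geos) marks a group of that object type.
    is_group = suffix not in OBJECT_TYPES and suffix.endswith("s") and suffix[:-1] in OBJECT_TYPES
    if suffix not in OBJECT_TYPES and not is_group:
        problems.append(f"type: unknown object-type suffix '_{suffix}'")
    elif num is not None and is_group:
        problems.append("numbering: a group name is plural, not numbered")
    elif num is not None and suffix not in NUMBERED:
        problems.append(f"numbering: '_{suffix}' objects are not numbered in this schema")
    return problems

def check_service_name(name):
    """Service objects follow the built-ins: ALL CAPS, with an optional -ALTNN suffix."""
    return re.fullmatch(r"[A-Z0-9_]+(-ALT\d{2})?", name) is not None
```

Run check_object_name over the names exported from a FortiGate (for example the edit lines of config firewall address) to get a per-name list of violations before a naming clean-up.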
Interfaces
Loopback Interface
- Name: loN, where lo means "loopback" (like in Cisco terminology) and N is the number of the loopback interface, which increments from 1.
- Alias: <use-case>_loopback, where <use-case> is what this loopback will be used for.
Example: If you just had a single loopback for all management functions, then the alias for lo1 would be mgmt_loopback. If you were going to have different loopbacks for different management functions, you might have something like lo1:ntp_loopback, lo2:dns_loopback, lo3:bgp_loopback, etc.
LACP 802.3ad Aggregate Interface
- Name: poN, where po means "port channel" (like in Cisco terminology) and N is the number of the port channel, which increments from 1.
- Alias: <use-case>_trunk, where <use-case> is what this trunk will be used for, and "trunk" is Fortinet's terminology for a LACP Aggregate.
Example: po1 might have an alias of core_trunk.
Hardware Switch Interface
- Name: swN, where sw means "switch" and N is the number of the switch interface, which increments from 1.
- Alias: <use-case>_switch, where <use-case> is what this switch will be used for.
Example: sw1 might have an alias of lan_switch.
Tip: Consider disabling all unused physical ports on the FortiGate (for both security and stability reasons). Put all of them into a special switch object named sw0 with alias disabled_switch, and then just disable that whole switch object.
Software Switch
Never use these, because they can’t do hardware acceleration. The only time to use a software switch is if you have a FortiGate that can’t support hardware switches, in which case, you should try to just use a LACP Aggregate to a physical switch to do your switching.
If you must use a software switch, just follow the same naming convention for a hardware switch.
Physical Interface
Physical interfaces cannot be renamed, but also they should never be used in your configuration, because they are completely inflexible and will create reference hell for you if you ever need to add/change the underlying physical interfaces. So instead, always create either a LACP Aggregate or a Hardware Switch Interface to add your physical interfaces to, even if you only need a single interface today.
NPU VDOM Link
- Name: These are hard-coded as npuN-vlinkM, where N is the NPU number, incrementing from 0, and M is the vlink number (either 0 or 1).
- Alias: These cannot have aliases.
Tip: We will not be using the NPU VDOM Links themselves, but instead 802.1q VLAN sub-interfaces on the VDOM links, so that we can have up to 4096 hardware-accelerated VDOM links per NPU.
Software VDOM Links
Do not use these, because they cannot be hardware accelerated.
VLAN Interfaces
- Name: <base-interface>.VVVV, where <base-interface> is the base interface of which this VLAN interface is a sub-interface, and VVVV is the 4-digit VLAN ID according to 802.1q.
- Alias: <use-case>_vlan
Examples:
- po1.0002 might have an alias of inf_vlan (where inf means infrastructure, such as servers and management IPs of network infrastructure).
- po1.0003 might have an alias of user_vlan.
- po1.0004 might have an alias of voip_vlan.
- po1.0005 might have an alias of guest_vlan.
- po1.0006 might have an alias of iot_vlan (where iot means Internet of Things, such as printers, cameras, building automation sensors, and other low-security headless devices).
- Alternatively, if you're using a hardware switch instead of a LACP Aggregate, sw1.0002 might have an alias of inf_vlan, etc., as above.
- npu0-vlink0.0002 might have an alias of <vdom01>_vlink while npu0-vlink1.0002 might have an alias of <vdom02>_vlink (thus linking vdom01 with vdom02).
SSID Interfaces
- Name: ssidN, where N is the number of the SSID interface, which increments from 1.
- Alias: <use-case>_ssid, where <use-case> is what this SSID will be used for.
Example: ssid1 might have an alias of corp_ssid, and ssid2 might have an alias of guest_ssid.
IPsec VPN Phase-1 Interfaces
- Name: <use-case>_tunN, where tun means "tunnel" and N is the number of the tunnel, which increments from 1.
- Alias: As of FortiOS 6.4, IPsec VPN Phase-1 Interfaces cannot have aliases, which is why the use case is in the name instead, so the use-case name must be relatively short/abbreviated.
Zones
- Name: <use-case>_zone
- Alias: Zones cannot have aliases as of FortiOS 6.4, but you can use the comments field for additional elaboration if needed.
Examples:
- inside_zone might be the name for the zone that will collect all of the "inside" interfaces protected behind this FortiGate.
- wan_zone might be the name for the (SD-WAN) zone that will collect all of the "wan" interfaces connected to this FortiGate.
- tun_zone might be the name for the (SD-WAN) zone that will collect all of the "tunnel" IPsec interfaces connected to this FortiGate.
Tip: All interfaces that will have IPv4/6 firewall policies applied should be added to a zone, so that all policies are zone-based and not interface-based. This greatly enhances policy consolidation and makes future interface changes/additions much easier and quicker.
Address Objects
Device/MAC Objects
- Name: <fqdn>_mac. Comments can be used for additional elaboration.
Subnet Objects
For a /32 in the RFC 1918 (private) IP space:
- Name: <fqdn>_priv, or <fqdn>_privNN if more than one _priv will be needed for that same FQDN.
For a /32 outside of the RFC 1918 space:
- Name: <fqdn>_pub, or <fqdn>_pubNN if more than one _pub will be needed for that same FQDN.
For a prefix shorter than /32:
- Name: <use-case>_subnet, or <use-case>_subnetNN if more than one _subnet will be needed for that same use case.
Comments can be used for additional elaboration.
FQDN Objects
- Name: <fqdn>_fqdn. Comments can be used for additional elaboration.
GeoIP Objects
- Name: <country-abbreviation>_geo
IP Range Objects
- Name: <use-case>_range. Comments can be used for additional elaboration.
Tip: Do not use a _range object when a subnet object could be used instead.
Custom ISDB Objects
- Name: <use-case>_isdb
VIP Objects of Type static-nat
For a 1-to-1 Destination NAT:
- Name: <fqdn>_vip
For an N-to-N Destination NAT range:
- Name: <use-case>_vip
For a 1-to-M Destination PAT:
- Name: <fqdn>-<service>_vip
Example: web01.example.com-ssh_vip for port 22 and web01.example.com-http_vip for port 80.
Address Group Objects
- Name: <fqdn | use-case>_<object-type>s, where the s indicates plurality.
Examples:
- company-asn_subnets might contain all of the subnets for the company's ASN, such as company-asn_subnet01 and company-asn_subnet02.
- ban_geos might include all of the GeoIP objects that you want to block, such as china_geo and iran_geo.
- sslvpn_geos might include all of the GeoIP objects for which you want to allow SSL VPN connections.
- web01.example.com_vips might contain both web01.example.com-ssh_vip and web01.example.com-http_vip.
- hairpin_vips might contain all of the VIP objects for which you want to allow hairpin NAT.
- collab_isdbs might contain the ISDB objects for Zoom, Teams, WebEx, Slack, etc.
Tip: Groups should always be preferred over individual objects for creating policies and routes, as this makes it easier to facilitate changes/additions in the future.
Special Address Objects
VIP Objects of type server-load-balance (aka Virtual Servers)
- Name: <cluster-name>:<port>_vlb, where vlb means "virtual load balancer".
IP Pools (aka Source NAT objects)
For an overload pool:
- Name: <use-case>_overload
For a 1-to-1 pool:
- Name: <use-case>_one-to-one
As of FortiOS 6.4, neither VIP Objects nor IP Pools can be added to groups.
Service Objects
Single Service Object
- Name: <SERVICE-NAME> in ALL CAPS, because all of the default service objects are in all caps.
Special Case: Alternate ports for default service(s) should be suffixed with -ALT01.
- E.g., HTTPS-ALT01 could be TCP/9443, and HTTPS-ALT02 could be TCP/10443, etc.
Service Group Objects
- Name: <use-case>_services, lower case.
Examples:
- web_services might contain HTTP, HTTPS, and ALL_ICMP.
- webamin_services might contain SSH, HTTP, HTTPS, and ALL_ICMP (where webamin is short for "web administration").
Tip: Service groups should be preferred in policies to facilitate easier changes/additions.
Tip: ALL_ICMP should generally be added to most service groups to allow for easier troubleshooting and better functionality of services like PMTUD, although security considerations in some cases might warrant restrictions on some ICMP types and codes.
Security Profiles
Antivirus
- Name: <use-case>_av
Example: You might have both flow_av and proxy_av.
Web Filter
- Name: <use-case>_wf
Example: You might have both corp_wf and guest_wf.
DNS Filter
- Name: <use-case>_df
Example: You might have both corp_df and guest_df.
Application Control
- Name: <use-case>_ac
Example: You might have both corp_ac and guest_ac.
Intrusion Prevention
- Name: <filters>_ips
Example: You might have both client_ips (to protect clients that connect outbound to the internet) and win-server-iis_ips (to protect a Windows IIS server), as well as lin-server-apache_ips (to protect a Linux Apache server), etc.
Tip: Using as specific an IPS filter as possible for a given flow will greatly improve the efficiency of the IPS Engine's processing.
WAF
- Name: <use-case | fqdn>_waf
Example: You might have web01.example.com_waf and web02.example.com_waf, with different configurations for two different web servers that you need to protect.
SSL Inspection
- Name: <use-case | fqdn>_ssl
Examples:
- For basic outbound certificate inspection, you might have client-cert_ssl.
- For deep SSL inspection outbound, you might have client-deep_ssl.
- For deep SSL inspection inbound protecting a single server (or multiple servers with SNI in FortiOS 7.0 or higher), you might have web01.example.com_ssl.
Protocol Options
- Name: <use-case>_prot
Example: You might have both default_prot and comfort-clients_prot.
Firewall Policies
For an allow policy:
- Name: [this]>[that], where [this] is the name of the source and [that] is the name of the destination.
Examples:
- lan_subnets>wan
- corp_subnets>dc01.example.com
For a deny policy:
- Name: [this]>[that]_deny, where [this] is the name of the source and [that] is the name of the destination.
Example: lan_subnets>ban-geos_deny
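Because the policy name encodes the source, the destination and (via _deny) the intended action, it can be cross-checked against the policy's real fields: a policy named *_deny whose action is accept is exactly the kind of drift a reviewer wants surfaced. The following audit is an added example of mine, not code from the post or from Fortinet; the policy records are constructed to mimic a FortiGate policy's name/srcaddr/dstaddr/action fields and are not exported configuration.

```python
import re

# Added example (constructed, not from the post or from Fortinet): audit policy names of
# the form [this]>[that] / [this]>[that]_deny against the policy's configured fields.
# Sample records are constructed; they mimic the name/srcaddr/dstaddr/action fields of a
# FortiGate policy but are not exported configuration.
POLICIES = [
    {"name": "lan_subnets>wan", "srcaddr": ["lan_subnets"], "dstaddr": ["all"], "action": "accept"},
    {"name": "corp_subnets>dc01.example.com", "srcaddr": ["corp_subnets"],
     "dstaddr": ["dc01.example.com_priv"], "action": "accept"},
    {"name": "lan_subnets>ban-geos_deny", "srcaddr": ["lan_subnets"], "dstaddr": ["ban_geos"], "action": "deny"},
    {"name": "guest_subnets>inf_subnets_deny", "srcaddr": ["guest_subnets"],
     "dstaddr": ["inf_subnets"], "action": "accept"},   # name says deny, config says accept
    {"name": "Allow Web", "srcaddr": ["web01.example.com_priv"], "dstaddr": ["all"], "action": "accept"},
]

POLICY_RE = re.compile(r"^([a-z0-9][a-z0-9.\-_]*)>([a-z0-9][a-z0-9.\-_]*?)(_deny)?$")
GROUP_RE = re.compile(r"_[a-z\-]+s$")  # plural type suffix marks a group (_subnets, _vips, ...)

def parse_policy_name(name):
    """Return (source, destination, action implied by the name), or None if non-conforming."""
    m = POLICY_RE.match(name)
    if not m:
        return None
    src, dst, deny = m.groups()
    return src, dst, ("deny" if deny else "accept")

def audit_policies(policies):
    """Flag names that break the convention, contradict the action, or reference lone objects."""
    findings = []
    for p in policies:
        parsed = parse_policy_name(p["name"])
        if parsed is None:
            findings.append((p["name"], "non-conforming name"))
            continue
        _src, _dst, implied = parsed
        if implied != p["action"]:
            findings.append((p["name"], f"name implies {implied} but action is {p['action']}"))
        # The schema prefers groups in policies; "all" is the built-in catch-all.
        for addr in p["srcaddr"] + p["dstaddr"]:
            if addr != "all" and not GROUP_RE.search(addr):
                findings.append((p["name"], f"individual object '{addr}'; prefer a group"))
    return findings

if __name__ == "__main__":
    for name, issue in audit_policies(POLICIES):
        print(f"{name}: {issue}")
```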
User and Authentication Objects
User Group
- Name: <group-name>_users
LDAP Server
- Name: <fqdn-of-server>_ldap
RADIUS Server
- Name: <fqdn-of-server>_radius