Date published: 2020-06-08

Synapsa Firewall Auditor - Fortinet documentation

1 Source or Destination IP

The same conditions apply for Source and Destination IP.

1.1 Synapsa rules

| Looking for | Value | Description |
| --- | --- | --- |
| exact.ip | 192.168.1.50 | Looking for the exact IP in the address field (*) |
| exact.net | 192.168.1.0/24 | Looking for the exact network in the address field (*) |
| within.net | 192.168.1.0/24 | Looking for any IP or subnet within the network (*) |
| any-ip-address | --- | Matching if SRC/DST is any IP address or network, but not the keyword "any" |
| any | --- | Matching if SRC/DST is the keyword "any" |
| anything | --- | Always matching |

1.2 Matching examples

| Looking for | Example 1 | Example 2 |
| --- | --- | --- |
| exact.ip | 192.168.1.50 | 192.168.1.50, 10.12.50.2 |
| exact.net | 192.168.1.0/24 | 192.168.1.0/24, 10.12.50.2 |
| within.net | 192.168.1.20 | 192.168.1.64/26, 10.1.1.12 |
| any-ip-address | 10.12.50.12, 172.16.20.20 | 10.12.50.0/27, 172.16.20.20 |
| any | any | --- |
| anything | * | * |

1.3 Not matching

| Looking for | Example 1 | Example 2 |
| --- | --- | --- |
| exact.ip | 192.168.1.20 | 10.10.2.30 |
| exact.net | 192.168.1.2/24 | 10.10.2.30 |
| within.net | 192.168.2.50 | 10.15.2.30 |
| any-ip-address | any | --- |
| any | 10.12.50.0/27, 172.16.2.20 | 10.0.0.0/8 |
| anything | --- | --- |
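The Source/Destination IP conditions from the tables above, as an added Python example; this is constructed illustration code, not Synapsa's or Fortinet's own. It assumes the SRC/DST field arrives as the list of address strings the tables print ("192.168.1.50", "192.168.1.0/24" or the keyword "any"); the names match_ip and _as_network are the example's own. The rows fed in at the bottom are taken from the matching and not-matching tables.

```python
import ipaddress
from typing import List, Optional

# Constructed example implementation of the "Source or Destination IP"
# conditions (not Synapsa's own code). A policy's SRC/DST field is modelled
# as a list of strings: "192.168.1.50", "192.168.1.0/24" or the keyword "any".


def _as_network(obj: str, strict: bool):
    """Parse one address object into an ip_network; keywords such as "any" give None.

    strict=True rejects "192.168.1.2/24" (host bits set), which is what the
    exact.* conditions need: that string is not the network 192.168.1.0/24.
    """
    try:
        return ipaddress.ip_network(obj.strip(), strict=strict)
    except ValueError:
        return None


def match_ip(looking_for: str, value: Optional[str], field: List[str]) -> bool:
    """Evaluate one condition keyword against a policy's SRC or DST field.

    Conditions marked (*) in the table match as soon as ONE object in the
    field matches; "any" and "any-ip-address" judge the field as a whole.
    """
    objects = [obj.strip() for obj in field]

    if looking_for == "anything":
        return True                                   # always matches, even "*"
    if looking_for == "any":
        return [o.lower() for o in objects] == ["any"]
    if looking_for == "any-ip-address":
        # Every object must be a real IP or network, so the keyword "any" fails.
        return bool(objects) and all(_as_network(o, strict=False) is not None
                                     for o in objects)

    target = ipaddress.ip_network(value, strict=True)   # "192.168.1.50" -> /32
    if looking_for == "exact.ip":
        # The condition value has to be a single host, and an object matches
        # only if it is that same host (as /32 or /128).
        return target.prefixlen == target.max_prefixlen and any(
            _as_network(o, strict=True) == target for o in objects)
    if looking_for == "exact.net":
        return any(_as_network(o, strict=True) == target for o in objects)
    if looking_for == "within.net":
        nets = (_as_network(o, strict=False) for o in objects)
        return any(n is not None and n.version == target.version
                   and n.subnet_of(target) for n in nets)
    raise ValueError(f"unknown condition keyword {looking_for!r}")


if __name__ == "__main__":
    # Rows copied from the matching / not-matching tables above.
    rows = [
        ("exact.ip", "192.168.1.50", ["192.168.1.50", "10.12.50.2"], True),
        ("exact.net", "192.168.1.0/24", ["192.168.1.2/24"], False),
        ("within.net", "192.168.1.0/24", ["192.168.1.64/26", "10.1.1.12"], True),
        ("any-ip-address", None, ["any"], False),
        ("any", None, ["10.0.0.0/8"], False),
    ]
    for keyword, value, field, expected in rows:
        result = match_ip(keyword, value, field)
        print(f"{keyword:15} {value or '---':16} {', '.join(field):30} -> {result}")
        assert result is expected
```

The strict/non-strict split is the one detail worth keeping in mind when reading the not-matching table: 192.168.1.2/24 is rejected by exact.net because it is not a valid network address, while within.net normalises objects before testing containment, so a sloppily written object still counts as inside its parent network.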

2 Incoming or outgoing Interface

The same conditions apply for the source and destination zone (incoming and outgoing interface).

2.1 Synapsa rules

| Looking for | Value | Description |
| --- | --- | --- |
| interface | Internal1 | Matching if the zone contains the ONE specific zone we are looking for (**) |
| any | any | Matching any interface |

2.2 Matching examples

| Looking for | Example 1 | Example 2 |
| --- | --- | --- |
| interface | Internal1 | --- |
| any | --- | --- |

2.3 Not matching

| Looking for | Example 1 | Example 2 |
| --- | --- | --- |
| interface | DMZ | Internet |
| any | --- | --- |

3 Service

3.1 Synapsa rules

| Looking for | Value | Description |
| --- | --- | --- |
| tcp.port | 443 | Matching exactly TCP/443 (*) |
| tcp.range | 500-600 | Matching exactly the TCP range 500-600, inclusive (*) |
| tcp.port-range_geq | 100 | Matching when the TCP port range is greater than or equal to 100 (*) |
| udp.port | 53 | Matching exactly UDP/53 (*) |
| udp.range | 4500-6500 | Matching exactly the UDP range 4500-6500, inclusive (*) |
| udp.port-range_geq | 100 | Matching when the UDP port range is greater than or equal to 100 (*) |
| port | 5060 | Matching TCP or UDP port 5060 |
| port-range | 5000-6500 | Matching exactly the TCP or UDP range 5000-6500, inclusive |
| port-range_geq | 100 | Matching when the TCP or UDP port range is greater than or equal to 100 |
| any-services | --- | Matching any configured service, but not the keyword "ALL" |
| ALL | --- | Only matching "ALL" |
| anything | --- | Always matching |

3.2 Matching examples

| Looking for | Example 1 | Example 2 |
| --- | --- | --- |
| tcp.port | tcp/443 | tcp/443, udp/500 |
| tcp.range | tcp/500-600 | tcp/500-600, udp/500 |
| tcp.port-range_geq | tcp/500-600 | udp/300-400 |
| udp.port | udp/53 | tcp/500-600, udp/53 |
| udp.range | udp/4500-6500 | udp/4500-6500, udp/53 |
| udp.port-range_geq | udp/700-1000 | udp/20-120 |
| port | tcp/5060, tcp/5070 | udp/5060, tcp/21 |
| port-range | udp/5000-6500 | udp/5000-6500, tcp/700-960 |
| port-range_geq | tcp/100-200 | udp/100-200 |
| any-services | tcp/123, tcp/443, udp/100-200 | tcp/123, tcp/443 |
| ALL | any | --- |
| anything | * | * |

3.3 Not matching

| Looking for | Example 1 | Example 2 |
| --- | --- | --- |
| tcp.port | tcp/400-500 | tcp/22, udp/500 |
| tcp.range | tcp/501-600, udp/500 | tcp/501-600 |
| tcp.port-range_geq | tcp/50-100 | udp/100-1500 |
| udp.port | udp/500 | any |
| udp.range | udp/4500-6499 | udp/4500-6499, tcp/21 |
| udp.port-range_geq | tcp/20-120 | udp/40-90 |
| port | tcp/21 | tcp/5070 |
| port-range | udp/5002-5010 | udp/5001-6500 |
| port-range_geq | tcp/400-450 | tcp/400-450 |
| any-services | any | --- |
| ALL | tcp/123, udp/100-200 | tcp/443 |
| anything | --- | --- |

4 Action

4.1 Synapsa rules

| Looking for | Value | Description |
| --- | --- | --- |
| accept | --- | Matching Allow |
| deny | --- | Matching Deny |
| any | --- | Matching any action |

5 Status

| Looking for | Value | Description |
| --- | --- | --- |
| enabled | --- | Matching enabled policies |
| disabled | --- | Matching disabled policies |
| any | --- | Matching policies of any status |

6 Notes

  1. All keywords for the security zone are case insensitive.
  2. The logical operator between conditions is AND: all conditions have to be True for the whole auditor rule to be True.
  3. The matching values on every line are in bold.

(*) The condition matches if at least one of the objects in the specified field matches the criteria.

(**) The item should contain only one value.
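The Service conditions of section 3, the Action and Status keywords of sections 4 and 5, and the AND combination described in note 2, as one added Python example; this is constructed illustration code, not Synapsa's or Fortinet's own. Its assumptions: a policy's service field is a list of strings in the form the tables use ("tcp/443", "udp/500-600"), the catch-all is the keyword "ALL" (the tables also write it as "any", so both spellings are accepted), a tcp.* or udp.* condition never matches an object of the other protocol (this follows the rule descriptions and the udp.port-range_geq rows, so the udp/300-400 entry in the tcp.port-range_geq matching row is not reproduced), and the "port range" compared by the _geq keywords is hi - lo (hi - lo + 1 gives the same verdicts on every row). The names parse_service, match_service, match_keyword and rule_matches are the example's own.

```python
import re
from typing import List, Optional, Tuple

# Constructed example implementation of the Service, Action and Status
# conditions and of the AND rule from note 2 (not Synapsa's own code).
# Service objects are strings such as "tcp/443" or "udp/500-600"; "ALL" (or
# "any", as some rows above spell it) is the catch-all keyword.

_SERVICE_RE = re.compile(r"^(tcp|udp)/(\d+)(?:-(\d+))?$", re.IGNORECASE)


def parse_service(obj: str) -> Optional[Tuple[str, int, int]]:
    """'tcp/443' -> ('tcp', 443, 443); 'udp/500-600' -> ('udp', 500, 600); keywords -> None."""
    m = _SERVICE_RE.match(obj.strip())
    if not m:
        return None
    proto, lo, hi = m.group(1).lower(), int(m.group(2)), m.group(3)
    return proto, lo, int(hi) if hi else lo


def _is_all(obj: str) -> bool:
    return obj.strip().lower() in ("all", "any")


def _range_of(value: str) -> Tuple[int, int]:
    """'500-600' -> (500, 600); '443' -> (443, 443)."""
    lo, _, hi = value.partition("-")
    return int(lo), int(hi or lo)


def match_service(looking_for: str, value: Optional[str], field: List[str]) -> bool:
    """Evaluate one Service condition keyword against a policy's service field.

    Port and range keywords carry the (*) semantics: one matching object is
    enough. "ALL" and "any-services" judge the field as a whole.
    """
    if looking_for == "anything":
        return True
    if looking_for == "ALL":
        return bool(field) and all(_is_all(o) for o in field)
    if looking_for == "any-services":
        return bool(field) and all(parse_service(o) is not None for o in field)

    # "tcp.port" -> ("tcp", "port"); "port-range_geq" -> ("", "port-range_geq")
    proto, _, kind = looking_for.rpartition(".")
    services = [s for s in map(parse_service, field)
                if s is not None and (not proto or s[0] == proto)]
    if kind == "port":
        port = int(value)
        return any(lo == hi == port for _, lo, hi in services)
    if kind in ("range", "port-range"):
        return any((lo, hi) == _range_of(value) for _, lo, hi in services)
    if kind == "port-range_geq":
        # Assumption: the "range" compared with the value is hi - lo.
        return any(hi - lo >= int(value) for _, lo, hi in services)
    raise ValueError(f"unknown condition keyword {looking_for!r}")


def match_keyword(looking_for: str, actual: str) -> bool:
    """Action ("accept"/"deny") and Status ("enabled"/"disabled"); "any" matches all."""
    return looking_for == "any" or looking_for.lower() == actual.lower()


def rule_matches(conditions: List[Tuple[str, str, Optional[str]]], policy: dict) -> bool:
    """Note 2: conditions are combined with AND, so every one must be True."""
    for field, keyword, value in conditions:
        if field == "service":
            ok = match_service(keyword, value, policy["service"])
        else:                                   # "action" or "status"
            ok = match_keyword(keyword, policy[field])
        if not ok:
            return False
    return True


if __name__ == "__main__":
    # Constructed policy: the "accept ALL, enabled" shape an auditor rule looks for.
    policy = {"service": ["ALL"], "action": "accept", "status": "enabled"}
    wide_open = [("service", "ALL", None), ("action", "accept", None),
                 ("status", "enabled", None)]
    print("wide-open policy flagged:", rule_matches(wide_open, policy))   # True
    policy["service"] = ["tcp/443", "udp/53"]
    print("after narrowing service:", rule_matches(wide_open, policy))    # False
```

Because the conditions are ANDed, an auditor rule gets more selective with every condition added; a rule that only states ("service", "ALL") would flag disabled policies too, which is why the example pairs it with the status keyword.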