
FortiWiFi and FortiAP Configuration Guide

Configuring firewall policies for the SSID


For users on the WiFi LAN to communicate with other networks, firewall policies are required. This section describes creating a WiFi network to Internet policy.

Before you create firewall policies, you need to define any firewall addresses you will need.

Note: To enable IPv6 addresses, go to System > Feature Visibility and enable IPv6.

To create a firewall address for WiFi users - GUI
  1. Go to Policy & Objects > Addresses.
  2. Select Create New, enter the following information and select OK.

     Name: Enter a name for the address. For example, wifi_net.
     Type: Select Subnet.
     Subnet / IP Range: Enter the subnet address. For example, 10.10.110.0/24.
     Interface: Select the interface where this address is used. For example, example_wifi.

To create a firewall address for WiFi users - CLI

    config firewall address
        edit "wifi_net"
            set associated-interface "example_wifi"
            set subnet 10.10.110.0 255.255.255.0
    end

To create a firewall policy - GUI
  1. Go to Policy & Objects > Firewall Policy and select Create New.
  2. In Incoming Interface, select the wireless interface.
  3. In Source Address, select the address of your WiFi network, wifi_net for example.
  4. In Outgoing Interface, select the Internet interface, for example, port1.
  5. In Destination Address, select All.
  6. In Service, select ALL, or select the particular services that you want to allow, and then select the right arrow button to move the service to the Selected Services list.
  7. In Schedule, select always, unless you want to define a schedule for limited hours.
  8. In Action, select ACCEPT.
  9. Select Enable NAT.
  10. Optionally, set up UTM features for wireless users.
  11. Select OK.
To create a firewall policy - CLI

    config firewall policy
        edit 0
            set srcintf "example_wifi"
            set dstintf "port1"
            set srcaddr "wifi_net"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
    end
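
The GUI procedure allows selecting particular services instead of ALL (step 6) and setting up UTM features (step 10), but the CLI listing shows only the permissive form. The following is an added example, not part of the Fortinet guide, of the same policy with those options applied. It assumes the predefined service objects DNS, HTTP and HTTPS and the factory-default security profiles named below are still present on the unit.

```fortios
# Added example: restricted variant of the WiFi-to-Internet policy.
# Assumption: predefined services DNS/HTTP/HTTPS and the factory-default
# profiles "default" and "certificate-inspection" exist on this unit.
config firewall policy
    edit 0
        set srcintf "example_wifi"
        set dstintf "port1"
        set srcaddr "wifi_net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        # Step 6 alternative: allow only the services wireless clients need
        set service "DNS" "HTTP" "HTTPS"
        # Step 10: apply UTM features to wireless users
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "default"
        set ssl-ssh-profile "certificate-inspection"
        # Record every session that matches this policy
        set logtraffic all
        set nat enable
    next
end
```

Traffic from wifi_net that uses any service not listed falls through to later policies and, if none match, is dropped by the implicit deny.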

Note: To configure IPv6 addresses, use set srcaddr6 and set dstaddr6.
