Configuring firewall policies for the SSID
For users on the WiFi LAN to communicate with other networks, firewall policies are required. This section describes how to create a policy that allows traffic from the WiFi network to the Internet.
Before you create firewall policies, you need to define any firewall addresses you will need.
To enable IPv6 addresses, go to System > Feature Visibility and enable IPv6.
To create a firewall address for WiFi users - GUI:
- Go to Policy & Objects > Addresses.
- Select Create New > Address and enter the following information:
    Category: Select Address to create an IPv4 address.
    Name: Enter a name for the address. For example, wifi_net.
    Type: Select Subnet.
    IP/Netmask: Enter the subnet address. For example, 10.10.110.0/24.
    Interface: Select the interface where this address is used. For example, example_wifi.
- When you are finished, click OK.
To create a firewall address for WiFi users - CLI:
    config firewall address
        edit "wifi_net"
            set associated-interface "example_wifi"
            set subnet 10.10.110.0 255.255.255.0
    end
To create a firewall policy - GUI:
- Go to Policy & Objects > Firewall Policy and select Create New.
- In Incoming Interface, select the wireless interface.
- In Source Address, select the address of your WiFi network, wifi_net for example.
- In Outgoing Interface, select the Internet interface, for example, port1.
- In Destination Address, select All.
- In Service, select ALL, or select the particular services that you want to allow, and then select the right arrow button to move the service to the Selected Services list.
- In Schedule, select always, unless you want to define a schedule for limited hours.
- In Action, select ACCEPT.
- Select Enable NAT.
- Optionally, set up UTM features for wireless users.
- Select OK.
To create a firewall policy - CLI:
    config firewall policy
        edit 0
            set srcintf "example_wifi"
            set dstintf "port1"
            set srcaddr "wifi_net"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
    end
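The policy above allows every service and leaves UTM optional. The following Python audit is an added example, not part of the original documentation: it reads an exported "config firewall policy" section and flags accept policies from the WiFi interface that use service ALL or carry no security profiles. The sample config is constructed (policy IDs 1 and 2 and the second policy's service list are assumptions), and the check assumes applied security profiles appear as "set utm-status enable".

```python
import shlex

# Constructed sample: the page's policy (ID 1) and a narrower, hypothetical one (ID 2).
SAMPLE_CONFIG = '''
config firewall policy
    edit 1
        set srcintf "example_wifi"
        set dstintf "port1"
        set srcaddr "wifi_net"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set nat enable
    next
    edit 2
        set srcintf "example_wifi"
        set srcaddr "wifi_net"
        set action accept
        set service "DNS" "HTTP" "HTTPS"
        set utm-status enable
    next
end
'''

def parse_policies(text):
    """Map policy ID -> {setting: [values]}; assumes no nested config blocks."""
    policies, current, in_block = {}, None, False
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # handles quoted, multi-value settings
        if tokens[:3] == ["config", "firewall", "policy"]:
            in_block = True
        elif tokens[:1] == ["end"]:
            in_block, current = False, None
        elif in_block and tokens[:1] == ["edit"] and len(tokens) > 1:
            current = policies.setdefault(tokens[1], {})
        elif current is not None and tokens[:1] == ["set"] and len(tokens) > 1:
            current[tokens[1]] = tokens[2:]
    return policies

def audit(policies, wifi_intf):
    """Return (policy_id, finding) pairs for accept policies sourced from wifi_intf."""
    findings = []
    for pid, p in policies.items():
        if wifi_intf not in p.get("srcintf", []) or p.get("action") != ["accept"]:
            continue
        if "ALL" in p.get("service", []):
            findings.append((pid, "service ALL: every protocol and port is allowed out"))
        if p.get("utm-status") != ["enable"]:
            findings.append((pid, "no security profiles applied to WiFi traffic"))
    return findings
```

Calling audit(parse_policies(SAMPLE_CONFIG), "example_wifi") reports both findings for policy 1 and none for policy 2.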
To configure IPv6 addresses, use