Creating a policy set
FortiGate CNF provides two options for creating policy sets:
- Create New > Policy Set by Wizard: For most workloads in AWS, the inbound and outbound policies are very simple. The wizard creates these policies with only a couple of clicks. Once the policy set is created, you can edit the created objects, if needed. For more information about editing the various types of policy objects, see Configuration.
- Create New > Policy Set: Create Address, Service, and Security Profile objects individually and assemble them to form a policy.
For more information about policy set settings, see Editing or viewing a policy set.
To create a new policy set by wizard:
- In Policy Sets, click Create New and select Policy Set by Wizard.
- Enter a name for the policy set and select the Wizard Type:
  - Outbound Basic: Creates an outbound policy that prevents the workload from contacting malicious IP addresses such as command-and-control servers.
  - Outbound Geo Policy: Creates an outbound policy identical to the Outbound Basic type and an inbound policy that blocks incoming traffic from certain geographic locations.
- Enable or disable logging.
- Select the Cloud Platform from the following options:
  - ALL: This policy set can be deployed to AWS or Azure instances.
  - AWS: This policy set can only be deployed to AWS CNF instances.
  - Azure: This policy set can only be deployed to Azure CNF instances.
  This setting cannot be changed after the policy set is created.
- Click Next.
- Select the security profiles to enable, then click Next.
  For more information, see Security profiles.
- If Geographical Boundaries was selected, select the countries to block, then click Next.
- Click Finalize. The policy set is created and can now be installed on one or more FortiGate CNF instances.
To create a new policy set:
- In Policy Sets, click Create New and select Policy Set.
- Enter a Name for the policy set.
- Select the Cloud Platform from the following options:
  - ALL: This policy set can be deployed to AWS or Azure instances.
  - AWS: This policy set can only be deployed to AWS CNF instances.
  - Azure: This policy set can only be deployed to Azure CNF instances.
  This setting cannot be changed after the policy set is created.
- Click OK. The new, empty policy set is created.
- Add policies as needed.
For more information about policy settings, see Editing or viewing a policy set.