
Managing firewall policies

6.4.0

Managing firewall policies

To create and configure a firewall policy:
  1. In FortiManager, go to Policy & Objects > Policy Packages > <desired policy package> > Virtual Wire Pair Policy.
  2. Click Create New or double-click an existing policy that FortiManager imported from the FortiGate-VM.
  3. Configure the policy:
    1. In the Name field, enter the policy name.
    2. In the Virtual Wire Pair field, select the bidirectional option.
    3. For Source Address or Destination Address, select a previously created address.
    4. For Service, specify a protocol to apply. This example selects ICMP.

    5. For Action, select Accept.
    6. Select between Flow and Proxy-based inspection modes.
    7. Under Firewall/Network Options, configure NAT with IPv4/IPv6 dynamic IP address pools if needed.
    8. Under Disclaimer Options, display customized messages for certain actions.
    9. Under Security Profiles, for SSL/SSH inspection, choose the desired packet inspection level.
    10. Under Traffic Shaping Options, set traffic priorities to ease network congestion.
    11. To log traffic, enable Log Security Events or Log All Sessions. You can capture packets with these options, which helps with troubleshooting. Click OK.
  4. Create other firewall policies as desired. This example has one policy that allows ICMP bidirectionally between the specified sources and destinations, and denies all other traffic.
  5. Push the policy package to the FortiGate-VM:
    1. Right-click the policy package that contains the firewall policies to apply to the FortiGate-VM, then click Install Wizard.
    2. Select the FortiGate-VMs where you applied the policy package, then click Next.
    3. After FortiManager applies the package, click Finish. FortiManager has now installed the policy package. The FortiGate-VM now has the policy synchronized with FortiManager.

  6. Ping from a source to a destination to verify that the ICMP traffic passes through the FortiGate-VM, and then verify that all other traffic does not go through it.
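One way to script the check in step 6 from a host on one side of the wire pair, as an added example that is not Fortinet's code: DEST, PORTS and the Linux ping flags are lab assumptions to replace with your own values.

```python
"""Verify a virtual wire pair policy that allows only ICMP.

Run from a host on one side of the wire pair against a host on the other
side. Constructed example; DEST and PORTS are placeholders for a lab.
"""
import socket
import subprocess
import sys

DEST = "192.0.2.10"          # placeholder: host behind the wire pair
PORTS = (22, 80, 443, 3389)  # placeholder: services the policy must block
TIMEOUT = 3                  # seconds; a silent drop shows up as a timeout


def icmp_reachable(host, timeout=TIMEOUT):
    """True if one echo request gets a reply (Linux ping: -W is seconds)."""
    cmd = ["ping", "-c", "1", "-W", str(timeout), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def tcp_outcome(host, port, timeout=TIMEOUT):
    """Classify a TCP connect as 'open', 'refused', 'timeout' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # a RST came back: the SYN reached the host
    except socket.timeout:
        return "timeout"      # no reply at all, consistent with a drop
    except OSError:
        return "error"        # e.g. local routing problem, not policy evidence


def verdict(icmp_ok, tcp_results):
    """The policy is correct only if ICMP passes and no TCP probe got through.

    'open' or 'refused' both mean the FortiGate-VM forwarded the SYN, so the
    implicit deny for non-ICMP traffic is not in effect for that port.
    """
    leaked = sorted(p for p, r in tcp_results.items() if r in ("open", "refused"))
    return icmp_ok and not leaked, leaked


if __name__ == "__main__":
    results = {p: tcp_outcome(DEST, p) for p in PORTS}
    ok, leaked = verdict(icmp_reachable(DEST), results)
    print("policy verified" if ok else f"check failed, leaked ports: {leaked}")
    sys.exit(0 if ok else 1)
```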
