VMware NSX-T Administration Guide
Managing firewall policies
To create and configure a firewall policy:
- In FortiManager, go to Policy & Objects > Policy Packages > <desired policy package> > Virtual Wire Pair Policy.
- Click Create New, or double-click an existing policy that FortiManager imported from the FortiGate-VM.
- Configure the policy:
  - In the Name field, enter the policy name.
  - In the Virtual Wire Pair field, select the bidirectional option.
  - For Source Address or Destination Address, select a previously created address.
  - For Service, specify the protocol to apply. This example selects ICMP.
  - For Action, select Accept.
  - Select Flow-based or Proxy-based inspection mode.
  - Under Firewall/Network Options, configure NAT with IPv4/IPv6 dynamic IP address pools if needed.
  - Under Disclaimer Options, display customized messages for certain actions.
  - Under Security Profiles, for SSL/SSH inspection, choose the desired packet inspection level.
  - Under Traffic Shaping Options, set traffic priorities to ease network congestion.
  - To log traffic, enable Log Security Events or Log All Sessions. You can also capture packets with these options, which helps with troubleshooting. Click OK.
- Create other firewall policies as desired. This example has one policy that allows ICMP bidirectionally between the specified sources and destinations, and denies all other traffic.
- Push the policy package to the FortiGate-VM:
  - Right-click the policy package that contains the firewall policies to apply to the FortiGate-VM, then click Install Wizard.
  - Select the FortiGate-VMs where you applied the policy package, then click Next.
  - After FortiManager applies the package, click Finish. The policy package is now installed, and the FortiGate-VM's policy is synchronized with FortiManager.
- Ping from a source to a destination to verify that ICMP passes through the FortiGate-VM, and verify that all other traffic does not.
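The final verification step above is easy to do by hand once, but a repeatable probe catches the common mistake of confirming only that the ping works while never checking that everything else is actually denied. The script below is an added example, not from the Fortinet guide: it runs an ICMP probe and a TCP connect probe from a host on one side of the virtual wire pair toward a host on the other side and reports whether the observed behaviour matches the "allow ICMP, deny the rest" policy package. `DST` and `TCP_PORT` are constructed placeholders, and the script assumes `ping` and `nc` (netcat) are installed on the source host.

```shell
#!/bin/sh
# Added example (not from the Fortinet guide): probe-based check of the
# "allow ICMP only" virtual wire pair policy after the package is installed.
# Run on a host behind one side of the virtual wire pair, aimed at a host on
# the other side. DST and TCP_PORT are constructed placeholders; the script
# assumes ping and nc (netcat) are available on the source host.
DST="${DST:-192.0.2.10}"      # placeholder destination address (RFC 5737 range)
TCP_PORT="${TCP_PORT:-22}"    # placeholder non-ICMP service used to confirm the deny

# expect LABEL WANT CMD...: run CMD, map its exit status to allowed/blocked,
# and compare with WANT ("allowed" or "blocked"). Returns 0 on a match,
# 1 when the firewall did not behave as the policy intends.
expect() {
  label=$1
  want=$2
  shift 2
  if "$@" >/dev/null 2>&1; then
    got=allowed
  else
    got=blocked
  fi
  if [ "$got" = "$want" ]; then
    echo "OK   $label: $got (as expected)"
    return 0
  fi
  echo "FAIL $label: expected $want, got $got"
  return 1
}

# Probes: ICMP echo should pass the virtual wire pair policy; a TCP connect
# to any port should be dropped by the implicit deny.
icmp_probe() { ping -c 3 -W 2 "$DST"; }
tcp_probe()  { nc -z -w 2 "$DST" "$TCP_PORT"; }

# verify_policy runs both probes and returns 0 only when ICMP is allowed
# and the non-ICMP probe is blocked.
verify_policy() {
  rc=0
  expect "ICMP echo to $DST"     allowed icmp_probe || rc=1
  expect "TCP/$TCP_PORT to $DST" blocked tcp_probe  || rc=1
  return "$rc"
}

# Only touch the network when invoked as: DST=<addr> sh verify_policy.sh run
if [ "${1:-}" = "run" ]; then
  verify_policy
fi
```

A `FAIL` on the TCP probe means some other policy in the package (or a policy left on the FortiGate-VM that was not overwritten by the install) is matching that traffic; with Log All Sessions enabled on the policies, the session log on the FortiGate-VM shows which policy ID accepted it.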