
Azure vWAN SD-WAN NGFW Deployment Guide

7.6.0

(Optional) Creating policy packages

Note

The following policies are provided to allow traffic to flow between branches and hub. They require further security configuration to secure the communication.

The following is a summary of how to create the policy packages:

  1. Create a policy package for branch devices. See Creating the branch policy package and policies.

    These firewall policies leverage the SD-WAN zones and interfaces.

  2. Create a policy package for the Azure hub. See Creating the Azure hub policy package and policies.

Creating the branch policy package and policies

To create the branch policy package and policies:
  1. In FortiManager, go to Policy & Objects.
  2. Create a policy package named Branches:
    1. From the Policy Package menu, select New.

      The Create New Policy Package dialog box is displayed.

    2. Set name to Branches, and click OK.

      The policy package named Branches is created.

  3. In the branches policy package, create a firewall policy named Branch to Azure:
    1. Select the Branches policy package, and click Create New. The Create New Firewall Policy pane opens.
    2. Set the following options, and click OK:

      Name: Branch to Azure
      Incoming Interface: LAN
      Outgoing Interface: HUB1, HUB2
      IPv4 Source Address: Branch network
      IPv4 Destination Address: Datacenter LAN1, Cloud LAN1
      Action: Accept

      Note

      If the security needs of the two hubs differ (for example, the permitted services or the security profiles), split the Branch to Azure rule into one rule per hub.

      The firewall policy is created.

  4. In the branches policy package, create a firewall policy named Direct Internet Access:
    1. Select the Branches policy package, and click Create New. The Create New Firewall Policy pane opens.
    2. Set the following options, and click OK:

      Name: Direct Internet Access
      Incoming Interface: LAN
      Outgoing Interface: WAN1
      IPv4 Source Address: Branch network
      IPv4 Destination Address: all
      Action: Accept
      NAT: Enable

      The firewall policy is created.

  5. Assign the branches policy package to the branch device group:
    1. On the Policy & Objects pane, expand the Branches policy package, and select Installation Targets.
    2. In the toolbar, click Edit. The Edit Installation Targets dialog box opens.
    3. In the Available Entries list, select the Branches group, and click the right arrow (>) to move it to the Selected Entries list.

    4. Click OK.

      The installation target for the branches policy package is the Branches device group.

Creating the Azure hub policy package and policies

To create the Azure hub policy package and policies:
  1. In FortiManager, go to Policy & Objects.
  2. Create a policy package named HUB:
    1. From the Policy Package menu, select New.

      The Create New Policy Package dialog box is displayed.

    2. Set name to HUB, and click OK.

      The policy package named HUB is created.

  3. In the HUB policy package, create a firewall policy named SLA-HealthCheck:
    1. Select the HUB policy package, and click Create New. The Create New Firewall Policy pane opens.
    2. Set the following options, and click OK:

      Name: SLA-HealthCheck
      Incoming Interface: Branches
      Outgoing Interface: HUB-Loopback
      IPv4 Source Address: Overlay Tunnels, 10.10.0.0/16 (create new address object)
      IPv4 Destination Address: all
      Action: Accept

      The firewall policy is created.

  4. In the HUB policy package, create a firewall policy named Branch to Azure:
    1. Select the HUB policy package, and click Create New. The Create New Firewall Policy pane opens.
    2. Set the following options, and click OK:

      Name: Branch to Azure
      Incoming Interface: Branches
      Outgoing Interface: LAN
      IPv4 Source Address: Branch Network
      IPv4 Destination Address: Azure LAN
      Action: Accept

      The firewall policy is created.

  5. Assign the HUB policy package to the hub devices:
    1. On the Policy & Objects pane, expand the HUB policy package, and select Installation Targets.
    2. In the toolbar, click Edit. The Edit Installation Targets dialog box opens.
    3. In the Available Entries list, select the FGT-3lxk3dptizwra000000 and FGT-3lxk3dptizwra000001 devices, and click the right arrow (>) to move them to the Selected Entries list.

    4. Click OK.

      The installation target for the HUB policy package is the FGT-3lxk3dptizwra000000 and FGT-3lxk3dptizwra000001 devices.
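Neither package carries the permitted services, security profiles or logging that the note at the top says must still be configured. As an added example that is not part of the Fortinet guide, the following Python models the four policies from both procedures above and reports, per policy, which of those settings are still missing; treating WAN1 as the internet underlay, HUB-Loopback as an interface that terminates on the hub itself, and the profile names in the hardened rule are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of one FortiOS/FortiManager firewall policy: the GUI options from the
# steps above plus the settings the note leaves to you (services, profiles, logging).
@dataclass
class Policy:
    name: str
    srcintf: set
    dstintf: set
    srcaddr: set
    dstaddr: set
    action: str = "accept"
    nat: bool = False
    service: set = field(default_factory=lambda: {"ALL"})
    profiles: dict = field(default_factory=dict)  # e.g. {"ips-sensor": "default"}
    logtraffic: str = "disable"

INTERNET_IFACES = {"WAN1"}          # assumption: WAN1 is the underlay used for DIA
LOOPBACK_IFACES = {"HUB-Loopback"}  # assumption: traffic that terminates on the hub itself

def audit(policy):
    """Return the hardening gaps in one accept policy as short finding codes."""
    if policy.action != "accept":
        return []
    gaps = []
    if "all" in policy.dstaddr and not policy.dstintf & INTERNET_IFACES:
        gaps.append("dstaddr-all")           # internal rule reaches every destination
    if "ALL" in policy.service:
        gaps.append("service-all")           # no restriction on permitted services
    if not policy.profiles and not policy.dstintf & LOOPBACK_IFACES:
        gaps.append("no-security-profiles")  # no IPS/AV/web filtering on user traffic
    if policy.logtraffic != "all":
        gaps.append("no-logging")            # nothing for the SOC to detect on
    return gaps

# The four policies exactly as the guide specifies them, one list per package.
BRANCHES = [
    Policy("Branch to Azure", {"LAN"}, {"HUB1", "HUB2"}, {"Branch network"},
           {"Datacenter LAN1", "Cloud LAN1"}),
    Policy("Direct Internet Access", {"LAN"}, {"WAN1"}, {"Branch network"}, {"all"}, nat=True),
]
HUB = [
    Policy("SLA-HealthCheck", {"Branches"}, {"HUB-Loopback"},
           {"Overlay Tunnels", "10.10.0.0/16"}, {"all"}),
    Policy("Branch to Azure", {"Branches"}, {"LAN"}, {"Branch Network"}, {"Azure LAN"}),
]
# The DIA rule after the note's "further security configuration" (profile names assumed).
DIA_HARDENED = Policy("Direct Internet Access", {"LAN"}, {"WAN1"}, {"Branch network"}, {"all"},
                      nat=True, service={"HTTP", "HTTPS", "DNS"}, logtraffic="all",
                      profiles={"ips-sensor": "default", "webfilter-profile": "default"})
```

Running audit() over BRANCHES and HUB lists every gap in the as-documented rules, while DIA_HARDENED comes back clean; the SLA-HealthCheck rule is still flagged for its "all" destination, which should be narrowed to the loopback address.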
