Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • SD-WAN Deployment for MSSPs

    Home FortiGate / FortiOS 6.4.0 SD-WAN Deployment for MSSPs
    6.4.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0

    Configuring firewall policies (Edge)

    Configuring firewall policies (Edge)

    Just like on the hub, the firewall policies control and secure what traffic is permitted, and from which source and to which destination.

    Following is a summary of how to configure firewall policies:

    1. Create a new policy package for Edge devices and assign it to the Edge group. See Creating a new policy package.
    2. Configure 3 rules for the edge devices. See Creating rules.

    Creating a new policy package

    To create a new policy package:
    1. In Policy & Objects, create a new Policy Package called Edge, and add the Device Group Edge to its installation targets:

    Creating rules

    To create rules
    1. Create the following Firewall Policy:

      Name

      From

      To

      Src

      Dst

      Service

      NAT

      Action

      Corporate

      lan overlay

      lan overlay

      CORP_LAN

      CORP_LAN

      ALL

      No

      Accept

      Internet (DIA)

      lan

      underlay

      all

      all

      ALL

      Yes

      Accept

      Internet (RIA)

      lan

      overlay

      all

      all

      ALL

      No

      Accept

      Notes:

      • The SD-WAN Zones underlay and overlay were automatically created to be used in the Firewall Policy
      • The Firewall Policy distinguishes between Direct Internet Access (DIA, from the Edge itself) and Remote Internet Access (RIA, via the Hub), potentially applying different security features in each case. One common example shown above is Source NAT which is only applied to the traffic using DIA.
      • It is highly recommended to enable Application Control, especially on the Firewall Policy controlling Internet traffic. For accurate application identification, it is also highly recommended to enable SSL Inspection. This functionality is required for SD-WAN Application-aware traffic steering and is also used to populate SD-WAN widgets and reports.

    Previous
    Next

    Configuring firewall policies (Edge)

    Configuring firewall policies (Edge)

    Just like on the hub, the firewall policies control and secure what traffic is permitted, and from which source and to which destination.

    Following is a summary of how to configure firewall policies:

    1. Create a new policy package for Edge devices and assign it to the Edge group. See Creating a new policy package.
    2. Configure 3 rules for the edge devices. See Creating rules.

    Creating a new policy package

    To create a new policy package:
    1. In Policy & Objects, create a new Policy Package called Edge, and add the Device Group Edge to its installation targets:

    Creating rules

    To create rules
    1. Create the following Firewall Policy:

      Name

      From

      To

      Src

      Dst

      Service

      NAT

      Action

      Corporate

      lan overlay

      lan overlay

      CORP_LAN

      CORP_LAN

      ALL

      No

      Accept

      Internet (DIA)

      lan

      underlay

      all

      all

      ALL

      Yes

      Accept

      Internet (RIA)

      lan

      overlay

      all

      all

      ALL

      No

      Accept

      Notes:

      • The SD-WAN Zones underlay and overlay were automatically created to be used in the Firewall Policy
      • The Firewall Policy distinguishes between Direct Internet Access (DIA, from the Edge itself) and Remote Internet Access (RIA, via the Hub), potentially applying different security features in each case. One common example shown above is Source NAT which is only applied to the traffic using DIA.
      • It is highly recommended to enable Application Control, especially on the Firewall Policy controlling Internet traffic. For accurate application identification, it is also highly recommended to enable SSL Inspection. This functionality is required for SD-WAN Application-aware traffic steering and is also used to populate SD-WAN widgets and reports.

    Previous
    Next