SD-WAN Deployment for MSSPs

6.4.0

Configuring firewall policies (Hub)

Policies control what traffic is permitted, and leverage the previously created Hub group and SD-WAN zones.

Following is a summary of how to configure firewall policies:

  1. Create a new policy package named Hubs, and assign it to the group named Hub. See Creating a policy package.

    This automatically applies the policy package to any FortiGate in the Hub group.

  2. Define five firewall policies in the Hubs policy package to permit traffic. See Defining policies.

    These firewall policies leverage the SD-WAN zones and interfaces.

Creating a policy package

To create a policy package:
  1. In FortiManager, go to Policy & Objects > Policy Packages.
  2. From the Policy Package menu, select New.

    The Create New Policy Package dialog box is displayed.

  3. In the Name box, type Hubs, and click OK.

    The policy package is created.

  4. Under the policy package, select Installation Targets, and click Edit.

    The Edit Installation Targets dialog box is displayed.

  5. Select the Device Group named Hubs, and click OK to add its installation targets to the policy package.

Defining policies

To define policies:
  1. In FortiManager, go to Policy & Objects > Policy Packages > Hubs > Firewall Policy.
  2. Click Create New, and create the following Firewall Policies:

    Name               From          To            Src       Dst       Service  NAT  Action
    Edge-Edge (see *)  overlay       overlay       CORP_LAN  CORP_LAN  ALL      No   Accept
    Edge-Hub           lan, overlay  lan, overlay  CORP_LAN  CORP_LAN  ALL      No   Accept
    Health-check       overlay       lo-HC         all       all       PING     No   Accept
    Internet (DIA)     lan           underlay      all       all       ALL      Yes  Accept
    Internet (RIA)     overlay       underlay      all       all       ALL      Yes  Accept

    * For the Edge-Edge rule, we must configure the following Advanced Options:

    Parameter                Value
    anti-replay              off
    tcp-session-without-syn  all

    This is necessary to support switchover of existing TCP sessions when the SD-WAN steering decision changes:

    • If the traffic flows via a direct Edge-to-Edge tunnel (ADVPN shortcut), the session on the Hub remains idle, and thus it will eventually time out.
    • Then, if the Edge SD-WAN decides to switch over to a different overlay (due to a change in network conditions), the next few packets may need to flow via the Hub again.
    • Since this TCP session no longer exists on the Hub, the traffic will be dropped.
    • To avoid this, we configure the above options.

    These options do not compromise security, because they only apply to Edge-to-Edge traffic, which will be protected by the Edge devices (the corresponding firewall rules will be covered later). The Edge devices will keep performing complete stateful inspection of this traffic, whether it flows via the Hub or via a direct Edge-to-Edge tunnel.
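    The following is an added example, not Fortinet's code or part of this guide: it models the five Hub policies above as data, renders each one as the equivalent FortiOS CLI stanza (the two Advanced Options map to set anti-replay and set tcp-session-without-syn), and lints that those relaxed TCP checks appear only on overlay-to-overlay policies, since that is the only traffic an Edge device re-inspects. The policy IDs, the helper names and the underscore key names are assumptions.

```python
# Added example (not Fortinet's): Hub policy table -> FortiOS CLI, plus a lint that the
# relaxed TCP checks are scoped to Edge-to-Edge (overlay -> overlay) traffic only.

def policy(name, frm, to, src, dst, service, nat, **adv):
    return {"name": name, "from": frm, "to": to, "src": src, "dst": dst,
            "service": service, "nat": nat, **adv}

# Constructed from the page's table; only Edge-Edge carries the two Advanced Options.
HUB_POLICIES = [
    policy("Edge-Edge", ["overlay"], ["overlay"], ["CORP_LAN"], ["CORP_LAN"], ["ALL"], False,
           anti_replay="disable", tcp_session_without_syn="all"),
    policy("Edge-Hub", ["lan", "overlay"], ["lan", "overlay"],
           ["CORP_LAN"], ["CORP_LAN"], ["ALL"], False),
    policy("Health-check", ["overlay"], ["lo-HC"], ["all"], ["all"], ["PING"], False),
    policy("Internet (DIA)", ["lan"], ["underlay"], ["all"], ["all"], ["ALL"], True),
    policy("Internet (RIA)", ["overlay"], ["underlay"], ["all"], ["all"], ["ALL"], True),
]

def _quoted(names):
    return " ".join(f'"{n}"' for n in names)

def render_cli(policy_id, p):
    """Render one policy as a 'config firewall policy' entry (policy_id is assumed)."""
    lines = [
        f"    edit {policy_id}",
        f'        set name "{p["name"]}"',
        f"        set srcintf {_quoted(p['from'])}",
        f"        set dstintf {_quoted(p['to'])}",
        f"        set srcaddr {_quoted(p['src'])}",
        f"        set dstaddr {_quoted(p['dst'])}",
        "        set action accept",
        '        set schedule "always"',
        f"        set service {_quoted(p['service'])}",
        f"        set nat {'enable' if p['nat'] else 'disable'}",
    ]
    # Advanced Options from the table: anti-replay off, tcp-session-without-syn all.
    if p.get("anti_replay") == "disable":
        lines.append("        set anti-replay disable")
    if p.get("tcp_session_without_syn", "disable") != "disable":
        lines.append(f"        set tcp-session-without-syn {p['tcp_session_without_syn']}")
    lines.append("    next")
    return "\n".join(lines)

def relaxed_outside_edge_to_edge(policies):
    """Names of policies that relax stateful TCP checks on traffic not going overlay -> overlay."""
    def relaxed(p):
        return (p.get("anti_replay") == "disable"
                or p.get("tcp_session_without_syn", "disable") != "disable")
    def edge_to_edge(p):
        return set(p["from"]) == {"overlay"} and set(p["to"]) == {"overlay"}
    return [p["name"] for p in policies if relaxed(p) and not edge_to_edge(p)]
```

    Running relaxed_outside_edge_to_edge over a policy package before installation flags any policy where the Hub's stateful checks were loosened for traffic that no Edge device inspects.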

Notes:

  • The SD-WAN Zones underlay and overlay were automatically created to be used in the Firewall Policy.
  • This Firewall Policy is ready to support Remote Internet Access, which is traffic arriving from the Edge devices via the overlays, destined for the Internet (underlay).
  • This Firewall Policy also allows Direct Internet Access for the workloads hosted behind the Hub itself.
  • We must explicitly allow the health-check probes that the Edge devices will send to the Hub device.
  • Any desired security inspection can be applied, although keep in mind that Edge-to-Edge traffic will typically be secured by the Edge devices themselves.