Configuring firewall policies (Hub)
Policies control what traffic is permitted. They leverage the previously created Hub device group and the SD-WAN zones (underlay and overlay) that were created with the SD-WAN template.
Following is a summary of how to configure firewall policies:
- Create a new policy package named Hubs, and assign it to the device group named Hub. See Creating a policy package.
The policy package is then automatically installed on any FortiGate that is a member of the Hub group.
- Define five firewall policies in the Hubs policy package to permit traffic. See Defining policies.
These firewall policies use the SD-WAN zones (underlay, overlay) and the Hub's physical and loopback interfaces (lan, lo-HC) as source and destination interfaces.
Creating a policy package
To create a policy package:
- In FortiManager, go to Policy & Objects > Policy Packages.
- From the Policy Package menu, select New.
The Create New Policy Package dialog box is displayed.
- In the Name box, type Hubs, and click OK.
The policy package is created.
- Under the policy package, select Installation Targets, and click Edit.
The Edit Installation Targets dialog box is displayed.
- Select the Device Group named Hub, and click OK to add its members as installation targets of the policy package.
Defining policies
To define policies:
- In FortiManager, go to Policy & Objects > Policy Packages > Hubs > Firewall Policy.
- Click Create New, and create the following Firewall Policies:
Name | From | To | Src | Dst | Service | NAT | Action
Edge-Edge | overlay | overlay | CORP_LAN | CORP_LAN | ALL | No | Accept (see *)
Edge-Hub | lan, overlay | lan, overlay | CORP_LAN | CORP_LAN | ALL | No | Accept
Health-check | overlay | lo-HC | all | all | PING | No | Accept
Internet (DIA) | lan | underlay | all | all | ALL | Yes | Accept
Internet (RIA) | overlay | underlay | all | all | ALL | Yes | Accept
* For the Edge-Edge rule, the following Advanced Options must be configured:
Parameter | Value
anti-replay | off
tcp-session-without-syn | all
These options are necessary to keep existing TCP sessions alive when an SD-WAN steering decision changes the path mid-session:
- While traffic flows over a direct Edge-to-Edge tunnel (ADVPN shortcut), the corresponding session on the Hub stays idle and eventually times out.
- If the Edge SD-WAN later switches the flow to a different overlay (because network conditions changed), the next packets of that flow may need to traverse the Hub again.
- Those packets belong to a TCP session that no longer exists on the Hub and arrive without a SYN, so the Hub's default stateful checks drop them.
- Setting tcp-session-without-syn to all lets the Hub create a session from a mid-stream packet, and disabling anti-replay stops the Hub from discarding packets whose TCP sequence numbers it has not tracked.
These options do not compromise security, because they apply only to the Edge-Edge policy, that is, to overlay-to-overlay traffic between CORP_LAN addresses, which is protected by the Edge devices (the corresponding Edge firewall rules are covered later). The Edge devices continue to perform complete stateful inspection of this traffic, whether it flows via the Hub or via a direct Edge-to-Edge tunnel. Do not enable these options on the Internet-facing policies, where the Hub is the only stateful inspection point.
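The following is what the five policies in the Hubs package look like once installed on a Hub, written in FortiOS CLI. This is an added example, not configuration from the original page. It assumes that the address object CORP_LAN, the loopback interface lo-HC, the LAN interface lan and the SD-WAN zones underlay and overlay already exist on the Hub (they are created in earlier steps), that the GUI values anti-replay off and tcp-session-without-syn all map to the CLI keywords shown, and that edit 0 is used so the FortiGate assigns the next free policy ID; the policy order shown is assumed to match the order in the table above.

```fortios
config firewall policy
    # Edge-Edge: hub-relayed traffic between two Edge LANs.
    # The two advanced options allow sessions that were started over an
    # ADVPN shortcut to fall back through the Hub mid-stream.
    edit 0
        set name "Edge-Edge"
        set srcintf "overlay"
        set dstintf "overlay"
        set srcaddr "CORP_LAN"
        set dstaddr "CORP_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set anti-replay disable
        set tcp-session-without-syn all
    next
    # Edge-Hub: traffic between Edge LANs and workloads behind the Hub.
    # Full stateful inspection is kept here (defaults: anti-replay enabled,
    # tcp-session-without-syn disabled).
    edit 0
        set name "Edge-Hub"
        set srcintf "lan" "overlay"
        set dstintf "lan" "overlay"
        set srcaddr "CORP_LAN"
        set dstaddr "CORP_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    # Health-check: SD-WAN probes from the Edges to the Hub loopback.
    # Only PING is permitted, so the loopback is not reachable for anything else.
    edit 0
        set name "Health-check"
        set srcintf "overlay"
        set dstintf "lo-HC"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "PING"
        set nat disable
    next
    # Internet (DIA): workloads behind the Hub going directly to the Internet.
    edit 0
        set name "Internet (DIA)"
        set srcintf "lan"
        set dstintf "underlay"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # Internet (RIA): Edge traffic arriving over the overlays and leaving
    # to the Internet via the Hub's underlay.
    edit 0
        set name "Internet (RIA)"
        set srcintf "overlay"
        set dstintf "underlay"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

After installing the package from FortiManager, `show firewall policy` on the Hub can be used to confirm that `set anti-replay disable` and `set tcp-session-without-syn all` appear only under the Edge-Edge policy and nowhere else; if they show up under an Internet-facing policy, the Hub would accept unsolicited mid-stream TCP segments from the underlay.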
Notes:
- The SD-WAN Zones underlay and overlay were automatically created to be used in the Firewall Policy.
- This Firewall Policy is ready to support Remote Internet Access, which is traffic arriving from the Edge devices via the overlays, destined to the Internet (underlay).
- This Firewall Policy also allows Direct Internet Access for the workloads hosted behind the Hub itself.
- We must explicitly allow the health-check probes that the Edge devices send to the Hub's loopback interface (lo-HC); without the Health-check policy the probes are dropped and the Edges mark the overlays as down.
- Any desired security inspection (web filtering, IPS, application control, etc.) can be applied to these policies, keeping in mind that Edge-to-Edge traffic is typically secured by the Edge devices themselves, so inspecting it again on the Hub mostly adds load.