Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • SD-WAN Deployment for MSSPs

    Home FortiGate / FortiOS 6.4.0 SD-WAN Deployment for MSSPs
    6.4.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0

    Configuring firewall policies

    Configuring firewall policies

    The existing policy package on the Hubs do not account for inter-regional communication. Two rules are expanded and one new rule is defined.

    We must also update the Hub firewall policy.

    Following is a summary of how to configure the firewall policy:

    1. Create three normalized interfaces for the two BGP loopback interfaces and the hub to hub zone. See Creating interfaces.

      These loopback interfaces are used for eBGP peering.

    2. Edit 2 rules to include the inter-regional zone. See Editing rules.

      This allows communication between the zones.

    3. Define a new rule to permit the inter-regional BGP sessions using the normalized bgp loopback interfaces. See Defining a new rule.

      BGP session traffic must be explicitly permitted since it uses different interfaces than other traffic.

    4. Deploy the updated policy package. See Deploying updated policy package.

    Creating interfaces

    1. Navigate to Policy & Objects > Object Configurations, and add the new Normalized Interfaces mapped to the newly created loopback interfaces (lo-BGP_INET, lo-BGP_MPLS), as well as for the zone hub2hub-overlay:

    Editing rules

    To edit rules:
    1. Edit the Edge-Edge and Edge-Hub firewall rules in the Hub policy package, adding the new inter-regional zone to them, in order to permit inter-regional communication:

      Name

      From

      To

      Src

      Dst

      Service

      NAT

      Action

      Edge- Edge

      overlay hub2hub - overlay

      overlay hub2hub - overlay

      CORP_LAN

      CORP_LAN

      ALL

      No

      		Accept
      Edge-hub

      lan overlay hub2hub - overlay

      lan overlay hub2hub - overlay

      CORP_LAN

      CORP_LAN

      ALL

      No

      		Accept

    Defining a new rule

    To define a new rule:
    1. Add a new firewall rule, in order to permit inter-regional BGP sessions.

      Use the following options for the multi-region firewall rule:

      Option

      Setting

      Fromlo-BGP_INET lo-BGP_MPLS hub2hub-overlay
      Tolo-BGP_INET lo-BGP_MPLS hub2hub-overlay

      Src

      all

      Dst

      all

      Service

      PING

      BGP

      NAT

      No

      Action

      Accept

    Deploying updated policy package

    To deploy the updated policy package:
    1. Reinstall policy on all the Hubs.

    Previous
    Next

    Configuring firewall policies

    Configuring firewall policies

    The existing policy package on the Hubs do not account for inter-regional communication. Two rules are expanded and one new rule is defined.

    We must also update the Hub firewall policy.

    Following is a summary of how to configure the firewall policy:

    1. Create three normalized interfaces for the two BGP loopback interfaces and the hub to hub zone. See Creating interfaces.

      These loopback interfaces are used for eBGP peering.

    2. Edit 2 rules to include the inter-regional zone. See Editing rules.

      This allows communication between the zones.

    3. Define a new rule to permit the inter-regional BGP sessions using the normalized bgp loopback interfaces. See Defining a new rule.

      BGP session traffic must be explicitly permitted since it uses different interfaces than other traffic.

    4. Deploy the updated policy package. See Deploying updated policy package.

    Creating interfaces

    1. Navigate to Policy & Objects > Object Configurations, and add the new Normalized Interfaces mapped to the newly created loopback interfaces (lo-BGP_INET, lo-BGP_MPLS), as well as for the zone hub2hub-overlay:

    Editing rules

    To edit rules:
    1. Edit the Edge-Edge and Edge-Hub firewall rules in the Hub policy package, adding the new inter-regional zone to them, in order to permit inter-regional communication:

      Name

      From

      To

      Src

      Dst

      Service

      NAT

      Action

      Edge- Edge

      overlay hub2hub - overlay

      overlay hub2hub - overlay

      CORP_LAN

      CORP_LAN

      ALL

      No

      		Accept
      Edge-hub

      lan overlay hub2hub - overlay

      lan overlay hub2hub - overlay

      CORP_LAN

      CORP_LAN

      ALL

      No

      		Accept

    Defining a new rule

    To define a new rule:
    1. Add a new firewall rule, in order to permit inter-regional BGP sessions.

      Use the following options for the multi-region firewall rule:

      Option

      Setting

      Fromlo-BGP_INET lo-BGP_MPLS hub2hub-overlay
      Tolo-BGP_INET lo-BGP_MPLS hub2hub-overlay

      Src

      all

      Dst

      all

      Service

      PING

      BGP

      NAT

      No

      Action

      Accept

    Deploying updated policy package

    To deploy the updated policy package:
    1. Reinstall policy on all the Hubs.

    Previous
    Next