Configuring and verifying rules for on-net access
So far, the configurations have focused on remote off-net access. It is assumed that, with the prior teleworking setup, on-net access is configured with a wide-open policy as a very basic case. In most deployments there will be more segmentation, but one thing stays the same: access is granted based on the source network and sometimes on user login, while the security posture of the device is never checked.
The existing teleworking configuration that allows traffic from port1 (Clients_LAN) to port2 (DMZ):
config firewall policy
    edit 12
        set name "to_DMZ_webservers"
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "FAZ" "Finance" "Webserver" "EMS" "FAC"
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set logtraffic all
    next
end
In the following section, we will configure the on-net access policy with ZTNA tags so that the security posture of on-net devices is checked before access is granted.
It is assumed that the on-net endpoints behind port1 are registered to the FortiClient EMS server over port 8013. Traffic to EMS on this port must therefore be allowed without any restriction, because an endpoint that cannot reach EMS can never receive the ZTNA tags that the posture-based policy depends on.
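The following CLI is an added illustration of that ordering, not configuration taken from the page or from Fortinet's guide: an unrestricted EMS registration policy for port 8013 placed above a tag-gated policy for the remaining DMZ servers. The service object name, policy ID 13 and the tag name "EMS_ZTNA_Low" are placeholders, and the ztna-status/ztna-ems-tag keywords are assumed to follow the FortiOS 7.0 firewall-policy syntax.

```fortios
# Placeholder service object: EMS registration traffic only (port 8013).
config firewall service custom
    edit "EMS_8013"
        set tcp-portrange 8013
    next
end

config firewall policy
    # Policy 13 is assumed: EMS registration must succeed before any
    # ZTNA tag can be evaluated, so it carries no tag condition.
    edit 13
        set name "allow_EMS_registration"
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "EMS"
        set schedule "always"
        set service "EMS_8013"
        set logtraffic all
    next
    # Existing policy 12, now gated on an assumed EMS tag: the remaining
    # DMZ servers are reachable only from endpoints that carry the tag.
    edit 12
        set ztna-status enable
        set ztna-ems-tag "EMS_ZTNA_Low"
        set dstaddr "FAZ" "Finance" "Webserver" "FAC"
    next
    # Policy order matters: the registration policy must be matched first.
    move 13 before 12
end
```

Verify with "show firewall policy" that 13 precedes 12 and that 12 lists the tag; an endpoint that is not yet registered should still reach EMS on 8013 but be denied by 12.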