Configuring firewall policies

While SD-WAN rules define where the traffic should flow, the firewall policy defines whether the traffic is permitted to flow and how traffic should be inspected.

This topic describes how to create the following policy packages with firewall policies:

  • A policy package named Branches-PP for spoke devices
  • A policy package named DataCenter-PP for hub devices

After you create each policy package, assign it to its target devices and install it.

Note

With the introduction of the SD-WAN zone concept, individual tunnel interfaces can no longer be used in firewall policies. The tunnel interfaces must be grouped into SD-WAN zones, and the zones are then referenced in the policies.

We have assigned all our SD-WAN members to the newly created zone named overlay, which automatically created a corresponding normalized interface. Use this normalized interface in the policies.

To create a policy package and firewall policy rules for spokes:
  1. Go to Policy & Objects > Policy Packages.
  2. Create a policy package for spoke devices:
    1. Click Policy Package > New. The Create New Policy Package dialog box is displayed.
    2. In the Name box, type a name, such as Branches-PP.
    3. Leave Central NAT toggled OFF.
    4. Beside NGFW Mode, select Profile-based.
    5. Click OK. The policy package is created.
  3. In the tree menu, select the policy package for spokes named, for example, Branches-PP. The firewall policies in the policy package are displayed.
  4. Add policies to the firewall policy:
    1. In the toolbar, click Create New. The Create New Firewall Policy pane is displayed.
    2. Create the following policy for spokes, and click OK.

      Name      | From            | To              | Src      | Dst      | Service | NAT | Action
      Corporate | vl_lan, overlay | overlay, vl_lan | CORP_LAN | CORP_LAN | All     | No  | Accept

      The rule is added to the firewall policy.

  5. Set the installation targets to spoke devices, and install the policy package.

To create a policy package and firewall policy rules for hubs:
  1. Go to Policy & Objects > Policy Packages.
  2. Create a policy package for hub devices:
    1. Click Policy Package > New. The Create New Policy Package dialog box is displayed.
    2. In the Name box, type a name, such as DataCenter-PP.
    3. Leave Central NAT toggled OFF.
    4. Beside NGFW Mode, select Profile-based.
    5. Click OK. The policy package is created.
  3. In the tree menu, select the policy package for hubs named, for example, DataCenter-PP. The firewall policies in the policy package are displayed.
  4. Add policies to the firewall policy:
    1. In the toolbar, click Create New. The Create New Firewall Policy pane is displayed.
    2. Create the following policies for hubs, and click OK after each one.

      Name             | From             | To               | Src | Dst | Service | NAT | Action
      Branch to Branch | OL_INET, OL_MPLS | OL_INET, OL_MPLS | all | all | All     | No  | Accept
      Branch to DC     | OL_INET, OL_MPLS | vl_lan           | all | all | All     | No  | Accept
      Health-check     | OL_INET, OL_MPLS | any              | all | HC  | PING    | No  | Accept

      The rules are added to the firewall policy.
      Note

      On the hub devices, individual interfaces are used in the firewall policy because SD-WAN is not configured on the hub devices, so there are no SD-WAN zones to reference.

      Incoming health probes must also be explicitly permitted, because traffic towards the loopback interface is not permitted by default.

  5. Set the installation targets to hub devices, and install the policy package.
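The following Python model is an added example, not part of the Fortinet guide or a FortiOS component. It encodes the Branches-PP and DataCenter-PP tables from both procedures above, resolves SD-WAN member interfaces to their zone the way the spoke policies require, and applies first-match evaluation with an implicit deny, so the effect of omitting the hub's Health-check rule can be seen directly. The spoke member names H1_INET and H1_MPLS, the hub loopback interface name, and the address objects used in the sample flows are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    src_intf: set
    dst_intf: set
    src_addr: set
    dst_addr: set
    service: set
    action: str = "accept"

def resolve_zone(interface, zones):
    """SD-WAN members are matched by their zone; anything else keeps its own name."""
    for zone, members in zones.items():
        if interface in members:
            return zone
    return interface

def evaluate(policies, zones, src_intf, dst_intf, src_obj, dst_obj, service):
    """First matching policy wins; no match falls to the implicit deny, as on FortiOS."""
    src, dst = resolve_zone(src_intf, zones), resolve_zone(dst_intf, zones)
    for p in policies:
        if (("any" in p.src_intf or src in p.src_intf)
                and ("any" in p.dst_intf or dst in p.dst_intf)
                and ("all" in p.src_addr or src_obj in p.src_addr)
                and ("all" in p.dst_addr or dst_obj in p.dst_addr)
                and ("All" in p.service or service in p.service)):
            return p.name, p.action
    return "implicit", "deny"

# Branches-PP: the overlay zone members H1_INET/H1_MPLS are assumed names (not on the page).
SPOKE_ZONES = {"overlay": {"H1_INET", "H1_MPLS"}}
BRANCHES_PP = [
    Policy("Corporate", {"vl_lan", "overlay"}, {"overlay", "vl_lan"},
           {"CORP_LAN"}, {"CORP_LAN"}, {"All"}),
]

# DataCenter-PP: no SD-WAN on the hub, so the tunnel interfaces are referenced directly.
HUB_ZONES = {}
DATACENTER_PP = [
    Policy("Branch to Branch", {"OL_INET", "OL_MPLS"}, {"OL_INET", "OL_MPLS"},
           {"all"}, {"all"}, {"All"}),
    Policy("Branch to DC", {"OL_INET", "OL_MPLS"}, {"vl_lan"}, {"all"}, {"all"}, {"All"}),
    Policy("Health-check", {"OL_INET", "OL_MPLS"}, {"any"}, {"all"}, {"HC"}, {"PING"}),
]

def hub_probe(policies):
    """A spoke health probe arriving on OL_INET for the HC loopback address (names assumed)."""
    return evaluate(policies, HUB_ZONES, "OL_INET", "loopback", "BR1_LAN", "HC", "PING")
```

hub_probe(DATACENTER_PP) returns ('Health-check', 'accept'), while hub_probe(DATACENTER_PP[:2]), the same package without the Health-check rule, returns ('implicit', 'deny'). On the spoke side, a flow from H1_INET to vl_lan is matched via the overlay zone rather than the member name.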
