7.4.0

Creating policy packages and firewall policies

Note

The following policies only allow traffic to flow between the branches and the hub. They are a starting point, not a hardened configuration: further security configuration (for example, restricting the permitted services and applying security profiles) is still required to secure the communication.

Following is a summary of how to create the policy package:

  1. Configure interface mapping for LAN. See Configure interface mapping for LAN.

  2. Create a policy package for branch devices. See Configure the branch policy package and policies.
  3. Create a policy package for the hub device. See Configuring the Hub policy package and policies.

Configure interface mapping for LAN

Start by creating an interface mapping to map ‘port3’ to LAN. While you can use port3 in policies, creating this mapping makes the policy purpose more transparent. It also allows for different interfaces to be referenced as LAN. For example, maybe one branch location needs to use port5 as their LAN connection. This can be explicitly mapped for that branch and still utilize the branch policy package which references the LAN interface.

To configure interface mapping for LAN:
  1. Navigate to Policy & Objects > Normalized Interface.

  2. Use the search field in the top right to search for port3.

  3. Edit the port3 mapping by double-clicking on it.

  4. Expand Per-Platform Mapping, and search within this menu for FortiGate-VM64-KVM.

  5. Delete the entry and click OK to save.

  6. Remaining in the Normalized Interface menu, select Create New in the top menu bar to create a new mapping as follows:

    Name: LAN

    Per-Platform Mapping

    Matched Platform: FortiGate-VM64-KVM

    Mapped Interface Name: port3

Configure the branch policy package and policies

To create the branch policy package and policies:
  1. Navigate to Policy & Objects, and expand the Branches folder, then select Firewall Policy.
    The firewall policy already contains an entry for Health Check Access.
  2. Use the Create New button in the top menu bar to create a firewall policy named Branch to DC as follows:

    Name: Branch to DC

    Incoming Interface: LAN

    Outgoing Interface: HUB1, HUB2

    IPv4 Source Address: Branch-LAN

    IPv4 Destination Address: Datacenter LAN1

    Action: Accept

  3. Click OK to create the firewall policy.

  4. Create a second policy using the same method as above with the following details:

    Name: Direct Internet Access

    Incoming Interface: LAN

    Outgoing Interface: WAN1, WAN2

    IPv4 Source Address: Branch-LAN

    IPv4 Destination Address: RFC-1918 address group

    Negate Destination: Enable (the policy then matches every destination that is not a private RFC 1918 address, which is what makes it the internet policy)

    Action: Accept

    NAT: Enable

    Security Profiles: Apply security profiles as needed to protect users from internet threats.

  5. Click OK to create the firewall policy.

  6. Create a third policy using the same method as above with the following details:

    Name: DC to LAN

    Incoming Interface: HUB1, HUB2

    Outgoing Interface: LAN

    IPv4 Source Address: Datacenter-LAN1, Branch-LAN

    IPv4 Destination Address: Branch-LAN

    Action: Accept

  7. Click OK to create the firewall policy.

Configuring the Hub policy package and policies

To create the hub policy package and policies:
  1. Remaining in Policy & Objects, expand the Hub folder and select Firewall Policy to review the Hub firewall policy.
  2. The package already contains one policy, Health Check Access, created by the SD-WAN Overlay template.
  3. Use the Create New button in the top menu bar to create a firewall policy named Branch to Datacenter as follows:

    Name: Branch to Datacenter

    Incoming Interface: VPN1, VPN2

    Outgoing Interface: LAN

    IPv4 Source Address: Branch-LAN

    IPv4 Destination Address: Datacenter LAN1

    Action: Accept

  4. Click OK to create the firewall policy.

  5. Create a second Hub policy using the same method as above with the following details:

    Name: DC to Branch

    Incoming Interface: LAN

    Outgoing Interface: VPN1, VPN2

    IPv4 Source Address: Datacenter-LAN1

    IPv4 Destination Address: Branch-LAN

    Action: Accept

  6. Click OK to create the firewall policy.

  7. Create a third Hub policy using the same method as above with the following details:

    Name: Branch to Branch

    Incoming Interface: VPN1, VPN2

    Outgoing Interface: VPN1, VPN2

    IPv4 Source Address: Branch-LAN

    IPv4 Destination Address: Branch-LAN

    Action: Accept

  8. Click OK to create the firewall policy.
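The same six policies can be created through the FortiManager JSON-RPC API instead of the GUI, and doing so makes it easy to check them for the further security configuration the note at the top of this page calls for. The Python below is an added example and is not Fortinet's code: it builds the "add" request bodies for the branch and hub packages and audits each policy for service ALL, missing logging, and, on internet-bound policies, missing NAT or security profiles. It assumes the ADOM is named root, that the packages are named Branches and Hub like the folders above, that the normalized interfaces and address objects already exist, the hyphenated object name Datacenter-LAN1 (the page spells it both ways), and that the FortiOS default profiles used by harden() (default AV, IPS and web filter profiles and the certificate-inspection SSL profile) are present. The field names follow the FortiOS firewall policy schema as exposed by FortiManager but were not verified against a live unit; nothing here opens a network connection.

```python
"""Added example (not Fortinet's code): FortiManager JSON-RPC request bodies for
the branch and hub policies on this page, plus an audit of the hardening the
page's note says is still required. No network calls are made here."""
import json

ADOM = "root"            # assumption: default ADOM
PKG_BRANCH = "Branches"  # assumption: package names match the folders on the page
PKG_HUB = "Hub"
INTERNET_INTFS = {"WAN1", "WAN2"}   # normalized interfaces that reach the internet
DC_LAN = "Datacenter-LAN1"          # assumption: the page spells this object two ways


def policy(name, srcintf, dstintf, srcaddr, dstaddr, **extra):
    """One firewall policy body. The defaults are what a policy has when only the
    page's fields are filled in: service ALL, schedule always, action accept."""
    body = {
        "name": name,
        "srcintf": list(srcintf),
        "dstintf": list(dstintf),
        "srcaddr": list(srcaddr),
        "dstaddr": list(dstaddr),
        "schedule": ["always"],
        "service": ["ALL"],
        "action": "accept",
    }
    body.update(extra)
    return body


BRANCH_POLICIES = [
    policy("Branch to DC", ["LAN"], ["HUB1", "HUB2"], ["Branch-LAN"], [DC_LAN]),
    # Negated RFC-1918 destination means "anything not private", i.e. the internet.
    policy("Direct Internet Access", ["LAN"], ["WAN1", "WAN2"], ["Branch-LAN"],
           ["RFC-1918 address group"], **{"dstaddr-negate": "enable", "nat": "enable"}),
    policy("DC to LAN", ["HUB1", "HUB2"], ["LAN"], [DC_LAN, "Branch-LAN"], ["Branch-LAN"]),
]

HUB_POLICIES = [
    policy("Branch to Datacenter", ["VPN1", "VPN2"], ["LAN"], ["Branch-LAN"], [DC_LAN]),
    policy("DC to Branch", ["LAN"], ["VPN1", "VPN2"], [DC_LAN], ["Branch-LAN"]),
    policy("Branch to Branch", ["VPN1", "VPN2"], ["VPN1", "VPN2"], ["Branch-LAN"], ["Branch-LAN"]),
]


def add_request(adom, pkg, body, session, req_id):
    """JSON-RPC envelope for adding one policy to a package. 'session' is the
    token returned by method exec on /sys/login/user."""
    return {
        "id": req_id,
        "method": "add",
        "session": session,
        "params": [{
            "url": f"/pm/config/adom/{adom}/pkg/{pkg}/firewall/policy",
            "data": body,
        }],
    }


def audit(body):
    """Hardening gaps in one accept policy, in a fixed order (empty if none)."""
    findings = []
    if body.get("action") != "accept":
        return findings
    if "all" in body["srcaddr"] or "all" in body["dstaddr"]:
        findings.append("any-address match")
    if body.get("service") == ["ALL"]:
        findings.append("service ALL")
    if body.get("logtraffic") in (None, "disable"):   # not set in the GUI steps above
        findings.append("logging not set")
    if INTERNET_INTFS & set(body["dstintf"]):
        if body.get("nat") != "enable":
            findings.append("internet-bound without NAT")
        if body.get("utm-status") != "enable":
            findings.append("internet-bound without security profiles")
    return findings


def harden(body, services, log="all"):
    """Copy of the policy with explicit services and logging; internet-bound
    policies also get the FortiOS default profiles (assumed to exist)."""
    out = dict(body)
    out["service"] = list(services)
    out["logtraffic"] = log
    if INTERNET_INTFS & set(out["dstintf"]):
        out.update({
            "utm-status": "enable",
            "av-profile": ["default"],
            "ips-sensor": ["default"],
            "webfilter-profile": ["default"],
            "ssl-ssh-profile": ["certificate-inspection"],
        })
    return out


def audit_package(policies):
    """Map each policy name in a package to its findings."""
    return {p["name"]: audit(p) for p in policies}


if __name__ == "__main__":
    for pkg, pols in ((PKG_BRANCH, BRANCH_POLICIES), (PKG_HUB, HUB_POLICIES)):
        for i, p in enumerate(pols, 1):
            print(json.dumps(add_request(ADOM, pkg, p, "<session>", i)))
            print("   gaps:", ", ".join(audit(p)) or "none")
```

Run as a script it prints one add request per policy followed by its gaps; every policy from the page is flagged for service ALL and unset logging, and Direct Internet Access additionally for missing security profiles, which is exactly the work the note at the top leaves to you. Pass the bodies through harden() with the real service list for each flow before sending them, and send the requests only over the FortiManager HTTPS JSON-RPC endpoint with a session obtained from /sys/login/user.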
