
FortiGate NGFW to FortiSASE SPA Hub Conversion Deployment Guide

Firewall policy configuration

To allow health checks from FortiSASE security points of presence to reach the target SLA, and to allow FortiSASE remote users to reach protected resources, you must configure the corresponding firewall policies on the hub to permit this traffic, as this topic demonstrates.

Note

The following settings are only examples. Do not consider them as recommended settings.

To configure firewall policies using the GUI:
  1. This deployment requires a spoke-to-hub LAN firewall policy. This policy allows traffic sourced from a spoke subnet destined for hub subnets. Create the policy:
    1. Go to Policy & Objects > Firewall Policy.
    2. Click Create New. The New Policy pane displays.
    3. Set the following options:
      1. For Incoming interface, select VPN1.
      2. For Outgoing interface, select port4.
      3. For Source, select all.
      4. For Destination, select all.
      5. From the Schedule dropdown list, select always.
      6. For Service, select ALL.
      7. For Action, select Accept.
      8. Disable NAT.
      9. Select Enable this policy.
    4. Click OK.
  2. This deployment requires a spoke-to-spoke firewall policy. This policy allows traffic sourced from a spoke subnet destined for other spoke subnets. Create the policy:
    1. Go to Policy & Objects > Firewall Policy.
    2. Click Create New. The New Policy pane displays.
    3. Set the following options:
      1. For Incoming interface, select VPN1.
      2. For Outgoing interface, select VPN1.
      3. For Source, select all.
      4. For Destination, select all.
      5. From the Schedule dropdown list, select always.
      6. For Service, select ALL.
      7. For Action, select Accept.
      8. Disable NAT.
      9. Select Enable this policy.
    4. Click OK.
  3. Create a spoke-to-loopback firewall policy. This policy allows health check traffic from a spoke to the hub's loopback interface:
    1. Go to Policy & Objects > Firewall Policy and click Create New. The New Policy pane displays.
    2. In the Name field, enter Lo-HC.
    3. Set the following options:
      1. For Incoming interface, select VPN1.
      2. For Outgoing interface, select Lo-BGP-RID.
      3. For Source, select all.
      4. For Destination, select all.
      5. From the Schedule dropdown list, select always.
      6. For Service, select ALL.
      7. For Action, select Accept.
      8. Disable NAT.
      9. Select Enable this policy.
    4. Click OK to save changes.
To configure firewall policies using the CLI:
config firewall policy
    edit 1
        set name "Spoke-to-Hub"
        set srcintf "VPN1"
        set dstintf "port4"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "Spoke-to-Spoke"
        set srcintf "VPN1"
        set dstintf "VPN1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 3
        set name "Lo-BGP-HC"
        set srcintf "VPN1"
        set dstintf "Lo-BGP-RID"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
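The note above says the any/any/ALL policies are examples rather than recommended settings. The following script is an added example and is not part of the Fortinet guide: it parses a FortiOS config firewall policy block, flags accept policies whose source, destination, or service is unrestricted or that do not log all traffic, and runs that check over the guide's three policies and over a constructed, tightened variant of the loopback health-check policy. The address objects Spoke-Subnets and Lo-BGP-RID-addr and the use of PING as the probe service in the tightened variant are assumptions for illustration; the guide does not specify them.

```python
"""Audit a FortiOS 'config firewall policy' block for over-permissive entries.

Added example, not code from the Fortinet guide. SAMPLE_CONFIG reproduces the
guide's three CLI policies; TIGHTENED_CONFIG is a constructed variant.
"""
import re

# The guide's own three policies, embedded so the script runs offline.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "Spoke-to-Hub"
        set srcintf "VPN1"
        set dstintf "port4"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "Spoke-to-Spoke"
        set srcintf "VPN1"
        set dstintf "VPN1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 3
        set name "Lo-BGP-HC"
        set srcintf "VPN1"
        set dstintf "Lo-BGP-RID"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
"""

# Constructed: the health-check policy scoped to hypothetical address objects
# (Spoke-Subnets, Lo-BGP-RID-addr) and the predefined PING service. Assumed
# values, not from the guide.
TIGHTENED_CONFIG = """\
config firewall policy
    edit 3
        set name "Lo-BGP-HC"
        set srcintf "VPN1"
        set dstintf "Lo-BGP-RID"
        set action accept
        set srcaddr "Spoke-Subnets"
        set dstaddr "Lo-BGP-RID-addr"
        set schedule "always"
        set service "PING"
        set logtraffic all
    next
end
"""


def parse_policies(text):
    """Return one dict per 'edit N ... next' entry; values are lists of strings."""
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^edit\s+(\d+)$", line)
        if m:
            current = {"id": int(m.group(1))}
            continue
        if line == "next" and current is not None:
            policies.append(current)
            current = None
            continue
        m = re.match(r"^set\s+(\S+)\s+(.*)$", line)
        if m and current is not None:
            key, value = m.group(1), m.group(2)
            # FortiOS accepts several quoted values: set srcaddr "a" "b".
            # Unquoted keywords (accept, all) are kept as a single value.
            current[key] = re.findall(r'"([^"]*)"', value) or [value]
    return policies


def audit_policy(p):
    """Return the list of findings for a single parsed policy."""
    findings = []
    if p.get("action", ["deny"])[0] == "accept":
        if p.get("srcaddr") == ["all"] and p.get("dstaddr") == ["all"]:
            findings.append("any-to-any addresses")
        if p.get("service") == ["ALL"]:
            findings.append("service ALL")
    # logtraffic defaults to utm on FortiOS; we want every session recorded.
    if p.get("logtraffic", ["utm"])[0] != "all":
        findings.append("not logging all traffic")
    return findings


def audit(text):
    """Map policy id -> findings for every policy in the block."""
    return {p["id"]: audit_policy(p) for p in parse_policies(text)}


if __name__ == "__main__":
    for label, cfg in (("guide", SAMPLE_CONFIG), ("tightened", TIGHTENED_CONFIG)):
        for pid, findings in audit(cfg).items():
            print(f"{label} policy {pid}: {findings or 'no findings'}")
```

Running the script reports "any-to-any addresses" and "service ALL" for each of the guide's three policies and no findings for the tightened variant, which is the kind of check to run before the example settings are carried into production.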
