Administration Guide

Adding policies to perform granular firewall actions and inspection

You can add multiple policies to perform granular firewall actions and inspection. This example configures a policy to allow a set of remote users to access *.fortinet.com and blocks the same remote users from accessing all traffic to *.netflix.com.

| Policy name | Description |
| --- | --- |
| RemoteHomeOffice-DenyNetflix | Blocks remote employees (members of the Remote-Home-Office VPN user group) from accessing *.netflix.com. |
| RemoteHomeOffice-AllowFortinet | Allows remote employees (members of the Remote-Home-Office VPN user group) to access *.fortinet.com. |

The following provides instructions for configuring the described policies. You may want to configure similar policies, modifying settings based on your environment.

To add policies to perform granular firewall actions and inspection:
  1. Go to Configuration > Policies.
  2. Create the RemoteHomeOffice-DenyNetflix policy:
    1. Click Create.
    2. For Source Scope, select VPN Users.
    3. For User, select Specify. Click +, and select the Remote-Home-Office user group from the Select Entries pane.
    4. In the Destination field, select Specify, click +, then do the following:
      1. On the Host tab, click Create.
      2. Select IPv4 Host.
      3. In the Name field, enter the desired name.
      4. From the Type dropdown list, select FQDN.
      5. In the FQDN field, enter *.netflix.com. When using wildcard FQDNs, FortiSASE caches the FQDN address's IP addresses based on matching DNS responses.
      6. Click OK.
      7. Select the newly created Netflix host.
    5. In the Service field, click +. On the Select Entries pane, select ALL.
    6. Leave all other fields at their default values.
    7. Click OK.
  3. Create the RemoteHomeOffice-AllowFortinet policy:
    1. Click Create.
    2. For User, select Specify. Click +, and select the Remote-Home-Office user group from the Select Entries pane.
    3. In the Destination field, click +, then do the following:
      1. On the Host tab, click Create.
      2. Select IPv4 Host.
      3. In the Name field, enter the desired name.
      4. From the Type dropdown list, select FQDN.
      5. In the FQDN field, enter *.fortinet.com. When using wildcard FQDNs, FortiSASE caches the FQDN address's IP addresses based on matching DNS responses.
      6. Click OK.
      7. Select the newly created Fortinet host.
    4. In the Service field, click +. On the Select Entries pane, select ALL.
    5. For Action, select Accept.
    6. Leave all other fields at their default values.
    7. Click OK.
  4. In Configuration > Policies, ensure that the policies are ordered so that the RemoteHomeOffice-DenyNetflix policy is before the RemoteHomeOffice-AllowFortinet policy, and that both of those VPN policies are before the Allow-All policy.

When a session is initiated through the VPN tunnel, FortiSASE analyzes the connection and performs a policy match. FortiSASE evaluates the policies from top down and compares the session with each policy's configured parameters until one matches. For example, consider a user who belongs to the Remote-Home-Office user group attempting to access www.fortinet.com. FortiSASE first attempts to match the RemoteHomeOffice-DenyNetflix policy, but the traffic is not destined for *.netflix.com, so it does not match. FortiSASE then attempts to match the next policy, RemoteHomeOffice-AllowFortinet, which does match, and allows the user access to www.fortinet.com.
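The top-down, first-match evaluation described above, and the ordering requirement in the last step of the procedure, can be checked outside the product with a small simulator. The following is an added example written for this page; it is not FortiSASE code or any Fortinet API. It models the two VPN policies from the table plus the Allow-All policy, matches wildcard FQDNs on the hostname (a simplification: FortiSASE matches the IP addresses it cached from DNS responses), assumes an implicit deny when no policy matches, and assumes the Deny policy's default action is deny, as the table's "Blocks" wording implies. The policy and group names are the page's; the "Contractors" group and www.example.com host are constructed for the demonstration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import FrozenSet, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                              # "accept" or "deny"
    users: FrozenSet[str] = frozenset()      # required user groups; empty = any user
    destinations: Tuple[str, ...] = ()       # wildcard FQDN patterns; empty = any host


def fqdn_matches(pattern: str, host: str) -> bool:
    """Case-insensitive wildcard FQDN match, e.g. '*.netflix.com' vs 'www.netflix.com'.
    Simplification (assumption): match on the hostname rather than on cached DNS IPs."""
    return fnmatchcase(host.lower().rstrip("."), pattern.lower())


def policy_matches(policy: Policy, user_groups: FrozenSet[str], host: str) -> bool:
    """A policy matches when the user is in one of its groups (if any are set)
    and the destination host matches one of its FQDN patterns (if any are set)."""
    if policy.users and not (policy.users & user_groups):
        return False
    if policy.destinations and not any(fqdn_matches(p, host) for p in policy.destinations):
        return False
    return True


def evaluate(policies: Sequence[Policy], user_groups: FrozenSet[str], host: str) -> Tuple[Optional[str], str]:
    """Top-down, first-match evaluation: returns (matching policy name, action).
    If nothing matches, fall back to an implicit deny (assumption, not stated by the guide)."""
    for policy in policies:
        if policy_matches(policy, user_groups, host):
            return policy.name, policy.action
    return None, "deny"


def ordering_problems(policies: Sequence[Policy]) -> List[str]:
    """Flag the ordering mistakes the guide's last step warns about:
    the Netflix deny must precede the Fortinet allow, and both must precede Allow-All.
    A misplaced policy is never reached because an earlier, broader policy matches first."""
    index = {p.name: i for i, p in enumerate(policies)}
    deny, allow, catch_all = "RemoteHomeOffice-DenyNetflix", "RemoteHomeOffice-AllowFortinet", "Allow-All"
    problems = []
    if deny in index and allow in index and index[deny] > index[allow]:
        problems.append(f"{deny} must be ordered before {allow}")
    for name in (deny, allow):
        if name in index and catch_all in index and index[name] > index[catch_all]:
            problems.append(f"{name} is shadowed by {catch_all} and will never match")
    return problems


# Constructed policy table, in the order the guide requires.
REMOTE = frozenset({"Remote-Home-Office"})
POLICIES = (
    Policy("RemoteHomeOffice-DenyNetflix", "deny", REMOTE, ("*.netflix.com",)),
    Policy("RemoteHomeOffice-AllowFortinet", "accept", REMOTE, ("*.fortinet.com",)),
    Policy("Allow-All", "accept"),
)

# Same policies with Allow-All placed first: the mistake the last step guards against.
MISORDERED = (POLICIES[2], POLICIES[0], POLICIES[1])


if __name__ == "__main__":
    for host in ("www.fortinet.com", "www.netflix.com", "www.example.com"):
        print(host, "->", evaluate(POLICIES, REMOTE, host))
    print("misordered www.netflix.com ->", evaluate(MISORDERED, REMOTE, "www.netflix.com"))
    print("ordering problems:", ordering_problems(MISORDERED))
```

Running the block walks the guide's own example (www.fortinet.com skips the Netflix deny and lands on the Fortinet allow), shows that the same user is denied www.netflix.com and falls through to Allow-All for any other host, and demonstrates that with Allow-All at the top the Netflix deny is never reached, which is exactly what the ordering check reports.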

You can view data for access attempts on the FortiView Sources dashboard. You can view the application, destination, and policy information.