Fortinet black logo

FortiGate NGFW to FortiSASE SPA Hub Conversion Deployment Guide

Home FortiSASE FortiGate NGFW to FortiSASE SPA Hub Conversion Deployment Guide

Firewall policy configuration

Copy Link
Copy Doc ID b10d503a-c519-11ee-8c42-fa163e15d75b:963259
Download PDF

Firewall policy configuration

To allow health checks from FortiSASE security points of presence to access the target SLA, as well as to allow FortiSASE remote users to access protected resources, you must configure these corresponding firewall policies to allow this traffic as this topic demonstrates.

Note

The following settings are only examples. Do not consider them as recommended settings.

This deployment requires a spoke-to-hub LAN firewall policy. This policy allows traffic sourced from a spoke subnet destined for hub subnets. The IPsec wizard automatically configures this policy. This topic provides the configuration for reference purposes.

This deployment requires a spoke-to-spoke firewall firewall policy. This policy allows traffic sourced from a spoke subnet destined for other spoke subnets. The IPsec wizard automatically configures this policy. This topic provides the configuration for reference purposes.

To configure a spoke-to-loopback firewall policy using the GUI:

This policy allows health check traffic from a spoke to the hub's loopback interface.

  1. Go to Policy & Objects > Firewall Policy and click Create New. The New Policy pane displays.
  2. In the Name field, enter Lo-HC.
  3. Set the following options:
    1. For Incoming interface, select VPN1.
    2. For Outgoing interface, select Lo-BGP-RID.
    3. For Source, select all.
    4. For Destination, select all.
    5. From the Schedule dropdown list, select always.
    6. For Service, select ALL.
    7. For Action, select Accept.
    8. Disable NAT.
    9. Select Enable this policy.
  4. Click OK to save changes.
Previous
Next

Firewall policy configuration

To allow health checks from FortiSASE security points of presence to access the target SLA, as well as to allow FortiSASE remote users to access protected resources, you must configure these corresponding firewall policies to allow this traffic as this topic demonstrates.

Note

The following settings are only examples. Do not consider them as recommended settings.

This deployment requires a spoke-to-hub LAN firewall policy. This policy allows traffic sourced from a spoke subnet destined for hub subnets. The IPsec wizard automatically configures this policy. This topic provides the configuration for reference purposes.

This deployment requires a spoke-to-spoke firewall firewall policy. This policy allows traffic sourced from a spoke subnet destined for other spoke subnets. The IPsec wizard automatically configures this policy. This topic provides the configuration for reference purposes.

To configure a spoke-to-loopback firewall policy using the GUI:

This policy allows health check traffic from a spoke to the hub's loopback interface.

  1. Go to Policy & Objects > Firewall Policy and click Create New. The New Policy pane displays.
  2. In the Name field, enter Lo-HC.
  3. Set the following options:
    1. For Incoming interface, select VPN1.
    2. For Outgoing interface, select Lo-BGP-RID.
    3. For Source, select all.
    4. For Destination, select all.
    5. From the Schedule dropdown list, select always.
    6. For Service, select ALL.
    7. For Action, select Accept.
    8. Disable NAT.
    9. Select Enable this policy.
  4. Click OK to save changes.
Previous
Next