Adding VPN policies to perform granular firewall actions and inspection

You can add multiple VPN policies to perform granular firewall actions and inspection. This example configures two VPN policies for the same set of remote users: one that allows them to access *.fortinet.com and one that blocks all of their traffic to *.netflix.com.

VPN policy name                  Description
RemoteHomeOffice-DenyNetflix     Blocks remote employees (members of the Remote-Home-Office VPN user group) from accessing *.netflix.com.
RemoteHomeOffice-AllowFortinet   Allows remote employees (members of the Remote-Home-Office VPN user group) to access *.fortinet.com.

The following provides instructions for configuring the described policies. You may want to configure similar policies, modifying settings based on your environment.

This example assumes that you have already created the Remote-Home-Office VPN user group and added one or more of your users to it using the steps in Defining a user group of Entra ID SAML SSO users.

Note

For proper group matching, ensure that you follow the steps in Defining a user group of Entra ID SAML SSO users and specify group IDs in the Remote Groups section of the Create New User Group and Edit User Group dialogs. You should not specify Group IDs using the SAML Group Matching option in Configuration > VPN User SSO > Configure Service Provider.

To add policies to perform granular firewall actions and inspection:
  1. Go to Configuration > VPN Policies.
  2. Create the RemoteHomeOffice-DenyNetflix VPN policy:
    1. Click Create.
    2. In the Name field, enter RemoteHomeOffice-DenyNetflix.
    3. For Source Scope, select VPN Users.
    4. For User, select Specify, click +, and select the Remote-Home-Office user group from the Select Entries pane.
    5. In the Destination field, select Specify, click +, then do the following:
      1. On the Host tab, click Create.
      2. Select IPv4 Host.
      3. In the Name field, enter the desired name.
      4. From the Type dropdown list, select FQDN.
      5. In the FQDN field, enter *.netflix.com. When using wildcard FQDNs, FortiSASE caches the IP addresses for the address object from the DNS responses it observes that match the wildcard, so a destination is matched only after its DNS resolution has been seen.
      6. Click OK.
      7. Select the newly created Netflix host.
    6. In the Service field, click +. On the Select Entries pane, select ALL.
    7. For Action, select Deny. Verify this before saving: if the action is left as Accept, the policy permits the traffic it is meant to block.
    8. Leave all other fields at their default values.
    9. Click OK.
  3. Create the RemoteHomeOffice-AllowFortinet VPN policy:
    1. Click Create.
    2. In the Name field, enter RemoteHomeOffice-AllowFortinet.
    3. For Source Scope, select VPN Users.
    4. For User, select Specify, click +, and select the Remote-Home-Office user group from the Select Entries pane.
    5. In the Destination field, select Specify, click +, then do the following:
      1. On the Host tab, click Create.
      2. Select IPv4 Host.
      3. In the Name field, enter the desired name.
      4. From the Type dropdown list, select FQDN.
      5. In the FQDN field, enter *.fortinet.com. As with the Netflix host, FortiSASE resolves this wildcard FQDN to IP addresses from the matching DNS responses it observes.
      6. Click OK.
      7. Select the newly created Fortinet host.
    6. In the Service field, click +. On the Select Entries pane, select ALL.
    7. For Action, select Accept.
    8. Leave all other fields at their default values.
    9. Click OK.
  4. In Configuration > VPN Policies, order the policies so that RemoteHomeOffice-DenyNetflix is above RemoteHomeOffice-AllowFortinet, and both are above the Allow-All VPN policy. The position relative to Allow-All is what matters for security: if Allow-All is evaluated first, it matches the remote users' Netflix traffic and the deny policy is never reached.

When a session is initiated through the VPN tunnel, FortiSASE analyzes the connection and performs a VPN policy match. FortiSASE evaluates the VPN policies from top to bottom, compares the session with each policy's configured parameters (source scope, user, destination, and service), and applies the action of the first policy that matches. Policies below the first match are not consulted, which is why a narrow deny policy must sit above any broader accept policy that would also match the traffic.
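The following is an added illustration of the top-down, first-match behaviour described above; it is not FortiSASE code and does not reproduce the product's actual matching engine. It models the three policies from this example as data, resolves wildcard FQDN objects through a constructed DNS cache (mirroring the note that wildcard FQDNs are populated from observed DNS responses), and evaluates the same session against the recommended and a wrong policy order. The policy and session structures, the `*.example.com` suffix semantics, and the sample IP addresses are all assumptions made for this model.

```python
"""Toy first-match VPN policy evaluator (added example, not FortiSASE code)."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class Policy:
    name: str
    users: set        # user groups the policy applies to; empty means any VPN user
    dest_fqdns: set   # wildcard FQDN objects; empty means any destination
    action: str       # "accept" or "deny"


@dataclass
class Session:
    user_groups: set
    dest_ip: str


class FqdnCache:
    """IP -> names learned from observed DNS answers.

    Models the page's note that wildcard FQDN objects are populated from
    matching DNS responses: a destination whose resolution was never seen
    cannot be matched by an FQDN-based policy.
    """

    def __init__(self):
        self._ip_to_names = {}

    def observe(self, name, ips):
        for ip in ips:
            key = str(ip_address(ip))
            self._ip_to_names.setdefault(key, set()).add(name.lower().rstrip("."))

    def names_for(self, ip):
        return self._ip_to_names.get(str(ip_address(ip)), set())


def fqdn_matches(pattern, name):
    """Assumed semantics for this model: '*.example.com' matches any name that
    ends in '.example.com'. Check the product documentation for whether the
    apex name itself is included; this model does not include it."""
    pattern, name = pattern.lower(), name.lower()
    if pattern.startswith("*."):
        return name.endswith(pattern[1:])
    return name == pattern


def evaluate(policies, session, cache):
    """Return (policy name, action) of the first policy that matches, top-down."""
    names = cache.names_for(session.dest_ip)
    for p in policies:
        if p.users and not (p.users & session.user_groups):
            continue
        if p.dest_fqdns and not any(
            fqdn_matches(pat, n) for pat in p.dest_fqdns for n in names
        ):
            continue
        return p.name, p.action
    return "implicit-deny", "deny"   # assumed fallthrough when nothing matches


REMOTE = "Remote-Home-Office"
DENY_NETFLIX = Policy("RemoteHomeOffice-DenyNetflix", {REMOTE}, {"*.netflix.com"}, "deny")
ALLOW_FORTINET = Policy("RemoteHomeOffice-AllowFortinet", {REMOTE}, {"*.fortinet.com"}, "accept")
ALLOW_ALL = Policy("Allow-All", set(), set(), "accept")

CORRECT_ORDER = [DENY_NETFLIX, ALLOW_FORTINET, ALLOW_ALL]
WRONG_ORDER = [ALLOW_ALL, DENY_NETFLIX, ALLOW_FORTINET]


def build_cache():
    # Constructed DNS answers using documentation-range addresses; not real.
    cache = FqdnCache()
    cache.observe("www.netflix.com", ["192.0.2.10"])
    cache.observe("docs.fortinet.com", ["198.51.100.20"])
    return cache


def demo():
    cache = build_cache()
    remote_to_netflix = Session({REMOTE}, "192.0.2.10")
    remote_to_fortinet = Session({REMOTE}, "198.51.100.20")
    other_to_netflix = Session({"Contractors"}, "192.0.2.10")
    unseen_dns = Session({REMOTE}, "203.0.113.5")   # no DNS response observed
    return {
        "netflix_correct_order": evaluate(CORRECT_ORDER, remote_to_netflix, cache),
        "netflix_wrong_order": evaluate(WRONG_ORDER, remote_to_netflix, cache),
        "fortinet_correct_order": evaluate(CORRECT_ORDER, remote_to_fortinet, cache),
        "other_group_netflix": evaluate(CORRECT_ORDER, other_to_netflix, cache),
        "unseen_dns_dest": evaluate(CORRECT_ORDER, unseen_dns, cache),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Two results are worth noting. With Allow-All moved to the top, the remote user's Netflix session is accepted by Allow-All and the deny policy is never evaluated, which is the ordering mistake step 4 warns about. And a destination whose DNS resolution the cache never observed matches neither wildcard FQDN policy and falls through to Allow-All, which is why clients that resolve names outside the path FortiSASE can see should be accounted for when relying on wildcard FQDN objects.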
