Fortinet black logo

Administration Guide

Configuring the integrated firewall

Configuring the integrated firewall

In System > Firewall > Firewall Policy, you can configure:

  • The basic stateful firewall polices to monitors TCP, UDP, and ICMP traffic and determines which packets to forward to the back-end server. See Configuring the stateful firewall.

  • The FWMARK policies which allow you to mark the traffic coming in FortiWeb. Using it together with policy route, you can direct the marked traffic to go out of FortiWeb through a specified interface or/and to a specified next-hop gateway. See Configuring a firewall FWMARK policy.

  • The Firewall Admin policies which apply to traffic destined for the the network interfaces of FortiWeb. See Configuring a Firewall Admin policy.

To enable firewall

Before you can begin configuring firewall, you have to enable it. By default, firewall is disabled.

  1. Go to System > Config > Feature Visibility.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see "Permissions" on page 1.
  2. Locate System Features.
  3. Enable Firewall.
  4. Click Apply.

Configuring the stateful firewall

You can add basic stateful firewall functionality when FortiWeb is in Reverse Proxy, True Transparent Proxy, and Transparent Inspection modes. The firewall monitors TCP, UDP, and ICMP traffic and determines which packets to allow.

By default, the value of the system firewall policy Default Action setting is Accept. This allows any traffic that does not match a firewall policy rule to access the FortiWeb network interfaces.

When the firewall policy Default Action setting is Deny and the policy has no rules, FortiWeb only allows administrative access to ports. For example, the firewall prevents requests that do no match a rule from reaching virtual servers.

FortiWeb by default allows the connections from itself to the DNS server, even though the Default Action is Deny.
  1. Go to System > Firewall > Firewall Policy and select the Firewall Address tab.
  2. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configurationcategory. For details, see Permissions.

  3. Click Create New.
  4. Configure these settings:
    NameEnter a name that identifies the firewall address.
    Type

    Select how this configuration specifies a firewall address or addresses:

    • IP/IP Range—A single IP or a range of IP addresses.
    • IP/Netmask—A single IP address and netmask.
    IP/Netmask

    or

    IP/IP Range

    Enter one of the following:

    • If Type is IP/Netmask, an IPv4 address and subnet mask, separated by a forward slash ( / ). For example, 192.0.2.2/24.
    • If Type is IP/IP Range, a single IP address or a range of addresses. For example 1.2.3.4,2001::1,1.2.3.4-1.2.3.40,2001::1-2001::100.
  5. Click OK.
  6. Add any additional firewall addresses you require.
  7. Go to System > Firewall > Firewall Policy and select the Firewall Service tab.
  8. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.

  9. Click Create New.
  10. Configure these settings:
    NameEnter a name that identifies the firewall service.
    Protocol

    Select the protocol that this firewall service inspects: TCP, UDP, or ICMP.

    Minimum Source Port

    Select the start port in the range of source ports for this firewall service.

    The default value is 0.

    Not available if Protocol is ICMP.

    Maximum Source PortSelect the end port in the range of source ports for this firewall service.

    The default value is 65535.

    Not available if Protocol is ICMP.
    Minimum Destination Port

    Select the start port in the range of destination ports for this firewall service.

    The default value is 0.

    Not available if Protocol is ICMP.

    Maximum Destination PortSelect the end port in the range of destination ports for this firewall service.

    The default value is 65535.

    Not available if Protocol is ICMP.
  11. Add any additional firewall services you require.
  12. Go to System > Firewall > Firewall Policy and select the Firewall Policy tab.

    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.

  13. For Default Action, select one of the following:
    • Deny—Firewall blocks traffic that does not match a policy rule. However, administrative access is still allowed on network interfaces for which it has been configured.
    • Accept—Firewall allows traffic that does not match a policy rule.
  14. To add a policy rule, click Create New.
  15. Configure these settings:
    V-zone Enable

    Select to enable a V-zone (bridge). If this option is enabled, select a V-zone below. V-zones allow network connections to travel through FortiWeb's physical network ports without explicitly connecting to one of its IP addresses.

    This option is available only when the operation mode is True Transparent Proxy or Transparent Inspection mode.

    V-zone Select a configured V-zone. For details, see Configuring a bridge (V-zone)
    Ingress InterfaceSpecify incoming traffic that this rule applies to by selecting a network interface.
    Egress Interface

    Specify outgoing traffic that this rule applies to by selecting a network interface.

    Source

    Specify the source address of traffic that this rule applies to by selecting an address from the firewall addresses you configured earlier under System > Firewall > Firewall Policy > Firewall Address.

    DestinationSpecify the destination address of traffic that this rules applies to by selecting an address from the firewall addresses you configured earlier under System > Firewall > Firewall Policy > Firewall Address.
    Service

    Select the protocol and port range that this rule applies to by selecting a firewall service configuration under System > Firewall > Firewall Policy > Firewall Service.

    Action

    Select the action FortiWeb takes for traffic that matches this rule:

    • Deny—Firewall blocks matching traffic. Administrative access is still allowed on network interfaces for which it has been configured.
    • Accept—Firewall allows matching traffic.
  16. Click OK.
  17. Add any additional rules that you require, and then click Apply.

Configuring a firewall FWMARK policy

The FWMARK policy allows you to mark the traffic coming in FortiWeb. Using it together with policy route, you can direct the marked traffic to go out of FortiWeb through a specified interface or/and to a specified next-hop gateway.

  1. Go to System > Firewall > Firewall Policy and select the Firewall FWMARK Policy tab.

    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.

  2. To add a policy rule, click Create New.
  3. Configure these settings:
    Name

    Enter a name that identifies the FWMARK policy.

    SourceSpecify the source address of traffic that this policy applies to by selecting an address from the firewall addresses you configured earlier under System > Firewall > Firewall Policy > Firewall Address.
    DestinationSpecify the destination address of traffic that this policy applies to by selecting an address from the firewall addresses you configured earlier under System > Firewall > Firewall Policy > Firewall Address.
    Ingress Interface

    Specify incoming traffic that this policy applies to by selecting a network interface.

    Service

    Select the protocol and port range that this policy applies to by selecting a firewall service configuration under System > Firewall > Firewall Policy > Firewall Service.

    Mark

    Enter a value to mark the traffic that matches with the conditions above. The valid range is 1-255.

  4. Click OK.

Next, go to Network > Route > Policy Route. Configure a policy route to direct the marked traffic to go out of FortiWeb through a specified interface or/and to a specified next-hop gateway. Refer to Creating a policy route.

Configuring a Firewall Admin policy

While firewall policies control traffic flowing through FortiWeb, Firewall Admin policies control the administrative traffic to FortiWeb.

The Firewall Admin policy has the ability to granularly restrict administrative access by combining multiple matching conditions, e.g. the source and destination addresses of the traffic, the ingress interface, and services. It enables you to achieve specific access control objectives, such as allowing only traffic from certain source IP addresses to access FortiWeb through the FortiWebManager service.

The Firewall Admin policy is scanned before the Network > Interface allow access settings (as shown in the screenshot below), giving the Firewall Admin policy higher priority in case of a conflict between these two places. For example, if you have set a Firewall Admin policy to allow traffic to a network interface through SSH, the traffic that matches this policy will be allowed even if SSH is not selected in the interface's IPv4 Access Options.

Traffic destined for FortiWeb's interface with the port numbers for PING, SSH, SNMP, HTTP, HTTPS, or FortiWebManager is marked as administrative traffic.

Please note that the port numbers for HTTP and HTTPS are the ones you have defined in the Web Administration Ports in System > Admin > Settings.

To create a Firewall Admin policy:
  1. Go to System > Firewall > Firewall Policy and select the Firewall Admin Policy tab.

    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.

  2. To add a policy rule, click Create New.
  3. Configure these settings:
    Ingress Interface

    Specify incoming traffic that this policy applies to by selecting a network interface.

    SourceSpecify the source address of traffic that this policy applies to by selecting an address from the firewall addresses you configured earlier under System > Firewall > Firewall Policy > Firewall Address.
    DestinationSpecify the destination address of traffic that this policy applies to by selecting an address from the firewall addresses you configured earlier under System > Firewall > Firewall Policy > Firewall Address.
    Service

    Select the protocol and port range that this policy applies to by selecting a firewall service configuration under System > Firewall > Firewall Policy > Firewall Service.

    Action

    Select the action FortiWeb takes for traffic that matches this rule:

    • Deny—Firewall blocks matching traffic.
    • Accept—Firewall allows matching traffic.
  4. Click OK.

Configuring the integrated firewall

Configuring the integrated firewall

In System > Firewall > Firewall Policy, you can configure:

  • The basic stateful firewall polices to monitors TCP, UDP, and ICMP traffic and determines which packets to forward to the back-end server. See Configuring the stateful firewall.

  • The FWMARK policies which allow you to mark the traffic coming in FortiWeb. Using it together with policy route, you can direct the marked traffic to go out of FortiWeb through a specified interface or/and to a specified next-hop gateway. See Configuring a firewall FWMARK policy.

  • The Firewall Admin policies which apply to traffic destined for the the network interfaces of FortiWeb. See Configuring a Firewall Admin policy.

To enable firewall

Before you can begin configuring firewall, you have to enable it. By default, firewall is disabled.

  1. Go to System > Config > Feature Visibility.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see "Permissions" on page 1.
  2. Locate System Features.
  3. Enable Firewall.
  4. Click Apply.

Configuring the stateful firewall

You can add basic stateful firewall functionality when FortiWeb is in Reverse Proxy, True Transparent Proxy, and Transparent Inspection modes. The firewall monitors TCP, UDP, and ICMP traffic and determines which packets to allow.

By default, the value of the system firewall policy Default Action setting is Accept. This allows any traffic that does not match a firewall policy rule to access the FortiWeb network interfaces.

When the firewall policy Default Action setting is Deny and the policy has no rules, FortiWeb only allows administrative access to ports. For example, the firewall prevents requests that do no match a rule from reaching virtual servers.

FortiWeb by default allows the connections from itself to the DNS server, even though the Default Action is Deny.
  1. Go to System > Firewall > Firewall Policy and select the Firewall Address tab.
  2. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configurationcategory. For details, see Permissions.

  3. Click Create New.
  4. Configure these settings:
    NameEnter a name that identifies the firewall address.
    Type

    Select how this configuration specifies a firewall address or addresses:

    • IP/IP Range—A single IP or a range of IP addresses.
    • IP/Netmask—A single IP address and netmask.
    IP/Netmask

    or

    IP/IP Range

    Enter one of the following:

    • If Type is IP/Netmask, an IPv4 address and subnet mask, separated by a forward slash ( / ). For example, 192.0.2.2/24.
    • If Type is IP/IP Range, a single IP address or a range of addresses. For example 1.2.3.4,2001::1,1.2.3.4-1.2.3.40,2001::1-2001::100.
  5. Click OK.
  6. Add any additional firewall addresses you require.
  7. Go to System > Firewall > Firewall Policy and select the Firewall Service tab.
  8. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.

  9. Click Create New.
  10. Configure these settings:
    NameEnter a name that identifies the firewall service.
    Protocol

    Select the protocol that this firewall service inspects: TCP, UDP, or ICMP.

    Minimum Source Port

    Select the start port in the range of source ports for this firewall service.

    The default value is 0.

    Not available if Protocol is ICMP.

    Maximum Source PortSelect the end port in the range of source ports for this firewall service.

    The default value is 65535.

    Not available if Protocol is ICMP.
    Minimum Destination Port

    Select the start port in the range of destination ports for this firewall service.

    The default value is 0.

    Not available if Protocol is ICMP.

    Maximum Destination PortSelect the end port in the range of destination ports for this firewall service.

    The default value is 65535.

    Not available if Protocol is ICMP.
  11. Add any additional firewall services you require.
  12. Go to System > Firewall > Firewall Policy and select the Firewall Policy tab.

    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.

  13. For Default Action, select one of the following:
    • Deny—Firewall blocks traffic that does not match a policy rule. However, administrative access is still allowed on network interfaces for which it has been configured.
    • Accept—Firewall allows traffic that does not match a policy rule.
  14. To add a policy rule, click Create New.
  15. Configure these settings:
    V-zone Enable

    Select to enable a V-zone (bridge). If this option is enabled, select a V-zone below. V-zones allow network connections to travel through FortiWeb's physical network ports without explicitly connecting to one of its IP addresses.

    This option is available only when the operation mode is True Transparent Proxy or Transparent Inspection mode.

    V-zone Select a configured V-zone. For details, see Configuring a bridge (V-zone)
    Ingress InterfaceSpecify incoming traffic that this rule applies to by selecting a network interface.
    Egress Interface

    Specify outgoing traffic that this rule applies to by selecting a network interface.

    Source

    Specify the source address of traffic that this rule applies to by selecting an address from the firewall addresses you configured earlier under System > Firewall > Firewall Policy > Firewall Address.

    DestinationSpecify the destination address of traffic that this rules applies to by selecting an address from the firewall addresses you configured earlier under System > Firewall > Firewall Policy > Firewall Address.
    Service

    Select the protocol and port range that this rule applies to by selecting a firewall service configuration under System > Firewall > Firewall Policy > Firewall Service.

    Action

    Select the action FortiWeb takes for traffic that matches this rule:

    • Deny—Firewall blocks matching traffic. Administrative access is still allowed on network interfaces for which it has been configured.
    • Accept—Firewall allows matching traffic.
  16. Click OK.
  17. Add any additional rules that you require, and then click Apply.

Configuring a firewall FWMARK policy

The FWMARK policy allows you to mark the traffic coming in FortiWeb. Using it together with policy route, you can direct the marked traffic to go out of FortiWeb through a specified interface or/and to a specified next-hop gateway.

  1. Go to System > Firewall > Firewall Policy and select the Firewall FWMARK Policy tab.

    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.

  2. To add a policy rule, click Create New.
  3. Configure these settings:
    Name

    Enter a name that identifies the FWMARK policy.

    SourceSpecify the source address of traffic that this policy applies to by selecting an address from the firewall addresses you configured earlier under System > Firewall > Firewall Policy > Firewall Address.
    DestinationSpecify the destination address of traffic that this policy applies to by selecting an address from the firewall addresses you configured earlier under System > Firewall > Firewall Policy > Firewall Address.
    Ingress Interface

    Specify incoming traffic that this policy applies to by selecting a network interface.

    Service

    Select the protocol and port range that this policy applies to by selecting a firewall service configuration under System > Firewall > Firewall Policy > Firewall Service.

    Mark

    Enter a value to mark the traffic that matches with the conditions above. The valid range is 1-255.

  4. Click OK.

Next, go to Network > Route > Policy Route. Configure a policy route to direct the marked traffic to go out of FortiWeb through a specified interface or/and to a specified next-hop gateway. Refer to Creating a policy route.

Configuring a Firewall Admin policy

While firewall policies control traffic flowing through FortiWeb, Firewall Admin policies control the administrative traffic to FortiWeb.

The Firewall Admin policy has the ability to granularly restrict administrative access by combining multiple matching conditions, e.g. the source and destination addresses of the traffic, the ingress interface, and services. It enables you to achieve specific access control objectives, such as allowing only traffic from certain source IP addresses to access FortiWeb through the FortiWebManager service.

The Firewall Admin policy is scanned before the Network > Interface allow access settings (as shown in the screenshot below), giving the Firewall Admin policy higher priority in case of a conflict between these two places. For example, if you have set a Firewall Admin policy to allow traffic to a network interface through SSH, the traffic that matches this policy will be allowed even if SSH is not selected in the interface's IPv4 Access Options.

Traffic destined for FortiWeb's interface with the port numbers for PING, SSH, SNMP, HTTP, HTTPS, or FortiWebManager is marked as administrative traffic.

Please note that the port numbers for HTTP and HTTPS are the ones you have defined in the Web Administration Ports in System > Admin > Settings.

To create a Firewall Admin policy:
  1. Go to System > Firewall > Firewall Policy and select the Firewall Admin Policy tab.

    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.

  2. To add a policy rule, click Create New.
  3. Configure these settings:
    Ingress Interface

    Specify incoming traffic that this policy applies to by selecting a network interface.

    SourceSpecify the source address of traffic that this policy applies to by selecting an address from the firewall addresses you configured earlier under System > Firewall > Firewall Policy > Firewall Address.
    DestinationSpecify the destination address of traffic that this policy applies to by selecting an address from the firewall addresses you configured earlier under System > Firewall > Firewall Policy > Firewall Address.
    Service

    Select the protocol and port range that this policy applies to by selecting a firewall service configuration under System > Firewall > Firewall Policy > Firewall Service.

    Action

    Select the action FortiWeb takes for traffic that matches this rule:

    • Deny—Firewall blocks matching traffic.
    • Accept—Firewall allows matching traffic.
  4. Click OK.