Firewall Policy Examples
Note: The following are examples. Policies will differ by network environment and organization requirements.
DNS for Authorized Hosts
Block authorized host DNS traffic to/from FortiNAC.
Name | Deny Authorized DNS to FortiNAC
Incoming Interface | Interface of managed ports
Outgoing Interface | FortiNAC interface
Source | Address: all; User group: the applicable user group for registered hosts
Destination | all
Schedule | Always
Service | DNS
Action | DENY
Enable this policy | Enable
Network Access for Authorized Hosts
Allow authorized host traffic to/from the production network.
Name | Name of policy
Incoming Interface | Interface of managed ports
Outgoing Interface | wan
Source | Address: all; User group: the applicable user group for registered hosts
Destination | all
Schedule | Always
Service | ALL
Action | ACCEPT
NAT | May need to be enabled
Enable this policy | Enable
Network Access for Unauthorized Hosts
Allow unauthorized host traffic to/from FortiNAC.
Note: An additional policy may be required to give unauthorized hosts internet access for FortiNAC SSL certificate validation and for Anti-Virus/Anti-Spyware/Operating System remediation.
Name | Name of policy
Incoming Interface | Interface of managed ports
Outgoing Interface | FortiNAC interface
Source | all
Destination | all
Schedule | Always
Service | ALL
Action | ACCEPT
Enable this policy | Enable
Network Access for Disabled Hosts (DeadEnd)
Disabled hosts are prevented from accessing the production network and are presented with the Captive Portal.
FortiNAC Network Access Policy
Firewall Tag: Disabled
User/Host Profile:
- Where: Port group containing the FortiGate interface for the managed ports
- Who/What By Attribute: Host: Access Status: Disabled
Network Access Configuration:
- Direct Configuration
- Firewall Tags: Disabled
Rank this policy above the other policies for FortiGate Managed Ports.
Configure FortiGate Firewall Policy
- Navigate to Security Fabric > Fabric Connectors. Apply and refresh to pull in the Disabled tag created in FortiNAC.
- View User/Groups to confirm the Disabled tag was pulled into FortiGate.
- Navigate to User & Device > User Groups.
- Create a group of type Fortinet Single Sign-On (FSSO) and add Disabled (the tag pulled in from the Fabric Connector) as a member.
- Navigate to Policy and Objects > IPv4 Policy.
- Create the policies below to control disabled hosts.
DeadEnd Network Access
Name | Name of policy
Incoming Interface | Interface of managed ports
Outgoing Interface | wan
Source | Address: all; User group: Disabled user group
Destination | all
Schedule | Always
Service | ALL
Action | DENY
Enable this policy | Enable
DeadEnd DNS
Allow DNS traffic for disabled hosts to FortiNAC for Captive Portal access.
Name | Name of policy
Incoming Interface | Interface of managed ports
Outgoing Interface | FortiNAC interface
Source | Address: all; User group: Disabled user group
Destination | all
Schedule | Always
Service | DNS
Action | ACCEPT
Enable this policy | Enable
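The same policy set expressed in the FortiOS CLI, as an added example that is not part of the FortiNAC documentation above and not a Fortinet-supplied configuration. It assumes interface names (port2 for the managed ports, port3 for the FortiNAC interface, wan1 for wan), the policy IDs, and the group names "FortiNAC-Registered" (the existing group for registered hosts) and "FortiNAC-Disabled" (the FSSO group built from the Disabled tag); adjust all of these to your environment.

```fortios
# Added example, not from the FortiNAC documentation. Assumed names:
#   port2 = interface of managed ports, port3 = FortiNAC interface, wan1 = wan
#   "FortiNAC-Registered" = existing user group for registered hosts
#   "FortiNAC-Disabled"   = FSSO group wrapping the "Disabled" tag pulled in
#                          from the Fabric Connector

config user group
    edit "FortiNAC-Disabled"
        set group-type fsso-service
        set member "Disabled"
    next
end

config firewall policy
    # DeadEnd DNS: disabled hosts may resolve names via FortiNAC (captive portal)
    edit 10
        set name "DeadEnd-DNS"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set groups "FortiNAC-Disabled"
        set schedule "always"
        set service "DNS"
        set action accept
        set status enable
    next
    # DeadEnd network access: disabled hosts get nothing toward wan
    edit 11
        set name "DeadEnd-Network-Access"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "FortiNAC-Disabled"
        set schedule "always"
        set service "ALL"
        set action deny
        set status enable
    next
    # Authorized hosts must not use FortiNAC as their DNS server
    edit 12
        set name "Deny-Authorized-DNS-to-FortiNAC"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set groups "FortiNAC-Registered"
        set schedule "always"
        set service "DNS"
        set action deny
        set status enable
    next
    # Authorized hosts reach the production network; NAT only if needed
    edit 13
        set name "Authorized-Network-Access"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "FortiNAC-Registered"
        set schedule "always"
        set service "ALL"
        set action accept
        set nat enable
        set status enable
    next
    # Unauthorized hosts reach FortiNAC only (portal, registration, remediation)
    edit 14
        set name "Unauthorized-to-FortiNAC"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set action accept
        set status enable
    next
end

# Policies are matched top-down. On a unit where the authorized-host policies
# already exist, move the DeadEnd entries above them so a disabled host that
# is still a member of the registered group hits the DENY before the ACCEPT.
config firewall policy
    move 10 before 12
    move 11 before 12
end
```

After applying, check the effective order in Policy & Objects > IPv4 Policy (or with `show firewall policy`) and confirm that a host with Access Status Disabled can still reach the captive portal but nothing else.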