Chapter 6 Deploying Wireless Networks for FortiOS 5.0 : Wireless network examples : A more complex example : Configuring firewall policies
  
Configuring firewall policies
Identity-based firewall policies are needed to enable the WLAN users to access the Internet on Port1. First you create firewall addresses for employee and guest users, then you create the firewall policies.
To create firewall addresses for employee and guest WiFi users
1. Go to Firewall Objects > Address > Addresses.
2. Select Create New, enter the following information and select OK.
Address Name: employee-wifi-net
Type: Subnet / IP Range
Subnet / IP Range: 10.10.120.0/24
Interface: example_inc
3. Select Create New, enter the following information and select OK.
Address Name: guest-wifi-net
Type: Subnet / IP Range
Subnet / IP Range: 10.10.115.0/24
Interface: example_guest
 
To create firewall policies for employee WiFi users - web-based manager
1. Go to Policy > Policy and select Create New.
2. Enter the following information and select OK:
Source Interface/Zone: example_inc
Source Address: employee-wifi-net
Destination Interface/Zone: port1
Destination Address: all
Schedule: always
Service: ALL
Action: ACCEPT
NAT: Enable NAT
3. Optionally, select UTM and set up UTM features for wireless users.
4. Select OK.
5. Repeat steps 1 through 4, but select Internal as the Destination Interface/Zone to provide access to the ExampleCo private network.
To create firewall policies for employee WiFi users - CLI
config firewall policy
    edit 0
        set srcintf "example_inc"
        set dstintf "port1"
        set srcaddr "employee-wifi-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set srcintf "example_inc"
        set dstintf "internal"
        set srcaddr "employee-wifi-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
To create a firewall policy for guest WiFi users - web-based manager
1. Go to Policy > Policy and select Create New.
2. Enter the following information and select OK:
Source Interface/Zone: example_guest
Source Address: guest-wifi-net
Destination Interface/Zone: port1
Destination Address: all
Schedule: always
Service: ALL
Action: ACCEPT
NAT: Enable NAT
3. Optionally, select UTM and set up UTM features for wireless users.
4. Select OK.
To create a firewall policy for guest WiFi users - CLI
config firewall policy
    edit 0
        set srcintf "example_guest"
        set dstintf "port1"
        set srcaddr "guest-wifi-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
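A practitioner reviewing this design wants two things checked before the configuration is loaded: that each policy's source interface matches the interface its source address is associated with (FortiOS rejects a mismatch such as the employee address on an "employee_inc" policy), and that no accept policy lets the guest zone reach the private Internal network, which this example relies on the implicit deny to block. The following added example (not from the page or from Fortinet) is a small lint over the CLI text; the config strings are constructed samples in FortiOS syntax, and the policy IDs 1 and 2 are placeholders for the IDs that `edit 0` assigns.

```python
import shlex

# Constructed FortiOS-style config (not from a device): the page's two
# addresses bound to their interfaces, and two of its policies (srcintf
# corrected to example_inc). IDs 1 and 2 stand in for the ones `edit 0` assigns.
ADDRESSES = """config firewall address
    edit "employee-wifi-net"
        set associated-interface "example_inc"
    next
    edit "guest-wifi-net"
        set associated-interface "example_guest"
    next
end"""
POLICIES = """config firewall policy
    edit 1
        set srcintf "example_inc"
        set dstintf "port1"
        set srcaddr "employee-wifi-net"
        set action accept
    next
    edit 2
        set srcintf "example_guest"
        set dstintf "port1"
        set srcaddr "guest-wifi-net"
        set action accept
    next
end"""

def parse_entries(text):
    """Return each `edit` entry of one FortiOS config block as a dict of its set values."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("edit "):
            entries.append({"id": line[5:].strip('"')})
        elif line.startswith("set ") and entries:
            key, _, value = line[4:].partition(" ")
            entries[-1][key] = shlex.split(value)  # quoted, space-separated values
    return entries

def lint(address_text, policy_text, guest_zone="example_guest", private_zone="internal"):
    """Flag srcaddr/srcintf mismatches and accept policies from the guest zone into the private net."""
    bound = {a["id"]: a["associated-interface"][0]
             for a in parse_entries(address_text) if "associated-interface" in a}
    findings = []
    for p in parse_entries(policy_text):
        src_if = p.get("srcintf", ["any"])[0]
        for addr in p.get("srcaddr", []):
            if addr in bound and bound[addr] != src_if:  # FortiOS rejects this combination
                findings.append(f"policy {p['id']}: {addr} is bound to {bound[addr]}, not {src_if}")
        if src_if == guest_zone and p.get("dstintf", [""])[0] == private_zone and p.get("action", [""])[0] == "accept":
            findings.append(f"policy {p['id']}: guest zone accepted into {private_zone}")
    return findings
```

Run `lint(ADDRESSES, POLICIES)` against a `show firewall address` / `show firewall policy` dump; an empty list means both checks pass.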