Configuring firewall policies
Identity-based firewall policies are needed to enable the WLAN users to access the Internet on Port1. First you create firewall addresses for employee and guest users, then you create the firewall policies.
To create firewall addresses for employee and guest WiFi users
1. Go to Firewall Objects > Address > Addresses.
2. Select Create New, enter the following information and select OK.
Address Name | employee-wifi-net |
Type | Subnet / IP Range |
Subnet / IP Range | 10.10.120.0/24 |
Interface | example_inc |
3. Select Create New, enter the following information and select OK.
Address Name | guest-wifi-net |
Type | Subnet / IP Range |
Subnet / IP Range | 10.10.115.0/24 |
Interface | example_guest |
To create firewall policies for employee WiFi users - web-based manager
1. Go to Policy > Policy and select Create New.
2. Enter the following information and select OK:
Source Interface/Zone | example_inc |
Source Address | employee-wifi-net |
Destination Interface/Zone | port1 |
Destination Address | all |
Schedule | always |
Service | ALL |
Action | ACCEPT |
NAT | Enable NAT |
3. Optionally, select UTM and set up UTM features for wireless users.
4. Select OK.
5. Repeat steps 1 through 4, but select Internal as the Destination Interface/Zone to provide access to the ExampleCo private network.
To create firewall policies for employee WiFi users - CLI
config firewall policy
  edit 0
    set srcintf "example_inc"
    set dstintf "port1"
    set srcaddr "employee-wifi-net"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "ANY"
    set nat enable
  next
  edit 0
    set srcintf "example_inc"
    set dstintf "internal"
    set srcaddr "employee-wifi-net"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "ANY"
    set nat enable
end
To create a firewall policy for guest WiFi users - web-based manager
1. Go to Policy > Policy and select Create New.
2. Enter the following information and select OK:
Source Interface/Zone | example_guest |
Source Address | guest-wifi-net |
Destination Interface/Zone | port1 |
Destination Address | all |
Schedule | always |
Service | ALL |
Action | ACCEPT |
NAT | Enable NAT |
3. Optionally, select UTM and set up UTM features for wireless users.
4. Select OK.
To create a firewall policy for guest WiFi users - CLI
config firewall policy
  edit 0
    set srcintf "example_guest"
    set dstintf "port1"
    set srcaddr "guest-wifi-net"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "ANY"
    set nat enable
end
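One way to confirm that the guest SSID stays isolated after these policies are in place, as an added example that is not part of the original page: a Python script that parses `config firewall policy` text (for instance from a configuration backup) and reports any accept policy from example_guest toward an interface other than port1. The sample configuration is constructed, policy 4 is a deliberate error added for illustration, and the function names are hypothetical.

```python
import shlex

def make_policy(pid, srcintf, dstintf, srcaddr):
    """Render one accept policy in the CLI form used on this page."""
    return (f'edit {pid}\nset srcintf "{srcintf}"\nset dstintf "{dstintf}"\n'
            f'set srcaddr "{srcaddr}"\nset dstaddr "all"\nset action accept\n'
            'set schedule "always"\nset service "ANY"\nset nat enable\nnext\n')

# Constructed sample: policies 1-3 are the ones this page creates; policy 4 is
# a deliberate mistake (guest -> internal) so the audit has something to report.
SAMPLE_CONFIG = ("config firewall policy\n"
                 + make_policy(1, "example_inc", "port1", "employee-wifi-net")
                 + make_policy(2, "example_inc", "internal", "employee-wifi-net")
                 + make_policy(3, "example_guest", "port1", "guest-wifi-net")
                 + make_policy(4, "example_guest", "internal", "guest-wifi-net")
                 + "end\n")

def parse_policies(text):
    """Return one dict per 'edit' block; each 'set' value is a list of tokens."""
    policies, current = [], None
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        if tokens[0] == "edit" and len(tokens) > 1:
            if current is not None:
                policies.append(current)
            current = {"id": tokens[1]}
        elif tokens[0] == "set" and current is not None and len(tokens) > 2:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end") and current is not None:
            policies.append(current)  # 'end' also closes a block that has no 'next'
            current = None
    return policies

def audit_guest_isolation(policies, guest_intf="example_guest", allowed_dst=("port1",)):
    """Flag accept policies that let the guest interface reach anything but allowed_dst."""
    findings = []
    for p in policies:
        if p.get("action") != ["accept"] or guest_intf not in p.get("srcintf", []):
            continue
        leaked = [d for d in p.get("dstintf", []) if d not in allowed_dst]
        if leaked:
            findings.append((p["id"], leaked))
    return findings

if __name__ == "__main__":
    for pid, leaked in audit_guest_isolation(parse_policies(SAMPLE_CONFIG)):
        print(f"policy {pid}: guest traffic accepted toward {', '.join(leaked)}")
```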