Chapter 19 Virtual Domains : Inter-VDOM routing : Example of inter-VDOM routing : Configuring the firewall and Security Profile settings : Configuring firewall settings for the Accounting VDOM
  
Configuring firewall settings for the Accounting VDOM
This configuration includes two firewall addresses and two firewall policies for the Accounting VDOM: one for the internal network, and one for the VDOM link with the management VDOM (root).
For added security, all allowed traffic is scanned. Only valid office traffic is allowed, using the service group OfficeServices. The FortiClient application must be used to provide additional protection for the sensitive accounting information.
All sales and accounting computers have the FortiClient application installed, so the firewall policies check that FortiClient is installed and that antivirus scanning is enabled.
Note the spelling of AccountVlnk, which is due to the eleven-character limit on VDOM link names.
To configure firewall addresses - web-based manager
1. Open the Accounting VDOM.
2. Select Firewall Objects > Address > Address.
3. Select Create New, enter the following information, and select OK.
    Address Name: AccountingLocal
    Type: Subnet / IP Range
    Subnet / IP Range: 172.100.0.0
    Interface: port1
4. Select Create New, enter the following information, and select OK.
    Address Name: AccountManagement
    Type: Subnet / IP Range
    Subnet / IP Range: 10.0.1.0
    Interface: AccountVlnk
To configure firewall addresses - CLI
config vdom
    edit Accounting
        config firewall address
            # "set subnet" belongs to the ipmask (Subnet / IP Range) type,
            # so the type is set to ipmask rather than iprange
            edit AccountingLocal
                set type ipmask
                set subnet 172.100.0.0
                set associated-interface port1
            next
            edit AccountManagement
                set type ipmask
                set subnet 10.0.1.0
                set associated-interface AccountVlnk
        end
    end
To configure protocol options for Accounting VDOM - web-based manager
1. Open the Accounting VDOM.
2. Select Policy > Policy > Protocol Options.
3. Select Create New.
4. Enter default for the Name.
5. Select OK.
To configure the firewall policies from AccountingLocal to the Internet - web-based manager
1. Open the Accounting VDOM.
2. Go to Policy > Policy.
3. Select Create New, enter the following information, and then select OK.
    Source Interface/Zone: port2
    Source Address: AccountingLocal
    Destination Interface/Zone: AccountVlnk
    Destination Address: AccountManagement
    Schedule: always
    Service: OfficeServices
    Action: ACCEPT
    Enable NAT: enable
    Security Features: enabled
        Protocol Option: default
        Web Filtering: webStrict
        AntiVirus Filtering: avStrict
        Application Control: appStrict
    Enable Endpoint NAC: Enforce_FortiClient_AV
4. Open the root VDOM.
5. Go to Policy > Policy.
6. Select Create New, enter the following information, and then select OK.
    Source Interface/Zone: AccountVlnk
    Source Address: AccountManagement
    Destination Interface/Zone: port2
    Destination Address: all
    Schedule: always
    Service: OfficeServices
    Action: ACCEPT
    Enable NAT: enable
    Security Features: enable
        Protocol Option: default
        Web Filtering: webStrict
        AntiVirus Filtering: avStrict
        Application Control: appStrict
    Enable Endpoint NAC: disabled
To configure the firewall policies from AccountingLocal to the Internet - CLI
config vdom
    edit Accounting
        config firewall policy
            edit 1
                set srcintf "port2"
                set dstintf "AccountVlnk"
                set srcaddr "AccountingLocal"
                set dstaddr "AccountManagement"
                set action accept
                set schedule "always"
                set service "OfficeServices"
                set nat enable
                set av-profile avStrict
                set webfilter-profile webStrict
                set application-list appStrict
                set profile-protocol-options default
                set endpoint-check enable
                set endpoint-profile "FortiClient_installed"
        end
    end

config vdom
    edit root
        config firewall policy
            edit 2
                set srcintf AccountVlnk
                set dstintf port1
                set srcaddr AccountManagement
                set dstaddr all
                set action accept
                set schedule always
                set service OfficeServices
                set nat enable
                set av-profile "scan"
                set webfilter-profile "scan"
                set application-list "AppControlList"
                set profile-protocol-options default
                set endpoint-check disable
        end
    end
To configure the firewall policies from the Internet to AccountingLocal - web-based manager
1. Open the root VDOM.
2. Go to Policy > Policy.
3. Select Create New, enter the following information, and select OK.
    Source Interface/Zone: port1
    Source Address: all
    Destination Interface/Zone: AccountVlnk
    Destination Address: AccountManagement
    Schedule: always
    Service: OfficeServices
    Action: ACCEPT
    Enable NAT: enable
    Security Features: enable
        Protocol Option: default
        Web Filtering: webStrict
        AntiVirus Filtering: avStrict
        Application Control: appStrict
    Enable Endpoint NAC: disabled
4. Open the Accounting VDOM.
5. Go to Policy > Policy.
6. Select Create New, enter the following information, and select OK.
    Source Interface/Zone: AccountVlnk
    Source Address: AccountManagement
    Destination Interface/Zone: port2
    Destination Address: AccountingLocal
    Schedule: always
    Service: OfficeServices
    Action: ACCEPT
    Enable NAT: enable
    Security Features: enable
        Protocol Option: default
        Web Filtering: webStrict
        AntiVirus Filtering: avStrict
        Application Control: appStrict
    Enable Endpoint NAC: disabled
To configure the firewall policies from the Internet to AccountingLocal - CLI
config vdom
    edit root
        config firewall policy
            edit 3
                set srcintf port1
                set dstintf AccountVlnk
                set srcaddr all
                set dstaddr AccountManagement
                set action accept
                set schedule always
                set service OfficeServices
                set nat enable
                set av-profile avStrict
                set webfilter-profile webStrict
                set application-list appStrict
                set profile-protocol-options default
                set endpoint-check disable
        end
    end

config vdom
    edit Accounting
        config firewall policy
            edit 4
                set srcintf AccountVlnk
                set dstintf port2
                set srcaddr AccountManagement
                set dstaddr AccountingLocal
                set action accept
                set schedule always
                set service OfficeServices
                set nat enable
                set av-profile avStrict
                set webfilter-profile webStrict
                set application-list appStrict
                set profile-protocol-options default
                set endpoint-check disable
        end
    end
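As an added example (not Fortinet's tooling and not part of the original page), the following Python script parses FortiOS config/edit/set/end text in the shape of the CLI blocks above and checks the rules this section states: every accepted policy carries AV, web filter and application control profiles, only OfficeServices is allowed, and the Accounting policy toward AccountVlnk enforces the FortiClient check. The sample configuration is constructed, with root policy 2 missing application-list on purpose.

```python
import shlex

# Constructed sample in the shape of the CLI blocks above; root policy 2 omits
# application-list on purpose so that lint() has something to report.
SAMPLE = "\n".join([
    "config vdom", "edit Accounting", "config firewall policy", "edit 1",
    'set dstintf "AccountVlnk"', "set action accept", 'set service "OfficeServices"',
    "set av-profile avStrict", "set webfilter-profile webStrict",
    "set application-list appStrict", "set endpoint-check enable", "end", "end",
    "config vdom", "edit root", "config firewall policy", "edit 2",
    "set action accept", "set service OfficeServices", 'set av-profile "scan"',
    'set webfilter-profile "scan"', "end", "end"])

def parse_policies(text):
    """Return {(vdom, policy_id): {key: value}} from FortiOS config/edit/set/end text."""
    tables, edits, policies = [], [], {}       # open tables and their current edit keys
    for tok in (shlex.split(line) for line in text.splitlines()):
        if not tok:
            continue
        if tok[0] == "config":                  # e.g. "config firewall policy"
            tables.append(" ".join(tok[1:])); edits.append(None)
        elif tok[0] == "edit":                  # edits[0] is the VDOM being edited
            edits[-1] = tok[1]
            if tables[-1] == "firewall policy":
                policies[(edits[0], tok[1])] = {}
        elif tok[0] == "set" and tables and tables[-1] == "firewall policy":
            policies[(edits[0], edits[-1])][tok[1]] = " ".join(tok[2:])
        elif tok[0] == "next":                  # close the entry, stay in the table
            edits[-1] = None
        elif tok[0] == "end":                   # save the entry and close the table
            tables.pop(); edits.pop()
    return policies

SCANS = ("av-profile", "webfilter-profile", "application-list")

def lint(policies):
    """Findings against the rules stated in the text; an empty list means all pass."""
    out = []
    for (vdom, pid), p in sorted(policies.items()):
        if p.get("action") != "accept":
            continue                            # only allowed traffic must be scanned
        missing = [k for k in SCANS if k not in p]
        if missing:
            out.append(f"{vdom} policy {pid}: unscanned ({', '.join(missing)})")
        if p.get("service") != "OfficeServices":
            out.append(f"{vdom} policy {pid}: service is not OfficeServices")
        if (vdom, p.get("dstintf")) == ("Accounting", "AccountVlnk") \
                and p.get("endpoint-check") != "enable":
            out.append(f"{vdom} policy {pid}: FortiClient check not enforced")
    return out
```

Calling lint(parse_policies(SAMPLE)) returns the single finding for root policy 2; a full configuration export uses the same nesting and can be fed to parse_policies unchanged.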