Chapter 19 Virtual Domains : Inter-VDOM routing : Example of inter-VDOM routing : Configuring the firewall and Security Profile settings : Configuring firewall settings for the Sales VDOM
  
Configuring firewall settings for the Sales VDOM
Like the Accounting firewall settings, this configuration includes two firewall addresses and two firewall policies for the Sales VDOM: one for the internal network, and one for the VDOM link with the management VDOM.
When entering the CLI commands, the policy ID given to each firewall policy must be one that is not already in use, so that a new policy is created. Depending on how many firewall policies already exist on your FortiGate unit, this may require starting at a higher number than the 6 used here for the default configuration. When you configure firewall policies in the web-based manager, this ID is assigned automatically.
The FortiClient application must be used on Sales network computers to ensure additional protection for the sensitive information and for protection against spam.
To configure firewall addresses - web-based manager
1. Open the Sales VDOM.
2. Go to Firewall Objects > Address > Address.
3. Select Create New, enter the following information, and select OK.
Address Name: SalesLocal
Type: Subnet / IP Range
Subnet / IP Range: 172.100.0.0
Interface: port3
4. Go to Firewall Objects > Addresses.
5. Select Create New, enter the following information, and select OK.
Address Name: SalesManagement
Type: Subnet / IP Range
Subnet / IP Range: 10.0.1.0
Interface: SalesVlnk
To configure the firewall addresses - CLI
config vdom
edit Sales
config firewall address
edit SalesLocal
set type iprange
set subnet 172.100.0.0
set associated-interface port2
next
edit SalesManagement
set type iprange
set subnet 10.0.1.0
set associated-interface SalesVlnk
end
end
To configure the firewall policies from SalesLocal to the Internet - web-based manager
1. Open the Sales VDOM.
2. Go to Policy > Policy.
3. Select Create New, enter the following information, and select OK.
Source Interface/Zone: port3
Source Address: SalesLocal
Destination Interface/Zone: SalesVlnk
Destination Address: SalesManagement
Schedule: always
Service: OfficeServices
Action: ACCEPT
Log Allowed Traffic: enabled
Enable Endpoint Control Check: disabled
Redirect Non-conforming Clients to Download Portal: enabled
4. Open the root VDOM.
5. Go to Policy > Policy.
6. Select Create New, enter the following information, and select OK.
Source Interface/Zone: SalesVlnk
Source Address: SalesManagement
Destination Interface/Zone: external
Destination Address: all
Schedule: always
Service: OfficeServices
Action: ACCEPT
Protection Profile: scan
Log Allowed Traffic: enabled
Enable Endpoint Control Check: disabled
To configure the firewall policies from SalesLocal to the Internet - CLI
config vdom
edit Sales
config firewall policy
edit 6
set srcintf port2
set srcaddr SalesLocal
set dstintf SalesVlnk
set dstaddr SalesManagement
set schedule always
set service OfficeServices
set action accept
set profile-status enable
set profile scan
set logtraffic enable
set endpoint-check enable
set endpoint-redir-portal enable
end
end

config vdom
edit root
config firewall policy
edit 7
set srcintf SalesVlnk
set srcaddr SalesManagement
set dstintf external
set dstaddr all
set schedule always
set service OfficeServices
set action accept
set profile-status enable
set profile scan
set logtraffic enable
set endpoint-check enable
end
end
To configure the firewall policies from the Internet to SalesLocal - web-based manager
1. Open the root VDOM.
2. Go to Policy > Policy.
3. Select Create New, enter the following information, and select OK.
Source Interface/Zone: external
Source Address: all
Destination Interface/Zone: SalesVlnk
Destination Address: SalesManagement
Schedule: always
Service: OfficeServices
Action: ACCEPT
Protection Profile: scan
Log Allowed Traffic: enabled
Enable Endpoint Control Check: disabled
4. Open the Sales VDOM.
5. Go to Policy > Policy.
6. Select Create New, enter the following information, and select OK.
Source Interface/Zone: SalesVlnk
Source Address: SalesManagement
Destination Interface/Zone: port2
Destination Address: SalesLocal
Schedule: always
Service: OfficeServices
Action: ACCEPT
Protection Profile: scan
Log Allowed Traffic: enabled
Enable Endpoint Control Check: disabled
Redirect Non-conforming Clients to Download Portal: enabled
To configure the firewall policies from the Internet to SalesLocal - CLI
config vdom
edit root
config firewall policy
edit 8
set srcintf external
set srcaddr all
set dstintf SalesVlnk
set dstaddr SalesManagement
set schedule always
set service OfficeServices
set action accept
set profile-status enable
set profile scan
set logtraffic enable
set endpoint-check enable
set endpoint-redir-portal enable
end
end
 
config vdom
edit Sales
config firewall policy
edit 9
set srcintf SalesVlnk
set srcaddr SalesManagement
set dstintf port2
set dstaddr SalesLocal
set schedule always
set service OfficeServices
set action accept
set profile-status enable
set profile scan
set logtraffic enable
set endpoint-check enable
set endpoint-redir-portal enable
end
end
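Two things on this page are easy to get wrong when the CLI blocks are pasted into a unit rather than typed: a policy ID that already exists causes `edit` to modify that policy instead of creating a new one (the caveat about starting above 6), and a firewall address with an associated interface can only be used in policies on that interface. The Python script below is an added example, not Fortinet code and not part of this example configuration. It parses the config/edit/set/next/end structure used on this page into nested dictionaries and then checks every policy against the addresses defined in its VDOM. The embedded sample is constructed from the Sales VDOM commands above, with a misspelled address name, a policy that uses SalesLocal on port3 although the address is bound to port2, and an assumed existing policy 6, so that each check has something to report.

```python
"""Parse FortiOS-style CLI blocks and check policies (added example, not Fortinet code)."""
import shlex

# Constructed sample based on the Sales VDOM commands on this page, with two planted
# defects: policy 9 misspells SalesManagement and uses SalesLocal on port3 although
# that address is bound to port2.
SAMPLE_CONFIG = """
config vdom
edit Sales
config firewall address
edit SalesLocal
set type iprange
set subnet 172.100.0.0
set associated-interface port2
next
edit SalesManagement
set type iprange
set subnet 10.0.1.0
set associated-interface SalesVlnk
end
end
config vdom
edit Sales
config firewall policy
edit 6
set srcintf port2
set srcaddr SalesLocal
set dstintf SalesVlnk
set dstaddr SalesManagement
next
edit 9
set srcintf SalesVlnk
set srcaddr SalesManagment
set dstintf port3
set dstaddr SalesLocal
end
end
"""

def parse_fortios(text):
    """Return nested dicts: 'config' tables keyed by name, 'edit' entries inside them.
    'end' closes the innermost config block plus any edit entry still open in it
    (FortiOS accepts a missing 'next'); repeated 'config vdom' blocks merge."""
    root = {}
    stack = [("config", root)]          # frames are (kind, dict)
    for raw in text.splitlines():
        words = shlex.split(raw)        # handles quoted values, e.g. set comment "a b"
        if not words:
            continue
        cmd, args = words[0], words[1:]
        current = stack[-1][1]
        if cmd == "config":
            stack.append(("config", current.setdefault(" ".join(args), {})))
        elif cmd == "edit":
            stack.append(("edit", current.setdefault(args[0], {})))
        elif cmd == "set":
            current[args[0]] = " ".join(args[1:])
        elif cmd == "next":
            if stack[-1][0] != "edit":
                raise ValueError("'next' outside an edit entry")
            stack.pop()
        elif cmd == "end":
            while stack[-1][0] == "edit":
                stack.pop()
            if len(stack) == 1:
                raise ValueError("'end' without a matching 'config'")
            stack.pop()
        else:
            raise ValueError("unrecognised command: %r" % raw)
    if len(stack) != 1:
        raise ValueError("unterminated config block at end of input")
    return root

def check_policies(cfg, existing_ids):
    """List problems per VDOM. existing_ids maps VDOM name -> policy IDs already on
    the unit: a CLI 'edit N' reusing one modifies that policy instead of adding one.
    Each srcaddr/dstaddr must be 'all' or defined in the same VDOM, and an address
    with an associated-interface may only be used on that interface."""
    problems = []
    for vdom, tables in cfg.get("vdom", {}).items():
        addresses = tables.get("firewall address", {})
        in_use = set(existing_ids.get(vdom, ()))
        for pid, policy in tables.get("firewall policy", {}).items():
            if int(pid) in in_use:
                problems.append("%s: policy %s already exists; choose an unused ID" % (vdom, pid))
            for addr_field, intf_field in (("srcaddr", "srcintf"), ("dstaddr", "dstintf")):
                name = policy.get(addr_field)
                if name is None or name == "all":
                    continue
                if name not in addresses:
                    problems.append("%s: policy %s %s refers to undefined address %s"
                                    % (vdom, pid, addr_field, name))
                    continue
                bound = addresses[name].get("associated-interface")
                if bound and bound != policy.get(intf_field):
                    problems.append("%s: policy %s uses %s on %s but it is bound to %s"
                                    % (vdom, pid, name, policy.get(intf_field), bound))
    return problems

if __name__ == "__main__":
    # Assumes policy 6 already exists in the Sales VDOM, the case the text warns about.
    for line in check_policies(parse_fortios(SAMPLE_CONFIG), {"Sales": {6}}):
        print(line)
```

Run it against a `show` dump of the target VDOM instead of the sample to see which IDs and addresses a pasted block would collide with before committing it; the parser only understands the config/edit/set/next/end vocabulary, so trim interactive prompts from the dump first.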