Chapter 19 Virtual Domains : Inter-VDOM routing : Example of inter-VDOM routing : Configuring the firewall and Security Profile settings : Configuring firewall settings between the Accounting and Sales VDOMs
  
Configuring firewall settings between the Accounting and Sales VDOMs
Firewall policies are required for any communication between each internal network and the Internet. Policies are also required for the two internal networks to communicate with each other through the management (root) VDOM, since the inter-VDOM links terminate there.
The more restrictive AccountingSalesServices service group is used between Sales and Accounting so that only necessary business traffic is allowed; the broad service groups used for Internet access are not reused here. These policies result in a partially meshed VDOM configuration: Sales and Accounting can reach each other only through the root VDOM and only for the listed services. Endpoint control is enabled on both policies so that the FortiClient application is required on the connecting host, adding protection for the sensitive accounting information.
Two firewall policies are required to allow traffic in both directions between Sales and Accounting, one per direction, because each policy matches a single source interface to destination interface pair.
To configure the firewall policy between Sales and Accounting on the management VDOM - web-based manager
1. Open the root VDOM.
2. Go to Policy > Policy.
3. Select Create New, enter the following information, and select OK.
Source Interface/Zone: SalesVlnk
Source Address: SalesManagement
Destination Interface/Zone: AccountVlnk
Destination Address: AccountingManagement
Schedule: always
Service: AccountingSalesServices
Action: ACCEPT
Protection Profile: scan
Log Allowed Traffic: enabled
Enable Endpoint Control Check: enabled
Redirect Non-conforming Clients to Download Portal: enabled
4. Go to Policy > Policy.
5. Select Create New, enter the following information, and select OK.
Source Interface/Zone: AccountVlnk
Source Address: AccountingManagement
Destination Interface/Zone: SalesVlnk
Destination Address: SalesManagement
Schedule: always
Service: AccountingSalesServices
Action: ACCEPT
Protection Profile: scan
Log Allowed Traffic: enabled
Enable Endpoint Control Check: enabled
Redirect Non-conforming Clients to Download Portal: enabled
To configure the firewall policy between Sales and Accounting on the management VDOM - CLI
config vdom
    edit root
        config firewall policy
            edit 9
                set srcintf SalesVlnk
                set srcaddr SalesManagement
                set dstintf AccountVlnk
                set dstaddr AccountingManagement
                set schedule always
                set service AccountingSalesServices
                set action accept
                set profile-status enable
                set profile scan
                set logtraffic enable
                set endpoint-check enable
                set endpoint-redir-portal enable
            next
            edit 10
                set srcintf AccountVlnk
                set srcaddr AccountingManagement
                set dstintf SalesVlnk
                set dstaddr SalesManagement
                set schedule always
                set service AccountingSalesServices
                set action accept
                set profile-status enable
                set profile scan
                set logtraffic enable
                set endpoint-check enable
                set endpoint-redir-portal enable
            next
        end
    end
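A configuration like the one above is easy to get wrong in one direction only (a missing reverse policy, a service group widened to ALL, logging or endpoint control left off on one side). The following Python script is an added example, not part of the FortiOS Handbook or any Fortinet tool: it parses a FortiOS-style CLI dump of the config firewall policy table into dictionaries and checks the properties this section requires for the SalesVlnk/AccountVlnk pair. The sample configuration embedded in it is constructed for the example; policy 10 in the sample has deliberately been weakened so the audit has something to report. The parser understands only the config/edit/set/next/end keywords and ignores anything outside the policy table, so it can be fed a whole config vdom dump.

```python
"""Audit inter-VDOM firewall policies in a FortiOS-style CLI config dump.

Added example (not Fortinet code). Constructed sample input: policy 9 matches
the section; policy 10 is deliberately weakened (service ALL, logging off,
no endpoint control) so that the audit reports findings.
"""
import shlex

SAMPLE_CONFIG = """\
config vdom
    edit root
        config firewall policy
            edit 9
                set srcintf SalesVlnk
                set srcaddr SalesManagement
                set dstintf AccountVlnk
                set dstaddr AccountingManagement
                set schedule always
                set service AccountingSalesServices
                set action accept
                set profile-status enable
                set profile scan
                set logtraffic enable
                set endpoint-check enable
                set endpoint-redir-portal enable
            next
            edit 10
                set srcintf AccountVlnk
                set srcaddr AccountingManagement
                set dstintf SalesVlnk
                set dstaddr SalesManagement
                set schedule always
                set service ALL
                set action accept
                set logtraffic disable
            next
        end
    end
"""


def parse_policies(text):
    """Return {policy_id: {setting: [values]}} for the config firewall policy table.

    Lines before the table (config vdom, edit root) and after its closing
    'end' are ignored; 'set' lines may carry several values, so each
    setting maps to a list of tokens.
    """
    policies = {}
    current = None
    in_table = False
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[:3] == ["config", "firewall", "policy"]:
            in_table = True
        elif not in_table:
            continue
        elif tokens[0] == "edit":
            current = tokens[1]
            policies[current] = {}
        elif tokens[0] == "set" and current is not None:
            policies[current][tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end"):
            current = None
            if tokens[0] == "end":
                in_table = False
    return policies


def find_policy(policies, srcintf, dstintf):
    """Return (id, policy) for the first policy on the given interface pair."""
    for pid, policy in policies.items():
        if policy.get("srcintf") == [srcintf] and policy.get("dstintf") == [dstintf]:
            return pid, policy
    return None, None


def audit_pair(policies, intf_a, intf_b, allowed_service):
    """Check both directions between two inter-VDOM link interfaces.

    Each direction must exist, accept traffic, use only the restricted
    service group, log allowed traffic and enforce the endpoint control
    check. Returns a list of human-readable findings (empty means clean).
    """
    findings = []
    for src, dst in ((intf_a, intf_b), (intf_b, intf_a)):
        pid, policy = find_policy(policies, src, dst)
        if policy is None:
            findings.append(f"missing policy {src} -> {dst}")
            continue
        if policy.get("action") != ["accept"]:
            findings.append(f"policy {pid}: action is not accept")
        if policy.get("service") != [allowed_service]:
            findings.append(f"policy {pid}: service {policy.get('service')} is not {allowed_service}")
        if policy.get("logtraffic") != ["enable"]:
            findings.append(f"policy {pid}: logging of allowed traffic not enabled")
        if policy.get("endpoint-check") != ["enable"]:
            findings.append(f"policy {pid}: endpoint control check not enabled")
    return findings


if __name__ == "__main__":
    parsed = parse_policies(SAMPLE_CONFIG)
    for finding in audit_pair(parsed, "SalesVlnk", "AccountVlnk", "AccountingSalesServices"):
        print(finding)
```

Run against a real dump by replacing SAMPLE_CONFIG with the output of show firewall policy taken inside the root VDOM; the only expected output on a correctly configured unit is nothing at all.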