Chapter 2 Advanced Routing for FortiOS 5.0 : Border Gateway Protocol (BGP) : Dual-homed BGP example : Configuring the FortiGate unit : Configure firewall services, addresses, and policies
  
Configure firewall services, addresses, and policies
To create the security policies, first you must create the firewall services group that will include all the services that will be allowed, then you must define the addresses that will be used in the security policies, and lastly you configure the security policies themselves.
To keep the configuration simple, the Company is allowing only HTTP traffic out of the local network. This will allow employees access to the Internet and their web-mail. DNS services will also be allowed through the firewall.
The security policies will allow HTTP traffic (port 80 and port 8080), HTTPS traffic (port 443), FTP traffic (port 21), and DNS traffic (port 53 and port 953) in both directions. Also BGP (port 179) may need access through the firewall.
 
For added security, you may want to define a smaller range of addresses for the internal network. For example, if only 20 addresses are in use, define the address object so that it covers only those 20 addresses rather than the whole subnet.
In the interest of keeping things simple, a zone will be used to group the two ISP interfaces together. This allows one security policy to apply to both ISPs at the same time. Remember to block intra-zone traffic; this prevents one ISP from sending traffic to the other ISP through your FortiGate unit and consuming your bandwidth. The zone keeps the configuration simple, and if separate policies for each ISP are needed in the future, they can be created and the zone deleted.
The addresses that will be used are the addresses of the FortiGate unit internal and external ports, and the internal network.
More policies or services can be added in the future as applications are added to the network. For more information on security policies, see the firewall chapter of the FortiGate Administration Guide.
 
When configuring security policies, always enable logging to help you track and debug your traffic flow.
To create a firewall services group - web-based manager
1. Go to Firewall Objects > Service > Groups, and select Create New.
2. For Group Name, enter “Basic_Services”.
3. From Available Services, move the following services over to the Member list: BGP, FTP, FTP_GET, FTP_PUT, DNS, HTTP, and HTTPS.
4. Select OK.
To create a firewall services group - CLI
config firewall service group
    edit "Basic_Services"
        set member "BGP" "DNS" "FTP" "FTP_GET" "FTP_PUT" "HTTP" "HTTPS"
    next
end
To create a zone for the ISP interfaces - web-based manager
1. Go to System > Network > Interfaces.
2. Select the caret to the right of Create New and then select Zone.
3. Enter the following information.
Zone Name: ISPs
Block Intra-zone traffic: enable
Interface members: port2, port3
4. Select OK.
To create a zone for the ISP interfaces - CLI
config system zone
    edit "ISPs"
        set interface "port2" "port3"
        set intrazone block
    next
end
To add the firewall addresses - web-based manager
1. Go to Firewall Objects > Address > Addresses.
2. Select Create New, and set the following information.
Address Name: Internal_network
Type: Subnet / IP Range
Subnet / IP Range: 10.11.101.0 255.255.255.0
Interface: port1
3. Select OK.
To add the firewall addresses - CLI
config firewall address
    edit "Internal_network"
        set associated-interface "port1"
        set subnet 10.11.101.0 255.255.255.0
    next
end
To add the HTTP and DNS security policies - web-based manager
1. Go to Policy > Policy > Policy, and select Create New.
2. Set the following information.
Source Interface/Zone: port1 (internal)
Source Address: Internal_network
Destination Interface/Zone: ISPs
Destination Address: all
Schedule: always
Service: Basic_Services
Action: ACCEPT
Log Allowed Traffic: enable
Enable NAT: enable
Comments: ISPs basic services out policy
3. Select OK.
4. Select Create New, and set the following information.
Source Interface/Zone: ISPs
Source Address: all
Destination Interface/Zone: port1 (internal)
Destination Address: Internal_network
Schedule: always
Service: Basic_Services
Action: ACCEPT
Log Allowed Traffic: enable
Enable NAT: enable
Comments: ISPs basic services in policy
5. Select OK.
To add the security policies - CLI
config firewall policy
    edit 1
        set srcintf "port1"
        set srcaddr "Internal_network"
        set dstintf "ISPs"
        set dstaddr "all"
        set schedule "always"
        set service "Basic_Services"
        set action accept
        set nat enable
        set profile-status enable
        set logtraffic enable
        set comments "ISPs basic services out policy"
    next
    edit 2
        set srcintf "ISPs"
        set srcaddr "all"
        set dstintf "port1"
        set dstaddr "Internal_network"
        set schedule "always"
        set service "Basic_Services"
        set action accept
        set nat enable
        set profile-status enable
        set logtraffic enable
        set comments "ISPs basic services in policy"
    next
end
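The advice above (block intra-zone traffic on the ISP zone, log allowed traffic on every policy, and reference the service group you actually created; FortiOS object names are case-sensitive) is easy to state and easy to get wrong when a policy is typed by hand. The script below is an added example, not Fortinet code or part of this guide: it parses the config/edit/set/next/end layout used by the CLI sections on this page into nested dictionaries and then checks the zones and policies against those three rules. The embedded configuration is a constructed sample in the shape of the page's objects; policy 2 deliberately references the group as "Basic_services" and omits logtraffic so that the checks have something to report.

```python
"""Parse FortiOS-style CLI config text and sanity-check the firewall objects in it."""
import shlex

# Constructed sample modelled on this page's objects. Policy 2 deliberately
# references the service group with the wrong case and omits logtraffic.
SAMPLE_CONFIG = """
config firewall service group
    edit "Basic_Services"
        set member "BGP" "DNS" "FTP" "FTP_GET" "FTP_PUT" "HTTP" "HTTPS"
    next
end
config system zone
    edit "ISPs"
        set interface "port2" "port3"
        set intrazone block
    next
end
config firewall address
    edit "Internal_network"
        set associated-interface "port1"
        set subnet 10.11.101.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set srcaddr "Internal_network"
        set dstintf "ISPs"
        set dstaddr "all"
        set schedule "always"
        set service "Basic_Services"
        set action accept
        set nat enable
        set logtraffic enable
        set comments "ISPs basic services out policy"
    next
    edit 2
        set srcintf "ISPs"
        set srcaddr "all"
        set dstintf "port1"
        set dstaddr "Internal_network"
        set schedule "always"
        set service "Basic_services"
        set action accept
        set nat enable
        set comments "ISPs basic services in policy"
    next
end
"""


def parse_fortios_config(text):
    """Turn config/edit/set/next/end text into nested dicts.

    Result shape: {"firewall policy": {"1": {"srcintf": ["port1"], ...}}, ...}.
    Every 'set' value is kept as a list because the CLI allows multiple values.
    """
    root = {}
    stack = [root]                      # stack[-1] is the dict receiving new keys
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, *args = shlex.split(line)  # shlex handles the quoted object names
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd == "unset":
            stack[-1].pop(args[0], None)
        elif cmd in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unrecognised CLI line: {line!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit versus next/end")
    return root


def lint_config(cfg):
    """Return a list of findings about the zones and policies in cfg."""
    findings = []
    groups = set(cfg.get("firewall service group", {}))
    addresses = set(cfg.get("firewall address", {})) | {"all"}  # "all" is predefined

    for name, zone in cfg.get("system zone", {}).items():
        if zone.get("intrazone") != ["block"]:
            findings.append(f"zone {name}: intra-zone traffic is not blocked")

    for pid, pol in cfg.get("firewall policy", {}).items():
        for svc in pol.get("service", []):
            if svc in groups:
                continue
            near = [g for g in groups if g.lower() == svc.lower()]
            if near:  # same letters, different case: the reference will not resolve
                findings.append(f"policy {pid}: service {svc!r} does not match group "
                                f"{near[0]!r} (names are case-sensitive)")
            else:
                findings.append(f"policy {pid}: service {svc!r} is not a group defined here")
        for key in ("srcaddr", "dstaddr"):
            for addr in pol.get(key, []):
                if addr not in addresses:
                    findings.append(f"policy {pid}: {key} {addr!r} is not a defined address")
        if pol.get("action") == ["accept"] and pol.get("logtraffic") != ["enable"]:
            findings.append(f"policy {pid}: allowed traffic is not logged")
    return findings


if __name__ == "__main__":
    for finding in lint_config(parse_fortios_config(SAMPLE_CONFIG)):
        print(finding)
```

Run it against a `show full-configuration` dump (or the relevant `config` sections pasted into a file) and expect an empty report; the service check only knows about groups defined in the same text, so a policy that names a predefined service directly will be reported as undefined rather than silently accepted.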