Configure basic security policies
For traffic to flow between the internal and external ports in both directions, two security policies are required as a minimum. More can be used to further limit or direct traffic as needed, but they are not included here.
Before configuring the security policies, a firewall address group is configured for the PCs that are allowed Internet access. This prevents PCs without Internet privileges from accessing the Internet.
The security policy assumptions are:
• Only the basic networking services have been listed as allowed for added security. Others can easily be added as the users require them.
• In this example to keep things simple, both incoming and outgoing security policies are the same. In a real network there are applications that are allowed out but not in, and vice versa.
• Endpoint control has been enabled to ensure that all computers on the local network are running FortiClient and that those installs are up to date. This feature adds security on your local network without the network administrator having to continually remind users to update their software. The FortiGate unit can store an up-to-date copy of the FortiClient software and offer a URL to it for users to install it if they need to.
To configure security policies - web-based manager
1. Go to Policy & Objects > Objects > Addresses.
2. Create a new Firewall Address entry for each of:
PC Name  | IP Address    | Interface
Admin    | 192.168.10.11 | port1
Dentist1 | 192.168.10.21 | port1
Dentist2 | 192.168.10.22 | port1
Dentist3 | 192.168.10.23 | port1
3. Go to Policy & Objects > Objects > Addresses.
4. Select the dropdown arrow next to Create New and select Address Group.
5. Name the group Internet_PCs.
6. Add Admin, Dentist1, Dentist2, and Dentist3 as members of the group.
7. Select OK.
8. Go to Policy & Objects > Policy > IPv4.
9. Select Create New.
10. Enter the following for the inbound policy (port2, external -> port1, internal):
Incoming Interface | port2 |
Source Address | all |
Outgoing Interface | port1 |
Destination Address | Internet_PCs |
Schedule | always |
Service | Multiple. Select DHCP, DNS, FTP, HTTP, HTTPS, NTP, POP3, SMTP, SSH. |
Action | ACCEPT |
Log Allowed Traffic | Enabled |
11. Select OK.
12. Select Create New.
13. Enter the following for the outbound policy (port1, internal -> port2, external):
Incoming Interface | port1 |
Source Address | Internet_PCs |
Outgoing Interface | port2 |
Destination Address | all |
Schedule | always |
Service | Multiple. Select DHCP, DNS, FTP, HTTP, HTTPS, NTP, POP3, SMTP, SSH. |
Action | ACCEPT |
Log Allowed Traffic | Enabled |
14. Select OK.
To configure security policies - CLI
config firewall address
    edit "Admin"
        set associated-interface "port1"
        set subnet 192.168.10.11 255.255.255.255
    next
    edit "Dentist1"
        set associated-interface "port1"
        set subnet 192.168.10.21 255.255.255.255
    next
    edit "Dentist2"
        set associated-interface "port1"
        set subnet 192.168.10.22 255.255.255.255
    next
    edit "Dentist3"
        set associated-interface "port1"
        set subnet 192.168.10.23 255.255.255.255
    next
end
config firewall addrgrp
    edit "Internet_PCs"
        set member "Admin" "Dentist1" "Dentist2" "Dentist3"
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "Internet_PCs"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DHCP" "DNS" "FTP" "HTTP" "HTTPS" "NTP" "POP3" "SMTP" "SSH"
        set logtraffic enable
        set label "Section2"
        set endpoint-restrict-check no-av db-outdated
    next
    edit 2
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "Internet_PCs"
        set action accept
        set schedule "always"
        set service "DHCP" "DNS" "FTP" "HTTP" "HTTPS" "NTP" "POP3" "SMTP" "SSH"
        set logtraffic enable
        set label "Section2"
        set endpoint-restrict-check no-av db-outdated
    next
end
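As an added example, not part of the FortiOS documentation or any Fortinet tool, the following Python script parses the config/edit/set/next/end syntax shown above and audits the firewall policy table against the assumptions stated at the top of this section: every accept policy should name a limited service list, log its traffic, and not be any-to-any. The sample text is constructed for the example: it copies policies 1 and 2 from the CLI steps and adds a third, deliberately over-permissive policy so the checker has something to flag. The external interface name (port2) and the finding labels are this example's own choices.

```python
import shlex
from typing import Dict, List, Tuple

# Constructed sample config: policies 1 and 2 are the ones from this section;
# policy 3 is an intentionally loose entry added so the audit has findings.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "Internet_PCs"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DHCP" "DNS" "FTP" "HTTP" "HTTPS" "NTP" "POP3" "SMTP" "SSH"
        set logtraffic enable
        set label "Section2"
        set endpoint-restrict-check no-av db-outdated
    next
    edit 2
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "Internet_PCs"
        set action accept
        set schedule "always"
        set service "DHCP" "DNS" "FTP" "HTTP" "HTTPS" "NTP" "POP3" "SMTP" "SSH"
        set logtraffic enable
        set label "Section2"
        set endpoint-restrict-check no-av db-outdated
    next
    edit 3
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
end
"""

Tables = Dict[str, Dict[str, Dict[str, List[str]]]]


def parse_fortios(text: str) -> Tables:
    """Parse FortiOS-style CLI text into {table: {entry_id: {attr: [values]}}}.

    Handles quoted values via shlex and tracks nesting with a stack so a stray
    or missing 'next' does not break parsing. Nested config tables inside an
    entry (not used on this page) are recorded by their own table name.
    """
    tables: Tables = {}
    stack: List[List] = []  # each element: [table_name, current_entry_id]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)
        kw = tokens[0]
        if kw == "config":
            name = " ".join(tokens[1:])
            tables.setdefault(name, {})
            stack.append([name, None])
        elif kw == "edit" and stack:
            stack[-1][1] = tokens[1]
            tables[stack[-1][0]].setdefault(tokens[1], {})
        elif kw == "set" and stack:
            table, entry = stack[-1]
            entry = entry if entry is not None else "_global"
            tables[table].setdefault(entry, {})[tokens[1]] = tokens[2:]
        elif kw == "next" and stack:
            stack[-1][1] = None
        elif kw == "end" and stack:
            stack.pop()
    return tables


def audit_policies(tables: Tables, external_if: str = "port2") -> List[Tuple[str, str]]:
    """Return (policy_id, finding) pairs for accept policies that break the
    section's stated assumptions. Policies that pass produce no entries."""
    findings: List[Tuple[str, str]] = []
    for pid, attrs in tables.get("firewall policy", {}).items():
        if attrs.get("action", ["deny"])[0] != "accept":
            continue
        srcaddr, dstaddr = attrs.get("srcaddr", []), attrs.get("dstaddr", [])
        if srcaddr == ["all"] and dstaddr == ["all"]:
            findings.append((pid, "any-to-any accept"))
        if attrs.get("service", []) == ["ALL"]:
            findings.append((pid, "service ALL instead of a named service list"))
        # Older FortiOS uses enable/disable, newer uses all/utm/disable.
        if attrs.get("logtraffic", ["disable"])[0] not in ("enable", "all"):
            findings.append((pid, "allowed traffic not logged"))
        if external_if in attrs.get("srcintf", []) and srcaddr == ["all"]:
            findings.append((pid, "accepts from any external source; confirm each service is meant to be reachable inbound"))
    return findings


if __name__ == "__main__":
    for pid, msg in audit_policies(parse_fortios(SAMPLE_CONFIG)):
        print(f"policy {pid}: {msg}")
```

Run against the sample, policy 1 (outbound from Internet_PCs) passes, policy 2 is listed once because it accepts the full service list from any external source, which matches this example's simplification that inbound and outbound policies are the same, and policy 3 collects every finding. The same parser can be pointed at a saved `show firewall policy` output to review a real unit.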