Configuring firewall settings for the Accounting VDOM
This configuration includes two firewall addresses and two firewall policies for the Accounting VDOM: one for the internal network and one for the VDOM link to the management VDOM (root).
For added security, all allowed traffic is scanned. Only valid office traffic is allowed, using the service group OfficeServices. The FortiClient application must be used to provide additional protection for the sensitive accounting information.
All sales and accounting computers have the FortiClient application installed, so the firewall policies check that FortiClient is installed and that antivirus scanning is enabled.
Note the spelling of AccountVlnk: VDOM link names are limited to eleven characters, so the name is shortened.
To configure firewall addresses - web-based manager
1. Open the Accounting VDOM.
2. Select Policy & Objects > Objects > Addresses.
3. Select Create New, enter the following information, and select OK.
| Setting | Value |
|---|---|
| Address Name | AccountingLocal |
| Type | Subnet / IP Range |
| Subnet / IP Range | 172.100.0.0 |
| Interface | port1 |
4. Select Create New, enter the following information, and select OK.
| Setting | Value |
|---|---|
| Address Name | AccountManagement |
| Type | Subnet / IP Range |
| Subnet / IP Range | 10.0.1.0 |
| Interface | AccountVlnk |
To configure firewall addresses - CLI
config vdom
    edit Accounting
        config firewall address
            edit AccountingLocal
                set type ipmask
                set subnet 172.100.0.0
                set associated-interface port1
            next
            edit AccountManagement
                set type ipmask
                set subnet 10.0.1.0
                set associated-interface AccountVlnk
            next
        end
    end
To configure the firewall policies from AccountingLocal to the Internet - web-based manager
1. Open the Accounting VDOM.
2. Go to Policy & Objects > Policy.
3. Select Create New, enter the following information, and then select OK.
| Setting | Value |
|---|---|
| Incoming Interface | port2 |
| Source Address | AccountingLocal |
| Outgoing Interface | AccountVlnk |
| Destination Address | AccountManagement |
| Schedule | always |
| Service | OfficeServices |
| Action | ACCEPT |
| Enable NAT | enable |
| Security Features | enabled |
| Protocol Option | default |
| Web Filtering | webStrict |
| AntiVirus Filtering | avStrict |
| Application Control | appStrict |
| Enable Endpoint NAC | Enforce_FortiClient_AV |
4. Open the root VDOM.
5. Go to Policy & Objects > Policy.
6. Select Create New, enter the following information, and then select OK.
| Setting | Value |
|---|---|
| Incoming Interface | AccountVlnk |
| Source Address | AccountManagement |
| Outgoing Interface | port2 |
| Destination Address | all |
| Schedule | always |
| Service | OfficeServices |
| Action | ACCEPT |
| Enable NAT | enable |
| Security Features | enable |
| Protocol Option | default |
| Web Filtering | webStrict |
| AntiVirus Filtering | avStrict |
| Application Control | appStrict |
| Enable Endpoint NAC | disabled |
To configure the firewall policies from AccountingLocal to the Internet - CLI
config vdom
    edit Accounting
        config firewall policy
            edit 1
                set srcintf "port2"
                set dstintf "AccountVlnk"
                set srcaddr "AccountingLocal"
                set dstaddr "AccountManagement"
                set action accept
                set schedule "always"
                set service "OfficeServices"
                set nat enable
                set av-profile "avStrict"
                set webfilter-profile "webStrict"
                set application-list "appStrict"
                set profile-protocol-options "default"
                set endpoint-check enable
                set endpoint-profile "FortiClient_installed"
            next
        end
    end
config vdom
    edit root
        config firewall policy
            edit 2
                set srcintf "AccountVlnk"
                set dstintf "port1"
                set srcaddr "AccountManagement"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "OfficeServices"
                set nat enable
                set av-profile "avStrict"
                set webfilter-profile "webStrict"
                set application-list "appStrict"
                set profile-protocol-options "default"
                set endpoint-check disable
            next
        end
    end
To configure the firewall policies from Internet to AccountingLocal - web-based manager
1. Open the root VDOM.
2. Go to Policy & Objects > Policy.
3. Select Create New, enter the following information, and select OK.
| Setting | Value |
|---|---|
| Incoming Interface | port1 |
| Source Address | all |
| Outgoing Interface | AccountVlnk |
| Destination Address | AccountManagement |
| Schedule | always |
| Service | OfficeServices |
| Action | ACCEPT |
| Enable NAT | enable |
| Security Features | enable |
| Protocol Option | default |
| Web Filtering | webStrict |
| AntiVirus Filtering | avStrict |
| Application Control | appStrict |
| Enable Endpoint NAC | disabled |
4. Open the Accounting VDOM.
5. Go to Policy & Objects > Policy.
6. Select Create New, enter the following information, and select OK.
| Setting | Value |
|---|---|
| Incoming Interface | AccountVlnk |
| Source Address | AccountManagement |
| Outgoing Interface | port2 |
| Destination Address | AccountingLocal |
| Schedule | always |
| Service | OfficeServices |
| Action | ACCEPT |
| Enable NAT | enable |
| Security Features | enable |
| Protocol Option | default |
| Web Filtering | webStrict |
| AntiVirus Filtering | avStrict |
| Application Control | appStrict |
| Enable Endpoint NAC | disabled |
To configure the firewall policies from Internet to AccountingLocal - CLI
config vdom
    edit root
        config firewall policy
            edit 3
                set srcintf port1
                set dstintf AccountVlnk
                set srcaddr all
                set dstaddr AccountManagement
                set action accept
                set schedule always
                set service OfficeServices
                set nat enable
                set av-profile avStrict
                set webfilter-profile webStrict
                set application-list appStrict
                set profile-protocol-options default
                set endpoint-check disable
            next
        end
    end
config vdom
    edit Accounting
        config firewall policy
            edit 4
                set srcintf AccountVlnk
                set dstintf port2
                set srcaddr AccountManagement
                set dstaddr AccountingLocal
                set action accept
                set schedule always
                set service OfficeServices
                set nat enable
                set av-profile avStrict
                set webfilter-profile webStrict
                set application-list appStrict
                set profile-protocol-options default
                set endpoint-check disable
            next
        end
    end
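The four policies above all follow the same pattern: every accept policy carries an antivirus, web filter and application control profile, and the policy leaving the accounting LAN enforces the FortiClient endpoint check. A practical way to keep that true after later edits is to audit the running CLI configuration for those properties. The Python below is an added example written for this page, not Fortinet code: the names parse_fortios, audit_policies and audit_sample are this editor's own, and the embedded configuration text is constructed from the page's Accounting policies 1 and 4 with the av-profile line of policy 4 deliberately removed so the audit has something to report.

```python
"""Audit FortiOS-style CLI config text for the guarantees the Accounting VDOM
example relies on. Added example, not FortiOS tooling."""
import shlex

# Profile attributes every accept policy on the page carries.
REQUIRED_PROFILES = ("av-profile", "webfilter-profile", "application-list")


def parse_fortios(text):
    """Parse 'config/edit/set/next/end' text into nested dicts.

    Tables ('config X') and entries ('edit Y') both become dicts keyed by
    name; 'set a v' stores v (a list when several values follow). An 'end'
    issued inside an entry saves the entry and closes its table, as the
    FortiOS CLI does.
    """
    root = {}
    stack = [("table", root)]  # (kind, dict) for each open scope
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        kind, cur = stack[-1]
        if cmd == "config":
            stack.append(("table", cur.setdefault(" ".join(args), {})))
        elif cmd == "edit":
            stack.append(("entry", cur.setdefault(args[0], {})))
        elif cmd == "set":
            cur[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd in ("next", "end"):
            if kind == "entry":
                stack.pop()  # leave the entry
            if cmd == "end":
                stack.pop()  # leave the enclosing table as well
        else:
            raise ValueError(f"unsupported line: {line}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit nesting")
    return root


def audit_policies(cfg, lan_interfaces):
    """Return findings for accept policies that lack a scanning profile, that
    originate on a LAN interface without endpoint-check, or that allow any-to-any.

    lan_interfaces maps a VDOM name to the interfaces facing an internal
    network (the page puts the accounting LAN on port2).
    """
    findings = []
    for vdom, tables in cfg.get("vdom", {}).items():
        for pid, pol in tables.get("firewall policy", {}).items():
            if pol.get("action") != "accept":
                continue
            where = f"{vdom} policy {pid}"
            for attr in REQUIRED_PROFILES:
                if attr not in pol:
                    findings.append(f"{where}: accept policy without {attr}")
            if (pol.get("srcintf") in lan_interfaces.get(vdom, set())
                    and pol.get("endpoint-check") != "enable"):
                findings.append(f"{where}: LAN-originated policy without endpoint-check")
            if pol.get("srcaddr") == "all" and pol.get("dstaddr") == "all":
                findings.append(f"{where}: any-to-any accept policy")
    return findings


# Constructed sample: the page's Accounting policies 1 and 4, with the
# av-profile line of policy 4 removed on purpose.
SAMPLE_CONFIG = """
config vdom
    edit Accounting
        config firewall policy
            edit 1
                set srcintf "port2"
                set dstintf "AccountVlnk"
                set srcaddr "AccountingLocal"
                set dstaddr "AccountManagement"
                set action accept
                set schedule "always"
                set service "OfficeServices"
                set nat enable
                set av-profile avStrict
                set webfilter-profile webStrict
                set application-list appStrict
                set endpoint-check enable
                set endpoint-profile "FortiClient_installed"
            next
            edit 4
                set srcintf AccountVlnk
                set dstintf port2
                set srcaddr AccountManagement
                set dstaddr AccountingLocal
                set action accept
                set schedule always
                set service OfficeServices
                set nat enable
                set webfilter-profile webStrict
                set application-list appStrict
                set endpoint-check disable
            end
    end
"""


def audit_sample():
    """Audit the constructed sample with port2 as the Accounting LAN interface."""
    return audit_policies(parse_fortios(SAMPLE_CONFIG), {"Accounting": {"port2"}})


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Feed the output of a FortiGate `show` for the relevant VDOMs into parse_fortios and the audit reports any policy that drifted from the pattern documented above; widening the lan_interfaces mapping is how you declare which interfaces face users and therefore must keep the endpoint check.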