Configure firewall services, addresses, and policies
To create the security policies, first create the firewall service group that includes all the services to be allowed, then define the addresses that the security policies will use, and finally configure the security policies themselves.
To keep the configuration simple, the Company is allowing only HTTP traffic out of the local network. This will allow employees access to the Internet and their web-mail. DNS services will also be allowed through the firewall.
The security policies will allow HTTP traffic (port 80 and port 8080), HTTPS traffic (port 443), FTP traffic (port 21), and DNS traffic (port 53 and port 953) in both directions. BGP (port 179) may also need access through the firewall.
 
For added security, you may want to define a smaller range of addresses for the internal network. For example, if only 20 addresses are used, allow only those addresses in the range.
In the interest of keeping things simple, a zone will be used to group the two ISP interfaces together. This allows one security policy to apply to both ISPs at the same time. Remember to block intra-zone traffic, as this helps prevent one ISP from sending traffic to the other ISP through your FortiGate unit and consuming your bandwidth. The zone keeps the configuration simple, and if separate policies for each ISP are needed in the future, they can be created and the zone deleted.
The addresses that will be used are the addresses of the FortiGate unit internal and external ports, and the internal network.
More policies or services can be added in the future as applications are added to the network. For more information on security policies, see the firewall chapter of the FortiGate Administration Guide.
 
When configuring security policies, always enable logging to help you track and debug your traffic flow.
To create a firewall services group - web-based manager
1. Go to Policy & Objects > Objects > Services, select the dropdown arrow next to Create New and select Service Group.
2. For Group Name, enter “Basic_Services”.
3. From the Members dropdown, choose the following services: BGP, FTP, FTP_GET, FTP_PUT, DNS, HTTP, and HTTPS.
4. Select OK.
To create a firewall services group - CLI
config firewall service group
    edit "Basic_Services"
        set member "BGP" "DNS" "FTP" "FTP_GET" "FTP_PUT" "HTTP" "HTTPS"
    next
end
To create a zone for the ISP interfaces - web-based manager
1. Go to System > Network > Interfaces.
2. Select the caret to the right of Create New and then select Zone.
3. Enter the following information.
Zone Name: ISPs
Block Intra-zone traffic: enable
Interface members: port2, port3
4. Select OK.
To create a zone for the ISP interfaces - CLI
config system zone
    edit "ISPs"
        set interface "port2" "port3"
        set intrazone block
    next
end
To add the firewall addresses - web-based manager
1. Go to Policy & Objects > Objects > Addresses.
2. Select Create New, and set the following information.
Category: Address
Name: Internal_network
Type: Subnet / IP Range
Subnet / IP Range: 10.11.101.0 255.255.255.0
Interface: port1
3. Select OK.
To add the firewall addresses - CLI
config firewall address
    edit "Internal_network"
        set associated-interface "port1"
        set subnet 10.11.101.0 255.255.255.0
    next
end
To add the HTTP and DNS security policies - web-based manager
1. Go to Policy & Objects > Policy > IPv4, and select Create New.
2. Set the following information.
Incoming Interface: port1 (internal)
Source Address: Internal_network
Outgoing Interface: ISPs
Destination Address: All
Schedule: Always
Service: Basic_Services
Action: ACCEPT
Log Allowed Traffic: Enable
Firewall / Network Options: Enable NAT
Comments: ISP1 basic services out policy
3. Select OK.
4. Select Create New, and set the following information.
Incoming Interface: ISPs
Source Address: All
Outgoing Interface: port1 (internal)
Destination Address: Internal_network
Schedule: Always
Service: Basic_Services
Action: ACCEPT
Log Allowed Traffic: Enable
Firewall / Network Options: Enable NAT
Comments: ISP1 basic services in policy
5. Select OK.
To add the security policies - CLI
config firewall policy
    edit 1
        set srcintf "port1"
        set srcaddr "Internal_network"
        set dstintf "ISPs"
        set dstaddr "all"
        set schedule "always"
        set service "Basic_Services"
        set action accept
        set nat enable
        set profile-status enable
        set logtraffic enable
        set comments "ISP1 basic services out policy"
    next
    edit 2
        set srcintf "ISPs"
        set srcaddr "all"
        set dstintf "port1"
        set dstaddr "Internal_network"
        set schedule "always"
        set service "Basic_Services"
        set action accept
        set nat enable
        set profile-status enable
        set logtraffic enable
        set comments "ISP1 basic services in policy"
    next
end
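FortiOS object names are case-sensitive, so a policy that references a service group or address spelled differently from the object that was created will not match it. The following Python script is an added example, not part of this guide or of FortiOS, that parses a CLI snippet like the ones above and reports references to address or service objects the snippet never defines; the sample configuration embedded in it is constructed to mirror this page's objects with such a spelling mismatch.

```python
import shlex

def parse_fortios(text):
    """Parse one-level FortiOS CLI into {table: {entry: {attr: [values]}}}."""
    cfg, table, entry = {}, None, None
    for line in text.splitlines():
        parts = shlex.split(line)
        if not parts or parts[0] in ("next", "end"):  # block closers only
            continue
        if parts[0] == "config":
            table = cfg.setdefault(" ".join(parts[1:]), {})
        elif parts[0] == "edit":
            entry = table.setdefault(parts[1], {})
        elif parts[0] == "set":
            entry[parts[1]] = parts[2:]
    return cfg

def check_refs(cfg):
    """List policy references to address/service objects the snippet never defines."""
    addrs = set(cfg.get("firewall address", {})) | {"all"}  # "all" is built in
    defined = {"srcaddr": addrs, "dstaddr": addrs,
               "service": set(cfg.get("firewall service group", {}))}
    findings = []
    for pid, attrs in cfg.get("firewall policy", {}).items():
        for attr, names in defined.items():
            for value in attrs.get(attr, []):
                if value not in names:  # exact, case-sensitive match required
                    findings.append(f"policy {pid}: {attr} '{value}' is not defined")
    return findings

# Constructed sample of the page's objects; the policy misspells "Basic_Services".
SAMPLE = """
config firewall service group
    edit "Basic_Services"
    next
end
config firewall address
    edit "Internal_network"
        set subnet 10.11.101.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set srcaddr "Internal_network"
        set dstaddr "all"
        set service "Basic_services"
    next
end
"""
```

Running `check_refs(parse_fortios(SAMPLE))` reports the mismatched service name; correcting the policy to "Basic_Services" yields no findings.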