FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link FortiOS 4.3 Online Help Link

Home > Online Help

> Chapter 8 - Deploying Wireless Networks > Configuring a WiFi LAN > Configuring firewall policies for the SSID

Configuring firewall policies for the SSID

For users on the WiFi LAN to communicate with other networks, firewall policies are required. This section describes creating a WiFi network to Internet policy.

Before you create firewall policies, you need to define any firewall addresses you will need.

To create a firewall address for WiFi users - web-based manager
  1. Go to Policy & Objects > Objects > Addresses.
  2. Select Create New, enter the following information and select OK.
Name Enter a name for the address, wifi_net for example.
Type Select Subnet.
Subnet / IP Range Enter the subnet address, 10.10.110.0/24 for example.
Interface Select the interface where this address is used, e.g., example_wifi
To create a firewall address for WiFi users - CLI

config firewall address

edit "wifi_net"

set associated-interface "example_wifi"

set subnet 10.10.110.0 255.255.255.0

end

To create a firewall policy - web-based manager
  1. Go to Policy & Objects > Policy > IPv4 and select Create New.
  2. In Incoming Interface, select the wireless interface.
  3. In Source Address, select the address of your WiFi network, wifi_net for example.
  4. In Outgoing Interface, select the Internet interface, for example, port1.
  5. In Destination Address, select All.
  6. In Service, select ALL, or select the particular services that you want to allow, and then select the right arrow button to move the service to the Selected Services list.
  7. In Schedule, select always, unless you want to define a schedule for limited hours.
  8. In Action, select ACCEPT.
  9. Select Enable NAT.
  10. Optionally, set up UTM features for wireless users.
  11. Select OK.
To create a firewall policy - CLI

config firewall policy

edit 0

set srcintf "example_wifi"

set dstintf "port1"

set srcaddr "wifi_net"

set dstaddr "all"

set action accept

set schedule "always"

set service "ANY"

set nat enable

end