Configure the integrated firewall

You can add basic stateful firewall functionality to FortiWeb. The firewall monitors TCP, UDP, and ICMP traffic and determines which packets to allow.

By default, the value of the system firewall policy Default Action setting is Accept. This allows any traffic that does not match a firewall policy rule to access the FortiWeb network interfaces.

When the firewall policy Default Action setting is Deny and the policy has no rules, FortiWeb only allows administrative access to ports. For example, the firewall prevents requests that do not match a rule from reaching virtual servers.

To configure the stateful firewall

1.  Go to System > Firewall and select the Firewall Address tab.

2.  Click Create New, and then complete the following settings:

Setting name / Description

Name
Enter a name that identifies the firewall address.

Type
Select how this configuration specifies a firewall address or addresses:

  • IP/IP Range — A single IP or a range of IP addresses.
  • IP/Netmask — A single IP address and netmask.

IP/Netmask or IP/IP Range
Enter one of the following:

  • If Type is IP/Netmask, an IPv4 address and subnet mask, separated by a forward slash ( / ). For example, 192.0.2.2/24.
  • If Type is IP/IP Range, a single IP address or a range of addresses. For example, 172.22.14.1, or 172.22.14.1-172.22.14.255.

3.  Click OK.

4.  Add any additional firewall addresses you require.

5.  Go to System > Firewall and select the Firewall Service tab.

6.  Click Create New, and then complete the following settings:

Setting name / Description

Name
Enter a name that identifies the firewall service.

Protocol
Select the protocol that this firewall service inspects: TCP, UDP, or ICMP.

Minimum Source Port
Select the start port in the range of source ports for this firewall service.
The default value is 0.
Not available if Protocol is ICMP.

Maximum Source Port
Select the end port in the range of source ports for this firewall service.
The default value is 65535.
Not available if Protocol is ICMP.

Minimum Destination Port
Select the start port in the range of destination ports for this firewall service.
The default value is 0.
Not available if Protocol is ICMP.

Maximum Destination Port
Select the end port in the range of destination ports for this firewall service.
The default value is 65535.
Not available if Protocol is ICMP.

7.  Add any additional firewall services you require.

8.  Go to System > Firewall and select the Firewall Policy tab.

9.  For Default Action, select one of the following:

  • Accept – FortiWeb allows any traffic that does not match a firewall policy rule to access its network interfaces. This is the default.
  • Deny – FortiWeb blocks traffic that does not match a firewall policy rule (for example, requests to virtual servers). Administrative access to ports is still allowed.

10.  To add a policy rule, click Create New, and then complete the following settings:

Setting name / Description

Ingress Interface
Specify incoming traffic that this rule applies to by selecting a network interface.

Egress Interface
Specify outgoing traffic that this rule applies to by selecting a network interface.

Source
Specify the source address of traffic that this rule applies to by selecting an address from the firewall addresses you configured earlier (using System > Firewall > Firewall Address).

Destination
Specify the destination address of traffic that this rule applies to by selecting an address from the firewall addresses you configured earlier (using System > Firewall > Firewall Address).

Service
Select the protocol and port range that this rule applies to by selecting a firewall service configuration (using System > Firewall > Firewall Service).

Action
Select the action FortiWeb takes for traffic that matches this rule:

  • Deny – Firewall blocks matching traffic. Administrative access is still allowed on network interfaces for which it has been configured.
  • Accept – Firewall allows matching traffic.

11.  Click OK.

12.  Add any additional rules that you require, and then click Apply.
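The following Python model is an added illustration of the matching semantics described in this procedure (address types, service port ranges with their 0 and 65535 defaults, ports not applying to ICMP, and the Default Action fallback); it is not FortiWeb code. It assumes rules are evaluated top-down with the first match deciding, which the page does not state, and the interface names and addresses are constructed sample values.

```python
# Added model of the FortiWeb firewall policy logic described above (not FortiWeb code).
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Address:
    """Firewall Address: IP/Netmask ("192.0.2.2/24") or IP/IP Range
    ("172.22.14.1" or "172.22.14.1-172.22.14.255")."""
    spec: str

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if "-" in self.spec:  # IP/IP Range form: inclusive start-end
            lo, hi = (ipaddress.ip_address(p) for p in self.spec.split("-"))
            return lo <= addr <= hi
        # IP/Netmask form; strict=False accepts host bits as in 192.0.2.2/24
        return addr in ipaddress.ip_network(self.spec, strict=False)


@dataclass
class Service:
    protocol: str                  # "TCP", "UDP" or "ICMP"
    src_ports: tuple = (0, 65535)  # Minimum/Maximum Source Port defaults
    dst_ports: tuple = (0, 65535)  # Minimum/Maximum Destination Port defaults

    def matches(self, proto: str, sport: int, dport: int) -> bool:
        if proto != self.protocol:
            return False
        if proto == "ICMP":        # port ranges are not available for ICMP
            return True
        return (self.src_ports[0] <= sport <= self.src_ports[1]
                and self.dst_ports[0] <= dport <= self.dst_ports[1])


@dataclass
class Rule:
    ingress: str
    egress: str
    source: Address
    destination: Address
    service: Service
    action: str                    # "Accept" or "Deny"


@dataclass
class Firewall:
    default_action: str = "Accept"  # page default; "Deny" blocks unmatched traffic
    rules: list = field(default_factory=list)

    def decide(self, ingress, egress, src_ip, dst_ip, proto, sport=0, dport=0):
        # Assumption: top-down evaluation, first matching rule wins.
        for r in self.rules:
            if (r.ingress == ingress and r.egress == egress
                    and r.source.contains(src_ip) and r.destination.contains(dst_ip)
                    and r.service.matches(proto, sport, dport)):
                return r.action
        return self.default_action  # no rule matched: apply Default Action
```

With Default Action set to Deny and an empty rule list, `decide()` returns "Deny" for every packet, which is the "only administrative access" state the page describes.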