Chapter 7. Security

7.3 VLAN and Security Profile

Learning Objectives

  • Configure VLANs in FortiGate firewall
  • Configure a Security Policy for VLANs
Scenario: In this lab, we are going to learn how to set VLAN on Port2 of the firewall. WebTerm1 is belong to Vlan10 and WebTerm2 is belong to Vlan20. We will set different policies on each VLAN and try to verify configuration.
Vlan and Security Profile main scenario
Figure 7.22: Main scenario
Table 7.2: Devices configuration
Device IP address Access
FortiGate Port 1: DHCP Client

Port 2:

Vlan 10: 192.168.10.1/24

Vlan 20: 192.168.20.1/24

 ICMP-HTTP-HTTPS
WebTerm1 DHCP Client
WebTerm2 DHCP Client
  1. Configure switches. Right-click on the Switch > Configure, configure eth0, eth1, and eth2 as Table 7.3:
    Table 7.3: Switch configuration
    Port VLAN Type
    0 1 Dot1q
    1 10 Access
    2 20 Access
    Switch configuration
    Figure 7.23: Switch configuration
  2. You should create two sub-interfaces on port2 of the firewall.
    Vlan10 Configuration
    Figure 7.24: Vlan10 Configuration
    Vlan20 Configuration
    Figure 7.25: Vlan20 Configuration
    Vlan10 and Vlan20 IP addresses
    Figure 7.26: Vlan10 and Vlan20 IP addresses
  3. Block YouTube and Social Media on Vlan 20:
    1. Create an application profile as Figure 7.27.
      Block Social Media and Video/Audio
      Figure 7.27: Block Social.Media and Video/Audio
    2. Configure Firewall Policy from Vlan 20 to Port1 and assign application control to the Firewall Policy.
      Vlan20 Firewall Policy and assign Application Control Profile
      Figure 7.28: Create vlan20 Firewall Policy and assign Application Control Profile
    3. Verify your configuration by visiting Twitter.com or YouTube.com.
      Verify configuration
      Figure 7.29: Verify configuration
  4. Filter .zip, .pdf files on Vlan 10:
    1. Create a File filtezr profile. File filter only works on the unencrypted protocol. Set traffic for both and finally set the action to block.
      Block pdf and zip files
      Figure 7.30: Block PDF and ZIP files
    2. Make sure to set the feature set as flow-based.
      Block Profile
      Figure 7.31: Block profile
    3. Create a Firewall Policy in the firewall from vlan10 to port1, inspection mode should be Proxy-based, and assign the profile you have created to File Filter.
      Vlan10 Firewall Policy and Assigning File Filter Profile
      Figure 7.32: Create vlan10 Firewall Policy and assign File Filter Profile
    4. Verify your configuration by downloading a zip or pdf file from HTTP websites.
      Verify your configuration by downloading a zip or pdf file from HTTP websites
      Figure 7.33: Verify configuration

License

Icon for the Creative Commons Attribution 4.0 International License

FortiGate Firewall Copyright © 2023 by Hamid Talebi is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.

Share This Book