Chapter 2 – Policy

2-1 Security Policy

Learning Objectives

  • Create a Security Policy in FortiGate
  • Reordering Firewall Policies and Firewall Policy Actions
Scenario: We are going to allow traffic from the local network to the Internet. We will create a Security Policy that allows traffic from port2 to port3. Webterm-1 will then be able to reach the Internet.

Security Policy

Figure 2-1: Security Policy main scenario

Table 2-1: Devices configuration

Device      Configuration
FortiGate   Port 2: DHCP Server
            Port 3: DHCP Client
WebTerm     DHCP Client

1. Configuration of port1 of the firewall in CLI is as follows:

Figure 2-2: Configuration of Port1

2. Open the browser in WebTerm 2 and type https://192.168.0.1. You should be able to access the firewall.

Figure 2-3: Login to the FortiGate

3. Go to Network > Interfaces > Port2, set the interface IP address to 192.168.1.1/24, configure a DHCP server on interface port2 (address range: 192.168.1.20 - 192.168.1.30, DNS: 4.2.2.4), and enable Device Detection under Port2.

Figure 2-4: Enable DHCP Server

4. Set port3 as a DHCP client and enable Device Detection under Port3.

Figure 2-5: Enable DHCP Client

5. Set a static route in the firewall to reach the NAT object. Go to Network > Static Route > Create New.

Figure 2-6: Configure a static route

6. Go to Policy & Objects > Firewall Policy, click Create New to add a new firewall policy, and configure the following settings:

    • Name: LocalToInternet
    • From inside to outside (port2 to port3)
    • Source: Create an address object for the local network (Subnet: 192.168.1.0/24)
    • Destination: all
    • Schedule: Always
    • Service: Only HTTP, HTTPS, DNS, Ping
    • Action: Accept

Figure 2-7: Set local subnet

Figure 2-8: Set firewall policy

7. Go to WebTerm1, set its interface to DHCP, and then open the browser. You should be able to access the Internet.

Figure 2-9: Enable DHCP Client on webterm1

Figure 2-10: Verify your configuration by testing google.com

Verify your configuration

  • Go to Dashboard > FortiView Sessions. You should be able to see the traffic.

Figure 2-11: FortiView Sessions

  • Go to Firewall Policy; on the right side of the screen you should be able to see the Hit Count.

Figure 2-12: Hit count in the Firewall Policy

  • Go to Dashboard > Users & Devices > Device Inventory and verify the IP and MAC address of the device.

Figure 2-13: Device Inventory

Reordering Firewall Policies and Firewall Policy Actions

FortiGate will look for a matching policy, beginning at the top. Usually, you should put more specific policies at the top; otherwise, more general policies will match the traffic first, and your more granular policies will never be applied.

You will create a new firewall policy with more specific settings such as source, destination, service, and action set to DENY. Then, you will move this firewall policy above the existing firewall policies and observe the behavior of firewall policy reordering.

Create a Firewall Policy

You will create a new firewall policy that matches a specific source, destination, and service, with the action set to DENY.

Table 2-2: Firewall policy configuration

Field                   Value
Name                    Block_Ping
Incoming Interface      Port2
Outgoing Interface      Port3
Source                  LOCAL_SUBNET
Destination             All
Schedule                Always
Service                 PING
Action                  DENY
Log Violation Traffic   Enabled
Enable this policy      Enabled

Figure 2-14: Set firewall policy to block ping

Click OK to save the changes. Move this policy above the previous policy.

Figure 2-15: Priority of Block_Ping should be higher than LocalToInternet

Go to Webterm1 and ping 4.2.2.4. You shouldn’t be able to ping!

Figure 2-16: Verify ping in the webterm1
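The same two policies (step 6's LocalToInternet and the Block_Ping policy from Table 2-2), expressed as FortiOS CLI. This is an added example, not part of the original lab; the policy IDs 1 and 2, and the NAT setting on the accept policy, are assumptions.

```fortios
# Address object for the local LAN (named LOCAL_SUBNET, as in Table 2-2)
config firewall address
    edit "LOCAL_SUBNET"
        set subnet 192.168.1.0 255.255.255.0
    next
end

config firewall policy
    # Step 6: LocalToInternet (policy ID 1 is assumed)
    edit 1
        set name "LocalToInternet"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "LOCAL_SUBNET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS" "PING"
        # Assumed: the GUI enables NAT on a new policy by default
        set nat enable
    next
    # Table 2-2: Block_Ping (policy ID 2 is assumed)
    edit 2
        set name "Block_Ping"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "LOCAL_SUBNET"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "PING"
        # "Log Violation Traffic" in the GUI
        set logtraffic all
    next
    # Figure 2-15: the specific deny must sit above the general accept;
    # otherwise LocalToInternet matches ping first and Block_Ping never applies
    move 2 before 1
end
```

After the `move`, `show firewall policy` lists Block_Ping before LocalToInternet, which is the order FortiGate evaluates them in.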
