[FortiGate] How to configure a firewall policy (ver. 7.0.x)

Firewall (UTM)

Work environment

  • FortiGate 60E
    • version 7.0.1

Creating an address object

The source and destination addresses are specified when you configure the firewall policy, and they are specified as address objects. Therefore, create the address object in advance.

Select [Policy & Objects > Addresses] and click Create New.

Then select Address.

The following screen will be displayed. Specify each setting item and click OK.

  • Type
    • Subnet, IP Range, FQDN, Geography, Dynamic, or Device (MAC Address)
  • IP/Netmask (when Type is Subnet)
    • x.x.x.x/xx or x.x.x.x x.x.x.x (10.10.10.0/24 or 10.10.10.0 255.255.255.0)
  • Interface
    • The interface behind which the specified address is located.
  • Static route configuration
    • Normally leave it off

Configure firewall policy

Select [Policy & Objects > Firewall Policy] and click Create New.

The following policy setting screen is displayed.

Here, as an example, configure a policy that allows Internet access (web access) from the dmz interface (subnet: 10.10.10.0/24) to the wan1 interface.

Specify the basic settings as follows.

For Source, specify the address object created in advance. For Destination, specify all (that is, the Internet).

For Service, choose the service object that defines the ports allowed to communicate. Here, the Web Access service group that exists by default is specified; it includes DNS, HTTP, and HTTPS.

Leave the Inspection Mode as Flow-based unless you enable Security Profiles.

Specify the NAT settings as follows (this is the default). Adjust the NAT settings to suit the network environment.

Leave the defaults for other setting items. (Change if necessary.)

After specifying each item, click OK at the bottom of the screen.

Confirm that the policy has been added to the policy list screen.

That's all.

Configuring firewall policy in CLI

In the CLI, the firewall policy is configured under config firewall policy.

FTG60E # show firewall policy
config firewall policy
    edit 1
        set name "10.10.10.0_24_to_Internet"
        set uuid aa66a2ec-3b7c-51ec-2060-9786f54d7f39
        set srcintf "dmz"
        set dstintf "wan1"
        set action accept
        set srcaddr "10.10.10.0_24"
        set dstaddr "all"
        set schedule "always"
        set service "Web Access"
        set nat enable
    next
end

FTG60E #
FTG60E # show full-configuration firewall policy
config firewall policy
    edit 1
        set status enable
        set name "10.10.10.0_24_to_Internet"
        set uuid aa66a2ec-3b7c-51ec-2060-9786f54d7f39
        set srcintf "dmz"
        set dstintf "wan1"
        set action accept
        set srcaddr "10.10.10.0_24"
        set dstaddr "all"
        set ztna-status disable
        set internet-service disable
        set internet-service-src disable
        unset reputation-minimum
        set rtp-nat disable
        set schedule "always"
        set schedule-timeout disable
        set service "Web Access"
        set tos-mask 0x00
        set anti-replay enable
        set dynamic-shaping disable
        set passive-wan-health-measurement disable
        set utm-status disable
        set inspection-mode flow
        set profile-protocol-options "default"
        set ssl-ssh-profile "no-inspection"
        set logtraffic utm
        set logtraffic-start disable
        set auto-asic-offload enable
        set np-acceleration enable
        set nat enable
        set permit-any-host disable
        set permit-stun-host disable
        set fixedport disable
        set ippool disable
        set session-ttl 0
        set vlan-cos-fwd 255
        set vlan-cos-rev 255
        set wccp disable
        set disclaimer disable
        set email-collect disable
        set natip 0.0.0.0 0.0.0.0
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set block-notification disable
        set replacemsg-override-group ''
        set srcaddr-negate disable
        set dstaddr-negate disable
        set service-negate disable
        set timeout-send-rst disable
        set captive-portal-exempt disable
        set dsri disable
        set radius-mac-auth-bypass disable
        set delay-tcp-npu-session disable
        unset vlan-filter
        set traffic-shaper ''
        set traffic-shaper-reverse ''
        set per-ip-shaper ''
    next
end
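To review policies like the ones in the show output above without clicking through the GUI, the following added example (not from the original post or from Fortinet) parses a `show firewall policy` dump into a dictionary and flags accept policies that are overly permissive or unlogged. The sample dump is constructed here: policy 1 is the dmz-to-wan1 policy from this page, policy 2 is a hypothetical permissive policy added for contrast.

```python
# Constructed sample: the dmz-to-wan1 policy from this page, plus a second,
# deliberately permissive policy (hypothetical) so the audit has something to flag.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcintf "dmz"
        set dstintf "wan1"
        set action accept
        set srcaddr "10.10.10.0_24"
        set dstaddr "all"
        set service "Web Access"
    next
    edit 2
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set logtraffic disable
    next
end
"""

def parse_policies(text):
    """Parse `show firewall policy` output into {policy_id: {setting: value}}."""
    policies, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("edit "):
            current = int(line.split()[1])
            policies[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            policies[current][key] = value.replace('"', "")  # drop quoting
        elif line == "next":
            current = None
    return policies

def audit_policy(p):
    """Findings for one accept policy; settings absent from `show` are at their defaults."""
    if p.get("action") != "accept":
        return []
    checks = [
        (p.get("srcaddr") == "all" and p.get("dstaddr") == "all", "any-to-any addresses"),
        (p.get("service") == "ALL", "service ALL"),
        (p.get("logtraffic") == "disable", "traffic logging disabled"),
    ]
    return [msg for hit, msg in checks if hit]

def audit_config(text):
    """Audit every policy in a dump; returns {policy_id: [findings]}."""
    return {pid: audit_policy(p) for pid, p in parse_policies(text).items()}
```

Because `show` omits settings at their default values, a policy whose logtraffic line is absent is at the default shown in the full-configuration output above, not disabled.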

References

Policies | Administration Guide
config firewall policy | CLI Reference
config firewall address | CLI Reference
config firewall service custom | CLI Reference
