- FortiGate 60E
- version 7.0.1
Creating an address object
When you configure a firewall policy you specify its source and destination addresses, and those are chosen from address objects, so create the address object first.
Select [Policy & Objects > Addresses], click Create New, and then select Address.
The following screen will be displayed. Specify each setting item and click OK.
- Type: Subnet, IP Range, FQDN, Geography, Dynamic, or Device (MAC Address)
- IP/Netmask (when Type is Subnet): x.x.x.x/xx or x.x.x.x x.x.x.x (for example 10.10.10.0/24 or 10.10.10.0 255.255.255.0)
- Interface: the interface behind which the specified address sits
- Static route configuration: normally leave it off
Configuring a firewall policy
Select [Policy & Objects > Firewall Policy] and click Create New.
The following policy setting screen is displayed.
Here, as an example, configure a policy that allows Internet access (web access) from the dmz interface (subnet 10.10.10.0/24) out through the wan1 interface.
Fill in the basic settings as follows.
For Source, specify the address object created earlier. For Destination, specify all, which here stands for the Internet.
For Service, choose the service object for the ports you want to allow. Here the Web Access group that exists by default is used; it contains DNS, HTTP, and HTTPS.
Leave the Inspection Mode as Flow-based unless you enable Security Profiles.
Specify the NAT settings as follows (these are the defaults); adjust them to match your network environment.
Leave the defaults for other setting items. (Change if necessary.)
After specifying each item, click OK at the bottom of the screen.
Confirm that the policy has been added to the policy list screen.
Configuring the firewall policy in the CLI
In the CLI, the firewall policy lives under config firewall policy. The policy created above looks like this in show firewall policy (only values that differ from the defaults) and in show full-configuration firewall policy (every value):
FTG60E # show firewall policy
config firewall policy
    edit 1
        set name "10.10.10.0_24_to_Internet"
        set uuid aa66a2ec-3b7c-51ec-2060-9786f54d7f39
        set srcintf "dmz"
        set dstintf "wan1"
        set action accept
        set srcaddr "10.10.10.0_24"
        set dstaddr "all"
        set schedule "always"
        set service "Web Access"
        set nat enable
    next
end

FTG60E #
FTG60E # show full-configuration firewall policy
config firewall policy
    edit 1
        set status enable
        set name "10.10.10.0_24_to_Internet"
        set uuid aa66a2ec-3b7c-51ec-2060-9786f54d7f39
        set srcintf "dmz"
        set dstintf "wan1"
        set action accept
        set srcaddr "10.10.10.0_24"
        set dstaddr "all"
        set ztna-status disable
        set internet-service disable
        set internet-service-src disable
        unset reputation-minimum
        set rtp-nat disable
        set schedule "always"
        set schedule-timeout disable
        set service "Web Access"
        set tos-mask 0x00
        set anti-replay enable
        set dynamic-shaping disable
        set passive-wan-health-measurement disable
        set utm-status disable
        set inspection-mode flow
        set profile-protocol-options "default"
        set ssl-ssh-profile "no-inspection"
        set logtraffic utm
        set logtraffic-start disable
        set auto-asic-offload enable
        set np-acceleration enable
        set nat enable
        set permit-any-host disable
        set permit-stun-host disable
        set fixedport disable
        set ippool disable
        set session-ttl 0
        set vlan-cos-fwd 255
        set vlan-cos-rev 255
        set wccp disable
        set disclaimer disable
        set email-collect disable
        set natip 0.0.0.0 0.0.0.0
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set block-notification disable
        set replacemsg-override-group ''
        set srcaddr-negate disable
        set dstaddr-negate disable
        set service-negate disable
        set timeout-send-rst disable
        set captive-portal-exempt disable
        set dsri disable
        set radius-mac-auth-bypass disable
        set delay-tcp-npu-session disable
        unset vlan-filter
        set traffic-shaper ''
        set traffic-shaper-reverse ''
        set per-ip-shaper ''
    next
end
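As an added example (not from the original page or from Fortinet), a small Python script that parses this config firewall policy text and flags accept rules a reviewer would question. The constructed sample reuses the page's policy and adds a second, deliberately loose one; the checks for the built-in ALL service and for logtraffic disable assume those FortiOS values, which are standard but do not appear on this page.

```python
import re
# Constructed sample shaped like `show firewall policy`; policy 2 is deliberately loose.
SAMPLE = """\
config firewall policy
    edit 1
        set name "10.10.10.0_24_to_Internet"
        set action accept
        set srcaddr "10.10.10.0_24"
        set dstaddr "all"
        set service "Web Access"
    next
    edit 2
        set name "lab_any_any"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set logtraffic disable
    next
end
"""

def parse_policies(text: str) -> dict[str, dict[str, str]]:
    """Map policy id -> {key: value}. `show` omits keys left at their
    default; feed `show full-configuration` output to see every key."""
    policies: dict[str, dict[str, str]] = {}
    pid = ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"edit (\d+)", line):
            pid = m.group(1)
            policies[pid] = {}
        elif line.startswith("set ") and pid:
            key, _, value = line[4:].partition(" ")
            policies[pid][key] = value.strip().strip("\"'")
        elif line == "next":
            pid = ""
    return policies

def audit_policy(p: dict[str, str]) -> list[str]:
    """Flag settings a reviewer would question in an accept rule."""
    if p.get("action") != "accept":
        return []
    checks = [
        (p.get("srcaddr") == "all", "source is 'all'"),
        (p.get("dstaddr") == "all" and p.get("service") == "ALL",
         "any destination on the built-in ALL service"),
        (p.get("logtraffic") == "disable", "traffic logging disabled"),
    ]
    return [msg for hit, msg in checks if hit]
```

Run it against show full-configuration firewall policy output rather than show, because show leaves out keys that are still at their defaults.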