Work environment
- FortiGate 60E
- version 7.0.1
Creating an address object
You specify the source and destination addresses when you configure the firewall policy, and those addresses are selected from address objects, so create the address object first.
Select [Policy & Objects > Addresses], click Create New, and then select Address.
The following screen will be displayed. Specify each setting item and click OK.
- Type
  - Subnet, IP Range, FQDN, Geography, Dynamic, or Device (MAC Address)
- IP/Netmask (when Type is Subnet)
  - x.x.x.x/xx or x.x.x.x x.x.x.x (for example 10.10.10.0/24 or 10.10.10.0 255.255.255.0)
- Interface
  - The interface through which the specified address is reached.
- Static route configuration
  - Normally leave this off.
Configure firewall policy
Select [Policy & Objects > Firewall Policy] and click Create New.
The following policy setting screen is displayed.
Here, as an example, configure a policy that allows Internet connection (Web access) from the dmz interface (subnet: 10.10.10.0/24) to the wan1 interface.
Specify the basic setting part as follows.
For Source, specify the address object created in advance. For Destination, specify all (the Internet).
For Service, choose the service object that defines the ports allowed to communicate. Here the default Web Access object is specified. Web Access is a service group that includes DNS, HTTP, and HTTPS.
Leave the Inspection Mode as Flow-based unless you enable Security Profiles.
Specify the NAT settings as follows; these are the defaults. Adjust the NAT settings to suit your network environment.
Leave the other settings at their defaults, changing them only if necessary.
After specifying each item, click OK at the bottom of the screen.
Confirm that the policy has been added to the policy list screen.
That's all.
Configuring firewall policy in CLI
In the CLI, firewall policies are configured under config firewall policy. show firewall policy prints only the non-default settings of the policy created above, while show full-configuration firewall policy prints every setting, including the defaults.
FTG60E # show firewall policy
config firewall policy
    edit 1
        set name "10.10.10.0_24_to_Internet"
        set uuid aa66a2ec-3b7c-51ec-2060-9786f54d7f39
        set srcintf "dmz"
        set dstintf "wan1"
        set action accept
        set srcaddr "10.10.10.0_24"
        set dstaddr "all"
        set schedule "always"
        set service "Web Access"
        set nat enable
    next
end
FTG60E #
FTG60E # show full-configuration firewall policy
config firewall policy
    edit 1
        set status enable
        set name "10.10.10.0_24_to_Internet"
        set uuid aa66a2ec-3b7c-51ec-2060-9786f54d7f39
        set srcintf "dmz"
        set dstintf "wan1"
        set action accept
        set srcaddr "10.10.10.0_24"
        set dstaddr "all"
        set ztna-status disable
        set internet-service disable
        set internet-service-src disable
        unset reputation-minimum
        set rtp-nat disable
        set schedule "always"
        set schedule-timeout disable
        set service "Web Access"
        set tos-mask 0x00
        set anti-replay enable
        set dynamic-shaping disable
        set passive-wan-health-measurement disable
        set utm-status disable
        set inspection-mode flow
        set profile-protocol-options "default"
        set ssl-ssh-profile "no-inspection"
        set logtraffic utm
        set logtraffic-start disable
        set auto-asic-offload enable
        set np-acceleration enable
        set nat enable
        set permit-any-host disable
        set permit-stun-host disable
        set fixedport disable
        set ippool disable
        set session-ttl 0
        set vlan-cos-fwd 255
        set vlan-cos-rev 255
        set wccp disable
        set disclaimer disable
        set email-collect disable
        set natip 0.0.0.0 0.0.0.0
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set block-notification disable
        set replacemsg-override-group ''
        set srcaddr-negate disable
        set dstaddr-negate disable
        set service-negate disable
        set timeout-send-rst disable
        set captive-portal-exempt disable
        set dsri disable
        set radius-mac-auth-bypass disable
        set delay-tcp-npu-session disable
        unset vlan-filter
        set traffic-shaper ''
        set traffic-shaper-reverse ''
        set per-ip-shaper ''
    next
end
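The CLI output above is also useful for review: once policies are visible as text, it is straightforward to check them for the scope and logging choices made in the GUI steps (Source, Destination, Service, logging). The following script is an added example, not part of the original page or of FortiOS; it parses the config / edit / set / next / end structure of show firewall policy output and flags accept policies that are broader than the one built here. The sample input is constructed: policy 1 is the page's own output, and policy 2 (any interface, all to all, service ALL, logging off) is invented to show what a finding looks like. Because show prints only non-default values, the checks treat an absent key as the FortiOS default (action deny, logtraffic utm).

```python
import re

# Constructed sample input: policy 1 is the page's "show firewall policy" output;
# policy 2 is an invented, deliberately permissive policy used to exercise the checks.
SAMPLE_SHOW_OUTPUT = """\
config firewall policy
    edit 1
        set name "10.10.10.0_24_to_Internet"
        set uuid aa66a2ec-3b7c-51ec-2060-9786f54d7f39
        set srcintf "dmz"
        set dstintf "wan1"
        set action accept
        set srcaddr "10.10.10.0_24"
        set dstaddr "all"
        set schedule "always"
        set service "Web Access"
        set nat enable
    next
    edit 2
        set name "any_any_example"
        set srcintf "any"
        set dstintf "any"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
end
"""

# Tokens are either a quoted name (quotes of either kind) or a run of non-space characters.
_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')


def _tokens(line):
    """Split one FortiOS CLI line into tokens, stripping quotes from quoted names."""
    return [t[1:-1] if t[0] in "\"'" else t for t in _TOKEN.findall(line)]


def parse_policies(text):
    """Parse 'show firewall policy' output into {policy_id: {setting: [values]}}.

    Multi-valued settings (e.g. several srcaddr objects) keep every value in order.
    'unset' removes a setting; 'next' closes the current edit block.
    """
    policies = {}
    current = None
    for raw in text.splitlines():
        toks = _tokens(raw.strip())
        if not toks:
            continue
        if toks[0] == "edit" and len(toks) > 1:
            current = {}
            policies[toks[1]] = current
        elif toks[0] == "set" and current is not None and len(toks) > 1:
            current[toks[1]] = toks[2:]
        elif toks[0] == "unset" and current is not None and len(toks) > 1:
            current.pop(toks[1], None)
        elif toks[0] == "next":
            current = None
    return policies


def audit_policy(policy):
    """Return a list of findings for one policy; an empty list means nothing was flagged.

    Absent keys are taken as the FortiOS defaults that 'show' omits (action deny, logtraffic utm).
    Deny policies are not examined, since scope only matters for traffic that is allowed.
    """
    findings = []
    if policy.get("action", ["deny"]) != ["accept"]:
        return findings
    if policy.get("srcaddr") == ["all"] and policy.get("dstaddr") == ["all"]:
        findings.append("srcaddr and dstaddr are both 'all'")
    if "ALL" in policy.get("service", []):
        findings.append("service ALL permits every port and protocol")
    if "any" in policy.get("srcintf", []) or "any" in policy.get("dstintf", []):
        findings.append("interface 'any' removes the interface-pair restriction")
    if policy.get("logtraffic") == ["disable"]:
        findings.append("logtraffic disabled: no session records for incident response")
    return findings


def audit_all(text):
    """Parse the output and return {policy_id: [findings]} for every policy."""
    return {pid: audit_policy(p) for pid, p in parse_policies(text).items()}


if __name__ == "__main__":
    for pid, findings in audit_all(SAMPLE_SHOW_OUTPUT).items():
        print(f"policy {pid}: {'ok' if not findings else '; '.join(findings)}")
```

Running the script on a real device simply means pasting the text of show firewall policy into the input; the page's policy 1 produces no findings, while the constructed policy 2 is reported on all four checks. The thresholds are deliberately conservative: dstaddr all on its own is normal for an Internet-bound policy like the one in this article and is not flagged.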