Creating security policies


This example shows how to create and order multiple security policies in the policy table, in order to apply the appropriate policy to various types of network traffic.

In the example, three IPv4 policies will be configured. PolicyA will be a general policy allowing Internet access to the LAN. PolicyB will allow Internet access while applying web filtering for specific mobile devices connecting through the LAN. PolicyC will allow the system administrator’s PC (named SysAdminPC) to have full access.

A fourth policy, the implicit default "deny" policy at the bottom of the table, will also be used: any traffic that matches none of the three configured policies falls through to it and is dropped.

1. Configuring PolicyA to allow general web access

Go to Policy & Objects > Policy > IPv4 and edit the policy allowing outgoing traffic.

Set Service to HTTP, HTTPS, and DNS.

Ensure that you have enabled NAT.

Scroll down to view the Logging Options. In order to view the results later, enable Log Allowed Traffic and select All Sessions.

2. Creating PolicyB to allow access for mobile devices

Go to Policy & Objects > Policy > IPv4 and create a new policy.

Set Incoming Interface to lan, Source Device Type to Mobile Devices (a default device group that includes tablets and mobile phones), Outgoing Interface to your Internet-facing interface, and Service to HTTP, HTTPS, and DNS.

Enable NAT.

Under Security Profiles, enable Web Filter and set it to use the default profile. This action will enable Proxy Options and SSL Inspection. Use the default profile for Proxy Options and set SSL Inspection to certificate-inspection to allow HTTPS traffic to be inspected. Note that certificate inspection does not decrypt the session: the FortiGate only reads the server certificate (and SNI) to identify the site, so HTTPS web filtering is limited to the hostname and cannot see URLs or content inside the TLS stream.

Scroll down to view the Logging Options. In order to view the results later, enable Log Allowed Traffic and select All Sessions.

3. Defining SysAdminPC

Go to User & Device > Device > Device Definitions and create a new definition for the system administrator’s PC.

Select an appropriate Alias, then set the MAC Address. Set the appropriate Device Type. Keep in mind that this definition identifies the PC by its MAC address, which any host on the LAN can spoof; it is identification, not authentication, so the "full access" policy based on it should be treated accordingly.

4. Configuring PolicyC to allow access for SysAdminPC

Go to Policy & Objects > Policy > IPv4 and create a new policy.

Set Incoming Interface to lan, Source Device Type to SysAdminPC, Outgoing Interface to your Internet-facing interface, and Service to ALL.

Enable NAT.

Scroll down to view the Logging Options. In order to view the results later, enable Log Allowed Traffic and select All Sessions.

5. Ordering the policy table

Go to Policy & Objects > Policy > IPv4 to view the policy table. Currently, the policies are arranged in the order they were created: PolicyA is at the top, followed by PolicyB, PolicyC, and the default deny policy.

The FortiGate evaluates the policy table from top to bottom and applies the first policy that matches the traffic. With PolicyA at the top, traffic from SysAdminPC and from mobile devices already matches PolicyA and never reaches PolicyB or PolicyC. In order to have the correct traffic flowing through each policy, the more specific policies must be located at the top: PolicyC (SysAdminPC) first, then PolicyB (Mobile Devices), then the general PolicyA, with the implicit deny policy last.

To rearrange the policies, select the column on the far left (in the example, Seq.#) and drag the policy to the desired position.
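The same configuration from steps 1 to 5, written as a FortiOS 5.2 CLI session, is shown below. This is an added example and not part of the original recipe. It assumes the Internet-facing interface is named wan1, uses a placeholder MAC address for SysAdminPC, and assumes "Mobile Devices" is the CLI name of the default device group the GUI shows; the CLI keywords are given as used in FortiOS 5.2 and should be checked with `?` on your own unit before applying.

```fortios
# Added example (not from the original recipe): FortiOS 5.2 CLI equivalent
# of steps 1 to 5. Assumptions: "wan1" is the Internet-facing interface,
# 00:11:22:33:44:55 is a placeholder MAC, and "Mobile Devices" is the CLI
# name of the default device group. Verify each on your unit.

# Step 3: define the administrator's PC by MAC address. This is device
# identification, not authentication: a LAN host presenting this MAC
# will match PolicyC.
config user device
    edit "SysAdminPC"
        set mac 00:11:22:33:44:55
        set type windows-pc
    next
end

config firewall policy
    # Step 1: PolicyA, the existing outgoing policy (ID 1), limited to
    # web and DNS, with NAT and logging of all sessions.
    edit 1
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
        set logtraffic all
    next
    # Step 2: PolicyB, mobile devices only, web filtering with
    # certificate inspection (no TLS decryption).
    edit 2
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set devices "Mobile Devices"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
        set utm-status enable
        set webfilter-profile "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
    # Step 4: PolicyC, full access for SysAdminPC.
    edit 3
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set devices "SysAdminPC"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    # Step 5: the table is matched top to bottom, so put the most
    # specific policy first. Starting order 1,2,3 becomes 3,2,1.
    # The implicit deny policy stays last and needs no configuration.
    move 3 before 1
    move 2 before 1
end
```

After applying it, `show firewall policy` lists the policies in evaluation order, so you can confirm that ID 3 (PolicyC) now appears first and ID 1 (PolicyA) last. Using a device group or device in a policy is what turns on device identification on the lan interface, as the GUI does automatically.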

6. Results

Browse the Internet using the system administrator’s PC, a different PC, and a mobile device. 

Go to Log & Report > Traffic Log > Forward Traffic.

You can see that traffic from the three devices flows through different policies. In the example, SysAdminPC (IP 10.10.11.10), a Windows PC (IP 10.10.11.14), and an iPad (IP 10.10.11.13) were used to generate traffic.

(Optional) Attempt a connection on a service other than HTTP, HTTPS, or DNS (for example, SSH to a server) with all three devices. Only the system administrator's PC will be able to connect, because PolicyC is the only policy whose Service is set to ALL; HTTPS itself is allowed by all three policies and will not show a difference.

For further reading, check out Firewall policies in the FortiOS 5.2 Handbook.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Notes

  • Step 2: In this example, a wireless network has already been configured that is in the same subnet as the wired LAN. For information about this configuration, see Adding a wireless bridge with a FortiAP.
  • Step 2: Using a device group will automatically enable device identification on the lan interface.
  • Step 5: In the example, the policy table has been set to show only the columns that best display the differences between the policies. To do this, right-click on the top of the table, select or deselect columns as necessary, then select Apply.
  • Step 5: Policy ID is automatically assigned to a policy when it is created, and so, in the example, the ID for PolicyA is 1, PolicyB is 2, and PolicyC is 3.
  • roman mohiuddin

    I'm using a FortiGate 100D firewall.
    I want to put a policy to stop Internet connections for a range of IPs, example: 10.78.2.0/255.
    How can I make the policy?