This example shows how to create and order multiple security policies in the policy table, in order to apply the appropriate policy to various types of network traffic.
In the example, three IPv4 policies will be configured. PolicyA will be a general policy allowing Internet access to the LAN. PolicyB will allow Internet access while applying web filtering for specific mobile devices connecting through the LAN. PolicyC will allow the system administrator’s PC (named SysAdminPC) to have full access.
A fourth policy, the default “deny” policy, will also be used.
1. Configuring PolicyA to allow general web access

Go to Policy & Objects > Policy > IPv4 and edit the policy allowing outgoing traffic. Set Service to HTTP, HTTPS, and DNS. Ensure that you have enabled NAT.

Scroll down to view the Logging Options. In order to view the results later, enable Log Allowed Traffic and select All Sessions.
2. Creating PolicyB to allow access for mobile devices

Go to Policy & Objects > Policy > IPv4 and create a new policy. Set Incoming Interface to lan, Source Device Type to Mobile Devices (a default device group that includes tablets and mobile phones), Outgoing Interface to your Internet-facing interface, and Service to HTTP, HTTPS, and DNS. Enable NAT. Under Security Profiles, enable Web Filter and set it to use the default profile. This also enables Proxy Options and SSL Inspection. Use the default profile for Proxy Options and set SSL Inspection to certificate-inspection. Note that certificate inspection does not decrypt HTTPS sessions: the web filter can only act on the hostname presented in the server certificate or SNI, so category-based filtering works for HTTPS but URL-level filtering of encrypted pages does not. Full deep inspection would require installing the FortiGate CA certificate on the mobile devices.

Scroll down to view the Logging Options. In order to view the results later, enable Log Allowed Traffic and select All Sessions.
3. Defining SysAdminPC

Go to User & Device > Device > Device Definitions and create a new definition for the system administrator’s PC. Select an appropriate Alias, then set the MAC Address. Set the appropriate Device Type. Device definitions are matched on the source MAC address, so device identification must be enabled on the lan interface. Keep in mind that a MAC address is an identifier, not a credential: any host on the LAN that spoofs this MAC will be matched as SysAdminPC and receive the unrestricted access granted by PolicyC. Restrict that policy further (for example, by source address or user authentication) if this is a concern.
4. Configuring PolicyC to allow access for SysAdminPC

Go to Policy & Objects > Policy > IPv4 and create a new policy. Set Incoming Interface to lan, Source Device Type to SysAdminPC, Outgoing Interface to your Internet-facing interface, and Service to ALL. Enable NAT.

Scroll down to view the Logging Options. In order to view the results later, enable Log Allowed Traffic and select All Sessions.
5. Ordering the policy table

Go to Policy & Objects > Policy > IPv4 to view the policy table. Currently, the policies are arranged in the order they were created: PolicyA is at the top, followed by PolicyB, PolicyC, and the default deny policy. The FortiGate evaluates the table from the top down and applies the first policy that matches a session. In the current order PolicyA, which matches any LAN device using HTTP, HTTPS, or DNS, would capture the web traffic of the mobile devices and of SysAdminPC before PolicyB or PolicyC is consulted: the mobile devices would browse without web filtering, and PolicyC would only be reached for services that PolicyA does not allow. The more specific policies must therefore be placed above the general one: PolicyC, then PolicyB, then PolicyA, with the default deny policy remaining at the bottom.

To rearrange the policies, select the column on the far left (in the example, Seq.#) and drag the policy to the desired position.
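Why the order matters can be checked with a small model of the FortiGate's first-match evaluation. The following Python script is an added example written for this recipe; it is not FortiOS code and not part of the original cookbook. It uses the recipe's policy, interface, device and service names (wan1 is assumed as the Internet-facing interface), the device labels stand for the result of the FortiGate's device identification, and the sessions at the bottom are constructed samples. It also goes slightly beyond the recipe by reporting which policies are fully or partially shadowed by policies above them.

```python
"""First-match model of the recipe's IPv4 policy table.

Added example: not FortiOS code and not part of the original recipe.
Device labels stand in for what the FortiGate's device identification
resolves a source to; an empty device or service set means "no
restriction" (Source Device Type unset, or Service ALL). wan1 is an
assumed name for the Internet-facing interface.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str
    dstintf: str
    devices: FrozenSet[str] = ANY    # Source Device Type; empty = any device
    services: FrozenSet[str] = ANY   # Service; empty = ALL
    webfilter: bool = False          # Security Profiles > Web Filter


@dataclass(frozen=True)
class Flow:
    srcintf: str
    dstintf: str
    device: str
    service: str


def matches(p: Policy, f: Flow) -> bool:
    """A policy matches when every configured attribute matches the session."""
    return (p.srcintf == f.srcintf and p.dstintf == f.dstintf
            and (not p.devices or f.device in p.devices)
            and (not p.services or f.service in p.services))


def lookup(table: List[Policy], f: Flow) -> Optional[Policy]:
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for p in table:
        if matches(p, f):
            return p
    return None


def policy_name(table: List[Policy], f: Flow) -> str:
    p = lookup(table, f)
    return p.name if p else "implicit deny"


def _overlap(a: FrozenSet[str], b: FrozenSet[str]) -> bool:
    return not a or not b or bool(a & b)


def _covers(a: FrozenSet[str], b: FrozenSet[str]) -> bool:
    """Does attribute set a accept everything attribute set b accepts?"""
    return not a or (bool(b) and b <= a)


def shadowing(table: List[Policy]) -> List[Tuple[str, str, str]]:
    """Report (later, earlier, kind) for every earlier policy that takes
    traffic away from a later one: 'full' means the later policy can never
    be hit, 'partial' means the two overlap for some sessions."""
    report = []
    for i, later in enumerate(table):
        for earlier in table[:i]:
            same_path = (earlier.srcintf == later.srcintf
                         and earlier.dstintf == later.dstintf)
            if not same_path or not (_overlap(earlier.devices, later.devices)
                                     and _overlap(earlier.services, later.services)):
                continue
            full = (_covers(earlier.devices, later.devices)
                    and _covers(earlier.services, later.services))
            report.append((later.name, earlier.name, "full" if full else "partial"))
    return report


WEB = frozenset({"HTTP", "HTTPS", "DNS"})
POLICY_A = Policy("PolicyA", "lan", "wan1", services=WEB)
POLICY_B = Policy("PolicyB", "lan", "wan1", devices=frozenset({"Mobile Devices"}),
                  services=WEB, webfilter=True)
POLICY_C = Policy("PolicyC", "lan", "wan1", devices=frozenset({"SysAdminPC"}))

CREATED_ORDER = [POLICY_A, POLICY_B, POLICY_C]   # order of creation, steps 1 to 4
CORRECT_ORDER = [POLICY_C, POLICY_B, POLICY_A]   # most specific first, step 5

# Constructed sample sessions, all LAN to Internet.
IPAD_HTTPS = Flow("lan", "wan1", "Mobile Devices", "HTTPS")
SYSADMIN_HTTPS = Flow("lan", "wan1", "SysAdminPC", "HTTPS")
SYSADMIN_SSH = Flow("lan", "wan1", "SysAdminPC", "SSH")
PC_HTTPS = Flow("lan", "wan1", "Windows PC", "HTTPS")
PC_SSH = Flow("lan", "wan1", "Windows PC", "SSH")
SAMPLE_FLOWS = [IPAD_HTTPS, SYSADMIN_HTTPS, SYSADMIN_SSH, PC_HTTPS, PC_SSH]

if __name__ == "__main__":
    for label, table in (("created order", CREATED_ORDER), ("correct order", CORRECT_ORDER)):
        print(f"== {label} ==")
        for f in SAMPLE_FLOWS:
            print(f"  {f.device:14} {f.service:5} -> {policy_name(table, f)}")
        for later, earlier, kind in shadowing(table):
            print(f"  {later}: {kind} shadow by {earlier}")
```

In the created order the iPad's HTTPS session lands on PolicyA, which has no web filter, and PolicyB is reported as fully shadowed; after reordering, each device hits its intended policy and the only remaining overlaps are the intended partial ones, where a specific policy above the general one takes its own traffic first.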
6. Results

Browse the Internet using the system administrator’s PC, a different PC, and a mobile device.

Go to Log & Report > Traffic Log > Forward Traffic. You can see that traffic from the three devices flows through different policies. In the example, the SysAdmin PC (IP 10.10.11.10), a Windows PC (IP 10.10.11.14), and an iPad (IP 10.10.11.13) were used to generate traffic.

(Optional) Attempt a connection that uses a service other than HTTP, HTTPS, or DNS (for example, SSH) from all three devices. Only the system administrator’s PC will be able to connect, because PolicyC is the only policy with Service set to ALL; the other two devices fall through to the default deny policy. An HTTPS (SSL) connection to a web server is not a useful test here, since all three policies allow HTTPS.
For further reading, check out Firewall policies in the FortiOS 5.2 Handbook.
Victoria Martin