RADIUS SSO example

The following service groups need to be configured before the security policies. The services listed are suggestions; the actual membership of each group may be larger or smaller as required.

Service Group Name           Interface   Description of services to be included
essential_network_services   internal    Any network protocols required for normal network operation, such as DNS, NTP, and BGP.
essential_server_services    dmz         All the protocols required by the company servers, such as BGP, HTTP, HTTPS, FTP, IMAP, POP3, SMTP, IKE, SQL, MYSQL, NTP, TRACEROUTE, SOCKs, and SNMP.
user_services                internal    Any protocols required by users, such as HTTP and FTP.

The following security policy configurations are basic: they only enable logging and the default AntiVirus and IPS profiles.

Configuring regular security policies

Regular security policies allow or deny access for non-RADIUS SSO traffic. They are essential because network services such as DNS, NTP, and FortiGuard require access to the Internet whether or not a user has been identified by RSSO.

To configure regular security policies – web-based manager:

1. Go to Policy & Objects > Policy > IPv4, and select Create New.

2. Enter the following information, and select OK.

Incoming Interface     Internal
Source Address         internal_network
Outgoing Interface     wan1
Destination Address    all
Schedule               always
Service                essential_network_services
Action                 ACCEPT
NAT                    ON
Security Profiles      ON: AntiVirus, IPS
Log Allowed Traffic    ON
Comments               Essential network services

3. Select Create New, enter the following information, and select OK.

Incoming Interface     dmz
Source Address         company_servers
Outgoing Interface     wan1
Destination Address    all
Schedule               always
Service                essential_server_services
Action                 ACCEPT
NAT                    ON
Security Profiles      ON: AntiVirus, IPS
Log Allowed Traffic    ON
Comments               Company servers accessing the Internet

4. Select Create New, enter the following information, and select OK.

Incoming Interface     Internal
Source Address         internal_network
Outgoing Interface     dmz
Destination Address    company_servers
Schedule               always
Service                all
Action                 ACCEPT
NAT                    ON
Security Profiles      ON: AntiVirus, IPS
Log Allowed Traffic    ON
Comments               Access company servers

Configuring RADIUS SSO security policy

The RADIUS SSO policy allows access for members of specific RADIUS groups.


To configure RADIUS SSO security policy:

1. Go to Policy & Objects > Policy > IPv4.

2. Select Create New.

3. Enter the following information:

Incoming Interface     Internal
Source Address         internal_network
Source User(s)         Select the user groups you created for RSSO.
Outgoing Interface     wan1
Destination Address    all
Schedule               business_hours
Service                ALL
Action                 ACCEPT
NAT                    ON
Security Profiles      ON: AntiVirus, WebFilter, IPS, and Email Filter. In each case, select the default profile.

4. Select OK.

5. To ensure that an RSSO-related policy is matched first, place it higher in the security policy list than more general policies for the same interfaces.

6. Select OK.
