Policy configuration – FortiOS 6

IPv4 policy

To configure an IPv4 policy in the GUI

  1. Go to Policy & Objects > IPv4 Policy

The right side window will display a table of the existing IPv4 Policies.

  • To edit an existing policy, double click on the policy you wish to edit.
  • To create a new policy, select the Create New icon in the top left side of the right window.

  2. Make sure the policy has a name in the Name field.

By default, a policy is required to have a name, but it is possible to toggle this requirement on or off in the CLI, or in the GUI if you have first enabled the GUI option in the CLI.

  3. Set the Incoming Interface parameter by selecting the field with the “+” next to the field label. Selecting the field will slide out a window from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select the any option. Choosing the any option will remove any other interfaces. For more information on interfaces, check the Concepts section called Interfaces and Zones.
  4. Set the Outgoing Interface parameter by selecting the field with the “+” next to the field label. (The same rules apply as with the above step.)

Multiple interfaces or ANY interface can be added to a firewall policy. This feature can be enabled or disabled in the GUI by going to the System > Feature Select page and toggling Multiple Interface Policies.

When selecting the Incoming or Outgoing interface of a policy, there are a few choices:

  • The ANY interface (choosing this will remove all other interfaces)
  • A single specific interface
  • Multiple specific interfaces (can be added at the same time or one at a time)

The GUI is intuitive and straightforward on how to do this. Click on the “+” symbol in the interface field and then select the desired interfaces from the side menu. There are a couple of ways to do it in the CLI:

  1. Set the interfaces all at once:

     config firewall policy
         edit 0
             set srcintf wan1 wan2
         end

  2. Set the first interface and append additional ones:

     config firewall policy
         edit 0
             set srcintf wan1
             append srcintf wan2
         end

  5. Set the Source parameter by selecting the field with the “+” next to the field label. The source in this case is either the source address, source user or source device of the initiating traffic. When the field is selected a window will slide out from the right. Tabs indicating Address, User or Device options are there to help categorize the options, along with the option to search. In order to be able to select one of these options it needs to be configured as a firewall object beforehand. The “+” icon next to the Search field is a shortcut for creating a new firewall object based on the tab that is currently selected. For the Address and Device tabs, single or multiple options can be selected unless the all option is chosen, in which case it will be the only option.
  6. Set the Destination Address parameter by selecting the field with the “+” next to the field label. This field is similar to the Source field, but address objects are the only available options to select. Single or multiple options can be selected unless the all option is chosen, in which case it will be the only option. For more information on addresses, check the Firewall Objects section called Addresses.
  7. Set the Schedule parameter by using the drop down menu to select a preconfigured schedule. The “+” icon next to the Search field is a shortcut for creating a new schedule object. For more information on schedules, check the Firewall Objects section called Firewall schedules.
  8. Set the Service parameter by selecting the field with the “+” next to the field label. (The same mechanics for selection apply as with the other similar fields in this window.) Single or multiple options can be selected unless the ALL option is chosen, in which case it will be the only option. For more information on services, check the Firewall Objects section called Services and TCP ports.
  9. Set the Action parameter. Select one of the following options for the action:
  • ACCEPT – lets the traffic through to the next phase of analysis
  • DENY – drops the session
  • LEARN – collects information about the traffic for future analysis
  • IPsec – for use with IPsec tunnels

Because the choice of Action determines the settings and options below this parameter in the window, the rest of the steps are associated with a specific Action.

Settings if the ACCEPT action is selected.

Firewall / Network Options

  1. Set the NAT parameter by toggling the slider button (gray means it is disabled). The NAT setting section is affected by whether or not Central NAT is enabled.

If Central NAT is enabled, the only option in Firewall / Network options will be whether to enable or disable NAT. The rest of the NAT parameters will be set in the Central SNAT page.

If Central NAT is disabled, there are two additional settings in the Policy configuration page.

  1. Set the Fixed Port parameter by toggling the slider button (gray means it is disabled).
  2. Set the IP Pool Configuration by selecting one of the following options:
    • Use Outgoing Interface Address
    • Use Dynamic IP Pool

If the Use Dynamic IP Pool option is selected, an additional field will appear with the “+” icon. Selecting this field will slide out a window from the right where a preexisting IP Pool can be chosen. One or more IP Pools can be chosen, and the “+” icon next to the Search field is a shortcut for creating a new IP Pool.

Security Profiles

  1. Enabling the Use Security Profile Group option will allow the selection of a profile group instead of selecting the individual profiles for the policy.
  2. Disable or enable the various Security Profiles. Once a Profile has been toggled into the enabled mode a drop down menu will appear for the purpose of choosing a specific profile. Only one profile can be chosen for each profile type. The “+” icon next to the Search field in the drop down menu is a shortcut for creating a new profile. The list of Security Profiles available to set includes:
    • AntiVirus
    • Web Filter
    • DNS Filter
    • Application Control
    • CASI
    • IPS
    • Anti-Spam
    • DLP Sensor
    • VoIP
    • ICAP
    • Web Application Firewall
    • Proxy Options
    • SSL/SSH Inspection


Logging Options

  1. Set the Log Allowed Traffic parameter by toggling the slider button (gray means it is disabled).

If the Log Allowed Traffic setting is enabled, choose whether to log just Security Events or All Sessions and determine whether or not to keep a record of the packets by toggling the Capture Packets setting on or off.

  2. Add a comment to give a detailed description of the policy in the Comments field (up to 1023 characters).
  3. Toggle whether or not to Enable this policy. The default is enabled.
  4. Select the OK button to save the policy.

Settings if the DENY action is selected

Enable the Log Violation Traffic setting by toggling the slider button.

  1. Add a comment to give a detailed description of the policy in the Comments field (up to 1023 characters).
  2. Toggle whether or not to Enable this policy. The default is enabled.
  3. Select the OK button to save the policy.
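The ACCEPT and DENY procedures above map one-to-one onto firewall policy attributes in the CLI. The following is an added example, not code from the page or from Fortinet, that builds one ACCEPT policy with NAT, a dynamic IP pool, security profiles and full logging, followed by an explicit DENY policy with Log Violation Traffic enabled. The interface names (internal, wan1), address object (internal-hosts), IP pool (snat-pool-1) and policy names are assumed placeholders; the profile names used are the built-in defaults.

```fortios
# Added example, not from the page or from Fortinet: the CLI equivalent of the
# GUI steps above for one ACCEPT policy and one DENY policy. Interface, address,
# IP pool and policy names below are assumed placeholders; use the objects that
# already exist on the unit. "edit 0" creates a new policy with the next free ID
# at the bottom of the policy list.
config firewall policy
    # Policy 1: ACCEPT internal hosts out to HTTPS with source NAT from a
    # dynamic IP pool (Central NAT disabled), UTM enabled, All Sessions logged.
    edit 0
        # Name, Incoming/Outgoing Interface, Source, Destination, Schedule, Service
        set name "internal-to-wan-https"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "internal-hosts"
        set dstaddr "all"
        set schedule "always"
        set service "HTTPS"
        set action accept
        # Firewall / Network Options: NAT slider, Fixed Port slider,
        # IP Pool Configuration = Use Dynamic IP Pool
        set nat enable
        set fixedport enable
        set ippool enable
        set poolname "snat-pool-1"
        # Security Profiles: utm-status turns inspection on; one profile per type
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "default"
        set application-list "default"
        set ips-sensor "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        # Logging Options: "all" = All Sessions, "utm" = Security Events only;
        # capture-packet is the Capture Packets slider
        set logtraffic all
        set capture-packet enable
        # Comments (up to 1023 characters) and Enable this policy
        set comments "Outbound HTTPS from internal-hosts with SNAT and UTM"
        set status enable
    next
    # Policy 2: explicit DENY for the rest of internal-to-wan1 traffic with
    # Log Violation Traffic on, so blocked sessions show up in the traffic log
    # rather than disappearing into the implicit deny. Policies are matched
    # top-down, so this entry must stay below policy 1.
    edit 0
        set name "internal-to-wan-deny"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set action deny
        set logtraffic all
        set comments "Catch-all deny; review its hits before widening policy 1"
        set status enable
    next
end
```

After saving, "show firewall policy" prints the policies as stored on the unit, which is a quick way to confirm that each GUI slider ended up as the intended attribute value, and the explicit deny with logging gives the log data needed to tighten or widen policy 1 based on what is actually being dropped.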

Settings if the LEARN action is selected

To get more information on the LEARN option, read the Learning mode for Firewall policies topic in What’s new for Firewall in 6.0.

Firewall / Network Options

  1. Set the NAT parameter by toggling the slider button (gray means it is disabled). Unlike the ACCEPT option, whether Central NAT is enabled or disabled does not affect this setting's options.
  2. Add a comment to give a detailed description of the policy in the Comments field (up to 1023 characters).
  3. Toggle whether or not to Enable this policy. The default is enabled.
  4. Select the OK button to save the policy.

Settings if the IPsec action is selected

VPN Tunnel

  1. For the VPN Tunnel field, use the drop down menu to select the VPN tunnel that you want the policy associated with.
  2. Toggle the sliding button to enable or disable the option to Allow traffic to be initiated from the remote site.

Security Profiles

  3. Disable or enable the various Security Profiles. Once a Profile has been toggled into the enabled mode a drop down menu will appear for the purpose of choosing a specific profile. Only one profile can be chosen for each profile type. The “+” icon next to the Search field in the drop down menu is a shortcut for creating a new profile. The list of Security Profiles available to set includes:
    • AntiVirus
    • Web Filter
    • DNS Filter
    • Application Control
    • CASI
    • IPS
    • Anti-Spam
    • DLP Sensor
    • VoIP
    • ICAP
    • Web Application Firewall
    • Proxy Options
    • SSL/SSH Inspection

Logging Options

  4. Set the Log Allowed Traffic parameter by toggling the slider button (gray means it is disabled).

If the Log Allowed Traffic setting is enabled, choose whether to log just Security Events or All Sessions and determine whether or not to keep a record of the packets by toggling the Capture Packets setting on or off.

  5. Add a comment to give a detailed description of the policy in the Comments field (up to 1023 characters).
  6. Toggle whether or not to Enable this policy. The default is enabled.
  7. Select the OK button to save the policy.

ISDB and IRDB in firewall policies

The Internet Service Database (ISDB) and the IP Reputation Database (IRDB) provide similar functionality, so for ease of use, appear together in the GUI.

Use the contents of either or both databases as criteria for inclusion in or exclusion from a firewall policy.

Defining ISDB or IRDB objects as parameters within a policy is done in the CLI.

CLI Syntax

config firewall policy
    edit <ID #>
        set internet-service-src {enable|disable}
        set internet-service-src-id <ID #>
        set internet-service-src-custom <name>
        set internet-service-src-negate {enable|disable}
    end

CLI options

Option                        Description

internet-service-src          Enables or disables the use of Internet Services source for this policy. If enabled, destination address and service are not used.

internet-service-src-id       Internet Service ID. Examples:
                                • 65536 Google-Others
                                • 65537 Google-Web

internet-service-src-custom   Custom Internet Service name. This custom name must already be configured.

internet-service-src-negate   Enables or disables the use of Internet Services in source for this policy. If enabled, internet-service-src specifies what the service must NOT be.
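The options in the table above, applied to three policies, as an added example that is not from the page or from Fortinet. The interface names (wan1, dmz), address objects (dmz-web, dmz-jump), policy names and the custom Internet Service "partner-ranges" are assumed placeholders; as the table notes, a custom service must already be configured before a policy can reference it. The IDs 65536 (Google-Others) and 65537 (Google-Web) are the example IDs listed in the table.

```fortios
# Added example, not from the page or from Fortinet: the internet-service-src
# options from the table above used in three policies. Interface, address and
# policy names and the custom service "partner-ranges" are assumed placeholders;
# the custom service must already exist on the unit. 65536 (Google-Others) and
# 65537 (Google-Web) are the example IDs from the table.
config firewall policy
    # Policy 1: accept HTTPS to the DMZ web server only when the source matches
    # one of the two Google Internet Service entries. With internet-service-src
    # enabled, the source is taken from the database instead of srcaddr.
    edit 0
        set name "dmz-web-from-google"
        set srcintf "wan1"
        set dstintf "dmz"
        set internet-service-src enable
        set internet-service-src-id 65536 65537
        set dstaddr "dmz-web"
        set schedule "always"
        set service "HTTPS"
        set action accept
        set logtraffic all
    next
    # Policy 2: accept SSH to the DMZ jump host when the source is in the
    # pre-configured custom Internet Service "partner-ranges".
    edit 0
        set name "dmz-ssh-from-partners"
        set srcintf "wan1"
        set dstintf "dmz"
        set internet-service-src enable
        set internet-service-src-custom "partner-ranges"
        set dstaddr "dmz-jump"
        set schedule "always"
        set service "SSH"
        set action accept
        set logtraffic all
    next
    # Policy 3: negate inverts the match, so this entry applies to sources that
    # are NOT in "partner-ranges". It denies and logs their SSH attempts, which
    # leaves a visible record instead of a silent implicit-deny drop.
    edit 0
        set name "dmz-ssh-not-partners-deny"
        set srcintf "wan1"
        set dstintf "dmz"
        set internet-service-src enable
        set internet-service-src-custom "partner-ranges"
        set internet-service-src-negate enable
        set dstaddr "dmz-jump"
        set schedule "always"
        set service "SSH"
        set action deny
        set logtraffic all
    next
end
```

Policy order matters: policy 2 has to sit above policy 3, because once the negated entry matches a non-partner source the session is dropped and later policies are never consulted. Since "edit 0" appends each new policy at the bottom, entering them in this order produces the intended sequence.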

This entry was posted in Administration Guides, FortiGate, FortiOS 6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
