Technical Tip: Example of using Firewall Policy feature on FortiADC
Description
This article provides examples of how the Firewall Policy feature can be used on the FortiADC.
Scope
FortiADC.
Solution
The Firewall Policy feature on the FortiADC is only used when the ADC acts as a router.
Diagram:
physical_server == (port2)FortiADC(port1) == Internet
GUI Configuration:
The Firewall Policy configuration can be found in the GUI under Network Security -> Firewall Policy.
For example, in the above scenario (see diagram), when physical_server has its default gateway set to the FortiADC, access to some server(s) and/or service(s) can be limited by creating a Firewall rule.
Or access can be allowed only to some server(s) and/or service(s) when the Default Action is set to Deny.
CLI Configuration:
The same can be done through the CLI.
Access can be limited to some server(s) and/or service(s) by creating a Firewall rule:
config firewall policy
    config rule
        edit "firewall_rule"
            set in-interface port2
            set out-interface port1
            set source-address physical_server
            set destination-address internet_address
            set service ALL
            set action deny
            set deny-log enable
        next
    end
end
Or access can be allowed only to some server(s) and/or service(s) when the Default Action is set to Deny:
config firewall policy
    set default-action deny
    config rule
        edit "firewall_rule"
            set in-interface port2
            set out-interface port1
            set source-address physical_server
            set destination-address internet_address
            set service ALL
            set action accept
        next
    end
end
Note:
This feature cannot be used to restrict access to virtual servers; such a setup is not supported.
Before creating the rules, the firewall addresses/services need to be defined. This can be done in Shared Resources -> Address and Shared Resources -> Service, or through the CLI under the 'config firewall' context:
config firewall
    connlimit     firewall connection limit
    connlimit6    firewall IPv6 connection limit
    global        firewall global configuration
    nat-snat      snat
    policy        firewall policy
    policy6       firewall IPv6 policy
    qos-filter    QoS filter
    qos-filter6   QoS IPv6 filter
    qos-queue     QoS queue
    vip           virtual IP
More details can be found in the Administration Guide and the CLI Reference Guide for FortiADC in the Fortinet Document Library.
