Technical Tip: Configuring a Firewall Policy which is valid only at certain days or hours by using a schedule
Description
This article describes an example of Firewall Policy rules where the Administrator needs to:
- On weekdays, allow all users to fully access the Internet during lunchtime and after business hours.
- Allow full access to the Internet without any restriction for users from a specific IP range, called Admin_PCs.
- During business hours, allow only access to www.fortinet.com and <my_business_web_site2> for the other users.
- No restrictions during the weekend.
Additional information about Firewall Policy can be found in the FortiGate Administration guides of each release. See also the related articles at the end of this page.
Scope
FortiGate.
Solution
Configuring the schedules:
config firewall schedule recurring
    edit "week-end"
        set day sunday saturday
    next
    edit "lunch-time"
        set day monday tuesday wednesday thursday friday
        set start 12:00
        set end 14:00
    next
    edit "late evening to early morning"
        set day monday tuesday wednesday thursday friday
        set start 18:00
        set end 08:00
    next
end
Note: a recurring schedule with no start and end keeps the default 00:00 to 00:00, which means the whole of each listed day (this is what makes "week-end" cover Saturday and Sunday completely). When the end time is earlier than the start time, as in "late evening to early morning", the schedule becomes active at the start time on a listed day and stays active until the end time of the following day.
Configuring the address objects (one IP range for the administrators' PCs and one FQDN object per allowed web site):
config firewall address
    edit "Admin_PCs"
        set type iprange
        set start-ip 192.168.1.200
        set end-ip 192.168.1.254
    next
    edit "www.fortinet.com"
        set type fqdn
        set fqdn "www.fortinet.com"
    next
    edit "my_business_web_site2"
        set type fqdn
        set fqdn "www.my_business_web_site2.com"
    next
end
Configuring the firewall policies. The FortiGate evaluates policies top-down in the order of the policy table, not by policy ID, and the first policy whose interfaces, addresses, schedule and service all match is applied; traffic that matches no policy is dropped by the implicit deny. On a fresh configuration each new policy is appended to the bottom, so the sequence below (6, 1, 2, 3, 4, 5) is also the evaluation order. On a unit that already has policies, place them with "move <id> before <id>" inside "config firewall policy". The restricted "always" policy (5) must sit below the schedule-based policies: if it were above them it would still only allow the two web sites, but a permissive "always" policy placed above them would make the schedules irrelevant.
config firewall policy
    edit 6
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set comments "Required for DNS requests anytime"
        set schedule "always"
        set service "DNS"
        set nat enable
    next
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set comments "week-end policy"
        set schedule "week-end"
        set service "ALL"
        set nat enable
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Admin_PCs"
        set dstaddr "all"
        set action accept
        set comments "Admin PCs no restriction"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set comments "lunch time policy"
        set schedule "lunch-time"
        set service "ALL"
        set nat enable
    next
    edit 4
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set comments "late evening to early morning policy"
        set schedule "late evening to early morning"
        set service "ALL"
        set nat enable
    next
    edit 5
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "www.fortinet.com" "my_business_web_site2"
        set action accept
        set comments "business hours: allowed web sites only"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
Policy 6 is needed because the FQDN objects in policy 5 only work if the clients can resolve names; without a DNS policy above the restricted one, business-hours access to the two allowed sites would fail as well.
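To check that the six policies really produce the intended coverage before rolling them out, the following Python script models the FortiGate matching rules for this policy set: first matching policy wins in table order, "all" matches anything, an iprange object matches a source IP, an FQDN object matches a destination host, and a recurring schedule whose end is earlier than its start runs until the end time of the next day. This is an added example written for this article, not Fortinet code or FortiOS behaviour verbatim; the FQDN match is simplified to a hostname comparison (the unit really matches resolved IPs), the dates, client IPs and destination hosts are constructed test input, and the comment on policy 5 is assumed.

```python
"""Model of top-down policy matching for the article's six-policy set (added example)."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import FrozenSet, Optional

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


@dataclass(frozen=True)
class Recurring:
    """One 'config firewall schedule recurring' entry."""
    days: FrozenSet[str]
    start: time = time(0, 0)
    end: time = time(0, 0)  # default 00:00-00:00 means the whole day

    def active(self, now: datetime) -> bool:
        today, t = DAYS[now.weekday()], now.time()
        if self.start == self.end:                       # all-day entry, e.g. "week-end"
            return today in self.days
        if self.start < self.end:                        # same-day window, e.g. "lunch-time"
            return today in self.days and self.start <= t < self.end
        # end earlier than start: opens at start on a listed day, closes at end next day
        if today in self.days and t >= self.start:
            return True
        yesterday = DAYS[(now.weekday() - 1) % 7]
        return yesterday in self.days and t < self.end


SCHEDULES = {
    "always": Recurring(frozenset(DAYS)),
    "week-end": Recurring(frozenset({"saturday", "sunday"})),
    "lunch-time": Recurring(frozenset(DAYS[:5]), time(12, 0), time(14, 0)),
    "late evening to early morning": Recurring(frozenset(DAYS[:5]), time(18, 0), time(8, 0)),
}

# Address objects from the article: ("iprange", first, last) or ("fqdn", hostname).
ADDRESSES = {
    "Admin_PCs": ("iprange", IPv4Address("192.168.1.200"), IPv4Address("192.168.1.254")),
    "www.fortinet.com": ("fqdn", "www.fortinet.com"),
    "my_business_web_site2": ("fqdn", "www.my_business_web_site2.com"),
}


def src_matches(names: FrozenSet[str], ip: IPv4Address) -> bool:
    if "all" in names:
        return True
    return any(ADDRESSES[n][0] == "iprange" and ADDRESSES[n][1] <= ip <= ADDRESSES[n][2]
               for n in names)


def dst_matches(names: FrozenSet[str], host: str) -> bool:
    if "all" in names:
        return True
    return any(ADDRESSES[n][0] == "fqdn" and ADDRESSES[n][1] == host for n in names)


@dataclass(frozen=True)
class Policy:
    pid: int
    srcaddr: FrozenSet[str]
    dstaddr: FrozenSet[str]
    schedule: str
    service: FrozenSet[str]


A = frozenset({"all"})
# Same sequence as the article's CLI: policy 6 is created first, so it is evaluated first.
POLICIES = [
    Policy(6, A, A, "always", frozenset({"DNS"})),
    Policy(1, A, A, "week-end", frozenset({"ALL"})),
    Policy(2, frozenset({"Admin_PCs"}), A, "always", frozenset({"ALL"})),
    Policy(3, A, A, "lunch-time", frozenset({"ALL"})),
    Policy(4, A, A, "late evening to early morning", frozenset({"ALL"})),
    Policy(5, A, frozenset({"www.fortinet.com", "my_business_web_site2"}), "always",
           frozenset({"ALL"})),
]


def first_match(now: datetime, src_ip: str, dst_host: str, service: str) -> Optional[int]:
    """ID of the first policy accepting the flow, or None for the implicit deny."""
    ip = IPv4Address(src_ip)
    for p in POLICIES:
        if (SCHEDULES[p.schedule].active(now) and src_matches(p.srcaddr, ip)
                and dst_matches(p.dstaddr, dst_host)
                and ("ALL" in p.service or service in p.service)):
            return p.pid
    return None


if __name__ == "__main__":
    # Constructed flows: 2 Jan 2024 is a Tuesday, 6 Jan a Saturday, 8 Jan a Monday.
    flows = [
        (datetime(2024, 1, 2, 10, 0), "192.168.1.10", "www.example.com", "HTTPS"),
        (datetime(2024, 1, 2, 10, 0), "192.168.1.10", "www.fortinet.com", "HTTPS"),
        (datetime(2024, 1, 2, 10, 0), "192.168.1.210", "www.example.com", "HTTPS"),
        (datetime(2024, 1, 2, 12, 30), "192.168.1.10", "www.example.com", "HTTPS"),
        (datetime(2024, 1, 2, 1, 0), "192.168.1.10", "www.example.com", "HTTPS"),
        (datetime(2024, 1, 6, 3, 0), "192.168.1.10", "www.example.com", "HTTPS"),
        (datetime(2024, 1, 8, 7, 0), "192.168.1.10", "www.example.com", "HTTPS"),
    ]
    for now, ip, host, svc in flows:
        print(now.strftime("%a %H:%M"), ip, "->", host, svc, "policy", first_match(now, ip, host, svc))
```

Running it shows the intended behaviour (business-hours browsing to an arbitrary site hits no policy and is dropped, the allowed sites hit policy 5, Admin_PCs hit policy 2, lunchtime hits policy 3, Tuesday 01:00 hits policy 4 via Monday's overnight schedule) and one edge worth knowing about: Monday 00:00 to 08:00 is covered by neither "week-end" nor "late evening to early morning", because Sunday is not one of that schedule's days, so only the two allowed sites are reachable then. Whether that matches the intent, and whether your FortiOS release handles the overnight window exactly as modelled here, is best confirmed with the policy-lookup tool or the debug flow described in the related article below.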
Related articles
Technical Tip : Troubleshoot and verify if traffic is hitting a Firewall Policy