Description
This article describes how to configure a FortiGate to use policy-based NGFW mode.
Scope
FortiGate.
Solution
# config sys setting
(settings) # set ngfw-mode policy-based
Changing to policy-based mode will remove all firewall policy/proxy-policy in this VDOM
Do you want to continue? (y/n)y
(settings) # end
Configure central SNAT (policy-based mode relies on the central SNAT map for source NAT):
# config firewall central-snat-map
    edit 1
        set uuid b803eab0-e9ee-51ec-b0f8-aa0b0be5818d
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "all"
        set dst-addr "all"
    next
end
Sample policy-based NGFW policies:
# config firewall security-policy
    edit 1
        set uuid d5461206-e9ee-51ec-98b9-4cca37b83356
        set name "TEST POLICY BASE NGFW"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set enforce-default-app-port disable
        set service "ALL"
        set schedule "always"
        set logtraffic all
        set url-category 37
    next
    edit 2
        set uuid 46a0f57e-e9ef-51ec-6363-08b4a132187c
        set name "ALLOW ALL"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set enforce-default-app-port disable
        set service "ALL"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
Policy 1 blocks internet traffic that falls under the Social Networking URL category (url-category 37); it has no explicit action, so it takes the default (deny). Policy 2 is a catch-all that allows any other traffic.
Result:
- When accessing Facebook, the session is blocked by the policy named TEST POLICY BASE NGFW (action="deny", utmaction="block" in the log below):
8: date=2022-06-12 time=09:41:54 eventtime=1654998114856614750 tz="+0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.115.1.80 srcport=49653 srcintf="port2" srcintfrole="undefined" dstip=157.240.10.35 dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Malaysia" sessionid=5519 proto=6 action="deny" policyid=1 policytype="security-policy" poluuid="d5461206-e9ee-51ec-98b9-4cca37b83356" policyname="TEST POLICY BASE NGFW" centralnatid=1 service="HTTPS" trandisp="snat" transip=10.47.1.42 transport=49653 duration=5 sentbyte=1196 rcvdbyte=8890 sentpkt=12 rcvdpkt=16 appcat="unscanned" utmaction="block" countweb=1 utmref=65535-0
- Traffic to any other destination (here, DNS to 8.8.8.8) matches the ALLOW ALL policy:
10: date=2022-06-12 time=09:41:54 eventtime=1654998114726622676 tz="+0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.115.1.80 srcport=62652 srcintf="port2" srcintfrole="undefined" dstip=8.8.8.8 dstport=53 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=4642 proto=17 action="accept" policyid=2 policytype="security-policy" poluuid="46a0f57e-e9ef-51ec-6363-08b4a132187c" policyname="ALLOW ALL" centralnatid=1 service="DNS" trandisp="snat" transip=10.47.1.42 transport=62652 duration=180 sentbyte=56 rcvdbyte=140 sentpkt=1 rcvdpkt=1 appcat="unscanned"
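As an added example (not part of the Fortinet article), the following Python parses the FortiOS key=value traffic-log format and, for each security-policy hit, reports which policy matched, whether the URL-category block fired (utmaction), and whether central SNAT was applied. The sample records are constructed as trimmed copies of the two log lines above.

```python
import re
from typing import Dict, List

# Constructed sample records: field subsets of the two traffic-log lines in the article,
# keeping the leading record index ("8:", "10:") that the CLI log viewer prints.
SAMPLE_LOGS = [
    '8: date=2022-06-12 time=09:41:54 tz="+0800" logid="0000000013" type="traffic" '
    'subtype="forward" srcip=10.115.1.80 srcport=49653 srcintf="port2" dstip=157.240.10.35 '
    'dstport=443 dstintf="port1" proto=6 action="deny" policyid=1 policytype="security-policy" '
    'policyname="TEST POLICY BASE NGFW" centralnatid=1 service="HTTPS" trandisp="snat" '
    'transip=10.47.1.42 appcat="unscanned" utmaction="block" countweb=1',
    '10: date=2022-06-12 time=09:41:54 tz="+0800" logid="0000000013" type="traffic" '
    'subtype="forward" srcip=10.115.1.80 srcport=62652 srcintf="port2" dstip=8.8.8.8 '
    'dstport=53 dstintf="port1" proto=17 action="accept" policyid=2 policytype="security-policy" '
    'policyname="ALLOW ALL" centralnatid=1 service="DNS" trandisp="snat" '
    'transip=10.47.1.42 appcat="unscanned"',
]

# key=value pairs: the value is either double-quoted (may contain spaces) or a bare token.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value log record into a dict; the "N:" index prefix is dropped."""
    line = re.sub(r'^\d+:\s*', '', line)
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in _KV.finditer(line)}


def summarize_ngfw_hits(lines: List[str]) -> List[Dict[str, object]]:
    """Keep only forward-traffic records matched by an NGFW security policy and summarize them.

    In policy-based mode the matching rule is reported as policytype="security-policy";
    utmaction="block" shows the URL-category (or other UTM) check denied the session, and
    centralnatid names the central SNAT map entry that translated the source address.
    """
    out: List[Dict[str, object]] = []
    for raw in lines:
        rec = parse_fortigate_log(raw)
        if rec.get("type") != "traffic" or rec.get("policytype") != "security-policy":
            continue
        out.append({
            "policyid": rec.get("policyid"),
            "policyname": rec.get("policyname"),
            "action": rec.get("action"),
            "utm_blocked": rec.get("utmaction") == "block",
            "dst": f'{rec.get("dstip")}:{rec.get("dstport")}',
            "central_snat_id": rec.get("centralnatid"),
        })
    return out
```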
Copyright 2024 Fortinet, Inc. All Rights Reserved.