FortiGate
acvaldez
Staff
Article Id 214432
Description

This article describes how to set a FortiGate to use policy-based NGFW mode, with a sample central SNAT entry and security policies, and the traffic logs that show the policies being matched.

Scope

FortiGate.
Solution

Switch the VDOM to policy-based NGFW mode. Note the warning: changing mode removes every existing firewall policy and proxy policy in the VDOM.

# config sys setting

(settings) # set ngfw-mode policy-based

Changing to policy-based mode will remove all firewall policy/proxy-policy in this VDOM

Do you want to continue? (y/n)y

(settings) # end

 

Configure central SNAT. In policy-based mode, source NAT is not set per policy; it is defined centrally in the central-snat-map, so without an entry here outbound traffic will not be translated.

 

# config firewall central-snat-map
    edit 1
        set uuid b803eab0-e9ee-51ec-b0f8-aa0b0be5818d
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "all"
        set dst-addr "all"
    next
end

 

Sample policy-based NGFW security policies (two entries, evaluated in order).

 

# config firewall security-policy
    edit 1
        set uuid d5461206-e9ee-51ec-98b9-4cca37b83356
        set name "TEST POLICY BASE NGFW"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set enforce-default-app-port disable
        set service "ALL"
        set schedule "always"
        set logtraffic all
        set url-category 37
    next
    edit 2
        set uuid 46a0f57e-e9ef-51ec-6363-08b4a132187c
        set name "ALLOW ALL"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set enforce-default-app-port disable
        set service "ALL"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

 

1st - Policy 1 blocks internet traffic that falls under the Social Networking URL category (url-category 37). It sets no action, so the default action (deny) applies to matching traffic.

2nd - Policy 2 accepts any other traffic ('catch all'). Because policies are evaluated top to bottom, it must sit below the blocking policy.

 

Result:

 

- When accessing Facebook, the session is blocked by the policy named TEST POLICY BASE NGFW (policyid=1, action="deny", utmaction="block" in the log below).

 

8: date=2022-06-12 time=09:41:54 eventtime=1654998114856614750 tz="+0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.115.1.80 srcport=49653 srcintf="port2" srcintfrole="undefined" dstip=157.240.10.35 dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Malaysia" sessionid=5519 proto=6 action="deny" policyid=1 policytype="security-policy" poluuid="d5461206-e9ee-51ec-98b9-4cca37b83356" policyname="TEST POLICY BASE NGFW" centralnatid=1 service="HTTPS" trandisp="snat" transip=10.47.1.42 transport=49653 duration=5 sentbyte=1196 rcvdbyte=8890 sentpkt=12 rcvdpkt=16 appcat="unscanned" utmaction="block" countweb=1 utmref=65535-0

 

- Traffic to any other destination (here a DNS query to 8.8.8.8) does not match policy 1 and is accepted by the ALLOW ALL policy (policyid=2).

 

10: date=2022-06-12 time=09:41:54 eventtime=1654998114726622676 tz="+0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.115.1.80 srcport=62652 srcintf="port2" srcintfrole="undefined" dstip=8.8.8.8 dstport=53 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=4642 proto=17 action="accept" policyid=2 policytype="security-policy" poluuid="46a0f57e-e9ef-51ec-6363-08b4a132187c" policyname="ALLOW ALL" centralnatid=1 service="DNS" trandisp="snat" transip=10.47.1.42 transport=62652 duration=180 sentbyte=56 rcvdbyte=140 sentpkt=1 rcvdpkt=1 appcat="unscanned"
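The log lines above are what you check after the change to confirm the configuration behaves as intended. The following Python script is an added example for this article and is not Fortinet code: it parses FortiGate key=value traffic logs (quoted values such as policyname="TEST POLICY BASE NGFW" may contain spaces), reports which security policy handled each session, and flags sessions that were not source-NATed by central SNAT, sessions whose policytype shows the VDOM is not in policy-based mode, and accepted sessions that fell through to the catch-all policy. Its only input is the two log entries shown above; the catch-all policy id (2) is taken from the article's configuration.

```python
"""Parse FortiGate forward-traffic log lines and report which security-policy
and central-SNAT entry handled each session.

Added example for this article; it is not Fortinet code. The only input is
the two log entries the article shows, copied here as sample data.
"""
import re

# The article's two "Result" log lines. The leading "8:" / "10:" are line
# indexes from the diagnostic output, not log fields.
SAMPLE_LOGS = [
    '8: date=2022-06-12 time=09:41:54 eventtime=1654998114856614750 tz="+0800" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.115.1.80 srcport=49653 srcintf="port2" srcintfrole="undefined" '
    'dstip=157.240.10.35 dstport=443 dstintf="port1" dstintfrole="undefined" '
    'srccountry="Reserved" dstcountry="Malaysia" sessionid=5519 proto=6 '
    'action="deny" policyid=1 policytype="security-policy" '
    'poluuid="d5461206-e9ee-51ec-98b9-4cca37b83356" '
    'policyname="TEST POLICY BASE NGFW" centralnatid=1 service="HTTPS" '
    'trandisp="snat" transip=10.47.1.42 transport=49653 duration=5 '
    'sentbyte=1196 rcvdbyte=8890 sentpkt=12 rcvdpkt=16 appcat="unscanned" '
    'utmaction="block" countweb=1 utmref=65535-0',
    '10: date=2022-06-12 time=09:41:54 eventtime=1654998114726622676 tz="+0800" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.115.1.80 srcport=62652 srcintf="port2" srcintfrole="undefined" '
    'dstip=8.8.8.8 dstport=53 dstintf="port1" dstintfrole="undefined" '
    'srccountry="Reserved" dstcountry="United States" sessionid=4642 proto=17 '
    'action="accept" policyid=2 policytype="security-policy" '
    'poluuid="46a0f57e-e9ef-51ec-6363-08b4a132187c" policyname="ALLOW ALL" '
    'centralnatid=1 service="DNS" trandisp="snat" transip=10.47.1.42 '
    'transport=62652 duration=180 sentbyte=56 rcvdbyte=140 sentpkt=1 rcvdpkt=1 '
    'appcat="unscanned"',
]

# One key=value field: the value is either "double quoted" (may contain
# spaces, e.g. policyname="TEST POLICY BASE NGFW") or a bare token.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Turn one log line into a dict of field name -> string value."""
    line = re.sub(r'^\d+:\s*', '', line)  # strip an optional "N: " index prefix
    fields = {}
    for key, value in _FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]  # drop the surrounding quotes
        fields[key] = value
    return fields


def policy_verdict(fields):
    """(policyid, policyname, action, utmaction) for one session; utmaction is
    None when the log carries no UTM verdict (plain accept, nothing blocked)."""
    return (int(fields["policyid"]), fields.get("policyname", ""),
            fields["action"], fields.get("utmaction"))


def audit_sessions(lines, catch_all_policy_id=2):
    """Group sessions by the security policy that handled them and flag the
    things to verify after switching to policy-based mode:
      * sessions whose policytype is not "security-policy" (that session was
        not handled by a policy-based NGFW policy),
      * sessions not source-NATed through a central-snat-map entry, and
      * accepted sessions that fell through to the catch-all policy.
    catch_all_policy_id defaults to 2, the "ALLOW ALL" policy in the article."""
    report = {"by_policy": {}, "not_policy_based": [], "not_snat": [], "catch_all": []}
    for line in lines:
        f = parse_fortigate_log(line)
        pid, name, action, _utm = policy_verdict(f)
        sid = f["sessionid"]
        report["by_policy"].setdefault((pid, name), []).append(sid)
        if f.get("policytype") != "security-policy":
            report["not_policy_based"].append(sid)
        if f.get("trandisp") != "snat" or "centralnatid" not in f:
            report["not_snat"].append(sid)
        if pid == catch_all_policy_id and action == "accept":
            report["catch_all"].append((sid, f["dstip"], f.get("service")))
    return report


if __name__ == "__main__":
    result = audit_sessions(SAMPLE_LOGS)
    for (pid, name), sids in result["by_policy"].items():
        print(f"policy {pid} ({name}): sessions {sids}")
    print("not SNATed:", result["not_snat"])
    print("hit catch-all:", result["catch_all"])
```

Run it on the output of the FortiGate's traffic log (for example, the lines returned by a log filter on the CLI) to confirm that every session carries policytype="security-policy", that trandisp="snat" with a centralnatid is present on outbound sessions, and to review what is reaching the catch-all policy; a growing catch-all list is the cue to add more specific policies above it.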
