ekrishnan
Staff
Article Id 246027
Description

This article describes how to disable and re-enable a firewall policy automatically using automation stitches.

The example uses two ISP links (WAN1 and WAN2) and a single firewall policy.

Scope
This article was tested against the following requirement: a specific firewall policy (policy ID 4 in the example) must only be used while WAN1 is up. When WAN1 fails and traffic fails over to WAN2, all other traffic must continue to work but policy ID 4 must be disabled, and when WAN1 comes back up, policy ID 4 must be enabled again.
Solution
  • Configure a link monitor for WAN1. The link-monitor table requires a named entry, so the monitor is created with edit:


config system link-monitor
    edit "WAN1-monitor"
        set srcintf "WAN1"
        set server "8.8.8.8"
        set protocol ping
    next
end


  • FortiGate monitors the link by sending ICMP probes from WAN1 to 8.8.8.8. When the probes fail the link is marked dead, and when they succeed again it is marked alive. Each state change is written to the event log as a Link Monitor Status event, and that log entry is what the automation stitches trigger on.

    Configure the automation stitches under Security Fabric > Automation.


Note: two stitches must be configured:

  1. One to disable the policy when the link monitor detects that the WAN1 ISP interface has failed (dead).
  2. One to enable the policy when the link monitor detects that the WAN1 ISP interface has come back up (alive).


For the first stitch:

  • Configure the Trigger:

Select 'Create New' and select the Event 'Link Monitor Status'.

Configure the Field filters:
msg : Link Monitor initial state is dead, protocol: ping

The field filter is matched against the msg field of the Link Monitor Status event log, so the text must be the same as what the unit actually logs. Copy it from a real event log entry generated by the link monitor (Log & Report > Events) rather than retyping it; if the filter text does not match the message the FortiGate writes, the stitch will never fire.



 


Configure the Action: select 'Create New' -> CLI Script.

Script:


config firewall policy
    edit 4
        set status disable
    next
end


In the script, 4 is the ID of the firewall policy to disable; replace it with the ID of the policy in question.

 



The administrator profile used for the CLI script action is super_admin. The script runs with whatever rights that profile grants, so if the script is only ever meant to change firewall policies, a more restrictive administrator profile that has write access to firewall policy can be used instead to limit what the action is able to change.

Finally, configure the Stitch:

Select 'Create New', choose the Trigger created above, and choose the CLI script Action configured in the previous step.

The configuration above disables the firewall policy when WAN1 goes down.

Similarly, a second Stitch must be configured to enable the firewall policy again when WAN1 comes back up.

 

  • The other steps are the same; the only changes are the Trigger's field filter and the Script.


Configure the Trigger:

Select 'Create New' and select the Event 'Link Monitor Status'.

Configure the Field filters:
msg : Link Monitor initial state is alive, protocol: ping


 


Configure the Action: select 'Create New' -> CLI Script.

Script:


config firewall policy
    edit 4
        set status enable
    next
end


This script is identical to the first one except that the policy status is set to enable.

 



There are now two Stitches. When the link monitor detects that WAN1 is down, the first stitch runs its script and disables policy ID 4; when the link monitor detects that WAN1 is alive again, the second stitch runs its script and enables policy ID 4 again.
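The same link monitor, triggers, actions and stitches can be created from the CLI instead of the GUI, which makes the whole setup reviewable and reproducible in one place. The block below is an added example and is not part of the original article. It assumes FortiOS 7.x CLI syntax, uses arbitrary object names (WAN1-monitor, WAN1-down, WAN1-up, disable-policy-4, enable-policy-4 and the two stitch names), and assumes that the GUI event 'Link Monitor Status' corresponds to log ID 22921; confirm that ID on the unit, for example by creating one trigger in the GUI and running 'show system automation-trigger' to see the logid it stored, or by checking the FortiOS Log Reference for the firmware in use.

```fortios
# Added example, not from the original article. Assumes FortiOS 7.x syntax.
# Object names are arbitrary. The logid 22921 for "Link Monitor Status" is an
# assumption: verify it with "show system automation-trigger" after creating
# one trigger in the GUI, or in the FortiOS Log Reference.

# 1. Link monitor: ICMP probes from WAN1 to 8.8.8.8
config system link-monitor
    edit "WAN1-monitor"
        set srcintf "WAN1"
        set server "8.8.8.8"
        set protocol ping
    next
end

# 2. Triggers: one per link state, matching the msg field of the event log.
#    The msg text must match what the unit actually logs.
config system automation-trigger
    edit "WAN1-down"
        set event-type event-log
        set logid 22921
        config fields
            edit 1
                set name "msg"
                set value "Link Monitor initial state is dead, protocol: ping"
            next
        end
    next
    edit "WAN1-up"
        set event-type event-log
        set logid 22921
        config fields
            edit 1
                set name "msg"
                set value "Link Monitor initial state is alive, protocol: ping"
            next
        end
    next
end

# 3. CLI script actions, run under super_admin as in the article
#    (a narrower profile with firewall policy write access would also do).
config system automation-action
    edit "disable-policy-4"
        set action-type cli-script
        set script "config firewall policy
edit 4
set status disable
next
end"
        set accprofile "super_admin"
    next
    edit "enable-policy-4"
        set action-type cli-script
        set script "config firewall policy
edit 4
set status enable
next
end"
        set accprofile "super_admin"
    next
end

# 4. Stitches: bind each trigger to its action
config system automation-stitch
    edit "WAN1-down-disable-policy-4"
        set trigger "WAN1-down"
        config actions
            edit 1
                set action "disable-policy-4"
            next
        end
    next
    edit "WAN1-up-enable-policy-4"
        set trigger "WAN1-up"
        config actions
            edit 1
                set action "enable-policy-4"
            next
        end
    next
end
```

To check the setup, 'diagnose sys link-monitor status' shows the current state of WAN1-monitor, and 'diagnose automation test "WAN1-down-disable-policy-4"' fires that stitch by hand; afterwards 'show firewall policy 4' should contain 'set status disable'. Note that the manual test really runs the action, so policy 4 is disabled until the WAN1-up stitch (or an administrator) enables it again.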