FortiGate
iskandar_lie
Staff
Article Id 230884
Description


This article describes how to implement a basic policy set for Next-Generation Firewall (NGFW) policy-based mode using an example of allowing Internet Access for LAN users.


Scope


FortiGate; NGFW policy-based mode


Solution


The FortiGate supports two NGFW operational modes, which can be set on a per-VDOM basis (or globally, for non-VDOM FortiGates):

  1. NGFW profile-based mode (default mode).
  2. NGFW policy-based mode (which is discussed in this article).


To check which NGFW mode the FortiGate (or VDOM) is using, look for the ngfw-mode setting under config system settings:


FortiGate (ngfw_vdom) # get system settings | grep ngfw-mode
ngfw-mode           : policy-based


Important note:

Changing from one NGFW mode to the other removes all existing firewall policy configuration, since policies are not transferable between modes.


In NGFW policy-based mode, a firewall policy is split into three separate components, each of which must be configured for a basic policy to function. These components are as follows:


GUI (under 'Policy & Objects')             CLI equivalent
SSL Inspection & Authentication Policy     config firewall policy
Security Policy                            config firewall security-policy
Central SNAT**                             config firewall central-snat-map

** Not mandatory if Source NAT is not required for a given traffic flow.


The above policy components are evaluated in the following order. If traffic does not match a policy in the first two components (SSL Inspection & Authentication Policy and Security Policy), it is dropped by implicit deny, whereas Central SNAT is implicit allow (with no Source NAT applied) if no policy is matched:


SSL Inspection & Authentication Policy (via the kernel) -> Security Policy (via the IPS Engine/Policy Match Engine) -> Central SNAT (via the kernel)


Note:

This article assumes that the FortiGate already has appropriate network routes (connected, static, dynamic, etc.) to reach a given destination and to satisfy reverse path forwarding (RPF) checks. For more information, see: Technical Tip: Reverse Path Forwarding (RPF) implementation and use of strict-src-check enable|disab...


Example configuration:

The following is an example CLI configuration of a basic policy set that allows a local user to send traffic in on the FortiGate's 'internal' interface and out to the Internet via 'wan1'. A Central SNAT policy has also been added to Source NAT the traffic as it leaves wan1.


SSL Inspection & Authentication Policy:


config firewall policy
    edit 1
        set name 'Internet_SSL_Policy'
        set srcintf 'internal'
        set dstintf 'wan1'
        set srcaddr 'all'
        set dstaddr 'all'
        set service 'ALL'
    next
end


Security Policy:


config firewall security-policy
    edit 1
        set name 'Internet_Security_Policy'
        set srcintf 'internal'
        set dstintf 'wan1'
        set srcaddr 'all'
        set dstaddr 'all'
        set action accept
        set schedule 'always'
        set logtraffic all
    next
end


Central SNAT:


config firewall central-snat-map
    edit 1
        set srcintf 'internal'
        set dstintf 'wan1'
        set orig-addr 'all'
        set dst-addr 'all'
    next
end


Important note:

  • The FortiGate matches SSL Inspection & Authentication Policies and Central SNAT policies based on the network session tuple (Source/Destination IP address, ports, and protocol). Security Policies match on the same tuple but can additionally match traffic based on the identified Application signature and/or URL category (see also: Technical Tip: How to block URL Category and Application in NGFW policy-based mode).
  • It is generally best practice to use the most specific matching criteria possible when configuring these policies (i.e., filter on the allowed Source/Destination IP addresses and ports rather than using the 'all' Address Object). This reduces the amount of unexpected traffic allowed through the FortiGate.
  • NGFW modes may be set on a per-VDOM basis, so it may be wise to use NGFW policy-based mode within VDOMs for greater configuration flexibility (rather than enabling it globally on a non-VDOM FortiGate).
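As an added example (not part of the article and not FortiOS code), the following Python script parses a constructed FortiOS-style policy set and applies two of the points above: a Security Policy whose interface pair has no SSL Inspection & Authentication Policy is unreachable, because traffic is dropped by implicit deny at the first stage, and Security Policies using the 'all' address object are flagged per the best-practice note. It simplifies matching to the srcintf/dstintf pair only; the sample config, the 'guest' interface and 'guest_net' object are constructed.

```python
# Constructed sample in FortiOS CLI syntax: the article's internal->wan1 pair plus a
# constructed guest->wan1 Security Policy with no SSL Inspection & Authentication Policy.
SAMPLE_CONFIG = """config firewall policy
    edit 1
        set srcintf 'internal'
        set dstintf 'wan1'
        set service 'ALL'
    next
end
config firewall security-policy
    edit 1
        set srcintf 'internal'
        set dstintf 'wan1'
        set srcaddr 'all'
        set dstaddr 'all'
    next
    edit 2
        set srcintf 'guest'
        set dstintf 'wan1'
        set srcaddr 'guest_net'
    next
end
"""

def parse_fortios(text):
    """Return {table: {edit_id: {key: value}}} from FortiOS 'config/edit/set/next/end' text."""
    tables, table, entry = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("config "):
            table = tables.setdefault(line[7:], {})
        elif line.startswith("edit ") and table is not None:
            entry = table.setdefault(line[5:], {})
        elif line.startswith("set ") and entry is not None:
            key, value = line[4:].split(" ", 1)
            entry[key] = value.strip("'\"")
        elif line == "next":
            entry = None
    return tables

def audit(config_text):
    """Flag Security Policies that cannot be reached, and matches broader than best practice."""
    cfg = parse_fortios(config_text)
    ssl_pairs = {(p.get("srcintf"), p.get("dstintf")) for p in cfg.get("firewall policy", {}).values()}
    findings = []
    for pid, pol in cfg.get("firewall security-policy", {}).items():
        pair = (pol.get("srcintf"), pol.get("dstintf"))
        if pair not in ssl_pairs:  # stage 1 (kernel) has nothing to match: implicit deny
            findings.append(f"security-policy {pid}: no SSL Inspection & Authentication Policy for {pair[0]}->{pair[1]}; traffic is dropped by implicit deny before reaching it")
        if pol.get("srcaddr") == "all" or pol.get("dstaddr") == "all":
            findings.append(f"security-policy {pid}: uses the 'all' address object; prefer specific source/destination objects")
    return findings
```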


Related Documents:

Technical Tip: NGFW policy-based mode Resource List

FortiGate Admin Guide - NGFW Policy

Technical Tip: Basic command for investigating firewall policy based mode traffic