Description

This article describes how to implement basic policy for Policy Based NGFW Mode

Scope

Basic internet policy for PC users (tested on FOS 6.4.8).

Solution

Fortigate has 2 (two) NGFW mode:

1) Profile Based ( default ) - - not covered for this example.

2) Policy Based.

There are 3 (three) components which need to pay attention to, in order to implement basic policy in Policy-based NGFW mode.  

*not mandatory (can be ignored if snat is not required)

Note:

Routing must be in place to address the network requirement

FGT1 (client_vdom) # get system settings | grep ngfw

ngfw-mode           : policy-based

Policy based mode flow logic : 

Firewall policy --> Firewall Security-policy + ( firewall central-snat-map) 

FGT1 (client_vdom) # show firewall security-policy 1

config firewall security-policy

    edit 1

        set uuid 1aab8348-6cea-51ed-51f6-d59f43e4848e

        set name "internet"

        set srcintf "port7"       --> intf to user pc

        set dstintf "vdom_link1"  --> intf to internet 

        set srcaddr "all"

        set dstaddr "all"

        set action accept

        set schedule "always"

        set logtraffic all

    next

end

FGT1 (client_vdom) # show firewall central-snat-map 1

config firewall central-snat-map

    edit 1

        set uuid 26bcef28-6cea-51ed-4867-befe6c338372

        set srcintf "port7"

        set dstintf "vdom_link1"

        set orig-addr "all"

        set dst-addr "all"

    next

end

FGT1 (client_vdom) # show firewall policy 1

config firewall policy

    edit 1

        set name "internet_ssl"

        set uuid 041ce39c-6cea-51ed-2ac9-a858f21eedd5

        set srcintf "port7"

        set dstintf "vdom_link1"

        set srcaddr "all"

        set dstaddr "all"

        set service "ALL"

    next

end

Warning.

Changing NGFW Mode from profile to policy-based and vice versa will remove all the firewall policy configurations.

Important Tips: 

1) FortiGate will screen these 3 policy categories individually and orderly. 

2) FortiGate is able to identify which policy should be applied to which traffic: only by matching the criteria defined in these 3 policy categories (such as src intf, dst intf, etc). 

3) It is very important to define the criteria as specifically as possible, in order to avoid FortiGate applying unexpected policies. In case there are general criteria to match more granular traffics, it is possible to define these criteria as generally as possible, so it will not be necessary to define each policy for each type of traffic.

4) For the policy that has a default implicit rule is mandatory to be configured, in order to avoid traffic hitting this default implicit rule.  

5) Each VDOM can be configured with a different NGFW mode.

Related document:

https://docs.fortinet.com/document/fortigate/6.2.0/Cookbook/978598/profile-based-ngfw-vs-policy-base...

Technical Tip : Basic Command for Investigating F... - Fortinet Community