Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
iskandar_lie
Staff
Staff

Created on ‎11-25-2022 11:16 PM Edited on ‎05-30-2023 01:23 AM By Community Manager

Article Id 230884

Technical Tip: Implement Basic policy for Policy Based NGFW Mode

Description

 

This article describes how to implement basic policy for Policy Based NGFW Mode

 

Scope

 

Basic internet policy for PC users (tested on FOS 6.4.8).

 

Solution

 

Fortigate has 2 (two) NGFW mode:

1) Profile Based ( default ) - - not covered for this example.

2) Policy Based.

 

There are 3 (three) components which need to pay attention to, in order to implement basic policy in Policy-based NGFW mode.  

 

GUI ( Policy & Objects )

CLI

Security Policy

Firewall Security Policy

Central SNAT*

Firewall central-snat-map*

SSL Inspection & Authentication

Firewall Policy

*not mandatory (can be ignored if snat is not required)

 

Note:

Routing must be in place to address the network requirement

 

FGT1 (client_vdom) # get system settings | grep ngfw

ngfw-mode           : policy-based

 

Policy based mode flow logic

Firewall policy --> Firewall Security-policy + ( firewall central-snat-map) 

 

FGT1 (client_vdom) # show firewall security-policy 1

config firewall security-policy

    edit 1

        set uuid 1aab8348-6cea-51ed-51f6-d59f43e4848e

        set name "internet"

        set srcintf "port7"       --> intf to user pc

        set dstintf "vdom_link1"  --> intf to internet 

        set srcaddr "all"

        set dstaddr "all"

        set action accept

        set schedule "always"

        set logtraffic all

    next

end

 

FGT1 (client_vdom) # show firewall central-snat-map 1

config firewall central-snat-map

    edit 1

        set uuid 26bcef28-6cea-51ed-4867-befe6c338372

        set srcintf "port7"

        set dstintf "vdom_link1"

        set orig-addr "all"

        set dst-addr "all"

    next

end

 

FGT1 (client_vdom) # show firewall policy 1

config firewall policy

    edit 1

        set name "internet_ssl"

        set uuid 041ce39c-6cea-51ed-2ac9-a858f21eedd5

        set srcintf "port7"

        set dstintf "vdom_link1"

        set srcaddr "all"

        set dstaddr "all"

        set service "ALL"

    next

end

 

Warning.

Changing NGFW Mode from profile to policy-based and vice versa will remove all the firewall policy configurations.

 

Important Tips: 

1) FortiGate will screen these 3 policy categories individually and orderly. 

2) FortiGate is able to identify which policy should be applied to which traffic: only by matching the criteria defined in these 3 policy categories (such as src intf, dst intf, etc). 

3) It is very important to define the criteria as specifically as possible, in order to avoid FortiGate applying unexpected policies. In case there are general criteria to match more granular traffics, it is possible to define these criteria as generally as possible, so it will not be necessary to define each policy for each type of traffic.

4) For the policy that has a default implicit rule is mandatory to be configured, in order to avoid traffic hitting this default implicit rule.  

5) Each VDOM can be configured with a different NGFW mode.

 

Related document:

https://docs.fortinet.com/document/fortigate/6.2.0/Cookbook/978598/profile-based-ngfw-vs-policy-base...

Technical Tip : Basic Command for Investigating F... - Fortinet Community

1087
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.