Newbie: Make a firewall policy with different IP from FortiGate
Note: This is my current setting
Hi,
If you have configured different IP segments for guest users and internal/office users, then you can just create 2 separate policies. In these policies you can define the correct source IP segment as needed. You can also use the correct Application profile, Web filter profile, etc. as per the requirement you have.
Regards,
Shiva
Hi @smaruvala ,
If I create a different FortiGate policy, will it affect or conflict with existing policies?
Hi,
Firewall policy lookup happens from top to bottom. Depending on the parameters of the policy, such as source interface, destination interface, source IP, destination IP and service, the firewall will select the policy. The order in which you configure the policies is important, along with the parameters used to match the policy.
Regards,
Shiva
Hi @isec46
The first good practice is to put the guest devices on a separate interface, e.g.: if they use WiFi they should have a dedicated separate SSID.
After that it's simple, you add a guest-dedicated firewall rule like this:
- srcintf: Guest-SSID-intf or Guest-VLAN
- dstintf: wan1
- src: Guest-IP-Subnet
- dest: all
- service: some services
- security profiles: some security profiles
Hi @AEK ,
What if I use the same interface? Can I run the policy with this setup?
If you do that, then you can manage with IP ranges, e.g.:
- users: 10.0.0.1-10.0.0.99
- guest: 10.0.0.100-10.0.0.200
But this is not good for security. You should change it.
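
The top-to-bottom lookup described earlier in the thread, applied to the IP ranges from the last reply, as an added example that is not part of the original posts and not FortiOS code. It is a simplified model of first-match lookup; the interface name `lan`, the policy names and the service names are assumptions.

```python
# Simplified model of top-to-bottom, first-match policy lookup.
# Added illustration; not FortiOS code. Interface "lan" and policy names are assumptions.
from dataclasses import dataclass
from ipaddress import IPv4Address as IP


@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str
    dstintf: str
    src_first: str                    # first address of the source range
    src_last: str                     # last address of the source range
    services: frozenset = frozenset()  # empty set stands for "ALL"

    def matches(self, srcintf, dstintf, src_ip, service):
        return (self.srcintf == srcintf and self.dstintf == dstintf
                and IP(self.src_first) <= IP(src_ip) <= IP(self.src_last)
                and (not self.services or service in self.services))


def lookup(policies, srcintf, dstintf, src_ip, service):
    """Name of the first policy that matches, scanning top to bottom."""
    for p in policies:
        if p.matches(srcintf, dstintf, src_ip, service):
            return p.name
    return "implicit-deny"            # nothing matched


def shadowed(policies):
    """Policies that can never match because an earlier one covers them."""
    hidden = []
    for i, p in enumerate(policies):
        for q in policies[:i]:
            same_path = (q.srcintf, q.dstintf) == (p.srcintf, p.dstintf)
            src_covered = (IP(q.src_first) <= IP(p.src_first)
                           and IP(p.src_last) <= IP(q.src_last))
            svc_covered = not q.services or (bool(p.services) and p.services <= q.services)
            if same_path and src_covered and svc_covered:
                hidden.append(p.name)
                break
    return hidden


# Constructed sample policies using the address ranges from the thread.
LAN_ALL = Policy("lan-all", "lan", "wan1", "10.0.0.1", "10.0.0.254")
USERS = Policy("users", "lan", "wan1", "10.0.0.1", "10.0.0.99")
GUEST = Policy("guest-web", "lan", "wan1", "10.0.0.100", "10.0.0.200",
               frozenset({"DNS", "HTTP", "HTTPS"}))
BROAD_FIRST = [LAN_ALL, GUEST]        # existing broad policy above the new one
SPECIFIC_FIRST = [GUEST, USERS]       # one policy per range
```

With `BROAD_FIRST`, the new guest policy never takes effect because the existing broad policy above it matches first; with `SPECIFIC_FIRST`, each range hits its own policy. The match is on source address only, so on a shared interface the separation holds only as long as address assignment does.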