Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
isec46
New Contributor

Newbie : Make a firewall policy with different IP from FortiGate

Hello everyone, I'm somewhat new to FortiGate setup. I work in IT Security, and I'm currently creating a new policy on my FortiGate. This policy aims to limit social media usage within my company. I would like to know if it's possible to make an exception for guest devices when they connect to our network. In this case, I've configured a different segment IP from our office segment IP ?

Screenshot_8.png

Note : This is my current setting

1 Solution
AEK
Honored Contributor

If you do that than you can manage with IP ranges, e.g.:

  • users: 10.0.0.1-10.0.0.99
  • guest:10.0.0.100-10.0.0.200

But this is not good for security. You should change it.

AEK

View solution in original post

AEK
6 REPLIES 6
smaruvala
Staff
Staff

Hi,

 

- If you have configured different IP segments to guest users and internal/office users then you can just create 2 separate policy. In these policy you can define the correct source IP segment as per the need. You can also use the correct Application profile, Web filter profile etc as per the requirement you have.

 

Regards,

Shiva

isec46

Hi @smaruvala ,
If I create a different FortiGate policy, will it affect or conflict with existing policies?

smaruvala

Hi,

 

Firewall policy lookup happens from top to bottom. Depending on the parameters of policy such as source interface, destination interface, Source IP, destination IP, Service the firewall will select the policy. The order in which you configure the policy is important along with the parameters used to match the policy. 

 

Regards,

Shiva

AEK
Honored Contributor

Hi @isec46 

The first good practice is to put the guest devices on a separate interface, e.g.: if they use WiFi they should have a dedicated separate SSID.

After that it's simple, you add a guest-dedicated firewall rule like this:

  • srcintf: Guest-SSID-intf or Guest-VLAN
  • dstintf: wan1
  • src: Guest-IP-Subnet
  • dest: all
  • service: some services
  • security profiles: some security profiles
AEK
AEK
isec46
New Contributor

Hi @AEK ,

What if I use the same interface ? can I running the policy with this setup ?

AEK
Honored Contributor

If you do that than you can manage with IP ranges, e.g.:

  • users: 10.0.0.1-10.0.0.99
  • guest:10.0.0.100-10.0.0.200

But this is not good for security. You should change it.

AEK
AEK
Labels
Top Kudoed Authors