Description
This article describes an example of Firewall Policy rules where the Administrator needs to:
- On weekdays, allow all users to fully access the Internet during lunchtime and after business hours.
- Allow full access to the Internet without any restriction for users from a specific IP range, called Admin_PCs.
- During business hours, allow only access to www.fortinet.com and <my_business_web_site2> for the other users.
- No restrictions during the weekend.
Additional information about Firewall Policy can be found in the FortiGate Administration guides of each release. See also the related articles at the end of this page.
Scope
FortiGate.
Solution
Reminder about the Firewall Policy Order:
For a given pair of source and destination interfaces, the FortiGate evaluates the Firewall Policies from top to bottom (as they appear in the CLI or GUI policy table) and stops on the first match. Only that first matching policy is applied to a connection; later policies that would also have matched are never considered. The policies must therefore be ordered from the most specific to the most general, and a broad "always" policy placed above a narrower scheduled one will silently shadow it.
Note that a Firewall Policy is inactive outside of its schedule and that the schedule is evaluated against the date/time configured on the FortiGate. The system clock and time zone (including NTP, if used) must therefore be correct: a wrong clock shifts every scheduled window without any error being reported.
Configuration example
In this example, it is assumed that all users are attached to the Internal interface and that the Internet access is attached to wan1.
Configuring the schedules.
Note:
If the stop time is set earlier than the start time, the stop time is considered to be on the next day. If the start time is equal to the stop time, the schedule runs for 24 hours. The day list is the day on which a window starts: the "late evening to early morning" schedule below therefore covers Monday 18:00 to Tuesday 08:00 through Friday 18:00 to Saturday 08:00, but not Sunday 18:00 to Monday 08:00. If Monday 00:00 to 08:00 must also be unrestricted, add sunday to that schedule's day list.
config firewall schedule recurring
edit "week-end"
set day sunday saturday
next
edit "lunch-time"
set day monday tuesday wednesday thursday friday
set end 14:00
set start 12:00
next
edit "late evening to early morning"
set day monday tuesday wednesday thursday friday
set end 08:00
set start 18:00
next
end
Configuring the IP addresses: the address objects Admin_PCs (the administrators' IP range), www.fortinet.com and my_business_web_site2 must exist under config firewall address before the policies below reference them, otherwise the policy configuration is rejected.
Configuring the firewall policies. They are entered in the order in which they must appear in the policy table (new policies are appended at the bottom), so the DNS policy 6 is created first and the restricted "always" policy 5 last:
config firewall policy
edit 6
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set comments "Required for DNS requests anytime"
set schedule "always"
set service "DNS"
set nat enable
next
edit 1
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set comments "week-end policy"
set schedule "week-end"
set service "ALL"
set nat enable
next
edit 2
set srcintf "internal"
set dstintf "wan1"
set srcaddr "Admin_PCs"
set dstaddr "all"
set action accept
set comments "Admin PCs no restriction"
set schedule "always"
set service "ALL"
set nat enable
next
edit 3
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set comments "lunch time policy"
set schedule "lunch-time"
set service "ALL"
set nat enable
next
edit 4
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set comments "late evening to early morning policy"
set schedule "late evening to early morning"
set service "ALL"
set nat enable
next
edit 5
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "www.fortinet.com" "my_business_web_site2"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end
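To check that the schedules and the policy order above really produce the intended behaviour before committing them on a production unit, the following added example (not code from this article or from Fortinet) models the evaluation described in this article: the policy table is walked top-down and the first match wins, recurring schedules with start equal to end run for 24 hours, and an end earlier than the start runs into the next day. The address values (an IP range for Admin_PCs and one resolved IP per FQDN object), the sample client and server IPs and the test dates are constructed for the example. It also shows the Monday 00:00 to 08:00 gap and the effect of adding sunday to the overnight schedule.

```python
# Added example (not code from the Fortinet article): a small model of how a
# FortiGate walks its policy table top-down with stop-on-match, including the
# recurring-schedule semantics quoted in the article (start == end means 24 h;
# end earlier than start runs into the next day). Address values are constructed.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address, ip_address

DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")
WEEKDAYS = frozenset(DAYS[:5])


def _minutes(hhmm: str) -> int:
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


@dataclass(frozen=True)
class Schedule:
    """A 'config firewall schedule recurring' entry; `days` is the day a window STARTS."""
    days: frozenset
    start: str = "00:00"
    end: str = "00:00"  # equal to start: the whole listed day

    def is_active(self, when: datetime) -> bool:
        now = when.hour * 60 + when.minute
        today = DAYS[when.weekday()]
        yesterday = DAYS[(when.weekday() - 1) % 7]
        start, end = _minutes(self.start), _minutes(self.end)
        if start == end:                       # 24-hour window on the listed days
            return today in self.days
        if start < end:                        # window inside one day
            return today in self.days and start <= now < end
        # overnight window: opens today at `start`, closes tomorrow at `end`
        return (today in self.days and now >= start) or (yesterday in self.days and now < end)


SCHEDULES = {
    "always": Schedule(frozenset(DAYS)),
    "week-end": Schedule(frozenset({"saturday", "sunday"})),
    "lunch-time": Schedule(WEEKDAYS, "12:00", "14:00"),
    "late evening to early morning": Schedule(WEEKDAYS, "18:00", "08:00"),
}

# Constructed address objects (the article does not give the real values): an IP
# range for Admin_PCs and one resolved IP per FQDN object. "all" matches anything.
ADDRESSES = {
    "all": None,
    "Admin_PCs": (ip_address("192.0.2.10"), ip_address("192.0.2.20")),
    "www.fortinet.com": (ip_address("198.51.100.10"), ip_address("198.51.100.10")),
    "my_business_web_site2": (ip_address("198.51.100.20"), ip_address("198.51.100.20")),
}


def _addr_matches(names, ip: IPv4Address) -> bool:
    return any(ADDRESSES[n] is None or ADDRESSES[n][0] <= ip <= ADDRESSES[n][1] for n in names)


def _service_matches(service: str, dport: int) -> bool:
    return service == "ALL" or (service == "DNS" and dport == 53)


@dataclass(frozen=True)
class Policy:
    policyid: int
    srcaddr: tuple
    dstaddr: tuple
    service: str
    schedule: str
    comment: str = ""


# The article's policies in TABLE order (the order the FortiGate evaluates them),
# which is not the same as policy-ID order.
POLICIES = [
    Policy(6, ("all",), ("all",), "DNS", "always", "Required for DNS requests anytime"),
    Policy(1, ("all",), ("all",), "ALL", "week-end", "week-end policy"),
    Policy(2, ("Admin_PCs",), ("all",), "ALL", "always", "Admin PCs no restriction"),
    Policy(3, ("all",), ("all",), "ALL", "lunch-time", "lunch time policy"),
    Policy(4, ("all",), ("all",), "ALL", "late evening to early morning", "late evening to early morning policy"),
    Policy(5, ("all",), ("www.fortinet.com", "my_business_web_site2"), "ALL", "always"),
]


def candidates(src: str, dst: str, dport: int, when: str, schedules=SCHEDULES):
    """Every policy that WOULD match, in table order (illustration of what is skipped)."""
    ip_src, ip_dst, t = ip_address(src), ip_address(dst), datetime.fromisoformat(when)
    return [p.policyid for p in POLICIES
            if _addr_matches(p.srcaddr, ip_src) and _addr_matches(p.dstaddr, ip_dst)
            and _service_matches(p.service, dport) and schedules[p.schedule].is_active(t)]


def decide(src: str, dst: str, dport: int, when: str, schedules=SCHEDULES):
    """What the FortiGate does: stop on the first match. None means implicit deny."""
    hits = candidates(src, dst, dport, when, schedules)
    return hits[0] if hits else None


def close_the_monday_gap(schedules=SCHEDULES):
    """Variant: also start the overnight window on Sunday so Monday 00:00-08:00 is covered."""
    fixed = dict(schedules)
    fixed["late evening to early morning"] = Schedule(WEEKDAYS | {"sunday"}, "18:00", "08:00")
    return fixed


if __name__ == "__main__":
    # 2024-01-10 is a Wednesday, 2024-01-15 a Monday; 10.0.0.5 is a normal user,
    # 192.0.2.15 an admin PC, 203.0.113.7 an arbitrary Internet host (all constructed).
    print("user -> Internet, Wed 13:00:", decide("10.0.0.5", "203.0.113.7", 443, "2024-01-10T13:00"))
    print("admin -> Internet, Wed 13:00, all matches:", candidates("192.0.2.15", "203.0.113.7", 443, "2024-01-10T13:00"))
    print("user -> Internet, Mon 03:00:", decide("10.0.0.5", "203.0.113.7", 443, "2024-01-15T03:00"))
    print("same, with sunday added:", decide("10.0.0.5", "203.0.113.7", 443, "2024-01-15T03:00", close_the_monday_gap()))
```

Running it shows a user at lunch time hitting policy 3, an admin PC at the same moment matching both 2 and 3 but being handled only by 2 (the first match), and a user on Monday at 03:00 falling through to the implicit deny until sunday is added to the overnight schedule. On a real unit the same verification is done with the policy lookup and flow debug commands referenced in the related articles below.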
The final GUI Firewall Policy screen is shown below.
Related articles
Technical Tip : Troubleshoot and verify if traffic is hitting a Firewall Policy
Technical Tip: Using multiple IP addresses or address groups to filter source or destination in a si...
Technical Tip : configuring a Firewall Policy with action = DENY to log unauthorized traffic, also c...