FortiADC
opetr_FTNT (Staff)
Article Id 192460
Description
This article provides examples of how the Firewall Policy feature can be used on the FortiADC-D.

Solution
The Firewall Policy feature on the FortiADC only takes effect when the ADC acts as a router, i.e. when it forwards traffic between its interfaces rather than terminating it on a virtual server.

Diagram

physical_server == (port2)FortiADC(port1) == Internet

GUI Configuration

The Firewall Policy configuration can be found in the GUI under Security > Firewall Policy.

[Screenshot: Security > Firewall Policy page]

For example, in the above scenario (see diagram), when physical_server has its default gateway set to the FortiADC, access can be limited to some server(s) and/or service(s) by creating a firewall rule with action Deny while the Default Action stays Accept.

[Screenshot: Firewall Policy with Default Action set to Accept]

[Screenshot: firewall rule denying physical_server access to the selected destination/service]

Or access can be allowed only to some server(s) and/or service(s) by creating a firewall rule with action Accept when the Default Action is set to Deny.

[Screenshot: Firewall Policy with Default Action set to Deny]

[Screenshot: firewall rule accepting physical_server access to the selected destination/service]

CLI Configuration

The same can be done through the CLI. The values in angle brackets are the names of address and service objects that must already exist (see Notes).

Access can be limited to some server(s) and/or service(s) by creating a Firewall rule:
config firewall policy
    set default-action accept
    config rule
        edit "firewall_rule"
            set in-interface port2
            set out-interface port1
            set source-address <physical_server>
            set destination-address <internet_address>
            set service <all_tcp>
            set action deny
        next
    end
end
Or access can be allowed only to some server(s) and/or service(s), when the Default Action is set to Deny:
config firewall policy
    set default-action deny
    config rule
        edit "firewall_rule"
            set in-interface port2
            set out-interface port1
            set source-address <physical_server>
            set destination-address <allowed_addresses>
            set service <port_80>
            set action accept
        next
    end
end
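To check what each of the two policies above actually does to traffic before committing it, the following added example (not FortiADC code, and not from the original article) models the policy as an ordered rule list with a default action and evaluates a few constructed flows through it. It assumes first-match rule evaluation, and the address and service objects (physical_server, internet_address, allowed_addresses, all_tcp, port_80) are given constructed values standing in for the Shared Resources objects. It covers only routed traffic; traffic to a virtual server is not subject to the policy, which this model does not represent.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address/service objects (assumption: these stand in for the
# System > Shared Resources objects the article says must be defined first).
ADDRESSES = {
    "physical_server": ip_network("10.0.0.10/32"),
    "internet_address": ip_network("0.0.0.0/0"),
    "allowed_addresses": ip_network("203.0.113.0/24"),
}
SERVICES = {  # name -> (protocol, port_min, port_max)
    "all_tcp": ("tcp", 1, 65535),
    "port_80": ("tcp", 80, 80),
}


@dataclass(frozen=True)
class Flow:
    in_interface: str
    out_interface: str
    src: str
    dst: str
    protocol: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    in_interface: str
    out_interface: str
    source_address: str       # key into ADDRESSES
    destination_address: str  # key into ADDRESSES
    service: str              # key into SERVICES
    action: str               # "accept" or "deny"

    def matches(self, flow: Flow) -> bool:
        proto, lo, hi = SERVICES[self.service]
        return (
            flow.in_interface == self.in_interface
            and flow.out_interface == self.out_interface
            and ip_address(flow.src) in ADDRESSES[self.source_address]
            and ip_address(flow.dst) in ADDRESSES[self.destination_address]
            and flow.protocol == proto
            and lo <= flow.dport <= hi
        )


@dataclass
class FirewallPolicy:
    default_action: str
    rules: list  # assumption: evaluated top-down, first match wins

    def evaluate(self, flow: Flow) -> tuple:
        """Return (action, name of the rule that decided, or 'default-action')."""
        for rule in self.rules:
            if rule.matches(flow):
                return rule.action, rule.name
        return self.default_action, "default-action"


# The two configurations from the article, as data.
BLOCKLIST_POLICY = FirewallPolicy("accept", [
    Rule("firewall_rule", "port2", "port1",
         "physical_server", "internet_address", "all_tcp", "deny"),
])
ALLOWLIST_POLICY = FirewallPolicy("deny", [
    Rule("firewall_rule", "port2", "port1",
         "physical_server", "allowed_addresses", "port_80", "accept"),
])

# Constructed sample flows from physical_server (port2) towards the Internet (port1).
SAMPLE_FLOWS = {
    "https_to_allowed": Flow("port2", "port1", "10.0.0.10", "203.0.113.10", "tcp", 443),
    "http_to_allowed": Flow("port2", "port1", "10.0.0.10", "203.0.113.10", "tcp", 80),
    "dns_to_resolver": Flow("port2", "port1", "10.0.0.10", "198.51.100.53", "udp", 53),
}


def decisions(policy: FirewallPolicy) -> dict:
    """Map each sample flow name to the action the policy takes on it."""
    return {name: policy.evaluate(flow)[0] for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, policy in (("default accept + deny rule", BLOCKLIST_POLICY),
                          ("default deny + accept rule", ALLOWLIST_POLICY)):
        print(label)
        for name, flow in SAMPLE_FLOWS.items():
            action, decided_by = policy.evaluate(flow)
            print(f"  {name:18s} {flow.protocol}/{flow.dport:<5} -> {action} ({decided_by})")
```

Running it shows the trade-off between the two configurations: with the default-accept policy the deny rule stops all TCP from physical_server but leaves UDP (here DNS) untouched, while with the default-deny policy only TCP/80 to allowed_addresses gets through and everything else, DNS included, is dropped by the default action. When switching a policy to Default Action Deny, enumerate the services the server legitimately needs and add an accept rule for each before applying it.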
Notes

(1) This feature cannot be used to restrict access to virtual servers; such a setup is not supported.

(2) Prior to creating the rules, the firewall addresses and services need to be defined. This can be done in the GUI under:

* System > Shared Resources > Address
* System > Shared Resources > Service

Or through the CLI under the 'config firewall' context:
FAD # config firewall
 address        firewall address
 address6       firewall IPv6 address
 connlimit      firewall connection limit
 connlimit6     firewall IPv6 connection limit
 nat-snat       snat
 policy         firewall policy
 policy6        firewall IPv6 policy
 qos-filter     QoS filter
 qos-filter6    QoS IPv6 filter
 qos-queue      QoS queue
 service        firewall service
 vip            virtual IP
More details can be found in the CLI Reference Guide for FortiADC D Series in the Fortinet Document Library.
