FortiGate
rmetzger, Staff
Article Id 191224

Description
This article describes an example of Firewall Policy rules where the Administrator needs to:

  1. On weekdays, allow all users to fully access the Internet during lunchtime and after business hours.
  2. Allow full access to the Internet without any restriction for users from a specific IP range, called Admin_PCs.
  3. During business hours, allow only access to www.fortinet.com and <my_business_web_site2> for the other users.
  4. No restriction during the weekend.

Additional information about Firewall Policy can be found in the FortiGate Administration guide of each release. See also the related articles at the end of this page.
Solution

Reminder about Firewall Policy order
 
For a given pair of interfaces, the FortiGate evaluates the Firewall Policies from top to bottom (in the order they appear on the CLI or GUI) and stops at the first match. Policies must therefore be ordered from the most specific to the most general: only the first matching policy is applied to a connection, and any later policy that would also have matched is never considered.
 
It should be noted that a Firewall Policy is inactive outside of its schedule, and that the schedule relies on the date/time configured on the FortiGate.
 
Configuration example
 
In this example it is assumed that all users are attached to the Internal interface and that the Internet is reached through wan1.

1. Configuring the schedules

Note: If the stop time is set earlier than the start time, the stop time will be considered as being during the next day. If the start time is equal to the stop time, the schedule will run for 24 hours.

config firewall schedule recurring
    edit "week-end"
        set day sunday saturday
    next
    edit "lunch-time"
        set day monday tuesday wednesday thursday friday
        set end 14:00
        set start 12:00
    next
    edit "late evening to early morning"
        set day monday tuesday wednesday thursday friday
        set end 08:00
        set start 18:00
    next
end


2. Configuring the IP addresses

config firewall address
    edit "Admin_PCs"
        set type iprange
        set end-ip 192.168.1.254
        set start-ip 192.168.1.200
    next
    edit "www.fortinet.com"
        set type fqdn
        set fqdn "www.fortinet.com"
    next
    edit "my_business_web_site2"
        set type fqdn
        set fqdn "www.my_business_web_site2.com"
    next
end


3. Configuring the firewall policies

config firewall policy
    edit 6
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set comments "Required for DNS requests anytime"
        set schedule "always"
        set service "DNS"
        set nat enable
    next
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set comments "week-end policy"
        set schedule "week-end"
        set service "ANY"
        set nat enable
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Admin_PCs"
        set dstaddr "all"
        set action accept
        set comments "Admin PCs no restriction"
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set comments "lunch time policy"
        set schedule "lunch-time"
        set service "ANY"
        set nat enable
    next
    edit 4
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set comments "late evening to early morning policy"
        set schedule "late evening to early morning"
        set service "ANY"
        set nat enable
    next
    edit 5
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "www.fortinet.com" "my_business_web_site2"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end
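To check that the policy order above produces the intended behaviour, the following Python script (an added example, not part of this article or of FortiOS) models the three recurring schedules, the address objects and the policy table, and walks the table top to bottom with stop-on-match. The schedule logic follows the Note in step 1 (a stop time earlier than the start time runs into the next day, equal start and stop times run for 24 hours); FQDN objects are matched on the hostname string, and the date/time is passed as an ISO 8601 string.

```python
from datetime import datetime
from ipaddress import ip_address
DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
WEEKDAYS = set(DAYS[:5])
# Recurring schedules from the article as (days, start, stop); 00:00-00:00 is the FortiOS 24-hour default.
SCHEDULES = {
    "week-end": ({"saturday", "sunday"}, "00:00", "00:00"),
    "lunch-time": (WEEKDAYS, "12:00", "14:00"),
    "late evening to early morning": (WEEKDAYS, "18:00", "08:00"),
}
ADDRESSES = {
    "Admin_PCs": ("192.168.1.200", "192.168.1.254"),
    "www.fortinet.com": "www.fortinet.com",
    "my_business_web_site2": "www.my_business_web_site2.com",
}
# (id, srcaddr, dstaddr, schedule, service) in the order the FortiGate walks them (CLI order, ID 6 first).
POLICIES = [
    (6, ["all"], ["all"], "always", "DNS"),
    (1, ["all"], ["all"], "week-end", "ANY"),
    (2, ["Admin_PCs"], ["all"], "always", "ANY"),
    (3, ["all"], ["all"], "lunch-time", "ANY"),
    (4, ["all"], ["all"], "late evening to early morning", "ANY"),
    (5, ["all"], ["www.fortinet.com", "my_business_web_site2"], "always", "ANY"),
]

def schedule_active(name, when_iso):
    """Recurring schedule check: stop < start wraps into the next day, stop == start runs 24 hours."""
    days, start, stop = SCHEDULES[name]
    when = datetime.fromisoformat(when_iso)
    today, yesterday, now = DAYS[when.weekday()], DAYS[when.weekday() - 1], when.strftime("%H:%M")
    if start == stop:                                  # 24-hour schedule on each listed day
        return today in days
    if start < stop:                                   # window inside one day, stop exclusive
        return today in days and start <= now < stop
    return (today in days and now >= start) or (yesterday in days and now < stop)

def addr_match(names, value):
    """'all' matches anything; an iprange bounds a source IP, an fqdn compares the destination hostname."""
    def hit(obj):
        if isinstance(obj, tuple):
            return ip_address(obj[0]) <= ip_address(value) <= ip_address(obj[1])
        return obj == value
    return "all" in names or any(hit(ADDRESSES[n]) for n in names)

def first_match(src_ip, dst_host, service, when_iso):
    """Top-to-bottom, stop-on-match walk of the table; None means the implicit deny applies."""
    for pid, srcs, dsts, sched, svc in POLICIES:
        if (svc in ("ANY", service) and addr_match(srcs, src_ip) and addr_match(dsts, dst_host)
                and (sched == "always" or schedule_active(sched, when_iso))):
            return pid
    return None
```

One consequence of the wrap rule worth knowing: early Monday morning (for example 02:00) is outside the weekday "late evening to early morning" window because Sunday is not a listed day, so a non-admin user at that time matches no policy and is implicitly denied.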



The final GUI Firewall Policy screen is shown below.

[Screenshot: final GUI Firewall Policy screen]

Related Articles

Technical Tip: Troubleshoot and verify if traffic is hitting a Firewall Policy

Technical Tip: Using multiple IP addresses or address groups to filter source or destination in a si...

Technical Tip: configuring a Firewall Policy with action = DENY to log unauthorized traffic, also c...
