NAT/Route mode installation

Firewall policy example


Firewall policies control how traffic flows through the FortiGate unit. Once routing for multiple internet connections has been configured you must create firewall policies to control which traffic is allowed through the FortiGate unit and the interfaces through which this traffic can connect.

For traffic originating on the Internal network to be able to connect to the Internet through both Internet connections, you must add redundant policies from the internal interface to each interface that connects to the Internet. Once these policies have been added, the routing configuration controls which internet connection is actually used.

Adding a redundant default policy

Figure 8 on page 50 shows a FortiGate unit connected to the Internet using its internal and DMZ interfaces. The default policy allows all traffic from the internal network to connect to the Internet through the external interface. If you add a similar policy to the internal to DMZ policy list, this policy will allow all traffic from the internal network to connect to the Internet through the DMZ interface. With both of these policies added to the firewall configuration, the routing configuration will determine which Internet connection the traffic from the internal network actually uses. For more information about the default policy, see “Default firewall configuration” on page 142.

To add a redundant default policy

1 Go to Firewall > Policy > Int->DMZ.

2 Select New.

3 Configure the policy to match the default policy.

Source: Internal_All
Destination: DMZ_All
Schedule: Always
Service: ANY
Action: Accept
NAT: Select NAT.

4 Select OK to save your changes.

Adding more firewall policies

In most cases your firewall configuration includes more than just the default policy. However, the basic premise of creating redundant policies applies even as the firewall configuration becomes more complex. To configure the FortiGate unit to use multiple Internet connections you must add duplicate policies for connections between the internal network and both interfaces connected to the Internet. As well, as you add redundant policies, you must arrange them in both policy lists in the same order.
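The two requirements above (a counterpart policy in the second list for every policy in the first, and the same order in both lists) are easy to get wrong as the policy lists grow. The following Python script is an added example, not part of the Fortinet guide: it compares an Int->Ext list against an Int->DMZ list on the fields the guide says must match (source, schedule, service, action, NAT), treating only the destination address as expected to differ. The Policy class and the sample lists are constructed for illustration.

```python
"""Consistency check for redundant FortiGate policy lists (added example,
not from the guide). Each policy in the primary list (Int->Ext) must have a
counterpart at the same position in the secondary list (Int->DMZ) with the
same source, schedule, service, action and NAT setting; only the destination
address differs (External_All vs DMZ_All). Policies here are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    source: str
    destination: str
    schedule: str
    service: str
    action: str
    nat: bool

    def key(self):
        # Fields that must be identical across the two redundant lists.
        return (self.source, self.schedule, self.service, self.action, self.nat)


def check_redundant_lists(primary, secondary, secondary_dst):
    """Return a list of problems; an empty list means the lists are redundant.

    primary:       ordered policies from the Int->Ext list
    secondary:     ordered policies from the Int->DMZ list
    secondary_dst: address every secondary policy must use, e.g. "DMZ_All"
    """
    problems = []
    if len(primary) != len(secondary):
        problems.append(f"list length differs: {len(primary)} vs {len(secondary)}")
    # Compare position by position, since order decides which policy matches first.
    for i, (p, s) in enumerate(zip(primary, secondary), start=1):
        if p.key() != s.key():
            problems.append(f"position {i}: {p.key()} vs {s.key()}")
        if s.destination != secondary_dst:
            problems.append(f"position {i}: destination {s.destination!r}, expected {secondary_dst!r}")
    # Primary policies beyond the end of the secondary list have no counterpart.
    for i, p in enumerate(primary[len(secondary):], start=len(secondary) + 1):
        problems.append(f"position {i}: no redundant policy for {p.key()}")
    return problems


# Constructed sample: an HTTP-only policy followed by the default policy.
INT_EXT = [
    Policy("Internal_All", "External_All", "Always", "HTTP", "Accept", True),
    Policy("Internal_All", "External_All", "Always", "ANY", "Accept", True),
]
# Wrong: order swapped and NAT not selected on the default policy.
INT_DMZ_BAD = [
    Policy("Internal_All", "DMZ_All", "Always", "ANY", "Accept", False),
    Policy("Internal_All", "DMZ_All", "Always", "HTTP", "Accept", True),
]
# Correct: same order, same settings, only the destination address differs.
INT_DMZ_GOOD = [
    Policy("Internal_All", "DMZ_All", "Always", "HTTP", "Accept", True),
    Policy("Internal_All", "DMZ_All", "Always", "ANY", "Accept", True),
]

if __name__ == "__main__":
    for name, lst in (("bad", INT_DMZ_BAD), ("good", INT_DMZ_GOOD)):
        print(name, check_redundant_lists(INT_EXT, lst, "DMZ_All") or "OK")
```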

FortiGate-100 Installation and Configuration Guide

55