Chapter 7. Security
7.3 VLAN and Security Profile
Learning Objectives
- Configure VLANs in FortiGate firewall
- Configure a Security Policy for VLANs
Scenario: In this lab, we are going to learn how to set up VLANs on Port2 of the firewall. WebTerm1 belongs to Vlan10 and WebTerm2 belongs to Vlan20. We will set a different policy on each VLAN and then verify the configuration.
| Device | IP address | Access |
|---|---|---|
| FortiGate | Port 1: DHCP Client; Port 2: Vlan 10: 192.168.10.1/24, Vlan 20: 192.168.20.1/24 | ICMP-HTTP-HTTPS |
| WebTerm1 | DHCP Client | – |
| WebTerm2 | DHCP Client | – |
- Configure the switch. Right-click on the Switch > Configure, and configure eth0, eth1, and eth2 as in Table 7.3:

Table 7.3: Switch configuration

| Port | VLAN | Type |
|---|---|---|
| 0 | 1 | Dot1q |
| 1 | 10 | Access |
| 2 | 20 | Access |

- You should create two sub-interfaces on port2 of the firewall.
- Block YouTube and Social Media on Vlan 20:
  - Create an application control profile as in Figure 7.27.
  - Create a Firewall Policy from Vlan 20 to Port1 and assign the application control profile to it.
  - Verify your configuration by visiting Twitter.com or YouTube.com.
- Filter .zip and .pdf files on Vlan 10:
  - Create a File Filter profile. File filter only works on unencrypted protocols. Set the traffic direction to both, and finally set the action to block.
  - Make sure the feature set is flow-based.
  - Create a Firewall Policy from vlan10 to port1, set the inspection mode to Proxy-based, and assign the profile you created to File Filter.
  - Verify your configuration by downloading a zip or pdf file from an HTTP website.