{"id":243,"date":"2022-04-07T14:39:29","date_gmt":"2022-04-07T18:39:29","guid":{"rendered":"https:\/\/opentextbc.ca\/fortigatefirewall\/chapter\/vlan-and-security-profile\/"},"modified":"2023-08-29T16:27:18","modified_gmt":"2023-08-29T20:27:18","slug":"vlan-and-security-profile","status":"publish","type":"chapter","link":"https:\/\/opentextbc.ca\/fortigatefirewall\/chapter\/vlan-and-security-profile\/","title":{"raw":"7.3 VLAN and Security Profile","rendered":"7.3 VLAN and Security Profile"},"content":{"raw":"
\n

Learning Objectives<\/p>\n\n<\/header>\n

\n
    \n \t
  • Configure VLANs in FortiGate firewall<\/li>\n \t
  • Configure a Security Policy for VLANs<\/li>\n<\/ul>\n<\/div>\n<\/div>\n
    Scenario<\/strong>: In this lab, we are going to learn how to set VLAN on Port2 of the firewall. WebTerm1 is belong to Vlan10 and WebTerm2 is belong to Vlan20. We will set different policies on each VLAN and try to verify configuration.<\/div>\n\n[caption id=\"attachment_231\" align=\"aligncenter\" width=\"1106\"]\"Vlan Figure 7.22: Main scenario[\/caption]\n\n
    \n\n\n\n\n\n
    Table 7.2: Devices configuration<\/caption>\n
    Device<\/th>\nIP address<\/th>\nAccess<\/th>\n<\/tr>\n
    FortiGate<\/td>\nPort 1: DHCP Client\n\nPort 2:\n\nVlan 10: 192.168.10.1\/24\n\nVlan 20: 192.168.20.1\/24<\/td>\nICMP-HTTP-HTTPS<\/td>\n<\/tr>\n
    WebTerm1<\/td>\nDHCP Client<\/td>\n-<\/td>\n<\/tr>\n
    WebTerm2<\/td>\nDHCP Client<\/td>\n-<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
      \n \t
    1. Configure switches. Right-click on the Switch<\/strong> > Configure<\/strong>, configure eth0, eth1, and eth2 as Table 7.3:\n
      \n\n\n\n\n\n
      Table 7.3: Switch configuration<\/caption>\n
      Port<\/th>\nVLAN<\/th>\nType<\/th>\n<\/tr>\n
      0<\/td>\n1<\/td>\nDot1q<\/td>\n<\/tr>\n
      1<\/td>\n10<\/td>\nAccess<\/td>\n<\/tr>\n
      2<\/td>\n20<\/td>\nAccess<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\n[caption id=\"attachment_232\" align=\"aligncenter\" width=\"400\"]\"Switch Figure 7.23: Switch configuration[\/caption]<\/li>\n \t
    2. You should create two sub-interfaces on port2 of the firewall.\n\n[caption id=\"attachment_235\" align=\"aligncenter\" width=\"1151\"]\"Vlan10 Figure 7.24: Vlan10 Configuration[\/caption]\n\n[caption id=\"attachment_235\" align=\"aligncenter\" width=\"1190\"]\"Vlan20 Figure 7.25: Vlan20 Configuration[\/caption]\n\n[caption id=\"attachment_235\" align=\"aligncenter\" width=\"1054\"]\"Vlan10 Figure 7.26: Vlan10 and Vlan20 IP addresses[\/caption]<\/li>\n \t
    3. Block YouTube and Social Media on Vlan 20:\n
        \n \t
      1. Create an application profile as Figure 7.27.\n\n[caption id=\"attachment_236\" align=\"aligncenter\" width=\"863\"]\"Block Figure 7.27: Block Social.Media and Video\/Audio[\/caption]<\/li>\n \t
      2. Configure Firewall Policy from Vlan 20 to Port1 and assign application control to the Firewall Policy.\n\n[caption id=\"attachment_237\" align=\"aligncenter\" width=\"1200\"]\"Vlan20 Figure 7.28: Create vlan20 Firewall Policy and assign Application Control Profile[\/caption]<\/li>\n \t
      3. Verify your configuration by visiting Twitter.com or YouTube.com.\n\n[caption id=\"attachment_238\" align=\"aligncenter\" width=\"400\"]\"Verify Figure 7.29: Verify configuration[\/caption]<\/li>\n<\/ol>\n<\/li>\n \t
      4. Filter .zip, .pdf files on Vlan 10:\n
          \n \t
        1. Create a File filtezr profile. File filter only works on the unencrypted protocol. Set traffic for both and finally set the action to block.\n\n[caption id=\"attachment_239\" align=\"aligncenter\" width=\"1234\"]\"Block Figure 7.30: Block PDF and ZIP files[\/caption]<\/li>\n \t
        2. Make sure to set the feature set as flow-based.\n\n[caption id=\"attachment_240\" align=\"aligncenter\" width=\"400\"]\"Block Figure 7.31: Block profile[\/caption]<\/li>\n \t
        3. Create a Firewall Policy in the firewall from vlan10 to port1, inspection mode should be Proxy-based, and assign the profile you have created to File Filter.\n\n[caption id=\"attachment_241\" align=\"aligncenter\" width=\"1027\"]\"Vlan10 Figure 7.32: Create vlan10 Firewall Policy and assign File Filter Profile[\/caption]<\/li>\n \t
        4. Verify your configuration by downloading a zip or pdf file from HTTP websites.\n\n[caption id=\"attachment_242\" align=\"aligncenter\" width=\"450\"]\"Verify Figure 7.33: Verify configuration[\/caption]<\/li>\n<\/ol>\n<\/li>\n<\/ol>","rendered":"
          \n
          \n

          Learning Objectives<\/p>\n<\/header>\n

          \n
            \n
          • Configure VLANs in FortiGate firewall<\/li>\n
          • Configure a Security Policy for VLANs<\/li>\n<\/ul>\n<\/div>\n<\/div>\n
            Scenario<\/strong>: In this lab, we are going to learn how to set VLAN on Port2 of the firewall. WebTerm1 is belong to Vlan10 and WebTerm2 is belong to Vlan20. We will set different policies on each VLAN and try to verify configuration.<\/div>\n
            \"Vlan
            Figure 7.22: Main scenario<\/figcaption><\/figure>\n
            \n\n\n\n\n\n\n
            Table 7.2: Devices configuration<\/caption>\n
            Device<\/th>\nIP address<\/th>\nAccess<\/th>\n<\/tr>\n
            FortiGate<\/td>\nPort 1: DHCP Client<\/p>\n

            Port 2:<\/p>\n

            Vlan 10: 192.168.10.1\/24<\/p>\n

            Vlan 20: 192.168.20.1\/24<\/td>\n

            		ICMP-HTTP-HTTPS<\/td>\n<\/tr>\n
            WebTerm1<\/td>\nDHCP Client<\/td>\n–<\/td>\n<\/tr>\n
            WebTerm2<\/td>\nDHCP Client<\/td>\n–<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
              \n
            1. Configure switches. Right-click on the Switch<\/strong> > Configure<\/strong>, configure eth0, eth1, and eth2 as Table 7.3:\n
              \n\n\n\n\n\n\n
              Table 7.3: Switch configuration<\/caption>\n
              Port<\/th>\nVLAN<\/th>\nType<\/th>\n<\/tr>\n
              0<\/td>\n1<\/td>\nDot1q<\/td>\n<\/tr>\n
              1<\/td>\n10<\/td>\nAccess<\/td>\n<\/tr>\n
              2<\/td>\n20<\/td>\nAccess<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
              \"Switch
              Figure 7.23: Switch configuration<\/figcaption><\/figure>\n<\/li>\n
            2. You should create two sub-interfaces on port2 of the firewall.
              \n
              \"Vlan10
              Figure 7.24: Vlan10 Configuration<\/figcaption><\/figure>\n
              \"Vlan20
              Figure 7.25: Vlan20 Configuration<\/figcaption><\/figure>\n
              \"Vlan10
              Figure 7.26: Vlan10 and Vlan20 IP addresses<\/figcaption><\/figure>\n<\/li>\n
            3. Block YouTube and Social Media on Vlan 20:\n
                \n
              1. Create an application profile as Figure 7.27.
                \n
                \"Block
                Figure 7.27: Block Social.Media and Video\/Audio<\/figcaption><\/figure>\n<\/li>\n
              2. Configure Firewall Policy from Vlan 20 to Port1 and assign application control to the Firewall Policy.
                \n
                \"Vlan20
                Figure 7.28: Create vlan20 Firewall Policy and assign Application Control Profile<\/figcaption><\/figure>\n<\/li>\n
              3. Verify your configuration by visiting Twitter.com or YouTube.com.
                \n
                \"Verify
                Figure 7.29: Verify configuration<\/figcaption><\/figure>\n<\/li>\n<\/ol>\n<\/li>\n
              4. Filter .zip, .pdf files on Vlan 10:\n
                  \n
                1. Create a File filtezr profile. File filter only works on the unencrypted protocol. Set traffic for both and finally set the action to block.
                  \n
                  \"Block
                  Figure 7.30: Block PDF and ZIP files<\/figcaption><\/figure>\n<\/li>\n
                2. Make sure to set the feature set as flow-based.
                  \n
                  \"Block
                  Figure 7.31: Block profile<\/figcaption><\/figure>\n<\/li>\n
                3. Create a Firewall Policy in the firewall from vlan10 to port1, inspection mode should be Proxy-based, and assign the profile you have created to File Filter.
                  \n
                  \"Vlan10
                  Figure 7.32: Create vlan10 Firewall Policy and assign File Filter Profile<\/figcaption><\/figure>\n<\/li>\n
                4. Verify your configuration by downloading a zip or pdf file from HTTP websites.
                  \n
                  \"Verify
                  Figure 7.33: Verify configuration<\/figcaption><\/figure>\n<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n","protected":false},"author":124,"menu_order":3,"template":"","meta":{"pb_show_title":"on","pb_short_title":"","pb_subtitle":"","pb_authors":[],"pb_section_license":""},"chapter-type":[],"contributor":[],"license":[],"class_list":["post-243","chapter","type-chapter","status-publish","hentry"],"part":206,"_links":{"self":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters\/243","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters"}],"about":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/wp\/v2\/types\/chapter"}],"author":[{"embeddable":true,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/wp\/v2\/users\/124"}],"version-history":[{"count":1,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters\/243\/revisions"}],"predecessor-version":[{"id":244,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters\/243\/revisions\/244"}],"part":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/parts\/206"}],"metadata":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters\/243\/metadata\/"}],"wp:attachment":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/wp\/v2\/media?parent=243"}],"wp:term":[{"taxonomy":"chapter-type","embeddable":true,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapter-type?post=243"},{"taxonomy":"contributor","embeddable":true,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/wp\/v2\/contributor?post=243"},{"taxonomy":"license","embeddable":true,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/wp\/v2\/license?post=243"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}