{"id":54,"date":"2022-03-09T23:08:49","date_gmt":"2022-03-10T04:08:49","guid":{"rendered":"https:\/\/opentextbc.ca\/fortigatefirewall\/chapter\/security-policy\/"},"modified":"2023-08-29T16:26:11","modified_gmt":"2023-08-29T20:26:11","slug":"security-policy","status":"publish","type":"chapter","link":"https:\/\/opentextbc.ca\/fortigatefirewall\/chapter\/security-policy\/","title":{"raw":"2.1 Security Policy","rendered":"2.1 Security Policy"},"content":{"raw":"
\n

Learning Objectives<\/p>\n\n<\/header>\n

\n
    \n \t
  • Create a Security Policy in FortiGate<\/li>\n \t
  • Reorder Firewall Policies and Firewall Policy Actions<\/li>\n<\/ul>\n<\/div>\n<\/div>\n
    Scenario<\/strong>: We are going to allow traffic from the local network to the Internet. We will set Security Policy that allows the traffic from Port 2 to Port 3. Then, WebTerm1 will be able to reach the Internet.<\/div>\n

    Security Policy<\/h2>\n[caption id=\"attachment_53\" align=\"aligncenter\" width=\"931\"]\"Security Figure 2.1: Main scenario[\/caption]\n\n \n
    \n\n\n\n\n
    Table 2.1: Devices configuration<\/caption>\n
    Device<\/th>\nConfiguration<\/th>\n<\/tr>\n
    FortiGate<\/td>\nPort 2: DHCP Server\n\nPort 3: DHCP Client<\/td>\n<\/tr>\n
    \u00a0WebTerm<\/td>\nDHCP Client<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\nConfiguration of port1 of the firewall in CLI is as follows:\n\n[caption id=\"attachment_53\" align=\"aligncenter\" width=\"578\"]\"Configuration Figure 2.2: Configuration of port1[\/caption]\n
      \n \t
    1. Open the browser in WebTerm2 and type https:\/\/192.168.0.1. You should be able to access the firewall.\n\n[caption id=\"attachment_40\" align=\"aligncenter\" width=\"400\"]\"Login Figure 2.3: Log in to the FortiGate[\/caption]<\/li>\n \t
    2. Go to Network<\/strong> > Interfaces<\/strong> > Port2<\/strong>, set the interface IP address as 192.168.1.1\/24<\/strong> and configure DHCP server on interface port2 (Range of IP addresses should be: 192.168.1.20 to 192.168.1.30, DNS: 4.2.2.4) and Enable Device Detection<\/strong> under Port2.\n\n[caption id=\"attachment_41\" align=\"aligncenter\" width=\"1150\"]\"Enable Figure 2.4: Enable DHCP Server[\/caption]<\/li>\n \t
    3. Set a port3 as a DHCP client and enable Device Detection<\/strong> under Port3.\n\n[caption id=\"attachment_42\" align=\"aligncenter\" width=\"914\"]\" Figure 2.5: Enable DHCP Client[\/caption]<\/li>\n \t
    4. Set a Static route in the firewall to reach the NAT object. Go to Network > Static Route > Create a new<\/strong>.\n\n[caption id=\"attachment_43\" align=\"aligncenter\" width=\"400\"]\"Configure Figure 2.6: Configure a static route[\/caption]<\/li>\n \t
    5. Go to Policy & Objects > Firewall Policy<\/strong> section, click Create New<\/strong> to add a new firewall policy, and configure the following settings:\n
        \n \t
      • Name: LocalToInternet<\/strong><\/li>\n \t
      • From inside<\/strong> to outside (port2 to port3)<\/strong><\/li>\n \t
      • Source: Create an address for local network (Subnet: 192.168.1.0\/24)<\/strong><\/li>\n \t
      • Destination: all<\/strong><\/li>\n \t
      • Schedule: Always<\/strong><\/li>\n \t
      • Service: Only HTTP, HTTPS, DNS, Ping<\/strong><\/li>\n \t
      • Action: Accept<\/strong><\/li>\n<\/ul>\n[caption id=\"attachment_45\" align=\"aligncenter\" width=\"400\"]\"set Figure 2.7: Set local subnet[\/caption]\n\n[caption id=\"attachment_45\" align=\"aligncenter\" width=\"500\"]\"Set Figure 2.8: Set firewall policy[\/caption]<\/li>\n \t
      • Go to WebTerm1<\/strong>, Set interface as DHCP and then open the browser, you should be able to access the internet.\n\n[caption id=\"attachment_47\" align=\"aligncenter\" width=\"1053\"]\"Enable Figure 2.9: Enable DHCP Client on WebTerm1[\/caption]\n\n[caption id=\"attachment_47\" align=\"aligncenter\" width=\"500\"]\"Verify Figure 2.10: Verify your configuration by testing Google.com[\/caption]<\/li>\n<\/ol>\n

        Verify Your Configuration<\/h2>\n
          \n \t
        • Go to Dashboard <\/strong>> FortiView Sessions<\/strong>. You should be able to see the traffic.<\/li>\n<\/ul>\n[caption id=\"attachment_53\" align=\"aligncenter\" width=\"1270\"]\" Figure 2.11: FortiView Sessions[\/caption]\n
            \n \t
          • \u00a0Go to Firewall Policy and on the right side of the screen, you should be able to see Hit count.<\/strong><\/li>\n<\/ul>\n[caption id=\"attachment_53\" align=\"aligncenter\" width=\"1261\"]\"Hit Figure 2.12: Hit count in the Firewall Policy[\/caption]\n
              \n \t
            • Go to Dashboard<\/strong> > Users & Devices<\/strong> > Device Inventory<\/strong> and verify the IP and Mac address of the device.<\/li>\n<\/ul>\n[caption id=\"attachment_53\" align=\"aligncenter\" width=\"1268\"]\"Device Figure 2.13: Device Inventory[\/caption]\n

              Reordering Firewall Policies and Firewall Policy Actions<\/h2>\nFortiGate will look for a matching policy, beginning at the top. Usually, you should put more specific policies at the top; otherwise, more general policies will match the traffic first, and your more granular policies will never be applied.\n\nYou will create a new firewall policy with more specific settings such as source, destination, service, and action set to DENY<\/strong>. Then, you will move this firewall policy above the existing firewall policies and observe the behaviour of firewall policy reordering.\n

              Create a firewall policy<\/h3>\nYou will create a new firewall policy to match a specific source, destination, service, and action set to DENY<\/strong>.\n\n\n\n\n\n\n\n\n\n\n\n\n
              Table 2.2: Firewall policy configuration<\/caption>\n
              Field<\/th>\nValue<\/th>\n<\/tr>\n
              Name<\/td>\nBlock_Ping<\/td>\n<\/tr>\n
              Incoming Interface<\/td>\nPort2<\/td>\n<\/tr>\n
              Outgoing Interface<\/td>\nPort3<\/td>\n<\/tr>\n
              Source<\/td>\nLOCAL_SUBNET<\/td>\n<\/tr>\n
              Destination<\/td>\nAll<\/td>\n<\/tr>\n
              Schedule<\/td>\nAlways<\/td>\n<\/tr>\n
              Service<\/td>\nPING<\/td>\n<\/tr>\n
              Action<\/td>\nDENY<\/td>\n<\/tr>\n
              Log Violation Traffic<\/td>\n<enable><\/td>\n<\/tr>\n
              Enable this policy<\/td>\n<enable><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n[caption id=\"attachment_53\" align=\"aligncenter\" width=\"500\"]\"Set Figure 2.14: Set firewall policy to block ping[\/caption]\n\nClick OK<\/strong> to save the changes. Add this policy on top of the previous policy.\n\n[caption id=\"attachment_53\" align=\"aligncenter\" width=\"984\"]\"Priority Figure 2.15: Priority of Block_Ping should be higher than LocalToInternet[\/caption]\n\nGo to Webterm1<\/strong> and ping 4.2.2.4<\/strong>. You shouldn't be able to ping!\n\n[caption id=\"attachment_53\" align=\"aligncenter\" width=\"1249\"]\"Webterm1 Figure 2.16: Verify ping in the WebTerm1[\/caption]","rendered":"
              \n
              \n

              Learning Objectives<\/p>\n<\/header>\n

              \n
                \n
              • Create a Security Policy in FortiGate<\/li>\n
              • Reorder Firewall Policies and Firewall Policy Actions<\/li>\n<\/ul>\n<\/div>\n<\/div>\n
                Scenario<\/strong>: We are going to allow traffic from the local network to the Internet. We will set Security Policy that allows the traffic from Port 2 to Port 3. Then, WebTerm1 will be able to reach the Internet.<\/div>\n

                Security Policy<\/h2>\n
                \"Security
                Figure 2.1: Main scenario<\/figcaption><\/figure>\n

                 <\/p>\n

                \n\n\n\n\n\n
                Table 2.1: Devices configuration<\/caption>\n
                Device<\/th>\nConfiguration<\/th>\n<\/tr>\n
                FortiGate<\/td>\nPort 2: DHCP Server<\/p>\n

                Port 3: DHCP Client<\/td>\n<\/tr>\n

                \u00a0WebTerm<\/td>\nDHCP Client<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

                Configuration of port1 of the firewall in CLI is as follows:<\/p>\n

                \"Configuration
                Figure 2.2: Configuration of port1<\/figcaption><\/figure>\n
                  \n
                1. Open the browser in WebTerm2 and type https:\/\/192.168.0.1. You should be able to access the firewall.
                  \n
                  \"Login
                  Figure 2.3: Log in to the FortiGate<\/figcaption><\/figure>\n<\/li>\n
                2. Go to Network<\/strong> > Interfaces<\/strong> > Port2<\/strong>, set the interface IP address as 192.168.1.1\/24<\/strong> and configure DHCP server on interface port2 (Range of IP addresses should be: 192.168.1.20 to 192.168.1.30, DNS: 4.2.2.4) and Enable Device Detection<\/strong> under Port2.
                  \n
                  \"Enable
                  Figure 2.4: Enable DHCP Server<\/figcaption><\/figure>\n<\/li>\n
                3. Set a port3 as a DHCP client and enable Device Detection<\/strong> under Port3.
                  \n
                  \"Enable
                  Figure 2.5: Enable DHCP Client<\/figcaption><\/figure>\n<\/li>\n
                4. Set a Static route in the firewall to reach the NAT object. Go to Network > Static Route > Create a new<\/strong>.
                  \n
                  \"Configure
                  Figure 2.6: Configure a static route<\/figcaption><\/figure>\n<\/li>\n
                5. Go to Policy & Objects > Firewall Policy<\/strong> section, click Create New<\/strong> to add a new firewall policy, and configure the following settings:\n
                    \n
                  • Name: LocalToInternet<\/strong><\/li>\n
                  • From inside<\/strong> to outside (port2 to port3)<\/strong><\/li>\n
                  • Source: Create an address for local network (Subnet: 192.168.1.0\/24)<\/strong><\/li>\n
                  • Destination: all<\/strong><\/li>\n
                  • Schedule: Always<\/strong><\/li>\n
                  • Service: Only HTTP, HTTPS, DNS, Ping<\/strong><\/li>\n
                  • Action: Accept<\/strong><\/li>\n<\/ul>\n
                    \"set
                    Figure 2.7: Set local subnet<\/figcaption><\/figure>\n
                    \"Set
                    Figure 2.8: Set firewall policy<\/figcaption><\/figure>\n<\/li>\n
                  • Go to WebTerm1<\/strong>, Set interface as DHCP and then open the browser, you should be able to access the internet.
                    \n
                    \"Enable
                    Figure 2.9: Enable DHCP Client on WebTerm1<\/figcaption><\/figure>\n
                    \"Verify
                    Figure 2.10: Verify your configuration by testing Google.com<\/figcaption><\/figure>\n<\/li>\n<\/ol>\n

                    Verify Your Configuration<\/h2>\n
                      \n
                    • Go to Dashboard <\/strong>> FortiView Sessions<\/strong>. You should be able to see the traffic.<\/li>\n<\/ul>\n
                      \"Fortiview
                      Figure 2.11: FortiView Sessions<\/figcaption><\/figure>\n
                        \n
                      • \u00a0Go to Firewall Policy and on the right side of the screen, you should be able to see Hit count.<\/strong><\/li>\n<\/ul>\n
                        \"Hit
                        Figure 2.12: Hit count in the Firewall Policy<\/figcaption><\/figure>\n
                          \n
                        • Go to Dashboard<\/strong> > Users & Devices<\/strong> > Device Inventory<\/strong> and verify the IP and Mac address of the device.<\/li>\n<\/ul>\n
                          \"Device
                          Figure 2.13: Device Inventory<\/figcaption><\/figure>\n

                          Reordering Firewall Policies and Firewall Policy Actions<\/h2>\n

                          FortiGate will look for a matching policy, beginning at the top. Usually, you should put more specific policies at the top; otherwise, more general policies will match the traffic first, and your more granular policies will never be applied.<\/p>\n

                          You will create a new firewall policy with more specific settings such as source, destination, service, and action set to DENY<\/strong>. Then, you will move this firewall policy above the existing firewall policies and observe the behaviour of firewall policy reordering.<\/p>\n

                          Create a firewall policy<\/h3>\n

                          You will create a new firewall policy to match a specific source, destination, service, and action set to DENY<\/strong>.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n
                          Table 2.2: Firewall policy configuration<\/caption>\n
                          Field<\/th>\nValue<\/th>\n<\/tr>\n
                          Name<\/td>\nBlock_Ping<\/td>\n<\/tr>\n
                          Incoming Interface<\/td>\nPort2<\/td>\n<\/tr>\n
                          Outgoing Interface<\/td>\nPort3<\/td>\n<\/tr>\n
                          Source<\/td>\nLOCAL_SUBNET<\/td>\n<\/tr>\n
                          Destination<\/td>\nAll<\/td>\n<\/tr>\n
                          Schedule<\/td>\nAlways<\/td>\n<\/tr>\n
                          Service<\/td>\nPING<\/td>\n<\/tr>\n
                          Action<\/td>\nDENY<\/td>\n<\/tr>\n
                          Log Violation Traffic<\/td>\n<enable><\/td>\n<\/tr>\n
                          Enable this policy<\/td>\n<enable><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
                          \"Set
                          Figure 2.14: Set firewall policy to block ping<\/figcaption><\/figure>\n

                          Click OK<\/strong> to save the changes. Add this policy on top of the previous policy.<\/p>\n

                          \"Priority
                          Figure 2.15: Priority of Block_Ping should be higher than LocalToInternet<\/figcaption><\/figure>\n

                          Go to Webterm1<\/strong> and ping 4.2.2.4<\/strong>. You shouldn’t be able to ping!<\/p>\n

                          \"Webterm1
                          Figure 2.16: Verify ping in the WebTerm1<\/figcaption><\/figure>\n","protected":false},"author":124,"menu_order":2,"template":"","meta":{"pb_show_title":"on","pb_short_title":"","pb_subtitle":"","pb_authors":[],"pb_section_license":""},"chapter-type":[48],"contributor":[],"license":[],"class_list":["post-54","chapter","type-chapter","status-publish","hentry","chapter-type-standard"],"part":37,"_links":{"self":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters\/54","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters"}],"about":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/wp\/v2\/types\/chapter"}],"author":[{"embeddable":true,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/wp\/v2\/users\/124"}],"version-history":[{"count":1,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters\/54\/revisions"}],"predecessor-version":[{"id":55,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters\/54\/revisions\/55"}],"part":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/parts\/37"}],"metadata":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters\/54\/metadata\/"}],"wp:attachment":[{"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/wp\/v2\/media?parent=54"}],"wp:term":[{"taxonomy":"chapter-type","embeddable":true,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapter-type?post=54"},{"taxonomy":"contributor","embeddable":true,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/wp\/v2\/contributor?post=54"},{"taxonomy":"license","embeddable":true,"href":"https:\/\/opentextbc.ca\/fortigatefirewall\/wp-json\/wp\/v2\/license?post=54"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}