This article describes how to implement a basic policy for Policy-based NGFW mode.
Scope
Basic internet policy for PC users (tested on FOS 6.4.8).
Solution
FortiGate has two NGFW modes:
- Profile-based (default): not covered in this example.
- Policy-based.
Three components need attention in order to implement a basic policy in Policy-based NGFW mode:
GUI (Policy & Objects) | CLI
---|---
Security Policy | firewall security-policy
Central SNAT | firewall central-snat-map
SSL Inspection & Authentication | firewall policy
Note: routing must already be in place for the user traffic to reach the internet-facing interface; the policies below only control whether that traffic is accepted, NATed and inspected.
Confirm that the VDOM is running in Policy-based NGFW mode:

```
FGT1 (client_vdom) # get system settings | grep ngfw
ngfw-mode : policy-based
```

Security Policy (what traffic is accepted, from which interface to which):

```
FGT1 (client_vdom) # show firewall security-policy 1
config firewall security-policy
    edit 1
        set uuid 1aab8348-6cea-51ed-51f6-d59f43e4848e
        set name "internet"
        set srcintf "port7"          --> intf to user PC
        set dstintf "vdom_link1"     --> intf to internet
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
```

Central SNAT (source NAT for the same interface pair):

```
FGT1 (client_vdom) # show firewall central-snat-map 1
config firewall central-snat-map
    edit 1
        set uuid 26bcef28-6cea-51ed-4867-befe6c338372
        set srcintf "port7"
        set dstintf "vdom_link1"
        set orig-addr "all"
        set dst-addr "all"
    next
end
```

SSL Inspection & Authentication (in Policy-based mode this is configured under firewall policy):

```
FGT1 (client_vdom) # show firewall policy 1
config firewall policy
    edit 1
        set name "internet_ssl"
        set uuid 041ce39c-6cea-51ed-2ac9-a858f21eedd5
        set srcintf "port7"
        set dstintf "vdom_link1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
    next
end
```
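The three components only work together when they reference the same source and destination interfaces. The following added example (not part of the original article or of FortiOS) parses `show` output in the flat `config / edit / set / next` form shown above and reports any path a security policy accepts that has no matching central SNAT rule or firewall policy (SSL inspection/authentication); the sample input is a constructed, abbreviated copy of the three blocks above.

```python
# Constructed sample: the three 'show' blocks from this article, without uuids or address objects.
SAMPLE = """\
config firewall security-policy
    edit 1
        set srcintf "port7"
        set dstintf "vdom_link1"
    next
end
config firewall central-snat-map
    edit 1
        set srcintf "port7"
        set dstintf "vdom_link1"
    next
end
config firewall policy
    edit 1
        set srcintf "port7"
        set dstintf "vdom_link1"
    next
end
"""
REQUIRED = ("firewall security-policy", "firewall central-snat-map", "firewall policy")

def parse_fortios(text):
    """Parse flat 'config / edit / set / next' output into {table: {id: {key: value}}}."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = tables.setdefault(line[7:], {})
        elif line.startswith("edit ") and table is not None:
            entry = table.setdefault(line.split(maxsplit=1)[1], {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip().strip('"')
        elif line == "next":
            entry = None
    return tables

def check_components(tables):
    """Findings for interface pairs a security policy accepts but SNAT or the firewall policy misses."""
    findings = [f"missing component: {t}" for t in REQUIRED if not tables.get(t)]
    paths = lambda t: {(e.get("srcintf"), e.get("dstintf")) for e in tables.get(t, {}).values()}
    for sid, e in tables.get("firewall security-policy", {}).items():
        path = (e.get("srcintf"), e.get("dstintf"))
        if path not in paths("firewall central-snat-map"):
            findings.append(f"security-policy {sid}: no central-snat-map for {path}")
        if path not in paths("firewall policy"):
            findings.append(f"security-policy {sid}: no firewall policy (SSL inspection/auth) for {path}")
    return findings
```

Run `check_components(parse_fortios(SAMPLE))` against the output of the three `show` commands; an empty list means every accepted interface pair is also NATed and covered by a firewall policy.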
Warning: changing the NGFW mode from profile-based to policy-based, or vice versa, removes all firewall policy configuration.