This article describes how to implement a basic policy in policy-based NGFW mode: a basic internet policy for PC users (tested on FOS 6.4.8).
FortiGate has two NGFW modes:
- Profile-based (default), not covered in this example.
- Policy-based.
There are three components to pay attention to in order to implement a basic policy in policy-based NGFW mode:
| GUI (Policy & Objects) | CLI |
|---|---|
| Security Policy | firewall security-policy |
| Central SNAT | firewall central-snat-map |
| SSL Inspection & Authentication | firewall policy |
Note: Routing must already be in place to meet the network requirement.
```
FGT1 (client_vdom) # get system settings | grep ngfw
ngfw-mode           : policy-based

FGT1 (client_vdom) # show firewall security-policy 1
config firewall security-policy
    edit 1
        set uuid 1aab8348-6cea-51ed-51f6-d59f43e4848e
        set name "internet"
        set srcintf "port7"        --> intf to user pc
        set dstintf "vdom_link1"   --> intf to internet
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

FGT1 (client_vdom) # show firewall central-snat-map 1
config firewall central-snat-map
    edit 1
        set uuid 26bcef28-6cea-51ed-4867-befe6c338372
        set srcintf "port7"
        set dstintf "vdom_link1"
        set orig-addr "all"
        set dst-addr "all"
    next
end

FGT1 (client_vdom) # show firewall policy 1
config firewall policy
    edit 1
        set name "internet_ssl"
        set uuid 041ce39c-6cea-51ed-2ac9-a858f21eedd5
        set srcintf "port7"
        set dstintf "vdom_link1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
    next
end
```
Warning: Changing the NGFW mode from profile-based to policy-based, or vice versa, removes all firewall policy configuration.
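As an added check that is not part of the article or of FortiOS, the Python below parses a `show` dump in the format above and flags every security-policy whose srcintf/dstintf pair has no matching central-snat-map or firewall policy (SSL inspection & authentication), which is the usual reason traffic is dropped or not NATed after switching modes. The sample dump is constructed; the parser assumes flat sections and a single interface per `set srcintf`/`set dstintf`.

```python
# Constructed sample (dump format as above): port7 pair is complete, port8 pair has only a security-policy.
SAMPLE_CONFIG = """
config firewall security-policy
    edit 1
        set srcintf "port7"
        set dstintf "vdom_link1"
    next
    edit 2
        set srcintf "port8"
        set dstintf "vdom_link1"
    next
end
config firewall central-snat-map
    edit 1
        set srcintf "port7"
        set dstintf "vdom_link1"
    next
end
config firewall policy
    edit 1
        set srcintf "port7"
        set dstintf "vdom_link1"
    next
end
"""

def intf_pairs(text):
    """Per section, {edit_id: (srcintf, dstintf)} from a flat 'config/edit/set/next/end' dump (first interface only)."""
    out, section, cur = {}, None, [None, None]
    for tok in filter(None, (ln.replace('"', "").split() for ln in text.splitlines())):
        if tok[0] == "config":
            section = out.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit":
            cur = section.setdefault(tok[1], [None, None])
        elif tok[:2] == ["set", "srcintf"]:
            cur[0] = tok[2]
        elif tok[:2] == ["set", "dstintf"]:
            cur[1] = tok[2]
    return {s: {k: tuple(v) for k, v in e.items()} for s, e in out.items()}

def check_policy_based(text):
    """Flag security-policies whose interface pair lacks a central-snat-map or a firewall policy."""
    p = intf_pairs(text)
    snat = set(p.get("firewall central-snat-map", {}).values())
    ssl = set(p.get("firewall policy", {}).values())
    findings = []
    for pid, pair in p.get("firewall security-policy", {}).items():
        if pair not in snat:
            findings.append(f"security-policy {pid} {pair}: no central-snat-map")
        if pair not in ssl:
            findings.append(f"security-policy {pid} {pair}: no firewall policy (SSL/auth)")
    return findings
```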