How to set up firewall rules (policies) in a FortiGate firewall to control traffic flow between interfaces and networks

  • Post
    Weekend Wiki
    General Administrator
    Setting up firewall rules (policies) in a FortiGate firewall allows you to control traffic flow between interfaces and networks. Firewall rules are fundamental for regulating access between your internal network (LAN), external network (WAN), and other segments of your network. Here’s a step-by-step guide to setting up firewall rules in FortiGate:

    1. Access the FortiGate Device

    • Log in to the FortiGate firewall using the Web GUI or CLI.
    • For the Web GUI, connect to the FortiGate’s management IP (default is 192.168.1.99) via a web browser.

    2. Navigate to the Firewall Policy Section

    • Web GUI:
      • Go to Policy & Objects > IPv4 Policy (for IPv4 rules).
    • CLI:
      • Use the command line to configure firewall policies. The basic command syntax is:
        config firewall policy
            edit <policy_id>
                set name <policy_name>
                set srcintf <source_interface>
                set dstintf <destination_interface>
                set action <accept|deny>
                set srcaddr <source_address>
                set dstaddr <destination_address>
                set schedule <time_schedule>
                set service <service_type>
                set nat <enable|disable>
                set logtraffic <all|utm|disable>
            next
        end

    3. Create a New Firewall Rule

    To create a firewall rule (policy) that controls traffic between interfaces:

    Web GUI:

    • Step 1: Click on Create New at the top of the IPv4 Policy page.
    • Step 2: Configure the rule settings:
      • Name: Give the rule a descriptive name (e.g., Allow_LAN_to_WAN).
      • Incoming Interface: Select the source interface (e.g., LAN).
      • Outgoing Interface: Select the destination interface (e.g., WAN).
      • Source Address: Define the source IP range. To allow all devices on the LAN, select all or define a custom address group.
      • Destination Address: Define the destination IP range. To allow internet access, select all or a specific range.
      • Action: Choose Accept (to allow traffic) or Deny (to block traffic).
      • Schedule: You can set a time-based schedule if the policy should only apply at certain times.
      • Service: Select the type of traffic (e.g., ALL to allow all services or choose specific ones like HTTP, HTTPS, DNS, etc.).
      • NAT: Enable NAT (Network Address Translation) for traffic going from the internal network to the internet. This is typically required for outbound traffic.
      • Log Traffic: Enable this option if you want to log traffic that matches this rule for monitoring purposes.
    • Step 3: Click OK to save the rule.

    CLI:

    You can also use the CLI to configure the firewall rule. Here’s an example to allow all LAN traffic to go out to the internet via the WAN interface:

    config firewall policy
        edit 1  # Assign an ID for the policy
            set name "Allow_LAN_to_WAN"  # Rule name
            set srcintf "lan"  # Source interface (LAN)
            set dstintf "wan"  # Destination interface (WAN)
            set srcaddr "all"  # Source address (all addresses on LAN)
            set dstaddr "all"  # Destination address (all IPs)
            set action accept  # Allow traffic
            set schedule "always"  # Always apply the rule
            set service "ALL"  # Allow all services (or specify specific services like HTTP, HTTPS, etc.)
            set nat enable  # Source NAT to the WAN interface address, needed for outbound internet access
            set logtraffic all  # Log all matching traffic
        next
    end

    4. Firewall Policy Rule Order

    • Order of Execution: Firewall rules are processed from top to bottom in the policy list. The first rule that matches the traffic will be applied. Therefore, the order in which you place your rules is important.
    • Move Rules: In the Web GUI, use the Move Up and Move Down buttons to reorder rules.
    • CLI: Use the move command to change the position of rules.

    5. Test the Firewall Rule

    • Once you’ve created the rule, test it by initiating traffic from the source interface to the destination and verifying that it’s allowed or blocked based on the policy.
    • You can use Diagnostics > Ping or Diagnostics > Traceroute to test connectivity through the firewall.
    • Use Log & Report > Forward Traffic to review the traffic logs and ensure the rule is functioning as expected.
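    Reviewing the Forward Traffic log is easier when the raw entries are parsed into fields. The following is an added example (not Fortinet code and not part of the original post): it parses FortiGate-style key=value log lines, counts hits per policy ID and action, pinpoints which policy handled a given test flow, and lists flows that fell through to the implicit deny (policyid=0), which is what you see when a newly created rule did not actually match your test traffic. The log lines, interface names, addresses and policy IDs are constructed for the illustration.

```python
"""Parse FortiGate forward-traffic log lines (key=value pairs, quoted where
needed) and check which policy each flow hit.

Added example, not Fortinet code. The log lines below are constructed to look
like FortiOS traffic logs for the rules in this post; interface names,
addresses and policy IDs are assumptions.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample of Log & Report > Forward Traffic entries (raw syslog form).
SAMPLE_LOG = """
date=2024-05-10 time=11:37:47 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.1.50 srcport=52110 srcintf="lan" dstip=198.51.100.20 dstport=443 dstintf="wan" proto=6 action="accept" policyid=1 policytype="policy" service="HTTPS" sentbyte=1532 rcvdbyte=8890
date=2024-05-10 time=11:38:02 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=203.0.113.5 srcport=40022 srcintf="wan" dstip=192.168.1.10 dstport=22 dstintf="lan" proto=6 action="accept" policyid=2 policytype="policy" service="SSH" sentbyte=4102 rcvdbyte=20344
date=2024-05-10 time=11:38:15 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=198.51.100.77 srcport=51234 srcintf="wan" dstip=192.168.1.10 dstport=3389 dstintf="lan" proto=6 action="deny" policyid=3 policytype="policy" service="RDP" sentbyte=0 rcvdbyte=0
date=2024-05-10 time=11:38:20 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.1.50 srcport=52300 srcintf="lan" dstip=10.0.0.5 dstport=80 dstintf="dmz" proto=6 action="deny" policyid=0 policytype="policy" service="HTTP" sentbyte=0 rcvdbyte=0
"""

# key=value where the value is either "quoted text" or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line: str) -> Dict[str, str]:
    """Turn one log line into a dict; quoted and bare values are both handled."""
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every non-blank line of a log export."""
    return [parse_log_line(line) for line in text.splitlines() if line.strip()]


def policy_hit_counts(records: List[Dict[str, str]]) -> Dict[Tuple[int, str], int]:
    """How many sessions each (policyid, action) pair logged."""
    return dict(Counter((int(r["policyid"]), r["action"]) for r in records))


def implicit_denies(records: List[Dict[str, str]]) -> List[str]:
    """Flows that matched no explicit rule (policyid=0). If your test traffic
    shows up here, the rule you just created did not match it."""
    return [f'{r["srcip"]}:{r["srcport"]} -> {r["dstip"]}:{r["dstport"]} '
            f'via {r["srcintf"]}->{r["dstintf"]} ({r["service"]})'
            for r in records if r.get("policyid") == "0"]


def find_flow(records: List[Dict[str, str]], srcip: str, dstip: str,
              dport: int) -> Optional[Dict[str, object]]:
    """Which policy handled a specific test flow, and what it did."""
    for r in records:
        if (r.get("srcip") == srcip and r.get("dstip") == dstip
                and int(r.get("dstport", -1)) == dport):
            return {"policyid": int(r["policyid"]), "action": r["action"]}
    return None


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("hits per policy:", policy_hit_counts(recs))
    print("SSH test flow:", find_flow(recs, "203.0.113.5", "192.168.1.10", 22))
    print("implicit denies:", implicit_denies(recs))
```

    Feed a real export (syslog or the CSV download converted to raw lines) into parse_log and check find_flow for the exact source/destination/port you used in the test; a result of policyid 0, or a hit on a different policy than you intended, means the rule's interfaces, addresses or service do not cover the flow.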

    6. Common Firewall Rule Examples

    • Allow LAN to WAN (Outbound Internet Access):
      • Incoming Interface: LAN
      • Outgoing Interface: WAN
      • Source Address: LAN (or a specific address group)
      • Destination Address: all
      • Service: ALL (or HTTP, HTTPS, etc.)
      • Action: Accept
      • NAT: Enable
      • Log Traffic: Enable
    • Allow Specific Service from WAN to LAN (e.g., allowing remote SSH access to a server in the LAN):
      • Incoming Interface: WAN
      • Outgoing Interface: LAN
      • Source Address: all (or specific IP)
      • Destination Address: the internal server IP
      • Service: SSH (or any other service, like RDP)
      • Action: Accept
      • Log Traffic: Enable
    • Block All Traffic from WAN to LAN:
      • Incoming Interface: WAN
      • Outgoing Interface: LAN
      • Source Address: all
      • Destination Address: all
      • Service: ALL
      • Action: Deny
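    The three rules above only behave as intended if they are ordered as the rule-order section describes: the narrow "allow SSH to one server" rule must sit above the "block all WAN to LAN" rule, or it never matches. The following is an added example (not Fortinet tooling and not part of the original post) that models these policies as data, renders them in the config firewall policy CLI syntax shown earlier, evaluates a flow top to bottom with first-match semantics, and flags rules that are fully shadowed by an earlier rule on the same interface pair. Interface names, address objects (LAN_net, Web_server, Admin_host), service objects and the sample flows are constructed assumptions.

```python
"""Ordered FortiGate policies as data: render them to FortiOS CLI, evaluate a
flow with first-match semantics, and flag shadowed rules.

Added example, not Fortinet's tooling. Interface names, address objects,
service objects and sample flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed address objects (name -> CIDR). "all" matches any address.
ADDRESSES: Dict[str, str] = {
    "all": "0.0.0.0/0",
    "LAN_net": "192.168.1.0/24",
    "Web_server": "192.168.1.10/32",
    "Admin_host": "203.0.113.5/32",   # hypothetical admin IP (RFC 5737 range)
}
# Constructed service objects (name -> (proto, port)). "ALL" matches any service.
SERVICES: Dict[str, Optional[Tuple[str, int]]] = {
    "ALL": None, "SSH": ("tcp", 22), "HTTPS": ("tcp", 443),
}


@dataclass
class Policy:
    policy_id: int
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str
    dstaddr: str
    service: str
    action: str              # accept | deny
    nat: bool = False
    logtraffic: str = "all"  # all | utm | disable
    schedule: str = "always"

    def matches(self, flow: dict) -> bool:
        """A policy matches only when every field matches, as on the FortiGate."""
        svc = SERVICES[self.service]
        return ((self.srcintf, self.dstintf) == (flow["srcintf"], flow["dstintf"])
                and ip_address(flow["src"]) in ip_network(ADDRESSES[self.srcaddr])
                and ip_address(flow["dst"]) in ip_network(ADDRESSES[self.dstaddr])
                and (svc is None or svc == (flow["proto"], flow["dport"])))

    def to_cli(self) -> str:
        """One edit ... next block in the syntax used in this post."""
        lines = [f"    edit {self.policy_id}",
                 f'        set name "{self.name}"',
                 f'        set srcintf "{self.srcintf}"',
                 f'        set dstintf "{self.dstintf}"',
                 f'        set srcaddr "{self.srcaddr}"',
                 f'        set dstaddr "{self.dstaddr}"',
                 f"        set action {self.action}",
                 f'        set schedule "{self.schedule}"',
                 f'        set service "{self.service}"',
                 f"        set logtraffic {self.logtraffic}"]
        if self.nat:
            lines.append("        set nat enable")
        lines.append("    next")
        return "\n".join(lines)


def render_policies(policies: List[Policy]) -> str:
    """One config firewall policy block, in the order the list gives."""
    return "config firewall policy\n" + "\n".join(p.to_cli() for p in policies) + "\nend"


def evaluate(policies: List[Policy], flow: dict) -> Optional[Policy]:
    """Top-to-bottom first match; None is the implicit deny at the bottom."""
    return next((p for p in policies if p.matches(flow)), None)


def shadowed(policies: List[Policy]) -> List[str]:
    """Policies that can never match because an earlier one on the same
    interface pair already covers their addresses and service."""
    out = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            covered = (
                (earlier.srcintf, earlier.dstintf) == (later.srcintf, later.dstintf)
                and ip_network(ADDRESSES[later.srcaddr]).subnet_of(ip_network(ADDRESSES[earlier.srcaddr]))
                and ip_network(ADDRESSES[later.dstaddr]).subnet_of(ip_network(ADDRESSES[earlier.dstaddr]))
                and (SERVICES[earlier.service] is None or earlier.service == later.service))
            if covered:
                out.append(f"policy {later.policy_id} ({later.name}) is shadowed by "
                           f"policy {earlier.policy_id} ({earlier.name})")
                break
    return out


# The three rules from the examples above, in the order they must appear.
ALLOW_OUT = Policy(1, "Allow_LAN_to_WAN", "lan", "wan", "LAN_net", "all", "ALL", "accept", nat=True)
ALLOW_SSH = Policy(2, "Allow_SSH_to_server", "wan", "lan", "Admin_host", "Web_server", "SSH", "accept")
BLOCK_IN = Policy(3, "Block_WAN_to_LAN", "wan", "lan", "all", "all", "ALL", "deny")
CORRECT_ORDER = [ALLOW_OUT, ALLOW_SSH, BLOCK_IN]
WRONG_ORDER = [ALLOW_OUT, BLOCK_IN, ALLOW_SSH]   # deny-all placed above the SSH allow

# Constructed test flows.
SSH_FROM_ADMIN = {"srcintf": "wan", "dstintf": "lan", "src": "203.0.113.5",
                  "dst": "192.168.1.10", "proto": "tcp", "dport": 22}
SSH_FROM_OTHER = dict(SSH_FROM_ADMIN, src="198.51.100.7")
WEB_FROM_LAN = {"srcintf": "lan", "dstintf": "wan", "src": "192.168.1.50",
                "dst": "198.51.100.20", "proto": "tcp", "dport": 443}

if __name__ == "__main__":
    print(render_policies(CORRECT_ORDER))
    for flow in (SSH_FROM_ADMIN, SSH_FROM_OTHER, WEB_FROM_LAN):
        hit = evaluate(CORRECT_ORDER, flow)
        print(flow["src"], "->", flow["dst"], ":", hit.name if hit else "implicit deny")
    print("shadowed in wrong order:", shadowed(WRONG_ORDER))
```

    Running it prints the rendered CLI for the correct order, shows the admin host's SSH flow hitting policy 2 while any other WAN source hits the deny rule, and reports that in the wrong order policy 2 is shadowed by policy 3. The shadow check is deliberately conservative: it only reports a later rule whose source, destination and service are entirely inside an earlier rule on the same interface pair, which is exactly the case where "move" is needed.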

    7. Advanced Options

    • Traffic Shaping: You can set bandwidth limits or prioritize traffic using the Traffic Shaping feature.
    • Deep Packet Inspection (DPI): You can enable DPI to inspect the content of traffic more deeply (e.g., for malware or content filtering).
    • SSL/SSH Inspection: Enable SSL inspection for secure traffic monitoring.

    8. Save and Backup Configuration

    • Save: After creating the rules, click OK to save your changes.
    • Backup: Always back up the configuration after making changes under System > Dashboard > System Information.

    Summary of Key Parameters in Firewall Rules:

    • Source Interface: The interface from which traffic originates (e.g., LAN).
    • Destination Interface: The interface to which traffic is headed (e.g., WAN).
    • Source Address: The IP addresses or address groups that are allowed or blocked.
    • Destination Address: The destination IPs or address groups.
    • Action: Whether to allow or deny traffic.
    • Service: The type of traffic (e.g., HTTP, HTTPS, etc.).
    • NAT: If network address translation should be applied.

    By following these steps, you can configure firewall rules to control traffic flow and secure your network. If you have specific use cases or more complex configurations in mind (e.g., VPN rules, IPSec, etc.), let me know!
