How to setup firewall rules (policies) in a FortiGate firewall from GUI

    Weekend Wiki
    General Administrator
    Here’s how to set up firewall rules via the FortiGate Web GUI:

    1. Log in to the FortiGate Web Interface

    • Open a web browser and enter the IP address of the FortiGate device. The default IP address is typically 192.168.1.99, but it may differ based on your setup.
    • Log in using the admin credentials (username: admin, password: blank by default).

    2. Navigate to Firewall Policy Section

    • After logging in, go to Policy & Objects in the left-hand menu.
    • Then click on IPv4 Policy (for IPv4 rules).

    3. Create a New Firewall Rule

    • Click Create New at the top of the page.
    • The Create New Policy page will open where you can configure the firewall rule.

    4. Configure Rule Settings

    • In the Create New Policy page, configure the following fields:

    Basic Settings:

    • Name: Give your policy a descriptive name (e.g., Allow_LAN_to_WAN).
    • Incoming Interface: Select the interface where traffic will originate. For example, choose LAN if the source is the internal network.
    • Outgoing Interface: Select the destination interface. For example, choose WAN for internet access.
    • Source Address: This is the source of the traffic. For LAN-to-WAN access, select all (or specify the IP range on the LAN that you want to allow).
    • Destination Address: Choose all (or specify a particular destination address, like a server in the DMZ).
    • Action: Choose Accept to allow traffic or Deny to block it.

    Advanced Settings (Optional):

    • Schedule: If you want the rule to apply only during specific times, select Always for continuous access, or set a custom schedule.
    • Service: Choose the type of traffic you want to allow. For example, you can choose ALL to allow all types of traffic, or specify individual services like HTTP, HTTPS, DNS, etc.
    • NAT (Network Address Translation): Enable NAT for the rule if you want the firewall to translate the source IP for outgoing traffic (typically required for LAN to WAN traffic).
    • Log Traffic: If you want to log the traffic matching this rule, set Log Traffic to All Sessions (or a different option based on your needs).

    5. Configure Additional Options (Optional)

    • Security Profiles: If you want to apply security profiles (like Intrusion Prevention, Antivirus, Web Filtering, etc.) to this rule, you can enable them in this section.
    • Deep Packet Inspection: If needed, enable DPI features for traffic inspection.

    6. Save the Rule

    • After filling out the necessary fields and making the desired selections, click OK to save the rule.

    7. Reordering Firewall Rules

    • The rules are processed from top to bottom in the policy list. Make sure your rules are in the correct order to avoid conflicts.
    • In the Web GUI, you can reorder policies by selecting a rule and using the Move Up or Move Down buttons.

    8. Verify and Test the Firewall Rule

    • Test Connectivity: To verify the new rule, you can test connectivity. For example, if you created a LAN to WAN rule, try pinging an external IP (e.g., 8.8.8.8) from a device on the LAN.
    • View Logs: Go to Log & Report > Forward Traffic to view the traffic logs for this rule. This will help you monitor if the rule is being applied correctly.
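    As an added example (not part of the original post), the log check in step 8 can be scripted instead of done by eye. The lines below are constructed sample records in the FortiOS key=value forward-traffic log format; the device name, device ID and addresses are made up. The parser splits each record into fields, counts sessions per policy ID and action, and pulls out sessions that hit the implicit deny at the bottom of the policy list (logged with policyid=0), which is the fastest way to see whether your new rule is actually being matched.

```python
import re
from collections import Counter

# Constructed sample records in FortiOS forward-traffic (key=value) format.
# devname/devid/IPs are invented for this example; the field names are the
# standard FortiOS ones (srcip, dstip, srcintf, dstintf, action, policyid, ...).
SAMPLE_LOGS = """\
date=2024-05-01 time=10:00:01 devname="FGT-LAB" devid="FGVM000000000000" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.1.10 srcport=51234 srcintf="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" proto=17 action="accept" policyid=1 policyname="Allow_LAN_to_WAN" service="DNS" sentbyte=70 rcvdbyte=120
date=2024-05-01 time=10:00:02 devname="FGT-LAB" devid="FGVM000000000000" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.1.10 srcport=51235 srcintf="lan" dstip=8.8.8.8 dstport=443 dstintf="wan1" proto=6 action="accept" policyid=1 policyname="Allow_LAN_to_WAN" service="HTTPS" sentbyte=1200 rcvdbyte=8400
date=2024-05-01 time=10:00:05 devname="FGT-LAB" devid="FGVM000000000000" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=203.0.113.7 srcport=40000 srcintf="wan1" dstip=192.168.1.100 dstport=22 dstintf="lan" proto=6 action="deny" policyid=0 policyname="" service="SSH" sentbyte=0 rcvdbyte=0
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_line(line):
    """Turn one FortiOS key=value log record into a dict, stripping the quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def parse_logs(text):
    """Parse a block of records, skipping blank lines."""
    return [parse_fortios_line(ln) for ln in text.splitlines() if ln.strip()]


def hits_per_policy(records):
    """Sessions per (policyid, action): the quickest proof that a rule is being hit."""
    return Counter((r["policyid"], r["action"]) for r in records)


def implicit_denies(records):
    """Sessions that matched no configured policy (policyid 0 is the implicit deny)."""
    return [r for r in records if r["policyid"] == "0" and r["action"] == "deny"]


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for (pid, action), n in sorted(hits_per_policy(recs).items()):
        print(f"policyid={pid} action={action} sessions={n}")
    for r in implicit_denies(recs):
        print(f"implicit deny: {r['srcip']} -> {r['dstip']}:{r['dstport']} ({r['service']})")
```

    Run against a real export from Log & Report > Forward Traffic (one record per line), a non-zero count for your new policy ID with action=accept confirms the rule matched; entries under policyid=0 are traffic that fell through to the implicit deny, which usually means the new rule's interfaces, addresses or service do not cover what you expected.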

    9. Backup Configuration

    • After configuring the rule, it’s a good practice to back up your configuration:
      • Go to System > Dashboard > System Information.
      • Click Backup to download the configuration to your local machine.

    Example Use Cases:

    Example 1: Allow LAN to WAN Traffic (Outbound Internet Access)

    • Incoming Interface: LAN
    • Outgoing Interface: WAN
    • Source Address: all (or specify the internal network IP range)
    • Destination Address: all
    • Action: Accept
    • NAT: Enable (to allow devices on the LAN to access the internet)
    • Service: ALL (or specify HTTP, HTTPS, etc.)
    • Log Traffic: Enable

    Example 2: Allow Remote SSH Access to a Server (WAN to LAN)

    • Incoming Interface: WAN
    • Outgoing Interface: LAN
    • Source Address: all (or a specific remote IP)
    • Destination Address: The internal server’s IP (e.g., 192.168.1.100)
    • Action: Accept
    • Service: SSH
    • Log Traffic: Enable

    Example 3: Block All WAN to LAN Traffic

    • Incoming Interface: WAN
    • Outgoing Interface: LAN
    • Source Address: all
    • Destination Address: all
    • Action: Deny
    • Service: ALL
    • Log Traffic: Enable

    Final Notes:

    • Always ensure that the rules are ordered correctly. Firewall rules are evaluated in order, and the first rule that matches the traffic will apply.
    • Test the connectivity and review logs to ensure the policies are functioning as expected.
    • You can also configure advanced security features such as Deep Packet Inspection, Application Control, and SSL inspection depending on your requirements.
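    The three example policies above, together with the ordering warning in step 7 and the Final Notes, can be checked before anything is clicked. The script below is an added example and is not from the original post or from Fortinet: it models each GUI policy as a record, evaluates a flow top-down with first-match semantics exactly as the notes describe, reports policies that are shadowed by a broader policy above them, and renders the list as FortiOS CLI. The interface names lan and wan1, the address-object naming scheme (net_<cidr>) and the CLI rendering are assumptions for illustration; on a real unit the interface names and object names will differ.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    """One firewall policy, mirroring the GUI fields described on the page."""
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str            # "all" or a CIDR such as "192.168.1.0/24"
    dstaddr: str            # "all" or a CIDR / single host
    action: str             # "accept" or "deny"
    service: str            # "ALL" or one named service, e.g. "SSH"
    nat: bool = False
    logtraffic: str = "all"


# Assumed interface names (a real unit might use "port1", "internal", ...).
LAN, WAN = "lan", "wan1"

# The page's three examples, in the order you get if Example 3 (deny all WAN->LAN)
# is created before Example 2 (allow SSH to the server): the SSH rule is shadowed.
SHADOWED_ORDER = [
    Policy("Allow_LAN_to_WAN", LAN, WAN, "all", "all", "accept", "ALL", nat=True),
    Policy("Block_WAN_to_LAN", WAN, LAN, "all", "all", "deny", "ALL"),
    Policy("Allow_SSH_to_Server", WAN, LAN, "all", "192.168.1.100/32", "accept", "SSH"),
]
# Same policies with the specific allow moved above the broad deny.
CORRECT_ORDER = [SHADOWED_ORDER[0], SHADOWED_ORDER[2], SHADOWED_ORDER[1]]


def _addr_match(spec, ip):
    return spec == "all" or ip_address(ip) in ip_network(spec, strict=False)


def _addr_covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "all":
        return True
    if inner == "all":
        return False
    return ip_network(outer, strict=False).supernet_of(ip_network(inner, strict=False))


def _service_covers(outer, inner):
    return outer == "ALL" or outer == inner


def first_match(policies, srcintf, dstintf, srcip, dstip, service):
    """Top-down, first-match evaluation (step 7). Returns the matching Policy, or
    None when the flow falls through to the implicit deny at the end of the list."""
    for p in policies:
        if (p.srcintf == srcintf and p.dstintf == dstintf
                and _addr_match(p.srcaddr, srcip) and _addr_match(p.dstaddr, dstip)
                and _service_covers(p.service, service)):
            return p
    return None


def shadowed(policies):
    """Names of policies that can never match because an earlier policy on the same
    interface pair covers all of their source, destination and service."""
    names = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (earlier.srcintf == later.srcintf and earlier.dstintf == later.dstintf
                    and _addr_covers(earlier.srcaddr, later.srcaddr)
                    and _addr_covers(earlier.dstaddr, later.dstaddr)
                    and _service_covers(earlier.service, later.service)):
                names.append(later.name)
                break
    return names


def _obj_name(spec):
    # "all" is a built-in address object; anything else gets an assumed object name
    return "all" if spec == "all" else "net_" + spec.replace("/", "_")


def to_fortios_cli(policies):
    """Render the list as FortiOS CLI (assumed equivalent of the GUI form)."""
    lines = []
    cidrs = sorted({a for p in policies for a in (p.srcaddr, p.dstaddr) if a != "all"})
    if cidrs:
        lines.append("config firewall address")
        for cidr in cidrs:
            net = ip_network(cidr, strict=False)
            lines += [f'    edit "{_obj_name(cidr)}"',
                      f"        set subnet {net.network_address} {net.netmask}",
                      "    next"]
        lines.append("end")
    lines.append("config firewall policy")
    for pid, p in enumerate(policies, start=1):   # policy IDs are assumed sequential
        lines += [f"    edit {pid}",
                  f'        set name "{p.name}"',
                  f'        set srcintf "{p.srcintf}"',
                  f'        set dstintf "{p.dstintf}"',
                  f'        set srcaddr "{_obj_name(p.srcaddr)}"',
                  f'        set dstaddr "{_obj_name(p.dstaddr)}"',
                  f"        set action {p.action}",
                  '        set schedule "always"',
                  f'        set service "{p.service}"',
                  f"        set logtraffic {p.logtraffic}"]
        if p.nat:
            lines.append("        set nat enable")
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    print("shadowed in wrong order:", shadowed(SHADOWED_ORDER))
    print("shadowed in fixed order:", shadowed(CORRECT_ORDER))
    print(to_fortios_cli(CORRECT_ORDER))
```

    With the deny-all policy above the SSH policy, an SSH flow from the WAN to 192.168.1.100 hits Block_WAN_to_LAN and the SSH rule is reported as shadowed; with the order swapped the SSH flow is accepted while every other WAN-to-LAN flow still hits the deny. The same check is worth running on any exported policy list before reordering rules in the GUI with Move Up / Move Down.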