Handbook

Configuring firewall policies for the SSID

6.0.0

For users on the WiFi LAN to communicate with other networks, firewall policies are required. This section describes creating a WiFi network to Internet policy.

Before you create firewall policies, you need to define any firewall addresses you will need.

To create a firewall address for WiFi users - GUI
  1. Go to Policy & Objects > Addresses.
  2. Select Create New, enter the following information and select OK.

  Name               Enter a name for the address, wifi_net for example.
  Type               Select Subnet.
  Subnet / IP Range  Enter the subnet address, 10.10.110.0/24 for example.
  Interface          Select the interface where this address is used, e.g., example_wifi.

To create a firewall address for WiFi users - CLI

  config firewall address
    edit "wifi_net"
      set associated-interface "example_wifi"
      set subnet 10.10.110.0 255.255.255.0
  end

To create a firewall policy - GUI
  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. In Incoming Interface, select the wireless interface.
  3. In Source Address, select the address of your WiFi network, wifi_net for example.
  4. In Outgoing Interface, select the Internet interface, for example, port1.
  5. In Destination Address, select All.
  6. In Service, select ALL, or select the particular services that you want to allow, and then select the right arrow button to move the service to the Selected Services list.
  7. In Schedule, select always, unless you want to define a schedule for limited hours.
  8. In Action, select ACCEPT.
  9. Select Enable NAT.
  10. Optionally, set up UTM features for wireless users.
  11. Select OK.

To create a firewall policy - CLI

  config firewall policy
    edit 0
      set srcintf "example_wifi"
      set dstintf "port1"
      set srcaddr "wifi_net"
      set dstaddr "all"
      set action accept
      set schedule "always"
      set service "ALL"
      set nat enable
  end
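The policy above accepts every service and has no UTM features enabled, although steps 6 and 10 of the GUI procedure offer both restrictions. The following added example (not Fortinet code) parses policies in this CLI form and flags accept policies left that open. The sample configuration is constructed: the policy IDs, policy 2, its service list and the utm-status and av-profile settings are assumptions not taken from this page, as are the function names.

```python
import shlex
# Constructed sample: policy 1 uses the page's values; policy 2 is hypothetical.
SAMPLE = '''
config firewall policy
    edit 1
        set srcintf "example_wifi"
        set dstintf "port1"
        set srcaddr "wifi_net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set srcaddr "wifi_net"
        set action accept
        set service "DNS" "HTTP" "HTTPS"
        set utm-status enable
        set av-profile "default"
    next
end
'''

def parse_policies(text):
    """Parse 'config firewall policy' blocks into {policy_id: {key: [values]}}."""
    policies, current, active = {}, None, False
    for line in text.splitlines():
        tok = shlex.split(line)  # strips the quotes around names such as "wifi_net"
        if tok[:3] == ["config", "firewall", "policy"]:
            active = True
        elif active and tok[:1] == ["edit"] and len(tok) == 2:
            current = policies.setdefault(tok[1], {})
        elif tok[:1] == ["set"] and current is not None and len(tok) > 2:
            current[tok[1]] = tok[2:]
        elif tok[:1] == ["end"]:
            current, active = None, False  # leave the policy section
    return policies

def audit(policies):
    """Return (policy_id, finding) pairs for accept policies left wide open."""
    findings = []
    for pid, p in policies.items():
        accept = p.get("action") == ["accept"]
        if accept and "ALL" in p.get("service", []):
            findings.append((pid, "service is ALL"))
        if accept and p.get("utm-status") != ["enable"]:
            findings.append((pid, "no UTM features enabled"))
    return findings
```

Calling audit(parse_policies(text)) on a saved configuration returns one entry per finding, so an empty list means every accept policy names specific services and has UTM enabled.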
