Handbook

6.0.0

Configuring security policies for SD-WAN

After you create an SD-WAN interface, the FortiGate adds a virtual interface for SD-WAN to the interface list. You can create security policies using this SD-WAN interface.

You must configure a security policy that allows traffic from your organization’s internal network to the SD-WAN interface. You don’t need to configure multiple security policies for individual SD-WAN member interfaces because security policies that you configure with the SD-WAN interface apply to all SD-WAN member interfaces.

Configure security policies for SD-WAN – GUI
  1. Go to Policy & Objects > IPv4 Policy.
  2. Select Create New.
  3. In the Name field, enter a name for the policy.
  4. Set Incoming Interface to the interface that connects to your organization’s internal network.
  5. In the Outgoing Interface field, select the SD-WAN interface from the drop-down menu.
  6. In the Source field, select +. In the Select Entries window, select all. Select Close.
  7. In the Destination field, select +. In the Select Entries window, select all. Select Close.
  8. In the Schedule field, select always from the drop-down menu.
  9. In the Service field, select +. In the Select Entries window, select ALL. Select Close.
  10. In the Action field, select ACCEPT.
  11. In the Firewall/Network Options section, set the following:
    • Enable NAT.
    • In the IP Pool Configuration field, select Use Outgoing Interface Address.
  12. In the Security Profiles section, apply AntiVirus, Web Filter, DNS Filter, Application Control, and SSL Inspection profiles, as required.
  13. In the Logging Options section, set the following:
    • Enable Log Allowed Traffic and select All Sessions. This allows you to verify the results later.
    • Enable the Enable this policy option.
  14. Select OK.

If you previously removed or redirected existing references in security policies to interfaces that you wanted to add as SD-WAN interface members, you can now reconfigure those policies to reference the SD-WAN interface.

Configure security policies for SD-WAN – CLI

    config firewall {policy | policy6}
        edit <policy_id>
            set name <policy_name>
            set srcintf <interface_name>
            set dstintf virtual-wan-link
            set srcaddr <address_name>
            set dstaddr <address_name>
            set action accept
            set status enable
            set schedule <schedule_name>
            set service <service_name>
            set utm-status enable
            set logtraffic all
            set av-profile <profile_name>
            set webfilter-profile <profile_name>
            set dnsfilter-profile <profile_name>
            set application-list <app_list>
            set ssl-ssh-profile <profile_name>
            set nat enable
            set ippool enable
            set poolname <pool_name>
        next
    end

where:

  • virtual-wan-link is the SD-WAN interface.
  • The dnsfilter-profile option isn't available in policy6, because DNS filter profiles don't support IPv6.
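As an added audit example (not Fortinet's code and not part of this page), the following Python script parses the CLI policy format shown above and flags policies that egress via virtual-wan-link without the logging and UTM settings this procedure calls for, or that set dnsfilter-profile under policy6. The sample configuration is constructed for illustration; the option names are the ones used in the CLI block above.

```python
# Constructed sample FortiOS config (not from the page): policy 1 follows the procedure,
# policy 2 egresses via SD-WAN unlogged and without UTM, policy6 sets an IPv4-only option.
SAMPLE_CONFIG = """config firewall policy
    edit 1
        set dstintf "virtual-wan-link"
        set utm-status enable
        set logtraffic all
        set av-profile "default"
    next
    edit 2
        set dstintf "virtual-wan-link"
    next
end
config firewall policy6
    edit 1
        set dstintf "virtual-wan-link"
        set dnsfilter-profile "default"
    next
end"""

def parse_policies(text):
    """Yield (table, policy_id, options) from 'config firewall policy|policy6' blocks."""
    table, current = None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("config firewall "):
            table = line.split()[2]            # 'policy' (IPv4) or 'policy6' (IPv6)
        elif line.startswith("edit "):
            current = (table, line[5:].strip('"'), {})
        elif line.startswith("set ") and current:
            key, _, val = line[4:].partition(" ")
            current[2][key] = val.strip('"')
        elif line == "next" and current:
            yield current
            current = None

def audit_sdwan_policies(text):
    """Return {'table/id': [issues]} for policies that egress via virtual-wan-link."""
    findings = {}
    for table, pid, o in parse_policies(text):
        if o.get("dstintf") != "virtual-wan-link":
            continue                           # not an SD-WAN policy
        issues = [msg for cond, msg in (
            (o.get("logtraffic") != "all", "logtraffic is not 'all'"),
            # profile options on this page end in -profile (av, webfilter, dnsfilter, ssl-ssh) or -list
            (o.get("utm-status") != "enable" or not any(k.endswith(("-profile", "-list")) for k in o), "no UTM profile applied"),
            (table == "policy6" and "dnsfilter-profile" in o, "dnsfilter-profile unavailable for IPv6"),
        ) if cond]
        if issues:
            findings[f"{table}/{pid}"] = issues
    return findings
```

Run it against the output of `show firewall policy` and `show firewall policy6` from a FortiGate to check the policies you created with the steps above.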
