Fortinet black logo

Handbook

Defining security policies

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:854589
Download PDF

Defining security policies

Security policies allow IP traffic to pass between interfaces on a FortiGate unit. You can limit communication to particular traffic by specifying source address and destination addresses. Then only traffic from those addresses will be allowed.

Policy-based and route-based VPNs require different security policies.

  • A policy-based VPN requires an IPsec security policy. You specify the interface to the private network, the interface to the remote peer and the VPN tunnel. A single policy can enable traffic inbound, outbound, or in both directions.
  • A route-based VPN requires an Accept security policy for each direction. As source and destination interfaces, you specify the interface to the private network and the virtual IPsec interface (Phase 1 configuration) of the VPN. The IPsec interface is the destination interface for the outbound policy and the source interface for the inbound policy. One security policy must be configured for each direction of each VPN interface.

There are examples of security policies for both policy-based and route-based VPNs throughout this guide. See Route-based or policy-based VPN.

note icon If the security policy, which grants the VPN Connection is limited to certain services, DHCP must be included, otherwise the client won’t be able to retrieve a lease from the FortiGate’s (IPsec) DHCP server, because the DHCP Request (coming out of the tunnel) will be blocked.

Policy-based VPN

An IPsec security policy enables the transmission and reception of encrypted packets, specifies the permitted direction of VPN traffic, and selects the VPN tunnel. In most cases, a single policy is needed to control both inbound and outbound IP traffic through a VPN tunnel. Be aware of the following considerations below before creating an IPsec security policy.

Allow traffic to be initiated from the remote site

Security policies specify which IP addresses can initiate a tunnel. By default, traffic from the local private network initiates the tunnel. When the Allow traffic to be initiated form the remote site option is selected, traffic from a dialup client, or a computer on a remote network, initiates the tunnel. Both can be enabled at the same time for bi-directional initiation of the tunnel.

Outbound and inbound NAT

When a FortiGate unit operates in NAT mode, you can also enable inbound or outbound NAT. Outbound NAT may be performed on outbound encrypted packets or IP packets in order to change their source address before they are sent through the tunnel. Inbound NAT is performed to intercept and decrypt emerging IP packets from the tunnel.

By default, these options are not selected in security policies and can only be set through the CLI.

Source and destination addresses

Most security policies control outbound IP traffic. A VPN outbound policy usually has a source address originating on the private network behind the local FortiGate unit, and a destination address belonging to a dialup VPN client or a network behind the remote VPN peer. The source address that you choose for the security policy identifies from where outbound cleartext IP packets may originate, and also defines the local IP address or addresses that a remote server or client will be allowed to access through the VPN tunnel. The destination address that you choose identifies where IP packets must be forwarded after they are decrypted at the far end of the tunnel, and determines the IP address or addresses that the local network will be able to access at the far end of the tunnel.

Enabling other policy features

You can fine-tune a policy for services such as HTTP, FTP, and POP3, enable logging, traffic shaping, antivirus protection, web filtering, email filtering, file transfer, email services, and optionally allow connections according to a predefined schedule.

As an option, differentiated services (diffserv or DSCP) for the security policy can be enabled through the CLI.

Before you begin

Before you define the IPsec policy, you must:

Defining an IPsec security policy
  1. Go to Policy & Objects > IPv4 Policy.
  2. Select Create New and set the following options:
  3. Name

    Enter a name for the security policy.

    Incoming Interface

    Select the local interface to the internal (private) network.

    Outgoing Interface

    Select the local interface to the external (public) network.

    Source

    Select the name that corresponds to the local network, server(s), or host(s) from which IP packets may originate.

    Destination Address

    Select the name that corresponds to the remote network, server(s), or host(s) to which IP packets may be delivered.

    Schedule

    Keep the default setting (always) unless changes are needed to meet specific requirements.

    Service

    Keep the default setting (ALL) unless changes are needed to meet your specific requirements.

    Action

    For the purpose of this configuration, set Action to IPsec. Doing this will close Firewall / Network Options and open VPN Tunnel options. Select the VPN tunnel of your choice, and select Allow traffic to be initiated from the remote site, which will allow traffic from the remote network to initiate the tunnel.

  4. You may enable UTM features, and/or event logging, or select advanced settings to authenticate a user group, or shape traffic.
  5. Select OK.
  6. Place the policy in the policy list above any other policies having similar source and destination addresses.

Defining multiple IPsec policies for the same tunnel

You must define at least one IPsec policy for each VPN tunnel. If the same remote server or client requires access to more than one network behind a local FortiGate unit, the FortiGate unit must be configured with an IPsec policy for each network. Multiple policies may be required to configure redundant connections to a remote destination or control access to different services at different times.

To ensure a secure connection, the FortiGate unit must evaluate policies with Action set to IPsec before ACCEPT and DENY. Because the FortiGate unit reads policies starting at the top of the list, you must move all IPsec policies to the top of the list, and be sure to reorder your multiple IPsec policies that apply to the tunnel so that specific constraints can be evaluated before general constraints.

note icon Adding multiple IPsec policies for the same VPN tunnel can cause conflicts if the policies specify similar source and destination addresses, but have different settings for the same service. When policies overlap in this manner, the system may apply the wrong IPsec policy or the tunnel may fail.

For example, if you create two equivalent IPsec policies for two different tunnels, it does not matter which one comes first in the list of IPsec policies — the system will select the correct policy based on the specified source and destination addresses. If you create two different IPsec policies for the same tunnel (that is, the two policies treat traffic differently depending on the nature of the connection request), you might have to reorder the IPsec policies to ensure that the system selects the correct IPsec policy.

Route-based VPN

When you define a route-based VPN, you create a virtual IPsec interface on the physical interface that connects to the remote peer. You create ordinary Accept security policies to enable traffic between the IPsec interface and the interface that connects to the private network. This makes configuration simpler than for policy-based VPNs, which require IPsec security policies.

Defining security policies for a route-based VPN
  1. Go to Policy & Objects > IPv4 Policy.
  2. Select Create New and define an ACCEPT security policy to permit communication between the local private network and the private network behind the remote peer. Enter these settings in particular:
  3. Name

    Enter a name for the security policy.

    Incoming Interface

    Select the interface that connects to the private network behind this FortiGate unit.

    Outgoing Interface

    Select the IPsec Interface you configured.

    Source

    Select the address name that you defined for the private network behind this FortiGate unit.

    Destination Address

    Select the address name that you defined for the private network behind the remote peer.

    Action

    Select ACCEPT.

    NAT

    Disable NAT.

    To permit the remote client to initiate communication, you need to define a security policy for communication in that direction.

  4. Select Create New and enter these settings in particular:
  5. Name

    Enter a name for the security policy.

    Incoming Interface

    Select the IPsec Interface you configured.

    Outgoing Interface

    Select the interface that connects to the private network behind this FortiGate unit.

    Source

    Select the address name that you defined for the private network behind the remote peer.

    Destination Address

    Select the address name that you defined for the private network behind this FortiGate unit.

    Action

    Select ACCEPT.

    NAT

    Disable NAT.

Defining security policies

Security policies allow IP traffic to pass between interfaces on a FortiGate unit. You can limit communication to particular traffic by specifying source address and destination addresses. Then only traffic from those addresses will be allowed.

Policy-based and route-based VPNs require different security policies.

  • A policy-based VPN requires an IPsec security policy. You specify the interface to the private network, the interface to the remote peer and the VPN tunnel. A single policy can enable traffic inbound, outbound, or in both directions.
  • A route-based VPN requires an Accept security policy for each direction. As source and destination interfaces, you specify the interface to the private network and the virtual IPsec interface (Phase 1 configuration) of the VPN. The IPsec interface is the destination interface for the outbound policy and the source interface for the inbound policy. One security policy must be configured for each direction of each VPN interface.

There are examples of security policies for both policy-based and route-based VPNs throughout this guide. See Route-based or policy-based VPN.

note icon If the security policy, which grants the VPN Connection is limited to certain services, DHCP must be included, otherwise the client won’t be able to retrieve a lease from the FortiGate’s (IPsec) DHCP server, because the DHCP Request (coming out of the tunnel) will be blocked.

Policy-based VPN

An IPsec security policy enables the transmission and reception of encrypted packets, specifies the permitted direction of VPN traffic, and selects the VPN tunnel. In most cases, a single policy is needed to control both inbound and outbound IP traffic through a VPN tunnel. Be aware of the following considerations below before creating an IPsec security policy.

Allow traffic to be initiated from the remote site

Security policies specify which IP addresses can initiate a tunnel. By default, traffic from the local private network initiates the tunnel. When the Allow traffic to be initiated form the remote site option is selected, traffic from a dialup client, or a computer on a remote network, initiates the tunnel. Both can be enabled at the same time for bi-directional initiation of the tunnel.

Outbound and inbound NAT

When a FortiGate unit operates in NAT mode, you can also enable inbound or outbound NAT. Outbound NAT may be performed on outbound encrypted packets or IP packets in order to change their source address before they are sent through the tunnel. Inbound NAT is performed to intercept and decrypt emerging IP packets from the tunnel.

By default, these options are not selected in security policies and can only be set through the CLI.

Source and destination addresses

Most security policies control outbound IP traffic. A VPN outbound policy usually has a source address originating on the private network behind the local FortiGate unit, and a destination address belonging to a dialup VPN client or a network behind the remote VPN peer. The source address that you choose for the security policy identifies from where outbound cleartext IP packets may originate, and also defines the local IP address or addresses that a remote server or client will be allowed to access through the VPN tunnel. The destination address that you choose identifies where IP packets must be forwarded after they are decrypted at the far end of the tunnel, and determines the IP address or addresses that the local network will be able to access at the far end of the tunnel.

Enabling other policy features

You can fine-tune a policy for services such as HTTP, FTP, and POP3, enable logging, traffic shaping, antivirus protection, web filtering, email filtering, file transfer, email services, and optionally allow connections according to a predefined schedule.

As an option, differentiated services (diffserv or DSCP) for the security policy can be enabled through the CLI.

Before you begin

Before you define the IPsec policy, you must:

Defining an IPsec security policy
  1. Go to Policy & Objects > IPv4 Policy.
  2. Select Create New and set the following options:
  3. Name

    Enter a name for the security policy.

    Incoming Interface

    Select the local interface to the internal (private) network.

    Outgoing Interface

    Select the local interface to the external (public) network.

    Source

    Select the name that corresponds to the local network, server(s), or host(s) from which IP packets may originate.

    Destination Address

    Select the name that corresponds to the remote network, server(s), or host(s) to which IP packets may be delivered.

    Schedule

    Keep the default setting (always) unless changes are needed to meet specific requirements.

    Service

    Keep the default setting (ALL) unless changes are needed to meet your specific requirements.

    Action

    For the purpose of this configuration, set Action to IPsec. Doing this will close Firewall / Network Options and open VPN Tunnel options. Select the VPN tunnel of your choice, and select Allow traffic to be initiated from the remote site, which will allow traffic from the remote network to initiate the tunnel.

  4. You may enable UTM features, and/or event logging, or select advanced settings to authenticate a user group, or shape traffic.
  5. Select OK.
  6. Place the policy in the policy list above any other policies having similar source and destination addresses.

Defining multiple IPsec policies for the same tunnel

You must define at least one IPsec policy for each VPN tunnel. If the same remote server or client requires access to more than one network behind a local FortiGate unit, the FortiGate unit must be configured with an IPsec policy for each network. Multiple policies may be required to configure redundant connections to a remote destination or control access to different services at different times.

To ensure a secure connection, the FortiGate unit must evaluate policies with Action set to IPsec before ACCEPT and DENY. Because the FortiGate unit reads policies starting at the top of the list, you must move all IPsec policies to the top of the list, and be sure to reorder your multiple IPsec policies that apply to the tunnel so that specific constraints can be evaluated before general constraints.

note icon Adding multiple IPsec policies for the same VPN tunnel can cause conflicts if the policies specify similar source and destination addresses, but have different settings for the same service. When policies overlap in this manner, the system may apply the wrong IPsec policy or the tunnel may fail.

For example, if you create two equivalent IPsec policies for two different tunnels, it does not matter which one comes first in the list of IPsec policies — the system will select the correct policy based on the specified source and destination addresses. If you create two different IPsec policies for the same tunnel (that is, the two policies treat traffic differently depending on the nature of the connection request), you might have to reorder the IPsec policies to ensure that the system selects the correct IPsec policy.

Route-based VPN

When you define a route-based VPN, you create a virtual IPsec interface on the physical interface that connects to the remote peer. You create ordinary Accept security policies to enable traffic between the IPsec interface and the interface that connects to the private network. This makes configuration simpler than for policy-based VPNs, which require IPsec security policies.

Defining security policies for a route-based VPN
  1. Go to Policy & Objects > IPv4 Policy.
  2. Select Create New and define an ACCEPT security policy to permit communication between the local private network and the private network behind the remote peer. Enter these settings in particular:
  3. Name

    Enter a name for the security policy.

    Incoming Interface

    Select the interface that connects to the private network behind this FortiGate unit.

    Outgoing Interface

    Select the IPsec Interface you configured.

    Source

    Select the address name that you defined for the private network behind this FortiGate unit.

    Destination Address

    Select the address name that you defined for the private network behind the remote peer.

    Action

    Select ACCEPT.

    NAT

    Disable NAT.

    To permit the remote client to initiate communication, you need to define a security policy for communication in that direction.

  4. Select Create New and enter these settings in particular:
  5. Name

    Enter a name for the security policy.

    Incoming Interface

    Select the IPsec Interface you configured.

    Outgoing Interface

    Select the interface that connects to the private network behind this FortiGate unit.

    Source

    Select the address name that you defined for the private network behind the remote peer.

    Destination Address

    Select the address name that you defined for the private network behind this FortiGate unit.

    Action

    Select ACCEPT.

    NAT

    Disable NAT.