Updating firewall policies

Let’s now add firewall policies to permit Internet traffic. Different treatment is required, depending on whether it is DIA or RIA:

  • For DIA, since the traffic leaves our network directly from the Branch, we must ensure advanced protection. In this lab, we are going to apply full SSL inspection (while this alone is not particularly advanced, it is enough to demonstrate our point). In addition, this traffic must be NATed on the Spokes.
  • For RIA, the traffic will be backhauled via the DC, hence advanced security can be applied there, as it would happen in a legacy network. In this lab, RIA traffic will leave our network via the Hub, so we are going to apply full SSL inspection on the Hub, but not on the Spokes. In addition, this traffic must be NATed on the Hubs, but not on the Spokes.

After you update the policy packages, install them.

Note

We must enable Application Control on all these firewall rules, since our SD-WAN rules rely on it!

To create a policy package and firewall policy rules for spokes:
  1. Go to Policy & Objects > Policy Packages.
  2. In the tree menu, select the policy package for spokes, for example, Branches-PP. The firewall policies in the policy package are displayed.
  3. Add policies to the firewall policy:
    1. In the toolbar, click Create New. The Create New Firewall Policy pane is displayed.
    2. Create the following policies for spokes, and click OK.

      Name | From   | To       | Service | NAT | Action
      DIA  | vl_lan | underlay | All     | Yes | Accept + App Control + SSL deep-inspection
      RIA  | vl_lan | overlay  | ALL     | No  | Accept + App Control

      Note

      SD-WAN Zones on Spokes are used to configure different treatment for the traffic flowing to underlay versus overlay. Remember that this will be exactly the same type of traffic, and the actual path for each session will be determined by the SD-WAN rules.

      The rules are added to the firewall policy.

  4. Install the policy package.

To create a policy package and firewall policy rules for hubs:
  1. Go to Policy & Objects > Policy Packages.
  2. In the tree menu, select the policy package for hubs, for example, DataCenter-PP. The firewall policies in the policy package are displayed.
  3. Add policies to the firewall policy:
    1. In the toolbar, click Create New. The Create New Firewall Policy pane is displayed.
    2. Create the following policy for hubs, and click OK.

      Name       | From    | To    | Service | NAT | Action
      Branch RIA | OL_MPLS | port1 | All     | Yes | Accept + App Control + SSL deep-inspection

  4. Install the policy package.