Version: 7.2.0

Creating policy packages and firewall policies

Note

The following policies are provided to allow traffic to flow between the branches and the hub. They require further security configuration to secure the communication.

The following is a summary of how to create the policy packages:

  1. Create a policy package for branch devices. See Creating the branch policy package and policies.

    These firewall policies leverage the SD-WAN zones and interfaces.

  2. Create a policy package for the hub device. See Creating the hub policy package and policies.

Creating the branch policy package and policies

To create the branch policy package and policies:
  1. In FortiManager, go to Policy & Objects.
  2. Create a policy package named Branches:
    1. From the Policy Package menu, select New.

      The Create New Policy Package dialog box is displayed.

    2. Set name to Branches, and click OK.

      The policy package named Branches is created.

  3. In the branches policy package, create a firewall policy named Branch to DC:
    1. Select the Branches policy package, and click Create New. The Create New Firewall Policy pane opens.
    2. Set the following options, and click OK:

      Name: Branch to DC
      Incoming Interface: LAN
      Outgoing Interface: HUB1, HUB2
      IPv4 Source Address: Branch network
      IPv4 Destination Address: Datacenter LAN1, Cloud LAN1
      Action: Accept

      Note

      You may need to split the above rule into individual rules for each HUB, if their security needs differ, such as permitted services and security profiles.

      The firewall policy is created.

  4. In the branches policy package, create a firewall policy named Direct Internet Access:
    1. Select the Branches policy package, and click Create New. The Create New Firewall Policy pane opens.
    2. Set the following options, and click OK:

      Name: Direct Internet Access
      Incoming Interface: LAN
      Outgoing Interface: WAN1, WAN2
      IPv4 Source Address: Branch network
      IPv4 Destination Address: all
      Action: Accept
      NAT: Enable

      The firewall policy is created.

  5. Assign the branches policy package to the branch device group:
    1. On the Policy & Objects pane, expand the Branches policy package, and select Installation Targets.
    2. In the toolbar, click Edit. The Edit Installation Targets dialog box opens.
    3. In the Available Entries list, select the Branches group, and click the right arrow (>) to move it to the Selected Entries list.

    4. Click OK.

      The installation target for the branches policy package is the Branches device group.

Creating the hub policy package and policies

To create the hub policy package and policies:
  1. In FortiManager, go to Policy & Objects.
  2. Create a policy package named HUB:
    1. From the Policy Package menu, select New.

      The Create New Policy Package dialog box is displayed.

    2. Set name to HUB, and click OK.

      The policy package named HUB is created.

  3. In the HUB policy package, create a firewall policy named SLA-HealthCheck:
    1. Select the HUB policy package, and click Create New. The Create New Firewall Policy pane opens.
    2. Set the following options, and click OK:

      Name: SLA-HealthCheck
      Incoming Interface: VPN1, VPN2
      Outgoing Interface: HUB-Loopback
      IPv4 Source Address: Overlay Tunnels (create a new address object for 10.10.0.0/16)
      IPv4 Destination Address: all
      Action: Accept

      The firewall policy is created.

  4. In the HUB policy package, create a firewall policy named Branch to Datacenter:
    1. Select the HUB policy package, and click Create New. The Create New Firewall Policy pane opens.
    2. Set the following options, and click OK:

      Name: Branch to Datacenter
      Incoming Interface: VPN1, VPN2
      Outgoing Interface: LAN
      IPv4 Source Address: Branch Network
      IPv4 Destination Address: Datacenter LAN1
      Action: Accept

      The firewall policy is created.

  5. Assign the HUB policy package to the HUB1 and HUB2 devices:
    1. On the Policy & Objects pane, expand the HUB policy package, and select Installation Targets.
    2. In the toolbar, click Edit. The Edit Installation Targets dialog box opens.
    3. In the Available Entries list, select the HUB1 and Cloud-Gateway devices, and click the right arrow (>) to move them to the Selected Entries list.

    4. Click OK.

      The installation target for the HUB policy package is the HUB1 and HUB2 devices.
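The note at the top of this section says these policies only open the paths between branches and hub and still need security configuration. The following added example (not FortiManager or Fortinet code, and not from this page) models the two branch policies and the two hub policies above as data, runs a hardening audit over them that flags the gaps a reviewer would raise (service ALL, destination all, no security profiles, NAT to any destination, and one rule spanning several outgoing interfaces, which the page's note says may need splitting per hub), and renders each package in FortiOS `config firewall policy` CLI syntax as an assumed equivalent of what FortiManager installs. The `Policy` class, the finding codes, the policy IDs, and the defaults of service `ALL` and no profiles are assumptions; the page sets neither services nor profiles.

```python
"""Audit the page's SD-WAN firewall policies and render equivalent FortiOS CLI.
Added example, not FortiManager/Fortinet code. Policy IDs, finding codes and the
'ALL' service / empty-profile defaults are assumptions (the page leaves them unset)."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    srcintf: list
    dstintf: list
    srcaddr: list
    dstaddr: list
    action: str = "accept"
    nat: bool = False
    # Assumed defaults: the page does not set services or security profiles.
    service: list = field(default_factory=lambda: ["ALL"])
    profiles: list = field(default_factory=list)


# Policies exactly as listed on the page. "Overlay Tunnels" is the address
# object the page says to create for 10.10.0.0/16.
BRANCH_PACKAGE = [
    Policy("Branch to DC", ["LAN"], ["HUB1", "HUB2"],
           ["Branch network"], ["Datacenter LAN1", "Cloud LAN1"]),
    Policy("Direct Internet Access", ["LAN"], ["WAN1", "WAN2"],
           ["Branch network"], ["all"], nat=True),
]
HUB_PACKAGE = [
    Policy("SLA-HealthCheck", ["VPN1", "VPN2"], ["HUB-Loopback"],
           ["Overlay Tunnels"], ["all"]),
    Policy("Branch to Datacenter", ["VPN1", "VPN2"], ["LAN"],
           ["Branch Network"], ["Datacenter LAN1"]),
]


def audit_policy(p: Policy) -> list:
    """Return finding codes for an accept policy that still needs hardening."""
    findings = []
    if p.action != "accept":
        return findings
    if "ALL" in p.service:
        findings.append("service-all")    # restrict to the services actually needed
    if "all" in p.dstaddr:
        findings.append("dst-all")        # narrow the destination where the design allows
    if not p.profiles:
        findings.append("no-profiles")    # no AV/IPS/web-filter profile applied
    if p.nat and "all" in p.dstaddr:
        findings.append("nat-to-any")     # internet-bound traffic: profiles matter most here
    if len(p.dstintf) > 1:
        findings.append("multi-dstintf")  # the page's note: split per hub if needs differ
    return findings


def audit_package(policies) -> dict:
    return {p.name: audit_policy(p) for p in policies}


def _quote(names) -> str:
    return " ".join(f'"{n}"' for n in names)


def to_fortios_cli(policy_id: int, p: Policy) -> str:
    """Render one policy in FortiOS CLI syntax (assumed equivalent of the GUI rule)."""
    lines = [
        f"    edit {policy_id}",
        f'        set name "{p.name}"',
        f"        set srcintf {_quote(p.srcintf)}",
        f"        set dstintf {_quote(p.dstintf)}",
        f"        set srcaddr {_quote(p.srcaddr)}",
        f"        set dstaddr {_quote(p.dstaddr)}",
        f"        set action {p.action}",
        '        set schedule "always"',
        f"        set service {_quote(p.service)}",
    ]
    if p.nat:
        lines.append("        set nat enable")
    lines.append("    next")
    return "\n".join(lines)


def render_package(policies) -> str:
    body = "\n".join(to_fortios_cli(i + 1, p) for i, p in enumerate(policies))
    return "config firewall policy\n" + body + "\nend"


if __name__ == "__main__":
    for pkg_name, pkg in (("Branches", BRANCH_PACKAGE), ("HUB", HUB_PACKAGE)):
        print(f"== {pkg_name} ==")
        for name, codes in audit_package(pkg).items():
            print(f"{name}: {', '.join(codes) or 'ok'}")
        print(render_package(pkg))
```

Running the script lists every policy with its findings and then the CLI for each package; a policy given explicit services and a security profile (for example `service=["HTTPS"], profiles=["default"]`) audits clean, which is the state the page's note asks you to reach before putting these packages into production.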
