Creating policy packages and firewall policies
The following policies are provided to allow traffic to flow between branches and hub. They require further security configuration to secure the communication. These firewall policies leverage the SD-WAN zones and interfaces.
Following is a summary of how to create the policy packages:
- Create a policy package for branch devices. See Creating the branch policy package and policies.
- Create a policy package for the hub device. See Creating the hub policy package and policies.
Creating the branch policy package and policies
To create the branch policy package and policies:
- In FortiManager, go to Policy & Objects.
- Create a policy package named Branches:
- From the Policy Package menu, select New.
The Create New Policy Package dialog box is displayed.
- Set name to Branches, and click OK.
The policy package named Branches is created.
- In the Branches policy package, create a firewall policy named Branch to DC:
- Select the Branches policy package, and click Create New. The Create New Firewall Policy pane opens.
- Set the following options, and click OK:
| Option | Value |
| --- | --- |
| Name | Branch to DC |
| Incoming Interface | LAN |
| Outgoing Interface | HUB1 |
| IPv4 Source Address | Branch network |
| IPv4 Destination Address | Datacenter LAN1 |
| Action | Accept |
The firewall policy is created.
- In the Branches policy package, create a firewall policy named Direct Internet Access:
- Select the Branches policy package, and click Create New. The Create New Firewall Policy pane opens.
- Set the following options, and click OK:
| Option | Value |
| --- | --- |
| Name | Direct Internet Access |
| Incoming Interface | LAN |
| Outgoing Interface | wan1, wan2 |
| IPv4 Source Address | Branch network |
| IPv4 Destination Address | all |
| Action | Accept |
| NAT | Enable |
The firewall policy is created.
- Assign the Branches policy package to the branch device group:
- On the Policy & Objects pane, expand the Branches policy package, and select Installation Targets.
- In the toolbar, click Edit. The Edit Installation Targets dialog box opens.
- In the Available Entries list, select the Branches group, and click the right arrow (>) to move it to the Selected Entries list.
- Click OK.
The installation target for the Branches policy package is the Branches device group.
Creating the hub policy package and policies
To create the hub policy package and policies:
- In FortiManager, go to Policy & Objects.
- Create a policy package named HUB:
- From the Policy Package menu, select New.
The Create New Policy Package dialog box is displayed.
- Set name to HUB, and click OK.
The policy package named HUB is created.
- In the HUB policy package, create a firewall policy named SLA-HealthCheck:
- Select the HUB policy package, and click Create New. The Create New Firewall Policy pane opens.
- Set the following options, and click OK:
| Option | Value |
| --- | --- |
| Name | SLA-HealthCheck |
| Incoming Interface | VPN1, VPN2 |
| Outgoing Interface | HUB-Lo |
| IPv4 Source Address | Overlay Tunnels, 10.10.0.0/16 (create new address object) |
| IPv4 Destination Address | all |
| Action | Accept |
The firewall policy is created.
- In the HUB policy package, create a firewall policy named Branch to Datacenter:
- Select the HUB policy package, and click Create New. The Create New Firewall Policy pane opens.
- Set the following options, and click OK:
| Option | Value |
| --- | --- |
| Name | Branch to Datacenter |
| Incoming Interface | VPN1, VPN2 |
| Outgoing Interface | LAN |
| IPv4 Source Address | Overlay tunnels |
| IPv4 Destination Address | Datacenter LAN1 |
| Action | Accept |
The firewall policy is created.
- In the HUB policy package, create a firewall policy named Datacenter to Branch:
- Select the HUB policy package, and click Create New. The Create New Firewall Policy pane opens.
- Set the following options, and click OK:
| Option | Value |
| --- | --- |
| Name | Datacenter to Branch |
| Incoming Interface | LAN |
| Outgoing Interface | VPN1, VPN2 |
| IPv4 Source Address | Datacenter LAN1 |
| IPv4 Destination Address | Branch network |
| Action | Accept |
The firewall policy is created.
- Assign the HUB policy package to the HUB1 device:
- On the Policy & Objects pane, expand the HUB policy package, and select Installation Targets.
- In the toolbar, click Edit. The Edit Installation Targets dialog box opens.
- In the Available Entries list, select the HUB1 device, and click the right arrow (>) to move it to the Selected Entries list.
- Click OK.
The installation target for the HUB policy package is the HUB1 device.
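The page states that both packages "require further security configuration" before the communication is secure, but does not say which settings to review. The following added example (not Fortinet's code, and not part of this page) transcribes the five policies from the tables above into a small pre-install review script. The rules it applies (flag a policy with no service restriction, no security profile, or an internal/overlay policy that accepts to any destination) and the `services` and `security_profiles` fields are this example's own assumptions; the page's tables set neither.

```python
"""Pre-install review of the Branches and HUB policy packages described above.

Added example, not Fortinet code. The policy definitions are transcribed from
this page's tables; the review rules and the `services` / `security_profiles`
fields are assumptions about what "further security configuration" should cover.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List


@dataclass
class FirewallPolicy:
    package: str
    name: str
    srcintf: List[str]
    dstintf: List[str]
    srcaddr: List[str]
    dstaddr: List[str]
    action: str = "accept"
    nat: bool = False
    # Assumed fields: the page's tables leave service and profiles unset,
    # which the review treats as "unrestricted" and "uninspected".
    services: List[str] = field(default_factory=list)
    security_profiles: List[str] = field(default_factory=list)


# The five policies exactly as the tables on this page define them.
POLICIES: List[FirewallPolicy] = [
    FirewallPolicy("Branches", "Branch to DC", ["LAN"], ["HUB1"],
                   ["Branch network"], ["Datacenter LAN1"]),
    FirewallPolicy("Branches", "Direct Internet Access", ["LAN"], ["wan1", "wan2"],
                   ["Branch network"], ["all"], nat=True),
    FirewallPolicy("HUB", "SLA-HealthCheck", ["VPN1", "VPN2"], ["HUB-Lo"],
                   ["Overlay Tunnels"], ["all"]),
    FirewallPolicy("HUB", "Branch to Datacenter", ["VPN1", "VPN2"], ["LAN"],
                   ["Overlay tunnels"], ["Datacenter LAN1"]),
    FirewallPolicy("HUB", "Datacenter to Branch", ["LAN"], ["VPN1", "VPN2"],
                   ["Datacenter LAN1"], ["Branch network"]),
]


def review_policy(p: FirewallPolicy) -> List[str]:
    """Return finding codes for one policy; an empty list means no findings."""
    findings: List[str] = []
    if p.action != "accept":
        return findings  # deny policies need no inspection settings
    if not p.services:
        findings.append("unrestricted-service")      # service defaults to ALL
    if not p.security_profiles:
        findings.append("no-security-profile")       # traffic is not inspected
    if "all" in p.dstaddr and not p.nat:
        # An overlay/internal policy that accepts to any destination: scope it
        # (for example, the SLA-HealthCheck policy could be limited to the
        # loopback address that the health checks actually target).
        findings.append("any-destination-internal")
    return findings


def review_packages(policies: List[FirewallPolicy]) -> Dict[str, Dict[str, List[str]]]:
    """Group findings by package, keeping only policies that have findings."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for p in policies:
        package = report.setdefault(p.package, {})
        findings = review_policy(p)
        if findings:
            package[p.name] = findings
    return report


def harden(p: FirewallPolicy, services: List[str], profiles: List[str],
           dstaddr: List[str] = None) -> FirewallPolicy:
    """Return a copy of the policy with the tightened settings applied."""
    return replace(p, services=list(services), security_profiles=list(profiles),
                   dstaddr=list(dstaddr) if dstaddr is not None else list(p.dstaddr))


if __name__ == "__main__":
    for package, per_policy in review_packages(POLICIES).items():
        print(f"Package {package}:")
        for name, findings in per_policy.items():
            print(f"  {name}: {', '.join(findings)}")
```

Run as written, the script reports findings for all five policies; the `harden` helper shows what closes them, for example scoping the SLA-HealthCheck destination to the loopback's address object and attaching an inspection profile to the Direct Internet Access policy.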