9.4.0

Create FortiGate Firewall Policies

Create firewall policies to:

  • Allow network access to VPN clients authenticated by FortiNAC (authorized hosts).

  • Restrict network access to all other VPN clients. They are considered untrusted.

Workflow:

  1. When a client initially connects to the VPN tunnel, network access is restricted.

  2. While restricted, FortiNAC answers all DNS queries and only limited network access is granted. How much access is allowed depends on the organization’s policies. For example, it may be necessary to allow clients to update antivirus programs, in which case access to the internet may be required; FortiNAC controls which domains are resolved to their actual IP address.

  3. Once authenticated, clients match a FortiNAC Network Access Policy and a Logical Network is assigned. FortiNAC sends the group or tag associated with the Logical Network to the FortiGate.

  4. The matching FortiGate firewall policy applies the appropriate network access.

Note:

  • FOS v6.0: Adding FSSO groups in firewall policies via UI is not available when the policy’s source interface is set to SSL-VPN. Support added in 6.2.3, 6.4.0 and later. See Appendix for workaround.

  • The following examples are for illustration purposes. It is up to the firewall administrator to configure their policies as appropriate to achieve the above goals.

  • It is assumed the applicable components required for firewall policies have already been configured (such as network interfaces).

    UI: Policy & Objects > IPv4 Policy

Allow Network Access for Authorized Hosts

Create firewall policies to allow network access for authorized hosts:

  • Block DNS (at a minimum) or all traffic to/from the FortiNAC VPN Interface (ensures DNS requests from authorized hosts are forwarded to production DNS).

Block DNS to FortiNAC

  Name                        Name of Policy
  Incoming Interface (From)   Any
  Outgoing Interface (To)     FortiNAC VPN Isolation Network
  Source                      VPN IP Address Object(s)
                              FSSO Group
  Destination                 VPN Isolation Interface Address
  Schedule                    Always
  Service                     DNS or ALL
  Action                      DENY
  Enable this policy          enable

  • Allow traffic to/from the desired network destinations.

Example

Legend:

  FNAC_SSL_VPN_ADDR     VPN IP Address Object (SSL)
  FNAC_IPsec_VPN_ADDR   VPN IP Address Object (IPsec)
  VPN_AUTH              FSSO Group sent by FortiNAC
  SERVER NET            FortiNAC VPN Isolation Network
  FNAC_ETH1_VPN         VPN Isolation Interface Address
  wan1                  Interface to internet
  MGMT NET              Internal

ID 10: Block VPN traffic from any network to FortiNAC VPN Interface

ID 11: Allow VPN traffic from any interface out to the internet

ID 13: Allow VPN traffic from any interface to the Management network

Restrict Network Access for Unauthorized Hosts

Create policies for managed VPN connections to restrict network access for unauthorized hosts. These are the default policies used until a host is authenticated with FortiNAC.

  • Allow traffic to/from FortiNAC VPN Interface (to ensure DNS requests are forwarded to FortiNAC)

  Name                        Name of policy
  Incoming Interface (From)   VPN Interface
  Outgoing Interface (To)     FortiNAC VPN Isolation Network (Inside)
  Source                      SSL_VPN Address Object
  Destination                 FortiNAC VPN Isolation Interface address
  Schedule                    Always
  Service                     All
  Action                      ACCEPT

  • Block all other traffic.

Example

ID 9 & 15: Allow SSL and IPsec VPN traffic to the FortiNAC VPN eth1 interface

ID 12 & 16: Block SSL and IPsec VPN traffic to all interfaces

Rank new policies in the following order:

  1. Policies matching authenticated users (allowing regular network access)

  2. Policies allowing traffic to FortiNAC eth1 (restricting network traffic).

If an endpoint does not match a policy that permits regular network access (IDs 10, 11, 13), the endpoint is considered untrusted. Therefore, apply the policies that restrict the endpoint’s network access to the FortiNAC Service Network (IDs 9, 12, 15, 16).
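The same policy set and ranking expressed in FortiOS CLI, as an added example that is not part of this guide or Fortinet's own documentation. The address objects and the FSSO group are the names from the Legend above; the interface names port2 (FortiNAC VPN Isolation Network) and ssl.root (SSL-VPN interface), the policy names, and NAT on the internet policy are assumptions for illustration.

```fortios
config firewall policy
    edit 10
        set name "VPN_Auth_Block_DNS_to_FortiNAC"
        set srcintf "any"
        set dstintf "port2"
        set srcaddr "FNAC_SSL_VPN_ADDR" "FNAC_IPsec_VPN_ADDR"
        set dstaddr "FNAC_ETH1_VPN"
        set groups "VPN_AUTH"
        set schedule "always"
        set service "DNS"
        set action deny
    next
    edit 11
        set name "VPN_Auth_Allow_Internet"
        set srcintf "any"
        set dstintf "wan1"
        set srcaddr "FNAC_SSL_VPN_ADDR" "FNAC_IPsec_VPN_ADDR"
        set dstaddr "all"
        set groups "VPN_AUTH"
        set schedule "always"
        set service "ALL"
        set action accept
        set nat enable
    next
    edit 9
        set name "VPN_Unauth_Allow_FortiNAC_eth1"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "FNAC_SSL_VPN_ADDR"
        set dstaddr "FNAC_ETH1_VPN"
        set schedule "always"
        set service "ALL"
        set action accept
    next
    edit 12
        set name "VPN_Unauth_Block_All"
        set srcintf "ssl.root"
        set dstintf "any"
        set srcaddr "FNAC_SSL_VPN_ADDR"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set action deny
    next
    move 10 before 9
    move 11 before 9
end
```

The two move commands place the authenticated-user policies (10, 11) above the restricted default policies (9, 12) so that a VPN client carrying the VPN_AUTH group matches regular access first, while a client without the group falls through to the FortiNAC-only allow and the final deny. Policies 13, 15 and 16 follow the same pattern with the Management network and the IPsec address object.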

Proceed to Validate.