In the previous part we discussed some basic firewall policies that every firewall setup requires. Let's move on to some more advanced policies.
You can access the previous article here: The FortiGate recipe part 1
In this article we are going to create some policies that are needed to protect your network from unauthorized access and from bad traffic.
So, without too much theory, let's begin.
Table of contents
· Block Whole Social Media using FortiGuard categories
· Site-to-Site IPsec VPN Tunnel with two FortiGates
· Simplifying Policies with Zones
Block Whole Social Media using FortiGuard categories
In this part we are going to explain how to block access to social media websites using FortiGuard categories.
One thing to keep in mind: an active FortiGuard Web Filtering license is required to use this function.
Web filtering with FortiGuard categories lets you take action against a whole group of websites, whereas a static URL filter is intended to block or monitor specific URLs.
Enable Web Filter
Go to System > Feature Visibility and enable the Web Filter feature.
Edit Default Web Filter Profile
Go to Security Profiles > Web Filter, edit the default web filter profile and make sure that the "FortiGuard category based filter" is enabled.
Right-click the General Interest FortiGuard category, scroll down to the Social Networking subcategory and set the action to "Block" as shown below.
Add Web Filter Profile to Internet Access Policy
Go to Policy & Objects > Firewall Policy and create a new policy.
Name the policy "Blocking-social-media" to make it identifiable. Set the incoming interface to the internal network and the outgoing interface to the internet-facing interface. Set the rest to allow "ALL" traffic (or select multiple rules with the + icon), set the action to "Accept", enable "NAT" and make sure "Use Outgoing Interface Address" is enabled.
Scroll down to Security Profiles, enable Web Filter, select the default web filter profile and save the configuration.
You have now enabled the social media blocking policy; move it to the top of the policy list to make it effective.
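The same result from the FortiOS CLI, as an added example that is not part of the article: the category block in the default profile, the policy that applies it, and the reordering step. Interface names "internal" and "wan1" and the category ID are assumptions, as noted in the comments.

```fortios
# Added example, not from the article: CLI equivalent of the GUI steps above.
# Assumed names: "internal" = LAN interface, "wan1" = internet interface.
# Category 37 is assumed to be FortiGuard "Social Networking"; confirm it in
# the profile's category list before relying on it.
config webfilter profile
    edit "default"
        config ftgd-wf
            config filters
                # If the default profile already has an entry for this
                # category, edit that entry's ID instead of adding one.
                edit 37
                    set category 37
                    set action block
                next
            end
        end
    next
end
config firewall policy
    edit 0
        set name "Blocking-social-media"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # Security profiles only apply when utm-status is enabled, and a
        # web filter needs an SSL/SSH inspection profile to see HTTPS hosts.
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set nat enable
    next
end
# Policies match top-down: place this one above the general internet policy.
# Replace the IDs with the ones shown by "show firewall policy".
config firewall policy
    move 2 before 1
end
```

If a broader "allow all" policy sits above this one, traffic matches it first and the web filter never runs, which is why the move matters.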
Site-to-Site IPsec VPN Tunnel with two FortiGates
In this part we are going to configure a site-to-site IPsec VPN tunnel to allow communication between two networks that are situated behind different FortiGates.
We are going to create an IPsec VPN tunnel between two FortiGates, one called HQ (Headquarters) and the other called Branch.
Configure IPsec VPN on HQ
On the HQ FortiGate, go to VPN > IPsec Wizard and create a new tunnel.
In the VPN Setup section, enter a VPN name to make it identifiable, set Template type to Site to Site, set NAT configuration to No NAT between sites and set Remote device type to FortiGate.
In the Authentication section, set IP address to the public IP address of the Branch FortiGate.
After entering the IP address, an outgoing interface is assigned automatically. You can change the interface from the drop-down menu as per your requirement.
Set a secure pre-shared key; it is used by both FortiGates to authenticate the connection.
In the Policy & Routing section, set Local interface to the LAN interface (in my case "Port1" is dedicated to the LAN); the local subnets are added automatically. Then set Remote Subnets to the Branch network and set Internet Access to "None" as shown below.
Review the configuration summary, which shows the interfaces, firewall addresses, routes and policies that will be created. After verifying it, select Create.
After creating the VPN, you can verify the details as shown below.
Configure IPsec VPN on Branch
On the Branch FortiGate, go to VPN > IPsec Wizard and create a new tunnel.
In the VPN Setup section, enter a VPN name to make it identifiable, set Template type to Site to Site, set NAT configuration to "No NAT between sites" and set Remote device type to FortiGate.
In the Authentication section, set IP address to the public IP address of the Branch FortiGate.
After entering the IP address, an outgoing interface is assigned automatically. You can change the interface from the drop-down menu as per your requirement.
Set the same secure pre-shared key that was used on the HQ FortiGate's VPN.
In the Policy & Routing section, set Local interface to the LAN interface (in my case "Port2" is dedicated to the LAN); the local subnets are added automatically. Then set Remote Subnets to the HQ (Headquarters) network and set Internet Access to "None" as shown below.
Review the configuration summary, which shows the interfaces, firewall addresses, routes and policies that will be created. After verifying it, select Create.
After creating the VPN, you can verify the details as shown below.
You can also verify it by checking that users at Headquarters (HQ) can access resources on the Branch internal network, and vice versa.
To test the connection, ping the HQ LAN interface from a device on the Branch internal network.
You can also check the VPN log events by going to Log & Report > Events > VPN Events, where you can see every single VPN log.
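What the wizard creates on the HQ side, written out as FortiOS CLI; this is an added example, not configuration from the article. The interface name "wan1", the addresses 203.0.113.2, 10.10.0.0/24 and 10.20.0.0/24, and the object names are assumed values, and the remote gateway on each FortiGate is always the other side's public IP.

```fortios
# Added example, not from the article: HQ side of the tunnel the wizard builds.
# Assumed values: wan1 = HQ internet interface, 203.0.113.2 = Branch public IP,
# 10.10.0.0/24 = HQ LAN on port1, 10.20.0.0/24 = Branch LAN. The Branch side is
# the same with the subnets swapped and remote-gw set to the HQ public IP.
config vpn ipsec phase1-interface
    edit "HQ-to-Branch"
        set interface "wan1"
        set remote-gw 203.0.113.2
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "REPLACE_WITH_LONG_RANDOM_PSK"
    next
end
config vpn ipsec phase2-interface
    edit "HQ-to-Branch"
        set phase1name "HQ-to-Branch"
        set proposal aes256-sha256
        set src-subnet 10.10.0.0 255.255.255.0
        set dst-subnet 10.20.0.0 255.255.255.0
    next
end
config firewall address
    edit "HQ_LAN"
        set subnet 10.10.0.0 255.255.255.0
    next
    edit "Branch_LAN"
        set subnet 10.20.0.0 255.255.255.0
    next
end
# Only the Branch subnet is routed into the tunnel ("Internet access: None").
config router static
    edit 0
        set dst 10.20.0.0 255.255.255.0
        set device "HQ-to-Branch"
    next
end
# Scope to the LAN objects, not "all"; a mirror policy (tunnel -> port1, addresses swapped) allows the return direction.
config firewall policy
    edit 0
        set name "HQ-LAN-to-Branch"
        set srcintf "port1"
        set dstintf "HQ-to-Branch"
        set srcaddr "HQ_LAN"
        set dstaddr "Branch_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# Check tunnel state with: get vpn ipsec tunnel summary
```

The same pre-shared key must be set on both sides, and a long random value matters because the PSK is the only thing authenticating the peers in this setup.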
Simplifying Policies with Zones
In this part we're going to explain how to group multiple interfaces into a zone to simplify firewall policies.
We will create multiple VLANs and add them to a zone, so that we can use the single zone object as the source interface in our firewall policy rather than referencing each interface separately.
Create VLAN Interfaces
Go to Network > Interfaces and create a new interface.
Enter the name for the interface (VLAN10, or whatever you want), set the type to VLAN, set Interface to LAN, enter the VLAN ID and the VRF ID, assign the Role to LAN, set the Addressing mode to Manual, enter the IP/Netmask provided by your ISP and set the Administrative Access to HTTPS and PING.
Enable the DHCP server, assign the address range and save the configuration.
Next, create another interface (VLAN20) by making the same selections: go to Network > Interfaces, create a new interface, enter the name, set the type to VLAN, set Interface to LAN, enter the VLAN ID and VRF ID, assign the Role to LAN, set the Addressing mode to Manual, enter the IP/Netmask and set the Administrative Access to HTTPS and PING. Enable the DHCP server, assign the address range and save the configuration.
Finally, create a third VLAN (VLAN30) with the same selections, enable its DHCP server, assign the address range and save the configuration.
Review the interface list to see the VLANs you have created.
Create an Interface Zone
Go to Network > Interfaces and select Create New > Zone.
Name the zone "VLAN Zone" to make it identifiable and add the newly created VLANs to it as shown below.
Review the zone list to see the VLANs that you have added.
Create a Zone Firewall Policy
Go to Policy & Objects > Firewall Policy and create a new policy that will allow any VLAN in the zone we created to access the internet.
Name the policy "VLAN Zone Policy" to make it identifiable, set the incoming interface to your zone and the outgoing interface to the internet-facing interface, and configure the rest as per your requirements.
Select the security profiles as per your requirements and save the configuration by selecting OK.
To make this policy effective, move it to the top of the list (or wherever it belongs in your environment's policy order).
Similarly, you can create as many policies as you want.
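The VLAN, zone and policy steps above as FortiOS CLI, added here as an example and not taken from the article. The parent interface "lan", the VLAN IDs, the 192.168.x.0/24 addresses and "wan1" are assumed values, and the DHCP scopes are left out.

```fortios
# Added example, not from the article: three VLAN sub-interfaces on "lan",
# grouped into one zone and referenced by a single policy. Interface names,
# VLAN IDs, addresses and "wan1" are assumed values.
config system interface
    edit "VLAN10"
        set vdom "root"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping https
        set role lan
        set interface "lan"
        set vlanid 10
    next
    edit "VLAN20"
        set vdom "root"
        set ip 192.168.20.1 255.255.255.0
        set allowaccess ping https
        set role lan
        set interface "lan"
        set vlanid 20
    next
    edit "VLAN30"
        set vdom "root"
        set ip 192.168.30.1 255.255.255.0
        set allowaccess ping https
        set role lan
        set interface "lan"
        set vlanid 30
    next
end
# Default intrazone deny keeps the VLANs segmented from each other while they share one outbound policy.
config system zone
    edit "VLAN Zone"
        set intrazone deny
        set interface "VLAN10" "VLAN20" "VLAN30"
    next
end
config firewall policy
    edit 0
        set name "VLAN Zone Policy"
        set srcintf "VLAN Zone"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Once an interface belongs to a zone it can no longer be referenced on its own in a policy; use the zone name instead.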
Let's end here.
Reference: http://docs.fortinet.com/document/fortigate/6.2.4/cookbook/856100/dashboard