FortiGate - Create Firewall Policies
- Updated on 25 Sep 2023
Below are three examples of common firewall policies and how to configure them via the FortiOS web UI.
The policy table ends with an implicit 'DENY' policy. This means that NO traffic will traverse the firewall unless a policy above it explicitly allows it. Policies are matched top to bottom and the first match wins, so keep narrow allow rules above broad ones.
We will work with you in the provisioning case to ensure that your default rules are suitable, for example where you have existing services or are migrating.
Example 1: Allow TCP Port 80 (HTTP) and TCP Port 443 (HTTPS) incoming, from any IP address.
Open the New Firewall Policy Dialog
1. Navigate to 'Policy & Objects'.
2. Click 'Firewall Policy'.
3. Click 'Create New'.
Name: Set the rule Name to something descriptive.
Type: Set the rule Type to 'Standard'.
Incoming Interface: Set the incoming interface to your WAN interface (internet).
Outgoing Interface: Set the Outgoing interface to your LAN interface (behind firewall).
Source: Click the + button and select 'all'. This allows ANY source address to reach the ports specified in this rule, which is what we want for a public HTTP/HTTPS service. Because the server is exposed to the whole internet, keep the Service list to exactly the ports it needs.
IP/MAC Based Access Control: Not used in this example.
Destination: Choose your web server's address object. If you haven't already added it, click the 'Create' button and add an 'Address' for the server's IP.
Schedule: always
Service: Click the +, and now select HTTP and HTTPS from the list. You can also create custom services here.
Action: Accept
For a standard firewall rule, you can simply disable the 'NAT' tickbox and leave everything else at its default. This works because the server's address is routed to your LAN unchanged; if the web server instead has a private address behind the firewall, the Destination must be a Virtual IP (VIP) object that maps the public address to it, since a plain address object with NAT disabled performs no translation.
Once you're happy with the rule, click OK and you're done!
Example 2: Allow custom application TCP Port 1234 incoming, but only from a specific list of IP addresses.
This type of rule is very similar to the first example above; however, before you create a rule like this you'll want to create two things:
1. A service that defines your port/protocol. In this example we're going to be using TCP port 1234.
See the separate guide on creating services.
For this example, the screenshot below shows the service we created.
2. An address or address group that lists the IP addresses allowed to access your service.
See the separate guide on creating addresses.
Once you have created your custom service and defined the addresses, you can continue to create the rule itself:
Open the New Firewall Policy Dialog
1. Navigate to 'Policy & Objects'.
2. Click 'Firewall Policy'.
3. Click 'Create New'.
Name: Give your firewall policy a descriptive name.
Type: Standard
Incoming Interface: WAN Interface
Outgoing Interface: LAN Interface
Source: Select the address or address group you created for the IP addresses that should reach the service. Any source not in that object never matches this rule and falls through to the implicit deny.
IP/MAC Based Access Control: Not used in this example.
Destination: Select the address object for your destination server (where your application listens).
Schedule: always
Service: Select the service you created (see first screenshot in example 2).
Action: Accept
Inspection Mode: Flow-Based
For the rest of the options, just disable NAT.
You can optionally add a comment or attach security profiles to the rule; in this example we don't need any of those.
Click OK once complete.
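The same two policies expressed in the FortiOS CLI, as an added example that is not part of this guide. The interface names (wan1, lan), object names and IP addresses (taken from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are placeholders; substitute your own. The `diagnose firewall iprope lookup` commands at the end ask the policy engine which policy a given flow would match, which is the quickest way to confirm a new rule is reachable and that non-listed sources really do fall through to the implicit deny.

```fortios
# Example 1: HTTP/HTTPS from anywhere to the web server.
# Placeholders: interfaces "wan1" (internet) and "lan", web server 203.0.113.20.
config firewall address
    edit "web-server"
        set subnet 203.0.113.20 255.255.255.255
    next
end
config firewall policy
    # "edit 0" allocates the next free policy ID
    edit 0
        set name "allow-http-https-in"
        set srcintf "wan1"
        set dstintf "lan"
        # any source: this is a public service
        set srcaddr "all"
        set dstaddr "web-server"
        set action accept
        set schedule "always"
        # built-in services: TCP/80 and TCP/443 only
        set service "HTTP" "HTTPS"
        set nat disable
        # log accepted sessions as well as denied ones
        set logtraffic all
    next
end

# Example 2: custom TCP/1234, allowed only from a list of sources.
# Placeholders: app server 203.0.113.30, allowed sources 198.51.100.10 and 198.51.100.0/28.
config firewall service custom
    edit "app-tcp-1234"
        set tcp-portrange 1234
    next
end
config firewall address
    edit "app-server"
        set subnet 203.0.113.30 255.255.255.255
    next
    edit "partner-host"
        set subnet 198.51.100.10 255.255.255.255
    next
    edit "office-net"
        set subnet 198.51.100.0 255.255.255.240
    next
end
config firewall addrgrp
    edit "app-allowed-sources"
        set member "partner-host" "office-net"
    next
end
config firewall policy
    edit 0
        set name "allow-app-1234-from-partners"
        set srcintf "wan1"
        set dstintf "lan"
        # anything outside the group never matches and hits the implicit deny
        set srcaddr "app-allowed-sources"
        set dstaddr "app-server"
        set action accept
        set schedule "always"
        set service "app-tcp-1234"
        set inspection-mode flow
        set nat disable
        set logtraffic all
    next
end

# Verify. Argument order: src-ip src-port dst-ip dst-port protocol src-interface
# (protocol 6 = TCP). Check the exact syntax on your firmware with
# "diagnose firewall iprope lookup ?". The first lookup should report the new
# policy; the second (a host not in the group) should match no accept policy.
diagnose firewall iprope lookup 198.51.100.10 40000 203.0.113.30 1234 6 wan1
diagnose firewall iprope lookup 198.51.100.200 40000 203.0.113.30 1234 6 wan1
show firewall policy
```

Order matters: inside `config firewall policy`, `move <id> before <id>` reorders a policy, and the lookup above is the check that the rule you just added is the one actually matched rather than a broader rule higher in the table.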
Example 3: Allow all outgoing traffic to the internet.
Open the New Firewall Policy Dialog
1. Navigate to 'Policy & Objects'.
2. Click 'Firewall Policy'.
3. Click 'Create New'.
Name: Give your firewall policy a descriptive name.
Type: Standard
Incoming Interface: LAN Interface
Outgoing Interface: WAN Interface
Source: If we're just allowing ALL traffic outbound, we can set this to all. Selecting the address object for your LAN subnet instead is a cheap tightening: it stops the rule matching traffic from anything else that might appear on the LAN interface.
IP/MAC Based Access Control: Not used in this example.
Destination: All
Schedule: always
Service: ALL (every protocol and port). If your hosts only need web, DNS and NTP, selecting those services instead is a good default.
Action: Accept
Inspection Mode: Flow-Based
Disable NAT. This assumes your LAN addresses are routable on the WAN side, as provisioned with us; if your LAN uses private addresses, enable NAT instead so outbound sessions are source-translated to the outgoing interface address.
This rule will allow ALL traffic that comes from your LAN and is destined for the internet (WAN interface). Because every protocol is permitted, enable logging of allowed sessions on this policy so you have a record of what leaves the network.
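The outbound policy in the FortiOS CLI, as an added example that is not part of this guide, followed by a tighter variant restricted to the LAN subnet and to web, DNS and NTP. Interface names (lan, wan1), object names and the 203.0.113.0/24 LAN subnet are placeholders.

```fortios
# Example 3 as described above: allow everything from LAN to the internet.
config firewall policy
    edit 0
        set name "allow-lan-to-internet"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode flow
        # NAT stays off only because the LAN addresses are routed on the WAN side.
        # For an RFC 1918 LAN use "set nat enable" so sessions are source-translated
        # to the wan1 address.
        set nat disable
        # record allowed egress sessions, not just blocked ones
        set logtraffic all
    next
end

# Tighter variant (placeholder names): same direction, but only from the LAN
# subnet and only for the protocols the hosts need. Placed above the broad rule
# it matches first; used as the only egress rule, everything else falls through
# to the implicit deny.
config firewall address
    edit "lan-net"
        set subnet 203.0.113.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "allow-lan-web-dns-ntp-out"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "lan-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        # built-in service objects
        set service "HTTP" "HTTPS" "DNS" "NTP"
        set inspection-mode flow
        set nat disable
        set logtraffic all
    next
end
```

If you keep both, use `move <id> before <id>` inside `config firewall policy` to place the narrow rule above the broad one; with first-match evaluation, a broad rule above it would mean the narrow one is never hit.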