DO NOT REPRINT
© FORTINET
Lab 3: Firewall Policies
In this lab, you will configure firewall policies on Local-FortiGate, and then perform various tests on the Local-Client VM to confirm that traffic is matching the appropriate firewall policies based on the configuration.
Objectives
l Configure firewall objects and firewall policies
l Configure source and destination matching in firewall policies
l Apply service and schedule objects to a firewall policy
l Configure firewall policy logging options
l Reorder firewall policies
l Read and understand logs
l Use policy lookup to find a matching policy
Time to Complete
Estimated: 25 minutes
Prerequisites
Before beginning this lab, you must restore configuration files to Remote-FortiGate, ISFW, and Local-FortiGate.
To restore the Remote-FortiGate configuration file
1. Connect to the Remote-FortiGate GUI, and then log in with the username admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Revisions.
3. Click the + sign to expand the list.
4. Select the configuration with the comment initial, and then click Revert.
FortiGate Security 7.0 Lab Guide 56
Fortinet Technologies Inc.
5. Click OK to reboot.
To restore the ISFW configuration file
1. Connect to the ISFW GUI, and then log in with the username admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Revisions.
3. Click the + sign to expand the list.
4. Select the configuration with the comment initial, and then click Revert.
5. Click OK to reboot.
To restore the Local-FortiGate configuration file
1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Revisions.
3. Click the + sign to expand the list.
4. Select the configuration with the comment local-firewall-policy, and then click Revert.
5. Click OK to reboot.
Exercise 1: Creating Firewall Address Objects and Firewall
Policies
In this exercise, you will configure firewall address objects. You will also configure an IPv4 firewall policy that you
will apply firewall address objects to, along with schedule, services, and log options. Then, you will test the firewall
policy by passing traffic through it and checking the logs for your traffic.
At its core, FortiGate is a firewall, so almost everything that it does to your traffic is related to your firewall policies.
Create Firewall Address Objects
By default, FortiGate has many preconfigured, well-known address objects in the factory default configuration.
However, if those objects don’t meet the needs of your organization, you can configure more.
To create a firewall address object
1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.
2. Click Policy & Objects > Addresses.
3. Click Create New > Address.
4. Configure the following settings:
Field Value
Name LOCAL_SUBNET
Type Subnet
IP/Netmask 10.0.1.0/24
Interface any
5. Click OK.
Create a Firewall Policy
First, you will disable the existing firewall policy. Then, you will create a more specific firewall policy using the
firewall address object that you created in the previous procedure. You will also select specific services and
configure log settings.
To disable an existing firewall policy
1. On the Local-FortiGate GUI, click Policy & Objects > Firewall Policy.
2. Right-click the Full_Access firewall policy, and then for the Set Status option, select Disable.
To create a firewall policy
1. Continuing in the Policy & Objects > Firewall Policy section, click Create New to add a new firewall policy.
2. Configure the following settings:
Field Value
Name Internet_Access
Incoming Interface port3
Outgoing Interface port1
Source LOCAL_SUBNET
Destination all
Schedule always
Service ALL_ICMP, HTTP, HTTPS, DNS, SSH
Tip: Type the service name in the search box to quickly find it, and then click the service object to add it to the policy.
Action ACCEPT
NAT <enable>
Log Allowed Traffic <enable> and select All Sessions
Generate Logs when Session Starts <enable>
Enable this policy <enable>
3. Leave all other settings at their default values, and click OK to save the changes.
When you create firewall policies, remember that FortiGate is a stateful firewall. As a
result, you need to create only one firewall policy that matches the direction of the
traffic that initiates the session.
Test the Firewall Policy and View Generated Logs
Now that you configured the firewall policy, you will test it by passing traffic through it and viewing the generated
logs.
To test and view logs for a firewall policy
1. On the Local-Client VM, open several web browser tabs, and connect to several external websites, such as:
l www.google.com
l kb.fortinet.com
l docs.fortinet.com
l www.bbc.com
2. Return to the browser tab with the Local-FortiGate GUI, and click Policy & Objects > Firewall Policy.
3. Right-click the Internet_Access policy, and then click Show Matching Logs.
4. Identify the log entries for your internet browsing traffic.
With the current settings, you should have a few log messages that have Accept: session start in the Result
column. These are the session start logs.
When sessions close, there is a separate log entry for the amount of data that was sent and received.
Enabling Generate Logs when Session Starts in the firewall policy will generate
twice the amount of log messages. You should use this option only when this level of
detail is absolutely necessary.
When you click Show Matching Logs in the firewall policy, it adds the Policy UUID
filter in the forward traffic logs.
5. In the Forward Traffic logs, click X to remove the Policy UUID filter.
When you remove the Policy UUID filter, the logs are displayed unfiltered. You will use the logs in upcoming
labs.
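The Policy UUID filter behind Show Matching Logs, and the difference between session start and session end entries, as an added example that is not part of the lab guide and is not FortiOS code. The log lines below are constructed: the key=value layout follows the convention FortiOS forward traffic logs use, but every value (addresses, policy UUIDs, byte counts, timestamps) is invented, and action="start" is used here to mark the session start entries.

```python
"""Added example (not from the Fortinet lab guide): parse FortiGate-style
forward traffic log lines, apply the same per-policy filter that Show Matching
Logs applies in the GUI, and separate session-start logs from session-end
logs. The sample lines are constructed; only the key=value layout follows
FortiOS traffic logs, the values are invented."""
import re
from collections import Counter

# Constructed sample: four entries for policy ID 3 (two sessions, each with a
# start and an end log because session-start logging is enabled) and one
# denied ping for policy ID 4. The UUIDs are placeholders.
SAMPLE_LOGS = """\
date=2024-01-01 time=09:00:01 type="traffic" subtype="forward" srcip=10.0.1.10 srcport=50001 srcintf="port3" dstip=198.51.100.20 dstport=443 dstintf="port1" proto=6 action="start" policyid=3 poluuid="00000000-0000-0000-0000-000000000003" service="HTTPS"
date=2024-01-01 time=09:00:13 type="traffic" subtype="forward" srcip=10.0.1.10 srcport=50001 srcintf="port3" dstip=198.51.100.20 dstport=443 dstintf="port1" proto=6 action="accept" policyid=3 poluuid="00000000-0000-0000-0000-000000000003" service="HTTPS" duration=12 sentbyte=1520 rcvdbyte=48210
date=2024-01-01 time=09:00:20 type="traffic" subtype="forward" srcip=10.0.1.10 srcport=50002 srcintf="port3" dstip=198.51.100.21 dstport=80 dstintf="port1" proto=6 action="start" policyid=3 poluuid="00000000-0000-0000-0000-000000000003" service="HTTP"
date=2024-01-01 time=09:00:25 type="traffic" subtype="forward" srcip=10.0.1.10 srcport=50002 srcintf="port3" dstip=198.51.100.21 dstport=80 dstintf="port1" proto=6 action="accept" policyid=3 poluuid="00000000-0000-0000-0000-000000000003" service="HTTP" duration=5 sentbyte=800 rcvdbyte=12000
date=2024-01-01 time=09:01:00 type="traffic" subtype="forward" srcip=10.0.1.10 srcport=0 srcintf="port3" dstip=10.200.1.254 dstport=0 dstintf="port1" proto=1 action="deny" policyid=4 poluuid="00000000-0000-0000-0000-000000000004" service="PING"
"""

# key=value pairs; the value is either a double-quoted string or a bare token.
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one log line into a dict. Quoted values lose their quotes and
    purely numeric values become ints (ports, byte counts, policy IDs)."""
    record = {}
    for key, raw in KV.findall(line):
        value = raw[1:-1] if raw.startswith('"') else raw
        record[key] = int(value) if value.isdigit() else value
    return record


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def matching_logs(records, policy_uuid):
    """The filter Show Matching Logs adds: keep only one policy's entries."""
    return [r for r in records if r.get("poluuid") == policy_uuid]


def summarize(records):
    """Count session-start, session-end and denied entries, and total the
    bytes that only the session-end entries carry. Any action other than
    start or deny is treated here as the end of a session."""
    counts = Counter()
    sent = rcvd = 0
    for r in records:
        if r["action"] == "start":
            counts["session_start"] += 1
        elif r["action"] == "deny":
            counts["denied"] += 1
        else:
            counts["session_end"] += 1
            sent += r.get("sentbyte", 0)
            rcvd += r.get("rcvdbyte", 0)
    return {"session_start": counts["session_start"],
            "session_end": counts["session_end"],
            "denied": counts["denied"], "sentbyte": sent, "rcvdbyte": rcvd}


if __name__ == "__main__":
    logs = parse_logs(SAMPLE_LOGS)
    print(summarize(matching_logs(logs, "00000000-0000-0000-0000-000000000003")))
    print(summarize(logs))
```

Running the summary over the policy-filtered set shows two start entries beside two end entries for the same two sessions, which is the doubling the note about Generate Logs when Session Starts refers to; only the end entries carry sentbyte and rcvdbyte.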
Exercise 2: Reordering Firewall Policies and Firewall
Policy Actions
In the applicable interface pair section, FortiGate looks for a matching policy, beginning at the top. Usually, you
should put more specific policies at the top—otherwise, more general policies will match the traffic first, and more
granular policies will never be applied.
In this exercise, you will create a new firewall policy with more specific settings, such as source, destination,
service, and action set to DENY. Then, you will move this firewall policy above the existing firewall policies and
observe the behavior created by reordering the firewall policy.
Create a Firewall Policy
You will create a new firewall policy to match a specific source, destination, service, and action set to DENY.
The firewall address LINUX_ETH1 with IP/Netmask 10.200.1.254/32 is
preconfigured for you, and you will use this address when you create the firewall policy.
Take the Expert Challenge!
Configure a firewall policy on the Local-FortiGate GUI using the following settings:
l Name the firewall policy Block_Ping.
l Use port3 as the incoming interface and port1 as the outgoing interface.
l Block all ping traffic from the 10.0.1.0/24 subnet destined for the 10.200.1.254 address. Use the
preconfigured address objects LOCAL_SUBNET and LINUX_ETH1.
l Enable log violation traffic.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.
After you have performed these steps, see Test the Reordering of a Firewall Policy on page 64.
To create a firewall policy
1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.
2. Click Policy & Objects > Firewall Policy, and then click Create New.
3. Configure the following settings:
Field Value
Name Block_Ping
Incoming Interface port3
Outgoing Interface port1
Source LOCAL_SUBNET
Destination LINUX_ETH1
Schedule always
Service PING
Tip: Type the service name in the search box to quickly find it, and then click the service object to add it to the policy.
Action DENY
Log Violation Traffic <enable>
Enable this policy <enable>
4. Click OK to save the changes.
Test the Reordering of a Firewall Policy
Now that your configuration is ready, you will test it by moving the Block_Ping firewall policy above the Internet_Access firewall policy. The objective is to confirm that, after you reorder the firewall policy, the following occurs:
l Traffic is matched to a more specific firewall policy.
l The policy ID remains the same.
To confirm traffic matches a more granular firewall policy after reordering the firewall policy
1. On the Local-Client VM, open a terminal.
2. Ping the destination address (LINUX_ETH1) that you configured in the Block_Ping firewall policy.
ping 10.200.1.254
Stop and think!
Why are you still able to ping the destination address, even though you just configured a policy to block it?
The ping should still work because it matches the ACCEPT policy and not the DENY policy that you created.
The Block_Ping policy was never checked, because the traffic matched the policy at the top (Internet_Access). This demonstrates that FortiGate evaluates policies beginning at the top and uses the first one that matches.
3. Leave the terminal window open and running.
4. On the Local-FortiGate GUI, click Policy & Objects > Firewall Policy.
5. Hover over the Name column.
A settings icon will appear beside Name.
6. Click the settings icon, scroll down to select the ID column in the Select Columns section, and then click Apply.
7. The ID column appears as the last column in the table. Drag the ID column to the left of the Name column, so it
becomes the first column in the table.
Note the current ID values for both the Internet_Access and Block_Ping firewall policies.
8. From the ID column, drag the Block_Ping firewall policy up, and place it above the Internet_Access firewall
policy.
When you move the Block_Ping policy up, the ID value remains the same.
Refresh the page if the changes that you made are not displayed. Alternatively, you
can log off and log back in to the FortiGate GUI.
9. On the Local-Client VM, review the terminal window that is running the continuous ping.
You should see that the pings now fail.
Stop and think!
Why are the pings failing now?
This demonstrates the outcome of the policy reordering. After you move the more granular policy above the general access policy, the traffic matches the more granular policy and, because its action is DENY, FortiGate drops the traffic.
10. Close the terminal window.
11. On the Local-FortiGate GUI, click Log & Report > Forward Traffic.
You should see many policy violation logs reporting the blocked ping.
Clear the log filter that you applied in the previous exercise.
Exercise 3: Applying ISDB Objects as Destinations
FortiGate can match destination traffic using address objects or internet service database (ISDB) objects. ISDB
objects are predefined entries that are regularly updated by FortiGuard and contain a database of IP addresses,
protocols, and port numbers used by the most common internet services.
You can use ISDB objects to allow or deny traffic to well-known internet destinations, without having to configure
IP addresses, protocols, or ports used by those destinations in the firewall policy.
In this lab, you will apply an ISDB object as the destination criterion in a firewall policy to block traffic to a well-known internet service.
Review the Internet Service Database
You will review the entries in the internet service database.
To review the internet service database
1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.
2. Click Policy & Objects > Internet Service Database.
3. Expand the Predefined Internet Services and IP Reputation Database sections.
4. Double-click any entry, and then click View/Edit Entries.
You will see the corresponding IP addresses, ports, and protocols that the internet service uses.
5. Click Return.
Configure a Firewall Policy Destination as an ISDB Object
You will modify an existing firewall policy, and use an ISDB object as a destination.
To configure an internet service as a destination
1. On the Local-FortiGate GUI, click Policy & Objects > Firewall Policy.
2. Right-click the ID column for the Block_Ping firewall policy, and then click Edit.
3. Change the Name to Block_Facebook.
4. Click Destination, and then in the right pane, click LINUX_ETH1 to clear it.
5. Click Internet Service.
6. Select Facebook-Web.
Type the internet service object name in the search box to quickly find it, and then click
the object to add it to the policy.
Your configuration should look like the following example:
When Internet Service is selected as the Destination, you cannot:
l Use Address in the Destination
l Select Service in the firewall policy
7. Click OK.
Test the Internet Service Firewall Policy
Now that you configured the firewall policy, you will test it by passing traffic through it.
To test the internet service firewall policy
1. On the Local-Client VM, open a few browser tabs, and go to the following websites:
l www.facebook.com
l www.twitter.com
Stop and think!
Why is Facebook blocked but Twitter is allowed?
FortiGate checks for the matching policy from top to bottom. Facebook is blocked by the ID 4 firewall policy
because the destination is set to Facebook-Web. Twitter is allowed by the ID 3 firewall policy, which allows
internet access.
2. On the Local-FortiGate GUI, click Log & Report > Forward Traffic.
You should see many policy violation logs reported by the Block_Facebook policy.
3. On the Local-FortiGate GUI, click Policy & Objects > Firewall Policy, and then right-click the Block_Facebook
firewall policy, select Set Status, and then click Disable.
Exercise 4: Using Policy Lookup
FortiGate can find a matching firewall policy based on the policy lookup input criteria. The policy lookup feature simulates a packet flow through FortiGate without sending real traffic. From this simulated flow, FortiGate determines the matching policy ID and highlights that policy on the GUI policy configuration page.
In this lab, you will use the policy lookup feature to find a matching firewall policy based on input criteria.
Enable Existing Firewall Policies
As required in the previous exercises, most of the configured firewall policies are currently disabled. Now, you will
enable some of the existing firewall policies.
Take the Expert Challenge!
On the Local-FortiGate GUI, enable Policy Status for the Fortinet and Full_Access firewall policies.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.
After you have performed these steps, see Set Up and Test the Policy Lookup Criteria on page 70.
To enable existing firewall policies
1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.
2. Click Policy & Objects > Firewall Policy.
3. Right-click the Fortinet firewall policy, select Set Status, and then click Enable.
4. Right-click the Full_Access firewall policy, select Set Status, and then click Enable.
Set Up and Test the Policy Lookup Criteria
You will set up the policy lookup criteria. FortiGate searches and highlights the matching firewall policy based on
your input criteria.
To set up and test the policy lookup criteria
1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Firewall Policy, and then click Policy Lookup.
2. Configure the following settings:
Field Value
Source Interface port3
Protocol TCP
Source 10.0.1.100
Source Port <Leave it empty>
Destination fortinet.com
Destination Port 443
3. Click Search.
The search matches the Full_Access policy, but not the more specific Fortinet firewall policy.
In the search criteria, the source address is set to 10.0.1.100. This source address is not included in the
Fortinet firewall policy; therefore, the search does not match the Fortinet firewall policy.
When FortiGate is performing a policy lookup, it does a series of checks on ingress,
stateful inspection, and egress for the matching firewall policy. It performs the checks
from top to bottom, before providing results for the matching policy.
4. Click Policy Lookup, and then change the Source to 10.0.1.10.
Make sure all the other settings match the settings you configured in step 2.
5. Click Search.
This time, the search matches the Fortinet firewall policy, in which the destination is set to the FQDN address
object.
Reorder the Firewall Policies
You will reorder the firewall policies. You will move the Block_Facebook firewall policy above the Full_Access
policy.
Take the Expert Challenge!
On the Local-FortiGate GUI, move the Block_Facebook firewall policy above the Full_Access policy.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.
After you have performed these steps, see Retest Policy Lookup After Reordering the Firewall Policies on
page 72.
To reorder the firewall policies
1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Firewall Policy.
2. From the ID column, drag the Block_Facebook firewall policy above the Full_Access firewall policy.
The order of the firewall policies should match the following example:
Retest Policy Lookup After Reordering the Firewall Policies
You will retest the policy lookup feature after reordering the firewall policies.
To retest policy lookup after reordering the firewall policies
1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Firewall Policy, and then click Policy Lookup.
2. Configure the following settings:
Field Value
Source Interface port3
Protocol TCP
Source 10.0.1.10
Destination facebook.com
Destination Port 443
3. Click Search.
Stop and think!
Why did the search not match the more specific policy, Block_Facebook?
When FortiGate is performing a policy lookup, it skips all disabled policies.
The search matches the Full_Access policy, but not the more specific Block_Facebook policy, because it
is disabled.
4. Right-click the Block_Facebook firewall policy, select Set Status, and then click Enable.
5. Click Policy Lookup.
Make sure all the settings match the settings you configured in step 2.
6. Click Search.
This time the search matches the more specific policy, Block_Facebook.
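The top-down, first-match behaviour that Exercise 2 (reordering Block_Ping), Exercise 3 (an ISDB object as the destination) and this exercise (Policy Lookup skipping disabled policies) each demonstrate in the GUI, as one added example that is not part of the lab guide and is not FortiOS code. Policy names, the IDs 3 and 4, and the address objects come from the lab; the service definitions, the Facebook-Web entry (a documentation IP range standing in for the real ISDB data), the policy ID 1 for Full_Access and the packet contents are assumptions made for this model.

```python
"""Added example, not code from the Fortinet lab guide or from FortiOS: a small
model of FortiGate's top-down, first-match policy evaluation that reproduces the
results of Exercise 2 (reordering Block_Ping), Exercise 3 (an ISDB object as the
destination) and Exercise 4 (Policy Lookup skipping disabled policies). Policy
names, IDs 3 and 4, and addresses come from the lab; the service definitions,
the ISDB entry and the Full_Access policy ID are assumptions made for this model."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Address objects named in the lab.
ADDRESSES = {
    "all": ip_network("0.0.0.0/0"),
    "LOCAL_SUBNET": ip_network("10.0.1.0/24"),
    "LINUX_ETH1": ip_network("10.200.1.254/32"),
}
# Service objects as (protocol, destination port); None means any port (assumed).
SERVICES = {
    "ALL": {("tcp", None), ("udp", None), ("icmp", None)},
    "ALL_ICMP": {("icmp", None)}, "PING": {("icmp", None)},
    "HTTP": {("tcp", 80)}, "HTTPS": {("tcp", 443)},
    "DNS": {("tcp", 53), ("udp", 53)}, "SSH": {("tcp", 22)},
}
# ISDB stand-in: an internet service bundles networks, protocols and ports, which
# is why a policy using one has no separate Service. The range is a placeholder.
INTERNET_SERVICES = {
    "Facebook-Web": {(ip_network("203.0.113.0/24"), "tcp", 80),
                     (ip_network("203.0.113.0/24"), "tcp", 443)},
}

@dataclass
class Policy:
    id: int
    name: str
    srcintf: str
    dstintf: str
    srcaddr: list                 # address object names
    dstaddr: list                 # address object names; unused when internet_service is set
    service: list                 # service object names
    action: str                   # "accept" or "deny"
    enabled: bool = True
    internet_service: Optional[str] = None

@dataclass
class Packet:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None

def _service_ok(names, pkt):
    return any(p == pkt.proto and port in (None, pkt.dport)
               for n in names for p, port in SERVICES[n])

def _dest_ok(pol, pkt):
    dst = ip_address(pkt.dst)
    if pol.internet_service:      # ISDB destination: network, protocol and port together
        return any(dst in net and p == pkt.proto and port == pkt.dport
                   for net, p, port in INTERNET_SERVICES[pol.internet_service])
    return any(dst in ADDRESSES[n] for n in pol.dstaddr) and _service_ok(pol.service, pkt)

def lookup(policies, pkt):
    """Return the first enabled policy that matches, scanning top to bottom.
    None means nothing matched and FortiGate's implicit deny (policy ID 0) applies."""
    src = ip_address(pkt.src)
    for pol in policies:
        if not pol.enabled:
            continue              # Policy Lookup skips disabled policies
        if (pol.srcintf, pol.dstintf) != (pkt.srcintf, pkt.dstintf):
            continue
        if any(src in ADDRESSES[n] for n in pol.srcaddr) and _dest_ok(pol, pkt):
            return pol            # first match wins; policies below are never checked
    return None

# Policies from the lab (IDs 3 and 4 are stated there; Full_Access's ID 1 is assumed).
INTERNET_ACCESS = Policy(3, "Internet_Access", "port3", "port1", ["LOCAL_SUBNET"], ["all"],
                         ["ALL_ICMP", "HTTP", "HTTPS", "DNS", "SSH"], "accept")
BLOCK_PING = Policy(4, "Block_Ping", "port3", "port1", ["LOCAL_SUBNET"], ["LINUX_ETH1"],
                    ["PING"], "deny")
FULL_ACCESS = Policy(1, "Full_Access", "port3", "port1", ["all"], ["all"], ["ALL"], "accept")
BLOCK_FACEBOOK = Policy(4, "Block_Facebook", "port3", "port1", ["LOCAL_SUBNET"], [], [],
                        "deny", enabled=False, internet_service="Facebook-Web")

def exercise2():
    """The Exercise 2 ping against the same two policies in both orders; returns
    (name, action, id) of the matched policy before and after the move."""
    ping = Packet("port3", "port1", "10.0.1.10", "10.200.1.254", "icmp")
    before = lookup([INTERNET_ACCESS, BLOCK_PING], ping)   # Block_Ping never reached
    after = lookup([BLOCK_PING, INTERNET_ACCESS], ping)    # same IDs, different result
    return (before.name, before.action, before.id), (after.name, after.action, after.id)

def exercise4_facebook(block_enabled):
    """Policy Lookup for TCP/443 into the modelled Facebook-Web range, with
    Block_Facebook already above Full_Access and either disabled or enabled."""
    blocker = replace(BLOCK_FACEBOOK, enabled=block_enabled)
    pkt = Packet("port3", "port1", "10.0.1.10", "203.0.113.5", "tcp", 443)
    return lookup([blocker, FULL_ACCESS], pkt).name
```

exercise2() returns Internet_Access (accept, ID 3) before the move and Block_Ping (deny, ID 4) after it, the IDs being untouched by reordering; exercise4_facebook(False) returns Full_Access because the disabled policy is skipped, and exercise4_facebook(True) returns Block_Facebook. A packet that matches no enabled policy makes lookup() return None, which stands for the implicit deny.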