FortiGate can find a matching firewall policy based on the policy lookup input criteria. It essentially simulates a packet flow through FortiGate without sending real traffic. From this simulated packet flow, FortiGate extracts the matching policy ID and highlights it on the GUI policy configuration page.
In this lab, you will use the policy lookup feature to find matching firewall policy based on input criteria.
Enabling Existing Firewall Policies
As they were during the configuration and testing of the firewall policies in the previous labs, most of the configured firewall policies are currently disabled. Now, you will enable the existing firewall policies.
To enable existing firewall policies
1. From the Local-Windows VM, open a web browser and log in as admin to the Local-FortiGate GUI at 10.0.1.254.
2. Go to Policy & Objects > IPv4 Policy.
3. Right-click the Seq.# column for the Fortinet firewall policy.
4. Select Status and click Enable.
5. Right-click the Seq.# column for the Full_Access firewall policy.
6. Select Status and click Enable.
Setting Up and Testing Policy Lookup Criteria
Now, you will set up the policy lookup criteria. FortiGate will search and highlight the matching firewall policy based on your input criteria.
To set up and test policy lookup criteria
1. In Policy & Objects > IPv4 Policy, click Policy Lookup.
2. Set the following:
Field               Value
Source Interface    port3
Protocol            TCP
Source              10.0.1.100
Source Port         Leave it blank
Destination         fortinet.com
Destination Port    443
3. Click Search.
The search will match the Full_Access policy, but not the more specific firewall policy, Fortinet.
DO NOT REPRINT
© FORTINET
LAB 3–Firewall Policies
In the search criteria, the source address is set to 10.0.1.100. This source address is not part of the firewall policy named Fortinet; therefore, the search does not match the Fortinet firewall policy.
Note: When FortiGate performs a policy lookup, it does a series of checks on ingress, stateful inspection, and egress for the matching firewall policy. It performs the checks from top to bottom, before providing results for the matching policy.
4. Click Policy Lookup and change the Source to 10.0.1.10.
Make sure all the other settings match the settings you used in step 2.
5. Click Search.
This time the search matches the policy named Fortinet, in which the destination is set to an FQDN.
Reordering the Firewall Policy
Now you will reorder the firewall policies. You will be moving the Block_Ping firewall policy above the Full_Access policy.
To reorder the firewall policy
1. In Policy & Objects > IPv4 Policy, click the Seq.# column for the Block_Ping firewall policy.
2. Drag it above the Full_Access firewall policy.
3. The order of your firewall policies should look similar to this:
Retesting Policy Lookup After Reordering the Firewall Policies
Now you will test the policy lookup feature after reordering the firewall policies.
To retest policy lookup after reordering firewall policies
1. In Policy & Objects > IPv4 Policy, click Policy Lookup.
2. Set the following for Policy Lookup:
Field               Value
Source Interface    port3
Protocol            ICMP
ICMP Type           8
ICMP Code           0
Source              10.0.1.100
Destination         10.200.1.254
3. Click Search.
The search will match the Full_Access policy, but not the more specific policy Block_Ping, because it is disabled.
4. Right-click the Seq.# column of the Block_Ping policy and set the Status to Enable.
5. Click Search.
This time the search matches the more specific and enabled policy, Block_Ping.
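The two lookup exercises above (the HTTPS lookup that matches Full_Access or Fortinet depending on the source address, and the ICMP lookup that matches Block_Ping only once it is both enabled and ordered above Full_Access) both come down to the same rule: FortiGate walks the policy table top to bottom and returns the first enabled policy whose interface, addresses and service all match. The following simulation is an added example, not Fortinet code and not the lab's configuration file. The policy contents (destination interface is ignored, the Fortinet policy's source object is taken as 10.0.1.10/32, the Block_Ping policy's service is ICMP type 8 code 0) and the static FQDN resolution table are constructed assumptions that mirror what the lab text states; it also goes one step beyond the lab by showing that an enabled Block_Ping still loses to Full_Access if it sits below it.

```python
"""Simulation of FortiGate-style top-down, first-match firewall policy lookup.

Added example for this lab; not Fortinet code. Policy details beyond what the
lab text states are assumptions (see comments).
"""
from dataclasses import dataclass
import ipaddress

# Constructed stand-in for FQDN address objects, which a real FortiGate resolves
# via DNS. 203.0.113.10 is a documentation address, not fortinet.com's real IP.
FQDN_TABLE = {"fortinet.com": ["203.0.113.10"]}


def to_networks(spec):
    """Expand an address spec ('all', a CIDR, or an FQDN object) into networks."""
    if spec == "all":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if spec in FQDN_TABLE:
        return [ipaddress.ip_network(a) for a in FQDN_TABLE[spec]]
    return [ipaddress.ip_network(spec, strict=False)]


def resolve(host):
    """Accept either an IP or an FQDN, as the Policy Lookup Destination field does."""
    if host in FQDN_TABLE:
        return ipaddress.ip_address(FQDN_TABLE[host][0])
    return ipaddress.ip_address(host)


@dataclass
class Policy:
    policy_id: int
    name: str
    srcintf: str
    src: str            # 'all', CIDR, or FQDN object name
    dst: str
    services: object    # "ALL", or a set of ("tcp", port) / ("icmp", type, code)
    action: str
    enabled: bool = True


@dataclass
class Packet:
    srcintf: str
    proto: str
    src: str
    dst: str            # IP or FQDN literal, as typed into Policy Lookup
    dport: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


def service_matches(services, pkt):
    if services == "ALL":
        return True
    if pkt.proto == "icmp":
        return ("icmp", pkt.icmp_type, pkt.icmp_code) in services
    return (pkt.proto, pkt.dport) in services


def policy_matches(p, pkt):
    """Disabled policies never match; everything else is checked as FortiGate would."""
    src_ip = ipaddress.ip_address(pkt.src)
    dst_ip = resolve(pkt.dst)
    return (p.enabled and p.srcintf == pkt.srcintf
            and any(src_ip in n for n in to_networks(p.src))
            and any(dst_ip in n for n in to_networks(p.dst))
            and service_matches(p.services, pkt))


def policy_lookup(policies, pkt):
    """Return the name of the first matching policy, top to bottom, or None (implicit deny)."""
    for p in policies:
        if policy_matches(p, pkt):
            return p.name
    return None


def lab_policies():
    """Constructed policies mirroring the lab narrative (IDs and objects assumed)."""
    fortinet = Policy(1, "Fortinet", "port3", "10.0.1.10/32", "fortinet.com", {("tcp", 443)}, "accept")
    full_access = Policy(2, "Full_Access", "port3", "all", "all", "ALL", "accept")
    block_ping = Policy(3, "Block_Ping", "port3", "all", "10.200.1.254/32", {("icmp", 8, 0)}, "deny", enabled=False)
    return fortinet, full_access, block_ping


def run_lab():
    """Replay the lab's lookups and return which policy each one hits."""
    fortinet, full_access, block_ping = lab_policies()
    results = {}
    table = [fortinet, full_access, block_ping]          # order before reordering
    results["https_from_100"] = policy_lookup(table, Packet("port3", "tcp", "10.0.1.100", "fortinet.com", 443))
    results["https_from_10"] = policy_lookup(table, Packet("port3", "tcp", "10.0.1.10", "fortinet.com", 443))
    ping = Packet("port3", "icmp", "10.0.1.100", "10.200.1.254", icmp_type=8, icmp_code=0)
    block_ping.enabled = True
    results["ping_enabled_below"] = policy_lookup(table, ping)   # still Full_Access: order wins
    block_ping.enabled = False
    table = [fortinet, block_ping, full_access]          # after dragging Block_Ping up
    results["ping_disabled"] = policy_lookup(table, ping)
    block_ping.enabled = True
    results["ping_enabled"] = policy_lookup(table, ping)
    results["wrong_interface"] = policy_lookup(table, Packet("port1", "tcp", "10.0.1.10", "fortinet.com", 443))
    return results


if __name__ == "__main__":
    for name, hit in run_lab().items():
        print(f"{name}: {hit or 'implicit deny'}")
```

The `wrong_interface` case is not in the lab but shows the implicit deny: when no policy matches, the lookup highlights nothing and the real packet would be dropped.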
LAB 4–Network Address Translation (NAT)
NAT is used to perform source NAT and destination NAT for the traffic passing through FortiGate. There are two ways to configure source NAT (SNAT) and destination NAT (DNAT).
firewall policy NAT
central NAT
In this lab, you will configure and test firewall policy NAT for SNAT using an IP pool, and for DNAT using a virtual IP (VIP).
You will also enable central NAT. You will then configure and test SNAT using a central SNAT policy, and DNAT using a DNAT policy and VIPs.
Objectives
Configure destination NAT settings using a VIP.
Configure the source NAT settings using overload IP pools.
Enable central NAT.
Configure a central NAT policy for the source NAT.
Configure DNAT and VIPs for the destination NAT.
Time to Complete
Estimated: 50 minutes
Prerequisites
Before starting the procedures in this lab, you must restore a configuration file to each FortiGate.
Note: Make sure to restore the correct configuration on each FortiGate by following the steps below.
Failure to restore the proper configuration on each FortiGate will prevent you from doing the lab exercise.
To restore the Remote-FortiGate configuration file
1. On the Local-Windows VM, open a web browser and log in as admin to the Remote-FortiGate GUI at 10.200.3.1.
2. Go to Dashboard, and from the System Information widget click Restore.
3. Select to restore from Local PC and click Upload.
4. Browse to Desktop > Resources > FortiGate-I > NAT and select remote-nat.conf.
5. Click OK.
6. Click OK to reboot.
To restore the Local-FortiGate configuration file
1. On the Local-Windows VM, open a new web browser and log in as admin to the Local-FortiGate GUI at 10.0.1.254.
2. Go to Dashboard, and from the System Information widget click Restore.
3. Select to restore from Local PC and click Upload.
4. Browse to Desktop > Resources > FortiGate-I > NAT and select local-nat.conf.
5. Click OK.
6. Click OK to reboot.