Fortigate Multiple Interface Policy
“Welcome to my channel! In this video, I will describe how to configure firewall policies with multiple source and destination interfaces in FortiGate. We’ll be looking at how to allow traffic between multiple interfaces on your FortiGate firewall, which is particularly useful when you have different subnets that you want to control traffic between or when you have multiple VLANs that need to communicate with each other. By the end of this video, you’ll have a better understanding of how to configure these policies in FortiGate and how they can help secure your network.
As you can see in this topology, we have three PCs located in three different VLANs or interfaces, and we want to write a policy to give access to the web server that is located in VLAN 4. If you want to use FortiGate’s default features, you must write a policy for each VLAN or interface to access the web server VLAN because input interfaces are different. However, by using multiple interface policies, you can accomplish this job with just one policy. Another example in this topology is when you want to give system administrators access to their servers from the VPN. In a normal and standard feature, you have to write a policy for each VLAN. Still, with multiple interface policies, you can grant access to all desired servers with just one policy, making managing your firewall and policies more manageable.
Now, let’s move on to the configuration. In my topology that was shown earlier, I have four interfaces, but because I am using a trial license, I only have three interfaces. That’s not important; you can add all your interfaces to policies in your production environment. First, I need to enable this feature in my firewall.
I’m going to feature visibility under the System menu and enable multiple interface policies, then click on apply.
Next, I’ll write the policy that allows access from different VLANs to the web server.
I’ll go to Policy and Objects > Firewall Policy > Create New and write the name of the policy, for example, “Allow all Interfaces to Webserver.”
Click on incoming interface and select the incoming interface. Select the outgoing interface and select your web server interface. You can add multiple outgoing interfaces if your web servers are located on different interfaces.
For the source, you can specify your source IP; it can be all or specific IP addresses.
For the destination, you can add all or specific addresses, and for the service, I’ll leave it as HTTPS.
These settings are based on your production environment. With just one policy, I grant access to the web server from different interfaces.
For the other topology shown at the beginning of this video, the policy is the same.
I’ll create the policy, name it “Allow System Admin to Servers,”
select incoming interface, select SSL VPN,
select outgoing interface, for example, Port 1, 2, and 3 are our server VLANs.
For the source, select all or your VPN addresses and select VPN username.
For the destination IP addresses, you can add all or IP addresses.
For the service, you can select SSH, RDP, or other services based on your production environment.
Click OK, and the policy is complete.
that is finished , by writing just one policy you can grant access for system administrator vpn connection to the multiple servers that raised on different vlans.
I hope this video will be useful for you to manage your firewall. If you would like to see more videos, please subscribe to my channel and like my videos. Also, if you have any questions, you can ask them in the comments. Have a good day! Bye-bye.”