Policy Enforcement Module
The optional Policy Enforcement Module makes it possible to control network traffic by dropping or allowing it according to configured policies, which are applied through a firewall tag associated with a user group. From release 3.7 onward this includes Captive Portal users.
Fortinet's firewall is generic: it can block communication between any two subnets, on specific ports or on all ports. With a Filter ID, it can also prevent any user on any SSID from reaching specific subnets.
The per-user firewall filtering is implemented either by:
- A RADIUS-returned filter-id attribute, that is created on the RADIUS server and assigned to users
- A configured firewall filter-id parameter that is part of the Security profile configuration and is applied to clients associated with an ESS
For the RADIUS-based per-user firewall, the Filter-Id attribute returned in the Access-Accept message for a user is used as the firewall tag. The filtering action is determined by the firewall policies configured for that firewall tag.
In the absence of a RADIUS configuration, a firewall tag configured in the Security profile can be used to define the filtering according to the configured firewall policies. In this case, all users connecting to a given ESS profile are allocated the same firewall tag, the one configured for the profile.
For the RADIUS configuration to work, the Filter-Id value configured on the RADIUS server must exactly match the firewall filter ID used on the controller. On some RADIUS servers the Filter ID must be created explicitly before it can be assigned to users.
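The RADIUS exchange described above, as an added example that is not FortiWLC code or part of the original page: the server builds an Access-Accept carrying a Filter-Id attribute (RFC 2865, attribute type 11), and the receiving side, which is the controller's role, checks the Response Authenticator with the shared secret before it trusts the Filter-Id. The shared secret, identifier and Request Authenticator in the block are constructed test values. The check matters because Filter-Id selects the firewall policy; a reply that is not authenticated with the secret (or that arrives over an untrusted network without RADIUS-over-TLS or IPsec) could be substituted to move a user onto a more permissive tag.

```python
"""Build and verify a RADIUS Access-Accept carrying Filter-Id (RFC 2865).

Added example, not FortiWLC code.  SECRET, the identifier and REQUEST_AUTH
below are constructed test values.
"""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1      # RFC 2865 section 5.1
ATTR_FILTER_ID = 11     # RFC 2865 section 5.11
HEADER_LEN = 20         # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header bytes (max 255)."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes,
                        attrs: List[Tuple[int, bytes]]) -> bytes:
    """Server side. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, HEADER_LEN + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def parse_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list, rejecting truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def reply_is_authentic(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client (controller) side: recompute the Response Authenticator over the
    received bytes with the shared secret and compare in constant time."""
    if len(packet) < HEADER_LEN:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < HEADER_LEN or length > len(packet):
        return False
    body = packet[HEADER_LEN:length]          # bytes past Length are padding (RFC 2865)
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def filter_id_from_reply(packet: bytes, request_auth: bytes, secret: bytes) -> Optional[str]:
    """Authenticate the reply first, then extract Filter-Id.  Returns None for
    an authentic reply that is not an Access-Accept or carries no Filter-Id;
    raises if the reply is not authentic."""
    if not reply_is_authentic(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong secret or tampered reply")
    code = packet[0]
    length = struct.unpack("!H", packet[2:4])[0]
    if code != ACCESS_ACCEPT:
        return None
    ids = [v for t, v in parse_attrs(packet[HEADER_LEN:length]) if t == ATTR_FILTER_ID]
    return ids[0].decode("utf-8") if ids else None


# Constructed test values; a real Request Authenticator is 16 random bytes
# chosen by the NAS for each Access-Request.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))


def demo() -> Optional[str]:
    """Round trip: server tags user 'alice' with Filter-Id "1", controller reads it back."""
    reply = build_access_accept(7, REQUEST_AUTH, SECRET,
                                [(ATTR_USER_NAME, b"alice"), (ATTR_FILTER_ID, b"1")])
    return filter_id_from_reply(reply, REQUEST_AUTH, SECRET)


if __name__ == "__main__":
    print(demo())
```

The value returned, "1", is the string the controller compares against its configured firewall filter ID, so the RADIUS side must send exactly that text (on FreeRADIUS, for instance, a `Filter-Id = "1"` reply item in the users file). Note that the Response Authenticator is MD5 keyed only by the shared secret; it stops casual substitution of the reply but is no replacement for carrying RADIUS over TLS or IPsec between the controller and the server.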
The policies that filter the traffic are created using the standard QoS qosrule configuration, and the inherent priorities and configuration parameters are described in detail in Chapter 15 of this manual as well as in the qosrule entry in the FortiWLC (SD) Command Reference.
Configure Firewall Policies with the CLI
Begin the Policy Enforcement Module configuration by configuring a set of qosrule policies to manage the traffic.
The following example creates qosrule 200, a policy that drops TCP (protocol 6) traffic to destination port 80 for firewall filter ID 1:
default# configure terminal
default(config)# qosrule 200 netprotocol 6 qosprotocol none
default(config-qosrule)# netprotocol-match on
default(config-qosrule)# dstport 80
default(config-qosrule)# dstport-match on
default(config-qosrule)# action drop
default(config-qosrule)# firewall-filter-id 1
default(config-qosrule)# firewall-filter-id-match on
default(config-qosrule)# qosrule-logging on
default(config-qosrule)# qosrule-logging-frequency 30
default(config-qosrule)# exit
default(config)# exit
To check the configuration of the policy, use the show qosrule command:
default# show qosrule
ID   Dst IP   Dst Mask  DPort  Src IP   Src Mask  SPort  Prot  QoS   Action   Drop  Firewall Filter
-    0.0.0.0  0.0.0.0   1720   0.0.0.0  0.0.0.0   0      6     h323  capture  head
-    0.0.0.0  0.0.0.0   0      0.0.0.0  0.0.0.0   1720   6     h323  capture  head
-    0.0.0.0  0.0.0.0   5060   0.0.0.0  0.0.0.0   0      17    sip   capture  head
-    0.0.0.0  0.0.0.0   0      0.0.0.0  0.0.0.0   5060   17    sip   capture  head
-    0.0.0.0  0.0.0.0   5200   0.0.0.0  0.0.0.0   0      17    none  forward  head
-    0.0.0.0  0.0.0.0   0      0.0.0.0  0.0.0.0   5200   17    none  forward  head
200  0.0.0.0  0.0.0.0   80     0.0.0.0  0.0.0.0   0      6     none  drop     tail  1
QoS Rules(7 entries)
default#
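A scripted version of the check above, added here as an example and not part of FortiWLC or the original page: it parses the `show qosrule` table as printed and confirms that a rule tagged with the firewall filter ID in question drops the intended traffic, which is useful when auditing several controllers. The embedded table is the output shown above; the column names are taken from its header, and the treatment of a 0 port or protocol as a wildcard is an assumption about the display, not a statement of the controller's full evaluation order (see Chapter 15 for rule priorities).

```python
"""Parse `show qosrule` output and confirm a per-user firewall rule.

Added example, not FortiWLC code.  SHOW_QOSRULE is the table printed by
`show qosrule` in the text above; treating a port or protocol of 0 as a
wildcard is an assumption about how the table is displayed.
"""
from typing import Dict, List, Optional

COLUMNS = ["id", "dst_ip", "dst_mask", "dport", "src_ip", "src_mask",
           "sport", "prot", "qos", "action", "drop", "filter"]

SHOW_QOSRULE = """\
ID   Dst IP   Dst Mask  DPort  Src IP   Src Mask  SPort  Prot  QoS   Action   Drop  Firewall Filter
-    0.0.0.0  0.0.0.0   1720   0.0.0.0  0.0.0.0   0      6     h323  capture  head
-    0.0.0.0  0.0.0.0   0      0.0.0.0  0.0.0.0   1720   6     h323  capture  head
-    0.0.0.0  0.0.0.0   5060   0.0.0.0  0.0.0.0   0      17    sip   capture  head
-    0.0.0.0  0.0.0.0   0      0.0.0.0  0.0.0.0   5060   17    sip   capture  head
-    0.0.0.0  0.0.0.0   5200   0.0.0.0  0.0.0.0   0      17    none  forward  head
-    0.0.0.0  0.0.0.0   0      0.0.0.0  0.0.0.0   5200   17    none  forward  head
200  0.0.0.0  0.0.0.0   80     0.0.0.0  0.0.0.0   0      6     none  drop     tail  1
QoS Rules(7 entries)
default#
"""

Rule = Dict[str, Optional[str]]


def parse_show_qosrule(output: str) -> List[Rule]:
    """One dict per data row.  A row has 11 fields, or 12 when a firewall
    filter ID is set; the header, trailer and prompt have other widths."""
    rules: List[Rule] = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) not in (11, 12) or parts[0] == "ID":
            continue
        padded = parts + [None] * (12 - len(parts))
        rules.append(dict(zip(COLUMNS, padded)))
    return rules


def rules_for_filter(rules: List[Rule], filter_id: str) -> List[Rule]:
    """Only rules carrying this firewall filter ID apply to clients with that tag."""
    return [r for r in rules if r["filter"] == filter_id]


def rule_matches(rule: Rule, prot: str, dport: str) -> bool:
    """Assumption: 0 in the Prot or DPort column means 'any'."""
    return rule["prot"] in ("0", prot) and rule["dport"] in ("0", dport)


def policy_action(rules: List[Rule], filter_id: str, prot: str, dport: str) -> Optional[str]:
    """Action of the first rule for this filter ID that covers prot/dport,
    or None when no per-user rule covers the traffic (simplified check of the
    displayed table, not the controller's full priority handling)."""
    for rule in rules_for_filter(rules, filter_id):
        if rule_matches(rule, prot, dport):
            return rule["action"]
    return None


def audit(output: str, filter_id: str, prot: str, dport: str, expected: str) -> bool:
    """True when the table drops/forwards as intended for the given tag."""
    return policy_action(parse_show_qosrule(output), filter_id, prot, dport) == expected


if __name__ == "__main__":
    print(audit(SHOW_QOSRULE, "1", "6", "80", "drop"))
```

Run against the table above, the audit confirms that a client tagged with filter ID 1 has TCP/80 dropped, while the same traffic for a client with another tag, or TCP/443 for tag 1, is not covered by any per-user rule.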
The following commands apply the example filter ID 1 to the Security Profile; enter them in Security Profile configuration mode (the config-security prompt):
default(config-security)# firewall-capability configured
default(config-security)# firewall-filter-id 1
default(config-security)# security-logging off
Once you create a firewall rule, you cannot modify it to enable or disable firewall logging. As a workaround, either create the rule with the required logging option from the start, or delete the rule and re-create it with the required option.
Troubleshooting Per-User Firewall
- Turn on the QoS rule logging feature on the QoS rule page. When client traffic hits the rule, the hit is recorded on the syslog server and can be viewed with the CLI command show syslogfile firewall.
For command details, see the FortiWLC (SD) Configuration Guide.