Gateway-to-gateway configurations

Define the hub-spoke security policies

1. Define a name for the address of the private network behind the hub. For more information, see Defining VPN security policies on page 1648.

2. Define names for the addresses or address ranges of the private networks behind the spokes. For more information, see Defining VPN security policies on page 1648.

3. Define the VPN concentrator. See To define the VPN concentrator on page 1676.

4. Define security policies to permit communication between the hub and the spokes. For more information, see Defining VPN security policies on page 1648.


Route-based VPN security policies

Define ACCEPT security policies to permit communications between the hub and the spoke. You need one policy for each direction: one for traffic arriving from the spoke over the tunnel, and one for traffic leaving the hub's private network towards the spoke.


To add policies

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.

3. Enter these settings in particular. The two policies are mirror images of each other: the interfaces and the address names swap places between the incoming and outgoing sides.

Policy 1 (spoke to hub):

Incoming Interface: Select the VPN Tunnel (IPsec Interface) you configured in Step 1.
Source Address: Select the address name you defined in Step 2 for the private network behind the spoke FortiGate unit.
Outgoing Interface: Select the hub's interface to the internal (private) network.
Destination Address: Select the address name that you defined in Step 1 for the private network behind the hub.
Action: Select ACCEPT.
Enable NAT: Enable.

Policy 2 (hub to spoke):

Incoming Interface: Select the hub's interface to the internal (private) network.
Source Address: Select the address name that you defined in Step 1 for the private network behind the hub.
Outgoing Interface: Select the VPN Tunnel (IPsec Interface) you configured in Step 1.
Destination Address: Select the address name you defined in Step 2 for the private network behind the spoke FortiGate units.
Action: Select ACCEPT.
Enable NAT: Enable.
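The same pair of policies expressed in the FortiOS CLI, as an added example that is not taken from the handbook. The IPsec interface name "to_spoke1", the address object names and the subnets are assumptions; lines beginning with # are annotations, not CLI input.

```fortios
# Address objects for the private networks behind the hub and one spoke
# (subnets are constructed example values)
config firewall address
    edit "hub_lan"
        set subnet 10.1.0.0 255.255.255.0
    next
    edit "spoke1_lan"
        set subnet 10.2.0.0 255.255.255.0
    next
end

config firewall policy
    # Policy 1: spoke -> hub. Traffic enters on the IPsec interface
    # (assumed name "to_spoke1") and exits on the hub's internal port.
    edit 0
        set name "spoke1_to_hub"
        set srcintf "to_spoke1"
        set dstintf "internal"
        set srcaddr "spoke1_lan"
        set dstaddr "hub_lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # Policy 2: hub -> spoke. Interfaces and address objects are the
    # mirror image of policy 1.
    edit 0
        set name "hub_to_spoke1"
        set srcintf "internal"
        set dstintf "to_spoke1"
        set srcaddr "hub_lan"
        set dstaddr "spoke1_lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

When reviewing the pair in the GUI, the check is that srcintf/dstintf and srcaddr/dstaddr are swapped between the two policies and nothing else differs; a policy whose outgoing interface or destination is set to an address object instead of the tunnel interface will never match the return traffic.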



This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet hardware sales) and Office Of The CISO, LLC (cybersecurity consulting firm).
