Firewall Policies
Module Objectives
• By the end of this module participants will be able to:
• Identify the components used in a firewall policy
• Create firewall objects
• Create firewall policies and manage the order of their processing
Firewall Policies
Policy components (slide figure): source and destination interfaces, source and destination IP addresses, services, schedules, action = ACCEPT, authentication, threat management, traffic shaping, logging
• Firewall policies include the instructions used by the FortiGate device to determine what to do with a connection request
• Packet analyzed, content compared to policy, action performed
Firewall Actions
Matching criteria (slide figure): source and destination interfaces, source and destination IP addresses, services, schedules
Action: Accept, Deny, IPSec, SSL VPN
Policy Matching
From      To    Source          Destination  Schedule  Service  Action
internal  wan1  192.168.1.110   all          always    HTTP     Accept
internal  wan1  all             all          9am-5pm   HTTP     Accept
internal  wan1  192.168.1.0/24  all          always    FTP      Accept
any       any   all             all          always    any      Deny
• The FortiGate device searches the list from top to bottom looking for a policy with matching conditions
• The action on the first matched policy is applied
• Move policies in the list to influence the order in which they are evaluated
• Default implicit DENY always at the bottom of the list
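The top-to-bottom, first-match evaluation of the table above, written out as an added example (not FortiGate code): the four rows are modelled as a list, the 9am-5pm row as a recurring time window, and a packet that matches nothing falls through to the implicit deny. The service table, the destination address 203.0.113.10 and the timestamps are constructed for the example.

```python
import ipaddress
from datetime import datetime, time

# Service name -> (protocol, destination port); constructed for this example,
# not the FortiGate predefined service list.
SERVICES = {"HTTP": ("tcp", 80), "FTP": ("tcp", 21), "ANY": None}

def rule(frm, to, src, dst, schedule, service, action):
    """One row of the policy list. src/dst are 'all', a host or a CIDR;
    schedule is 'always' or a recurring (start, end) time window."""
    return dict(frm=frm, to=to, src=src, dst=dst,
                schedule=schedule, service=service, action=action)

# The four-row table from the slide, in list order (explicit deny last).
POLICIES = [
    rule("internal", "wan1", "192.168.1.110", "all", "always", "HTTP", "accept"),
    rule("internal", "wan1", "all", "all", (time(9), time(17)), "HTTP", "accept"),
    rule("internal", "wan1", "192.168.1.0/24", "all", "always", "FTP", "accept"),
    rule("any", "any", "all", "all", "always", "ANY", "deny"),
]

def addr_matches(spec, ip):
    return spec == "all" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def in_schedule(schedule, when):
    if schedule == "always":
        return True
    start, end = schedule
    return start <= when.time() < end

def policy_matches(p, pkt, when):
    svc = SERVICES[p["service"]]
    return (p["frm"] in ("any", pkt["frm"]) and p["to"] in ("any", pkt["to"])
            and (svc is None or svc == (pkt["proto"], pkt["dport"]))
            and addr_matches(p["src"], pkt["src"])
            and addr_matches(p["dst"], pkt["dst"])
            and in_schedule(p["schedule"], when))

def lookup(policies, pkt, when):
    """Top-to-bottom search: the first matching policy decides; if nothing
    matches, the implicit DENY at the bottom of the list applies."""
    for idx, p in enumerate(policies, 1):
        if policy_matches(p, pkt, when):
            return idx, p["action"]
    return None, "deny"

def packet(src, dport, proto="tcp", frm="internal", to="wan1"):
    """Constructed connection request; 203.0.113.10 is a documentation address."""
    return dict(frm=frm, to=to, src=src, dst="203.0.113.10", proto=proto, dport=dport)

def at(hour, minute=0):
    """Constructed timestamp on an arbitrary day, used to test the schedule."""
    return datetime(2024, 1, 1, hour, minute)
```

Dropping the explicit deny row (`POLICIES[:3]`) shows the implicit deny taking over for unmatched traffic.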
Policy Usage
• View policy usage by active sessions, bytes or packets
• Firewall > Monitor > Policy Monitor
Firewall Policy Elements
Source and destination interfaces
Schedules
Action
Identity-based policies
Traffic shaping
Logging
Load balancing
Source and destination addresses
Services
NAT
Threat management
Endpoint NAC
Virtual IPs
Firewall Interfaces
Source interface → FortiGate → destination interface (slide figure)
• Select source to identify the interface or zone on which packets are received
• Select an individual interface or ANY to match all interfaces as the source
• Can also set source to sslvpn tunnel interface, web-proxy and ftp-proxy
• Select destination to identify the interface or zone to which packets are forwarded
• Select an individual interface or ANY to match all interfaces as the destination
• SSL VPN and IPSEC tunnel interface also available
Firewall Addresses
Packet source and destination IP address = firewall policy source and destination IP address (slide figure)
• The FortiGate device compares the source and destination address in the packet to the policies on the device
• Default of ALL addresses available
• Addresses in policies configured with:
  • Name for display in policy list
  • IP address and mask
  • FQDN if desired
• Use Country to create addresses based on geographical location
• Create address groups to simplify administration
Firewall Schedules
One-time or recurring schedule = firewall policy schedule (slide figure)
• Schedules control when policies are active or inactive
• The FortiGate device compares the current date and time to the policies
• The action on the first matched policy is applied
• One-time or recurring schedule
• Active sessions are timed out when the schedule expires
• Group schedules to simplify administration
Firewall Services
Packet protocol and port = firewall policy protocol and port (slide figure)
• The FortiGate device uses services to determine the types of communication accepted or denied
• Default of ANY service available
• Select a service from the predefined list on the FortiGate unit or create a custom service
• Web Proxy Service also available if Source Interface is set to web-proxy
• Group services and Web Proxy Service Group to simplify administration
Firewall Logging
Policy actions Accept, Deny, IPSec with logging options Log Allowed Traffic and Log Violation Traffic (slide figure)
Network Address Translation (NAT)
Firewall policy with NAT enabled; wan1 IP address: 192.168.2.2 (slide figure)
Host 10.10.10.1 on internal connects to 172.16.1.1 through wan1:
  Before NAT: source 10.10.10.1:1025, destination 172.16.1.1:80
  After NAT:  source 192.168.2.2:30912, destination 172.16.1.1:80
NAT Dynamic IP Pool
Firewall policy with NAT + IP pool enabled; wan1 IP pool: 172.16.12.2-172.16.12.12 (slide figure)
  Before NAT: source 10.10.10.1:1025, destination 172.16.1.1:80
  After NAT:  source 172.16.12.12:30957, destination 172.16.1.1:80
Central NAT Table
• Allows creation of NAT rules and NAT mappings set up by the global firewall table
• Control port translation instead of allowing the system to assign them randomly
Fixed Port
Firewall policy with NAT + IP pool enabled + fixed port (CLI only); wan1 IP pool: 172.16.12.2-172.16.12.12 (slide figure)
  Before NAT: source 10.10.10.1:1025, destination 172.16.1.1:80
  After NAT:  source 172.16.12.12:1025, destination 172.16.1.1:80
Source NAT IP Address and Port
• Session table identifies IP and port with NAT applied
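An added model (not FortiGate code) of the session table behind the three NAT slides above: a source-NAT policy picks an address from its pool (the interface address when no IP pool is set), assigns either a random port or, with fixed port, the original source port, and keeps the mapping so that return traffic can be reversed. It also shows the fixed-port edge case: two hosts using the same source port cannot share one pool address, so the second consumes the next address, and the table returns None once the pool is exhausted. Hosts, pool and ports are constructed for the example.

```python
import random

class SourceNat:
    """Session table for one NAT policy: original tuple -> translated tuple.
    pool: addresses the policy may use (a single interface IP if no IP pool).
    fixed_port: keep the original source port instead of a random one."""

    def __init__(self, pool, fixed_port=False, seed=0):
        self.pool = list(pool)
        self.fixed_port = fixed_port
        self.rng = random.Random(seed)      # seeded so runs are repeatable
        self.sessions = {}   # (src, sport, dst, dport) -> (nat_ip, nat_port)
        self.in_use = set()  # (nat_ip, nat_port) pairs already allocated

    def translate(self, src, sport, dst, dport):
        """Return the translated (ip, port) for an outbound packet, creating
        the session on first sight. None means the pool is exhausted."""
        key = (src, sport, dst, dport)
        if key in self.sessions:            # existing session: reuse mapping
            return self.sessions[key]
        for nat_ip in self.pool:            # IP pool is tried in order
            if self.fixed_port:
                candidates = [sport]        # must keep the original port
            else:
                candidates = [self.rng.randint(1024, 65535) for _ in range(8)]
            for nat_port in candidates:
                if (nat_ip, nat_port) not in self.in_use:
                    self.in_use.add((nat_ip, nat_port))
                    self.sessions[key] = (nat_ip, nat_port)
                    return nat_ip, nat_port
        return None   # no free address/port: the session cannot be set up

    def reply(self, dst, dport, nat_ip, nat_port):
        """Reverse lookup for a return packet sent by dst:dport to the
        translated address; returns the original (src, sport) or None."""
        for (src, sport, d, dp), nat in self.sessions.items():
            if nat == (nat_ip, nat_port) and (d, dp) == (dst, dport):
                return src, sport
        return None
```

With the random-port variant, the pool address chosen is always the first one with a free port, which is why a single interface address can serve many hosts while the fixed-port variant needs one pool address per colliding source port.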
Identity-Based Policies
Authentication sources (slide figure): LDAP, Directory Services, TACACS+, RADIUS, Local
• When enabled, a user must authenticate before the device will allow traffic
• Authentication rules specify group details for users being forced to authenticate
Local-in Firewall Policies
• Policies designed for traffic that is localized to the FortiGate unit
  • Central management
  • Update announcement
  • NetBIOS forward
• Destination address of firewall policies for local-in traffic is limited to the FortiGate interface IP and secondary IP addresses
• Can create local-in firewall policies for IPv4 and IPv6
• Configurable only in the CLI:
    config firewall interface-policy
        edit <0>
            set interface <source_interface_name>
            set srcaddr <source_address_name>
            set dstaddr <destination_address_name>
            set service <service_name>
    end
Threat Management
UTM profiles (slide figure): protocol options, antivirus, IPS, web filtering, email filtering, data leak prevention, application control
Protocol Options
Protocol Options List (slide figure): HTTP, HTTPS, FTP, FTPS, IMAP, POP3, SMTP, IM, NNTP, IMAPS, POP3S, SMTPS
Protocol Options - File Size
Firewall Policy → Enable UTM → Protocol Options → Oversize File/Email: Pass or Block + Threshold (slide figure)
• File size is checked against preset thresholds
• If larger than threshold and action set to block, file is rejected
• If larger than threshold and action set to allow, uncompressed file must fit within memory buffer
• If not, by default no further scanning operations performed
Traffic Shaping
Priority queues (slide figure): high priority, medium priority, low priority; example flows HTTP, FTP, IM
• Traffic shaping controls which policies have higher priority when large amounts of data are passing through the FortiGate unit
• Normalize traffic bursts by prioritizing certain flows over others
Traffic Shapers
Shared Traffic Shaper and Per-IP Traffic Shaper, each with Guaranteed Bandwidth and Maximum Bandwidth (slide figure)
• Traffic shapers apply Guaranteed Bandwidth and Maximum Bandwidth values to addresses affected by policy
• Shared Traffic Shaper: values shared between all IP addresses affected by the policy
• Per-IP Traffic Shaper: values applied to each IP address affected by the policy
Endpoint Control
Endpoint checks (slide figure): up to date? disallowed software installed?
Virtual IPs
Firewall policy with destination address virtual IP + static NAT; wan1 IP address 172.16.1.1 → 192.168.1.100; wan1 IP pool: 172.16.12.2-172.16.12.12 (slide figure)
  Before translation: source 10.10.10.1:1025, destination 172.16.1.1:80
  After translation:  source 172.16.12.2:1025, destination 192.168.1.100:80
• Used to allow connections through a FortiGate using NAT firewall policies
• FortiGate unit can respond to ARP requests on a network for a server that is installed on another network
• For example, add a virtual IP to an external interface so that the interface can respond to connection requests for users connecting to a server on the dmz or internal network
Virtual IPs
Firewall policy with NAT (slide figure)
  Before translation: source 172.16.1.1:1025, destination 10.10.10.2:80
  After translation:  source 172.16.1.100:1025, destination 10.10.10.2:80
Load Balancing
Virtual server in front of several real servers (slide figure)
• FortiGate unit intercepts incoming traffic and shares it across available servers
• Multiple servers can respond as if they were a single device
• Service provided can be highly available
Load Balancing Methods
• Source IP Hash: traffic load spread evenly across all servers according to hash of source IP address
• Round Robin: requests are directed to next server, all servers are treated equally
• Weighted: servers with higher weight value receive larger % of connections (slide example weights: 1, 5, 3, 4, 2)
• First Alive: requests are always directed to first alive server
• Least round trip: requests are directed to servers with the least round trip time
• Least session: requests are directed to server that has the least number of current connections
• HTTP-host: Host HTTP header used to guide connection to the correct server
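The seven dispatch methods listed above, written as one added example (not FortiGate code) so their differences can be compared on the same real-server set. The server names, weights, round-trip times, session counts and hostnames are constructed, and one server is marked dead to show that every method only considers servers that are alive.

```python
import hashlib
import itertools

class LoadBalancer:
    """Virtual server dispatching to real servers with one of the methods
    from the slides. Each server is a dict: name, alive, weight, rtt_ms,
    sessions (current connections) and host (the HTTP Host it serves)."""

    def __init__(self, servers):
        self.servers = servers
        self._rr = itertools.cycle(range(len(servers)))          # round robin pointer
        self._weighted = itertools.cycle(                        # weight-expanded ring
            [s for s in servers for _ in range(s["weight"])])

    def alive(self):
        return [s for s in self.servers if s["alive"]]

    def pick(self, method, client_ip=None, host=None):
        """Return the chosen server dict, or None if no server can take it."""
        alive = self.alive()
        if not alive:
            return None
        if method == "source-ip-hash":       # same client always lands on same server
            h = int(hashlib.sha256(client_ip.encode()).hexdigest(), 16)
            return alive[h % len(alive)]
        if method == "round-robin":          # next server in turn, skipping dead ones
            while True:
                s = self.servers[next(self._rr)]
                if s["alive"]:
                    return s
        if method == "weighted":             # share of picks proportional to weight
            while True:
                s = next(self._weighted)
                if s["alive"]:
                    return s
        if method == "first-alive":
            return alive[0]
        if method == "least-rtt":
            return min(alive, key=lambda s: s["rtt_ms"])
        if method == "least-session":
            return min(alive, key=lambda s: s["sessions"])
        if method == "http-host":            # route on the HTTP Host header
            return next((s for s in alive if s["host"] == host), None)
        raise ValueError("unknown method: " + method)

# Constructed real-server pool; B is down so it must never be selected.
SERVERS = [
    {"name": "A", "alive": True,  "weight": 1, "rtt_ms": 20, "sessions": 5, "host": "www.example.com"},
    {"name": "B", "alive": False, "weight": 5, "rtt_ms": 5,  "sessions": 0, "host": "www.example.com"},
    {"name": "C", "alive": True,  "weight": 3, "rtt_ms": 8,  "sessions": 2, "host": "mail.example.com"},
]
```

Note that the two stateful methods (round robin and weighted) keep a pointer per virtual server, while the hash-based method needs no state, which is what makes it useful for persistence without cookies.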
Persistence
• Persistence ensures that a user is connected to the same server every time they make a request within the same session
• Persistence options:
  • No persistence
  • HTTP cookie
  • SSL session ID
DoS Policies
DoS policy evaluated before the firewall policy (slide figure)
• DoS policies identify network traffic that does not fit known or common patterns of behavior
• If determined to be an attack, action in DoS sensor is taken
• DoS policies applied before firewall policies
• If traffic passes DoS sensor, it continues to firewall policies
Sniffer Policies
• FortiGate unit sniffs packets for attacks and various UTM events without actually receiving them:
  • DoS Sensor
  • IPS
  • Application Control
  • Antivirus
  • Web Filter
  • DLP Sensor
• Cannot block traffic, but can log detected events
Firewall Object Usage
• Allows for faster changes to settings
• The Reference column allows administrators to determine where the object is being used
• Navigate directly to the appropriate edit page
Object Tagging
• Simplifies firewall policy object management
• Useful for administering multiple VDOMs
• Easier to find and access specific firewall policies within specific VDOMs
• Available for firewall policies, address objects, IPS predefined signatures and application entries/filters
• Objects can provide useful organizational information
• Use of tags must be enabled through administrative settings or through the CLI:
    config system object-tag
        set gui-object-tags-enable
Labs
• Lab - Firewall Policies
  • Creating Firewall Policy Objects
  • Creating Firewall Policies
  • Verifying the Firewall Policies
  • Configuring Virtual IP Access
  • Configuring IP Pools
  • Configuring Traffic Shaping
  • Testing Traffic Shaping