Firewall Policies
Module Objectives
By the end of this module participants will be able to:
- Identify the components used in a firewall policy
- Create firewall objects
- Create firewall policies and manage the order of their processing
Firewall Policies
Firewall policies include the instructions used by the FortiGate device to determine what to do with a connection request: the packet is analyzed, its content is compared to the policy, and the action is performed.
A firewall policy is built from:
- Source and destination interfaces
- Source and destination IP addresses
- Services
- Schedules
- Action = ACCEPT
- Authentication
- Threat management
- Traffic shaping
- Logging
Firewall Actions
Diagram: the matching criteria (source and destination interfaces, source and destination IP addresses, services, schedules) lead to the policy action, which is one of:
- Accept
- Deny
- IPSec
- SSL VPN
Policy Matching
Example policy list:

From      To    Source   Destination  Schedule  Service  Action
internal  wan            All          Always    HTTP     Accept
internal  wan1  all                   9am-5pm   HTTP     Accept
internal  wan   /24      all          always    FTP      Accept
any       ANY   All                   Always    ANY      Deny

- The FortiGate device searches the list from top to bottom looking for a policy with matching conditions
- The action on the first matched policy is applied
- Move policies in the list to influence the order in which they are evaluated
- The default implicit DENY is always at the bottom of the list
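The top-down, first-match evaluation above, as an added example that is not part of the original module or of FortiOS: a small Python model of the slide's policy list. The interface names, the sample packets, the 10.0.1.0/24 network standing in for the slide's elided /24 source and the reading of the table's blank address cells as "all" are all assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Policy:
    src_intf: str      # interface name, or "any"
    dst_intf: str
    src_addr: str      # "all" or a CIDR such as "10.0.1.0/24"
    dst_addr: str
    schedule: tuple    # ("always",) or ("recurring", start_hour, end_hour)
    service: str       # "ANY" or a service name such as "HTTP"
    action: str        # "accept" or "deny"

def _intf_ok(wanted, actual):
    return wanted.lower() == "any" or wanted == actual

def _addr_ok(wanted, ip):
    return wanted.lower() == "all" or ipaddress.ip_address(ip) in ipaddress.ip_network(wanted)

def _sched_ok(sched, now):
    if sched[0] == "always":
        return True
    _, start, end = sched                     # recurring window in whole hours
    return start <= now.hour < end

def match_policy(policies, pkt, now):
    """Walk the list top to bottom; the first policy whose conditions all match decides.
    Returns (index, action); (None, "deny") models the implicit deny below the last policy."""
    for i, p in enumerate(policies):
        if (_intf_ok(p.src_intf, pkt["src_intf"]) and _intf_ok(p.dst_intf, pkt["dst_intf"])
                and _addr_ok(p.src_addr, pkt["src_ip"]) and _addr_ok(p.dst_addr, pkt["dst_ip"])
                and _sched_ok(p.schedule, now)
                and (p.service.upper() == "ANY" or p.service == pkt["service"])):
            return i, p.action
    return None, "deny"

# Constructed list mirroring the slide's table; 10.0.1.0/24 stands in for the elided /24 network, blank address cells taken as "all"
POLICIES = [
    Policy("internal", "wan", "all", "all", ("always",), "HTTP", "accept"),
    Policy("internal", "wan1", "all", "all", ("recurring", 9, 17), "HTTP", "accept"),
    Policy("internal", "wan", "10.0.1.0/24", "all", ("always",), "FTP", "accept"),
    Policy("any", "ANY", "all", "all", ("always",), "ANY", "deny"),
]

def pkt(src_intf, dst_intf, src_ip, service, dst_ip="203.0.113.10"):   # constructed sample packet
    return {"src_intf": src_intf, "dst_intf": dst_intf, "src_ip": src_ip, "dst_ip": dst_ip, "service": service}

def at_hour(hour):
    return datetime(2024, 1, 1, hour, 0)      # fixed date, so only the hour of day matters
```

Reordering the list changes the outcome: moving the explicit deny to the top shadows every accept below it, which is why policy order is managed, not just policy content.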
Policy Usage
- View policy usage by active sessions, bytes or packets
- Firewall > Monitor > Policy Monitor
Firewall Policy Elements
- Source and destination interfaces
- Schedules
- Action
- Identity-based policies
- Traffic shaping
- Logging
- Load balancing
- Source and destination addresses
- Services
- NAT
- Threat management
- Endpoint NAC
- Virtual IPs
Firewall Interfaces
- Select the source to identify the interface or zone on which packets are received
- Select an individual interface or ANY to match all interfaces as the source
- The source can also be set to the sslvpn tunnel interface, web-proxy or ftp-proxy
- Select the destination to identify the interface or zone to which packets are forwarded
- Select an individual interface or ANY to match all interfaces as the destination
- SSL VPN and IPSec tunnel interfaces are also available as the destination
Firewall Addresses
Diagram: the packet's source and destination IP addresses are compared with the source and destination addresses in the firewall policy.
- The FortiGate device compares the source and destination address in the packet to the policies on the device
- The default address ALL is available
- Addresses used in policies are configured with:
  - A name for display in the policy list
  - IP address and mask
  - FQDN, if desired
- Use Country to create addresses based on geographical location
- Create address groups to simplify administration
Firewall Schedules
Diagram: a one-time or recurring schedule is part of the firewall policy.
- Schedules control when policies are active or inactive
- The FortiGate device compares the current date and time to the policies
- The action on the first matched policy is applied
- A schedule is either one-time or recurring
- Active sessions are timed out when the schedule expires
- Group schedules to simplify administration
Firewall Services
Diagram: the packet's protocol and port are compared with the service (protocol and port) in the firewall policy.
- The FortiGate device uses services to determine the types of communication accepted or denied
- The default service ANY is available
- Select a service from the predefined list on the FortiGate unit or create a custom service
- A Web Proxy Service is also available if the source interface is set to web-proxy
- Group services (and Web Proxy Service Groups) to simplify administration
Firewall Logging
Diagram: the per-policy logging options Log Allowed Traffic and Log Violation Traffic, shown alongside the Deny, Accept and IPSec actions.
Network Address Translation (NAT)
Diagram: firewall policy with NAT enabled. A packet from the internal network (source port 1025, destination port 80) leaves wan1 with the wan1 IP address as its source address and a newly assigned source port; the destination address and port 80 are unchanged.
NAT Dynamic IP Pool
Diagram: firewall policy with NAT and an IP pool enabled. The packet from the internal network (source port 1025, destination port 80) leaves wan1 with a source address taken from the IP pool and a newly assigned source port.
Central NAT Table
- Allows creation of NAT rules and NAT mappings set up by the global firewall table
- Controls port translation instead of allowing the system to assign ports randomly
Fixed Port
Diagram: firewall policy with NAT, an IP pool and fixed port enabled (CLI only). The packet from the internal network (source port 1025, destination port 80) leaves wan1 with a source address from the IP pool but keeps its original source port 1025.
Source NAT IP Address and Port
- The session table identifies the IP address and port with NAT applied
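The NAT, IP pool, fixed port and session table slides above, as one added example that is not part of the original module or of FortiOS: a constructed Python model of the session table behind a NAT policy. It shows why fixed port is paired with an IP pool: two internal hosts that both use source port 1025 to the same destination cannot share one wan1 address once the port may no longer be rewritten. The class, the documentation addresses and the lowest-free-port allocation (a real unit assigns ports randomly) are assumptions.

```python
class SourceNat:
    """Constructed model of the session table behind a NAT firewall policy (not FortiGate
    code). nat_ips is the wan1 address alone or an IP pool; fixed_port keeps the original
    source port instead of allocating a new one."""

    def __init__(self, nat_ips, fixed_port=False, port_range=range(1024, 65536)):
        self.nat_ips = list(nat_ips)
        self.fixed_port = fixed_port
        self.port_range = port_range
        self.sessions = {}   # (src_ip, src_port, dst_ip, dst_port) -> (nat_ip, nat_port)
        self.in_use = set()  # (nat_ip, nat_port, dst_ip, dst_port) already handed out

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Return the (nat_ip, nat_port) the packet leaves with, creating a session on first
        sight; None when no address/port combination is free for this destination."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.sessions:                  # existing session: reuse its mapping
            return self.sessions[key]
        candidates = [src_port] if self.fixed_port else self.port_range
        for nat_ip in self.nat_ips:               # walk the pool in order
            for nat_port in candidates:           # a real unit picks randomly; lowest free here
                slot = (nat_ip, nat_port, dst_ip, dst_port)
                if slot not in self.in_use:
                    self.in_use.add(slot)
                    self.sessions[key] = (nat_ip, nat_port)
                    return nat_ip, nat_port
        return None

    def reverse(self, nat_ip, nat_port, dst_ip, dst_port):
        """Session-table lookup for a reply: which internal host and port it belongs to."""
        for (src_ip, src_port, d_ip, d_port), mapping in self.sessions.items():
            if mapping == (nat_ip, nat_port) and (d_ip, d_port) == (dst_ip, dst_port):
                return src_ip, src_port
        return None

# Constructed sample values: two internal hosts that both use source port 1025, as on the slide
WEB = ("203.0.113.10", 80)
HOST_A, HOST_B = "192.168.1.10", "192.168.1.11"
```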
Identity-Based Policies
Authentication sources: LDAP, Directory Services, TACACS+, RADIUS, Local
- When enabled, a user must authenticate before the device will allow traffic
- Authentication rules specify group details for users being forced to authenticate
Local-in Firewall Policies
- Policies designed for traffic that is local to the FortiGate unit, such as:
  - Central management
  - Update announcement
  - NetBIOS forward
- The destination address of firewall policies for local-in traffic is limited to the FortiGate interface IP and secondary IP addresses
- Local-in firewall policies can be created for IPv4 and IPv6
- Configurable only in the CLI:

config firewall interface-policy
    edit <id>
        set interface <interface>
        set srcaddr <address>
        set dstaddr <address>
        set service <service>
end
Threat Management
- Protocol options
- Antivirus
- IPS
- Web filtering
- Data leak prevention
- Application control
Protocol Options
Protocol options list: HTTP, HTTPS, FTP, FTPS, IMAP, POP3, SMTP, IM, NNTP, IMAPS, POP3S, SMTPS
Protocol Options - File Size
Diagram: Firewall Policy > Enable UTM > Protocol Options > Oversize File / Pass or Block, with a size threshold.
- File size is checked against preset thresholds
- If larger than the threshold and the action is set to block, the file is rejected
- If larger than the threshold and the action is set to allow, the uncompressed file must fit within the memory buffer
- If it does not, by default no further scanning operations are performed
Traffic Shaping
Diagram: three priority levels (high, medium, low) with example flows HTTP, FTP and IM.
- Traffic shaping controls which policies have higher priority when large amounts of data are passing through the FortiGate unit
- Normalizes traffic bursts by prioritizing certain flows over others
Traffic Shapers
Traffic shapers apply Guaranteed Bandwidth and Maximum Bandwidth values to the addresses affected by a policy:
- Shared Traffic Shaper: the values are shared between all IP addresses affected by the policy
- Per-IP Traffic Shaper: the values are applied to each IP address affected by the policy
Endpoint Control
Diagram: endpoint compliance checks, such as whether the client is up to date and whether disallowed software is installed.
Virtual IPs
Diagram: firewall policy with a virtual IP as destination address and static NAT, showing the wan1 IP address mapped to a wan1 IP pool; the packet between internal and wan1 keeps source port 1025 and destination port 80 while its address is translated.
- Used to allow connections through a FortiGate using NAT firewall policies
- The FortiGate unit can respond to ARP requests on a network for a server that is installed on another network
- For example, add a virtual IP to an external interface so that the interface can respond to connection requests for users connecting to a server on the dmz or internal network
Virtual IPs
Diagram: firewall policy with NAT; the packet (source port 1025, destination port 80) passes between internal and wan1.
Load Balancing
Diagram: a virtual server in front of real servers.
- The FortiGate unit intercepts incoming traffic and shares it across the available servers
- Multiple servers can respond as if they were a single device
- The service provided can be highly available
Load Balancing Methods
- Source IP Hash: traffic load is spread evenly across all servers according to a hash of the source IP address
- Round Robin: requests are directed to the next server; all servers are treated equally
- Weighted: servers with a higher weight value receive a larger percentage of connections (diagram shows weights 1 to 5)
- First Alive: requests are always directed to the first alive server
- Least Round Trip: requests are directed to the server with the least round trip time
- Least Session: requests are directed to the server that has the least number of current connections
- HTTP Host: the Host HTTP header is used to guide the connection to the correct server
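The seven methods above, as an added example that is not part of the original module or of FortiOS: a constructed Python virtual server that implements each selection rule over a list of real servers, skipping servers that are not alive. The class, the use of SHA-256 for the source IP hash, the smooth weighted round-robin algorithm for the weighted method and the fallback in the HTTP-host method are assumptions.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class RealServer:
    name: str
    alive: bool = True
    weight: int = 1        # used by the weighted method
    sessions: int = 0      # current connections, used by least-session
    rtt_ms: float = 0.0    # measured round trip time, used by least-RTT
    credit: int = 0        # running counter for the weighted method

class VirtualServer:
    """Constructed model of the slide's load-balancing methods (not FortiGate code)."""
    def __init__(self, servers, host_map=None):
        self.servers = servers
        self.host_map = host_map or {}   # Host header -> server name, for the HTTP-host method
        self._rr = 0                     # round-robin position

    def alive(self):
        return [s for s in self.servers if s.alive]

    def source_ip_hash(self, src_ip):    # SHA-256 is an assumed choice; any stable hash works
        live = self.alive()
        return live[int(hashlib.sha256(src_ip.encode()).hexdigest(), 16) % len(live)]

    def round_robin(self):
        live = self.alive()
        self._rr += 1
        return live[(self._rr - 1) % len(live)]

    def weighted(self):
        """Smooth weighted round robin: in every sum(weights) picks each server is chosen
        exactly weight times, so a higher weight receives a larger share of connections."""
        live = self.alive()
        for s in live:
            s.credit += s.weight
        best = max(live, key=lambda s: s.credit)
        best.credit -= sum(s.weight for s in live)
        return best

    def first_alive(self):
        return self.alive()[0]
    def least_rtt(self):
        return min(self.alive(), key=lambda s: s.rtt_ms)
    def least_session(self):
        return min(self.alive(), key=lambda s: s.sessions)

    def http_host(self, host_header):
        hits = [s for s in self.alive() if s.name == self.host_map.get(host_header)]
        return hits[0] if hits else self.first_alive()   # fallback choice is an assumption
```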
Persistence
- Session persistence ensures that a user is connected to the same server every time they make a request within the same session
- Persistence options:
  - No persistence
  - HTTP cookie
  - SSL session ID
DoS Policies
Diagram: DoS policy, then firewall policy.
- DoS policies identify network traffic that does not fit known or common patterns of behavior
- If the traffic is determined to be an attack, the action in the DoS sensor is taken
- DoS policies are applied before firewall policies
- If traffic passes the DoS sensor, it continues to the firewall policies
Sniffer Policies
- The FortiGate unit sniffs packets for attacks and various UTM events without actually receiving them
- Sensors available in a sniffer policy: DoS Sensor, IPS, Application Control, Antivirus, Web Filter, DLP Sensor
- Cannot block traffic, but can log detected events
Firewall Object Usage
- Allows for faster changes to settings
- The Reference column allows administrators to determine where the object is being used
- Navigate directly to the appropriate edit page
Object Tagging
- Simplifies firewall policy object management
- Useful for administering multiple VDOMs
- Easier to find and access specific firewall policies within specific VDOMs
- Available for firewall policies, address objects, IPS predefined signatures and application entries/filters
- Objects can provide useful organizational information
- Use of tags must be enabled through administrative settings or through the CLI:

config system object-tag
    set gui-object-tags-enable
Labs
Lab - Firewall Policies:
- Creating Firewall Policy Objects
- Creating Firewall Policies
- Verifying the Firewall Policies
- Configuring Virtual IP Access
- Configuring IP Pools
- Configuring Traffic Shaping
- Testing Traffic Shaping
Student Resources
List of resources used in this module