
1 Firewall Policies

2 Module Objectives
By the end of this module participants will be able to:
- Identify the components used in a firewall policy
- Create firewall objects
- Create firewall policies and manage the order of their processing

3-4 Firewall Policies
Diagram labels (policy components): source and destination interfaces; source and destination IP addresses; services; schedules; action = ACCEPT; authentication; threat management; traffic shaping; logging
- Firewall policies include the instructions used by the FortiGate device to determine what to do with a connection request
- The packet is analyzed, its content is compared to the policy, and the policy action is performed

5 Firewall Actions
Diagram labels (matching criteria): source and destination interfaces; source and destination IP addresses; services; schedules
Action: Accept, Deny, IPSec, SSL VPN

6-7 Policy Matching

From      To    Source          Destination  Schedule  Service  Action
internal  wan1  192.168.1.110   All          Always    HTTP     Accept
internal  wan1  all                          9am-5pm   HTTP     Accept
internal  wan1  192.168.1.0/24  all          always    FTP      Accept
any       ANY   All                          Always    ANY      Deny

- The FortiGate device searches the list from top to bottom looking for a policy with matching conditions
- The action on the first matched policy is applied
- Move policies in the list to influence the order in which they are evaluated
- The default implicit DENY is always at the bottom of the list
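The top-to-bottom, first-match evaluation described on this slide, as an added example that is not part of the original presentation or of FortiOS: the slide's four policies are encoded as constructed data (blank destination cells are assumed to mean "all", and a documentation destination address is assumed), a packet is walked down the list, and an empty or shadowed list falls through to the implicit deny.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Policy:
    src_intf: str            # "any" or an interface/zone name
    dst_intf: str
    src: str                 # "all" or an IP/CIDR
    dst: str
    schedule: Optional[Tuple[time, time]]  # None = always, else (start, end)
    service: str             # "ANY" or a service name
    action: str

def _intf_ok(rule: str, intf: str) -> bool:
    return rule.lower() == "any" or rule == intf

def _addr_ok(rule: str, addr: str) -> bool:
    return rule.lower() == "all" or ip_address(addr) in ip_network(rule, strict=False)

def _sched_ok(rule: Optional[Tuple[time, time]], now: time) -> bool:
    return rule is None or rule[0] <= now <= rule[1]

def _svc_ok(rule: str, svc: str) -> bool:
    return rule.upper() == "ANY" or rule.upper() == svc.upper()

def match(policies: List[Policy], pkt: dict, now: time) -> Tuple[Optional[int], str]:
    """Top-to-bottom search; the first policy whose conditions all match decides.
    Returns (policy index, action); (None, "Deny") is the implicit deny at the bottom."""
    for i, p in enumerate(policies):
        if (_intf_ok(p.src_intf, pkt["from"]) and _intf_ok(p.dst_intf, pkt["to"])
                and _addr_ok(p.src, pkt["src"]) and _addr_ok(p.dst, pkt["dst"])
                and _sched_ok(p.schedule, now) and _svc_ok(p.service, pkt["service"])):
            return i, p.action
    return None, "Deny"

# The slide's policy table (constructed data; blank destination cells read as "all").
POLICIES = [
    Policy("internal", "wan1", "192.168.1.110", "all", None, "HTTP", "Accept"),
    Policy("internal", "wan1", "all", "all", (time(9, 0), time(17, 0)), "HTTP", "Accept"),
    Policy("internal", "wan1", "192.168.1.0/24", "all", None, "FTP", "Accept"),
    Policy("any", "any", "all", "all", None, "ANY", "Deny"),
]

def lookup(src: str, service: str, now: time, policies: List[Policy] = POLICIES):
    # internal -> wan1 packet to an assumed documentation address (203.0.113.10)
    pkt = {"from": "internal", "to": "wan1", "src": src, "dst": "203.0.113.10", "service": service}
    return match(policies, pkt, now)
```

Reordering the list is the whole point of the slide's "move policies" bullet: putting the explicit deny-all first shadows every policy beneath it, which is the misconfiguration a policy-usage counter of zero sessions would reveal.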

8 Policy Usage
- View policy usage by active sessions, bytes or packets
- Firewall > Monitor > Policy Monitor

9 Firewall Policy Elements
Source and destination interfaces; source and destination addresses; schedules; services; action; NAT; identity-based policies; threat management; traffic shaping; endpoint NAC; logging; virtual IPs; load balancing

10-11 Firewall Interfaces
Diagram labels: source interface, destination interface
- Select the source to identify the interface or zone on which packets are received
- Select an individual interface or ANY to match all interfaces as the source
- The source can also be set to the sslvpn tunnel interface, web-proxy or ftp-proxy
- Select the destination to identify the interface or zone to which packets are forwarded
- Select an individual interface or ANY to match all interfaces as the destination
- SSL VPN and IPSEC tunnel interfaces are also available as the destination

12-13 Firewall Addresses
Diagram: packet source and destination IP address = firewall policy source and destination IP address
- The FortiGate device compares the source and destination address in the packet to the policies on the device
- A default address of ALL is available
- Addresses in policies are configured with: a name for display in the policy list; an IP address and mask; an FQDN if desired
- Use Country to create addresses based on geographical location
- Create address groups to simplify administration

14-15 Firewall Schedules
Diagram: one-time or recurring schedule = firewall policy schedule
- Schedules control when policies are active or inactive
- The FortiGate device compares the current date and time to the policies
- The action on the first matched policy is applied
- Schedules are one-time or recurring
- Active sessions are timed out when the schedule expires
- Group schedules to simplify administration

16-17 Firewall Services
Diagram: packet protocol and port = firewall policy protocol and port
- The FortiGate device uses services to determine the types of communication accepted or denied
- A default service of ANY is available
- Select a service from the predefined list on the FortiGate unit or create a custom service
- A Web Proxy Service is also available if the source interface is set to web-proxy
- Group services (and web proxy services into a Web Proxy Service Group) to simplify administration

18 Firewall Logging
Diagram: action Deny / Accept / IPSec; logging options Log Allowed Traffic, Log Violation Traffic

19 Network Address Translation (NAT)
Diagram: host 10.10.10.1 on internal, server 172.16.1.1 beyond wan1; firewall policy with NAT enabled; wan1 IP address 192.168.2.2
- Before NAT: source IP address 10.10.10.1, source port 1025, destination IP address 172.16.1.1, destination port 80
- After NAT: source IP address 192.168.2.2, source port 30912, destination IP address 172.16.1.1, destination port 80

20 NAT Dynamic IP Pool
Diagram: host 10.10.10.1 on internal, server 172.16.1.1 beyond wan1 (192.168.2.2); firewall policy with NAT + IP pool enabled; wan1 IP pool 172.16.12.2-172.16.12.12
- Before NAT: source IP address 10.10.10.1, source port 1025, destination IP address 172.16.1.1, destination port 80
- After NAT: source IP address 172.16.12.12, source port 30957, destination IP address 172.16.1.1, destination port 80

21 Central NAT Table
- Allows creation of NAT rules and NAT mappings set up by the global firewall table
- Control port translation instead of allowing the system to assign ports randomly

22 Fixed Port
Diagram: host 10.10.10.1 on internal, server 172.16.1.1 beyond wan1 (192.168.2.2); firewall policy with NAT + IP pool enabled + fixed port (CLI only); wan1 IP pool 172.16.12.2-172.16.12.12
- Before NAT: source IP address 10.10.10.1, source port 1025, destination IP address 172.16.1.1, destination port 80
- After NAT: source IP address 172.16.12.12, source port 1025 (unchanged), destination IP address 172.16.1.1, destination port 80

23 Source NAT IP Address and Port
- The session table identifies the IP address and port with NAT applied
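The three translations on slides 19, 20 and 22 (interface IP with a new source port, dynamic IP pool, and fixed port), as an added model that is not FortiOS code: the session table maps each original flow to its translated flow, and the fixed-port case shows the failure mode the slide implies, two clients sharing a source port cannot both be translated to the same pool address. Pool rotation and sequential port allocation starting at the slide's 30912 are assumptions made for reproducibility; a real device chooses its own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class SourceNAT:
    """Constructed model of a NAT-enabled policy: the outbound source IP becomes the
    egress interface IP (or the next IP pool address) and the source port is either
    reallocated (default) or kept (fixed port)."""

    def __init__(self, intf_ip: str, pool: Optional[List[str]] = None,
                 fixed_port: bool = False, first_port: int = 30912) -> None:
        self.intf_ip, self.pool, self.fixed_port = intf_ip, pool or [], fixed_port
        self.next_port, self.next_pool = first_port, 0
        self.sessions: Dict[Flow, Flow] = {}                 # the session table
        self.in_use: Set[Tuple[str, int, str, int]] = set()  # allocated NAT 4-tuples

    def translate(self, flow: Flow) -> Optional[Flow]:
        if flow in self.sessions:                 # existing session: reuse its mapping
            return self.sessions[flow]
        if self.pool:                             # dynamic IP pool: rotate addresses
            nat_ip = self.pool[self.next_pool % len(self.pool)]
            self.next_pool += 1
        else:
            nat_ip = self.intf_ip
        if self.fixed_port:
            nat_port = flow.src_port              # port preserved, so it may collide
        else:
            nat_port = self.next_port             # fresh high port (sequential here)
            self.next_port += 1
        key = (nat_ip, nat_port, flow.dst_ip, flow.dst_port)
        if key in self.in_use:
            return None                           # tuple clash: session cannot be built
        self.in_use.add(key)
        nat_flow = Flow(nat_ip, nat_port, flow.dst_ip, flow.dst_port)
        self.sessions[flow] = nat_flow
        return nat_flow
```

With fixed port enabled the IP pool has to be large enough that concurrent clients using the same source port land on different pool addresses, which is why the slide pairs fixed port with an IP pool.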

24-25 Identity-Based Policies
Diagram: authentication sources LDAP, Directory Services, TACACS+, RADIUS, Local
- When enabled, a user must authenticate before the device will allow traffic
- Authentication rules specify group details for users being forced to authenticate

26-27 Local-in Firewall Policies
- Policies designed for traffic that is localized to the FortiGate unit: central management, update announcement, NetBIOS forward
- The destination address of firewall policies for local-in traffic is limited to the FortiGate interface IP and secondary IP addresses
- Local-in firewall policies can be created for IPv4 and IPv6
- Configurable only in the CLI (values in angle brackets are placeholders for your own objects):

config firewall interface-policy
    edit <id>
        set interface <interface-name>
        set srcaddr <address-object>
        set dstaddr <address-object>
        set service <service-object>
    next
end

28-29 Threat Management
Protocol options; antivirus; IPS; web filtering; email filtering; data leak prevention; application control

30 Protocol Options
Protocol options list: HTTP, HTTPS, FTP, FTPS, IMAP, POP3, SMTP, IM, NNTP, IMAPS, POP3S, SMTPS

31-32 Protocol Options - File Size
Diagram: firewall policy + Enable UTM + protocol options; Oversize File/Email: Pass or Block, Threshold
- File size is checked against preset thresholds
- If larger than the threshold and the action is set to block, the file is rejected
- If larger than the threshold and the action is set to allow, the uncompressed file must fit within the memory buffer
- If it does not, by default no further scanning operations are performed

33-34 Traffic Shaping
Diagram: high priority, medium priority, low priority (HTTP, FTP, IM)
- Traffic shaping controls which policies have higher priority when large amounts of data are passing through the FortiGate unit
- Normalizes traffic bursts by prioritizing certain flows over others

35-36 Traffic Shapers
Diagram: Shared Traffic Shaper (one Guaranteed Bandwidth / Maximum Bandwidth pair shared by all addresses) and Per-IP Traffic Shaper (a Guaranteed Bandwidth / Maximum Bandwidth pair for each address)
- Traffic shapers apply Guaranteed Bandwidth and Maximum Bandwidth values to the addresses affected by the policy
- Shared Traffic Shaper: values are shared between all IP addresses affected by the policy
- Per-IP Traffic Shaper: values are applied to each IP address affected by the policy

37 Endpoint Control
Diagram: endpoint checks - Up to date? Disallowed software installed?

38-39 Virtual IPs
Diagram: host 10.10.10.1 on internal, host 172.16.1.100 on wan1; firewall policy with destination address virtual IP + static NAT; wan1 IP address 172.16.1.1 → 192.168.1.100; wan1 IP pool 172.16.12.2-172.16.12.12
- Before translation: source IP address 10.10.10.1, source port 1025, destination IP address 172.16.1.1, destination port 80
- After translation: source IP address 172.16.12.2, source port 1025, destination IP address 192.168.1.100, destination port 80
- Used to allow connections through a FortiGate using NAT firewall policies
- The FortiGate unit can respond to ARP requests on a network for a server that is installed on another network
- For example, add a virtual IP to an external interface so that the interface can respond to connection requests for users connecting to a server on the dmz or internal network

40 Virtual IPs
Diagram: host 10.10.10.1 on internal, host 172.16.1.100 on wan1; firewall policy with NAT
- Before translation: source IP address 172.16.1.1, source port 1025, destination IP address 10.10.10.2, destination port 80
- After translation: source IP address 172.16.1.100, source port 1025, destination IP address 10.10.10.2, destination port 80

41-42 Load Balancing
Diagram: virtual server in front of real servers
- The FortiGate unit intercepts incoming traffic and shares it across the available servers
- Multiple servers can respond as if they were a single device
- The service provided can be highly available

43-49 Load Balancing Methods
- Source IP Hash: traffic load is spread evenly across all servers according to a hash of the source IP address
- Round Robin: requests are directed to the next server; all servers are treated equally
- Weighted (diagram weights 1, 5, 3, 4, 2): servers with a higher weight value receive a larger percentage of connections
- First Alive: requests are always directed to the first alive server
- Least Round Trip: requests are directed to the servers with the least round trip time
- Least Session: requests are directed to the server that has the least number of current connections
- HTTP-host: the Host HTTP header is used to guide the connection to the correct server
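The selection methods on slides 43 to 48 (source IP hash, round robin, weighted, first alive, least session) as one added model that is not FortiGate's implementation: the hash function, the weight-expansion scheme and tie-breaking are assumptions, and the per-server session counter is what least-session reads. Least round trip and HTTP-host are left out because they need live measurements or request headers.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class RealServer:
    name: str
    weight: int = 1
    alive: bool = True
    sessions: int = 0      # current connection count, read by least-session

class VirtualServer:
    """Constructed model of the slide's selection methods; hash, weighting and
    tie-breaking are assumptions, not FortiGate internals."""

    def __init__(self, servers: List[RealServer]) -> None:
        self.servers = servers
        self.rr_pos = 0          # round-robin cursor
        self.weighted_pos = 0    # cursor over weight-expanded slots

    def pick(self, method: str, src_ip: str = "") -> Optional[str]:
        alive = [s for s in self.servers if s.alive]   # dead servers never get traffic
        if not alive:
            return None
        if method == "source-ip-hash":          # same client always lands on one server
            digest = hashlib.sha256(src_ip.encode()).digest()
            chosen = alive[int.from_bytes(digest[:4], "big") % len(alive)]
        elif method == "round-robin":           # next server each time, all equal
            chosen = alive[self.rr_pos % len(alive)]
            self.rr_pos += 1
        elif method == "weighted":              # weight N = N slots in the rotation
            slots = [s for s in alive for _ in range(s.weight)]
            chosen = slots[self.weighted_pos % len(slots)]
            self.weighted_pos += 1
        elif method == "first-alive":           # always the first server that is up
            chosen = alive[0]
        elif method == "least-session":         # fewest current connections wins
            chosen = min(alive, key=lambda s: s.sessions)
        else:
            raise ValueError(f"unknown method {method}")
        chosen.sessions += 1                    # the new connection now sits on it
        return chosen.name

def distribute(method: str, picks: int, servers: List[RealServer]) -> dict:
    """Count how many of `picks` connections each server receives under `method`."""
    vs = VirtualServer(servers)
    counts = {s.name: 0 for s in servers}
    for i in range(picks):                      # constructed client addresses
        counts[vs.pick(method, src_ip=f"10.0.0.{i}")] += 1
    return counts
```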

50-51 Persistence
- Session persistence ensures that a user is connected to the same server every time they make a request within the same session
- Persistence options: no persistence, HTTP cookie, SSL session ID

52-53 DoS Policies
Diagram: traffic passes the DoS policy before the firewall policy
- DoS policies identify network traffic that does not fit known or common patterns of behavior
- If the traffic is determined to be an attack, the action in the DoS sensor is taken
- DoS policies are applied before firewall policies
- If the traffic passes the DoS sensor, it continues to the firewall policies

54-55 Sniffer Policies
- The FortiGate unit sniffs packets for attacks and various UTM events without actually receiving them
- Sensors available: DoS sensor, IPS, application control, antivirus, web filter, DLP sensor
- Cannot block traffic, but can log detected events

56 Firewall Object Usage
- Allows for faster changes to settings
- The Reference column allows administrators to determine where the object is being used
- Navigate directly to the appropriate edit page

57-58 Object Tagging
- Simplifies firewall policy object management
- Useful for administering multiple VDOMs: easier to find and access specific firewall policies within specific VDOMs
- Available for firewall policies, address objects, IPS predefined signatures and application entries/filters
- Objects can provide useful organizational information
- Use of tags must be enabled through administrative settings or through the CLI:

config system object-tag
    set gui-object-tags-enable

59 Labs
Lab - Firewall Policies:
- Creating Firewall Policy Objects
- Creating Firewall Policies
- Verifying the Firewall Policies
- Configuring Virtual IP Access
- Configuring IP Pools
- Configuring Traffic Shaping
- Testing Traffic Shaping

60 Student Resources
A list of resources used in this module accompanies the presentation.

