
SANGFOR NGFW

Firewall features

NAT
Understand source address translation, destination address translation and bi-directional address translation. Master the configuration.

DOS/DDOS Protection
Master the DOS and DDOS protection function and its applicable environment.

Other Features
Connection Control: master the configuration.
DNS Mapping: understand the applicable environment and master the configuration.
ARP Spoofing: understand the applicable environment and master the configuration.
NAT Introduction

NAT:
Network Address Translation (NAT) is a technology used to rewrite the source IP and/or destination IP when a packet passes through a router or firewall.

Source network address translation (SNAT):
Source network address translation is used when a private IP address accesses a public IP address (the internet): the private IP address is translated to a public IP address. More than one private IP address can be translated to one public IP address.

Typical applicable environment:
The device is deployed in route mode as a gateway to allow internal users to access the internet.
NAT Introduction

Destination Network Address Translation (DNAT):
DNAT translates the destination IP. Port mapping or port forwarding is also a form of DNAT.

Typical applicable environment:
Users want to access an internal server from outside the office by using the office public IP address.
NAT Introduction

Bi-directional address translation:
Bi-directional address translation means that one NAT rule translates both the source and the destination address.

Typical applicable environment:
Internal users want to access an internal server via its public IP address.
NAT Case Study
The NGFW is deployed as the internet gateway and connects to a layer 3 switch. The internal network has PCs and a server.

Requirement:
Internal PCs and the server need to access the internet via the NGFW.

Solution: configure SNAT on the NGFW.

Step 1: Define interface, zone and IP group.
NAT Case Study 2

Requirement: The NGFW is deployed as the internet gateway. There is an internal web server. The customer wants to publish the web server to the internet so that external users can access it at http://2.2.2.2.

Solution: Configure DNAT on the NGFW.

Step 1: Configure interface, zone and IP group.
Step 2: Add a DNAT rule.
NAT Case Study 3

Requirement: The NGFW is deployed as the internet gateway. There is an internal web server, and the customer has registered the domain name www.test.com pointing to 2.2.2.2. The customer wants internal users to access the web server via www.test.com as well.

Step 1: Configure interface, zone and IP group.
Step 2: Add a bi-directional NAT rule.
Attention
1. If Bi-NAT is configured for an internal mail server, antivirus scanning for mail cannot be enabled at the same time, because for email scanning the NGFW performs a DNAT to redirect the email traffic to its local antivirus scanning engine.

2. After configuring NAT, make sure you have allowed the corresponding traffic in "Access Control".

3. When configuring DNAT, make sure the server's replies to internet traffic also go through the NGFW. If they do not, add one SNAT rule to translate the public IP address to the NGFW IP.
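As an added example (not from the Sangfor slides), the three NAT rule types of the case studies are modelled in Python, together with a check of the return-path problem in Attention point 3. The NGFW LAN address 192.168.1.1 and the client address 192.168.1.10 are assumptions; 2.2.2.2 and 192.168.1.2 are the slides' values.

```python
from dataclasses import dataclass, replace

# Constructed addresses following the case studies above; the NGFW LAN
# address 192.168.1.1 is an assumption, the slides do not state it.
PUBLIC_IP = "2.2.2.2"
NGFW_LAN_IP = "192.168.1.1"
WEB_SERVER = "192.168.1.2"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def is_internal(ip: str) -> bool:
    return ip.startswith("192.168.1.")

def snat(pkt: Packet) -> Packet:
    """Case 1: internal hosts going to the internet leave with the public IP."""
    if is_internal(pkt.src) and not is_internal(pkt.dst):
        return replace(pkt, src=PUBLIC_IP)
    return pkt

def dnat(pkt: Packet) -> Packet:
    """Case 2: traffic to the published public IP on port 80 goes to the web server."""
    if pkt.dst == PUBLIC_IP and pkt.dport == 80:
        return replace(pkt, dst=WEB_SERVER)
    return pkt

def bi_nat(pkt: Packet) -> Packet:
    """Case 3: an internal client hits the public IP; both addresses are
    rewritten so the server answers the NGFW rather than the client directly."""
    if is_internal(pkt.src) and pkt.dst == PUBLIC_IP and pkt.dport == 80:
        return replace(pkt, src=NGFW_LAN_IP, dst=WEB_SERVER)
    return pkt

def reply_returns_via_ngfw(translated: Packet) -> bool:
    """Attention point 3: the translation can only be reversed if the server's
    reply passes the NGFW. The server replies to the (translated) source; an
    internal source on its own LAN is answered directly, bypassing the NGFW,
    so the client would see a reply from 192.168.1.2 instead of 2.2.2.2."""
    replies_to = translated.src
    return replies_to == NGFW_LAN_IP or not is_internal(replies_to)

if __name__ == "__main__":
    inner = Packet("192.168.1.10", PUBLIC_IP, 80)   # constructed internal client
    print("DNAT only :", dnat(inner), reply_returns_via_ngfw(dnat(inner)))
    print("Bi-NAT    :", bi_nat(inner), reply_returns_via_ngfw(bi_nat(inner)))
```

Running it shows why Case 3 needs the bi-directional rule: with DNAT alone the internal client's request reaches the server, but the reply never comes back through the NGFW.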
Anti DOS/DDOS

DOS attack: DOS (Denial of Service) is an attempt to make a machine or network resource unavailable to its intended users.

DDOS attack: DDOS (Distributed Denial of Service) is a large number of DOS attacks on a machine or network resource.

NGFW anti-DOS/DDOS has two types, "outside attack" and "inside attack".

Outside attack: mainly to protect internal servers from being attacked from the external zone.

Inside attack: mainly to protect the device itself.
Anti DOS/DDOS
Outside Attack
Dst IP: the protected IP.

It is not recommended to turn on IP packet splitting (IP fragment attack).
Anti DOS/DDOS
Inside Attack:

Attention
1. The Anti DOS/DDOS policy is read from top to bottom.

2. When software bypass is enabled, packet-based attack and abnormal message probe detection still function.

3. It is recommended to configure the destination IP as the server IP group only, not all IPs, and one IP group should not contain more than 400 IP addresses.
Other Features
Connection Control

Connection Control: controls the maximum number of concurrent connections for a single IP address.

* Connection control matches on the source zone only.

Configuration:
DNS Mapping
Function: DNS Mapping is applicable when internal users access an internal server via its public IP or public domain name. It is similar to bi-directional NAT.

Differences from Bi-NAT:

1. After DNS Mapping is configured, internal users' access to the server no longer passes through the NGFW; they access the server's internal IP address directly. With Bi-NAT all traffic still passes through the NGFW, so DNS Mapping can reduce the processing load on the NGFW.

2. DNS Mapping configuration is easier than Bi-NAT; there is no need to configure zone, IP group and port.

3. DNS Mapping does not support mapping a single public IP to multiple internal servers. Bi-NAT does not have this limitation.
DNS Mapping
1. The PC requests the IP for www.test.com from the DNS server.
2. The DNS server returns IP 2.2.2.3.
3. The NGFW modifies the IP to 192.168.1.2.
4. The PC accesses 192.168.1.2.

Configuration:
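As an added example (not from the slides), step 3 of the DNS Mapping flow performed on a constructed DNS reply: the A record 2.2.2.3 returned for www.test.com is rewritten to 192.168.1.2 before the PC sees it, so the PC then connects to the internal address directly. The transaction ID, TTL and reply layout are constructed; the address values are the slides'.

```python
import socket
import struct

# Constructed from the DNS Mapping diagram above: public 2.2.2.3 -> internal 192.168.1.2.
DNS_MAP = {"2.2.2.3": "192.168.1.2"}

def _skip_name(buf: bytes, pos: int) -> int:
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer
            return pos + 2
        pos += 1 + length

def dns_map(reply: bytes, mapping: dict) -> bytes:
    """Rewrite every A-record answer whose address is in mapping (step 3)."""
    out = bytearray(reply)
    qdcount, ancount = struct.unpack_from("!HH", reply, 4)
    pos = 12                                # skip the fixed DNS header
    for _ in range(qdcount):
        pos = _skip_name(reply, pos) + 4    # QTYPE + QCLASS
    for _ in range(ancount):
        pos = _skip_name(reply, pos)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", reply, pos)
        pos += 10                           # TYPE, CLASS, TTL, RDLENGTH
        if rtype == 1 and rdlen == 4:       # A record
            addr = socket.inet_ntoa(reply[pos:pos + 4])
            if addr in mapping:
                out[pos:pos + 4] = socket.inet_aton(mapping[addr])
        pos += rdlen
    return bytes(out)

def build_reply(name: str, addr: str, txid: int = 0x1234) -> bytes:
    """Constructed DNS reply with one question and one A answer for it."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return header + question + answer

def answered_ip(reply: bytes) -> str:
    """Address in the first A answer of a one-question reply: what the PC connects to (step 4)."""
    pos = _skip_name(reply, 12) + 4         # past the single question
    pos = _skip_name(reply, pos) + 10       # past answer name and fixed fields
    return socket.inet_ntoa(reply[pos:pos + 4])
```

Unlike Bi-NAT, nothing in the data path is rewritten here: only the DNS reply changes, which is why the later traffic does not pass through the NGFW.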
ARP Spoofing Prevention
ARP spoofing is a common internal virus behaviour. An infected PC sends fake Address Resolution Protocol (ARP) messages onto the local area network and interrupts internal network communication; the entire network can suffer serious disconnection.

NGFW ARP Spoofing Prevention rejects abnormal ARP requests or ARP replies to protect the ARP cache of the device itself, and also broadcasts the device MAC address to internal users to prevent them from getting a fake ARP record.

Configuration:
Attention
1. When DNS Mapping and Bi-NAT are configured at the same time, DNS Mapping takes effect when users access the server via the domain name, and Bi-NAT takes effect when users access the server via the public IP address.

2. The MAC broadcast in ARP Spoofing Prevention is sent on non-WAN attribute interfaces only. To broadcast on WAN attribute interfaces, enable "gratuitous ARP" in [system] – [General] – [Network].
Practice
The NGFW is deployed as the internet gateway, and the WAN interface IP 2.2.2.2 is bound to the domain name www.test.com. There is an internal email server, and internal PCs want to access the email server via www.test.com. How can this requirement be met? Which configuration needs to be done?
Q&A

1. Which kinds of NAT does the NGFW support, and in which environment is each applicable?

2. The customer network has a layer 3 switch. After enabling Anti-DOS for internal attack, the network went down and the logs show a DOS attack from the layer 3 switch MAC address. How can this issue be resolved?

3. Please describe the differences between Bi-NAT and DNS Mapping.


www.sangfor.com
