FGT1 03 Firewall Policies
Firewall Policies
2
Objectives
3
What Are Firewall Policies?
• Policies define:
o Which traffic matches them
o How to process traffic that matches
• When packet for new IP session arrives, FortiGate looks for matching policy
o Only first matching policy applies
o Starts at top of list
• Implicit deny
o No matching policy? FortiGate drops packet
4
How Are Policy Matches Determined?
Authentication
5
Policy List: Section View
6
Policy List: Global View
7
Adjusting Policy Order
8
Components & Policy Types
9
Simplify: Interfaces vs. Zones
(diagram: incoming and outgoing interfaces grouped into zones)
10
Matching by Source
11
Device Identification
12
Device Identification: Agent-based vs. Agentless
(diagram: devices identified with FortiClient agent vs. agentless devices, across DMZ and Internet)
Identification Techniques
• Agentless
o TCP fingerprinting
o MAC address vendor codes
o HTTP user agent
o Requires “direct” connectivity to FortiGate
• Agent based
o Uses FortiClient
o Location & infrastructure independent
13
Device Identification: Device List (GUI)
14
Device Identification: Agentless Device List (CLI)
15
Device Identification: FortiClient Device List (CLI)
16
Endpoint Control
17
Endpoint Control
18
Endpoint Control
19
Endpoint Control
• FortiClient profile
20
Endpoint Control
21
Endpoint Control
22
Simplify: Groups of Sources/Services
23
Example: Matching Policy by Source
24
Implicit Fall Through
• “If this authentication policy does not match, try the next”
o Previous firmware used an identity policy
o Flows that failed authentication with the 1st matching authentication policy
were blocked unless the option ‘fall-through-unauthenticated’ was
enabled, causing FortiGate to try subsequent authentication policies
25
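The matching rules above (top-down, first match wins, implicit deny at the bottom) and the legacy fall-through behaviour on the last slide, as an added toy model; this is not Fortinet code, and the policy list, packet and group names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Policy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str                          # CIDR
    dstaddr: str                          # CIDR
    service: frozenset                    # {(proto, port), ...} or {"ALL"}
    action: str                           # "accept" or "deny"
    auth_groups: frozenset = frozenset()  # empty: no authentication required

def matches(p, pkt):
    """Interface pair, source/destination address and service must all match."""
    return (p.srcintf == pkt["srcintf"] and p.dstintf == pkt["dstintf"]
            and ip_address(pkt["src"]) in ip_network(p.srcaddr)
            and ip_address(pkt["dst"]) in ip_network(p.dstaddr)
            and ("ALL" in p.service or (pkt["proto"], pkt["dport"]) in p.service))

def lookup(policies, pkt, user_groups=frozenset(), fall_through_unauthenticated=False):
    """Walk the list top-down; return (policy name, action) of the first match."""
    for p in policies:
        if not matches(p, pkt):
            continue
        if p.auth_groups and not (p.auth_groups & user_groups):
            if fall_through_unauthenticated:
                continue                  # try the next authentication policy
            return p.name, "deny"         # unauthenticated flow is blocked here
        return p.name, p.action           # only the first matching policy applies
    return "implicit", "deny"             # bottom of the list: implicit deny

# Constructed policy list and packet (addresses borrowed from the NAT slides).
POLICIES = [
    Policy("staff-web", "internal", "wan1", "10.10.10.0/24", "0.0.0.0/0",
           frozenset({("tcp", 80), ("tcp", 443)}), "accept", frozenset({"staff"})),
    Policy("guest-http", "internal", "wan1", "10.10.10.0/24", "0.0.0.0/0",
           frozenset({("tcp", 80)}), "accept"),
    Policy("block-rest", "internal", "wan1", "0.0.0.0/0", "0.0.0.0/0",
           frozenset({"ALL"}), "deny"),
]
PKT = {"srcintf": "internal", "dstintf": "wan1", "src": "10.10.10.10",
       "dst": "11.12.13.14", "proto": "tcp", "dport": 80}

if __name__ == "__main__":
    print(lookup(POLICIES, PKT))                                     # ('staff-web', 'deny')
    print(lookup(POLICIES, PKT, fall_through_unauthenticated=True))  # ('guest-http', 'accept')
    print(lookup(POLICIES, dict(PKT, srcintf="dmz")))                # ('implicit', 'deny')
```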
Matching by Destination
26
Scheduling
• One-time
o Happens only once
27
Matching by Service
28
Object Usage
29
How Packets are Handled: Step 1
Phase 1 - Ingress
• Denial of service (DoS) sensor
• Packet integrity check
• IPSec tunnel match
• Destination NAT
• Routing
30
How Packets are Handled: Step 2
Phase 2 - Stateful Inspection
• Management traffic
• Policy lookup
o Session tracking
o Session helpers
o SSL VPN
o User authentication
o Traffic shaping
31
How Packets are Handled: Step 3
32
How Packets are Handled: Step 4
33
Logging
(screenshot: log settings for Accept and Deny policies)
34
Monitor
35
Session Table
36
Session TTL
37
Session Table: TCP Example
38
TCP States
State Value
NONE 0
ESTABLISHED 1
SYN_SENT 2
SYN & SYN/ACK 3
FIN_WAIT 4
TIME_WAIT 5
CLOSE 6
CLOSE_WAIT 7
LAST_ACK 8
LISTEN 9
39
diagnose sys session
• Like debug flow, the session table also indicates policy actions
o Clear any previous filter
diagnose sys session filter clear
o Set the filter
diagnose sys session filter ?
dport destination port
dst destination IP address
policy policy id
sport source port
src source ip address
o List all entries matching the configured filter
diagnose sys session list
o Clear all entries matching the configured filter
diagnose sys session clear
40
diagnose sys session
41
Network Address / Port Translation
(diagram: NAT rewrites the source IP address, port translation rewrites the source port)
42
Network Address / Port Translation: NAT
(diagram) Firewall policy with NAT enabled; wan1 IP address: 200.200.200.200
Host 10.10.10.10 behind internal (10.10.10.1) sends:
  Source IP address: 10.10.10.10, Source port: 1025
  Destination IP address: 11.12.13.14, Destination Port: 80
After NAT, the packet leaving wan1 carries:
  Source IP address: 200.200.200.200, Source port: 30912
  Destination IP address: 11.12.13.14, Destination Port: 80
43
Network Address / Port Translation: IP Pool
(diagram) Firewall policy with NAT + IP pool enabled; wan1 IP address: 200.200.200.200;
wan1 IP pool: 200.200.200.2-200.200.200.10
Host 10.10.10.10 behind internal (10.10.10.1) sends:
  Source IP address: 10.10.10.10, Source port: 1025
  Destination IP address: 11.12.13.14, Destination Port: 80
After NAT, the packet leaving wan1 carries an address taken from the pool:
  Source IP address: 200.200.200.?, Source port: 30957
  Destination IP address: 11.12.13.14, Destination Port: 80
44
IP Pool Type: One-to-One
45
IP Pool Type: Fixed Port Range
46
IP Pool Type: Port Block Allocation
• Type port block allocation assigns a block size & number of blocks per
host for a range of external IP addresses
o Example: using a small block size of 64 and 1 block per host, then generating sessions with
hping --faster -p 80 -S 10.200.1.254
47
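The source NAT behaviour of the last slides (IP pool, and in particular port block allocation with a 64-port block and one block per host) as an added toy model; this is not Fortinet code, and the port range, allocation order and scenario are assumptions made for illustration.

```python
from ipaddress import ip_address

class PortBlockAllocationPool:
    """Source NAT pool of type port block allocation (toy model)."""
    def __init__(self, first_ip, last_ip, block_size=64, blocks_per_host=1,
                 port_start=1024, port_end=65535):
        # Assumption: blocks are carved from port_start upward on each pool address
        # and handed out in order; FortiGate's real allocation order is not modelled.
        ips = range(int(ip_address(first_ip)), int(ip_address(last_ip)) + 1)
        self.block_size = block_size
        self.blocks_per_host = blocks_per_host
        self.free_blocks = [(str(ip_address(ip)), p) for ip in ips
                            for p in range(port_start, port_end - block_size + 2, block_size)]
        self.host_blocks = {}   # internal IP -> [(external IP, first port), ...]
        self.used_ports = {}    # internal IP -> {(external IP, port), ...}

    def _allocate_block(self, host):
        blocks = self.host_blocks.setdefault(host, [])
        if len(blocks) >= self.blocks_per_host or not self.free_blocks:
            return None         # host already has its quota, or the pool is exhausted
        blocks.append(self.free_blocks.pop(0))
        return blocks[-1]

    def new_session(self, src_ip):
        """Pick the translated (external IP, port) for a new session, or None."""
        used = self.used_ports.setdefault(src_ip, set())
        while True:
            for ext_ip, first in self.host_blocks.get(src_ip, []):
                for port in range(first, first + self.block_size):
                    if (ext_ip, port) not in used:
                        used.add((ext_ip, port))
                        return ext_ip, port
            if self._allocate_block(src_ip) is None:
                return None     # every port of the host's block(s) is in use: no NAT, session dropped

    def end_session(self, src_ip, ext_ip, port):
        """Free the translated port when the session leaves the session table."""
        self.used_ports.get(src_ip, set()).discard((ext_ip, port))

# Constructed scenario: the pool from the IP-pool slide, 64-port blocks, 1 block per host.
pool = PortBlockAllocationPool("200.200.200.2", "200.200.200.10")
sessions = [pool.new_session("10.10.10.10") for _ in range(65)]
# The first 64 sessions use 200.200.200.2 ports 1024-1087; the 65th gets None.
```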
Virtual IPs (VIP)
48
Network Address / Port Translation: VIP
(diagram) Client 11.12.13.14 on the wan1 side sends to the VIP:
  Destination IP address: 200.200.200.222, Destination Port: 80
The server behind internal is 10.10.10.10
49
Network Address / Port Translation: Central NAT
50
Session Helpers
51
Session Helpers: SIP Example
(diagram) SIP call between 172.16.1.1 / 172.16.1.2 and 201.11.1.3:
  media traffic to 172.16.1.2, port 12546
  media traffic to 201.11.1.3, port 12546
52
Traffic Shaping
53
Traffic Shapers
(diagram: each traffic shaper is defined by a Guaranteed Bandwidth and a Maximum Bandwidth)
54
NP Session Offloading & Packet Forwarding
• First packet in IP session handled by OS kernel (CPU)
• Not ASIC-compatible: session remains with CPU (“slow path”)
• ASIC compatible: kernel offloads session to specialized NP, freeing CPU… (“fast path”)
• When session ends, or if errors, NP returns session to CPU
55
Security Profiles
56
Proxy vs Flow: Proxy-Based Scanning
• Transparent proxy buffers file as it arrives
• Once transmission is complete, FortiGate examines file
o No action until buffer is full or file is finished
• Communication is terminated on Layer 4
o Proxy initiates secondary connection after scan
57
Proxy Options
58
Proxy vs Flow: Flow-Based Scanning
• File is scanned on a TCP flow basis as it passes through FortiGate
o IPS engine
• Faster scanning, but lower accuracy
• Requires more signatures than proxy-based techniques
59
SSL/SSH Inspection
60
Debugging Firewall Policies
61
Packet Capture (CLI)
62
Example: Packet Capture
63
Packet Capture (GUI)
64
Packet Flow
65
diagnose debug flow (Output)
66
Combining Packet Traces and Flow
interfaces=[any]
filters=[host 10.200.1.254 and port 80]
51.685869 port3 in 10.0.1.10.58376 -> 10.200.1.254.80: syn 3479847099
51.937927 port3 in 10.0.1.10.58378 -> 10.200.1.254.80: syn 1978227929
54.679653 port3 in 10.0.1.10.58376 -> 10.200.1.254.80: syn 3479847099
54.930621 port3 in 10.0.1.10.58378 -> 10.200.1.254.80: syn 1978227929
• Better: set up the debug flow, then start the sniffer
67
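A parser for sniffer lines in the form shown above, added here as an example (not Fortinet code), that flags the pattern in that capture: SYNs repeated with the same sequence number and nothing seen back from the server, which is the point at which debug flow shows why the session was not accepted. The line layout `time iface dir src.port -> dst.port: flags [seq]` is assumed from the slide's output.

```python
from collections import defaultdict

# Constructed input: the four sniffer lines from the slide, sequence numbers rejoined.
CAPTURE = """\
51.685869 port3 in 10.0.1.10.58376 -> 10.200.1.254.80: syn 3479847099
51.937927 port3 in 10.0.1.10.58378 -> 10.200.1.254.80: syn 1978227929
54.679653 port3 in 10.0.1.10.58376 -> 10.200.1.254.80: syn 3479847099
54.930621 port3 in 10.0.1.10.58378 -> 10.200.1.254.80: syn 1978227929
"""

def parse_line(line):
    """Split 'time iface dir src.sport -> dst.dport: flags [seq]' into a dict, else None."""
    try:
        ts, iface, direction, src, arrow, dst, rest = line.split(None, 6)
    except ValueError:
        return None                      # header lines such as interfaces=[any]
    if arrow != "->" or not dst.endswith(":"):
        return None
    src_ip, sport = src.rsplit(".", 1)
    dst_ip, dport = dst[:-1].rsplit(".", 1)
    words = rest.split()
    seq = int(words.pop()) if words and words[-1].isdigit() else None
    return {"ts": float(ts), "iface": iface, "dir": direction, "src": src_ip,
            "sport": int(sport), "dst": dst_ip, "dport": int(dport),
            "flags": " ".join(words), "seq": seq}

def parse(text):
    return [p for p in map(parse_line, text.splitlines()) if p]

def unanswered_syns(pkts):
    """Return {flow: syn_count} for flows whose SYN was retransmitted (same seq)
    while no packet at all was seen in the reverse direction."""
    counts = defaultdict(int)
    seqs = defaultdict(set)
    answered = set()
    for p in pkts:
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "syn":
            counts[flow] += 1
            seqs[flow].add(p["seq"])
        else:
            # anything else (syn/ack, ack, rst) from the peer marks the reverse flow
            answered.add((p["dst"], p["dport"], p["src"], p["sport"]))
    return {f: n for f, n in counts.items()
            if f not in answered and n > 1 and len(seqs[f]) == 1}

if __name__ == "__main__":
    for flow, n in unanswered_syns(parse(CAPTURE)).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: {n} SYNs, no reply")
```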
Debugging Firewall Policies: debug flow & sniffer
68
Review
69