Module 3
© 2013 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet. Rev. 20130215-C
Module Objectives
Firewall Policies
Types of Policies
• Address
» Policy match based on IPs
• User Identity
» Policy match based on authentication information (user)
• Device Identity
» Policy match based on OS
Firewall Actions
Policy Action: Accept or Deny
Firewall Policy Elements - Address Subtype
Firewall Policy Elements - User Identity Subtype
Firewall Policy Elements - Device Identity Subtype
Device Identification (BYOD)
• Device-identify
» Identifies the device through the HTTP user-agent
• Email-collection
» Used in conjunction with device type Collected Emails
» Collects an email to be associated with the device
Firewall Address objects
Firewall Interfaces
Diagram labels: Incoming Interface, Outgoing Interface
Firewall Service Objects
• The FortiGate unit uses Service objects to determine which types of communication a policy accepts or denies
• The default service is ALL, which matches every service
• Select a Service from the predefined list on the FortiGate unit or create a custom service
• A Web Proxy Service is also available when the Incoming Interface is set to web-proxy
• Group Services (and Web Proxy Services into a Web Proxy Service Group) to simplify administration
Traffic Logging
Diagram labels: Accept, Deny
Network Address Translation (Source NAT)
Diagram: firewall policy with NAT enabled; wan1 IP address: 200.200.200.200
Before NAT (internal): Source IP address 10.10.10.1, Source port 1025, Destination IP address 11.12.13.14, Destination Port 80
After NAT (wan1): Source IP address 200.200.200.200, Source port 30912, Destination IP address 11.12.13.14, Destination Port 80
NAT Dynamic IP Pool (Source NAT)
Diagram: firewall policy with NAT + IP pool enabled; wan1 IP address: 200.200.200.200; wan1 IP pool: 200.200.200.2-200.200.200.10
Before NAT (internal): Source IP address 10.10.10.1, Source port 1025, Destination IP address 11.12.13.14, Destination Port 80
After NAT (wan1): Source IP address 200.200.200.? (an address from the pool), Source port 30957, Destination IP address 11.12.13.14, Destination Port 80
Central NAT Table
Traffic Shaping
Diagram labels: HTTP, FTP, IM
Source NAT IP Address and Port
Fixed Port (Source NAT)
Diagram: firewall policy with NAT + IP pool enabled + fixed port (CLI only); wan1 IP address: 200.200.200.200; wan1 IP pool: 200.200.200.201
Before NAT (internal): Source IP address 10.10.10.1, Source port 1025, Destination IP address 11.12.13.14, Destination Port 80
After NAT (wan1): Source IP address 200.200.200.201, Source port 1025 (unchanged), Destination IP address 11.12.13.14, Destination Port 80
Virtual IPs (Destination NAT)
Diagram: internal server 10.10.10.10; wan1; inbound packet with Source IP address 11.12.13.14, Destination IP address 200.200.200.222, Destination Port 80
Virtual IPs (Destination NAT)
• Used to allow connections through a FortiGate using NAT firewall policies
» FortiGate unit can respond to ARP requests on a network for a server that is installed on another network
» Used for (1) Server Redundancy and Load Balancing; (2) IPSec VPN site-to-site with identical subnets at both sites; etc.
» VIP Group: A group of Virtual IPs for ease-of-use
Diagram: internal server 10.10.10.10; wan1; inbound packet with Source IP address 11.12.13.14, Destination IP address 200.200.200.200, Destination Port 80; VIP translates destination 200.200.200.200 -> 10.10.10.10
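The translations drawn on the Source NAT, Dynamic IP Pool, Fixed Port and Virtual IP slides, as an added Python model that is not Fortinet's code: it rewrites the slides' own flow (10.10.10.1:1025 to 11.12.13.14:80, pool 200.200.200.2-200.200.200.10, VIP 200.200.200.200 -> 10.10.10.10) under each option. The ephemeral-port sequence and the inbound source port 40000 are constructed assumptions.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatPolicy:
    """One firewall policy with the NAT options drawn on the slides.
    ip_pool: optional (first, last) range used instead of the wan1 address.
    fixed_port: keep the original source port (the CLI-only option).
    vips: destination-NAT map, external IP -> internal server IP.
    The ephemeral ports chosen here are an assumption of this model."""
    def __init__(self, egress_ip, ip_pool=None, fixed_port=False, vips=None):
        self.egress_ip = egress_ip
        self.ip_pool = ip_pool
        self.fixed_port = fixed_port
        self.vips = vips or {}
        self._next_port = 30912   # assumed first ephemeral port (slide value)
        self._pool_index = 0
    def _pool_address(self):
        first, last = (int(ip_address(a)) for a in self.ip_pool)
        addr = str(ip_address(first + self._pool_index % (last - first + 1)))
        self._pool_index += 1     # round-robin over the pool ("200.200.200.?")
        return addr
    def source_nat(self, pkt):
        """Outbound flow, internal -> wan1: rewrite source IP and usually port."""
        new_ip = self._pool_address() if self.ip_pool else self.egress_ip
        if self.fixed_port:
            return replace(pkt, src_ip=new_ip)          # source port kept
        port, self._next_port = self._next_port, self._next_port + 1
        return replace(pkt, src_ip=new_ip, src_port=port)
    def destination_nat(self, pkt):
        """Inbound flow to a VIP: rewrite the destination to the internal host."""
        if pkt.dst_ip not in self.vips:
            return None           # no VIP for this address: nothing translated
        return replace(pkt, dst_ip=self.vips[pkt.dst_ip])

def slide_examples():
    inside = Packet("10.10.10.1", 1025, "11.12.13.14", 80)   # client flow from the slides
    plain = NatPolicy("200.200.200.200").source_nat(inside)
    pooled = NatPolicy("200.200.200.200", ip_pool=("200.200.200.2", "200.200.200.10")).source_nat(inside)
    fixed = NatPolicy("200.200.200.200", ip_pool=("200.200.200.201", "200.200.200.201"), fixed_port=True).source_nat(inside)
    inbound = Packet("11.12.13.14", 40000, "200.200.200.200", 80)   # constructed source port
    vip = NatPolicy("200.200.200.200", vips={"200.200.200.200": "10.10.10.10"}).destination_nat(inbound)
    return plain, pooled, fixed, vip
```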
Local-In Firewall Policies
Threat Management
Threat Management – Client Reputation
UTM Proxy Options - File Size
Traffic Shapers
Diagram labels: Guaranteed Bandwidth, Maximum Bandwidth
DoS Policies
Endpoint Control
Diagram checks: Up to date? Disallowed software installed?
Firewall Object Usage
Object Tagging
Monitor
Labs (OPTIONAL)
• Lab 2: Traffic Log
» Ex 1: Enabling Traffic Logging
» Ex 2: Device Policies
Classroom Lab Topology