
Firewall Policies

Module 3

© 2013 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or
distributed to anyone without prior written consent of an authorized representative of Fortinet. Rev. 20130215-C
Module Objectives

• By the end of this module participants will be able to:
» Identify the components used in a firewall policy
» Create firewall objects
» Create Address and Device Identity policies and manage the order of their processing
» Monitor traffic through policies

Firewall Policies

• Firewall policies are the instructions the FortiGate device uses to determine what to do with a connection request
• Each packet is analyzed, its content compared to the policy list, and the action of the matching policy performed
• Figure: components of a firewall policy
» Matching criteria: incoming and outgoing interfaces, source and destination IP addresses, services, schedules
» Action = ACCEPT, then the optional processing applied to accepted traffic: authentication, threat management, traffic shaping, logging

Types of Policies

• Address
» Policy match based on IPs
• User Identity
» Policy match based on authentication information (user)
• Device Identity
» Policy match based on the device type identified from its OS

Firewall Actions

• Traffic matches a policy: the policy action is applied (Accept or Deny)
• Traffic does not match any policy: Deny (the implicit deny policy at the bottom of the list)

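The two slides above describe the lookup order (route lookup gives the outgoing interface, then the policy list is searched top-down, first match wins, anything unmatched is denied). The simulation below is an added example, not Fortinet code and not FortiOS internals; the interface names, routes, addresses and policy IDs are constructed, and it exists to show why the order of the policy list is part of the security policy.

```python
"""Policy-lookup simulation for the firewall policy slides above.

Added example, not Fortinet code: it models what the slides describe
(route lookup gives the outgoing interface, then the policy list is
searched top-down and the first policy whose interfaces, addresses,
service and schedule all match decides; traffic matching no policy is
dropped by the implicit deny). All names and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass

ANY = "any"            # the built-in "all"/"ANY" object
IMPLICIT_DENY = 0      # FortiOS lists the implicit deny policy as ID 0


@dataclass
class Packet:
    src_intf: str      # interface the packet arrived on
    src_ip: str
    dst_ip: str
    proto: str         # "tcp", "udp" or "icmp"
    dst_port: int = 0
    hour: int = 12     # hour of day, checked against the schedule


@dataclass
class Policy:
    policy_id: int
    src_intf: str      # interface name or ANY
    dst_intf: str
    src_addrs: list    # CIDR strings, or [ANY]
    dst_addrs: list
    services: list     # (proto, port) pairs (port may be ANY), or [ANY]
    action: str        # "accept" or "deny"
    schedule: tuple = (0, 24)   # active hours [start, end); default "always"


def egress_interface(routes, dst_ip):
    """Longest-prefix route lookup. The outgoing interface is known before
    policy lookup, which is why it can be a policy match criterion."""
    host = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, intf in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if host in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf)
    return best[1] if best else None


def _addr_match(addrs, ip):
    if ANY in addrs:
        return True
    host = ipaddress.ip_address(ip)
    return any(host in ipaddress.ip_network(a, strict=False) for a in addrs)


def _service_match(services, pkt):
    if ANY in services:
        return True
    return any(proto == pkt.proto and port in (ANY, pkt.dst_port)
               for proto, port in services)


def lookup(policies, routes, pkt):
    """Return (action, policy_id) of the first matching policy, or
    ("deny", IMPLICIT_DENY) when nothing matches."""
    dst_intf = egress_interface(routes, pkt.dst_ip)
    if dst_intf is None:
        return ("deny", IMPLICIT_DENY)     # unroutable: never reaches a policy
    for pol in policies:                   # list order is evaluation order
        start, end = pol.schedule
        if (pol.src_intf in (ANY, pkt.src_intf) and pol.dst_intf in (ANY, dst_intf)
                and _addr_match(pol.src_addrs, pkt.src_ip)
                and _addr_match(pol.dst_addrs, pkt.dst_ip)
                and _service_match(pol.services, pkt)
                and start <= pkt.hour < end):
            return (pol.action, pol.policy_id)  # first match wins
    return ("deny", IMPLICIT_DENY)


# Constructed topology: LAN behind "internal", default route via "wan1".
ROUTES = [("10.10.10.0/24", "internal"), ("0.0.0.0/0", "wan1")]

# Constructed policy list. Policy 3 is broad (any service) but sits below
# the telnet deny, so the deny still wins for 10.10.10.50.
POLICIES = [
    Policy(1, "internal", "wan1", ["10.10.10.0/24"], [ANY],
           [("tcp", 80), ("tcp", 443)], "accept"),
    Policy(2, "internal", "wan1", ["10.10.10.0/24"], [ANY], [("tcp", 23)], "deny"),
    Policy(3, "internal", "wan1", ["10.10.10.50/32"], [ANY], [ANY], "accept",
           schedule=(8, 18)),
]


def demo():
    web = Packet("internal", "10.10.10.1", "11.12.13.14", "tcp", 80)
    telnet = Packet("internal", "10.10.10.50", "11.12.13.14", "tcp", 23)
    ssh_late = Packet("internal", "10.10.10.50", "11.12.13.14", "tcp", 22, hour=20)
    inbound = Packet("wan1", "11.12.13.14", "10.10.10.1", "tcp", 445)
    # Moving policy 3 above policy 2 flips the telnet verdict: the order
    # of processing is part of the policy, not cosmetics.
    reordered = [POLICIES[2], POLICIES[0], POLICIES[1]]
    return {
        "web": lookup(POLICIES, ROUTES, web),
        "telnet": lookup(POLICIES, ROUTES, telnet),
        "ssh_after_hours": lookup(POLICIES, ROUTES, ssh_late),
        "inbound_smb": lookup(POLICIES, ROUTES, inbound),
        "telnet_reordered": lookup(reordered, ROUTES, telnet),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} -> {verdict}")
```

Run it and compare the "telnet" and "telnet_reordered" verdicts: the same packet is denied by policy 2 in the original order and accepted by policy 3 once policy 3 is dragged above it. When auditing a FortiGate, read the list top-down the same way and look for broad accept policies that sit above narrower denies.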
Firewall Policy Elements - Address Subtype

Firewall Policy Elements - User Identity Subtype

Firewall Policy Elements - Device Identity Subtype

• Device Identity policies match on the device's OS, identified from packet behavior and details:
» MAC address (Forti-Device only), DHCP VCI (vendor class identifier), TCP SYN fingerprint, HTTP User-Agent
» Identification rules are updated with FortiGuard definitions

Device Identification (BYOD)

• Device detection depends on it being enabled on the interface via the device-identification command (* marks the default):
config system interface
    edit "port1"
        set device-identification (enable|disable*)
        set device-user-identification (enable*|disable)
    end
• Per-VDOM settings on what to detect:
config system network-visibility
• The global set of device types FortiOS can detect is hardcoded

Device Identification (BYOD)

• Devices can be manually identified in the config:
config user device
    edit "me"
        set mac-address <MAC address>
        set type "type name"
        set user "user name"
    end
• Once the device is created it can be added to a device group:
config user device-group

Device Identification (BYOD)

• Captive Portal options:
» Device identification (default)
» Email collection (attach an email to the device)
» FortiClient download (force FortiClient install)

Device Identification (BYOD)

• Device-identify
» Identifies the device through the HTTP User-Agent

Device Identification (BYOD)

• Email-collection
» Used in conjunction with the device type Collected Emails
» Collects an email address to be associated with the device

Device Identification (BYOD)

• Optionally validate collected email addresses by checking their domain in DNS (per VDOM):
config system settings
    set email-portal-check-dns [enable|disable]

Device Identification (BYOD)

• GUI: User & Device > Device > Device
• CLI:
diagnose user device list

Device Identification (BYOD)

• Each device-identity policy entry may have one or more devices, device groups or device categories specified
• 3 possible actions:
» Accept (the default)
» Deny
» Captive portal
• UTM options are only available when the action is Accept

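The Device Identification slides above describe three sources of identity (a manual device entry keyed by MAC, the DHCP vendor class identifier, and the HTTP User-Agent, the last only visible once the client browses or is sent to the captive portal) and a device-identity policy that matches on device type or device group. The simulation below is an added example, not Fortinet code and not FortiGuard's detection rules; the signature table, MAC addresses, group names, sample clients, the "Unknown" type and the captive-portal fallback are this example's own constructions.

```python
"""Device identification and device-identity policy simulation.

Added example, not Fortinet code. Manual entries ("config user device")
win, then the DHCP VCI, then the HTTP User-Agent; a device-identity
policy then matches on device type or device group. The signature
table and all sample data are constructed for the example.
"""

# Constructed signature table (prefix/substring -> device type). Real
# FortiGate rules come from FortiGuard definitions, not this list.
VCI_RULES = [("MSFT 5.0", "Windows PC"), ("android-dhcp", "Android"),
             ("dhcpcd", "Linux PC")]
UA_RULES = [("iPhone", "iPhone"), ("iPad", "iPad"), ("Android", "Android"),
            ("Windows NT", "Windows PC"), ("Macintosh", "Mac")]

# Equivalent of "config user device": mac -> (type, user), constructed.
MANUAL_DEVICES = {"00:11:22:33:44:55": ("Printer", "facilities")}

# Equivalent of "config user device-group", constructed.
DEVICE_GROUPS = {
    "corp-laptops": {"Windows PC", "Mac", "Linux PC"},
    "byod-mobile": {"iPhone", "iPad", "Android"},
}


def identify(mac, dhcp_vci=None, user_agent=None):
    """Return (device_type, source). Manual entries win; then the DHCP
    VCI (seen at lease time); then the HTTP User-Agent (seen only after
    the client browses, possibly via the captive portal)."""
    if mac in MANUAL_DEVICES:
        return MANUAL_DEVICES[mac][0], "manual"
    if dhcp_vci:
        for prefix, dev_type in VCI_RULES:
            if dhcp_vci.startswith(prefix):
                return dev_type, "dhcp-vci"
    if user_agent:
        for needle, dev_type in UA_RULES:
            if needle in user_agent:
                return dev_type, "http-user-agent"
    return "Unknown", "none"


def device_policy(entries, device_type):
    """entries: ordered (selector, action) pairs; selector is a device
    type, a device-group name or "all"; action is accept, deny or
    captive-portal. Unmatched devices fall through to deny like any other
    policy type, so an "all" captive-portal entry goes last to collect the
    User-Agent of devices that are still Unknown."""
    for selector, action in entries:
        members = DEVICE_GROUPS.get(selector, {selector})
        if selector == "all" or device_type in members:
            return action
    return "deny"


ENTRIES = [
    ("corp-laptops", "accept"),
    ("byod-mobile", "accept"),
    ("Printer", "deny"),
    ("all", "captive-portal"),
]

# Constructed sample clients: name -> (mac, dhcp_vci, user_agent)
SAMPLES = {
    "laptop": ("aa:bb:cc:00:00:01", "MSFT 5.0", None),
    "phone": ("aa:bb:cc:00:00:02", "android-dhcp-10", None),
    "printer": ("00:11:22:33:44:55", None, None),
    "static-ip-box": ("aa:bb:cc:00:00:03", None, None),
    "static-ip-box-after-browse": ("aa:bb:cc:00:00:03", None,
        "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X) AppleWebKit/536.26"),
}


def demo():
    out = {}
    for name, (mac, vci, ua) in SAMPLES.items():
        dev_type, source = identify(mac, vci, ua)
        out[name] = (dev_type, source, device_policy(ENTRIES, dev_type))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28} -> {result}")
```

The "static-ip-box" client shows the point of the captive portal default: with no DHCP lease and no browsing yet, nothing identifies it, so it is sent to the portal, and only after it sends an HTTP request does the User-Agent classify it. Note the limitation this implies: the VCI and User-Agent are supplied by the client and trivially spoofed, so a device-identity policy sorts devices, it does not authenticate them; pair it with a user-identity policy where the distinction matters.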
Firewall Address objects

• The FortiGate device compares the source and destination address in the packet to the policies on the device
» Default of ALL addresses available
• Addresses in policies are configured with:
» Name for display in the policy list
» IP address and mask
» FQDN if desired (DNS is used to resolve it, so the match depends on what the FortiGate's DNS server returns)
• Use Country to create addresses based on geographical location
• Create address groups to simplify administration

Firewall Interfaces

• Figure: Incoming Interface -> firewall policy -> Outgoing Interface
• Select Incoming Interface to identify the interface or zone on which packets are received
» Select an individual interface or ANY to match all interfaces as the source
• Select Outgoing Interface to identify the interface or zone to which packets are forwarded
» Select an individual interface or ANY to match all interfaces as the destination

Firewall Service Objects

• Figure: the protocol and port of the packet are compared with the protocol and port of the Service in the firewall policy
• FortiGate unit uses Services to determine the types of communication accepted or denied
• Default of ALL services available
• Select a Service from the predefined list on the FortiGate unit or create a custom service
• Web Proxy Service also available if Incoming Interface is set to web-proxy
• Group Services (Service Group) and Web Proxy Services (Web Proxy Service Group) to simplify administration

Traffic Logging

• Accept policies: Log Allowed Traffic
• Deny policies: Log Violation Traffic

Network Address Translation (Source NAT)

• Firewall policy internal -> wan1 with NAT enabled; wan1 IP address: 200.200.200.200
• Packet from the internal host, before NAT:
» Source IP address: 10.10.10.1, Source port: 1025
» Destination IP address: 11.12.13.14, Destination Port: 80
• Same packet leaving wan1, after NAT:
» Source IP address: 200.200.200.200 (the wan1 interface IP), Source port: 30912 (chosen by the FortiGate)
» Destination IP address: 11.12.13.14, Destination Port: 80

NAT Dynamic IP Pool (Source Nat)

• Firewall policy internal -> wan1 with NAT + IP pool enabled; wan1 IP pool: 200.200.200.2-200.200.200.10 (wan1 interface IP: 200.200.200.200)
• Packet from the internal host, before NAT:
» Source IP address: 10.10.10.1, Source port: 1025
» Destination IP address: 11.12.13.14, Destination Port: 80
• Same packet leaving wan1, after NAT:
» Source IP address: 200.200.200.? (an address from the IP pool instead of the interface IP), Source port: 30957
» Destination IP address: 11.12.13.14, Destination Port: 80

Central NAT Table

• Allows creation of NAT rules and NAT mappings in the global firewall NAT table rather than per policy
• Control port translation instead of allowing the system to assign ports randomly

Traffic Shaping

• Traffic shaping controls which policies have higher priority when large amounts of data are passing through the FortiGate unit
• Normalizes traffic bursts by prioritizing certain flows over others
• Figure: HTTP, FTP and IM flows competing for the same link

Source NAT IP Address and Port

• The session table identifies the IP address and port with NAT applied

Fixed Port (Source NAT)

• Firewall policy internal -> wan1 with NAT + IP pool enabled + fixed port (CLI only); wan1 IP pool: 200.200.200.201 (wan1 interface IP: 200.200.200.200)
• Packet from the internal host, before NAT:
» Source IP address: 10.10.10.1, Source port: 1025
» Destination IP address: 11.12.13.14, Destination Port: 80
• Same packet leaving wan1, after NAT:
» Source IP address: 200.200.200.201 (from the IP pool), Source port: 1025 (unchanged: fixed port preserves the original source port)
» Destination IP address: 11.12.13.14, Destination Port: 80

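The three source NAT slides (interface IP, dynamic IP pool, IP pool with fixed port) and the session table slide all describe the same session-table mechanism with different address and port selection rules. The simulation below is an added example, not FortiOS code: port numbers are handed out sequentially from a base so the output is repeatable (a real FortiGate chooses them itself), and what happens when a fixed-port session would collide with an existing one is this example's choice, not a statement about FortiOS. Addresses follow the slides.

```python
"""Source NAT session-table simulation for the NAT slides above.

Added example, not FortiOS code. Modes: single interface IP with port
rewrite, dynamic IP pool (round-robin here), and fixed port (source
port preserved). Port allocation and the collision behaviour are this
example's own conventions; the addresses follow the slides.
"""


class SourceNAT:
    def __init__(self, pool, fixed_port=False, port_base=30912):
        self.pool = list(pool)        # interface IP, or the IP pool addresses
        self.fixed_port = fixed_port
        self.next_port = port_base    # sequential so the demo is repeatable
        self.next_ip = 0              # round-robin index into the pool
        self.sessions = {}            # original tuple -> (nat_ip, nat_port)
        self.reverse = {}             # (nat_ip, nat_port, dst_ip, dst_port) -> (src_ip, src_port)

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Outbound packet: return the (nat_ip, nat_port) written into its
        source fields, or None when no translation slot is available."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.sessions:      # existing session keeps its mapping
            return self.sessions[key]
        if self.fixed_port:
            # Keep the source port; use the first pool IP where that
            # (ip, port) is still free towards this destination.
            free = [ip for ip in self.pool
                    if (ip, src_port, dst_ip, dst_port) not in self.reverse]
            if not free:
                return None           # collision: this example refuses the session
            nat_ip, nat_port = free[0], src_port
        else:
            nat_ip = self.pool[self.next_ip % len(self.pool)]
            self.next_ip += 1
            while (nat_ip, self.next_port, dst_ip, dst_port) in self.reverse:
                self.next_port += 1
            nat_port = self.next_port
            self.next_port += 1
        self.sessions[key] = (nat_ip, nat_port)
        self.reverse[(nat_ip, nat_port, dst_ip, dst_port)] = (src_ip, src_port)
        return nat_ip, nat_port

    def untranslate(self, nat_ip, nat_port, peer_ip, peer_port):
        """Reply arriving on wan1: map the translated destination back to
        the internal host, or None when no session exists (dropped)."""
        return self.reverse.get((nat_ip, nat_port, peer_ip, peer_port))

    def session_table(self):
        """Rows in the spirit of the session table slide: original tuple
        and the NAT (ip, port) applied to it."""
        return list(self.sessions.items())


def demo():
    out = {}
    # Interface-IP NAT: every host shares 200.200.200.200, ports rewritten.
    iface = SourceNAT(["200.200.200.200"])
    out["iface"] = iface.translate("10.10.10.1", 1025, "11.12.13.14", 80)
    out["iface_second_host"] = iface.translate("10.10.10.2", 1025, "11.12.13.14", 80)
    out["iface_reply"] = iface.untranslate("200.200.200.200", 30912, "11.12.13.14", 80)
    out["iface_stray_reply"] = iface.untranslate("200.200.200.200", 31000, "11.12.13.14", 80)
    # Dynamic IP pool 200.200.200.2-200.200.200.10.
    pool = SourceNAT([f"200.200.200.{i}" for i in range(2, 11)])
    out["pool"] = pool.translate("10.10.10.1", 1025, "11.12.13.14", 80)
    out["pool_second_host"] = pool.translate("10.10.10.2", 1025, "11.12.13.14", 80)
    # Single-address pool with fixed port: source port preserved.
    fixed = SourceNAT(["200.200.200.201"], fixed_port=True)
    out["fixed"] = fixed.translate("10.10.10.1", 1025, "11.12.13.14", 80)
    out["fixed_collision"] = fixed.translate("10.10.10.2", 1025, "11.12.13.14", 80)
    out["fixed_other_dst"] = fixed.translate("10.10.10.2", 1025, "11.12.13.14", 443)
    out["fixed_table"] = fixed.session_table()
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20} -> {value}")
```

The "fixed_collision" case is the caveat to keep in mind before enabling fixed port: with the source port no longer free to change, two internal hosts using the same source port towards the same destination cannot both be translated onto one pool address, which is why fixed port is normally paired with a pool of several addresses. The "iface_stray_reply" case shows the other property of source NAT: an inbound packet that matches no session entry has nowhere to go.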
Virtual IPs (Destination NAT)

• Firewall policy wan1 -> internal with destination address = Virtual IP + Static NAT; wan1 IP address: 200.200.200.200
• Packet from the external host 11.12.13.14 arriving on wan1:
» Source IP address: 11.12.13.14
» Destination IP address: 200.200.200.222, Destination Port: 80
• VIP translates the destination: 200.200.200.222 -> 10.10.10.10 (the internal server)

Virtual IPs (Destination NAT)

• Same policy, with the Virtual IP using the wan1 interface address itself; wan1 IP address: 200.200.200.200
• Packet from the external host 11.12.13.14 arriving on wan1:
» Source IP address: 11.12.13.14
» Destination IP address: 200.200.200.200, Destination Port: 80
• VIP translates the destination: 200.200.200.200 -> 10.10.10.10
• Used to allow connections through a FortiGate using NAT firewall policies
» FortiGate unit can respond to ARP requests on a network for a server that is installed on another network
» Used for (1) Server Redundancy and Load Balancing; (2) IPsec VPN site-to-site with identical subnets at both sites; etc.
» VIP Group: a group of Virtual IPs for ease of use

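The two Virtual IP slides above describe destination NAT: the FortiGate answers ARP for the VIP address on wan1, rewrites the destination of the inbound packet to the internal server, and the firewall policy must name the VIP (or a VIP group) as its destination address. The simulation below is an added example, not FortiOS code; the VIP names, the group name, the policy tuples and the sample packets are constructed, while the VIP, server and interface addresses follow the slides.

```python
"""Virtual IP (destination NAT) simulation for the VIP slides above.

Added example, not FortiOS code. Shows a static-NAT VIP translating the
destination of an inbound packet, proxy ARP for VIP addresses on the
external interface, a VIP group used as a policy destination, and the
reverse translation of the server's reply. Names are constructed.
"""


class VirtualIP:
    def __init__(self, name, ext_ip, mapped_ip, ext_intf="wan1"):
        self.name, self.ext_ip, self.mapped_ip, self.ext_intf = name, ext_ip, mapped_ip, ext_intf


class Firewall:
    def __init__(self, intf_ips, vips, vip_groups, policies):
        self.intf_ips = intf_ips       # {"wan1": "200.200.200.200", ...}
        self.vips = {v.name: v for v in vips}
        self.vip_groups = vip_groups   # {"group name": [vip names]}
        self.policies = policies       # [(src_intf, dst_addr_name, port or "any", action)]
        self.sessions = {}             # (client_ip, client_port, server_ip, server_port) -> vip ext_ip

    def answers_arp(self, intf, ip):
        """The unit replies to ARP for its own interface IP and for every
        VIP bound to that interface (the server may be on another network)."""
        return ip == self.intf_ips.get(intf) or any(
            v.ext_ip == ip and v.ext_intf == intf for v in self.vips.values())

    def _vip_names(self, addr_name):
        """A VIP group as policy destination matches any VIP it contains."""
        return self.vip_groups.get(addr_name, [addr_name])

    def inbound(self, intf, src_ip, src_port, dst_ip, dst_port):
        """Return (verdict, destination after NAT). Destination NAT is
        applied first; the policy is then matched on the VIP object."""
        vip = next((v for v in self.vips.values()
                    if v.ext_ip == dst_ip and v.ext_intf == intf), None)
        if vip is None:
            return ("no-vip", dst_ip)   # untranslated; ordinary policies apply
        for src_intf, dst_addr, port, action in self.policies:
            if (src_intf == intf and vip.name in self._vip_names(dst_addr)
                    and port in ("any", dst_port)):
                if action == "accept":
                    self.sessions[(src_ip, src_port, vip.mapped_ip, dst_port)] = vip.ext_ip
                return (action, vip.mapped_ip)
        return ("deny", vip.mapped_ip)  # VIP exists but no policy permits it

    def reply(self, src_ip, src_port, dst_ip, dst_port):
        """Server reply: rewrite the source back to the VIP address so the
        client sees the address it connected to; unknown sessions pass
        through unchanged here."""
        return self.sessions.get((dst_ip, dst_port, src_ip, src_port), src_ip)


def demo():
    fw = Firewall(
        intf_ips={"wan1": "200.200.200.200", "internal": "10.10.10.254"},
        vips=[VirtualIP("vip-web", "200.200.200.222", "10.10.10.10"),
              VirtualIP("vip-mail", "200.200.200.223", "10.10.10.11")],
        vip_groups={"vipgrp-dmz": ["vip-web", "vip-mail"]},
        policies=[("wan1", "vipgrp-dmz", 80, "accept"),
                  ("wan1", "vip-mail", 25, "accept")],
    )
    out = {
        "arp_vip": fw.answers_arp("wan1", "200.200.200.222"),
        "arp_intf": fw.answers_arp("wan1", "200.200.200.200"),
        "arp_other": fw.answers_arp("wan1", "200.200.200.230"),
        "web": fw.inbound("wan1", "11.12.13.14", 40000, "200.200.200.222", 80),
        "mail_smtp": fw.inbound("wan1", "11.12.13.14", 40001, "200.200.200.223", 25),
        "web_ssh": fw.inbound("wan1", "11.12.13.14", 40002, "200.200.200.222", 22),
        "no_vip": fw.inbound("wan1", "11.12.13.14", 40003, "200.200.200.230", 80),
    }
    out["web_reply_src"] = fw.reply("10.10.10.10", 80, "11.12.13.14", 40000)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} -> {value}")
```

The "web_ssh" case is the check worth keeping in mind: defining a static-NAT VIP for 200.200.200.222 exposes nothing by itself, the service list of the policy that references the VIP (or its group) decides which ports reach 10.10.10.10, so a VIP policy with service ALL exposes the whole server. The second slide's variant, a VIP on the interface address 200.200.200.200 itself, works the same way in this model with ext_ip set to the interface IP.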
Local-In Firewall Policies

• Policies for traffic that terminates on the FortiGate unit itself (local-in traffic), for example:
» Central management
» Update announcement
» NetBIOS forward
• Destination address of firewall policies for local-in traffic is limited to the FortiGate interface IP and secondary IP addresses
• Local-in firewall policies can be created for IPv4 and IPv6 (CLI only)

Threat Management

Threat Management - Client Reputation

UTM Proxy Options - File Size

• File size is checked against preset thresholds (Firewall Policy > Enable UTM > UTM Proxy Options > Common Options > Block Oversized File/Email > Threshold)
• If larger than the threshold and the Oversized File/Email action is set to Block, the file is rejected
• If larger than the threshold and the action is set to Pass (allow), the uncompressed file must fit within the memory buffer
» If not, by default no further scanning operations are performed, so an oversized file that is passed reaches the client unscanned

Traffic Shapers

• Traffic shapers apply Guaranteed Bandwidth and Maximum Bandwidth values to the addresses affected by a policy
• Shared Traffic Shaper
» One Guaranteed Bandwidth / Maximum Bandwidth pair is shared between all IP addresses affected by the policy
• Per-IP Traffic Shaper
» The Guaranteed Bandwidth / Maximum Bandwidth values are applied separately to each IP address affected by the policy

DoS Policies

• DoS policies identify network traffic that does not fit known or common patterns of behavior
» If determined to be an attack, the action in the DoS sensor is taken
• DoS policies are applied before firewall policies (figure: DoS Policy -> Firewall Policy)
» If traffic passes the DoS sensor, it continues to the firewall policies

Endpoint Control

• Figure: endpoint checks (up to date? disallowed software installed?)

Firewall Object Usage

• Allows for faster changes to settings
• The Reference column allows administrators to determine where the object is being used
» Navigate directly to the appropriate edit page

Object Tagging

• Simplifies firewall policy object management
» Useful for administering multiple VDOMs
» Easier to find and access specific firewall policies within specific VDOMs
• Available for firewall policies, address objects, IPS predefined signatures and application entries/filters
• Tags can carry useful organizational information about an object

Monitor

• View policy usage by active sessions, bytes or packets
• Policy > Monitor > Policy Monitor

Labs

• Lab 1: Firewall Policy
» Ex 1: Creating Firewall Objects and Rules
» Ex 2: Policy Action
» Ex 3: Configuring Virtual IP Access
» Ex 4: Configuring IP Pools
• Lab 2: Traffic Log (OPTIONAL)
» Ex 1: Enabling Traffic Logging
» Ex 2: Device Policies

Classroom Lab Topology
