
Firewall

Introduction
What is a Firewall?
• A firewall is a network security system designed to prevent unauthorized
access to or from a private network, based on a predetermined rule set.
• A firewall can either be software-based or hardware-based and is used to
help keep a network secure.
• A network's firewall builds a bridge between an internal network that is
assumed to be secure and trusted, and another network, usually an external
(inter)network, such as the Internet, that is not assumed to be secure and
trusted.

Types of Firewall
1. Network layer or packet filter firewalls
   1. Stateless firewalls
   2. Stateful firewalls
2. Application layer firewalls
3. Proxy servers
4. UTM/NGFW (Unified Threat Management / Next-Generation Firewall)

1. Packet-Filtering Firewalls
The firewall performs a simple check of the data packets coming through the router:
it inspects header information such as the source and destination IP addresses, packet
type, port number, and other surface-level fields, without opening up the packet to
inspect its contents.
I. Stateless Firewalls
• Stateless firewalls are the oldest form of packet filter.
• They are faster and simpler in design, and they require less memory, because they
process each packet in isolation and do not need the resources that stateful
firewalls use to retain packet and connection information.

II. Stateful Firewalls
• Stateful firewalls inspect each packet individually and check whether it matches a
predetermined set of rules. According to the matching rule, the packet is either
allowed, dropped (discarded silently) or rejected (discarded with an error response to
the sender).
• Stateful firewalls retain packets in memory so that they can maintain context about
active sessions and make judgments about the state of an incoming packet's
connection. This enables stateful firewalls to determine whether a packet is the start
of a new connection, part of an existing connection, or not part of any connection.
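As an added illustration of the distinction the slides draw (this is not code from the original deck or from Fortinet), the following toy filter contrasts a stateless rule with a stateful connection table; the addresses, ports and rule set are constructed for the demonstration and "10." is assumed to be the internal range.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Surface-level header fields a packet filter inspects (constructed model)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. frozenset({"SYN"})


def is_internal(ip: str) -> bool:
    return ip.startswith("10.")  # assumed internal range for this demo


# Stateless rule set: permit outbound web traffic and the inbound replies to it.
# With no memory of connections, "reply" can only be expressed as "source port 80",
# so any packet from port 80 is let in, whether or not anyone inside asked for it.
def stateless_allow(pkt: Packet) -> bool:
    outbound = is_internal(pkt.src) and pkt.dport == 80
    inbound_reply = is_internal(pkt.dst) and pkt.sport == 80
    return outbound or inbound_reply


class StatefulFilter:
    """Same policy, but replies are admitted only for connections we saw start."""

    def __init__(self) -> None:
        # Flows opened from inside, keyed as (src, sport, dst, dport).
        self.table: set = set()

    def classify(self, pkt: Packet) -> str:
        """NEW: a bare TCP SYN opening a connection; ESTABLISHED: belongs to a
        tracked flow in either direction; INVALID: matches no known connection."""
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return "ESTABLISHED"
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            return "NEW"
        return "INVALID"

    def allow(self, pkt: Packet) -> bool:
        state = self.classify(pkt)
        if state == "ESTABLISHED":
            return True
        if state == "NEW" and is_internal(pkt.src) and pkt.dport == 80:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False  # unsolicited or out-of-state inbound traffic is dropped
```

An unsolicited packet arriving from a remote port 80 towards an internal port 22 passes the stateless rule but is classified INVALID by the stateful filter, which is exactly the context the second bullet says a stateful firewall adds.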

2. Application Layer Firewalls
• Application-layer firewalls work primarily at the Application Layer of the OSI model.
• They operate on the application level of the TCP/IP stack (i.e., all browser traffic,
or all telnet or ftp traffic) and may intercept all packets traveling to or from an
application. They block other packets, usually dropping them without acknowledgment
to the sender. Application firewalls work much like a packet filter, but application
filters apply filtering rules (allow/block) on a per-process basis instead of filtering
connections on a per-port basis.

3. Proxy Servers
• A proxy server is an appliance or application that acts as an intermediary for
communication between computers.
• Proxy firewalls operate at the application layer to filter incoming traffic between
your network and the traffic source. Rather than letting traffic connect directly, the
proxy firewall first establishes a connection to the source of the traffic and inspects
the incoming data packet.

Features of Firewall
• Antivirus
• Intrusion Prevention System (IPS)
• Web filtering
• E-mail filtering, including protection against spam and grayware
• Data Leak Prevention (DLP)
• Application Control
• ICAP (Internet Content Adaptation Protocol)

FortiGate Modes
• The FortiGate unit can run in two modes: NAT mode and transparent mode.
• Both modes function the same, with some minor differences in feature
availability due to the nature of the mode.
• In both modes, however, firewall policies define how traffic moves, or is
prevented from moving, within the local network or to an external network or
the Internet.

NAT Mode
• Each of its interfaces is on a different subnet.
• This mode is typically used when the FortiGate unit is deployed between a public and
a private network.
• In the default NAT configuration, the FortiGate unit acts as a firewall, and firewall
policies control communications between the FortiGate unit and the Internet and
between internal networks.
• The FortiGate unit performs NAT before IP packets are sent to the destination
network.
• It also acts as a router for communication between two internal networks.

Transparent Mode
• In this mode, the FortiGate unit is invisible to the network.
• All of its interfaces are on the same subnet and share the same IP address. Only a
management IP address has to be configured so that configuration changes can be
made.
• It is usually deployed in topologies where the FortiGate unit sits in a private
network, behind a router.
• In transparent mode, the FortiGate unit also functions as a firewall.

Interfaces
Interfaces, both physical and virtual, enable traffic to flow between the internal
network and the Internet, and between internal networks.
1. Physical:
FortiGate units have a number of physical ports where you connect Ethernet or optical
cables. Depending on the model, they can have anywhere from four to 40 physical
ports.
Figure: FortiGate-100A physical interfaces

2. Wireless:
A wireless interface is similar to a physical interface, only it does not include a physical
connection. FortiWiFi units enable you to add multiple wireless interfaces that can be
available at the same time.
3. Aggregate:
Link aggregation (IEEE 802.3ad) enables you to bind two or more physical interfaces together
to form an aggregated (combined) link. This new link has the bandwidth of all the links
combined.
4. Virtual Domains (VDOMs):
Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual
units that function as multiple independent units. By default, each FortiGate unit has a VDOM
named root. This VDOM includes all of the FortiGate physical interfaces, modem, VLAN
subinterfaces, zones, firewall policies, routing settings, and VPN settings.
5. Virtual LANs:
You add a VLAN subinterface to the physical interface that receives VLAN-tagged packets.
6. Zones:
A zone is a group of one or more FortiGate interfaces, physical or virtual, to which
you can apply firewall policies to control inbound and outbound traffic. Grouping
interfaces and VLAN subinterfaces into zones simplifies the creation of firewall
policies where a number of network segments can use the same policy settings and
protection profiles. When you add a zone, you select the names of the interfaces and
VLAN subinterfaces to add to the zone.
Figure: Network zones
