Fortinet Firewall Guide
FortiOS Handbook Firewall v3 24 January 2012 01-432-148222-20120124 Copyright 2012 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet without prior notice. Reproduction or transmission of this publication is encouraged.
Trademarks
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Visit these links for more information and documentation for your Fortinet products: Fortinet Knowledge Base - http://kb.fortinet.com Technical Documentation - http://docs.fortinet.com Training Services - http://campus.training.fortinet.com Technical Support - http://support.fortinet.com You can report errors or omissions in this or any Fortinet technical document to techdoc@fortinet.com.
Contents

Introduction
    Before you begin
    How this guide is organized
    How the firewall components create a FortiGate firewall and help in protecting your network
    Understanding how a packet travels through the FortiGate unit
        How packets flow in and out of the FortiGate unit
NAT in FortiOS
    NAT/Route mode
    Route mode
    Transparent mode
Firewall components
    Using Interfaces and zones in the FortiGate firewall
        How to apply VLANs and zones to a security policy
    Understanding the firewall address component
        IP addresses for self-originated traffic
        IP pools
        IP Pools for security policies that use fixed ports
        Source IP address and IP pool address matching
        Geography-based addressing
        Wildcard addresses
            Using wildcard addresses in the firewall configuration
        Fully Qualified Domain Name addresses
        Address groups
        Virtual IP addresses
            Grouping virtual IPs
            Match-vip
    Services
        Predefined service list
        Custom service groups
    Firewall schedules
        Schedule groups
        Schedule expiry
    UTM profiles
        How to use UTM profiles to monitor and protect your network
Security policies
    Security policy overview
        Security policy list details
        Viewing security policies
    Policy order
        How to arrange policies
    Security policies
        Identity-based policies
            Identity-based policy example
        SSL VPN policies
        IPsec policies
        Accept policies
        Deny policies
            How to allow DNS queries to only one DNS server
        IPv6 policies
        Security policy 0
        Local-in policies
Creating basic security policies
    How to create a basic security policy for Internet access
    How to test the basic security policy
    How to verify if traffic is hitting the basic security policy
        Proto_state fields: UDP
        Proto_state field for ICMP
    Monitoring security policy traffic activity
Internet Protocol version 6 (IPv6)
Advanced FortiGate firewall concepts
    Port pairing
    Blocking port 25 to email server traffic
        Dedicated traffic
        Restricting traffic on port 25
    Blocking HTTP access by IP
    ICMP packet processing
    Adding NAT security policies in Transparent mode
    Adding a static NAT virtual IP for a single IP address and port
    Double NAT: combining IP pool with virtual IP
    Using VIP range for Source NAT (SNAT) and static 1-to-1 mapping
    Traffic shaping and per-IP traffic shaping
    Endpoint Security
    Logging traffic
    Quality of Service (QoS)
    Identity-based security policies
        Identity-based policy positioning
        Identity-based sub-policies
Appendix
    Document conventions
        IP addresses
        Example Network configuration
        Cautions, Notes and Tips
        Typographical conventions
        CLI command syntax conventions
            Entering text strings (names)
            Entering numeric values
            Selecting options from a list
            Enabling or disabling options
    Registering your Fortinet product
    Fortinet products End User License Agreement
    Training
    Documentation
        Fortinet Tools and Documentation CD
        Fortinet Knowledge Base
        Comments on Fortinet technical documentation
    Customer service and technical support
Index
Introduction
Welcome and thank you for selecting Fortinet products for your network protection. This document describes how to configure the FortiGate firewall on your FortiGate unit. This document also provides advanced firewall concepts. This chapter contains the following topics:
    Before you begin
    How this guide is organized
Internet Protocol version 6 (IPv6) explains how IPv6 can be implemented in FortiOS, as well as which features support IPv6, such as IPsec VPN and dynamic routing. This section also provides a high-level summary of IPv6. Advanced FortiGate firewall concepts explains the advanced firewall features that you may want to configure for your network as it expands. This section explains advanced firewall features that include stateful inspection of SCTP traffic, port pairing (Transparent mode only), and adding NAT security policies in Transparent mode.
    interfaces (including VLANs)
    zones
    unified threat management (UTM)
    firewall addresses (this includes IPv4 and IPv6, IP pools, wildcard addresses and netmasks, and geography-based addresses)
    monitoring traffic
    traffic shaping and per-IP traffic shaping (advanced)
    firewall schedules
    services (such as AOL, DHCP and FTP)
    logging traffic (advanced)
    QoS (advanced)
    identity-based policies (advanced)
    endpoint security (advanced)
Each of these components plays an important role in configuring your FortiGate firewall. For example, the administrator applies PING administrative access to the wan1 interface so that he or she can ping this external interface and verify that Internet traffic is hitting the internal-to-wan1 security policy. Without PING administrative access on the external interface, the administrator could not properly verify whether traffic is hitting the policy. For more in-depth explanations of these components, see Firewall components on page 23.
How the firewall components create a FortiGate firewall and help in protecting your network
The firewall components each help to protect your network and also help traffic flow better through it; for example, traffic shaping helps to load balance traffic on your network. The following explains how all of the firewall components are combined to create the FortiGate firewall.
1 In System > Network > Interface, create VLAN subinterfaces for each department: sales, marketing and engineering. These VLAN subinterfaces will be grouped into a zone and the zone will then be applied to a security policy.
2 Create a zone for the VLAN subinterfaces.
3 In Firewall Objects > Address > Address, create the IP address ranges that are required: one for sales, one for marketing, and one for engineering. Each range corresponds to the department that uses it. For example, sales has 172.16.120.100 - 172.16.120.200.
4 Create a firewall schedule that allows sales and marketing Internet access all day; create another firewall schedule that allows engineering access to the Internet only during their lunch break. By creating two different firewall schedules, you can block access for one group for a specified time period, and allow another group all-day access.
5 Group the firewall schedules together so that you can apply them both to a security policy.
6 Create a virtual IP address that will be used to allow Internet users access to a web server on your DMZ network.
7 In Policy > Policy > Policy, create the following:
    a security policy that allows Internet users access to the web server
    a security policy that applies the firewall schedule group for Internet access for the sales, marketing and engineering departments (this applies the zone)
    a deny policy that blocks FTP downloads
8 With all the policies now in the list, arrange them so that the most important policies are first, and the least important are last. The list order is:
    deny policy
    security policy that allows Internet users access to the web server
    security policy for sales, engineering and marketing that allows Internet access
Now that all the policies are in the correct order, you need to test that all are working properly.
9 To verify that traffic is hitting the policies, check that the packet count in the Count column of each policy in the policy list is increasing. Troubleshoot any issues using the diagnose sniffer and diagnose debug flow commands in the CLI. By testing that traffic is hitting the policies you just created, you can see whether there are any issues to solve. When you use the diagnose commands, you can see detailed information about the traffic hitting the policy.
10 Back up the configuration after testing and troubleshooting. By backing up the changes you made, you ensure that a current copy of this FortiGate firewall configuration is available at any time.
Figure (packet flow through the FortiGate unit): Packet enters via Interface and Routing; stages shown are Session Helpers, Management Traffic, SSL VPN, User Authentication, Traffic Shaping, Session Tracking and Policy Lookup; a UTM decision then either takes the fast path (No) or runs Flow-based Antivirus, Application Control, IPS, VoIP Inspection, Data Leak Prevention, Email Filter, Web Filter, Antivirus and ICAP (Yes); IPsec, NAT (SNAT), Routing and Interface follow before the Packet leaves.
NAT in FortiOS
Network address translation (NAT) translates one IP address (either a source IP address or a destination IP address) into another IP address. NAT in FortiOS, however, can translate IP addresses in many different ways, providing the flexibility you need for your specific network requirements. For example, you can use the Central NAT table to help in translating multiple IP addresses. When configuring NAT in FortiOS, you should also know how it works within the different modes in which the FortiGate unit can be configured. This topic contains the following:
    NAT/Route mode
    Route mode
    Transparent mode
NAT/Route mode
In NAT/Route mode, the FortiGate unit is visible to the network that it is connected to. All of its interfaces are on different subnets. Each interface is connected to a network and must be configured with an IP address that is valid for that subnetwork. NAT/Route mode is typically used when the FortiGate unit is deployed as a gateway between private and public networks. In its default NAT mode configuration, the FortiGate unit functions as a firewall. Security policies control communications through the FortiGate unit both to the Internet and between internal networks. In NAT/Route mode, the FortiGate unit performs network address translation before IP packets are sent to the destination network. For example, a company has a FortiGate unit as its interface to the Internet. The FortiGate unit also acts as a router to multiple sub-networks within the company. In Figure 2, the FortiGate unit is set to NAT/Route mode and is connected to a network. By using this mode, the FortiGate unit can have a designated port for the Internet, and the internal segments behind the FortiGate unit are invisible to public access. The FortiGate unit translates IP addresses passing through it to route the traffic to the correct subnet on the Internet.
Figure 2: A FortiGate unit in NAT/Route mode (WAN1 172.20.120.129; Port 2 10.10.10.1; NAT policies controlling traffic between internal and external networks)
Route mode
In Route mode, the FortiGate unit only routes traffic; it does not translate IP addresses. In this mode, the FortiGate unit acts similarly to a switch, passing the packet along to the destination network. This mode is not to be confused with Transparent mode, in which the unit is invisible on the network; in Route mode, the FortiGate unit is visible to the network but only performs routing. The FortiGate unit is used in Route mode whenever no NAT translation needs to be done, for example when you want to connect two separate subnets without using NAT. You must select NAT/Route mode when configuring the FortiGate unit for Route mode.
Figure 3: An example of a FortiGate unit in Route mode on a network
Transparent mode
In Transparent mode, the FortiGate unit is invisible to the network. All of its interfaces are on the same subnet and share the same IP address. If you want to configure the FortiGate unit in Transparent mode, all you need to do is configure a management IP address and a default route. You would typically use Transparent mode on a private network behind an existing firewall or behind a router. In Transparent mode, the FortiGate unit functions as a firewall and can even perform NAT. Security policies control communications through the FortiGate unit to the Internet and the internal network. When the FortiGate unit is in Transparent mode, traffic cannot pass through until you add security policies. In Transparent mode, you can also perform NAT by creating a security policy or policies that translate the source addresses of packets passing through the FortiGate unit, as well as by using virtual IP addresses and/or IP pools. If you want NAT to be performed in Transparent mode, you must configure two management IP addresses that are on different subnets.
Figure 4: A FortiGate unit in Transparent mode
These combinations can help you when creating your FortiGate firewall configuration. The combinations help when you have multiple addresses (IP pools) and when you need to use a virtual IP address with the IP pool. An example of this combination is called Double NAT. You can also combine dynamic NAT types, such as dynamic source address translation, to help you with creating the FortiGate firewall using dynamic NAT. An example of this combination is using the Central NAT table. When considering your FortiGate firewall configuration, you should also consider how to combine NAT types. By combining NAT types, you can easily use multiple addresses when configuring security policies, as well as when you want to provide specific NAT translations, such as using dynamic source NAT that will not change the source port; this combination allows for the handling of specific protocols or services that function only if they use a specific port and that port does not change. The following are some combinations of NAT that you can use in your FortiGate firewall configuration:
    Double NAT
    Central NAT table (similar to IP pools)
    virtual IP range for SNAT
    static one-to-one mapping
    dynamic source NAT (also known as one-to-one source NAT)
    dynamic source NAT (this uses Dynamic IP pool and a virtual IP)
Firewall components
The FortiGate unit's primary purpose is to act as a firewall to protect your networks from unwanted attacks and to control the flow of network traffic. The firewall consists of many different and important components so that you can better protect your network as your network requirements grow. This section explains these components. The following topics are included in this section:
    Using Interfaces and zones in the FortiGate firewall
    Understanding the firewall address component
    UTM profiles
4 Create the security policy for the zone to control traffic in Policy > Policy > Policy. In the Source Interface/Zone list, choose the zone instead of an individual interface. The Destination Interface/Zone is the external interface, wan1. By choosing the zone, you apply all the subinterfaces at once.
5 Select Enable NAT and Use Destination Interface Address; ensure that Log Allowed Traffic is also enabled so that you can use the logs to help determine whether traffic is hitting the security policy.
When representing hosts by an IP address range, the range indicates hosts with contiguous IP addresses in a subnet, such as 192.168.1.[2-10], or 192.168.1.* to indicate the complete range of hosts on that subnet. Valid IP Range formats include:
    x.x.x.x-x.x.x.x, such as 192.168.110.100-192.168.110.120
    x.x.x.[x-x], such as 192.168.110.[100-120]
    x.x.x.*, such as 192.168.110.*
When representing hosts by an FQDN, the domain name can be a subdomain, such as mail.example.com. A single FQDN firewall address may be used to apply a security policy to multiple hosts, as in load balancing and high availability (HA) configurations. FortiGate units automatically resolve and maintain a record of all addresses to which the FQDN resolves. Valid FQDN formats include:
    <host_name>.<second_level_domain_name>.<top_level_domain_name>, such as mail.example.com
    <host_name>.<top_level_domain_name>
Be cautious when employing FQDN firewall addresses. Using a fully qualified domain name in a security policy, while convenient, does present some security risk, because policy matching then relies on a trusted DNS server. If the DNS server should ever be compromised, security policies requiring domain name resolution may no longer function properly. This topic contains the following:
    IP addresses for self-originated traffic
    IP pools
    IP Pools for security policies that use fixed ports
    Source IP address and IP pool address matching
    Geography-based addressing
    Wildcard addresses
    Fully Qualified Domain Name addresses
    Address groups
    Virtual IP addresses
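The three IP Range formats above are easy to mistype, and a range whose end precedes its start or whose octets exceed 255 should be rejected before it reaches a policy. The following parser is an added example written for this guide, not FortiOS code: it expands each accepted format to its first and last address and answers membership questions. The sample strings are the ones used above.

```python
import ipaddress
import re

# Added example (not from the FortiOS Handbook): parse the three IP Range
# formats a firewall address accepts and expand each to a (first, last) pair.

_DOTTED = r"\d{1,3}(?:\.\d{1,3}){3}"
_FULL_RANGE = re.compile(rf"^({_DOTTED})-({_DOTTED})$")
_BRACKET = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\[(\d{1,3})-(\d{1,3})\]$")
_STAR = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\*$")


def parse_ip_range(text):
    """Return (first, last) IPv4Address objects for a FortiGate range string.

    Accepted forms: x.x.x.x-x.x.x.x, x.x.x.[x-x] and x.x.x.*.
    Raises ValueError for any other form, an octet above 255, or a range
    whose end precedes its start.
    """
    text = text.strip()
    if m := _FULL_RANGE.match(text):
        first = ipaddress.IPv4Address(m.group(1))   # raises on octet > 255
        last = ipaddress.IPv4Address(m.group(2))
    elif m := _BRACKET.match(text):
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        if not (0 <= lo <= 255 and 0 <= hi <= 255):
            raise ValueError(f"last octet out of range in {text!r}")
        first = ipaddress.IPv4Address(f"{prefix}.{lo}")
        last = ipaddress.IPv4Address(f"{prefix}.{hi}")
    elif m := _STAR.match(text):
        first = ipaddress.IPv4Address(f"{m.group(1)}.0")
        last = ipaddress.IPv4Address(f"{m.group(1)}.255")
    else:
        raise ValueError(f"unsupported IP range format: {text!r}")
    if last < first:
        raise ValueError(f"range end precedes range start in {text!r}")
    return first, last


def is_valid_range(text):
    """True if the string is a well-formed range in one of the three formats."""
    try:
        parse_ip_range(text)
    except ValueError:
        return False
    return True


def range_size(text):
    first, last = parse_ip_range(text)
    return int(last) - int(first) + 1


def range_contains(text, host):
    first, last = parse_ip_range(text)
    return first <= ipaddress.IPv4Address(host) <= last


if __name__ == "__main__":
    for sample in ("192.168.110.100-192.168.110.120", "192.168.110.[100-120]", "192.168.110.*"):
        first, last = parse_ip_range(sample)
        print(f"{sample:35} -> {first} .. {last} ({range_size(sample)} hosts)")
```

Note that 192.168.110.[100-120] and 192.168.110.100-192.168.110.120 expand to the same 21 hosts; the bracket form is only shorthand for a range confined to one /24.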
    FortiManager connection IP
    FortiGuard services
    FortiAnalyzer logging
    NTP
    DNS
    Authorization requests such as RADIUS
    FSSO
Configuration of these services is performed in the CLI. In each instance, there is a command set source-ip. For example, to set the source IP of NTP to be on the DMZ1 port with an IP of 192.168.4.5, the commands are:
    config system ntp
        set ntpsync enable
        set syncinterval 5
        set source-ip 192.168.4.5
    end
To see which services are configured with source-ip settings, use the get command:
    get system source-ip status
The output will appear similar to the sample below:
    NTP: x.x.x.x
    DNS: x.x.x.x
    SNMP: x.x.x.x
    Central Management: x.x.x.x
    FortiGuard Updates (AV/IPS): x.x.x.x
    FortiGuard Queries (WebFilter/SpamFilter): x.x.x.x
IP pools
An IP pool defines a single IP address or a range of IP addresses. A single IP address in an IP pool becomes a range of one IP address. For example, if you enter an IP pool as 1.1.1.1, the IP pool is actually the address range 1.1.1.1 to 1.1.1.1. Use IP pools to add NAT policies that translate source addresses to addresses randomly selected from the IP pool, rather than the IP address assigned to that FortiGate interface. You can use the Central NAT table as a way to configure IP pools. For more information, see Central NAT table on page 65. If a FortiGate interface IP address overlaps with one or more IP pool address ranges, the interface responds to ARP requests for all of the IP addresses in the overlapping IP pools. For example, consider a FortiGate unit with the following IP addresses for the port1 and port2 interfaces:
    port1 IP address: 1.1.1.1/255.255.255.0 (range is 1.1.1.0-1.1.1.255)
    port2 IP address: 2.2.2.2/255.255.255.0 (range is 2.2.2.0-2.2.2.255)
And the following IP pools:
    IP_pool_1: 1.1.1.10-1.1.1.20
    IP_pool_2: 2.2.2.10-2.2.2.20
    IP_pool_3: 2.2.2.30-2.2.2.40
The port1 interface overlap IP range with IP_pool_1 is:
    (1.1.1.0-1.1.1.255) & (1.1.1.10-1.1.1.20) = 1.1.1.10-1.1.1.20
The port2 interface overlap IP range with IP_pool_2 is:
    (2.2.2.0-2.2.2.255) & (2.2.2.10-2.2.2.20) = 2.2.2.10-2.2.2.20
The port2 interface overlap IP range with IP_pool_3 is:
    (2.2.2.0-2.2.2.255) & (2.2.2.30-2.2.2.40) = 2.2.2.30-2.2.2.40
And the result is:
    The port1 interface answers ARP requests for 1.1.1.10-1.1.1.20
    The port2 interface answers ARP requests for 2.2.2.10-2.2.2.20 and for 2.2.2.30-2.2.2.40
Select Enable NAT in a security policy and then select Dynamic IP Pool. Select an IP pool to translate the source address of packets leaving the FortiGate unit to an address randomly selected from the IP pool. IP pools cannot be set up for a zone. IP pools are connected to individual interfaces.
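The overlap calculation above matters operationally: an interface that answers ARP for pool addresses it does not otherwise own can silently claim addresses another host on the segment expects to use. The script below is an added example, not part of the handbook or of FortiOS; it intersects each interface subnet with each pool range (the interface and pool values are the ones used above) and reports which pool addresses each interface will answer ARP for.

```python
import ipaddress

# Added example (not from the FortiOS Handbook): compute which IP pool
# addresses each FortiGate interface will answer ARP for, by intersecting
# the interface subnet with each pool range. Values below are the
# handbook's own example interfaces and pools.

INTERFACES = {
    "port1": "1.1.1.1/255.255.255.0",
    "port2": "2.2.2.2/255.255.255.0",
}

IP_POOLS = {
    "IP_pool_1": ("1.1.1.10", "1.1.1.20"),
    "IP_pool_2": ("2.2.2.10", "2.2.2.20"),
    "IP_pool_3": ("2.2.2.30", "2.2.2.40"),
}


def interface_range(addr_with_mask):
    """Inclusive (first, last) integer bounds of the subnet an interface sits on."""
    net = ipaddress.IPv4Interface(addr_with_mask).network
    return int(net.network_address), int(net.broadcast_address)


def pool_range(start, end):
    return int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))


def overlap(a, b):
    """Intersection of two inclusive integer ranges, or None when disjoint."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def arp_ranges(interfaces=INTERFACES, pools=IP_POOLS):
    """Map each interface name to a list of (pool, first, last) ranges it
    will answer ARP for, in pool definition order."""
    result = {}
    for ifname, addr in interfaces.items():
        if_rng = interface_range(addr)
        hits = []
        for pool_name, (start, end) in pools.items():
            ov = overlap(if_rng, pool_range(start, end))
            if ov is not None:
                hits.append((pool_name,
                             str(ipaddress.IPv4Address(ov[0])),
                             str(ipaddress.IPv4Address(ov[1]))))
        result[ifname] = hits
    return result


if __name__ == "__main__":
    for ifname, hits in arp_ranges().items():
        for pool_name, first, last in hits:
            print(f"{ifname} answers ARP for {first}-{last} ({pool_name})")
```

A pool that falls entirely outside every interface subnet produces no entry; in that case the FortiGate unit does not answer ARP for it and the upstream router needs a route to the pool instead.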
Scenario 2: The number of source addresses is more than that of IP pool addresses
In this case, the FortiGate unit translates IP addresses using a wrap-around mechanism. If you enable fixedport in such a case, the FortiGate unit preserves the original source port, but conflicts may occur because different users may have sessions that use the same TCP 5-tuple.
    Original address        Change to
    192.168.1.1             172.16.30.10
    192.168.1.2             172.16.30.11
    ......                  ......
    192.168.1.10            172.16.30.19
    192.168.1.11            172.16.30.10
    192.168.1.12            172.16.30.11
    192.168.1.13            172.16.30.12
    ......                  ......
Scenario 3: The number of source addresses is fewer than that of IP pool addresses
In this case, some of the IP pool addresses are used and the rest are not used.
    Original address            Change to
    192.168.1.1                 172.16.30.10
    192.168.1.2                 172.16.30.11
    192.168.1.3                 172.16.30.12
    No more source addresses    172.16.30.13 and other addresses are not used
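The two scenario tables describe a wrap-around assignment, and the fixedport caveat is the part that bites in practice: once two original sources land on the same pool address, any two sessions that also share source port, destination and protocol collapse into one translated 5-tuple. The following script is an added example written for this guide, not FortiOS code; the mapping rule it uses (pool index = offset from the first source, modulo pool size) simply reproduces the tables and is a model of the documented behaviour, not the unit's internal algorithm. The pool 172.16.30.10-172.16.30.19 and the 192.168.1.x sources are the handbook's values; the session tuples are constructed.

```python
import ipaddress

# Added example (not from the FortiOS Handbook): model the wrap-around pool
# assignment shown in the scenario tables and flag the 5-tuple collisions the
# handbook warns about when fixedport is enabled. The mapping rule reproduces
# the tables; it is a model, not FortiOS source.

POOL_START = "172.16.30.10"
POOL_END = "172.16.30.19"   # 10 pool addresses, as in scenario 2


def pool_addresses(start=POOL_START, end=POOL_END):
    lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


def translate_sources(sources, start=POOL_START, end=POOL_END):
    """Map each original source to a pool address. With more sources than
    pool addresses the assignment wraps around (scenario 2); with fewer, the
    tail of the pool stays unused (scenario 3)."""
    pool = pool_addresses(start, end)
    base = int(ipaddress.IPv4Address(sources[0]))
    mapping = {}
    for src in sources:
        offset = int(ipaddress.IPv4Address(src)) - base
        mapping[src] = pool[offset % len(pool)]
    return mapping


def unused_pool_addresses(sources, start=POOL_START, end=POOL_END):
    used = set(translate_sources(sources, start, end).values())
    return [a for a in pool_addresses(start, end) if a not in used]


def fixedport_conflicts(sessions, start=POOL_START, end=POOL_END):
    """sessions: iterable of (src_ip, src_port, dst_ip, dst_port, proto).

    With fixedport the source port is preserved, so two sessions from
    different original sources that map to the same pool address and share
    source port, destination and protocol yield an identical translated
    5-tuple. Returns a list of (first_src, second_src, translated_tuple)."""
    sessions = list(sessions)
    sources = sorted({s[0] for s in sessions}, key=ipaddress.IPv4Address)
    mapping = translate_sources(sources, start, end)
    seen = {}
    conflicts = []
    for src_ip, src_port, dst_ip, dst_port, proto in sessions:
        key = (mapping[src_ip], src_port, dst_ip, dst_port, proto)
        if key in seen and seen[key] != src_ip:
            conflicts.append((seen[key], src_ip, key))
        seen.setdefault(key, src_ip)
    return conflicts


if __name__ == "__main__":
    sources = [f"192.168.1.{i}" for i in range(1, 14)]
    for src, translated in translate_sources(sources).items():
        print(f"{src:14} -> {translated}")
    print("unused with 3 sources:", unused_pool_addresses(sources[:3]))
```

Without fixedport the unit would pick a free source port on the shared pool address and the collision would not occur; fixedport trades that freedom for protocols that require the original port to survive translation, which is why the handbook ties the warning to that setting.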
Geography-based addressing
An option is available to add a geography-based address scheme. With this type of addressing, you indicate the geographic region, or country. The FortiGate unit includes an internal list of countries and IP addresses based on historical data from the FortiGuard network. IPv6 does not support geography-based addressing. This feature is for IPv4 addresses only. When used in security policies, traffic originating from or going to a particular country can be logged, blocked or have specific filtering applied. In the following examples, a geography-based address for China is added for the WAN1 port.
To add a geography-based address - web-based manager
1 Go to Firewall Objects > Address > Address and select Create New.
2 Enter the Name of China.
3 For the Type, select Geography.
4 From the Country list, select China.
5 Select the Interface of WAN1.
6 Select OK.
To add a geography-based address - CLI
    config firewall address
        edit China
            set type geography
            set country CN
            set interface wan1
    end
You can use a diagnose command to view more information about geography-based addressing. The command displays country and address information for the countries that have been added to firewall addresses.
    diagnose firewall ipgeo {country-list | ip-list | ip2country}
Where:
    country-list shows all of the countries that have been added to a firewall address.
    ip-list shows the IP addresses of a specified country or all of the countries added to firewall addresses.
    ip2country shows the country of origin for a specified IP address. The address must be assigned to one of the countries that has been added to a firewall address.
Wildcard addresses
Wildcard addresses are addresses that identify ranges of IP addresses, reducing the number of firewall addresses and security policies required to match some of the traffic on your network. Wildcard addresses are an advanced feature, usually required only for complex networks with complex firewall filtering requirements. By using wildcard addresses in the firewall configuration, administrators can avoid creating multiple separate IP addresses, grouping them, and then applying the group to multiple security policies. A wildcard address consists of an IP address and a wildcard netmask, for example, 192.168.0.56 255.255.0.255. In this example, the IP address is 192.168.0.56 and the wildcard netmask is 255.255.0.255. The IP address defines the networks to match and the wildcard netmask defines the specific addresses to match on these networks. In a wildcard netmask, zero means ignore the value of the octet in the IP address, which means the wildcard firewall address matches any number in this address octet. This also means that the number included in this octet of the IP address is ignored and can be any number. Usually, if the octet in the wildcard netmask is zero, the corresponding octet in the IP address is also zero. In a wildcard netmask, a non-zero number means match addresses according to how the numbers translate into binary. For example, if an octet of the wildcard netmask is 255, the wildcard address will only match addresses whose value for this octet equals the value in the IP address part of the wildcard address. So, if the first octet of the IP address is 192 and the first octet of the wildcard netmask is 255, the wildcard address will only match addresses with 192 in the first octet. In the above example, the wildcard address 192.168.0.56 255.255.0.255 would match the following IP addresses:
    192.168.0.56, 192.168.1.56, 192.168.2.56, ..., 192.168.255.56
The wildcard addresses 192.168.0.56 255.255.0.255 and 192.168.1.56 255.255.0.255 define the same thing, since the 0 in the wildcard mask means match any value in the third octet. If we use the wildcard address 172.0.20.10 255.0.255.255, it would match the following IP addresses:
    172.1.20.10, 172.2.20.10, 172.3.20.10, ..., 172.255.20.10
In a wildcard netmask, a number other than 255 matches multiple addresses for this octet. You can perform a binary conversion to calculate the addresses that would be matched by a given value. For example, to create the IP address and wildcard netmask to match the following network addresses:
    192.168.32.0/24
    192.168.33.0/24
    192.168.34.0/24
    192.168.35.0/24
    192.168.36.0/24
    192.168.37.0/24
    192.168.38.0/24
    192.168.39.0/24
Table 1 shows how to write the third octet for these networks according to the octet bit position and address value for each bit.
Table 1: Octet bit position and address value for each bit
    Decimal   128   64   32   16    8    4    2    1
    32          0    0    1    0    0    0    0    0
    33          0    0    1    0    0    0    0    1
    34          0    0    1    0    0    0    1    0
    35          0    0    1    0    0    0    1    1
    36          0    0    1    0    0    1    0    0
    37          0    0    1    0    0    1    0    1
    38          0    0    1    0    0    1    1    0
    39          0    0    1    0    0    1    1    1
    Mask        M    M    M    M    M    D    D    D
    (M: the bit must match; D: the bit is ignored)
Since the first five bits match, the networks can be summarized into one network (192.168.32.0/21 or 192.168.32.0 255.255.248.0). All eight possible combinations of the three low-order bits are relevant for the network ranges. The wildcard address that would match all of these subnet addresses can be written as 192.168.32.0 255.255.248.0. Wildcard addresses are similar to routing access list wildcard masks. You add routing access lists containing wildcard masks using the config router access-list command. However, router access list wildcard masks use the inverse of the masking system used for firewall wildcard addresses. For router access list wildcard masks, zero (0) means the bit must match and one (1) means the bit is ignored. So to match IP addresses 192.168.0.56, 192.168.1.56, 192.168.2.56, ..., 192.168.255.56 you would use the following router access IP address prefix and wildcard mask: 192.168.0.56 0.0.255.0. Wildcard firewall addresses are configured only in the CLI. The following is an example of how to configure a wildcard firewall address.
    config firewall address
        edit example_wildcard_address
            set type wildcard
            set wildcard 192.168.0.56 255.255.0.255
    end
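Because a wildcard netmask is evaluated bit by bit, the safest way to check what a candidate wildcard address will actually admit is to compute it rather than reason about octets. The code below is an added example written for this guide, not FortiOS code or a Fortinet tool. It evaluates a wildcard address exactly as described above (a 1 bit in the netmask must match, a 0 bit is ignored), converts a firewall wildcard netmask into the inverted router access-list form, and generalizes the Table 1 exercise: given a list of networks it derives the single wildcard address that covers them and reports whether that wildcard also admits addresses outside the list. The 192.168.32.0/24 to 192.168.39.0/24 networks and the 192.168.0.56 255.255.0.255 and 172.0.20.10 255.0.255.255 wildcards are the handbook's examples.

```python
import ipaddress

# Added example (not from the FortiOS Handbook): evaluate firewall wildcard
# addresses bit by bit, convert to router access-list wildcard masks, and
# summarize a list of networks into one wildcard address.


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(ip, wildcard_ip, wildcard_mask):
    """True if ip matches the wildcard address 'wildcard_ip wildcard_mask'.

    Only bits set to 1 in the mask are compared; 0 bits are ignored.
    """
    mask = _to_int(wildcard_mask)
    return (_to_int(ip) & mask) == (_to_int(wildcard_ip) & mask)


def to_router_wildcard_mask(wildcard_mask):
    """Router access lists use the inverse mask: 0 = must match, 1 = ignore."""
    return str(ipaddress.IPv4Address(_to_int(wildcard_mask) ^ 0xFFFFFFFF))


def summarize_networks(networks):
    """Derive one wildcard address covering all the given networks.

    Keeps only the bits that are identical across every network address
    and treats all host bits as ignored. Returns (wildcard_ip, wildcard_mask,
    exact); exact is False when the wildcard would also match addresses that
    belong to none of the listed networks (over-matching).
    """
    nets = [ipaddress.IPv4Network(n) for n in networks]
    addrs = [int(n.network_address) for n in nets]
    host_bits = max(32 - n.prefixlen for n in nets)
    differing = 0
    for a in addrs[1:]:
        differing |= addrs[0] ^ a          # bits that differ between networks
    mask = (0xFFFFFFFF ^ differing) & ((0xFFFFFFFF << host_bits) & 0xFFFFFFFF)
    base = addrs[0] & mask
    ignored_bits = 32 - bin(mask).count("1")
    covered = 1 << ignored_bits            # addresses the wildcard admits
    wanted = sum(n.num_addresses for n in nets)
    return (str(ipaddress.IPv4Address(base)),
            str(ipaddress.IPv4Address(mask)),
            covered == wanted)


if __name__ == "__main__":
    print(wildcard_matches("192.168.77.56", "192.168.0.56", "255.255.0.255"))
    print(to_router_wildcard_mask("255.255.0.255"))
    print(summarize_networks([f"192.168.{i}.0/24" for i in range(32, 40)]))
```

The exact flag is the check worth running before committing a wildcard address: a list such as 192.168.32.0/24 and 192.168.35.0/24 alone summarizes to 192.168.32.0 255.255.252.0, which also admits 192.168.33.x and 192.168.34.x.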
Address groups
Similar to zones, if you have a number of addresses or address ranges that require the same security policies, you can put them into address groups, rather than creating multiple similar policies. Because security policies require addresses with homogeneous network interfaces, address groups should contain only addresses bound to the same network interface, or to Any. Addresses whose selected interface is Any are bound to a network interface during creation of a security policy, rather than during creation of the firewall address. For example, if address 1.1.1.1 is associated with port1, and address 2.2.2.2 is associated with port2, they cannot be in the same group. However, if 1.1.1.1 and 2.2.2.2 are configured with an interface of Any, they can be grouped, even if the addresses involve different networks. You cannot mix IPv4 firewall addresses and IPv6 firewall addresses in the same address group.
Virtual IP addresses
In FortiOS, virtual IP addresses (VIPs) can be used when configuring security policies to translate IP addresses and ports of packets received by a network interface. When the FortiGate unit receives inbound packets matching a security policy whose Destination Address field is a virtual IP, the FortiGate unit applies NAT, replacing the packets' IP addresses with the virtual IP's mapped IP address. VIPs can specify translation of packets' port numbers and/or IP addresses for both inbound and outbound connections. In Transparent mode, virtual IPs are available only in the CLI. VIP addresses are typically used to map external (public) to internal (private) IP addresses for Destination NAT (DNAT).
Match-vip
The match-vip feature allows the FortiGate unit to log virtual IP traffic that gets implicitly dropped. This feature eliminates the need to create two policies for virtual IPs: one that allows the virtual IP, and another to get a proper log entry for DROP rules. For example, if you have a virtual IP security policy and enable the match-vip feature, the virtual IP traffic that is not matched by the policy is now caught. The match-vip feature is available only in the CLI. Use the following command syntax to enable this feature in a policy (<policy_id> is the ID of that policy). By default, it is disabled.
config firewall policy
  edit <policy_id>
    set match-vip enable
  end
Firewall for FortiOS 4.0 MR3 01-432-148222-20120124 http://docs.fortinet.com/
Services
Services represent typical traffic types and application packets that pass through the FortiGate unit. Firewall services define one or more protocols and port numbers associated with each service. Security policies use service definitions to match session types. You can organize related services into service groups to simplify your security policy list. Many well-known traffic types have been predefined in firewall services and protocols on the FortiGate unit. These predefined services and protocols are defaults, and cannot be edited or removed. However, if you require different services, you can create custom services. To view the predefined services, go to Firewall Objects > Service > Predefined. If there is a service that does not appear on the list, or you have a unique service or situation, you can create your own custom service. To create the custom service, you need to know the ports, IP addresses, or protocols that the particular service or application uses.
Service name: description. Protocol and port, where the listing shows them.
AFS3: Advanced File Security Encrypted File, version 3, of the AFS distributed file system protocol.
AH: IP Authentication Header. AH provides source host authentication and data integrity, but not secrecy. This protocol is used for authentication by IPSec remote gateways set to aggressive mode.
(name not legible): Matches connections using any protocol over all IP.
(name not legible): America Online Instant Message protocol.
BGP: Border Gateway Protocol. BGP is an interior/exterior routing protocol.
CVSPSERVER: Concurrent Versions System Proxy Server. CVSPSERVER is very good for providing anonymous CVS access to a repository.
DCE-RPC: Distributed Computing Environment / Remote Procedure Calls. Applications using DCE-RPC can call procedures from another application without having to know on which host the other application is running. Protocol: TCP, UDP.
DHCP: Dynamic Host Configuration Protocol. DHCP allocates network addresses and delivers configuration parameters from DHCP servers to hosts. Protocol/port: UDP 67, 68.
DHCP6: Dynamic Host Configuration Protocol for IPv6. Port: 546, 547.
DNS: Domain Name Service. DNS resolves domain names into IP addresses. Protocol/port: TCP 53, UDP 53.
ESP: Encapsulating Security Payload. ESP is used by manual key and AutoIKE IPSec VPN tunnels for communicating encrypted data. AutoIKE VPN tunnels use ESP after establishing the tunnel by IKE. Protocol/port: IP 50.
(name not legible): A network service providing information about users. Port: 79.
FTP: File Transfer Protocol. Port: 21.
FTP GET: File Transfer Protocol. FTP GET sessions transfer remote files from an FTP server to an FTP client computer. Port: 21.
FTP PUT: File Transfer Protocol. FTP PUT sessions transfer local files from an FTP client to an FTP server. Protocol/port: TCP 21.
GOPHER: Gopher organizes and displays Internet server contents as a hierarchically structured list of files. Protocol/port: TCP 70.
GRE: Generic Routing Encapsulation. GRE allows an arbitrary network protocol to be transmitted over any other arbitrary network protocol, by encapsulating the packets of the protocol within GRE packets. Protocol/port: IP 47.
GTP: GPRS Tunneling protocol (GTP). GTP is used with GSM and UMTS networks to carry user data within GPRS core networks. FortiOS Carrier can accept and process IPv4 GTP packets. Protocol/port: UDP 2123, 2152, 3386.
H323: H.323 multimedia protocol. H.323 is a standard approved by the International Telecommunication Union (ITU) defining how audiovisual conferencing data can be transmitted across networks. For more information, see the FortiGate Support for H.323 Technical Note. Protocol: TCP, UDP.
HTTP: Hypertext Transfer Protocol. HTTP is used to browse web pages on the World Wide Web. Protocol/port: TCP 80.
HTTPS: HTTP with secure socket layer (SSL). HTTPS is used for secure communication with web servers. Protocol/port: TCP 443.
ICMP_ANY: Internet Control Message Protocol. ICMP allows control messages and error reporting between a host and gateway (Internet). Protocol/port: ICMP, any.
IKE: Internet Key Exchange. IKE obtains authenticated keying material for use with the Internet Security Association and Key Management Protocol (ISAKMP) for IPSEC. Protocol/port: UDP 500, 4500.
IMAP: Internet Message Access Protocol. IMAP is used by email clients to retrieve email messages from email servers. Protocol/port: TCP 143.
IMAPS: IMAP with SSL. IMAPS is used for secure IMAP communication between email clients and servers. IMAPS is only available on Fortinet units that support SSL content scanning and inspection. For more information, see the UTM chapter of the FortiOS Handbook. Protocol/port: TCP 993.
INFO_ADDRESS: ICMP address mask request messages. Protocol/port: ICMP 17.
(name not legible): ICMP information request messages.
IRC: Internet Relay Chat. IRC allows users to join chat channels.
ILS: Internet Locator Service. ILS includes LDAP, User Locator Service, and LDAP over TLS/SSL.
L2TP: Layer 2 Tunneling Protocol. L2TP is a PPP-based tunnel protocol for remote access.
LDAP: Lightweight Directory Access Protocol. LDAP is used to access information directories.
MGCP: Media Gateway Control Protocol. MGCP is used by call agents and media gateways in distributed Voice over IP (VoIP) systems.
MMS: MMS tunneling protocol. MMS is used when sending and receiving multimedia content to a mobile phone.
MS-SQL: Microsoft SQL Server is a relational database management system (RDBMS) produced by Microsoft. Its primary query languages are MS-SQL and T-SQL.
MYSQL: MySQL is a relational database management system (RDBMS) which runs as a server providing multi-user access to a number of databases. Protocol/port: TCP 3306.
NFS: Network File System. NFS allows network users to mount shared files. Protocol: TCP, UDP.
NNTP: Network News Transport Protocol. NNTP is used to post, distribute, and retrieve Usenet messages. Protocol: TCP.
NTP: Network Time Protocol. NTP synchronizes a host's time with a time server. Protocol/port: TCP 123, UDP 123.
NetMeeting: NetMeeting allows users to teleconference using the Internet as the transmission medium. Protocol/port: TCP 1720.
ONC-RPC: Open Network Computing Remote Procedure Call. ONC-RPC is a widely deployed remote procedure call system. Protocol: TCP, UDP.
OSPF: Open Shortest Path First. OSPF is a common link state routing protocol. Protocol: IP.
PC-Anywhere: PC-Anywhere is a remote control and file transfer protocol. Protocol: TCP, UDP.
PING: Ping sends ICMP echo request/replies to test connectivity to other hosts. Port: 8.
PING6: Ping6 sends ICMPv6 echo request/replies to network hosts to test IPv6 connectivity to other hosts. Port: 58.
POP3: Post Office Protocol v3. POP retrieves email messages. Protocol/port: TCP 110.
POP3S: Post Office Protocol v3 with secure socket layer (SSL). POP3S is used for secure retrieval of email messages. POP3S is only available on Fortinet units that support SSL content scanning and inspection. For more information, see the UTM chapter of the FortiOS Handbook. Protocol/port: TCP 995.
PPTP: Point-to-Point Tunneling Protocol. PPTP is used to tunnel connections between private network hosts over the Internet. Note: also requires IP protocol 47. Protocol/port: TCP 1723.
QUAKE: Quake multi-player computer game traffic. Protocol: UDP.
RADIUS: Remote Authentication Dial In User Service. RADIUS is a networking protocol that provides centralized access, authorization and accounting management for people or computers to connect and use a network service.
RAUDIO: RealAudio multimedia traffic. Protocol/port: UDP 7070.
RDP: Remote Desktop Protocol is a multi-channel protocol that allows a user to connect to a networked computer. Protocol/port: TCP 3389.
REXEC: Rexec traffic allows specified commands to be executed on a remote host running the rexecd service (daemon). Protocol/port: TCP 512.
RIP: Routing Information Protocol. RIP is a common distance vector routing protocol. This service matches RIP v1. Protocol/port: UDP 520.
(name not legible): Remote login traffic. Protocol/port: TCP 513.
(name not legible): Remote Shell traffic allows specified commands to be executed on a remote host running the rshd service (daemon). Protocol/port: TCP 514.
RTSP: Real Time Streaming Protocol is a protocol for use in streaming media systems which allows a client to remotely control a streaming media server, issuing VCR-like commands such as play and pause, and allowing time-based access to files on a server. Protocol: TCP, UDP.
SAMBA: Server Message Block. SMB allows clients to use file and print shares from enabled hosts. This is primarily used for Microsoft Windows hosts, but may be used with operating systems running the Samba daemon. Protocol/port: TCP 139.
SCCP: Skinny Client Control Protocol. SCCP is a Cisco proprietary standard for terminal control for use with voice over IP (VoIP). Protocol/port: TCP 2000.
SIP: Session Initiation Protocol. SIP allows audiovisual conferencing data to be transmitted across networks. For more information, see the Voice Solutions: SIP chapter of the FortiOS Handbook. Protocol/port: UDP 5060.
SIPMSNmessenger: Session Initiation Protocol used by Microsoft Messenger to initiate an interactive, possibly multimedia session. Protocol/port: TCP 1863.
SMTP: Simple Mail Transfer Protocol. SMTP is used for sending email messages between email clients and email servers, and between email servers. Protocol/port: TCP 25.
SMTPS: SMTP with SSL. Used for sending email messages between email clients and email servers, and between email servers securely. SMTPS is only available on Fortinet units that support SSL content scanning and inspection. For more information, see the UTM chapter of the FortiOS Handbook. Protocol/port: TCP 465.
SNMP: Simple Network Management Protocol. SNMP can be used to monitor and manage complex networks. Protocol: TCP, UDP.
SOCKS: SOCKetS. SOCKS is an Internet protocol that allows client-server applications to transparently use the services of a network firewall. Protocol: TCP, UDP.
SQUID: A proxy server and web cache daemon that has a wide variety of uses, including speeding up a web server by caching repeated requests; caching web, DNS and other computer network lookups for a group of people sharing network resources; and aiding security by filtering traffic. Protocol/port: TCP 3128.
SSH: Secure Shell. SSH allows secure remote management and tunneling.
Syslog: Syslog service for remote logging.
Talk: Talk allows conversations between two or more users.
(name not legible): Matches connections using any TCP port.
(name not legible): Allows plain text remote management.
TFTP: Trivial File Transfer Protocol. TFTP is similar to FTP, but without security features such as authentication. Protocol: UDP.
(name not legible): ICMP timestamp request messages. Protocol: ICMP.
(name not legible): A computer network tool used to determine the route taken by packets across an IP network.
(name not legible): Matches connections using any UDP port.
UUCP: Unix to Unix Copy Protocol. UUCP provides simple file copying.
(name not legible): VDO Live streaming multimedia traffic.
VNC: Virtual Network Computing. VNC is a graphical desktop sharing system which uses the RFB protocol to remotely control another computer. Protocol: TCP.
WAIS: Wide Area Information Server. WAIS is an Internet search protocol which may be used in conjunction with Gopher. Protocol/port: TCP 210.
WINFRAME: WinFrame provides communications between computers running Windows NT, or Citrix WinFrame/MetaFrame. Protocol/port: TCP 1494.
WINS: Windows Internet Name Service is Microsoft's implementation of NetBIOS Name Service (NBNS), a name server and service for NetBIOS computer names. Protocol/port: TCP 1512, UDP 1512.
(name not legible): X Window System (also known as X11) can forward the graphical shell from an X Window server to an X Window client. Protocol/port: TCP 6000-6063.
Firewall schedules
When you add security policies on a FortiGate unit, those policies are always on, policing the traffic through the device. Firewall schedules control when policies are in effect, that is, when they are on. You can create one-time schedules, which are in effect only once for the period of time specified in the schedule. You can also create recurring schedules that are in effect repeatedly at specified times on specified days of the week.
You can create a recurring schedule that activates a policy during a specified period of time. For example, you might prevent game playing during office hours by creating a recurring schedule that covers office hours. If a recurring schedule has a stop time that is earlier than the start time, the schedule will take effect at the start time but end at the stop time on the next day. You can use this technique to create recurring schedules that run from one day to the next. For example, to prevent game playing except at lunchtime, you might set the start time for a recurring schedule at 1:00 p.m. and the stop time at 12:00 noon. To create a recurring schedule that runs for 24 hours, set the start and stop times to 00.
Schedule groups
You can organize multiple firewall schedules into a schedule group to simplify your security policy list. For example, instead of having five identical policies for five different but related firewall schedules, you might combine the five schedules into a single schedule group that is used by a single security policy. Schedule groups can contain both recurring and one-time schedules. Schedule groups cannot contain other schedule groups.
Schedule expiry
The schedule in a security policy enables certain aspects of network traffic to occur for a specific length of time. What it does not do, however, is police that time. That is, the policy is active for a given time frame, and as long as the session is open, traffic can continue to flow. For example, in an office environment, Skype use is allowed between noon and 1 p.m. During that hour, any Skype traffic continues. As long as that session is open, the Skype conversations can continue after the 1 p.m. end time, yet new sessions will be blocked. Ideally, the Skype session should close at 1 p.m. Using a CLI command, you can set the schedule to terminate all sessions when the end time of the schedule is reached. Within the config firewall policy command, enter: set schedule-timeout enable. By default, this is set to disable.
UTM profiles
Where security policies provide the instructions to the FortiGate unit as to what traffic is allowed through the device, the Unified Threat Management (UTM) profiles provide the screening that filters the content coming and going on the network. The UTM profiles enable you to instruct the FortiGate unit what to look for in the traffic that you don't want, or want to monitor, as it passes through the device. A UTM profile is a group of options and filters that you can apply to one or more firewall policies. UTM profiles can be used by more than one security policy. You can configure sets of UTM profiles for the traffic types handled by a set of security policies that require identical protection levels and types, rather than repeatedly configuring those same UTM profile settings for each individual security policy. For example, while traffic between trusted and untrusted networks might need strict antivirus protection, traffic between trusted internal addresses might need moderate antivirus protection. To provide the different levels of protection, you might configure two separate protection profiles: one for traffic between trusted networks, and one for traffic between trusted and untrusted networks. UTM profiles are available for various unwanted traffic and network threats. Each is configured separately and can be used in different groupings as needed. You configure UTM profiles in the UTM menu and apply them when creating a security policy by selecting the UTM profile type. For more information about configuring profiles that will be used in a security policy, see the UTM chapter of the FortiOS Handbook.
Security policies
Security policies control all traffic attempting to pass through the FortiGate unit, between FortiGate interfaces, zones, and VLAN subinterfaces. This section explains what security policies are and how they affect all traffic to and from your network. This section also describes how to configure basic policies, which are used as building blocks for more complex policies and enable you to get the FortiGate unit running on the network quickly. The following topics are included in this section: Security policy overview, Policy order, Security policies, and Creating a basic security policy.
Schedule and time of the session's initiation
Service and the packet's port numbers.
If the initial packet matches the security policy, the FortiGate unit performs the configured Action and any other configured options on all packets in the session. Packet handling actions can be ACCEPT, DENY, IPSEC or SSL-VPN. ACCEPT policy actions permit communication sessions, and may optionally include other packet processing instructions, such as requiring authentication to use the policy, or specifying one or more UTM profiles to apply features such as virus scanning to packets in the session. An ACCEPT policy can also apply to interface-mode IPsec VPN traffic if either the selected source or destination interface is an IPsec virtual interface. DENY policy actions block communication sessions, and you can optionally log the denied traffic. If no security policy matches the traffic, the packets are dropped; therefore it is not required to configure a DENY security policy in the last position to block unauthorized traffic. A DENY security policy is needed when it is required to log the denied traffic, also called violation traffic. IPSEC and SSL-VPN policy actions apply a tunnel mode IPsec VPN or SSL VPN tunnel, respectively, and may optionally apply NAT and allow traffic for one or both directions. If permitted by the firewall encryption policy, a tunnel may be initiated automatically whenever a packet matching the policy arrives on the specified network interface, destined for the local private network. You need to create security policies based on how the network traffic is going to flow through the FortiGate unit. For example, for a POP3 policy where the email server is outside of the internal network, traffic should be from an internal interface to an external interface rather than the other way around.
It is typically the user on the network requesting email content from the email server, and thus the originator of the open connection is on the internal port, not the external one of the email server. This is also important to remember when viewing log messages, as the source and destination of the packets can seem backwards. If you make any changes to existing policies, those changes take effect immediately.
Policy order
Each time a FortiGate unit receives a connection attempting to pass through one of its interfaces, the unit searches its security policy list for a matching security policy. The search begins at the top of the policy list and progresses in order towards the bottom. The FortiGate unit evaluates each policy in the security policy list for a match until a match is found. When the FortiGate unit finds the first matching policy, it applies the matching policy's specified actions to the packet, and disregards subsequent security policies. Matching security policies are determined by comparing the security policy and the packet's:
  source and destination interfaces
  source and destination firewall addresses
  services
  time/schedule.
If no policy matches, the connection is dropped. As a general rule, you should order the security policy list from most specific to most general because of the order in which policies are evaluated for a match, and because only the first matching security policy is applied to a connection. Subsequent possible matches are not considered or applied. Ordering policies from most specific to most general prevents policies that match a wide range of traffic from superseding and effectively masking policies that match exceptions. For example, you might have a general policy that allows all connections from the internal network to the Internet, but want to make an exception that blocks FTP. In this case, you would add a policy that denies FTP connections above the general policy.
Figure 6: Example: Blocking FTP, correct policy order (the exception policy that denies FTP is listed above the general policy)
FTP connections would immediately match the deny policy, blocking the connection. Other kinds of services do not match the FTP policy, and so policy evaluation would continue until reaching the matching general policy. This policy order has the intended effect. But if you reversed the order of the two policies, positioning the general policy before the policy to block FTP, all connections, including FTP, would immediately match the general policy, and the policy to block FTP would never be applied. This policy order would not have the intended effect.
Figure 7: Example: Blocking FTP, incorrect policy order (the general policy is listed above the exception policy)
Similarly, if specific traffic requires authentication, IPsec VPN, or SSL VPN, you would position those policies above other potential matches in the policy list. Otherwise, the other matching policies would always take precedence, and the required authentication, IPsec VPN, or SSL VPN might never occur. A default security policy may exist, which accepts all connections. You can move, disable or delete it. If you move the default policy to the bottom of the security policy list and no other policy matches the packet, the connection will be accepted. If you disable or delete the default policy and no other policy matches the packet, the connection will be dropped. You can arrange the security policy list to influence the order in which policies are evaluated for matches with incoming traffic. When more than one policy has been defined for the same interface pair, the first matching security policy will be applied to the traffic session.
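Added example (not FortiOS code): a Python simulation of the top-down, first-match policy lookup described in this section and of the recurring schedules from the Firewall schedules section, including a schedule whose stop time is earlier than its start time. The interfaces, addresses, policy IDs and the game port are assumptions.

```python
"""Added example (not FortiOS code): a first-match simulation of the FortiGate
security policy lookup, including recurring schedules that cross midnight."""
from dataclasses import dataclass
from datetime import time
import ipaddress

ALL_DAYS = frozenset(range(7))  # 0 = Monday ... 6 = Sunday


@dataclass(frozen=True)
class Schedule:
    """Recurring schedule. When stop is earlier than start, the window opens at
    start and closes at stop on the following day, as the handbook describes."""
    start: time
    stop: time
    days: frozenset = ALL_DAYS

    def active(self, weekday: int, now: time) -> bool:
        if self.start == self.stop:               # 00:00 to 00:00 runs 24 hours
            return weekday in self.days
        if self.start < self.stop:                # window within one day
            return weekday in self.days and self.start <= now < self.stop
        if weekday in self.days and now >= self.start:   # first half, before midnight
            return True
        return (weekday - 1) % 7 in self.days and now < self.stop  # spill-over


ALWAYS = Schedule(time(0, 0), time(0, 0))


@dataclass(frozen=True)
class Packet:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Policy:
    policyid: int
    srcintf: str
    dstintf: str
    srcaddr: str          # CIDR; 0.0.0.0/0 plays the role of the "all" address
    dstaddr: str
    service: frozenset    # of (protocol, port); port None = any port of that protocol
    action: str           # "accept" or "deny"
    schedule: Schedule = ALWAYS

    def matches(self, pkt: Packet, weekday: int, now: time) -> bool:
        return (self.srcintf == pkt.srcintf and self.dstintf == pkt.dstintf
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.srcaddr)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dstaddr)
                and ((pkt.proto, pkt.dport) in self.service or (pkt.proto, None) in self.service)
                and self.schedule.active(weekday, now))


def lookup(policies, pkt: Packet, weekday: int = 0, now: time = time(12, 0)):
    """Top-down, first match wins. No match is the implicit drop, which the
    FortiGate reports as policy ID 0."""
    for policy in policies:
        if policy.matches(pkt, weekday, now):
            return policy.action, policy.policyid
    return "deny", 0


# Constructed policies for the handbook's FTP example (assumed interfaces and addresses).
ANY_TCP = frozenset({("tcp", None)})
FTP = frozenset({("tcp", 21)})
EXCEPTION = Policy(2, "internal", "wan1", "10.0.0.0/8", "0.0.0.0/0", FTP, "deny")
GENERAL = Policy(1, "internal", "wan1", "10.0.0.0/8", "0.0.0.0/0", ANY_TCP, "accept")
CORRECT_ORDER = [EXCEPTION, GENERAL]
INCORRECT_ORDER = [GENERAL, EXCEPTION]

# Constructed "no games except at lunch" example: a deny policy whose recurring
# schedule runs from 1:00 p.m. to 12:00 noon the next day, above a general accept.
ANY_UDP = frozenset({("udp", None)})
NO_LUNCH = Schedule(time(13, 0), time(12, 0))
GAME_BLOCK = Policy(3, "internal", "wan1", "10.0.0.0/8", "0.0.0.0/0", ANY_UDP, "deny", NO_LUNCH)
UDP_ALLOW = Policy(4, "internal", "wan1", "10.0.0.0/8", "0.0.0.0/0", ANY_UDP, "accept")
GAME_POLICIES = [GAME_BLOCK, UDP_ALLOW]

FTP_PKT = Packet("internal", "wan1", "10.1.1.5", "203.0.113.10", "tcp", 21)
HTTP_PKT = Packet("internal", "wan1", "10.1.1.5", "203.0.113.10", "tcp", 80)
GAME_PKT = Packet("internal", "wan1", "10.1.1.5", "203.0.113.10", "udp", 27960)  # assumed port

if __name__ == "__main__":
    print(lookup(CORRECT_ORDER, FTP_PKT))     # ('deny', 2): exception matched first
    print(lookup(INCORRECT_ORDER, FTP_PKT))   # ('accept', 1): general policy masks it
    print(lookup(GAME_POLICIES, GAME_PKT, now=time(12, 30)))  # ('accept', 4): lunch
    print(lookup(GAME_POLICIES, GAME_PKT, now=time(9, 0)))    # ('deny', 3): spilled over
```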
Security policies
There are many different security policies that you can configure for the FortiGate firewall. These policies include SSL VPN, wireless, and identity-based policies. With different configurations come different security policies, and each contains different information for processing the packets coming into the FortiGate unit. The following sections explain each type of security policy that can be configured and the reason for configuring such a security policy. This topic contains the following: Identity-based policies, SSL VPN policies, IPsec policies, Accept policies, Deny policies, IPv6 policies, Security policy 0, and Local-in policies.
If you make any changes to existing policies, those changes take effect immediately.
Identity-based policies
If you enable Identity Based Policy in a security policy, network users must send traffic involving a supported firewall authentication protocol to trigger the firewall authentication challenge, and successfully authenticate, before the FortiGate unit will allow any other traffic matching the security policy. User authentication can occur through any of the following supported protocols:
  HTTP
  HTTPS
  FTP
  Telnet
Authentication can also occur through automatic login using NTLM and FSAE, to bypass user intervention. The authentication style depends on which of these supported protocols you have included in the selected firewall services group and which of those enabled protocols the network user applies to trigger the authentication challenge. The authentication style will be one of two types. For certificate-based (HTTPS or HTTP redirected to HTTPS only) authentication, you must install customized certificates on the FortiGate unit and on the browsers of network users, which the FortiGate unit matches. For user name and password-based (HTTP, FTP, and Telnet) authentication, the FortiGate unit prompts network users to input their firewall user name and password. For example, if you want to require HTTPS certificate-based authentication before allowing SMTP and POP3 traffic, you must select a firewall service (in the security policy) that includes the SMTP, POP3 and HTTPS services. Prior to using either POP3 or SMTP, the network user would send traffic using the HTTPS service, which the FortiGate unit would use to verify the network user's certificate; upon successful certificate-based authentication, the network user would then be able to access his or her email. In most cases, you should ensure that users can use DNS through the FortiGate unit without authentication. If DNS is not available, users will not be able to use a domain name when using a supported authentication protocol to trigger the FortiGate unit's authentication challenge.
If you do not install certificates on the network user's web browser, then network users may see an SSL certificate warning message and have to manually accept the default FortiGate certificate, which the network user's web browser may then deem invalid. When you use certificate authentication, if you do not specify any certificate when you create a security policy, the FortiGate unit will use the default certificate from the global settings. If you specify a certificate, the per-policy setting will override the global setting. Authentication requires that Action is ACCEPT or SSL-VPN, and that you first create users, assign them to a firewall user group, and assign UTM profiles to that user group. For additional information about identity-based-policy positioning and identity-based sub-policies, see Identity-based security policies on page 85.
  edit 1
    set srcintf internal
    set srcaddr 10.13.20.22
    set dstintf wan1
    set dstaddr 172.20.120.141
    set action accept
    set schedule always
    set identity-based enable
    config identity-based-policy
      edit 1
        set group accounting
        set service HTTPS
        set schedule always
      end
  end
IPsec policies
IPsec policies allow IPsec VPN traffic access to the internal network from a remote location. These policies include authentication information that authenticates users and one or more user groups. These policies specify the following:
  the FortiGate interface that provides the physical connection to the remote VPN gateway, usually an interface connected to the Internet
  the FortiGate interface that connects to the private network
  IP addresses associated with data that has to be encrypted and decrypted
  optional: a schedule that restricts when the VPN can operate, and services (or types of data) that can be sent.
For a route-based (interface mode) VPN, you do not configure an IPsec security policy. Instead, you configure two regular ACCEPT security policies, one for each direction of communication, with the IPsec virtual interface as the source or destination interface, as appropriate.
Accept policies
Accept security policies accept traffic that is coming into the network. These policies allow traffic through the FortiGate unit, where the packets are scanned, translated if NAT is enabled, and then sent out to their destination. Accept security policies are the most common security policies that are created in FortiOS. These security policies range from basic policies, such as allowing Internet access, to complex policies, such as IPsec VPN. For information about how to configure accept policies, see Security policy list details on page 44.
Deny policies
Deny security policies deny traffic that is coming into the network. The FortiGate unit automatically blocks traffic that is associated with a deny security policy. Deny security policies are usually configured when you need to restrict specific traffic, for example, SSH traffic. Deny security policies can also help when you want to block a service, such as DNS, but allow a specific DNS server. For information about how to configure DENY policies, see Security policy list details on page 44.
3 Create a new policy that allows access to only the DNS server. This policy is used by the FortiGate unit to allow DNS requests to the DNS server that is specified.
4 Move the policies so that they are in the correct order. If the policies are not in the correct order, the FortiGate unit will not process the instructions properly and the policies will not work. The allow policy needs to be first and the deny policy needs to come right after it.
5 Test the policies. You can test the policies by using the diagnose debug command in the CLI or by viewing the packet count in the Count column of the policies. For more information about how to test and verify whether traffic is hitting a policy, see How to create a basic security policy for Internet access on page 53.
IPv6 policies
IPv6 security policies are created both for an IPv6 network and for a transitional network. A transitional network is a network that is transitioning over to IPv6, but must still have access to the Internet or must connect over an IPv4 network. These policies allow this specific type of traffic to travel between the IPv6 and IPv4 networks. The IPv6 options for creating these policies are hidden by default. You must enable this feature in System > Admin > Settings. For more information about IPv6 in FortiOS, see Internet Protocol version 6 (IPv6) on page 61.
Security policy 0
Any security policy that is automatically added by the FortiGate unit has a policy ID number of zero (0). The most common reasons the FortiGate unit creates this policy are:
  The IPsec policy for FortiAnalyzer (and FortiManager version 3.0) is automatically added when an IPsec connection to the FortiAnalyzer unit or FortiManager is enabled.
  The policy that allows FortiGuard servers to be automatically added has a policy ID number of zero.
  The (default) drop rule that is the last rule in the policy list and that is automatically added has a policy ID number of zero.
  When a network zone is defined within a VDOM, intra-zone traffic set to allow or block is managed by policy 0 if it is not processed by a configured security policy.
This policy can appear in logs but will never appear in the security policy list, and therefore can never be repositioned in the list. When viewing the FortiGate logs, you may find a log field entry indicating policyid=0. The following log message example contains the log field policyid=0.
2008-10-06 00:13:49 log_id=0022013001 type=traffic subtype=violation pri=warning vd=root SN=179089 duration=0 user=N/A group=N/A rule=0 policyid=0 proto=17 service=137/udp app_type=N/A status=deny src=10.181.77.73 srcname=10.181.77.73 dst=10.128.1.161 dstname=10.128.1.161 src_int=N/A dst_int="Internal" sent=0 rcvd=0 src_port=137 dst_port=137 vpn=N/A tran_ip=0.0.0.0 tran_port=0
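Added example (not from the handbook): a Python parser for traffic log lines in the key=value form shown above that separates policyid=0 denies, the implicit drops, from ordinary policy hits. The first sample line is the handbook's own; the second is constructed.

```python
"""Added example (not from the FortiOS Handbook): parse FortiGate traffic log lines
and pick out the implicit-drop entries, which carry policyid=0."""
import shlex
from collections import Counter

# The first line is the handbook's policyid=0 example; the second is a constructed
# accepted-session line (policyid=5, placeholder log_id) to show the filter at work.
SAMPLE_LINES = [
    '2008-10-06 00:13:49 log_id=0022013001 type=traffic subtype=violation pri=warning '
    'vd=root SN=179089 duration=0 user=N/A group=N/A rule=0 policyid=0 proto=17 '
    'service=137/udp app_type=N/A status=deny src=10.181.77.73 srcname=10.181.77.73 '
    'dst=10.128.1.161 dstname=10.128.1.161 src_int=N/A dst_int="Internal" sent=0 '
    'rcvd=0 src_port=137 dst_port=137 vpn=N/A tran_ip=0.0.0.0 tran_port=0',
    '2008-10-06 00:14:02 log_id=0000000000 type=traffic subtype=allowed pri=notice '
    'vd=root SN=179090 duration=15 user=N/A group=N/A rule=5 policyid=5 proto=6 '
    'service=443/tcp app_type=N/A status=accept src=10.181.77.80 srcname=10.181.77.80 '
    'dst=10.128.1.200 dstname=10.128.1.200 src_int="Internal" dst_int="wan1" sent=812 '
    'rcvd=5120 src_port=51234 dst_port=443 vpn=N/A tran_ip=0.0.0.0 tran_port=0',
]


def parse_traffic_log(line: str) -> dict:
    """Split a key=value log line into a dict. shlex honours the double quotes
    around values such as dst_int="Internal"; the leading date and time tokens,
    which carry no '=', are joined into a single 'timestamp' field."""
    record, free_tokens = {}, []
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            record[key] = value
        else:
            free_tokens.append(token)
    record["timestamp"] = " ".join(free_tokens)
    return record


def is_implicit_drop(record: dict) -> bool:
    """Policy 0 never appears in the policy list, so a deny attributed to it is
    the automatic drop of traffic that no configured policy matched."""
    return record.get("policyid") == "0" and record.get("status") == "deny"


def implicit_drops(lines) -> list:
    """All records from the given lines that were dropped by policy 0."""
    return [r for r in map(parse_traffic_log, lines) if is_implicit_drop(r)]


def drop_summary(lines) -> Counter:
    """Count implicit drops per (source, destination, service) so that a missing
    or misordered policy shows up as a repeated tuple."""
    return Counter((r["src"], r["dst"], r["service"]) for r in implicit_drops(lines))


if __name__ == "__main__":
    for src_dst_svc, count in drop_summary(SAMPLE_LINES).items():
        print(count, *src_dst_svc)
```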
Security policies
Local-in policies
Security policies control the flow of traffic through the FortiGate unit. The FortiGate unit also includes the option of controlling internal traffic, that is, management traffic. Each interface includes an allow access configuration to allow management access for specific protocols. Local policies are set up automatically to allow all users all access. Local-in policies take this a step further, to enable or restrict the users with that access. This also extends beyond the allow access selection. Local-in policies are configured in the CLI with the commands:
config firewall local-in-policy
  edit <policy_number>
    set intf <source_interface>
    set srcaddr <source_address>
    set dstaddr <destination_address>
    set action {accept | deny}
    set service <service_name>
    set schedule <schedule_name>
end
For example, you can configure a local-in policy so that only administrators can access the FortiGate unit on weekends, from a specific management computer at 192.168.21.12, using SSH to the port3 interface (192.168.21.77), with the Weekend schedule defining the times at which access is allowed.
config firewall local-in-policy
  edit 1
    set intf port3
    set srcaddr 192.168.21.12
    set dstaddr 192.168.21.77
    set action accept
    set service SSH
    set schedule Weekend
end
You can also disable a policy should there be a requirement to turn off a policy for troubleshooting or other purposes. To disable a policy enter the commands:
config firewall local-in-policy
  edit <policy_number>
    set status disable
end
Use the same commands with a status of enable to use the policy again. Local-in policies are also supported for IPv6 by entering the command config firewall local-in-policy6.
FortiOS Handbook
Session tables
Firewall session tables include entries to record source and destination IP addresses and port numbers. For each packet received by a FortiGate unit, the unit references the session table for a match. Packets of an established session are checked against the session table continually throughout the communication. Firewall performance depends on how quickly the session table is processed. Firewall sessions clear from the table based on the timeout, that is, the Time-to-live (TTL) setting. Equally, a completely inactive session with no FIN or RESET will be flushed by the session TTL timer. Sessions are not closed based on a FIN or a RESET alone; a FIN that is acknowledged with a FIN ACK would flush the session.
Sessions Monitor
Session information is displayed in Policy > Monitor > Session Monitor. You can delete sessions, refresh so that you are viewing current sessions, and filter the session information on the page. Filtering allows you to view specific information; for example, only TCP sessions.
Session Monitor page - Displays the sessions that are currently being monitored by the unit.
Refresh - Select to refresh the information in the list.
Filter Settings
Select to filter the information on the page. The Filters row appears automatically after selecting Filter Settings, below the column headings. Use it to configure filter settings. Note: Filter Settings configures all filter settings; filter icons are used to configure filter settings within a single column. To apply a filter setting, select the plus sign beside Add new filter and then select and enter the information required. Repeat to add other filter settings. To modify the settings, select Change beside the setting and edit the settings. To clear all filter settings, select the icon beside Clear all filters. To use a filter icon to filter settings within a column, select the filter icon in the column; Filters appears, and within Filters you configure the settings for that column.
Select to display only IPv4 addresses. Select to display only IPv6 addresses. Select to display both IPv4 and IPv6 addresses.
Total Concurrent Sessions: <number> / New Sessions per Second: <number> - Indicates the total number of concurrent sessions, as well as new sessions that are occurring each second.
Page Controls - Use to navigate through the list.
Total: <number> - The total number of current sessions.
# - The number of the session within the list.
Protocol - The service protocol of the connection, for example, UDP.
Src Address - The source IP address of the connection.
Src Port - The source port of the connection.
Src NAT IP - The source NAT IP address.
Src NAT Port - The source NAT port.
Dst Address - The destination address of the connection.
Dst Port - The destination port of the connection.
Policy ID - The security policy identification number.
Expiry (sec) - The time, in seconds, before the connection expires.
Duration (sec) - The duration, in seconds, of the session.
Delete - Select to remove a session from within the list.
session info: proto=17 proto_state=01 duration=121 expire=58 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=0
policy_dir=0 tunnel=/
state=may_dirty br
statistic(bytes/packets/allow_err): org=63/1/1 reply=133/1/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=6->2/2->6 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 172.20.120.85:51167>8.8.8.8:53(0.0.0.0:0)
hook=post dir=reply act=noop 8.8.8.8:53>172.20.120.85:51167(0.0.0.0:0)
misc=0 policy_id=3 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=000171db tos=ff/ff app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=172.20.120.85, bps=1984
total session 189
To clear a session enter the following command:
diagnose sys session clear
Meaning
Session is being logged.
Session is originating from, or destined for, a local stack.
Session is created by a firewall session helper.
Session is created by a policy. For example, the session for the FTP control channel will have this state but the FTP data channel will not.
Session will be checked by an IPS signature.
Session will be checked by an IPS anomaly.
Session is being bridged, that is, in Transparent mode.
Session will possibly be offloaded to an NPU.
Session is handled by WCCP.
The Policy Monitor page allows you to view the information in either a graphical format or in a table. The graphical format, or chart, provides an easy and user-friendly view of the traffic activity that is occurring. The chart also provides a way to drill down to more information; you can view this information by selecting a bar within the chart. The drill-down information can be displayed by source address, by destination address or by destination port. Below the chart, a table provides information about each policy, including the type of action the policy
Policy Monitor page - Displays information about the security policy traffic occurring on the unit. Tip: View additional and more detailed information by selecting a bar within the chart.
Refresh - Select to refresh the information on the page.
Reset - Select to reset the information to clear the current information from the page. New information is included on the page.
Top Policy Usage - Displays the top security policy usage in a bar chart.
Report By - Select to view information by the current active sessions, bytes or packets.
Table explaining detailed information about the top policy usage:
Policy ID - The security policy identification number.
Source Interface/Zone - The source address or zone used within that security policy.
Destination Interface/Zone - The destination address or zone used within that security policy.
Action - The type of action that is specified in the security policy. For example, Action is set to DENY. The action displays as an icon; for example, a green check mark is ALLOW.
Bytes - The number of bytes used by the security policy. This is reflected in the bar chart.
Packets - The number of packets.
What is IPv6?
Internet Protocol version 6 (IPv6) is the next-generation version of IP addressing. This updated version of IP addressing provides many advances, such as more routing efficiency and eliminating the need for NAT. IPv6 also provides better security and mobility support, as well as stateless auto-reconfiguration of hosts, which allows IPv6 hosts to configure themselves automatically when connected to a routed IPv6 network. IPv6 uses 128-bit addressing, written as hexadecimal groups separated by colons, for example 2001:DB8::6334. This revised version of IP addressing has the potential to provide trillions and trillions of addresses, or an address for each device on the Internet. For IPv6 address examples, documents use the IPv6 special address 2001:DB8::/32 to indicate that the address is an example. This is stated in RFC 3849. For more information about the specific addresses that are used in IPv6, see ipv6.com.
IPv6 in FortiOS
By default, the IPv6 options and settings of the FortiGate unit are hidden, but they are available. To enable IPv6, go to System > Admin > Settings and select IPv6 Support on GUI. When enabled, you can use IPv6 addressing on any of the address-dependent components of the FortiGate unit, including security policies, interface addressing and DNS servers. IPv6 addressing can be configured in the web-based manager and in the CLI. FortiOS supports the following features in IPv6:
Static routing
Dynamic routing (RIPv6, BGP4+, and OSPFv3)
DNS
Network interface addressing
Packet and network sniffing
IPsec VPN
SSL VPN
UTM protection
Routing access lists and prefix lists
NAT/Route and Transparent mode
IPv6 tunnel over IPv4 and IPv4 tunnel over IPv6
Security policies
Authentication
IPv6 over SCTP
Logging and reporting
SNMP
Virtual IPs and groups
IPv6-specific troubleshooting, such as ping6
When configuring IPv6 in FortiOS, you can create a dual stack route or an IPv4-IPv6 tunnel. A dual stack routing configuration implements dual IP layers, supporting both IPv4 and IPv6, in both hosts and routers. An IPv4-IPv6 tunnel is essentially similar, creating a tunnel that encapsulates IPv6 packets within IPv4 headers so that they are carried over IPv4 tunnels. The FortiGate unit can also be easily integrated into an IPv6 network. IPv6 works almost the same as IPv4 in FortiOS. The main difference is the IP addresses, since you are using IPv6 addressing instead of IPv4. There is also no NAT, unless you are configuring a dual stack routing or IPv4 tunnelling configuration. Connecting the FortiGate unit to an IPv6 network is exactly the same as connecting it to an IPv4 network; the only difference is that you are using IPv6 addresses.
All traffic between the IPv6 networks is tunnelled over IPv4, which in this case is the Internet. Each FortiGate unit extracts the IPv6 traffic from the IPv4 tunnel, and traffic on the internal networks uses IPv6. In FortiOS, you configure this type of network using IPsec VPN, because IPv6 is supported for IPsec VPNs. The VPN provides higher security for the data transmitted between the IPv6 networks. This configuration includes an interface-based IPsec VPN between IPv6 interfaces on each FortiGate unit.
The NAT table also functions in the same way as the security policy table. That is, the FortiGate unit reads the NAT rules top-down until it hits a matching rule for the incoming address. This enables you to create multiple NAT policies that dictate which IP pool is used based on the source address. The NAT policies can be rearranged within the policy list as well, the same way as security policies. NAT policies are applied to network traffic after a security policy. To view the Central NAT configuration page, and use NAT policies in a security policy, you need to first enable it.
To enable Central NAT - web-based manager
1 Go to System > Admin > Settings.
2 In the Display Options on GUI section, select the check box beside Central NAT table.
3 Select Apply.
To enable Central NAT - CLI
config system global
  set gui-central-nat-table enable
end
NAT policies are created in the web-based manager by going to Policy > Policy > Central NAT Table. The NAT policies are enabled when you configure the security policy by selecting the Use Central NAT Table option. NAT policies are created in the CLI by using the commands under config firewall central-nat. To enable the policies, use the commands:
config security policy
  edit <policy_number>
    set central-nat enable
end
Some common applications of SCTP include supporting transmission of the following protocols over IP networks:
SCTP is important in 3G and 4G/LTE networks (for example, HomeNodeB = FemtoCells)
SS7 over IP (for example, for 3G mobile networks)
SCTP is also defined and used for SIP over SCTP and H.248 over SCTP
Transport of Public Switched Telephone Network (PSTN) signaling messages over IP networks
SCTP is a reliable transport protocol that runs on top of a connectionless packet network (IP). SCTP provides the following services:
Acknowledged error-free non-duplicated transfer of user data
Data fragmentation to conform to discovered path MTU size
Sequenced delivery of user messages within multiple streams, with an option for order-of-arrival delivery of individual user messages
Optional bundling of multiple user messages into a single SCTP packet
Network-level fault tolerance through support of multi-homing at either or both ends of an association
Congestion avoidance behavior and resistance to flooding and masquerade attacks
SCTP is effective as the transport protocol for applications that require monitoring and session-loss detection. For such applications, the SCTP path and session failure detection mechanisms actively monitor the connectivity of the session. SCTP differs from TCP in having multi-homing capabilities at either or both ends and several streams within a connection, typically referred to as an association. A TCP stream represents a sequence of bytes; an SCTP stream represents a sequence of messages.
Protection against INIT/ACK flood DoS attacks, and long-INIT flooding
Protection against association hijacking
FortiOS also supports SCTP sessions over IPsec VPN tunnels, as well as full traffic and event logging for SCTP sessions.
Destination Port (Low) - 2905
Destination Port (High) - 2905
To add the SCTP custom service - CLI
config firewall service custom
  edit M3UA_service
    set protocol TCP/UDP/SCTP
    set sctp-portrange 2905
end
Force traffic to:
Outgoing interface - external
Gateway Address - 1.1.1.1
To add the policy route - CLI
config router policy
  edit 1
    set input-device internal
    set src 0.0.0.0 0.0.0.0
    set dst 0.0.0.0 0.0.0.0
    set output-device external
    set gateway 1.1.1.1
    set protocol 132
    set start-port 2905
    set end-port 2905
end
Port pairing
Port pairing is an option in Transparent mode to bind two ports together. In doing this, you can create security policies that regulate traffic only between two specific ports, VLANs or VDOMs. In its simplest form, this enables an administrator to create security policies that apply only between these two ports. Traffic is captured between these ports; no other traffic can enter or leave a port pair. For example, a FortiGate unit has three ports, where port 1 and port 2 are paired together because the two networks only need to communicate with each other. Without port pairing, if a packet arrives on port 1, the FortiGate unit needs to figure out whether the packet goes to port 2 or port 3. With port pairing configured, it is simpler: if a packet arrives on port 1, the FortiGate unit automatically directs the packet to port 2. The same is true in the other direction. This is ideal when two groups only need to transfer data between each other.
To configure port pairing - web-based manager
1 Go to System > Network > Interface.
2 Select the arrow beside Create New, and select Port Pair.
3 Enter a Name for the port pair.
4 Select the physical or virtual ports from the Available Members list and select the right-facing arrow to add the ports to the Selected Members list. Only two ports can be added.
5 Select OK.
To configure port pairing - CLI
config system port-pair
  edit <pair_name>
    set member <port_names>
end
When configuring security policies with the port pairs, selecting the Source Interface automatically populates the Destination Interface, and vice versa. All other aspects of the security policy configuration remain the same.
Dedicated traffic
This example shows the steps to ensure that email traffic exits only from the DMZ where the email server is connected. The internal port is connected to the internal network and the WAN1 port connects to the Internet. First, create a security policy that will not allow any traffic through port 25 from the internal interface, which connects to the internal network. Place this policy at the top of the security policy list.
To block traffic on port 25 - web-based manager
1 Go to Policy > Policy > Policy and select Create New.
2 Set the following options and select OK.
Source Interface - Internal
Source Address - ALL
Destination Interface - WAN1
Destination Address - ALL
Schedule - ALWAYS
Service - SMTP
Action - DENY
Comments - Prevent Malware spam.
You may also want to enable Log Violation Traffic to see if there is any potential malware or other user sending email using the non-corporate email server.
To block traffic on port 25 - CLI
config security policy
  edit <policy_number>
    set srcintf Internal
    set srcaddr all
    set dstintf wan1
    set dstaddr all
    set schedule always
    set service smtp
    set action deny
    set comments "Prevent Malware spam."
end
Next, create a security policy for the email server, IP address 10.10.11.29, that only allows SMTP traffic from the email server on port 25.
To allow traffic on port 25 for the email server - web-based manager
3 Go to Policy > Policy > Policy and select Create New.
4 Set the following options and select OK.
Source Interface - DMZ
Source Address - 10.10.11.29
Destination Interface - WAN1
Destination Address - ALL
To allow traffic on port 25 for the email server - CLI
config security policy
  edit <policy_number>
    set srcintf dmz
    set srcaddr 10.10.11.29
    set dstintf wan1
    set dstaddr all
    set schedule always
    set service smtp
    set action accept
end
To allow traffic on port 25 for the email server - CLI
config security policy
  edit <policy_number>
    set srcintf internal
    set srcaddr 10.10.10.29
    set dstintf wan1
    set dstaddr all
    set schedule always
    set service smtp
    set action accept
end
Next, add a deny security policy that blocks all SMTP traffic from the Internal port to the WAN1 port. Ensure this policy is directly after the policy created above.
To block SMTP traffic on port 25 for the rest of the company - web-based manager
3 Go to Policy > Policy > Policy and select Create New.
Firewall for FortiOS 4.0 MR3 01-432-148222-20120124 http://docs.fortinet.com/
4 Set the following options and select OK.
Source Interface - INTERNAL
Source Address - ALL
Destination Interface - WAN1
Destination Address - ALL
Schedule - ALWAYS
Service - SMTP
Action - DENY
To block SMTP traffic on port 25 for the rest of the company - CLI
config security policy
  edit <policy_number>
    set srcintf internal
    set srcaddr all
    set dstintf wan1
    set dstaddr all
    set schedule always
    set service smtp
    set action deny
end
10 Set the Type to Regex.
11 Set the Action to Block.
12 Select OK.
Position these at the end of the URL filter list so that any exemptions or blocks before them are still effective. Both of these filter entries are required. If you only enter the second one, the FortiGate unit will also catch a URL lookup, as they both behave in a similar fashion after the URL is resolved to an IP. The first entry is needed to break out of the URL filter and allow the web site before it does the second check if they entered text.
Add IP pools as required for source address translation
For NAT firewall policies to work in NAT mode you must have two interfaces on two different networks with two different subnet addresses. Then you can create firewall policies to translate source or destination addresses for packets as they are relayed by the FortiGate unit from one interface to the other. A FortiGate unit operating in Transparent mode normally has only one IP address, the management IP. To support NAT in Transparent mode, you can add a second management IP. These two management IPs must be on different subnets. When you add two management IP addresses, all FortiGate unit network interfaces will respond to connections to both of these IP addresses. In the example shown in Figure 9, all of the PCs on the internal network (subnet address 192.168.1.0/24) are configured with 192.168.1.99 as their default route. One of the management IPs of the FortiGate unit is set to 192.168.1.99. This configuration results in a typical NAT mode firewall. When a PC on the internal network attempts to connect to the Internet, the PC's default route sends packets destined for the Internet to the FortiGate unit internal interface. Similarly, on the DMZ network (subnet address 10.1.1.0/24) all of the PCs have a default route of 10.1.1.99. This example describes adding an Internal to WAN1 security policy to relay these packets from the internal interface out the WAN1 interface to the Internet. Because the WAN1 interface does not have an IP address of its own, you must add an IP pool to the WAN1 interface that translates the source addresses of the outgoing packets to an IP address on the network connected to the WAN1 interface. The example describes adding an IP pool with a single IP address of 10.1.1.201, so all packets sent by a PC on the internal network that are accepted by the Internal to WAN1 policy leave the WAN1 interface with their source address translated to 10.1.1.201.
These packets can now travel across the Internet to their destination. Reply packets return to the WAN1 interface because they have a destination address of 10.1.1.201. The Internal to WAN1 NAT policy translates the destination address of these return packets to the IP address of the originating PC and sends them out the internal interface to the originating PC. Use the following steps to configure NAT in Transparent mode:
1 Add two management IPs.
2 Add an IP pool to the WAN1 interface.
3 Add an Internal to WAN1 security policy.
You can add the security policy from the web-based manager and then use the CLI to enable NAT and add the IP pool.
To add a source address translation NAT policy in Transparent mode
1 Enter the following command to add two management IPs. The second management IP is the default gateway for the internal network.
config system settings
  set manageip 10.1.1.99/24 192.168.1.99/24
end
2 Enter the following command to add an IP pool to the WAN1 interface:
config firewall ippool
  edit nat-out
    set interface "wan1"
    set startip 10.1.1.201
    set endip 10.1.1.201
end
3 Enter the following command to add an Internal to WAN1 security policy with NAT enabled that also includes an IP pool:
config security policy
  edit 1
    set srcintf "internal"
    set dstintf "wan1"
    set srcaddr "all"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "ANY"
    set nat enable
    set ippool enable
    set poolname nat-out
end
To add a static NAT virtual IP for a single IP address and port - web-based manager
1 Go to Firewall Objects > Virtual IP > Virtual IP.
2 Select Create New.
3 Complete the following and select OK.
External IP Address/Range - 192.168.37.4
Mapped IP Address/Range - 10.10.10.42
Port Forwarding - Selected
Protocol - TCP
External Service Port - 80
Map to Port - 8000
To add a static NAT virtual IP for a single IP address and port - CLI
config firewall vip
  edit static_NAT
    set extintf wan1
    set type static-nat
    set extip 192.168.37.4
    set mappedip 10.10.10.42
    set portforward enable
    set extport 80
    set mappedport 8000
end
Add an external to dmz1 security policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP address, packets pass through the FortiGate unit from the external interface to the dmz1 interface. The virtual IP translates the destination address of these packets from the external IP to the DMZ network IP address of the web server.
To add a static NAT virtual IP for a single IP address to a security policy - web-based manager
1 Go to Policy > Policy > Policy and select Create New.
2 Complete the following:
Source Interface/Zone - wan1
Source Address - All
Destination Interface/Zone - Internal
Destination Address - static_nat
Schedule - always
Service - HTTP
Action - ACCEPT
3 Select NAT.
4 Select OK.
To add a static NAT virtual IP for a single IP address to a security policy - CLI
config security policy
  edit 1
    set srcintf wan1
    set dstintf internal
    set srcaddr all
    set dstaddr static_nat
    set action accept
    set schedule always
    set service ANY
    set nat enable
end
To create an IP pool - web-based manager
1 Go to Firewall Objects > Virtual IP > IP Pool.
2 Select Create New.
3 Enter the Name pool-1.
4 Enter the IP Range/Subnet 10.1.3.1-10.1.3.254.
5 Select OK.
To create an IP pool - CLI
config firewall ippool
  edit pool-1
    set startip 10.1.3.1
    set endip 10.1.3.254
end
Next, create the virtual IP with port translation to translate the user internal IP used by the network users to the DMZ port and IP address of the server. To create a Virtual IP with port translation - web-based manager 1 Go to Firewall Objects > Virtual IP > Virtual IP. 2 Select Create New.
3 Enter the following information and select OK.
Name - server-1
External Interface - Internal
Type - Static NAT
External IP Address/Range - 172.20.120.1 (Note: This address is the same as the server address.)
Mapped IP Address/Range - 172.20.120.1
Port Forwarding - Enable
Protocol - TCP
External Service Port - 8080
Map to Port - 80
To create a Virtual IP with port translation - CLI
config firewall vip
  edit server-1
    set extintf internal
    set type static-nat
    set extip 172.20.120.1
    set mappedip 172.20.120.1
    set portforward enable
    set extport 80
    set mappedport 8080
end
Add an internal to DMZ security policy that uses the virtual IP to translate the destination port number and the IP pool to translate the source addresses.
To create the security policy - web-based manager
1 Go to Policy > Policy > Policy and select Create New.
2 Complete the following and select OK:
Source Interface/Zone - internal
Source Address - all
Destination Interface/Zone - dmz
Destination Address - server-1
Schedule - always
Service - HTTP
Action - ACCEPT
NAT - Select
Dynamic IP Pool - Select, and select the pool-1 IP pool.
To create the security policy - CLI
config security policy
  edit 1
    set srcintf internal
    set dstintf dmz1
    set srcaddr all
    set dstaddr server-1
    set action accept
    set schedule always
    set service HTTP
    set nat enable
    set ippool enable
    set poolname pool-1
end
Using VIP range for Source NAT (SNAT) and static 1-to-1 mapping
VIP addresses are typically used to map external (public) to internal (private) IP addresses for Destination NAT (DNAT). This example shows how to use VIP ranges to perform source NAT (SNAT) with a static 1-to-1 mapping from internal to external IP addresses. This is similar to using an IP pool, with the advantage of having a predictable and static 1-to-1 address mapping. Figure 12: Network diagram
This example will associate each internal IP address with one external IP address for the Source NAT (SNAT) translation. Using the diagram above, the translations will look like the following:
Traffic from Source IP - Translated to Source IP (SNAT)
10.10.10.42 - 192.168.37.4
10.10.10.43 - 192.168.37.5
...
10.10.10.46 - 192.168.37.8
First, configure the virtual IP.
To configure the virtual IP - web-based manager
1 Go to Firewall Objects > Virtual IP > Virtual IP and select Create New.
2 Enter the Name of Static_NAT_1to1.
3 Select the External Interface of port 1 from the drop-down list.
4 Enter the External IP Address of 192.168.37.4.
5 Enter the Mapped IP Address range of 10.10.10.42 to 10.10.10.46.
6 Select OK.
To configure the virtual IP - CLI
config firewall vip
  edit "Static_NAT_1to1"
    set extip 192.168.37.4
    set extintf "port1"
    set mappedip 10.10.10.42-10.10.10.46
  next
end
Next, configure the firewall policies. Even if no connection needs to be initiated from external to internal, a second security policy is required to activate the VIP range. Otherwise the IP address of the physical interface is used for NAT. In this example it is set as a DENY security policy for security purposes.
To configure the firewall policies - web-based manager
1 Go to Policy > Policy > Policy and select Create New.
2 Complete the following and select OK:
Source Interface/Zone - port2
Source Address - all
Destination Interface/Zone - port1
Destination Address - all
Schedule - always
Service - ANY
Action - ACCEPT
NAT - Select
3 Complete the following and select OK:
Source Interface/Zone - port 1
Source Address - all
Destination Interface/Zone - port 2
Destination Address - Static_NAT_1to1
To configure the firewall policies - CLI
config firewall policy
  edit 1
    set srcintf port2
    set dstintf port1
    set srcaddr all
    set dstaddr all
    set action accept
    set schedule always
    set service ANY
    set nat enable
  next
  edit 2
    set srcintf port1
    set dstintf port2
    set srcaddr all
    set dstaddr Static_NAT_1to1
    set schedule always
    set service ANY
    set action deny
    set comments "Used to activate static Source NAT 1-to-1"
  next
end
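The following is an added example, not code from the FortiOS Handbook or from Fortinet: it computes the static 1-to-1 translation table that the Static_NAT_1to1 VIP range above produces (and the single-address static_NAT VIP from the earlier example), and models the fallback to the interface address that the text describes when the VIP range is not activated. It assumes, as the handbook's table does, that the external side is a contiguous range starting at the external IP and as long as the mapped range; the port1 interface address is a constructed placeholder, since the page does not state it.

```python
"""Static 1-to-1 source NAT mapping produced by a virtual IP.

Added example; not code from the FortiOS Handbook or from Fortinet. It models
the page's Static_NAT_1to1 VIP (external IP 192.168.37.4, mapped range
10.10.10.42-10.10.10.46) and the single-address static_NAT VIP (192.168.37.4
to 10.10.10.42). The external side is assumed to be a contiguous range that
starts at the external IP and is as long as the mapped range.
"""
import ipaddress


def vip_range_snat_table(extip, mappedip):
    """Map each internal address of `mappedip` ("a.b.c.d" or "a.b.c.d-e.f.g.h")
    to its external counterpart at the same offset from `extip`."""
    first, _, last = mappedip.partition("-")
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last) if last else start
    if end < start:
        raise ValueError("mapped range end precedes its start")
    ext = ipaddress.ip_address(extip)
    count = int(end) - int(start) + 1
    if int(ext) + count - 1 >= 2 ** ext.max_prefixlen:
        raise ValueError("external range would run past the end of the address space")
    return {str(start + i): str(ext + i) for i in range(count)}


def translate_source(table, src_ip, interface_ip, vip_activated=True):
    """Source address after SNAT for an internal host leaving the external port.

    Without the second (deny) policy that activates the VIP range, or for a host
    outside the mapped range, NAT falls back to the interface address, which is
    the behaviour the text describes."""
    if vip_activated and src_ip in table:
        return table[src_ip]
    return interface_ip


def translate_destination(table, ext_ip):
    """Reverse lookup for the DNAT direction: external address to internal host
    (None when the external address is not part of the VIP)."""
    for internal, external in table.items():
        if external == ext_ip:
            return internal
    return None


if __name__ == "__main__":
    PORT1_IP = "192.168.37.1"  # constructed placeholder; the page gives no port1 address
    table = vip_range_snat_table("192.168.37.4", "10.10.10.42-10.10.10.46")
    for internal, external in table.items():
        print(f"{internal} -> {external}")
    print(translate_source(table, "10.10.10.44", PORT1_IP))         # 192.168.37.6
    print(translate_source(table, "10.10.10.44", PORT1_IP, False))  # 192.168.37.1
    print(translate_destination(table, "192.168.37.8"))             # 10.10.10.46
```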
Endpoint Security
Endpoint security enforces the use of the FortiClient Endpoint Security (FortiClient and FortiClient Lite) application on your network. It can also allow or deny endpoints access to the network based on the application installed on them. By applying endpoint security to a security policy, you can enforce this type of security on your network. FortiClient enforcement can check that the endpoint is running the most recent version of the FortiClient application, that the antivirus signatures are up-to-date, and that the firewall is enabled. An endpoint is usually a single PC with a single IP address being used to access network services through a FortiGate unit. With endpoint security enabled on a policy, when traffic attempts to pass through, the FortiGate unit runs compliance checks on the originating host on the source interface. Non-compliant endpoints are blocked. If someone is browsing the web, the endpoint is redirected to a web portal which explains the non-compliance and provides a link to download the FortiClient application installer. The web portal is already installed on the FortiGate unit, as a replacement message, which you can modify if required. Endpoint Security requires that all hosts using the security policy have the FortiClient Endpoint Security agent installed. Currently, FortiClient Endpoint Security is available for Microsoft Windows 2000 and later only. For more information about endpoint security, see the UTM chapter in the FortiOS Handbook.
Logging traffic
When you enable logging on a security policy, the FortiGate unit records the scanning process activity that occurs, as well as whether the FortiGate unit allowed or denied the traffic according to the rules stated in the security policy. This information can provide insight into whether a security policy is working properly, as well as whether the security policy needs any modifications, such as adding traffic shaping for better traffic performance. Traffic is logged in the traffic log file and provides detailed information that you may not think you need, but do. For example, the traffic log can have information about an application used (web: HTTP.Image), and whether or not the packet was SNAT or DNAT translated. The following is an example of a traffic log message:
2011-04-13 05:23:47 log_id=4 type=traffic subtype=other pri=notice vd=root status="start" src="10.41.101.20" srcname="10.41.101.20" src_port=58115 dst="172.20.120.100" dstname="172.20.120.100" dst_country="N/A" dst_port=137 tran_ip="N/A" tran_port=0 tran_sip="10.31.101.41" tran_sport=58115 service="137/udp" proto=17 app_type="N/A" duration=0 rule=1 policyid=1 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 src_int="internal" dst_int="wan1" SN=97404 app="N/A" app_cat="N/A" carrier_ep="N/A"
If you want to know more about logging, see the Logging and Reporting chapter in the FortiOS Handbook. If you want to know more about traffic log messages, see the FortiGate Log Message Reference.
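The following is an added example, not code from the FortiOS Handbook or from Fortinet: it parses the two traffic log layouts shown on this page (the policyid=0 violation message in the Security policy 0 section, with bare values, and the message above, where most values are double-quoted), reports whether a record shows SNAT or DNAT translation, and picks out the records dropped by policy 0. The two sample lines are the handbook's own; the parsing rules and the NAT heuristics are assumptions of this example.

```python
"""Parse FortiGate key=value traffic log lines and flag what the text describes:
policyid=0 denies (the implicit drop rule) and SNAT/DNAT translation.

Added example; not code from the FortiOS Handbook or from Fortinet. The two
sample lines below are the ones printed in the handbook; the parsing rules and
the NAT heuristics are assumptions of this example.
"""
import re

_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (.*)$")
# key=value where value is either a double-quoted string or a bare token
_KV_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S*))')

# Older layout (bare values), from the Security policy 0 section of the handbook.
SAMPLE_POLICY0 = (
    "2008-10-06 00:13:49 log_id=0022013001 type=traffic subtype=violation "
    "pri=warning vd=root SN=179089 duration=0 user=N/A group=N/A rule=0 "
    "policyid=0 proto=17 service=137/udp app_type=N/A status=deny "
    "src=10.181.77.73 srcname=10.181.77.73 dst=10.128.1.161 "
    'dstname=10.128.1.161 src_int=N/A dst_int="Internal" sent=0 rcvd=0 '
    "src_port=137 dst_port=137 vpn=N/A tran_ip=0.0.0.0 tran_port=0"
)

# Newer layout (quoted values), from the Logging traffic section of the handbook.
SAMPLE_SNAT = (
    "2011-04-13 05:23:47 log_id=4 type=traffic subtype=other pri=notice "
    'vd=root status="start" src="10.41.101.20" srcname="10.41.101.20" '
    'src_port=58115 dst="172.20.120.100" dstname="172.20.120.100" '
    'dst_country="N/A" dst_port=137 tran_ip="N/A" tran_port=0 '
    'tran_sip="10.31.101.41" tran_sport=58115 service="137/udp" proto=17 '
    'app_type="N/A" duration=0 rule=1 policyid=1 sent=0 rcvd=0 '
    'shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 src_int="internal" '
    'dst_int="wan1" SN=97404 app="N/A" app_cat="N/A" carrier_ep="N/A"'
)


def parse_line(line):
    """Return the log line as a dict; quotes are stripped, values stay strings."""
    m = _TS_RE.match(line.strip())
    if not m:
        raise ValueError("line does not start with a FortiGate date and time")
    rec = {"date": m.group(1), "time": m.group(2)}
    for kv in _KV_RE.finditer(m.group(3)):
        key, quoted, bare = kv.group(1), kv.group(2), kv.group(3)
        rec[key] = quoted if quoted is not None else bare
    return rec


def _is_real_addr(value):
    # FortiOS writes N/A or 0.0.0.0 when no translation took place
    return value not in (None, "", "N/A", "0.0.0.0")


def nat_kinds(rec):
    """Translations the record shows: tran_ip is the translated destination
    (DNAT), tran_sip the translated source (SNAT)."""
    kinds = set()
    if _is_real_addr(rec.get("tran_ip")):
        kinds.add("DNAT")
    if _is_real_addr(rec.get("tran_sip")) and rec.get("tran_sip") != rec.get("src"):
        kinds.add("SNAT")
    return kinds


def policy0_denies(lines):
    """Return (src, dst, service, dst_int) for every line dropped by policy 0,
    that is, traffic no configured security policy accounted for."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("policyid") == "0" and rec.get("status") == "deny":
            hits.append((rec.get("src"), rec.get("dst"),
                         rec.get("service"), rec.get("dst_int")))
    return hits


if __name__ == "__main__":
    for sample in (SAMPLE_POLICY0, SAMPLE_SNAT):
        rec = parse_line(sample)
        print(rec["date"], rec["policyid"], rec.get("status"), nat_kinds(rec))
    print(policy0_denies([SAMPLE_POLICY0, SAMPLE_SNAT]))
```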
Traffic shaping
Queuing
QoS can be helpful for organizations that are trying to manage their voice and streaming multi-media traffic, which can rapidly consume bandwidth. Both voice and streaming multi-media are sensitive to latency. For additional information about QoS, see the Traffic Shaping chapter in the FortiOS Handbook.
With identity-based policies, once the FortiGate unit matches the source and destination addresses, it processes the identity sub-rules for the user groups and services. That is, it acts on the authentication, completes the remainder of that policy, and goes no further in the policy list: the rest of the rulebase is never processed for that traffic. For this reason, unique security policies should be placed before an identity-based policy. For example, consider the following policies:
DNS traffic goes through successfully, as does any HTTP traffic after the user has been authenticated. FTP traffic, however, does not get through. As the FortiGate unit processes FTP traffic, it skips rule one because that rule matches on source, destination and service, and the service does not match. When it moves to rule two, it matches the source and destination, so it determines there is a match, processes the group/service sub-rules, which require authentication, and acts on those rules. Once that policy has been processed, the FortiGate unit never goes on to rule three. In this situation, where you want FTP traffic to traverse the FortiGate unit, create a security policy specific to the services you require and place it above the authentication policy.
Identity-based sub-policies
When adding authentication to a security policy, you can add multiple authentication rules, or sub-policies. Within these policies you can include additional UTM profiles, traffic shaping and so on, to take effect on the selected services.
Figure 13: Authentication sub-policies
These sub-policies work on the same principle as normal security policies, that is, top down until the criteria have been met. As such, if there is no matching sub-policy within the list, the packet can still be dropped even after authentication is successful.
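The top-down evaluation described in the two passages above (an identity-based policy consuming the match, and its sub-policies being walked top-down with a drop when none matches) can be simulated to see why the FTP policy must sit above the authentication policy. This is an added illustration, not part of the handbook or of FortiOS itself; the three-rule rulebase, the interface names internal and wan1, and the user group employees are constructed assumptions that mirror the page's example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ANY = "all"


@dataclass
class SubRule:
    """Identity sub-rule: a user group and the services it may use."""
    group: str
    services: List[str]


@dataclass
class Policy:
    name: str
    src: str                 # source interface (hypothetical names below)
    dst: str                 # destination interface
    services: List[str]      # unused for identity-based policies: services live in sub-rules
    action: str = "accept"
    sub_rules: List[SubRule] = field(default_factory=list)  # non-empty => identity-based


def _svc_match(services: List[str], service: str) -> bool:
    return ANY in services or service in services


def evaluate(policies: List[Policy], src: str, dst: str, service: str,
             user_group: Optional[str] = None) -> Tuple[str, str]:
    """Walk the policy list top-down and return (verdict, matched policy).

    Normal policies match on source, destination and service. An identity-based
    policy matches on source and destination only; once matched, the user must
    authenticate, its sub-rules are walked top-down, and the rest of the policy
    list is never consulted, even when no sub-rule matches.
    """
    for p in policies:
        if src != p.src or dst != p.dst:
            continue
        if not p.sub_rules:
            if _svc_match(p.services, service):
                return p.action, p.name
            continue
        if user_group is None:
            return "authenticate", p.name
        for rule in p.sub_rules:
            if rule.group == user_group and _svc_match(rule.services, service):
                return "accept", f"{p.name}/{rule.group}"
        return "deny", f"{p.name} (no sub-rule matched)"
    return "deny", "implicit deny"


# Constructed rulebase mirroring the page's three-rule example.
RULEBASE = [
    Policy("1 dns-out", "internal", "wan1", ["DNS"]),
    Policy("2 auth-web", "internal", "wan1", [ANY],
           sub_rules=[SubRule("employees", ["HTTP", "HTTPS"])]),
    Policy("3 ftp-out", "internal", "wan1", ["FTP"]),
]

# The same rules with the FTP policy moved above the identity-based one.
FIXED_RULEBASE = [RULEBASE[0], RULEBASE[2], RULEBASE[1]]

if __name__ == "__main__":
    for svc in ("DNS", "HTTP", "FTP"):
        print(svc, evaluate(RULEBASE, "internal", "wan1", svc, "employees"))
    print("FTP (fixed)", evaluate(FIXED_RULEBASE, "internal", "wan1", "FTP", "employees"))
```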
Appendix
Document conventions
Fortinet technical documentation uses the conventions described below.
IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at http://ietf.org/rfc/rfc1918.txt?number-1918.
Most of the examples in this document use the following IP addressing. IP addresses are made up of A.B.C.D:
A - can be one of 192, 172, or 10 - the non-public addresses covered in RFC 1918.
B - 168, or the branch / device / virtual device number.
  Branch number can be 0xx, 1xx, 2xx - 0 is Head office, 1 is remote, 2 is other.
  Device or virtual device - allows multiple FortiGate units in this address space (VDOMs). Devices can be from x01 to x99.
C - interface - FortiGate units can have up to 40 interfaces, potentially more than one on the same subnet.
  001 - 099 - physical address ports, and non-virtual interfaces
  100 - 255 - VLANs, tunnels, aggregate links, redundant links, vdom-links, etc.
D - usage based addresses; this part is determined by what the device is doing. The following gives 16 reserved, 140 users, and 100 servers in the subnet.
  001 - 009 - reserved for networking hardware, like routers, gateways, etc.
  010 - 099 - DHCP range - users
  100 - 109 - FortiGate devices - typically only use 100
  110 - 199 - servers in general (see below for details)
  200 - 249 - static range - users
  250 - 255 - reserved (255 is broadcast, 000 not used)
The D segment servers can be further broken down into:
  110 - 119 - Email servers
  120 - 129 - Web servers
  130 - 139 - Syslog servers
  140 - 149 - Authentication (RADIUS, LDAP, TACACS+, FSAE, etc.)
  150 - 159 - VoIP / SIP servers / managers
  160 - 169 - FortiAnalyzers
  170 - 179 - FortiManagers
  180 - 189 - Other Fortinet products (FortiScan, FortiDB, etc.)
  190 - 199 - Other non-Fortinet servers (NAS, SQL, DNS, DDNS, etc.)
Fortinet products, non-FortiGate, are found from 160 - 189.
The following table shows some examples of how to choose an IP number for a device based on the information given. For internal and dmz, it is assumed in this case there is only one interface being used.

Table 8: Examples of the IP numbering
Location and device                                                                  Internal          Dmz               External
Head Office, one FortiGate                                                           10.011.101.100    10.011.201.100    172.20.120.191
Head Office, second FortiGate                                                        10.012.101.100    10.012.201.100    172.20.120.192
Branch Office, one FortiGate                                                         10.021.101.100    10.021.201.100    172.20.120.193
Office 7, one FortiGate with 9 VDOMs                                                 10.079.101.100    10.079.101.100    172.20.120.194
Office 3, one FortiGate, web server                                                  n/a               10.031.201.110    n/a
Bob in accounting on the corporate user network (dhcp) at Head Office, one FortiGate 10.0.11.101.200   n/a               n/a
Router outside the FortiGate                                                         n/a               n/a               172.20.120.195
[Figure: example network diagram (Head office, Branch office 1, Branch office 2) with the labelled devices: Linux PC 10.11.101.20; FortiAnalyzer-100B; Linux PC 10.21.101.10; Windows PC 10.31.101.10; FortiManager-3000B; a cluster of FortiGate-5005FA2 (Port 1: 10.21.101.102), FortiGate-5005FA2 (Port 1: 10.21.101.102), FortiSwitch-5003A (Port 1: 10.21.101.161) and FortiGate-5050-SM (Port 1: 10.21.101.104); switches with port 8 mirroring ports 2 and 3.]
Information highlights
A Must Read item details things that are easily missed: configuration changes that only apply to the current session, or services that need restarting before an update will apply. Ignoring a box labeled 'Important' will not cause data loss but may cause irritation and frustration.
A Troubleshooting tip provides information to help you track down why your configuration is not working.
A Tip provides shortcuts or alternative approaches to the task at hand. Ignoring a tip should have no negative consequences, but you might miss out on a trick that makes your life easier.
Typographical conventions
Table 9: Typographical conventions in Fortinet technical documentation
Convention                                          Example
Button, menu, text box, field, or check box label   From Minimum log level, select Notification.
CLI input                                           config system dns
                                                      set primary <address_ipv4>
                                                    end
CLI output                                          FGT-602803030703 # get system settings
                                                    comments : (null)
                                                    opmode : nat
Emphasis                                            HTTP connections are not secure and can be intercepted by a third party.
File content                                        <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
                                                    <BODY><H4>You must authenticate to use this service.</H4>
Hyperlink                                           Visit the Fortinet Technical Support web site, https://support.fortinet.com.
Keyboard entry                                      Type a name for the remote VPN peer or client, such as Central_Office_1.
Navigation                                          Go to VPN > IPSEC > Auto Key (IKE).
Publication                                         For details, see the FortiOS Handbook.
Most web-based manager numeric value fields make it easy to add the acceptable number of digits within the allowed range. CLI help includes information about allowed numeric value ranges. Both the web-based manager and the CLI prevent you from entering invalid numbers.
Training
Fortinet Training Services offers courses that orient you quickly to your new equipment, and certifications to verify your knowledge level. Fortinet provides a variety of training programs to serve the needs of our customers and partners world-wide. Visit the Fortinet Training Services web site at http://campus.training.fortinet.com, or email training@fortinet.com.
Technical Documentation
See the Fortinet Technical Documentation web site, http://docs.fortinet.com, for the most up-to-date technical documentation. The Fortinet Knowledge Base provides troubleshooting, how-to articles, examples, FAQs, technical notes, and more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.
Index
A
accept, 44 adding configuring defining deny security policy, 50 how firewall components create a FortiGate firewall, 12 how packets flow, 14 how to apply VLANs and zones to security policies, 23 how to arrange security policies, 47 how to create a basic security policy for Internet access, 52 interfaces and zones, 23 ipv4 tunneling, 62 ipv6, dual stack routing, 62 remotely connecting to an IPv6 over the Internet, 62 adding, configuring defining central NAT table, 66 address CIDR format, 24 FQDN, 31 geography-based, 28 groups, 32 IP pool, 26 IP range, 25 IPv6, 61 matching, IP pool, 27 addresses ipv6, 61 addresses, firewall, 24 AFS3, advanced file security encrypted file AFS3, 34 AH, predefined service, 34 ANY service, 34 AOL service, 34 arranging security policies, 47
B
BGP service, 34 blocking http access by ip, 73 port 25, 70
C
central NAT, 65 central NAT table configuring, 66 certification, 94 CLI syntax conventions, 90 column settings, security policies, 44 comments, documentation, 94 conventions, 87 Cross-Site Scripting protection from, 92 custom services, 33 customer service, 94 CVSPSERVER, concurrent versions system proxy server, 34
D
DCE-RPC firewall service, 34 default password, 9 deny, 44 deny policy, 50 details, security policies, 44 DHCP (Dynamic Host Configuration Protocol) service, 34 DHCP6 service, 34 DNS service, 34 TTL, 31 document conventions CLI syntax, 90 documentation, 94 commenting on, 94 conventions, 87 Fortinet, 94 double NAT example, 79 dual stack routing, ipv6, 62
E
ESP service, 34
F
FAQ, 94 FQDN, 31 FINGER service, 34 firewall applying VLANs and zones to security policies, 23 central NAT table, 66 how firewall components create a FortiGate firewall, 12 interfaces and zones, 23 ipv6, 61 predefined services, 33 what is it, 11 wildcard addresses, 29 firewall address, 24
firewall service AFS3, 34 AH, 34 ANY, 34 AOL, 34 BGP, 34 CVSPSERVER, 34 DCE-RPC, 34 DHCP, 34 DHCP6, 34 DNS, 34 ESP, 34 FINGER, 34 FTP, 34 FTP_GET, 34 FTP_PUT, 34 GOPHER, 34 GRE, 34 H323, 35 HTTP, 35 HTTPS, 35 ICMP_ANY, 35 IKE, 35 IMAP, 35 INFO_ADDRESS, 35 INFO_REQUEST, 35 Internet-Locator-Service, 35 IRC, 35 L2TP, 35 LDAP, 35 MGCP, 35 MS-SQL, 35 MYSQL, 35 NetMeeting, 36 NFS, 35 NNTP, 36 NTP, 36 ONC-RPC, 36 OSPF, 36 PC-Anywhere, 36 PING, 36 PING6, 36 POP3, 36 PPTP, 36 QUAKE, 36 RAUDIO, 36 REXEC, 36 RIP, 36 RLOGIN, 36 RSH, 36 RTSP, 37 SAMBA, 37 SCCP, 37 SIP, 37 SIP-MSNmessenger, 37 SMTP, 37 SNMP, 37 SOCKS, 37 SQUID, 37 SSH, 37 SYSLOG, 37 TALK, 37 TCP, 37 TELNET, 37
TFTP, 37 TIMESTAMP, 37 UDP, 38 UUCP, 38 VDOLIVE, 38 viewing predefined list, 33 VNC, 38 WAIS, 38 WINFRAME, 38 WINS, 38 X-WINDOWS, 38 fixed ports, IP pools, 27 FortiGate documentation commenting on, 94 FortiGate firewall creating, 12 FortiGuard Antispam, 9 Antivirus, 9, 93 services, 93 Fortinet Knowledge Center, 94 Technical Documentation, 94 Technical Documentation, conventions, 87 Technical Support, 94 Technical Support, registering with, 93 Technical Support, web site, 93 Training Services, 94 Fortinet customer service, 94 Fortinet documentation, 94 Fortinet Knowledge Center, 94 FortiOS ipv6, 61 FTP service, 34 FTP_GET service, 34 FTP_PUT service, 34
G
geography-based addressing, 28 glossary, 94 GOPHER service, 34 GRE service, 34 groups, addressing, 32
H
H323 service, 35 how to allow DNS queries to only one DNS server, 50 how to apply VLANs and zones to security policies, 23 how to arrange policies, 47 how to create basic security policy for Internet access, 52 how to test basic security, 53 how to use match-vip, 33 how to use UTM profiles to monitor and protect your network, 40
I
ICMP processing, 74 ICMP_ANY service, 35 identity-based policy, 47 position, 85 IKE service, 35 IMAP service, 35 INFO_ADDRESS service, 35 INFO_REQUEST service, 35 interfaces, 23 ANY, ANY interface option, 45 Internet-Locator-Service service, 35 introduction Fortinet documentation, 94 IP address private network, 87 IP pool, 26 address matching, 27 policies and fixed ports, 27 IP range, 25 IPsec, 44 ipv4 tunneling configuration, ipv6, 62 IPv6, 61 ipv6, 61 dual stack routing configuration, 62 ipv4 tunneling configuration, 62 remotely connecting over the Internet, 62 ipv6 in FortiOS, 61 IRC service, 35
K
Knowledge Center, 94
L
L2TP service, 35 LDAP service, 35 life of a packet, 13 local-in policy, 51
M
M3UA, 68 match-vip, 32 how to, 33 Message Transfer Part 3, 68 MGCP service, 35 mode operation, 9 MS-SQL service, 35 MTP3 User Adaptation Layer, 68 MYSQL service, 35
N
NAT, 65 netmask wildcard firewall addresses, 29 NetMeeting service, 36 NFS service, 35 NNTP service, 36 NTP service, 36
O
ONC-RPC service, 36 operation mode, 9 OSPF service, 36
P
packet ICMP, 74 life of, 13 packet flow, 14 packets flow, 14 password administrator, 9 PC-Anywhere service, 36 PING service, 36 PING6 firewall service, 36 policies, 44 column settings, 44 expiry, 39 ICMP packets, 74 identity-based, 47 NAT to transparent mode, 74 order, 45 timeout, 39 viewing, 45 policy local-in, 51 policy 0, 51
POP3 service, 36 port blocking port 25, 70 ports services, 33 position identity-based policy, 85 PPTP service, 36 predefined services, 33 product registration, 93 protocol service, 34 PSTN, 67 Public Switched Telephone Network See PSTN, 67
Q
QUAKE service, 36
R
RAUDIO service, 36 registering with Fortinet Technical Support, 93 remotely connecting to IPv6 over the Internet, 62 REXEC firewall service, 36 RFC 1918, 87 RIP service, 36
S
SAMBA service, 37 SCCP firewall service, 37 schedule timeout, 39 schedules expiry, 39 group, 39 one time, 38 recurring, 38 schedule-timeout command, 39 security policies, 51 accept, 44 column settings, 44 deny, 44 deny policy, 50 how to apply VLANs and zones, 23 how to arrange, 47 ICMP packets, 74 identity-based, 47 IPsec, 44 policy order, 45 ssl-vpn policies, 44 viewing, 45 security policy how to allow Internet access, 52 local-in, 51 verifying traffic is hitting a policy, 53
service AH, 34 ANY, 34 AOL, 34 BGP, 34 CVSPSERVER, 34 DCE-RPC, 34 DHCP, 34 DHCP6, 34 DNS, 34 ESP, 34 FINGER, 34 FTP, 34 FTP_GET, 34 FTP_PUT, 34 GOPHER, 34 GRE, 34 H323, 35 HTTPS, 35 ICMP_ANY, 35 IKE, 35 IMAP, 35 INFO_ADDRESS, 35 INFO_REQUEST, 35 Internet-Locator-Service, 35 IRC, 35 L2TP, 35 LDAP, 35 MGCP, 35 MS-SQL, 35 MYSQL, 35 NetMeeting, 36 NFS, 35 NNTP, 36 NTP, 36 ONC-RPC, 36 OSPF, 36 PC-Anywhere, 36 PING, 36 PING6, 36 POP3, 36 PPTP, 36 predefined, 33 QUAKE, 36 RAUDIO, 36 REXEC, 36 RIP, 36 RLOGIN, 36 RSH, 36 RTSP, 37 SAMBA, 37 SCCP, 37 service name, 34 SIP, 37 SIP-MSNmessenger, 37 SMTP, 37 SNMP, 37 SOCKS, 37 SQUID, 37 SSH, 37 SYSLOG, 37 TALK, 37 TCP, 37 TELNET, 37
TFTP, 37 TIMESTAMP, 37 UDP, 38 UUCP, 38 VDOLIVE, 38 VNC, 38 WAIS, 38 WINFRAME, 38 WINS, 38 X-WINDOWS, 38 services, 33 custom, 33 list, 33 SIP service, 37 SIP-MSNmessenger service, 37 SMTP service, 37 smtp traffic, 70 SNMP service, 37 SOCKS service, 37 SQUID service, 37 SS7, 68 SSH service, 37 SSL service definition, 35, 36 ssl-vpn, 44 SYSLOG service, 37
T
TALK service, 37 TCP service, 37 technical documentation, 94 documentation conventions, 87 notes, 94 support, 94 technical support, 94 TELNET service, 37 testing a basic security policy, 53 TFTP service, 37 TIMESTAMP service, 37 Training Services, 94 transparent mode adding NAT policies, 74
U
UDP service, 38 understanding firewall addresses, 24
using UTM profiles to monitor and protect your network, 40 UTM profiles, 39 UUCP service, 38
V
VDOLIVE service, 38 verifying traffic is hitting a policy, 53 viewing firewall predefined service list, 33 viewing security policies, 45 vip, 32 vip, grouping, 32 vip, match-vip, 32 virtual ip addresses, 32 VNC service, 38 vulnerability Cross-Site Scripting, 92 XSS, 92
W
WAIS service, 38 wildcard firewall addresses, 29 wildcard addresses, 29 WINFRAME service, 38 WINS service, 38
X
XSS vulnerability protection from, 92 X-WINDOWS service, 38
Z
zones, 23