
FortiGate I

Module 3: Firewall Policies

FortiGate 5.2.1 Last Modified: 12 February 2019 1


Objectives

• Match traffic to firewall policies by:
o Source IP address, device ID/type, or user
o Interface or zone
• Reorder firewall policies for correct matching
• Identify components of firewall policies
• Explain ‘implicit fall through’ for authentication
• Choose between central NAT vs. source NAT in the policy
o Apply source NAT with IP pools (overload vs. one-to-one, fixed port range and port block allocation)
• Configure destination NAT with virtual IPs or a virtual server
• Log blocked traffic

2
Objectives

• Modify the session TTL
• Describe behavior differences when processing is offloaded to network processors
• Use a SIP session helper for VoIP
• Shape traffic by shared and per-IP limits
• Compare flow-based vs. proxy-based inspection
• Enable SSL/SSH inspection
• Monitor & debug the flow of traffic through firewall policies

3
What Are Firewall Policies?

• Policies define:
o Which traffic matches them
o How to process traffic that matches
• When a packet for a new IP session arrives, FortiGate looks for a matching policy
o Only the first matching policy applies
o Starts at top of list
• Implicit deny
o No matching policy? FortiGate drops the packet

4
How Are Policy Matches Determined?

Matching criteria:
• Incoming & outgoing interfaces
• Source & destination user/device
• Services
• Schedules

Action = ACCEPT, then apply:
• Authentication
• Threat Management
• Traffic Shaping
• Logging

6
Policy List: Section View

• Policy & Objects > Policy > IPv4
• Lists policies by ingress/egress interface pairs

7
Policy List: Global View

• When a policy has multiple source/destination interfaces or matches any

8
Adjusting Policy Order

• In the CLI, use the policy ID number, not the sequence number

config firewall policy
move <policy_id> {before|after} <policy_id>
end

• In the GUI, drag-and-drop by Seq. #

9
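The three slides above describe top-down first-match lookup, implicit deny and the fact that reordering is done by policy ID rather than sequence number. The following Python model is an added example (not Fortinet code and not part of the course material); the policy IDs, interface names, addresses and services in it are constructed, and the matching logic is deliberately reduced to interface, address and protocol/port.

```python
"""First-match policy lookup with implicit deny, and CLI-style reordering.

Added example (not from the Fortinet course material). The policy IDs,
interfaces, addresses and services below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Policy:
    policy_id: int      # stable ID, used by 'move <id> {before|after} <id>'
    srcintf: str        # interface name or "any"
    dstintf: str
    srcaddr: str        # CIDR or "all"
    dstaddr: str
    service: str        # "<proto>/<port>" or "ALL"
    action: str         # "accept" or "deny"

    def matches(self, srcintf: str, dstintf: str, src: str, dst: str,
                proto: str, dport: int) -> bool:
        def addr_ok(spec: str, ip: str) -> bool:
            return spec == "all" or ip_address(ip) in ip_network(spec)

        def service_ok(spec: str) -> bool:
            if spec == "ALL":
                return True
            spec_proto, spec_port = spec.split("/")
            return spec_proto == proto and int(spec_port) == dport

        return (self.srcintf in ("any", srcintf)
                and self.dstintf in ("any", dstintf)
                and addr_ok(self.srcaddr, src)
                and addr_ok(self.dstaddr, dst)
                and service_ok(self.service))


class PolicyTable:
    """Ordered list of policies; list position is the GUI sequence number."""

    def __init__(self, policies: List[Policy]):
        self.policies = list(policies)

    def lookup(self, **pkt) -> Optional[Policy]:
        """First matching policy from the top; None means implicit deny."""
        for pol in self.policies:
            if pol.matches(**pkt):
                return pol
        return None

    def move(self, policy_id: int, where: str, ref_id: int) -> None:
        """Equivalent of 'config firewall policy / move <policy_id> {before|after} <ref_id>'."""
        moving = next(p for p in self.policies if p.policy_id == policy_id)
        self.policies.remove(moving)
        ref_index = next(i for i, p in enumerate(self.policies) if p.policy_id == ref_id)
        self.policies.insert(ref_index if where == "before" else ref_index + 1, moving)

    def sequence(self) -> List[int]:
        """Policy IDs in their current sequence order."""
        return [p.policy_id for p in self.policies]


def build_demo_table() -> PolicyTable:
    # Constructed policies: a broad accept (ID 1) sits above a host-specific
    # deny (ID 2), so the deny never matches until it is moved above ID 1.
    return PolicyTable([
        Policy(1, "port3", "port1", "10.0.1.0/24", "all", "tcp/80", "accept"),
        Policy(2, "port3", "port1", "10.0.1.10/32", "all", "tcp/80", "deny"),
        Policy(3, "port3", "port1", "all", "all", "ALL", "accept"),
    ])


def decision(table: PolicyTable, **pkt) -> str:
    """Human-readable result of the lookup for one new-session packet."""
    pol = table.lookup(**pkt)
    if pol is None:
        return "implicit deny"
    return f"policy {pol.policy_id}: {pol.action}"


if __name__ == "__main__":
    table = build_demo_table()
    web = dict(srcintf="port3", dstintf="port1", src="10.0.1.10",
               dst="10.200.1.254", proto="tcp", dport=80)
    print(table.sequence(), decision(table, **web))   # [1, 2, 3] policy 1: accept
    table.move(2, "before", 1)                          # 'move 2 before 1'
    print(table.sequence(), decision(table, **web))   # [2, 1, 3] policy 2: deny
    print(decision(table, srcintf="port2", dstintf="port1", src="10.0.2.5",
                   dst="10.200.1.254", proto="udp", dport=53))  # implicit deny
```

Note that `move` is keyed on `policy_id` and never on list position, which is the point the slide makes: after one move the sequence numbers of every policy below it change, while the IDs do not.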
Components & Policy Types

Objects policies use:
• Interface/interface groups
• Address/user definitions
• Service definitions
• Schedules
• NAT rules
• Security profiles

Policy types:
• IPv4, IPv6
• Explicit proxy
• DoS
• Multicast
• Origin/destination is FortiGate itself (Local traffic)

10
Simplify: Interfaces vs. Zones

• Incoming Interface: Interface / zone receiving packets
• Outgoing Interface: Interface / zone forwarding packets
• Zone: Logical group of interfaces
• To match policies with traffic, select one (or more) interfaces or ANY

11
Matching by Source

• Must specify at least one source
• May express either, neither, or both:
o Source User
o Source Device
• Source Address – IP address object
• Source User – Individual user or user group; may refer to:
o Local firewall accounts
o Accounts on a remote server (e.g. Active Directory)
o FSSO
o Personal certificate (PKI-authenticated) users
• Source Device – Identified or manually defined client device
o Enables device identification on the source interface

12
Device Identification

• Source Device Type – Device identification enabled on the source interface(s) of that policy

13
Device Identification: Agent-based vs. Agentless

(Diagram: agentless devices and devices with the FortiClient (FC) agent connect through FortiGate to the DMZ and the INTERNET)

Identification Techniques
• Agentless
o TCP Fingerprinting
o MAC address vendor codes
o HTTP user agent
o Requires “direct” connectivity to FortiGate
• Agent Based
o Uses FortiClient
o Location & Infrastructure Independent

14
Device Identification: Device List (GUI)

• User & Device > Devices > Device List

15
Device Identification: Agentless Device List (CLI)

• Devices are indexed by MAC and identified from multiple sources

16
Device Identification: FortiClient Device List (CLI)

• Registered FortiClient devices can be identified by their UID

17
Endpoint Control

• FortiGate can control FortiClient settings via profiles & registration
• Firewall policies can be restricted to clients with FortiClient installed
• Enable FCT Access on the FortiGate interface for registration

18
Endpoint Control

• FortiClient registers with FortiGate

19
Endpoint Control

• FortiClient added to device list

20
Endpoint Control

• FortiClient profile

21
Endpoint Control

• Settings in FortiClient profile pushed to registered device

22
Endpoint Control

• Firewall policies with device type sources defined may be restricted to devices compliant with the defined profile

23
Simplify: Groups of Sources/Services

• Each address and service object referenced individually
• Using service and address groups, the above policy can be rewritten

24
Example: Matching Policy by Source

• Matches by source address, user, and device type

25
Implicit Fall Through

• “If this authentication policy does not match, try the next”
o Previous firmware used an identity policy
o Flows that failed authentication with the 1st matching authentication policy were blocked unless the option ‘fall-through-unauthenticated’ was enabled, causing FortiGate to try subsequent authentication policies

26
Matching by Destination

• Like source, address objects can use IP or FQDN
o DNS query used to resolve FQDN
• Country defines addresses by ISP’s geographical location
o Database updated periodically with FortiGuard

27
Scheduling

• Policies apply only during specific times / days
o Example: A less restrictive ‘Lunch time’ policy
o Default schedule applies all the time
o Recurring: happens every time during specified day(s) of the week
o One-time: happens only once

28
Matching by Service

Packet: Protocol and Port = Firewall Policy: Protocol and Port

• Services determine the matching transmission protocol and port number
• Can be predefined or custom
• ALL matches all ports and protocols
• Web Proxy Service also available if Incoming Interface is set to web-proxy
• Group Services and Web Proxy Service Group to simplify administration

29
Object Usage

• Allows for faster changes to settings
• Reference column shows if the object is being used
o Links directly to the referencing object

30
How Packets are Handled: Step 1

Phase 1 - Ingress
• Denial of service (DoS) sensor
• Packet integrity check
• IPSec tunnel match
• Destination NAT
• Routing

31
How Packets are Handled: Step 2

Phase 1 - Ingress
• Denial of service (DoS) sensor
• Packet integrity check
• IPSec tunnel match
• Destination NAT
• Routing
Phase 2 - Stateful Inspection
• Management traffic
• Policy lookup
o Session tracking
o Session helpers
o SSL VPN
o User authentication
o Traffic shaping

32
How Packets are Handled: Step 3

Phase 1 - Ingress
• Denial of service (DoS) sensor
• Packet integrity check
• IPSec tunnel match
• Destination NAT
• Routing
Phase 2 - Stateful Inspection
• Management traffic
• Policy lookup
o Session tracking
o Session helpers
o SSL VPN
o User authentication
o Traffic shaping
Phase 3 - UTM Scanning
• Flow-based Inspection
o IPS
o Application Control
o Email Filtering
o Web Filtering
o Antivirus
• Proxy-based Inspection
o VoIP Inspection
o Data Leak Prevention
o Email Filtering
o Web Filtering
o Antivirus
o ICAP

33
How Packets are Handled: Step 4

Phase 1 - Ingress
• Denial of service (DoS) sensor
• Packet integrity check
• IPSec tunnel match
• Destination NAT
• Routing
Phase 2 - Stateful Inspection
• Management traffic
• Policy lookup
o Session tracking
o Session helpers
o SSL VPN
o User authentication
o Traffic shaping
Phase 3 - UTM Scanning
• Flow-based Inspection
o IPS
o Application Control
o Email Filtering
o Web Filtering
o Antivirus
• Proxy-based Inspection
o VoIP Inspection
o Data Leak Prevention
o Email Filtering
o Web Filtering
o Antivirus
o ICAP
Phase 4 - Egress
• IPSec
• Source NAT
• Routing

34
Logging

(Diagram: log settings shown for an Accept policy and for a Deny policy)

To log traffic dropped by the implicit deny policy:

config system settings
set ses-denied-traffic enable
end

35
Monitor

• Active sessions, bytes or packets per policy
• Policy & Objects > Monitor > Policy Monitor

36
Session Table

• Accepted IP sessions tracked in session table
• Stores information about the state
o Source and destination addresses, port number pairs, state, timeout
o Source and destination interfaces
o Source and destination NAT actions
• Performance metrics
o Max. concurrent sessions
o New sessions per second

37
Session TTL

• Reducing timers may improve performance when the table is full, by closing sessions earlier
• TCP default TTL

config system session-ttl
set default 3600
end

• Specific state timers

config system global
set tcp-halfclose-timer 120
set tcp-halfopen-timer 60
set udp-idle-timer 180
end

• Timers can be applied in policies and objects, and have precedence:
o Application Control List > Firewall Services > Firewall Policies > Global Sessions

38
Session Table: TCP Example

# diagnose sys session list
session info: proto=6 proto_state=05 expire=89
timeout=3600 flags=00000000 av_idx=0 use=3
bandwidth=204800/sec guaranteed_bandwidth=102400/sec
traffic=332/sec prio=0 logtype=session ha_id=0
hakey=4450
tunnel=/
state=log shape may_dirty
statistic(bytes/packets/err): org=3408/38/0
reply=3888/31/0 tuples=2
orgin->sink: org pre->post, reply pre->post oif=3/5
gwy=192.168.11.254/10.0.5.100
hook=post dir=org act=snat 10.0.5.100:1251->192.168.11.254:22(192.168.11.105:1251)
hook=pre dir=reply act=dnat 192.168.11.254:22->192.168.11.105:1251(10.0.5.100:1251)
pos/(before,after) 0/(0,0), 0/(0,0)

Slide callouts:
• TCP state: proto_state=05
• Session TTL: expire=89 timeout=3600
• Traffic shaping: bandwidth= guaranteed_bandwidth= traffic=
• Traffic counts: statistic(bytes/packets/err) org= reply=
• NAT operation: the hook= dir= act=snat / act=dnat lines

39
TCP States

State Value
NONE 0
ESTABLISHED 1
SYN_SENT 2
SYN & SYN/ACK 3
FIN_WAIT 4
TIME_WAIT 5
CLOSE 6
CLOSE_WAIT 7
LAST_ACK 8
LISTEN 9

40
diagnose sys session

• Like debug flow, the session table also indicates policy actions
o Clear any previous filter
diagnose sys session filter clear
o Set the filter
diagnose sys session filter ?
dport destination port
dst destination IP address
policy policy id
sport source port
src source ip address
o List all entries matching the configured filter
diagnose sys session list
o Clear all entries matching the configured filter
diagnose sys session clear

41
diagnose sys session

# diag sys session filter dport 53
# diag sys session filter dst 8.8.4.4
# diag sys session list
session info: proto=17 proto_state=01 duration=6 expire=173 timeout=0
flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/
state=log may_dirty ndr none app_ntf
statistic(bytes/packets/allow_err): org=70/1/1 reply=370/1/1 tuples=3
orgin->sink: org pre->post, reply pre->post dev=4->2/2->4
gwy=10.200.1.254/10.0.1.10
hook=post dir=org act=snat 10.0.1.10:56100->8.8.4.4:53(10.200.1.1:56100)
hook=pre dir=reply act=dnat 8.8.4.4:53->10.200.1.1:56100(10.0.1.10:56100)
hook=post dir=reply act=noop 8.8.4.4:53->10.0.1.10:56100(0.0.0.0:0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=000024de tos=ff/ff ips_view=1 app_list=2000 app=16195
dd_type=0 dd_mode=0
total session 1

42
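The session table slides (the TCP example, the TCP state table and the two diagnose sys session slides) are read by eye in the course. The Python below is an added example, not Fortinet code: it parses the `diagnose sys session list` output into records, decodes proto_state for TCP sessions against the course's state table, and pulls the SNAT mapping and remaining TTL out of each entry. SAMPLE is the UDP and TCP output from the slides with wrapped lines rejoined and the trailing count adjusted; the note on which proto_state digit belongs to which direction is an assumption and is marked as such in the code.

```python
"""Parse 'diagnose sys session list' output into structured records.

Added example, not Fortinet code. SAMPLE is the UDP and TCP session output
shown in the slides with wrapped lines rejoined; the direction meaning of the
two proto_state digits is an assumption noted in tcp_state().
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE = """\
session info: proto=17 proto_state=01 duration=6 expire=173 timeout=0
flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/
state=log may_dirty ndr none app_ntf
statistic(bytes/packets/allow_err): org=70/1/1 reply=370/1/1 tuples=3
orgin->sink: org pre->post, reply pre->post dev=4->2/2->4
gwy=10.200.1.254/10.0.1.10
hook=post dir=org act=snat 10.0.1.10:56100->8.8.4.4:53(10.200.1.1:56100)
hook=pre dir=reply act=dnat 8.8.4.4:53->10.200.1.1:56100(10.0.1.10:56100)
hook=post dir=reply act=noop 8.8.4.4:53->10.0.1.10:56100(0.0.0.0:0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=000024de tos=ff/ff ips_view=1 app_list=2000 app=16195
dd_type=0 dd_mode=0
session info: proto=6 proto_state=05 expire=89
timeout=3600 flags=00000000 av_idx=0 use=3
bandwidth=204800/sec guaranteed_bandwidth=102400/sec
traffic=332/sec prio=0 logtype=session ha_id=0
hakey=4450
tunnel=/
state=log shape may_dirty
statistic(bytes/packets/err): org=3408/38/0
reply=3888/31/0 tuples=2
orgin->sink: org pre->post, reply pre->post oif=3/5
gwy=192.168.11.254/10.0.5.100
hook=post dir=org act=snat 10.0.5.100:1251->192.168.11.254:22(192.168.11.105:1251)
hook=pre dir=reply act=dnat 192.168.11.254:22->192.168.11.105:1251(10.0.5.100:1251)
pos/(before,after) 0/(0,0), 0/(0,0)
total session 2
"""

# TCP state table from the course slide (value -> name)
TCP_STATES = {0: "NONE", 1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN & SYN/ACK",
              4: "FIN_WAIT", 5: "TIME_WAIT", 6: "CLOSE", 7: "CLOSE_WAIT",
              8: "LAST_ACK", 9: "LISTEN"}

KV_RE = re.compile(r"(\w+)=(\S*)")
HOOK_RE = re.compile(r"hook=(\w+) dir=(\w+) act=(\w+) (\S+?)->(\S+?)\((\S+?)\)")


def parse_sessions(text: str) -> List[Dict]:
    """Split the listing at each 'session info:' line; collect key=value pairs and NAT hooks."""
    sessions: List[Dict] = []
    current: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("session info:"):
            current = {"hooks": []}
            sessions.append(current)
        if current is None or not line or line.startswith("total session"):
            continue
        hook = HOOK_RE.search(line)
        if hook:
            keys = ("hook", "dir", "act", "src", "dst", "nat")
            current["hooks"].append(dict(zip(keys, hook.groups())))
            continue
        for key, value in KV_RE.findall(line):
            current.setdefault(key, value)   # first occurrence wins
    return sessions


def tcp_state(session: Dict) -> Tuple[str, str]:
    """Decode the two proto_state digits of a proto=6 session with the course's TCP table."""
    if session.get("proto") != "6":
        raise ValueError("the TCP state table only applies to proto=6 sessions")
    first, second = session["proto_state"]
    # Assumption: each digit is the state seen on one direction of the session;
    # both are simply decoded against the table.
    return TCP_STATES[int(first)], TCP_STATES[int(second)]


def snat_mapping(session: Dict) -> Optional[Tuple[str, str]]:
    """(original source, translated source) from the post-routing SNAT hook, if present."""
    for h in session["hooks"]:
        if h["act"] == "snat" and h["dir"] == "org":
            return h["src"], h["nat"]
    return None


def ttl_remaining(session: Dict) -> Tuple[int, int]:
    """(seconds until expiry, configured timeout) for the session."""
    return int(session["expire"]), int(session["timeout"])


def summarize(session: Dict) -> str:
    """One-line view of the fields an operator usually wants from an entry."""
    if session.get("proto") == "6":
        state = "/".join(tcp_state(session))
    else:
        state = f"proto_state={session['proto_state']}"
    nat = snat_mapping(session)
    nat_txt = f"snat {nat[0]}->{nat[1]}" if nat else "no snat"
    return (f"proto={session['proto']} {state} expire={session['expire']}/"
            f"{session['timeout']} policy_id={session.get('policy_id', '?')} {nat_txt}")


if __name__ == "__main__":
    for entry in parse_sessions(SAMPLE):
        print(summarize(entry))
```

Running it prints one line per session; the TCP entry decodes to TIME_WAIT with 89 seconds left of a 3600 second timeout, which is why a `diagnose sys session list` filtered on a policy is a quick way to see whether the timers from the Session TTL slide are actually being applied.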
Network Address / Port Translation

• Network Address Translation – NAT
o Change an IP layer address of a packet
• Some protocols like HTTP also have addresses at the application layer, requiring session helpers/proxies
o Source Network Address Translation – SNAT
o Destination Network Address Translation – DNAT
• Port Address Translation – PAT
o Change the IP layer port number of a packet

(Diagram labels: Source IP address, Source port, Destination IP address, Destination port)

43
Network Address / Port Translation: NAT

Firewall policy with NAT enabled; wan1 IP address: 200.200.200.200

Packet from 10.10.10.1 on internal (10.10.10.10), before NAT:
Source IP address: 10.10.10.1
Source port: 1025
Destination IP address: 11.12.13.14
Destination Port: 80

Packet leaving wan1 (200.200.200.200), after NAT:
Source IP address: 200.200.200.200
Source port: 30912
Destination IP address: 11.12.13.14
Destination Port: 80

44
Network Address / Port Translation: IP Pool

Firewall policy with NAT + IP pool enabled; wan1 IP pool: 200.200.200.2-200.200.200.10

Packet from 10.10.10.1 on internal (10.10.10.10), before NAT:
Source IP address: 10.10.10.1
Source port: 1025
Destination IP address: 11.12.13.14
Destination Port: 80

Packet leaving wan1 (200.200.200.200), after NAT:
Source IP address: 200.200.200.? (an address from the IP pool)
Source port: 30957
Destination IP address: 11.12.13.14
Destination Port: 80

45
IP Pool Type: One-to-One

• Default type is overload
• Type one-to-one associates an internal IP with a pool IP on a first-come, first-served basis
o Port address translation is disabled
• Refuses connection if no unallocated address

46
IP Pool Type: Fixed Port Range

• Type fixed port range associates an internal IP range with an external IP range
o Port address translation is disabled

47
IP Pool Type: Port Block Allocation

• Type port block allocation assigns a block size & number per host for a range of external IP addresses
o Using a small 64 block size and 1 block
hping --faster -p 80 -S 10.200.1.254

o Using an overload type
hping --faster -p 80 -S 10.200.1.254

48
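The four IP pool slides describe how each pool type hands out external addresses and ports: overload shares the pool and rewrites ports, one-to-one binds each internal host to one pool address first-come first-served and refuses once the pool is used up, fixed port range maps an internal range onto an external range, and port block allocation gives each host a fixed number of port blocks. The Python model below is an added example (not Fortinet code and not how FortiOS is implemented internally); it reproduces those behaviours so the effect of the hping test on the slide above, a single host exhausting its one 64-port block, can be seen without a FortiGate. The address-selection and port-numbering details are marked as assumptions in the comments.

```python
"""Simplified model of FortiGate IP pool types for source NAT.

Added example, not Fortinet code. It reproduces the behaviour the slides
describe for overload, one-to-one, fixed port range and port block
allocation pools; the port-selection details are assumptions marked below.
"""
from ipaddress import ip_address
from itertools import count
from typing import Dict, List, Optional, Tuple


def ip_range(first: str, last: str) -> List[str]:
    a, b = int(ip_address(first)), int(ip_address(last))
    return [str(ip_address(i)) for i in range(a, b + 1)]


class PoolExhausted(Exception):
    """The pool cannot translate a new session (connection refused)."""


class IPPool:
    def __init__(self, pool_type: str, start: str, end: str,
                 internal: Optional[Tuple[str, str]] = None,
                 block_size: int = 64, num_blocks: int = 1):
        self.type = pool_type
        self.ext = ip_range(start, end)                      # external addresses
        self.internal = ip_range(*internal) if internal else []
        self.block_size, self.num_blocks = block_size, num_blocks
        self.one_to_one: Dict[str, str] = {}                 # internal IP -> pool IP
        self.pat_ports = {ip: count(1024) for ip in self.ext}   # assumption: PAT ports start at 1024
        self.blocks: Dict[str, List[Tuple[str, int]]] = {}   # host -> [(ext IP, block start)]
        self.block_used: Dict[Tuple[str, int], int] = {}     # block -> ports handed out
        self.block_next = {ip: 1024 for ip in self.ext}      # assumption: blocks carved from 1024 upward

    def translate(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Return the (external IP, external port) for a new session from src_ip:src_port."""
        if self.type == "overload":
            # Every host may share every pool address; PAT assigns a fresh port.
            ext = self.ext[int(ip_address(src_ip)) % len(self.ext)]   # assumption: pick by hashing the source
            return ext, next(self.pat_ports[ext])

        if self.type == "one-to-one":
            # Pool IP bound to the internal IP first-come, first-served; PAT disabled.
            if src_ip not in self.one_to_one:
                free = [ip for ip in self.ext if ip not in self.one_to_one.values()]
                if not free:
                    raise PoolExhausted(f"no unallocated address for {src_ip}")
                self.one_to_one[src_ip] = free[0]
            return self.one_to_one[src_ip], src_port

        if self.type == "fixed-port-range":
            # Internal range mapped onto the external range by position; PAT disabled.
            if src_ip not in self.internal:
                raise PoolExhausted(f"{src_ip} is outside the internal range")
            return self.ext[self.internal.index(src_ip) % len(self.ext)], src_port

        if self.type == "port-block-allocation":
            # Each host owns up to num_blocks blocks of block_size ports.
            blocks = self.blocks.setdefault(src_ip, [])
            for blk in blocks:
                used = self.block_used[blk]
                if used < self.block_size:
                    self.block_used[blk] = used + 1
                    return blk[0], blk[1] + used
            if len(blocks) >= self.num_blocks:
                raise PoolExhausted(f"{src_ip} has used all {self.num_blocks} block(s) of {self.block_size} ports")
            ext = self.ext[len(self.block_used) % len(self.ext)]   # assumption: blocks spread round-robin
            start = self.block_next[ext]
            self.block_next[ext] += self.block_size
            blocks.append((ext, start))
            self.block_used[(ext, start)] = 1
            return ext, start

        raise ValueError(f"unknown pool type {self.type}")


def count_until_refused(pool: IPPool, src_ip: str, attempts: int) -> int:
    """Open sessions from src_ip until the pool refuses one; return how many succeeded."""
    ok = 0
    for port in range(40000, 40000 + attempts):
        try:
            pool.translate(src_ip, port)
            ok += 1
        except PoolExhausted:
            break
    return ok


if __name__ == "__main__":
    pba = IPPool("port-block-allocation", "200.200.200.2", "200.200.200.2", block_size=64, num_blocks=1)
    print("PBA, 64 x 1 block:", count_until_refused(pba, "10.0.1.10", 100), "sessions allowed")   # 64
    overload = IPPool("overload", "200.200.200.2", "200.200.200.10")
    print("overload:", count_until_refused(overload, "10.0.1.10", 100), "sessions allowed")        # 100
```

The last two lines mirror the slide's two hping runs: with a single 64-port block the 65th connection from the same host is refused, while the overload pool keeps allocating ports.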
Virtual IPs (VIP)

• Destination NAT objects
• Default type is static NAT
o Can be restricted to forward only certain ports
• From the CLI, you can select either load-balance or server-load-balance
• VIPs should be routable to the external facing (ingress) interface for return traffic

49
Network Address / Port Translation: VIP

Firewall policy with destination address virtual IP + Static NAT; wan1 IP address: 200.200.200.200

Packet from external host 11.12.13.14 arriving on wan1:
Source IP address: 11.12.13.14
Destination IP address: 200.200.200.222
Destination Port: 80

VIP translates destination 200.200.200.222 -> 10.10.10.10, and the packet is forwarded out internal

50
Network Address / Port Translation: Central NAT

51
Session Helpers

• Some traffic types require additional packet modification for the application to work
o Configurable via CLI
• For example:
o Handling of ports with FTP passive mode connections
o Header rewrites in SIP SDP payloads required because of NAT actions
• To show configured session helpers:
show system session-helper

52
Session Helpers: SIP Example

• Stateful firewall with NAT of 172.16.1.2 to 201.11.1.3 (firewall internal side 172.16.1.1, external side 201.11.1.3)
o The internal phone 172.16.1.2 sends SIP signalling whose SDP payload says: “Send the media traffic to IP address 172.16.1.2, UDP port 12546”
o The IP address inside the payload is NATed, so the remote party receives: “Send the media traffic to IP address 201.11.1.3, UDP port 12546”
o The firewall opens a “pinhole” to allow the traffic that will come to port 12546
o Media traffic from the remote party to 201.11.1.3, port 12546 is translated to 172.16.1.2, port 12546
• Incoming media traffic is allowed even when no firewall policy has been explicitly configured

53
Traffic Shaping

• Rate limiting is configurable
o Inbandwidth and Outbandwidth
• Each physical interface has 6 transmit queues
• Forwarded traffic subject to ToS/DSCP priority queuing
• Traffic shaping applied by a firewall policy may guarantee, increase or decrease priority queue, or drop packets (policing)

54
Traffic Shapers

• Shared Traffic Shaper: one Guaranteed Bandwidth / Maximum Bandwidth pair shared by all traffic matching the policy
• Per-IP Traffic Shaper: a Guaranteed Bandwidth / Maximum Bandwidth pair applied to each source IP separately

55
NP Session Offloading & Packet Forwarding

• First packet in IP session handled by OS kernel (CPU)
• Not ASIC-compatible: session remains with CPU (“slow path”)
• ASIC compatible: kernel offloads session to specialized NP, freeing CPU (“fast path”)
• When session ends, or if errors, NP returns session to CPU

56
Security Profiles

57
Proxy vs Flow: Proxy-Based Scanning

• Transparent proxy buffers file as it arrives
• Once transmission is complete, FortiGate examines file
o No action until buffer is full or file is finished
• Communication is terminated on Layer 4
o Proxy initiates secondary connection after scan

58
Proxy Options

59
Proxy vs Flow: Flow-Based Scanning

• File is scanned on a TCP flow basis as it passes through FortiGate
o IPS engine
• Faster scanning, but lower accuracy
• Requires more signatures than proxy-based techniques

60
SSL/SSH Inspection

61
Debugging Firewall Policies

• Understand the flow
o Ingress
o Egress
o Source NAT action
o Destination NAT action
o VPN
o Content inspection proxy/flow
• What is the trouble?
o Slowness/delay?
o Timeout too fast?
o Connection failure?

62
Packet Capture (CLI)

• Can be used to find out where a packet comes in and if/where a packet goes out, but not why
• To view in Wireshark, convert the output
o First, save the output to a file
o Perl script on KB (article ID: 11186)

diag sniff packet <interface> '<filter>' <level>

Interface: physical/logical name (port1, lan, wan1) or 'any'

Level (1-6):
1: print header of packets
2: print header and data from IP of packets
3: print header and data from Ethernet of packets
4: print header of packets with interface name
5: print header and data from IP of packets with interface name
6: print header and data from Ethernet of packets with interface name

63
Example: Packet Capture

• Do not specify a host that will change due to NAT
• Use interface 'any' and verbose level 4 for most requirements
• Examples:
o IP
diag sniff packet any 'dst host 10.200.1.254' 4
o ICMP
diag sniff packet any 'host 10.200.1.254 and icmp' 4
diag sniff packet any 'icmp[icmptype] != 0 and icmp[icmptype] != 8' 4
o TCP
• Packets with SYN flag set (see tcpdump man page)
diag sniff packet any 'tcp[13]&2==2' 4
o FTP
• Connection and data, passive FTP
diag sniff packet any 'host 10.200.1.254 and (port 21 or port ??)' 4
• Connection and data, active FTP
diag sniff packet any 'host 10.200.1.254 and (port 21 or port 20)' 4
• If using ssh, don't sniff your own packets
diag sniff packet any '!port 22' 4

64
Packet Capture (GUI)

• Downloaded captures are automatically converted into Wireshark format
• Available on devices with internal storage (HD or SMC card)

65
Packet Flow

• “diag debug flow” shows FortiGate actions at the packet level

diag deb flow show function enable
diag deb flow show console enable
diag deb flow filter addr 10.200.1.254
diag deb flow filter port 80
diag deb enable
diag deb flow trace start 20

66
diagnose debug flow (Output)

SYN:
id=20085 trace_id=101 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=6, 10.0.1.10:58163->10.200.1.254:80) from port3. flag [S], seq 3433587993, ack 0, win 8192"
id=20085 trace_id=101 func=init_ip_session_common line=4517 msg="allocate a new session-0000221d"
id=20085 trace_id=101 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.200.1.254 via port1"
id=20085 trace_id=101 func=fw_forward_handler line=671 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=101 func=ids_receive line=237 msg="send to ips"
id=20085 trace_id=101 func=__ip_session_run_tuple line=2518 msg="SNAT 10.0.1.10->10.200.1.1:58163"

SYN/ACK:
id=20085 trace_id=102 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=6, 10.200.1.254:80->10.200.1.1:58163) from port1. flag [S.], seq 4280488498, ack 3433587994, win 5840"
id=20085 trace_id=102 func=resolve_ip_tuple_fast line=4427 msg="Find an existing session, id-0000221d, reply direction"
id=20085 trace_id=102 func=__ip_session_run_tuple line=2532 msg="DNAT 10.200.1.1:58163->10.0.1.10:58163"
id=20085 trace_id=102 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.0.1.10 via port3"
id=20085 trace_id=102 func=ids_receive line=237 msg="send to ips"

ACK:
id=20085 trace_id=103 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=6, 10.0.1.10:58163->10.200.1.254:80) from port3. flag [.], seq 3433587994, ack 4280488499, win 256"
id=20085 trace_id=103 func=resolve_ip_tuple_fast line=4427 msg="Find an existing session, id-0000221d, original direction"
id=20085 trace_id=103 func=ids_receive line=237 msg="send to ips"
id=20085 trace_id=103 func=__ip_session_run_tuple line=2518 msg="SNAT 10.0.1.10->10.200.1.1:58163"

67
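The debug flow output above is easier to reason about once the lines are grouped by trace_id, because each trace_id is one packet and the sequence of func= steps shows what the packet went through (session allocation or lookup, route, policy decision, NAT). The Python below is an added example, not Fortinet code: it groups the trace by packet and pulls out the ingress interface, flags, session state, policy decision, NAT action and egress interface. SAMPLE is the three-packet handshake from the slide with its wrapped lines rejoined; the regular expressions only cover the message forms that appear there.

```python
"""Group 'diagnose debug flow' output by trace_id and pull out the decisions.

Added example, not Fortinet code. SAMPLE is the three-packet handshake trace
shown in the slide, with wrapped lines rejoined; the regexes match only the
message forms that appear there.
"""
import re
from typing import Dict, List

SAMPLE = """\
id=20085 trace_id=101 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=6, 10.0.1.10:58163->10.200.1.254:80) from port3. flag [S], seq 3433587993, ack 0, win 8192"
id=20085 trace_id=101 func=init_ip_session_common line=4517 msg="allocate a new session-0000221d"
id=20085 trace_id=101 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.200.1.254 via port1"
id=20085 trace_id=101 func=fw_forward_handler line=671 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=101 func=ids_receive line=237 msg="send to ips"
id=20085 trace_id=101 func=__ip_session_run_tuple line=2518 msg="SNAT 10.0.1.10->10.200.1.1:58163"
id=20085 trace_id=102 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=6, 10.200.1.254:80->10.200.1.1:58163) from port1. flag [S.], seq 4280488498, ack 3433587994, win 5840"
id=20085 trace_id=102 func=resolve_ip_tuple_fast line=4427 msg="Find an existing session, id-0000221d, reply direction"
id=20085 trace_id=102 func=__ip_session_run_tuple line=2532 msg="DNAT 10.200.1.1:58163->10.0.1.10:58163"
id=20085 trace_id=102 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.0.1.10 via port3"
id=20085 trace_id=102 func=ids_receive line=237 msg="send to ips"
id=20085 trace_id=103 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=6, 10.0.1.10:58163->10.200.1.254:80) from port3. flag [.], seq 3433587994, ack 4280488499, win 256"
id=20085 trace_id=103 func=resolve_ip_tuple_fast line=4427 msg="Find an existing session, id-0000221d, original direction"
id=20085 trace_id=103 func=ids_receive line=237 msg="send to ips"
id=20085 trace_id=103 func=__ip_session_run_tuple line=2518 msg="SNAT 10.0.1.10->10.200.1.1:58163"
"""

LINE_RE = re.compile(r'id=(\d+) trace_id=(\d+) func=(\S+) line=(\d+) msg="(.*)"$')
PKT_RE = re.compile(r"received a packet\(proto=(\d+), (\S+)->(\S+)\) from (\S+)\. flag \[(.*?)\]")
NEW_SESSION_RE = re.compile(r"allocate a new session-([0-9a-f]+)")
EXISTING_RE = re.compile(r"Find an existing session, id-([0-9a-f]+), (\w+) direction")
ROUTE_RE = re.compile(r"find a route: flags=\S+ gw-(\S+) via (\S+)")
POLICY_RE = re.compile(r"Allowed by Policy-(\d+)(?:: (\S+))?")
NAT_RE = re.compile(r"^(SNAT|DNAT) (\S+)->(\S+)$")


def parse_debug_flow(text: str) -> List[Dict]:
    """One dict per trace_id, in trace order, with the decisions found in its messages."""
    traces: Dict[int, Dict] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        _, trace_id, func, _, msg = m.groups()
        t = traces.setdefault(int(trace_id), {"trace_id": int(trace_id), "funcs": []})
        t["funcs"].append(func)
        if (p := PKT_RE.search(msg)):
            t.update(proto=int(p[1]), src=p[2], dst=p[3], ingress=p[4], flags=p[5])
        elif (p := NEW_SESSION_RE.search(msg)):
            t.update(session=p[1], new_session=True)
        elif (p := EXISTING_RE.search(msg)):
            t.update(session=p[1], new_session=False, direction=p[2])
        elif (p := ROUTE_RE.search(msg)):
            t.update(gateway=p[1], egress=p[2])
        elif (p := POLICY_RE.search(msg)):
            t.update(policy=int(p[1]), policy_action=p[2])
        elif (p := NAT_RE.match(msg)):
            t["nat"] = (p[1], p[2], p[3])
    return [traces[k] for k in sorted(traces)]


def describe(trace: Dict) -> str:
    """One line per packet: where it entered, what happened to it, where it left."""
    if trace.get("new_session"):
        session = "new session"
    else:
        session = f"existing session ({trace.get('direction')})"
    decision = f"policy {trace['policy']}" if "policy" in trace else "no policy lookup logged"
    nat = trace.get("nat")
    nat_txt = f"{nat[0]} {nat[1]}->{nat[2]}" if nat else "no NAT"
    return (f"trace {trace['trace_id']}: [{trace['flags']}] {trace['src']}->{trace['dst']} "
            f"in {trace['ingress']}, {session}, {decision}, {nat_txt}, out {trace.get('egress')}")


if __name__ == "__main__":
    for trace in parse_debug_flow(SAMPLE):
        print(describe(trace))
```

The grouped view makes the point of the Step 2 slide visible: the policy lookup (`fw_forward_handler`, "Allowed by Policy-1") appears only on the SYN that created the session, while the SYN/ACK and ACK are matched to the existing session by `resolve_ip_tuple_fast` and only receive the NAT and routing steps.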
Combining Packet Traces and Flow

• Follows packets from arrival through FortiOS actions
o Consider
Student # diagnose sniffer packet any 'host 10.200.1.254 and port 80' 4

interfaces=[any]
filters=[host 10.200.1.254 and port 80]
51.685869 port3 in 10.0.1.10.58376 -> 10.200.1.254.80: syn 3479847099
51.937927 port3 in 10.0.1.10.58378 -> 10.200.1.254.80: syn 1978227929
54.679653 port3 in 10.0.1.10.58376 -> 10.200.1.254.80: syn 3479847099
54.930621 port3 in 10.0.1.10.58378 -> 10.200.1.254.80: syn 1978227929
o Better
• Set up the debug flow, then start the sniffer

68
Debugging Firewall Policies: debug flow & sniffer

69
Review

• How packets match a firewall policy
• How FortiGate defines matching traffic
• Interfaces vs. zones
• Domain name / IP address objects
• Device list & endpoint control
• Network services
• Packet handling
• NAT & session helpers
• How to interpret the session table
• Quality of service (QoS) & traffic shaping
• Proxy- vs. flow-based UTM scans
• Debugging packet handling
• Monitor in GUI
• CLI

70
Labs

• Lab 1: Firewall Policy
» Ex 1: Creating Firewall Objects and Rules
» Ex 2: Policy Action
» Ex 3: Configuring Virtual IP Access
» Ex 4: Configuring IP Pools

(OPTIONAL)
• Lab 2: Traffic Log
» Ex 1: Enabling Traffic Logging

• Lab 3: Device Policies
» Ex 1: Enabling Device Identification

71
Classroom Lab Topology

72
