Firewall - Fortinet


Firewall
FortiOS Handbook v3 for FortiOS 4.0 MR3

FortiOS Handbook Firewall v3
24 January 2012
01-432-148222-20120124

Copyright 2012 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet without prior notice. Reproduction or transmission of this publication is encouraged.

Trademarks
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Visit these links for more information and documentation for your Fortinet products:
Fortinet Knowledge Base - http://kb.fortinet.com
Technical Documentation - http://docs.fortinet.com
Training Services - http://campus.training.fortinet.com
Technical Support - http://support.fortinet.com

You can report errors or omissions in this or any Fortinet technical document to techdoc@fortinet.com.

FortiOS Handbook

Contents

Introduction  9
  Before you begin  9
  How this guide is organized  9

Understanding the FortiGate firewall  11
  What is the FortiGate firewall?  11
  FortiGate firewall components  11
    How the firewall components create a FortiGate firewall and help in protecting your network  12
  Understanding how a packet travels through the FortiGate unit  13
    How packets flow in and out of the FortiGate unit  14

Working with NAT in FortiOS  17
  NAT in FortiOS  17
    NAT/Route mode  17
    Route mode  18
    Transparent mode  19
  Types of NAT in FortiOS  19
    Static NAT (SNAT)  20
      Static Destination NAT (SDNAT)  20
      Static NAT port forwarding  20
    Dynamic NAT (DNAT)  20
      Dynamic source address translation  21
      Dynamic destination address  21
      Dynamic port forwarding  21
  Combining types of NAT  21

Firewall components  23
  Using Interfaces and zones in the FortiGate firewall  23
    How to apply VLANs and zones to a security policy  23
  Understanding the firewall address component  24
    IP addresses for self-originated traffic  25
    IP pools  26
      IP Pools for security policies that use fixed ports  27
      Source IP address and IP pool address matching  27
    Geography-based addressing  28
    Wildcard addresses  29
      Using wildcard addresses in the firewall configuration  31
    Fully Qualified Domain Name addresses  31
    Address groups  32
    Virtual IP addresses  32
      Grouping virtual IPs  32
      Match-vip  32
  Services  33
    Predefined service list  33
    Custom service groups  38
  Firewall schedules  38
    Schedule groups  39
    Schedule expiry  39
  UTM profiles  39
    How to use UTM profiles to monitor and protect your network  40

Security policies  43
  Security policy overview  43
    Security policy list details  44
    Viewing security policies  45
  Policy order  45
    How to arrange policies  47
  Security policies  47
    Identity-based policies  47
      Identity-based policy example  48
    SSL VPN policies  49
    IPsec policies  49
    Accept policies  50
    Deny policies  50
      How to allow DNS queries to only one DNS server  50
    IPv6 policies  51
    Security policy 0  51
    Local-in policies  51
  Creating basic security policies  52
    How to create a basic security policy for Internet access  52
    How to test the basic security policy  53
    How to verify if traffic is hitting the basic security policy  53

Monitoring firewall traffic  55
  Session tables  55
    Viewing session tables in the web-based manager  55
      Sessions Monitor  55
    Viewing session tables in the CLI  56
      Proto state fields: TCP  57
      Proto state fields: SCTP  58
      Proto state fields: UDP  58
      Proto state field for ICMP  58
  Monitoring security policy traffic activity  58

Internet Protocol version 6 (IPv6)  61
  What is IPv6?  61
  IPv6 in FortiOS  61
  Dual stack routing configuration  62
  IPv4 tunneling configuration  62
  Remotely connecting to an IPv6 network over the Internet  62

Advanced FortiGate firewall concepts  65
  Central NAT table  65
    Central NAT Table configuration settings  66
  Stateful inspection of SCTP traffic  66
    Configuring FortiGate SCTP filtering  67
    Adding an SCTP custom service  68
    Adding an SCTP policy route  68
    Changing the session time to live for SCTP traffic  69
  Port pairing  69
  Blocking port 25 to email server traffic  70
    Dedicated traffic  71
    Restricting traffic on port 25  72
  Blocking HTTP access by IP  73
  ICMP packet processing  74
  Adding NAT security policies in Transparent mode  74
  Adding a static NAT virtual IP for a single IP address and port  77
  Double NAT: combining IP pool with virtual IP  79
  Using VIP range for Source NAT (SNAT) and static 1-to-1 mapping  81
  Traffic shaping and per-IP traffic shaping  83
  Endpoint Security  84
  Logging traffic  84
  Quality of Service (QoS)  85
  Identity-based security policies  85
    Identity-based policy positioning  85
    Identity-based sub-policies  86

Appendix  87
  Document conventions  87
    IP addresses  87
    Example Network configuration  89
    Cautions, Notes and Tips  90
    Typographical conventions  90
    CLI command syntax conventions  91
  Entering FortiOS configuration data  93
    Entering text strings (names)  93
    Entering numeric values  94
    Selecting options from a list  94
    Enabling or disabling options  94
  Registering your Fortinet product  94
  Fortinet products End User License Agreement  95
  Training  95
  Documentation  95
    Fortinet Tools and Documentation CD  95
    Fortinet Knowledge Base  95
    Comments on Fortinet technical documentation  95
  Customer service and technical support  95

Index  97

Firewall for FortiOS 4.0 MR3  01-432-148222-20120124  http://docs.fortinet.com/

Introduction

Welcome and thank you for selecting Fortinet products for your network protection. This document describes how to configure the FortiGate firewall on your FortiGate unit. This document also provides advanced firewall concepts.

This chapter contains the following topics:
- Before you begin
- How this guide is organized

Before you begin

Before you begin using this guide, please ensure that:
- You have administrative access to the web-based manager and/or CLI.
- The FortiGate unit is integrated into your network.
- The operation mode has been configured.
- The system time, DNS settings, administrator password, and network interfaces have been configured.
- Firmware, FortiGuard Antivirus and FortiGuard Antispam updates are completed.
- FortiGuard Analysis & Management Service is properly configured.

While using the instructions in this guide, note that administrators are assumed to be super admin administrators unless otherwise specified. Some restrictions will apply to other administrators.

How this guide is organized

This FortiOS Handbook chapter contains the following sections:

Understanding the FortiGate firewall provides general information about what the FortiGate firewall does, what it is comprised of, and explains how a packet travels through the FortiGate unit.

Working with NAT in FortiOS provides information about how NAT works in FortiOS and the combinations of NAT that you can use in your configuration. This section explains how the different modes, such as Transparent mode, work and how the FortiGate unit behaves when in each of these modes.

Firewall components provides in-depth information about the firewall components that help in creating a FortiGate firewall configuration.

Security policies explains what security policies are, as well as how these rules work to help protect your network. This section also explains the importance of how security policies are ordered within the security policy list, and describes the different policies that can be created for different firewall configurations.

Monitoring firewall traffic explains how you can monitor traffic within the web-based manager using the Session and Policy Monitoring pages.

Internet Protocol version 6 (IPv6) explains how IPv6 can be implemented in FortiOS, as well as what features support IPv6, such as IPsec VPN and dynamic routing. This section also gives a high-level summary of IPv6.

Advanced FortiGate firewall concepts explains the advanced firewall features that you may want to configure for your network as it expands. These include stateful inspection of SCTP traffic, port pairing (Transparent mode only), and adding NAT security policies in Transparent mode.

Understanding the FortiGate firewall

The FortiGate firewall is one of the most important features on the FortiGate unit. It not only allows traffic to flow through, but also, with the help of security policies, scans the traffic for vulnerabilities, misuse and abuse. This type of firewall provides flexibility for expansion in a growing network environment.

This section helps to explain the FortiGate firewall and its role in protecting your network. This section also explains the life of a packet, which helps you to understand how traffic flows through the FortiGate unit and the role the FortiGate firewall plays in the life of a packet.

The following topics are included in this section:
- What is the FortiGate firewall?
- FortiGate firewall components
- Understanding how a packet travels through the FortiGate unit

What is the FortiGate firewall?

A firewall is, in the simplest of terms, a device that permits or denies network traffic based on a set of rules. The FortiGate firewall can do this and much more. The FortiGate firewall scans the network traffic and, based on the set of rules (in Fortinet terminology these rules are called security policies), determines what action needs to be taken. The action may be to quarantine a virus that the FortiGate unit finds, or to record the activity, or both. These security policies provide the information the FortiGate unit needs to determine what to do with the incoming and outgoing traffic.

At the heart of these network security functions are the security policies. Security policies control all traffic attempting to pass through the FortiGate unit, and between FortiGate interfaces, zones, and VLAN subinterfaces. They are instructions the FortiGate unit uses to decide connection acceptance and packet processing for traffic attempting to pass through. When the firewall receives a connection packet, it analyzes the packet's source address, destination address, and service (by port number), and attempts to locate a security policy matching the packet.

Security policies can contain many instructions for the FortiGate unit to follow when it receives matching packets. Some instructions are required, such as whether to drop or accept and process the packets, while other instructions, such as logging and authentication, are optional. It is through these policies that the FortiGate unit permits or denies the packets to pass through to the network, decides who gets priority (bandwidth) over other users, and decides when the packets can come through.

FortiGate firewall components

The FortiGate firewall is comprised of many different features that provide flexibility for the specific needs of your network, both now and as it grows. These features are:

- interfaces (including VLANs)
- zones
- unified threat management (UTM)
- firewall addresses (this includes IPv4 and IPv6, IP pools, wildcard addresses and netmasks, and geography-based addresses)
- monitoring traffic
- traffic shaping and per-IP traffic shaping (advanced)
- firewall schedules
- services (such as AOL, DHCP and FTP)
- logging traffic (advanced)
- QoS (advanced)
- identity-based policies (advanced)
- endpoint security (advanced)

Each of these components plays an important role in configuring your FortiGate firewall. For example, the administrator applies PING administrative access to the wan1 interface so that he or she can ping this external interface and verify that Internet traffic is hitting the internal-to-wan1 security policy. If no PING administrative access were applied to the external interface, the administrator could not properly verify whether traffic is hitting the policy.

For more in-depth explanations of these components, see "Firewall components" on page 23.

How the firewall components create a FortiGate firewall and help in protecting your network

The firewall components each help in protecting your network, as well as helping traffic to flow better through the network; for example, traffic shaping helps to load balance traffic on your network.

The following explains how all of the firewall components are combined to create the FortiGate firewall.

1 In System > Network > Interface, create VLAN subinterfaces for each department: sales, marketing and engineering.
  These VLAN subinterfaces will be grouped into a zone, and the zone will then be applied to a security policy.
2 Create a zone for the VLAN subinterfaces.
3 In Firewall Objects > Address > Address, create the IP address ranges that are required: one for sales, one for marketing, and one for engineering.
  Each of these ranges corresponds to the department that uses that IP address range. For example, sales has 172.16.120.100 - 172.16.120.200.
4 Create a firewall schedule that allows sales and marketing Internet access all day; create another firewall schedule that allows engineering access to the Internet only during their lunch break.
  By creating two different firewall schedules, you can block access for one group for a specified time period, and allow another group all-day access.
5 Group the firewall schedules together so that you can apply them both to a security policy.

6 Create a virtual IP address that will be used to allow Internet users access to a web server on your DMZ network.
7 In Policy > Policy > Policy, create the following:
  - a security policy that allows Internet users access to the web server
  - a security policy that applies the firewall schedule group for Internet access for the sales, marketing and engineering departments (this applies the zone)
  - a deny policy that blocks FTP downloads
8 With all the policies now in the list, arrange them so that the most important policies are first, and the least important are last. The list order is:
  - deny policy
  - security policy that allows Internet users access to the web server
  - security policy for sales, engineering and marketing that allows Internet access
  Now that all the policies are in the correct order, you need to test that all are working properly.
9 To verify that traffic is hitting the policies, verify that the packet count is increasing in the Count column of each of the policies in the policy list. Troubleshoot any issues using the diagnose sniffer and diagnose debug flow commands in the CLI.
  By testing that traffic is hitting the policies that you just created, you can see whether you need to solve any issues. When you use the diagnose commands, you can see detailed information about the traffic hitting the policy.
10 Back up the configuration after testing and troubleshooting.
  By backing up the changes you made to the configuration, you ensure that a current configuration of this FortiGate firewall is available at any time.

Understanding how a packet travels through the FortiGate unit

Directed by security policies, a FortiGate unit screens network traffic from the IP layer up through the application layer of the TCP/IP stack. The FortiGate firewall plays an important role in how the packet travels through the FortiGate unit out to its destination. The following explains how the packet travels through the FortiGate unit and how the FortiGate firewall plays a role in the life of a packet.

The FortiGate unit performs three types of security inspection:
- stateful inspection, which provides individual packet-based security within a basic session state
- flow-based inspection, which buffers packets and uses pattern matching to identify security threats
- proxy-based inspection, which reconstructs content passing through the FortiGate unit and inspects the content for security threats.

Each inspection component plays a role in the processing of a packet as it traverses the FortiGate unit en route to its destination. When you understand these inspections, you will understand the packet's journey through the FortiGate unit and how the FortiGate firewall helps the packet along to its destination.

For more information about how packets travel through the FortiGate unit, see the Troubleshooting chapter in the FortiOS Handbook. The following is a high-level description of how a packet travels through the FortiGate unit.

How packets flow in and out of the FortiGate unit

The following provides a high-level description of the steps a packet takes when it enters the FortiGate unit, travelling to its destination, the internal network. Similar steps occur for outbound traffic; they are just in reverse.

1 An incoming packet enters the external interface of the FortiGate unit to start its journey through to the internal network. This is called ingress. During ingress, the following processes occur:
  - DoS Sensor
  - IP integrity header checking
  - IPsec
  - Destination NAT (DNAT)
  - Routing
2 After the Routing process finishes, the stateful inspection engine processes the packet, and does the following:
  - Session Helpers
  - Management Traffic
  - SSL VPN
  - User Authentication
  - Traffic Shaping
  - Session Tracking
  - Policy lookup
3 If nothing results from the stateful inspection engine, the packet travels to the UTM scanning process. This process may have either a flow-based or proxy-based inspection engine that also processes the packet.
4 If nothing matches the UTM rules, the packet then travels to other processing steps, which include:
  - IPsec
  - NAT (Source NAT)
  - Routing
  - Internal Interface
5 After step 4 is finished, the packet travels out of the internal interface of the FortiGate unit, heading towards its final destination, the internal network. This is referred to as egress.
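The Policy lookup step of the stateful inspection engine, applied to the policy list assembled in steps 7 and 8 of the previous section, as an added Python model (not FortiOS code and not from the handbook): it performs first-match lookup with the implicit policy 0 deny, increments the Count column, applies the virtual IP's static destination NAT, and shows what happens when the deny policy is moved to the end of the list. The marketing and engineering ranges, the public VIP 203.0.113.10 and its mapped DMZ address 10.10.10.80 are constructed for the example; only the sales range comes from the chapter.

```python
"""Model of first-match security-policy lookup (added illustration, not FortiOS code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import Optional

# Firewall address objects as inclusive ranges. Only "sales" is taken from the chapter;
# the other ranges and the VIP are constructed for this example.
ADDRESSES = {
    "sales":       (ip_address("172.16.120.100"), ip_address("172.16.120.200")),
    "marketing":   (ip_address("172.16.121.1"),   ip_address("172.16.121.254")),   # constructed
    "engineering": (ip_address("172.16.122.1"),   ip_address("172.16.122.254")),   # constructed
    "all":         (ip_address("0.0.0.0"),        ip_address("255.255.255.255")),
    "web_vip":     (ip_address("203.0.113.10"),   ip_address("203.0.113.10")),     # constructed VIP
}
ZONES = {"departments": ["sales", "marketing", "engineering"]}       # the zone from step 2
SERVICES = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "FTP": ("tcp", 21), "ALL": ("any", 0)}
WEB_SERVER_DMZ = ip_address("10.10.10.80")   # constructed mapped address behind the VIP (step 6)


def in_address(obj: str, addr: IPv4Address) -> bool:
    """Resolve an address object or zone name and test whether addr belongs to it."""
    if obj in ZONES:
        return any(in_address(member, addr) for member in ZONES[obj])
    lo, hi = ADDRESSES[obj]
    return lo <= addr <= hi


def matches_service(svc: str, proto: str, port: int) -> bool:
    want_proto, want_port = SERVICES[svc]
    return want_proto == "any" or (want_proto == proto and want_port == port)


@dataclass
class Policy:
    id: int
    name: str
    srcaddr: str
    dstaddr: str
    service: str
    action: str                            # "accept" or "deny"
    dnat_to: Optional[IPv4Address] = None  # static NAT mapping carried by a VIP, if any
    count: int = 0                         # the Count column checked in step 9


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


@dataclass
class Verdict:
    action: str
    policy_id: int          # 0 means no policy matched: the implicit deny ("Security policy 0")
    dst_after_nat: IPv4Address


def lookup(policies: list[Policy], pkt: Packet) -> Verdict:
    """Walk the list top to bottom; the first matching policy decides the packet's fate."""
    for pol in policies:
        if (in_address(pol.srcaddr, pkt.src) and in_address(pol.dstaddr, pkt.dst)
                and matches_service(pol.service, pkt.proto, pkt.dport)):
            pol.count += 1
            return Verdict(pol.action, pol.id, pol.dnat_to or pkt.dst)
    return Verdict("deny", 0, pkt.dst)


def chapter_policy_list() -> list[Policy]:
    """The three policies from step 7, in the order step 8 prescribes (deny first)."""
    return [
        Policy(3, "block FTP downloads", "all", "all", "FTP", "deny"),
        Policy(1, "Internet to DMZ web server", "all", "web_vip", "HTTP", "accept", dnat_to=WEB_SERVER_DMZ),
        Policy(2, "departments to Internet", "departments", "all", "ALL", "accept"),
    ]


def verdict_for(policies: list[Policy], src: str, dst: str, proto: str, dport: int) -> tuple:
    v = lookup(policies, Packet(ip_address(src), ip_address(dst), proto, dport))
    return (v.action, v.policy_id, str(v.dst_after_nat))


if __name__ == "__main__":
    ordered = chapter_policy_list()
    print(verdict_for(ordered, "172.16.120.150", "198.51.100.7", "tcp", 21))   # sales FTP: denied by policy 3
    print(verdict_for(ordered, "198.51.100.7", "203.0.113.10", "tcp", 80))     # Internet to VIP: accepted, DNAT to DMZ
    print(verdict_for(ordered, "172.16.120.150", "198.51.100.7", "tcp", 443))  # sales HTTPS: accepted by policy 2
    print(verdict_for(ordered, "198.51.100.7", "172.16.120.150", "tcp", 22))   # unsolicited inbound: policy 0 deny
    print([(p.name, p.count) for p in ordered])                                # the Count column after the tests
    # Same three policies with the deny moved last: the broad accept now swallows the FTP traffic.
    misordered = ordered[1:] + ordered[:1]
    print(verdict_for(misordered, "172.16.120.150", "198.51.100.7", "tcp", 21))
```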

Figure 1: Packet flow
[Diagram: Packet flow: Ingress (Interface, DoS Sensor, IP Integrity Header Checking, IPsec, DNAT, Routing); stateful inspection, UTM inspection engines (IPS, VoIP Inspection, Data Leak Prevention, Email Filter, Web Filter, ICAP); IPsec, NAT (SNAT), Routing, Interface; Packet flow: Egress.]


Working with NAT in FortiOS

This section explains NAT and the NAT/Route mode of the FortiGate unit, as well as Transparent mode and its role with NAT. This section also explains the types of NAT that FortiOS supports, including combinations of NAT that you can configure in FortiOS. This section also includes information about Route mode and how it behaves in FortiOS.

The following topics are included in this section:
- NAT in FortiOS
- Types of NAT in FortiOS
- Combining types of NAT

NAT in FortiOS

Network address translation (NAT) translates one IP address (either a source IP address or destination IP address) into another IP address. NAT in FortiOS, however, can translate IP addresses in many different ways, providing the flexibility you need for your specific network requirements. For example, you can use the Central NAT table to help in translating multiple IP addresses.

When configuring NAT in FortiOS, you should also know how it works within the different modes that the FortiGate unit can be configured in.

This topic contains the following:
- NAT/Route mode
- Route mode
- Transparent mode

NAT/Route mode

In NAT/Route mode, the FortiGate unit is visible to the network it is connected to. All of its interfaces are on different subnets. Each interface must be configured with an IP address that is valid for the subnetwork it is connected to.

NAT/Route mode is typically used when the FortiGate unit is deployed as a gateway between private and public networks. In its default NAT mode configuration, the FortiGate unit functions as a firewall. Security policies control communications through the FortiGate unit to both the Internet and between internal networks. In NAT/Route mode, the FortiGate unit performs network address translation before IP packets are sent to the destination network. For example, a company has a FortiGate unit as its interface to the Internet. The FortiGate unit also acts as a router to multiple sub-networks within the company.

In Figure 2, the FortiGate unit is set to NAT/Route mode and is connected to a network. By using this mode, the FortiGate unit can have a designated port for the Internet, and the internal segments sit behind the FortiGate unit, invisible to public access. The FortiGate unit translates IP addresses passing through it to route the traffic to the correct subnet on the Internet.

Figure 2: An example of a FortiGate unit in NAT/Route mode on a network
[Diagram: WAN1 172.20.120.129 to the Internet; Port 1 192.168.1.1 to internal network 192.168.1.0/24; Port 2 10.10.10.1 to internal network 10.10.10.0/24; NAT policies controlling traffic between internal and external networks.]

Route mode

In Route mode, the FortiGate unit is only routing traffic, not translating the IP addresses. In this mode, the FortiGate unit acts similar to a switch, passing the packet along to the destination network. This mode is not to be confused with Transparent mode, in which the unit is invisible on the network; in Route mode, the FortiGate unit is visible to the network, but does only routing.

The FortiGate unit is used in Route mode whenever no NAT translation needs to be done. For example, you want to connect two separate subnets without using NAT.

You must select NAT/Route mode when configuring the FortiGate unit for Route mode.

Figure 3: An example of a FortiGate unit in Route mode on a network
[Diagram: private internal network 192.168.1.0/255.255.255.0 behind internal 192.168.1.99; wan1 172.20.120.141 with default route 172.20.120.2; dmz 10.10.10.1 to DMZ network 10.10.10.0/255.255.255.0.]

Transparent mode

In Transparent mode, the FortiGate unit is invisible to the network. All of its interfaces are on the same subnet and share the same IP address. If you want to configure the FortiGate unit in Transparent mode, all you need to do is configure a management IP address and a default route.

You would typically use Transparent mode on a private network behind an existing firewall or behind a router. In Transparent mode, the FortiGate unit functions as a firewall and can even perform NAT. Security policies control communications through the FortiGate unit to the Internet and internal network. When the FortiGate unit is in Transparent mode, traffic cannot pass through until you add security policies.

In Transparent mode, you can also perform NAT by creating a security policy or policies that translate the source addresses of packets passing through the FortiGate unit, as well as virtual IP addresses and/or IP pools. If you want NAT to be performed in Transparent mode, you must configure two management IP addresses that are on different subnets.

Figure 4: A FortiGate unit in Transparent mode
[Diagram: gateway to public network 204.23.1.5; WAN1; 10.10.10.2; security policies controlling traffic between internal and external networks.]
