advertisement
FortiGate-400 Installation and Configuration Guide Version 2.50 MR2
Firewall configuration
Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions used by the FortiGate unit to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to extract its source address, destination address, and service
(port number).
For the packet to be connected through the FortiGate unit, a firewall policy must have been added that matches the packet’s source address, destination address, and service. The policy directs the firewall action on the packet. The action can be to allow the connection, deny the connection, require authentication before the connection is allowed, or process the packet as an IPSec VPN packet. You can also add schedules to policies so that the firewall can process connections differently depending on the time of day or the day of the week, month, or year.
Each policy can be individually configured to route connections or to apply network address translation (NAT) to translate source and destination IP addresses and ports.
You can add IP pools to use dynamic NAT when the firewall translates source addresses. You can use policies to configure port address translation (PAT) through the FortiGate.
Content profiles can be added to policies to apply antivirus protection, web filtering, and email filtering to web, file transfer, and email services. You can create content profiles that perform one or any combination of the following actions:
• Apply antivirus protection to HTTP, FTP, SMTP, IMAP, or POP3 services.
• Quarantine files that are infected or that may be infected by a virus.
• Apply web filtering to HTTP services.
• Apply email filtering to IMAP and POP3 services.
You can also add logging to a firewall policy so that the FortiGate unit logs all connections that use this policy.
This chapter describes:
•
Default firewall configuration
•
•
•
•
•
•
•
•
•
FortiGate-400 Installation and Configuration Guide
169
Default firewall configuration Firewall configuration
Default firewall configuration
By default, the users on the network connected to port1 can connect through the
FortiGate unit to the network connected to port2. The firewall blocks all other connections. The firewall is configured with a default policy that matches any connection request received from the network connected to port1 and instructs the firewall to forward the connection to the network connected to port2.
Figure 4: Default firewall policy
•
•
•
•
•
•
•
Interfaces
1
2
3
Add policies to control connections between FortiGate interfaces and between the networks connected to these interfaces. By default, you can add policies for connections between the port1 to the port2 interfaces.
To add policies that include the port3 and port4/ha interfaces, you must use the following steps to add these interfaces to the firewall policy grid:
If they are down, bring the port3 and port4/ha interfaces up.
See
“Bringing up an interface” on page 135
Add IP addresses to port3 and port4/ha
See
“Changing an interface static IP address” on page 136 .
Add firewall addresses for these interfaces.
See
“Adding addresses” on page 179
.
VLAN subinterfaces
1
2
You can also add VLAN subinterfaces to the FortiGate configuration to control
connections between VLANs. For more information about VLANs, see “Configuring
To add policies that include VLAN subinterfaces, you must use the following steps to add the VLAN subinterfaces to the firewall policy grid:
Add VLAN subinterfaces to the FortiGate configuration.
See
“Adding VLAN subinterfaces” on page 141 .
Add firewall addresses for the VLAN subinterfaces.
See
“Adding addresses” on page 179
.
170
Fortinet Inc.
Firewall configuration Default firewall configuration
Zones
Addresses
1
2
3
You can add zones to the FortiGate configuration to group together related interfaces and VLAN subinterfaces to simplify firewall policy creation. For more information about zones, see
“Configuring zones” on page 133
.
To add policies for zones, you must use the following steps to add the zones to the firewall policy grid:
Add zones to the FortiGate configuration.
See
Add interfaces and VLAN subinterfaces to the zone.
See
“Adding interfaces to a zone” on page 134 and “Adding VLAN subinterfaces to a zone” on page 134 .
Add firewall addresses for the zone.
See
“Adding addresses” on page 179
.
To add policies between interfaces, VLAN subinterfaces and zones, the firewall configuration must contain addresses for each interface, VLAN subinterface, or zone.
By default the firewall configuration includes the addresses listed in Table 5 .
Table 5: Default addresses
Interface Address
Port1 Port1_All
Port2 Port2_All
Description
This address matches all addresses on the network connected to port1.
This address matches all addresses on the network connected to port2
The firewall uses these addresses to match the source and destination addresses of packets received by the firewall. The default policy matches all connections from the network connected to port1 because it includes the Port1_All address. The default policy also matches all connections to the network connected to port2 because it includes the Port2_All address.
You can add more addresses to each interface to improve the control you have over connections through the firewall. For more information about addresses, see
.
You can also add firewall policies that perform network address translation (NAT). To use NAT to translate destination addresses, you must add virtual IPs. Virtual IPs map addresses on one network to a translated address on another network. For more information about Virtual IPs, see
.
FortiGate-400 Installation and Configuration Guide
171
Adding firewall policies Firewall configuration
Services
Policies can also control connections based on the service or destination port number of packets. The default policy accepts connections to using any service or destination port number. The firewall is configured with over 40 predefined services. You can add these services to a policy for more control over the services that can be used by connections through the firewall. You can also add user-defined services. For more information about services, see
.
Schedules
Policies can also control connections based on the time of day or day of the week when the firewall receives the connection. The default policy accepts connections at any time. The firewall is configured with one schedule that accepts connections at any time. You can add more schedules to control when policies are active. For more
information about schedules, see “Schedules” on page 186 .
Content profiles
Content profiles can be added to policies to apply antivirus protection, web filtering, and email filtering to web, file transfer, and email services. The FortiGate unit includes the following default content profiles:
• Strict: to apply maximum content protection to HTTP, FTP, IMAP, POP3, and SMTP content traffic.
• Scan: to apply antivirus scanning to HTTP, FTP, IMAP, POP3, and SMTP content traffic.
• Web: to apply antivirus scanning and Web content blocking to HTTP content traffic.
• Unfiltered: to allow oversized files to pass through the FortiGate unit without scanned for viruses.
For more information about content profiles, see
“Content profiles” on page 197
.
Adding firewall policies
1
2
3
4
5
6
Add Firewall policies to control connections and traffic between FortiGate interfaces, zones and VLAN subinterfaces.
Go to Firewall > Policy.
Select the policy list to which you want to add the policy.
Select New to add a new policy.
You can also select Insert Policy before policy above a specific policy.
on a policy in the list to add the new
Configure the policy:
See
“Firewall policy options” on page 173 for information about policy options.
Select OK to add the policy.
Arrange policies in the policy list so that they have the results that you expect.
Arranging policies in a policy list is described in
“Configuring policy lists” on page 177 .
172
Fortinet Inc.
Firewall configuration
Figure 5: Adding a NAT/Route policy
Adding firewall policies
Firewall policy options
This section describes the options that you can add to firewall policies.
Source
Select an address or address group that matches the source address of the packet.
Before you can add this address to a policy, you must add it to the source interface. To
add an address, see “Addresses” on page 179
.
Destination
Select an address or address group that matches the destination address of the packet. Before you can add this address to a policy, you must add it to the destination
interface, VLAN subinterface, or zone. To add an address, see “Addresses” on page 179 .
FortiGate-400 Installation and Configuration Guide
173
Adding firewall policies Firewall configuration
For NAT/Route mode policies where the address on the destination network is hidden from the source network using NAT, the destination can also be a virtual IP that maps the destination address of the packet to a hidden destination address. See
Schedule
Select a schedule that controls when the policy is available to be matched with
connections. See “Schedules” on page 186 .
Service
Select a service that matches the service (port number) of the packet. You can select from a wide range of predefined services or add custom services and service groups.
See
Action
Select how the firewall should respond when the policy matches a connection attempt.
ACCEPT
DENY
ENCRYPT
Accept the connection. If you select ACCEPT, you can also configure NAT and Authentication for the policy.
Deny the connection. The only other policy option that you can configure is log traffic, to log the connections denied by this policy.
Make this policy an IPSec VPN policy. If you select ENCRYPT, you can select an AutoIKE key or Manual Key VPN tunnel for the policy and configure other IPSec settings. You cannot add authentication to an ENCRYPT policy.
ENCRYPT is not available in Transparent mode. See
“Configuring encrypt policies” on page 224 .
NAT
Configure the policy for NAT. NAT translates the source address and the source port of packets accepted by the policy. If you select NAT, you can also select Dynamic IP
Pool and Fixed Port. NAT is not available in Transparent mode.
Dynamic IP
Pool
Fixed Port
Select Dynamic IP Pool to translate the source address to an address randomly selected from an IP pool added to the destination interface of the policy. To add IP pools, see
Select Fixed Port to prevent NAT from translating the source port. Some applications do not function correctly if the source port is changed. If you select Fixed Port, you must also select Dynamic IP Pool and add a dynamic
IP pool address range to the destination interface of the policy. If you do not select Dynamic IP Pool, a policy with Fixed Port selected can only allow one connection at a time for this port or service.
VPN Tunnel
Select a VPN tunnel for an ENCRYPT policy. You can select an AutoIKE key or
Manual Key tunnel. VPN Tunnel is not available in Transparent mode.
174
Fortinet Inc.
Firewall configuration Adding firewall policies
Allow inbound Select Allow inbound so that users behind the remote VPN gateway can connect to the source address.
Allow outbound Select Allow outbound so that users can connect to the destination address behind the remote VPN gateway.
Inbound NAT Select Inbound NAT to translate the source address of incoming packets to the FortiGate internal IP address.
Outbound NAT Select Outbound NAT to translate the source address of outgoing packets to the FortiGate external IP address.
Traffic Shaping
Traffic Shaping controls the bandwidth available to and sets the priority of the traffic processed by the policy. Traffic Shaping makes it possible to control which policies have the highest priority when large amounts of data are moving through the
FortiGate device. For example, the policy for the corporate web server might be given higher priority than the policies for most employees’ computers. An employee who needs unusually high-speed Internet access could have a special outgoing policy set up with higher bandwidth.
If you set both guaranteed bandwidth and maximum bandwidth to 0 the policy does not allow any traffic.
Guaranteed
Bandwidth
You can use traffic shaping to guarantee the amount of bandwidth available through the firewall for a policy. Guarantee bandwidth (in Kbytes) to make sure that there is enough bandwidth available for a high-priority service.
Maximum
Bandwidth
You can also use traffic shaping to limit the amount of bandwidth available through the firewall for a policy. Limit bandwidth to keep less important services from using bandwidth needed for more important services.
Traffic Priority Select High, Medium, or Low. Select Traffic Priority so that the FortiGate unit manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server needed to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. The firewall provides bandwidth to lowpriority connections only when bandwidth is not needed for high-priority connections.
Authentication
Select Authentication and select a user group to require users to enter a user name and password before the firewall accepts the connection. Select the user group to control the users that can authenticate with this policy. To add and configure user
groups, see “Configuring user groups” on page 207
. You must add user groups before you can select Authentication.
You can select Authentication for any service. Users can authenticate with the firewall using HTTP, Telnet, or FTP. For users to be able to authenticate you must add an
HTTP, Telnet, or FTP policy that is configured for authentication. When users attempt to connect through the firewall using this policy they are prompted to enter a firewall username and password.
If you want users to authenticate to use other services (for example POP3 or IMAP) you can create a service group that includes the services for which you want to require authentication as well as HTTP, Telnet, and FTP. Then users could authenticate with the policy using HTTP, Telnet, or FTP before using the other service.
FortiGate-400 Installation and Configuration Guide
175
Adding firewall policies Firewall configuration
In most cases you should make sure that users can use DNS through the firewall without authentication. If DNS is not available users cannot connect to a web, FTP, or
Telnet server using a domain name.
Anti-Virus & Web filter
Enable antivirus protection and web filter content filtering for traffic controlled by this policy. You can select Anti-Virus & Web filter if Service is set to ANY, HTTP, SMTP,
POP3, IMAP, or FTP or to a service group that includes the HTTP, SMTP, POP3,
IMAP, or FTP services.
Select a content profile to configure how antivirus protection and content filtering is applied to the policy. See
“Content profiles” on page 197 .
Figure 6: Adding a Transparent mode policy
176
Fortinet Inc.
Firewall configuration Configuring policy lists
Log Traffic
Select Log Traffic to write messages to the traffic log whenever the policy processes a connection. For more information about logging, see
“Logging and reporting” on page 281 .
Comments
Optionally add a description or other information about the policy. The comment can be up to 63 characters long, including spaces.
Configuring policy lists
The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match. You must arrange policies in the policy list from more specific to more general.
For example, the default policy is a very general policy because it matches all connection attempts. When you create exceptions to this policy, you must add them to the policy list above the default policy. No policy below the default policy will ever be matched.
This section describes:
•
•
Changing the order of policies in a policy list
•
Enabling and disabling policies
Policy matching in detail
When the FortiGate unit receives a connection attempt at an interface, it must select a policy list to search through for a policy that matches the connection attempt. The
FortiGate unit chooses the policy list based on the source and destination addresses of the connection attempt.
The FortiGate unit then starts at the top of the selected policy list and searches down the list for the first policy that matches the connection attempt source and destination addresses, service port, and time and date at which the connection attempt was received. The first policy that matches is applied to the connection attempt. If no policy matches, the connection is dropped.
The default policy accepts all connection attempts from the network connected to port1 to the network connected to port2. From the network connected to port1, users can browse the web, use POP3 to get email, use FTP to download files through the firewall, and so on. If the default policy is at the top of the port1
-> port2 policy list, the firewall allows all connections from the network connected to port1 to the Internet because all connections match the default policy. If more specific policies are added to the list below the default policy, they are never matched.
FortiGate-400 Installation and Configuration Guide
177
Configuring policy lists Firewall configuration
A policy that is an exception to the default policy, for example, a policy to block FTP connections, must be placed above the default policy in the port1
-> port2 policy list. In this example, all FTP connection attempts from the internal network would then match the FTP policy and be blocked. Connection attempts for all other kinds of services would not match with the FTP policy but they would match with the default policy.
Therefore, the firewall would still accept all other connections from the internal network.
Note: Policies that require authentication must be added to the policy list above matching policies that do not; otherwise, the policy that does not require authentication is selected first.
Changing the order of policies in a policy list
1
2
3
4
Go to Firewall > Policy.
Select the policy list that you want to rearrange.
Choose a policy to move and select Move To to change its order in the policy list.
Type a number in the Move to field to specify where in the policy list to move the policy and select OK.
Enabling and disabling policies
You can enable and disable policies in the policy list to control whether the policy is active or not. The FortiGate unit matches enabled policies but does not match disabled policies.
1
2
3
1
2
3
Disabling a policy
Disable a policy to temporarily prevent the firewall from selecting the policy. Disabling a policy does not stop active communications sessions that have been allowed by the policy. To stop active communication sessions, see
.
Go to Firewall > Policy.
Select the policy list containing the policy to disable.
Clear the check box of the policy to disable.
Enabling a policy
Enable a policy that has been disabled so that the firewall can match connections with the policy.
Go to Firewall > Policy.
Select the policy list containing the policy to enable.
Select the check box of the policy to enable.
178
Fortinet Inc.
Firewall configuration
Addresses
Addresses
All policies require source and destination addresses. To add addresses to a policy, you must first add addresses to the address list for the interfaces, zones, or VLAN subinterfaces of the policy.
You can add, edit, and delete all firewall addresses as required. You can also organize related addresses into address groups to simplify policy creation.
A firewall address consists of an IP address and a netmask. This information can represent:
• The address of a subnet (for example, for a class C subnet,
IP address: 192.168.20.0 and Netmask: 255.255.255.0).
• A single IP address (for example, IP Address: 192.168.20.1 and
Netmask: 255.255.255.255)
• All possible IP addresses (represented by IP Address: 0.0.0.0 and Netmask:
0.0.0.0)
Note: IP address: 0.0.0.0 and Netmask: 255.255.255.255 is not a valid firewall address.
NO
This section describes:
•
•
•
•
Organizing addresses into address groups
Adding addresses
1
2
3
4
5
Go to Firewall > Address.
Select the interface, VLAN subinterface, or zone to which to add the address.
Select New to add a new address.
Enter an Address Name to identify the address.
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Spaces and other special characters are not allowed.
Enter the IP Address.
The IP address can be:
• The IP address of a single computer (for example, 192.45.46.45).
• The IP address of a subnetwork (for example, 192.168.1.0 for a class C subnet).
• 0.0.0.0 to represent all possible IP addresses
FortiGate-400 Installation and Configuration Guide
179
Addresses Firewall configuration
6
7
Enter the NetMask.
The netmask should correspond to the type of address that you are adding. For example:
• The netmask for the IP address of a single computer should be 255.255.255.255.
• The netmask for a class A subnet should be 255.0.0.0.
• The netmask for a class B subnet should be 255.255.0.0.
• The netmask for a class C subnet should be 255.255.255.0.
• The netmask for all addresses should be 0.0.0.0
Note: To add an address to represent any address on a network set the IP Address to 0.0.0.0 and the Netmask to 0.0.0.0
To add an address
Select OK to add the address.
Figure 7: Adding an internal address
180
Editing addresses
1
2
3
4
Edit an address to change its IP address and netmask. You cannot edit the address name. To change the address name, you must delete the address entry and then add the address again with a new name.
Go to Firewall > Address.
Select the interface list containing the address that you want to edit.
Choose an address to edit and select Edit Address .
Make the required changes and select OK to save your changes.
Deleting addresses
1
2
Deleting an address removes it from an address list. To delete an address that has been added to a policy, you must first remove the address from the policy.
Go to Firewall > Address.
Select the interface list containing the address that you want to delete.
You can delete any listed address that has a Delete Address icon .
Fortinet Inc.
Firewall configuration Addresses
3
4
Choose an address to delete and select Delete .
Select OK to delete the address.
Organizing addresses into address groups
1
2
3
4
5
6
You can organize related addresses into address groups to make it easier to add policies. For example, if you add three addresses and then add them to an address group, you only have to add one policy using the address group rather than a separate policy for each address.
You can add address groups to any interface, VLAN subinterface, or zone. The address group can only contain addresses from that interface, VLAN subinterface, or zone. Address groups are available in interface, VLAN subinterface, or zone source or destination address lists.
Address groups cannot have the same names as individual addresses. If an address group is included in a policy, it cannot be deleted unless it is first removed from the policy.
Go to Firewall > Address > Group.
Select the interface, VLAN subinterface, or zone to which to add the address group.
Enter a Group Name to identify the address group.
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
To add addresses to the address group, select an address from the Available
Addresses list and select the right arrow to add it to the Members list.
To remove addresses from the address group, select an address from the Members list and select the left arrow to remove it from the group.
Select OK to add the address group.
Figure 8: Adding an internal address group
FortiGate-400 Installation and Configuration Guide
181
Services Firewall configuration
Services
Use services to control the types of communication accepted or denied by the firewall.
You can add any of the predefined services to a policy. You can also create your own custom services and add services to service groups.
This section describes:
•
•
Providing access to custom services
•
Predefined services
The FortiGate predefined firewall services are listed in
services to any policy.
Table 6: FortiGate predefined services
Service name
ANY
GRE
AH
ESP
AOL
BGP
DHCP-Relay
DNS
FINGER
FTP
GOPHER
Description
Match connections on any port. A connection that uses any of the predefined services is allowed through the firewall.
Generic Routing Encapsulation. A protocol that allows an arbitrary network protocol to be transmitted over any other arbitrary network protocol, by encapsulating the packets of the protocol within GRE packets.
Authentication Header. AH provides source host authentication and data integrity, but not secrecy. This protocol is used for authentication by IPSec remote gateways set to aggressive mode.
Encapsulating Security Payload. This service is used by manual key and AutoIKE VPN tunnels for communicating encrypted data. AutoIKE key VPN tunnels use ESP after establishing the tunnel using IKE.
AOL instant messenger protocol.
Border Gateway Protocol routing protocol.
BGP is an interior/exterior routing protocol.
Dynamic Host Configuration Protocol (DHCP) allocates network addresses and delivers configuration parameters from DHCP servers to hosts.
Domain name service for translating domain names into IP addresses.
Protocol all tcp tcp udp
A network service that provides information about users.
FTP service for transferring files.
Gopher communication service. Gopher organizes and displays Internet server contents as a hierarchically structured list of files.
tcp udp tcp tcp tcp
Port all
47
51
50
5190-5194
179
67
53
53
79
21
70
182
Fortinet Inc.
Firewall configuration Services
Table 6: FortiGate predefined services (Continued)
Service name
H323
HTTP
HTTPS
IKE
IMAP
Internet-Locator-
Service
IRC
L2TP
LDAP
NetMeeting
NFS
NNTP
NTP
OSPF
PC-Anywhere
PING
POP3
PPTP
QUAKE
Description
H.323 multimedia protocol. H.323 is a standard approved by the International
Telecommunication Union (ITU) that defines how audiovisual conferencing data is transmitted across networks.
HTTP is the protocol used by the word wide web for transferring data for web pages.
HTTP with secure socket layer (SSL) service for secure communication with web servers.
IKE is the protocol to obtain authenticated keying material for use with ISAKMP for
IPSEC.
Internet Message Access Protocol is a protocol used for retrieving email messages.
Internet Locator Service includes LDAP, User
Locator Service, and LDAP over TLS/SSL.
Internet Relay Chat allows people connected to the Internet to join live discussions.
L2TP is a PPP-based tunnel protocol for remote access.
Lightweight Directory Access Protocol is a set of protocols used to access information directories.
NetMeeting allows users to teleconference using the Internet as the transmission medium.
Network File System allows network users to access shared files stored on computers of different types.
Network News Transport Protocol is a protocol used to post, distribute, and retrieve USENET messages.
Network time protocol for synchronizing a computer’s time with a time server.
Open Shortest Path First (OSPF) routing protocol. OSPF is a common link state routing protocol.
PC-Anywhere is a remote control and file transfer protocol.
Packet Internet Groper is a utility to determine whether a specific host is accessible by its IP address.
Post office protocol email protocol for downloading email from a POP3 server.
Point-to-Point Tunneling Protocol is a protocol that allows corporations to extend their own corporate network through private tunnels over the public Internet.
For connections used by the popular Quake multi-player computer game.
Protocol tcp tcp tcp udp tcp tcp tcp tcp tcp tcp tcp tcp tcp udp icmp tcp tcp udp
Port
1720, 1503
80
443
500
143
389
6660-6669
1701
389
1720
111, 2049
119
123
89
5632
8
110
1723
26000,
27000,
27910,
27960
FortiGate-400 Installation and Configuration Guide
183
Services Firewall configuration
Table 6: FortiGate predefined services (Continued)
Service name
RAUDIO
RLOGIN
RIP
SMTP
SNMP
SSH
SYSLOG
TALK
TCP
TELNET
TFTP
UDP
UUCP
VDOLIVE
WAIS
WINFRAME
X-WINDOWS
Description
For streaming real audio multimedia traffic.
Rlogin service for remotely logging into a server.
Routing Information Protocol is a common distance vector routing protocol.
For sending mail between email servers on the
Internet.
Simple Network Management Protocol is a set of protocols for managing complex networks
SSH service for secure connections to computers for remote management.
Syslog service for remote logging.
A protocol supporting conversations between two or more users.
All TCP ports.
Telnet service for connecting to a remote computer to run commands.
Trivial file transfer protocol, a simple file transfer protocol similar to FTP but with no security features.
All UDP ports.
Unix to Unix copy utility, a simple file copying protocol.
For VDO Live streaming multimedia traffic.
Wide Area Information Server. An Internet search protocol.
For WinFrame communications between computers running Windows NT.
For remote communications between an
X-Window server and X-Window clients.
Protocol udp tcp udp tcp tcp udp tcp udp udp udp tcp tcp udp udp udp tcp tcp tcp tcp
0-65535
540
7000-7010
210
1494
6000-6063
Providing access to custom services
1
2
3
4
Add a custom service if you need to create a policy for a service that is not in the predefined service list.
Go to Firewall > Service > Custom.
Select New.
Enter a Name for the service. This name appears in the service list used when you add a policy.
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
Select the Protocol (either TCP or UDP) used by the service.
Port
7070
513
520
25
161-162
161-162
22
22
514
517-518
0-65535
23
69
184
Fortinet Inc.
Firewall configuration Services
5
6
7
Specify a Source and Destination Port number range for the service by entering the low and high port numbers. If the service uses one port number, enter this number in both the low and high fields.
If the service has more than one port range, select Add to specify additional protocols and port ranges.
If you mistakenly add too many port range rows, select Delete to remove each extra row.
Select OK to add the custom service.
You can now add this custom service to a policy.
Grouping services
1
2
3
4
5
6
To make it easier to add policies, you can create groups of services and then add one policy to provide or block access for all the services in the group. A service group can contain predefined services and custom services in any combination. You cannot add service groups to another service group.
Go to Firewall > Service > Group.
Select New.
Enter a Group Name to identify the group.
This name appears in the service list when you add a policy and cannot be the same as a predefined service name.
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
To add services to the service group, select a service from the Available Services list and select the right arrow to copy it to the Members list.
To remove services from the service group, select a service from the Members list and select the left arrow to remove it from the group.
Select OK to add the service group.
Figure 9: Adding a service group
FortiGate-400 Installation and Configuration Guide
185
Schedules Firewall configuration
Schedules
Use scheduling to control when policies are active or inactive. You can create one-time schedules and recurring schedules. You can use one-time schedules to create policies that are effective once for the period of time specified in the schedule.
Recurring schedules repeat weekly. You can use recurring schedules to create policies that are effective only at specified times of the day or on specified days of the week.
This section describes:
•
•
•
Creating one-time schedules
1
2
3
4
5
6
You can create a one-time schedule that activates or deactivates a policy for a specified period of time. For example, your firewall might be configured with the default policy that allows access to all services on the Internet at all times. You can add a one-time schedule to block access to the Internet during a holiday period.
Go to Firewall > Schedule > One-time.
Select New.
Enter a Name for the schedule.
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
Set the Start date and time for the schedule.
Set Start and Stop times to 00 for the schedule to be active for the entire day.
Set the Stop date and time for the schedule.
One-time schedules use the 24-hour clock.
Select OK to add the one-time schedule.
Figure 10: Adding a one-time schedule
186
Fortinet Inc.
Firewall configuration Schedules
Creating recurring schedules
1
2
3
4
5
6
You can create a recurring schedule that activates or deactivates policies at specified times of the day or on specified days of the week. For example, you might want to prevent Internet use outside of working hours by creating a recurring schedule.
If you create a recurring schedule with a stop time that occurs before the start time, the schedule will start at the start time and finish at the stop time on the next day. You can use this technique to create recurring schedules that run from one day to the next.
You can also create a recurring schedule that runs for 24 hours by setting the start and stop times to the same time.
Go to Firewall > Schedule > Recurring.
Select New to create a new schedule.
Enter a Name for the schedule.
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
Select the days of the week on which the schedule should be active.
Set the Start and Stop hours in between which the schedule should be active.
Recurring schedules use the 24-hour clock.
Select OK to save the recurring schedule.
Figure 11: Adding a recurring schedule
FortiGate-400 Installation and Configuration Guide
187
Virtual IPs Firewall configuration
Adding a schedule to a policy
6
7
4
5
1
2
3
After you have created schedules, you can add them to policies to schedule when the policies are active. You can add the new schedules to policies when you create the policy, or you can edit existing policies and add a new schedule to them.
Go to Firewall > Policy.
Select the tab corresponding to the type of policy to add.
Select New to add a policy or select Edit to edit a policy to change its schedule.
Configure the policy as required.
Add a schedule by selecting it from the Schedule list.
Select OK to save the policy.
Arrange the policy in the policy list to have the effect that you expect.
For example, to use a one-time schedule to deny access to a policy, add a policy that matches the policy to be denied in every way. Choose the one-time schedule that you added and set Action to DENY. Then place the policy containing the one-time schedule in the policy list above the policy to be denied.
Virtual IPs
Use virtual IPs to access IP addresses on a destination network that are hidden from the source network by NAT security policies. To allow connections between these networks, you must create a mapping between an address on the source network and the real address on the destination network. This mapping is called a virtual IP.
For example, if the computer hosting your web server is located on the network connected to port3, it could have a private IP address such as 10.10.10.3. If port2 connects to the Internet, to get packets from the Internet to the web server, you must have an external address for the web server on the Internet. You must then add a virtual IP to the firewall that maps the external IP address of the web server to the actual address of the web server on the port3 network. To allow connections from the
Internet to the web server, you must then add a port2
-> port3 firewall policy and set
Destination to the virtual IP.
You can create two types of virtual IPs:
Static NAT Used in to translate an address on a source network to a hidden address on a destination network. Static NAT translates the source address of return packets to the address on the source network.
Port Forwarding Used to translate an address and a port number on a source network to a hidden address and, optionally, a different port number on a destination network. Using port forwarding you can also route packets with a specific port number and a destination address that matches the IP address of the interface that receives the packets. This technique is called port forwarding or port address translation (PAT). You can also use port forwarding to change the destination port of the forwarded packets.
188
Fortinet Inc.
Firewall configuration Virtual IPs
This section describes:
•
•
Adding port forwarding virtual IPs
•
Adding policies with virtual IPs
Adding static NAT virtual IPs
5
6
1
2
3
4
Go to Firewall > Virtual IP.
Select New to add a virtual IP.
Enter a Name for the virtual IP.
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
Select the virtual IP External Interface:
The External Interface is the interface connected to the source network that receives the packets to be forwarded to the destination network.
You can select a firewall interface or a VLAN subinterface.
Make sure Type is set to Static NAT.
In the External IP Address field, enter the external IP address to be mapped to an address on the destination network.
For example, if the virtual IP provides access from the Internet to a web server on a destination network, the external IP address must be a static IP address obtained from your ISP for your web server. This address must be a unique address that is not used by another host and cannot be the same as the IP address of the External Interface
selected in step 4 . However, this address must be routed to this interface.
Figure 12: Adding a static NAT virtual IP
7 In the Map to IP field, enter the real IP address on the destination network, for example, the IP address of a web server on an internal network.
FortiGate-400 Installation and Configuration Guide
189
Virtual IPs Firewall configuration
Note: The firewall translates the source address of outbound packets from the host with the
Map to IP address to the virtual IP External IP Address, instead of the firewall external address.
8 Select OK to save the virtual IP.
You can now add the virtual IP to firewall policies.
Adding port forwarding virtual IPs
10
11
5
6
1
2
3
4
7
8
9
Go to Firewall > Virtual IP.
Select New to add a virtual IP.
Enter a Name for the virtual IP.
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
Select the virtual IP External Interface. The External Interface is the interface connected to the source network that receives the packets to be forwarded to the destination network.
You can select a firewall interface or a VLAN subinterface.
Change Type to Port Forwarding.
In the External IP Address field, enter the external IP address to be mapped to an address on the destination zone.
You can set the External IP Address to the IP address of external interface selected in step
For example, if the virtual IP provides access from the Internet to a server on your internal network, the External IP Address must be a static IP address obtained from your ISP for this server. This address must be a unique address that is not used by another host. However, this address must be routed to the External Interface selected in step
Enter the External Service Port number for which to configure port forwarding.
The external service port number must match the destination port of the packets to be forwarded. For example, if the virtual IP provides access from the Internet to a Web server, the external service port number would be 80 (the HTTP port).
In Map to IP, enter the real IP address on the destination network.
For example, the real IP address could be the IP address of a web server on an internal network.
Set Map to Port to the port number to be added to packets when they are forwarded.
If you do not want to translate the port, enter the same number as the External Service
Port.
If you want to translate the port, enter the port number to which to translate the destination port of the packets when they are forwarded by the firewall.
Select the protocol to be used by the forwarded packets.
Select OK to save the port forwarding virtual IP.
190
Fortinet Inc.
Firewall configuration
Figure 13: Adding a port forwarding virtual IP
Virtual IPs
Adding policies with virtual IPs
1
2
3
Use the following procedure to add a policy that uses a virtual IP to forward packets.
Go to Firewall > Policy.
Select the type of policy to add.
• The source interface must match the interface selected in the External Interface list.
• The destination interface must match the interface connected to the network with the Map to IP address.
Use the following information to configure the policy.
Source
Destination
Schedule
Service
Action
NAT
Select the source address from which users can access the server.
Select the virtual IP.
Select a schedule as required.
Select the service that matches the Map to Service that you selected for the port-forwarding virtual IP.
Set action to ACCEPT to accept connections to the internal server.
You can also select DENY to deny access.
Select NAT if the firewall is protecting the private addresses on the destination network from the source network.
FortiGate-400 Installation and Configuration Guide
191
IP pools Firewall configuration
4
Authentication Optionally select Authentication and select a user group to require users to authenticate with the firewall before accessing the server using port forwarding.
Log Traffic
Anti-Virus & Web filter
Select these options to log port-forwarded traffic and apply antivirus and web filter protection to this traffic.
Select OK to save the policy.
IP pools
An IP pool (also called a dynamic IP pool) is a range of IP addresses added to a firewall interface. If you add IP pools to an interface, you can select Dynamic IP Pool when you configure a policy with the destination set to this interface. You can add an
IP pool if you want to add NAT mode policies that translate source addresses to addresses randomly selected from the IP pool rather than being limited to the IP address of the destination interface.
The addresses in the IP pool must be on the same subnet as the IP address of the interface. For example, if the IP address of a FortiGate interface is 192.168.1.99, a valid IP pool could start IP at 192.168.1.10 and end at 192.168.1.20. This IP pool would give the firewall 11 addresses to select from when translating the source address.
The addresses in the IP pool range cannot conflict with other addresses on the same network as the interface for which you are adding the IP pool.
You can add multiple IP pools to any interface, but only the first IP pool is used by the
Firewall.
This section describes:
•
•
IP Pools for firewall policies that use fixed ports
•
Adding an IP pool
3
4
1
2
5
To add an IP pool:
Go to Firewall > IP Pool.
Select the interface to which to add the IP pool.
You can select a firewall interface or a VLAN subinterface.
Select New to add a new IP pool to the selected interface.
Enter the Start IP and End IP addresses for the range of addresses in the IP pool.
The Start IP and End IP must define the start and end of an address range. The Start
IP must be lower than the End IP. The Start IP and End IP must be on the same subnet as the IP address of the interface for which you are adding the IP pool.
Select OK to save the IP pool.
192
Fortinet Inc.
Firewall configuration
Figure 14: Adding an IP Pool
IP/MAC binding
IP Pools for firewall policies that use fixed ports
Some network configurations will not operate correctly if a NAT policy translates the source port of packets used by the connection. NAT translates source ports to keep track of connections for a particular service. You can select fixed port for NAT policies to prevent source port translation. However, selecting fixed port means that only one connection can be supported through the firewall for this service. To be able to support multiple connections, you can add an IP pool to the destination interface, and then select Dynamic P pool in the policy. The firewall randomly selects an IP address from the IP pool and assigns it to each connection. In this case the number of connections that the firewall can support is limited by the number of IP addresses in the IP pool.
IP pools and dynamic NAT
You can use IP pools for dynamic NAT. For example, your organization may have purchased a range of Internet addresses, but you may have only one Internet connection: the external interface of your FortiGate unit.
You can assign one of your organization’s Internet IP addresses to the external interface of your FortiGate unit. If your FortiGate unit is operating in NAT/Route mode, all connections from your network to the Internet appear to come from this IP address.
If you want connections to originate from all of your Internet IP addresses, you can add this address range to an IP pool for the external interface. Then you can select
Dynamic IP Pool for all policies with the external interface as the destination. For each connection the firewall dynamically selects an IP address from the IP pool to be the source address for the connection. As a result connections to the Internet will appear to be originating from all of the IP addresses in the IP pool.
IP/MAC binding
IP/MAC binding protects the FortiGate unit and your network from IP spoofing attacks.
IP spoofing attempts to use the IP address of a trusted computer to connect to or through the FortiGate unit from a different computer. The IP address of a computer can easily be changed to a trusted address, but MAC addresses are added to
Ethernet cards at the factory and cannot easily be changed.
FortiGate-400 Installation and Configuration Guide
193
IP/MAC binding Firewall configuration
You can enter the static IP addresses and corresponding MAC addresses of trusted computers in the Static IP/MAC table.
IP/MAC binding can be enabled for packets connecting to the firewall or passing through the firewall.
Note: If you enable IP/MAC binding and change the IP address of a computer with an IP or
MAC address in the IP/MAC list, you must also change the entry in the IP/MAC list or the computer will not have access to or through the FortiGate unit. You must also add the IP/MAC address pair of any new computer that you add to your network or this computer will not have access to or through the FortiGate unit.
This section describes:
•
Configuring IP/MAC binding for packets going through the firewall
•
Configuring IP/MAC binding for packets going to the firewall
•
•
Viewing the dynamic IP/MAC list
•
Configuring IP/MAC binding for packets going through the firewall
1
2
3
4
Use the following procedure to use IP/MAC binding to filter packets that would normally be allowed through the firewall by a firewall policy.
Go to Firewall > IP/MAC Binding > Setting.
Select Enable IP/MAC binding going through the firewall.
Go to Firewall > IP/MAC Binding > Static IP/MAC.
Select New to add IP/MAC binding pairs to the IP/MAC binding list.
All packets that would normally be allowed through the firewall by a firewall policy are first compared with the entries in the IP/MAC binding list. If a match is found, then the firewall attempts to match the packet with a policy.
For example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:78:90:ab:cd is added to the
IP/MAC binding list:
• A packet with IP address 1.1.1.1 and MAC address 12:34:56:78:90:ab:cd is allowed to go on to be matched with a firewall policy.
• A packet with IP 1.1.1.1 but with a different MAC address is dropped immediately to prevent IP spoofing.
• A packet with a different IP address but with a MAC address of
12:34:56:78:90:ab:cd is dropped immediately to prevent IP spoofing.
• A packet with both the IP address and MAC address not defined in the IP/MAC binding table:
• is allowed to go on to be matched with a firewall policy if IP/MAC binding is set to Allow traffic,
• is blocked if IP/MAC binding is set to Block traffic.
194
Fortinet Inc.
Firewall configuration IP/MAC binding
Configuring IP/MAC binding for packets going to the firewall
1
2
3
4
Use the following procedure to use IP/MAC binding to filter packets that would normally connect with the firewall (for example, when an administrator is connecting to the FortiGate unit for management).
Go to Firewall > IP/MAC Binding > Setting.
Select Enable IP/MAC binding going to the firewall.
Go to Firewall > IP/MAC Binding > Static IP/MAC.
Select New to add IP/MAC binding pairs to the IP/MAC binding list.
All packets that would normally connect to the firewall are first compared with the entries in the IP/MAC binding table.
For example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:78:90:ab:cd is added to the
IP/MAC binding list:
• A packet with IP address 1.1.1.1 and MAC address 12:34:56:78:90:ab:cd is allowed to connect to the firewall.
• A packet with IP 1.1.1.1 but with a different MAC address is dropped immediately to prevent IP spoofing.
• A packet with a different IP address but with a MAC address of
12:34:56:78:90:ab:cd is dropped immediately to prevent IP spoofing.
• A packet with both the IP address and MAC address not defined in the IP/MAC binding table:
• is allowed to connect to the firewall if IP/MAC binding is set to Allow traffic,
• is blocked if IP/MAC binding is set to Block traffic.
Adding IP/MAC addresses
5
6
1
2
3
4
Go to Firewall > IP/MAC Binding > Static IP/MAC.
Select New to add an IP address/MAC address pair.
Enter the IP address and the MAC address.
You can bind multiple IP addresses to the same MAC address. You cannot bind multiple MAC addresses to the same IP address.
However, you can set the IP address to 0.0.0.0 for multiple MAC addresses. This means that all packets with these MAC addresses are matched with the IP/MAC binding list.
Similarly, you can set the MAC address to 00:00:00:00:00:00 for multiple IP addresses. This means that all packets with these IP addresses are matched with the
IP/MAC binding list.
Enter a Name for the new IP/MAC address pair.
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
Select Enable to enable IP/MAC binding for the IP/MAC pair.
Select OK to save the IP/MAC binding pair.
FortiGate-400 Installation and Configuration Guide
195
IP/MAC binding Firewall configuration
Viewing the dynamic IP/MAC list
1 Go to Firewall > IP/MAC Binding > Dynamic IP/MAC.
Enabling IP/MAC binding
1
2
!
3
4
5
Caution: Make sure that you have added the IP/MAC Address pair of your management computer before enabling IP/MAC binding.
Go to Firewall > IP/MAC Binding > Setting.
Select Enable IP/MAC binding going through the firewall to turn on IP/MAC binding for packets that could be matched by policies.
Select Enable IP/MAC binding going to the firewall to turn on IP/MAC binding for packets connecting to the firewall.
Configure how IP/MAC binding handles packets with IP and MAC addresses that are not defined in the IP/MAC list.
Select Allow traffic to allow all packets with IP and MAC address pairs that are not added to the IP/MAC binding list.
Select Block traffic to block packets with IP and MAC address pairs that are not added to the IP/MAC binding list.
Select Apply to save your changes.
Figure 15: IP/MAC settings
196
Fortinet Inc.
Firewall configuration Content profiles
Content profiles
Use content profiles to apply different protection settings for content traffic controlled by firewall policies. You can use content profiles to:
• Configure antivirus protection for HTTP, FTP, POP3, SMTP, and IMAP policies
• Configure web filtering for HTTP policies
• Configure email filtering for IMAP and POP3 policies
• Configure oversized file and email blocking for HTTP, FTP, POP3, SMTP, and
IMAP policies
• Passing fragmented email for POP3, SMTP, and IMAP policies
Using content profiles you can build up protection configurations that can be easily applied to different types of Firewall policies. This allows you to customize different types and different levels of protection for different firewall policies.
For example, while traffic between internal and external addresses might need strict protection, traffic between trusted internal addresses might need moderate protection.
You can configure policies for different traffic services to use the same or different content profiles.
Content profiles can be added to NAT/Route mode and Transparent mode policies.
•
•
•
Adding a content profile to a policy
Default content profiles
The FortiGate unit has the following four default content profiles under Firewall >
Content Profile. You can use these existing content profiles or create your own:
Strict
Scan
Web
Unfiltered
To apply maximum content protection to HTTP, FTP, IMAP, POP3, and
SMTP content traffic. You would not use the strict content profile under normal circumstances, but it is available if you are having extreme problems with viruses and require maximum content screening protection.
Apply antivirus scanning to HTTP, FTP, IMAP, POP3, and SMTP content traffic. Quarantine is also selected for all content services. On FortiGate models with a hard drive, if antivirus scanning finds a virus in a file, the file is quarantined on the FortiGate hard disk. If required, system administrators can recover quarantined files.
Apply antivirus scanning and Web content blocking to HTTP content traffic.
You can add this content profile to firewall policies that control HTTP traffic.
Use the unfiltered content profile if you do not want to apply any content protection to content traffic. You can add this content profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.
Adding a content profile
1
2
If the default content profiles do not provide the protection that you require, you can create new content profiles customized to your requirements.
Go to Firewall > Content Profile.
Select New.
FortiGate-400 Installation and Configuration Guide
197
Content profiles Firewall configuration
3
4
Type a Profile Name.
Enable antivirus protection options.
Anti Virus Scan
File Block
Quarantine
Scan web, FTP, and email traffic for viruses and worms. See “Antivirus scanning” on page 260 .
Delete files with blocked file patterns even if they do not contain viruses. You should only enable file blocking when a virus has been found that is so new that virus scanning does not detect it. See
.
Quarantine blocked and infected files according to the quarantine configuration.
5
6
7
8
Note: If both virus Scan and File Block are enabled, the FortiGate unit blocks files that match enabled file patterns before they are scanned for viruses.
Enable Web filtering options.
Web URL Block Block unwanted web pages and web sites. This option adds Fortinet
URL blocking (see
“URL blocking” on page 269 ) and Cerberian URL
filtering (see “Using the Cerberian web filter” on page 272
) to HTTP traffic accepted by a policy.
Web Content Block Block web pages that contain unwanted words or phrases. See
“Content blocking” on page 268 .
Web Script Filter
Web Exempt List
Remove scripts from web pages. See
“Script filtering” on page 274
.
Exempt URLs from web filtering and virus scanning. See
Enable Email filter protection options.
Email Block List
Email Exempt List
Add a subject tag to email from unwanted addresses. See
“Email block list” on page 279 .
Exempt sender address patterns from email filtering. See
“Email exempt list” on page 279
.
Email Content Block Add a subject tag to email that contains unwanted words or phrases.
See “Email banned word list” on page 278 .
Enable fragmented email and oversized file and email options.
Oversized File/Email
Block
Pass Fragmented
Block or pass files and email that exceed thresholds configured as a percent of system memory. See
“Blocking oversized files and emails” on page 266 .
Allow email messages that have been fragmented to bypass antivirus
scanning. See “Exempting fragmented email from blocking” on page 266
.
Select OK.
198
Fortinet Inc.
Firewall configuration
Figure 16: Example content profile
Content profiles
Adding a content profile to a policy
You can add content profiles to policies with action set to allow or encrypt and with
Service set to ANY, HTTP, FTP, IMAP, POP3, SMTP, or a service group that includes these services.
5
6
3
4
7
8
1
2
Go to Firewall > Policy.
Select a policy list that contains policies to which to add a content profile.
For example, to enable network protection for files downloaded by internal network users from the web, select an internal to external policy list.
.
Select New to add a new policy, or choose a policy and select Edit
Select Anti-Virus & Web filter.
Select a content profile.
Configure the remaining policy settings if required.
Select OK.
Repeat this procedure for any policies for which to enable network protection.
FortiGate-400 Installation and Configuration Guide
199
Content profiles Firewall configuration
200
Fortinet Inc.
advertisement
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
