Lesson Overview
Firewall Policies
Objectives
• Identify components of firewall policies
• Identify how FortiGate matches traffic to firewall policies
What Are Firewall Policies?
• Policies define:
Which traffic matches them
How to process traffic that matches
• When a new IP session packet arrives, FortiGate:
Starts at the top of the list to look for a policy match
Applies the first matching policy
• Implicit Deny
No matching policy? FortiGate drops the packet
Components and Policy Types
• Local In Policy: origin and destination is FortiGate itself
• Multicast
How Are Policy Matches Determined?
(Figure: policy matching criteria)
• Incoming and outgoing interface
• Source: IP address, user, device
• Action = ACCEPT or DENY
• Logging
Simplify—Interfaces and Zones
• Incoming Interface and Outgoing Interface can be interface(s) or a zone
Zone: Logical group of interfaces
• To match policies with traffic, select one (or more) interfaces or any interface
Selecting Interfaces or Any Interface
• Disabled by default
Cannot select multiple interfaces or any interface in firewall policy from the GUI
• Can be made visible in the GUI
Matching Source
• Must specify at least one source: address; FQDN; user (LDAP, RADIUS, FSSO)
Device Identification—Agentless vs. Agent
• FortiClient software
• SIP user agent
• FortiOS-VM detection
FortiOS-VM vendor ID in IKE messages
FortiOS-VM vendor ID in FortiGuard filter requests
Device Identification
• Source Device type enables Device Detection on the source interface(s) of that policy
Network > Interfaces: can enable Active scanning
Policy & Objects > IPv4 Policy
Endpoint Control
• FortiGate can control FortiClient settings through FortiClient profiles and registration
• Enable FortiTelemetry on FortiGate interface(s) for registration
Device Identification: Device List (GUI and CLI)
• Detected devices are saved in the FortiGate flash drive for 28 days
A device expires and is removed from the Device Inventory list if no traffic is seen for that device
Can change the duration on the CLI
Policy & Objects > IPv4 Policy (source options shown: Address, User, Device, Internet Service)
Matching Destination
Like source, destination criteria can use:
• Address objects:
Subnet (IP or netmask)
IP address or address range
FQDN
DNS query used to resolve FQDN
Geography
• Country defines addresses by ISP's geographical location
Database updated periodically through FortiGuard
Schedules
• Recurring: happens every time during specified day(s) of the week
• One-time: happens only once
Matching Service
• Service determines matching transmission protocol (UDP, TCP, and so on) and port number
• Can be predefined or custom
• ALL matches all ports and protocols
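An added illustration (not Fortinet's code) of the matching sequence the lesson describes across the interface, source, destination, schedule and service slides: policies are walked top-down, the first one whose criteria all match wins, and a packet that matches nothing falls to the implicit deny. The zone, policy table and packets are constructed sample data; interface names and the `ALL`/`all` wildcards are assumptions modelled on the GUI labels.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample zone: a zone is a logical group of interfaces.
ZONES = {"internal_zone": {"port2", "port3"}}

@dataclass
class Policy:
    id: int                   # assigned by the system; never changes when reordered
    name: str
    srcintf: str              # interface name, zone name, or "any"
    dstintf: str
    srcaddr: List[str]        # CIDR strings, or "all"
    dstaddr: List[str]
    service: List[Tuple[str, Optional[int]]]  # (protocol, port); ("ALL", None) matches everything
    action: str               # "ACCEPT" or "DENY"
    schedule_active: bool = True  # result of evaluating the policy schedule right now

# A new session's first packet; egress is already resolved by route lookup.
Packet = namedtuple("Packet", "ingress egress src dst proto dport")

def intf_matches(policy_intf: str, actual: str) -> bool:
    if policy_intf == "any":
        return True
    return actual in ZONES.get(policy_intf, {policy_intf})

def addr_matches(addrs: List[str], ip: str) -> bool:
    return any(a == "all" or ip_address(ip) in ip_network(a) for a in addrs)

def service_matches(services, proto: str, dport: int) -> bool:
    return any(p == "ALL" or (p == proto and port in (None, dport)) for p, port in services)

def lookup(policies: List[Policy], pkt: Packet) -> Tuple[Optional[int], str]:
    """Walk the list top-down; first match wins (list position, not ID, sets precedence)."""
    for p in policies:
        if (p.schedule_active
                and intf_matches(p.srcintf, pkt.ingress) and intf_matches(p.dstintf, pkt.egress)
                and addr_matches(p.srcaddr, pkt.src) and addr_matches(p.dstaddr, pkt.dst)
                and service_matches(p.service, pkt.proto, pkt.dport)):
            return p.id, p.action
    return None, "DENY"  # implicit deny: nothing matched, FortiGate drops the packet

# Constructed sample policy table in evaluation order; note the IDs are not sequential.
SAMPLE_POLICIES = [
    Policy(3, "Web_Access", "internal_zone", "port1", ["10.0.1.0/24"], ["all"], [("tcp", 80), ("tcp", 443)], "ACCEPT"),
    Policy(2, "Internal_Out", "internal_zone", "port1", ["all"], ["all"], [("ALL", None)], "ACCEPT"),
    Policy(1, "Guest_Block", "port4", "any", ["all"], ["all"], [("ALL", None)], "DENY"),
]
```

A host on port3 using SSH does not match the narrower Web_Access policy and falls through to Internal_Out, which shows why policy order rather than policy ID decides the outcome.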
Knowledge Check
1. What criteria does FortiGate use to match traffic to a firewall policy?
A. Source and destination interfaces
B. Security profiles
Configuring Firewall Policies
• Mandatory policy name when creating on GUI
Can relax the requirement by enabling Allow Unnamed Policies
Enabled by default
Must specify unique name
• Flat GUI view allows:
Highlights selected entry
Select by clicking
Drag-and-drop
Security Profiles
• Firewall policies limit access to configured networks
• Security profiles configured in firewall policies protect your network by:
Blocking threats
Controlling access to certain applications and URLs
Preventing specific data from leaving your network
• Logging: by default set to Security Events
Generates logs based on applied security profile only
• Can change to All Sessions
Learning Mode
• Allows everything through firewall policy but with fully enabled logging capabilities
• Enables hidden security profiles
Action set to monitor
Users unable to view or edit them
• Enables Device Detection on the source interface(s) of policy
2. What will happen when the Action option in the firewall policy is set to Learn?
A. All services in firewall policy are enabled.
B. Hidden profiles are enabled
If policies are created using multiple source and destination interfaces or any interface
Real-time Policy Status
• Real-time policy status update
Active Sessions
Total Bytes
Current Bandwidth
Policy ID
• Firewall policies are primarily ordered on a top-down basis
• Policy IDs are identifiers
Policy ID is assigned by the system when the rule is created
The ID number never changes as rules move higher or lower in the sequence
Simplify—Groups of Addresses or Services
• You can reference address and service objects individually, or use groups to simplify policy configuration
Firewall Policy—Fine Tuning
• Right-click menu contains various options to add and modify policies
(Right-click options shown: Show Reference, Edit, Edit in CLI, Delete Policy)
• Filter Column
New filters can be applied in the column section.
Knowledge Check
1. If a firewall policy is configured with the any interface, you can only view the firewall policy list in
A. The By Sequence View
B. The Interface Pair View
Combining Firewall Policies
• Check the settings before combining firewall policies
Source and destination interfaces
Source and destination addresses
Schedules
Security profiles
Logging
NAT rules
Policy Lookup (GUI)
• Identify matching policy without real traffic
Does not generate any packets
• Searches matching policy based on input criteria
Source interface
Protocol
• Requires more granular input criteria
Source IP address
Destination IP/FQDN
• Policy lookup checks
Reverse path forwarding (RPF)
Destination NAT, if matching virtual IP
Route lookup, to resolve destination interface
Policy Lookup Example
• Highlights matching policy after search
Knowledge Check
1. Which of the following naming formats is correct when configuring a name for a firewall address object?
A. Good_Training