
[Figure: calendar page, May 2019]

Lesson Overview
Firewall Policies
Objectives
• Identify components of firewall policies
• Identify how FortiGate matches traffic to firewall policies
What Are Firewall Policies?
• Policies define:
  - Which traffic matches them
  - How to process traffic that matches
• When a new IP session packet arrives, FortiGate:
  - Starts at the top of the list to look for a policy match
  - Applies the first matching policy
• Implicit Deny
  - No matching policy? FortiGate drops the packet
Components and Policy Types
• Objects used by policies
  - Interface and interface groups
  - Address, user, device, and internet service objects
  - Service definitions
  - Schedules
  - NAT rules
  - Security profiles
• Policy types
  - IPv4, IPv6
  - Virtual wire pair (IPv4, IPv6)
  - Multicast
  - Local In Policy (origin and destination is FortiGate itself)
  - DoS (IPv4, IPv6)
  - Traffic shaping
How Are Policy Matches Determined?
• Incoming and outgoing interface
• Source: IP address, user, device
• Action = ACCEPT or DENY
• Logging
Simplify—Interfaces and Zones
• Incoming Interface and Outgoing Interface can be interface(s) or a zone
  - Zone: logical group of interfaces
• To match policies with traffic, select one (or more) interfaces or any interface

[Screenshot: interface list grouped By Role, showing physical interfaces and a zone]
Selecting Interfaces or Any Interface
• Disabled by default
  - Cannot select multiple interfaces or any interface in a firewall policy from the GUI
• Can be made visible in the GUI
[Screenshot: policy editor showing the Incoming Interface and Outgoing Interface fields]
Matching Source
• Must specify at least one source (address)
  - FQDN
• Source user
  - Accounts on a remote server (for example, Active Directory, LDAP, RADIUS)
  - FSSO
• Source Device: identified or manually defined client device


Source User Identification
• Confirms identity of user
• Access to network is provided after confirming user credentials
[Figure: user supplies a password, the authentication server confirms it, and access is allowed]
Identification—Agentless vs. Agent
• Agentless
  - Requires direct connectivity to FortiGate
  - Detection methods: TCP fingerprinting, SIP user agent, FortiOS-VM detection
  - FortiOS-VM detection: FortiOS-VM vendor ID in IKE messages, and FortiOS-VM vendor ID in FortiGuard web filter and spam filter requests
• Agent
  - Location and infrastructure independent
  - FortiClient software
Device Identification
• Source Device type enables Device Detection on the source interface(s) of that policy
  - Network > Interfaces
  - Policy & Objects > IPv4 Policy
• Can enable Active Scanning
Endpoint Control
• FortiGate can control FortiClient settings through FortiClient profiles and registration
• Enable FortiTelemetry on FortiGate interface(s) for registration
[Figure: registered FortiClient]
Device Identification: Device List (GUI and CLI)
• Detected devices are saved in the FortiGate flash drive for 28 days
  - A device expires and is removed from the Device Inventory list if no traffic is seen for that device
  - Can change the duration on the CLI
• User & Device > Device Inventory
Example—Matching Policy Source
• Matches by source address, user, device type
• Source as Internet service database (ISDB) objects
• Policy & Objects > IPv4 Policy
[Screenshot: Source field listing Address, User, Device, and Internet Service entries]
Matching Destination
• Like source, destination criteria can use:
• Address objects:
  - Subnet (IP or netmask)
  - IP address or address range
  - FQDN: DNS query used to resolve FQDN
  - Geography: country defines addresses by ISP's geographical location; database updated periodically through FortiGuard
• Internet service database (ISDB) objects


Internet Services
• Database that contains IP addresses, IP protocols, and port numbers used by the most common Internet services
  - Regularly updated through FortiGuard
  - Policy & Objects > Internet Service Database
• Can be used as Source or Destination in the firewall policy
  - Policy & Objects > IPv4 Policy
• If Internet Service is selected as Source:
  - You cannot use Address in the Source
• If Internet Service is selected as Destination:
  - You cannot use Address in the Destination
  - You cannot select Service in the firewall policy
Scheduling
• Policies apply only during specific times and days
  - Example: a less restrictive lunch time policy
  - Default schedule applies all the time
• Recurring: happens every time during specified day(s) of the week
• One-time: happens only once
• Policy & Objects > Schedules
Matching Service
• Service determines matching transmission protocol (UDP, TCP, and so on) and port number
• Can be predefined or custom
• ALL matches all ports and protocols
[Figure: the packet's protocol and port are compared against the firewall policy's service]
Knowledge Check
1. What criteria does FortiGate use to match traffic to a firewall policy?
A. Source and destination interfaces
B. Security profiles
2. What must be selected in the Source field of a firewall policy?
A. At least one address object
B. At least one source user and one source address object
3. On which FortiGate interface is Device Detection enabled when configuring a firewall policy with a device definition?
A. Source interface of the firewall policy
B. Destination interface of the firewall policy
Configuring Firewall Policies
Objectives
• Restrict access and make your network more secure using security profiles
• Configure logging
• Configure learning mode to evaluate and analyze traffic
Configuring Firewall Policies
• Mandatory policy name when creating on GUI
  - Enabled by default
  - Can relax the requirement by enabling Allow Unnamed Policies
  - Must specify a unique name
• Flat GUI view allows:
  - Highlights selected entry
  - Select by clicking
  - Drag-and-drop
• Universally Unique Identifier (UUID)
Security Profiles
• Firewall policies limit access to configured networks
• Security profiles configured in firewall policies protect your network by:
  - Blocking threats
  - Controlling access to certain applications and URLs
  - Preventing specific data from leaving your network
• Policy & Objects > IPv4 Policy
Logging
• By default set to Security Events
  - Generates logs based on applied security profiles only
• Can change to All Sessions
Learning Mode
• Allows everything through the firewall policy but with fully enabled logging capabilities
• Enables hidden security profiles
  - Action set to monitor
  - Users unable to view or edit them
• Enables Device Detection on the source interface(s) of the policy
• All logs generated from these policies will be tagged as Learn
• Provides cyber threat assessment report
  - Log & Report > Learning Report
  - Uses all learning logs and security vectors
Traffic Shapers
• Rate limiting is configurable
  - In bandwidth and out bandwidth
  - Defines maximum and guaranteed bandwidth
• Policy & Objects > Traffic Shaping Policy
[Screenshot: Shared Traffic Shaper]
Knowledge Check
1. Firewall policy name is mandatory when configuring on the
2. What will happen when the Action option in the firewall policy is set to Learn?
A. All services in the firewall policy are enabled.
B. Hidden profiles are enabled.
3. What is the purpose of applying security profiles to a firewall policy?
A. To allow access to certain subnets
B. To protect your network from threats and control access to specific applications and URLs
Managing Firewall Policies
Objectives
• Identify policy list views
• Understand the use of policy IDs
• Identify where an object is referenced
Policy List—Interface Pair View and By Sequence
• Interface Pair View
  - Lists policies by ingress and egress interface
• By Sequence
  - If policies are created using multiple source and destination interfaces or any interface
Real-time Policy Status
• Real-time policy status update
  - Active Sessions
  - Total Bytes
  - Current Bandwidth
Policy ID
• Firewall policies are primarily ordered on a top-down basis
• Policy IDs are identifiers
  - Policy ID is assigned by the system when the rule is created
  - The ID number never changes as rules move higher or lower in the sequence
• Policy & Objects > IPv4 Policy
Simplify—Groups of Addresses or Services
• You can reference address and service objects individually, or use groups to simplify policy configuration
[Screenshot: two policies using the FTP and HTTP services replaced by one policy using the Web-FTP service group, action ACCEPT, status Enabled]
Object Usage
• Allows for faster changes to settings
• Reference column shows if the object is being used
  - Links directly to the referencing object
Firewall Policy—Fine Tuning
• Right-click menu contains various options to add and modify policies
  - Insert Empty Policy
  - Rename Policy
  - Edit
  - Edit in CLI
  - Delete Policy
  - Show Reference
• Filter Column
  - New filters can be applied in the column section.
Knowledge Check
1. If a firewall policy is configured with the any interface, you can only view the firewall policy list in
A. The By Sequence View
B. The Interface Pair View
2. What does the number in the Ref. column represent?
A. The number of places where that object is being used
B. The policy ID of the firewall policy where that object is being used
Best Practices and Troubleshooting
Objectives
• Identify naming restrictions for firewall policies and objects
• Reorder firewall policies for correct matching
• Demonstrate how to find matching policies for traffic type
Naming Rules and Restrictions
• Most firewall object name fields accept up to 35 characters
• Supported characters in a firewall object name:
  - Letters: A-Z (uppercase and lowercase)
  - Special characters: hyphen - and underscore _
  - Avoid using spaces
• Some special characters are supported in passwords, comments, replacement messages, and so on.
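The naming rules above, as an added Python check that is not part of the course material: it flags names over 35 characters, names containing spaces, and unsupported characters, and rewrites a proposed name into a compliant one. That digits are accepted alongside letters, hyphen and underscore is assumed here, and suggest_object_name is a hypothetical helper, not a FortiGate function.

```python
import re

MAX_NAME_LEN = 35                          # limit for most firewall object name fields
ALLOWED = re.compile(r"[A-Za-z0-9_-]")     # letters, hyphen, underscore; digits assumed


def check_object_name(name):
    """Return the list of naming-rule violations; an empty list means the name is acceptable."""
    problems = []
    if not name:
        problems.append("name is empty")
    if len(name) > MAX_NAME_LEN:
        problems.append(f"{len(name)} characters, limit is {MAX_NAME_LEN}")
    if " " in name:
        problems.append("contains spaces")
    # Spaces are reported separately above, so exclude them from this list.
    bad = sorted({c for c in name if c != " " and not ALLOWED.fullmatch(c)})
    if bad:
        problems.append("unsupported characters: " + "".join(bad))
    return problems


def suggest_object_name(name):
    """Hypothetical helper: rewrite a proposed name so that check_object_name() accepts it."""
    # Collapse every run of unsupported characters (spaces included) into one underscore,
    # drop leading/trailing underscores, then cut to the field limit.
    cleaned = re.sub(r"[^A-Za-z0-9_-]+", "_", name.strip()).strip("_")
    return cleaned[:MAX_NAME_LEN].rstrip("_") or "unnamed"
```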
Best Practices
• Test policies in a maintenance window before deploying in production
  - Test policy for few IP addresses, users, devices, and so on
• Be careful when editing, disabling, or deleting firewall policies and objects
  - Changes are saved and activated immediately
  - Resets active sessions
• Create firewall policies to match as specifically as possible
  - Example: restrict firewall policies based on source, destination, service
  - Use proper subnetting of address objects
• Analyze and enable appropriate settings on a per-policy basis
  - Security profiles
Adjusting Policy Order
• On the GUI, drag-and-drop
[Screenshot: policy list before and after a policy move; the policy ID remains the same]
Combining Firewall Policies
• Check the settings before combining firewall policies
  - Source and destination interfaces
  - Source and destination addresses
  - Schedules
  - Security profiles
  - Logging
  - NAT rules
[Screenshot: policy list with Name, Source, Schedule, Service and Log columns, showing entries such as LOCAL, FTP, ALL_ICMP, ACCEPT, Enabled, UTM]
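An added Python example, not from the course or from FortiOS, for the combining checklist above: two policies are merged only when the settings in the list are identical, and only one of source addresses, destination addresses or services may differ between them, because a merged policy whose addresses and services are both unions would allow pairings that neither original policy allowed. All policy, interface, address, service and profile names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    id: int
    name: str
    srcintf: str
    dstintf: str
    srcaddr: frozenset            # address object names
    dstaddr: frozenset
    service: frozenset            # service object names
    schedule: str
    action: str                   # "accept" or "deny"
    security_profiles: frozenset
    log: str                      # "security-events" or "all"
    nat: bool

# Settings that must be identical, otherwise one merged policy cannot express both.
MUST_MATCH = ("srcintf", "dstintf", "schedule", "action", "security_profiles", "log", "nat")
# At most one of these may differ: if two differ, the union allows pairings neither policy allowed.
MAY_VARY = ("srcaddr", "dstaddr", "service")


def combine_check(a, b):
    """Return the reasons two policies must not be merged; an empty list means they can."""
    reasons = [f"{f} differs" for f in MUST_MATCH if getattr(a, f) != getattr(b, f)]
    varying = [f for f in MAY_VARY if getattr(a, f) != getattr(b, f)]
    if len(varying) > 1:
        reasons.append("merge would widen access: " + " and ".join(varying) + " both differ")
    return reasons


def combine(a, b, new_id):
    """Merge b into a under a new system-assigned ID, refusing when combine_check finds a reason."""
    reasons = combine_check(a, b)
    if reasons:
        raise ValueError("; ".join(reasons))
    return Policy(new_id, f"{a.name}_{b.name}", a.srcintf, a.dstintf,
                  a.srcaddr | b.srcaddr, a.dstaddr | b.dstaddr, a.service | b.service,
                  a.schedule, a.action, a.security_profiles, a.log, a.nat)

# Constructed example policies (object names loosely follow the LOCAL_SUBNET / FTP / ALL_ICMP entries in the slides).
WEB = Policy(1, "Web", "port3", "port1", frozenset({"LOCAL_SUBNET"}), frozenset({"all"}),
             frozenset({"HTTP", "HTTPS"}), "always", "accept", frozenset({"AV_default"}), "security-events", True)
FTP = Policy(2, "FTP", "port3", "port1", frozenset({"LOCAL_SUBNET"}), frozenset({"all"}),
             frozenset({"FTP"}), "always", "accept", frozenset({"AV_default"}), "security-events", True)
GUEST_ICMP = Policy(3, "Guest_ICMP", "port3", "port1", frozenset({"GUEST_SUBNET"}), frozenset({"all"}),
                    frozenset({"ALL_ICMP"}), "always", "accept", frozenset({"AV_default"}), "security-events", True)
FTP_LOGALL = Policy(4, "FTP_LogAll", "port3", "port1", frozenset({"LOCAL_SUBNET"}), frozenset({"all"}),
                    frozenset({"FTP"}), "always", "accept", frozenset({"AV_default"}), "all", True)
```

WEB and FTP differ only in service, so combine(WEB, FTP, 5) yields one policy; WEB and GUEST_ICMP differ in both source address and service, so the check refuses them.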
Policy Lookup (GUI)
• Identify matching policy without real traffic
  - Does not generate any packets
• Searches matching policy based on input criteria
  - Source interface
  - Protocol
• Requires more granular input criteria
  - Source IP address
  - Destination IP/FQDN
• Policy lookup checks
  - Reverse path forward (RPF)
  - Destination NAT, if matching virtual IP
  - Route lookup, to resolve destination interface
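The matching rules from How Are Policy Matches Determined? through Matching Service, together with the route lookup that Policy Lookup performs to resolve the destination interface, as an added Python example that is not FortiGate's or the course's own code: policies are evaluated top-down, the first match wins, no match means the implicit deny, and the list position (sequence) is independent of the policy ID. The routing table, interface names, address ranges and policies are constructed sample data; user, device, schedule, RPF and destination NAT checks are left out.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    id: int          # assigned at creation; list position is the sequence, the ID never changes
    name: str
    srcintf: str     # interface name, or "any"
    dstintf: str
    srcaddr: str     # CIDR of the source address object
    dstaddr: str     # CIDR of the destination address object
    service: set     # {("tcp", 80), ...} or {"ALL"}
    action: str      # "accept" or "deny"

# Constructed routing table (prefix, outgoing interface); longest prefix wins.
ROUTES = [("0.0.0.0/0", "port1"), ("192.168.1.0/24", "port2"), ("10.0.1.0/24", "port3")]


def route_lookup(dst_ip, routes=ROUTES):
    """Resolve the outgoing interface the way policy lookup does: a route lookup on the destination."""
    ip, best = ipaddress.ip_address(dst_ip), None
    for prefix, intf in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf)
    return best[1] if best else None


def policy_matches(p, srcintf, dstintf, src_ip, dst_ip, proto, port):
    """True only when every criterion of the policy matches: interfaces, addresses and service."""
    return (p.srcintf in (srcintf, "any") and p.dstintf in (dstintf, "any")
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(p.srcaddr)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(p.dstaddr)
            and ("ALL" in p.service or (proto, port) in p.service))


def policy_lookup(policies, srcintf, src_ip, dst_ip, proto, port):
    """Top-down, first match wins; None means the implicit deny drops the packet."""
    dstintf = route_lookup(dst_ip)
    for p in policies:                       # list order, not ID order
        if policy_matches(p, srcintf, dstintf, src_ip, dst_ip, proto, port):
            return p
    return None

# Constructed policy list; the sequence deliberately differs from the ID order.
POLICIES = [
    Policy(2, "Block_Telnet", "port3", "port1", "10.0.1.0/24", "0.0.0.0/0", {("tcp", 23)}, "deny"),
    Policy(1, "Web_Access", "port3", "port1", "10.0.1.0/24", "0.0.0.0/0", {("tcp", 80), ("tcp", 443)}, "accept"),
    Policy(3, "Internal_All", "port3", "port2", "10.0.1.0/24", "192.168.1.0/24", {"ALL"}, "accept"),
]
```

policy_lookup(POLICIES, "port3", "10.0.1.10", "8.8.8.8", "tcp", 22) returns None, the implicit deny, because no policy in the list allows that service; the same packet on port 80 matches Web_Access (ID 1) even though it is second in the sequence.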
Policy Lookup Example
• Highlights matching policy after search
[Screenshot: policy lookup result with the matching policy (Web Access, ACCEPT, Enabled) highlighted among entries such as LOCAL_SUBNET, FTP, ALL_ICMP and a destination NAT policy]
Knowledge Check
1. Which of the following naming formats is correct when configuring a name for a firewall address object?
A. Good_Training
2. What is the purpose of the policy lookup feature on FortiGate?
A. To find a matching policy based on input criteria
B. To block traffic based on input criteria
Review
• Recognize how packets match a firewall policy based on:
  - Interfaces and zones
  - Source and destination
  - Network services
  - Schedules
• Configure firewall policies
• Understand how policy IDs are used
• Identify object usage
• Reorder policies to match more granular policies first
• Use policy lookup to find matching policies
