Inside FortiOS: Denial of Service (DoS) protection

FortiOS DoS protection maintains network integrity and performance by identifying and blocking harmful IPv4 and IPv6-based denial of service (DoS) attacks.

About DoS and DDoS attacks

A denial of service (DoS) occurs when an attacker overwhelms server resources by flooding a target system with anomalous data packets, rendering it unable to service genuine users. A distributed denial of service (DDoS) occurs when an attacker uses a master computer to control a network of compromised systems, otherwise known as a ‘botnet’, which collectively inundates the target system with excessive anomalous data packets.

FortiOS DoS and DDoS protection

FortiOS DoS protection identifies potentially harmful traffic that could be part of a DoS or a DDoS attack by looking for specific traffic anomalies. Traffic anomalies that become DoS attacks include: TCP SYN floods, UDP floods, ICMP floods, TCP port scans, TCP session attacks, UDP session attacks, ICMP session attacks, and ICMP sweep attacks. Only traffic identified as part of a DoS attack is blocked; connections from legitimate users are processed normally.

FortiOS applies DoS protection very early in its traffic processing sequence to minimize the effect of a DoS attack on FortiOS system performance. DoS protection is the first step for packets after they are received by a FortiGate interface. Potential DoS attacks are detected and blocked before the packets are sent to other FortiOS systems.

FortiOS also includes an access control list feature that is implemented next. This accelerated ACL technology uses NP6 processors to block traffic (including DoS attacks) by source and destination address and service again before the packets are sent to the FortiGate CPU.

FortiOS DoS protection can operate in a standard configuration or operate out of band in sniffer mode, also known as one-arm mode, similar to intrusion detection systems. When operating in sniffer mode the FortiGate unit detects attacks and logs them without blocking them.

FortiOS DoS policies determine the course of action to take when anomalous traffic reaches a configured packet rate threshold. You can block an attacker, block an interface, block an attacker and interface, or allow traffic to pass through for monitoring purposes. This allows you to maintain network security by gathering information about attacks, monitor potentially offending traffic, or block offenders for the most protection.

FortiGates with NP6 processors also support synproxy DoS protection. An NP6-accelerated TCP SYN proxy offloads the three-way TCP handshake TCP SYN anomaly checking DoS protection to NP6 processors.

FortiOS DDoS prevention

In addition to using DoS protection for protection against DoS attacks, FortiOS includes a number of features that prevent the spread of Botnet and C&C activity. Mobile Malware or Botnet and C&C protection keeps Botnet and C&C code from entering a protected network and compromising protected systems. As a result, systems on the protected network cannot become Botnet clients.

In addition, FortiOS can monitor and block outgoing Botnet connection attempts. Monitoring allows you to find and remove Botnet clients from your network and blocking prevents infected systems from communicating with Botnet sites.

Configuration options

Choose the standard configuration for maximum protection or configure sniffer mode to gather information.

Standard configuration

DoS protection is commonly configured on a FortiGate unit that connects a private or DMZ network to the Internet or on a FortiWiFi unit that connects a wireless LAN to an internal network and to the Internet. All Internet traffic or wireless LAN traffic passes through DoS protection in the FortiGate unit or the FortiWiFi unit.

Out of band configuration (sniffer mode)

A FortiGate unit in sniffer mode operates out of band as a one-armed Intrusion Detection System by detecting and reporting attacks. It does not process network traffic nor does it take action against threats. The FortiGate interface operating in sniffer mode is connected to a Test Access Point (TAP) or a Switch Port Analyzer (SPAN) port that processes all of the traffic to be analyzed. The TAP or SPAN sends a copy of the switch traffic to the out of band FortiGate for analysis.

FortiOS records log messages and sends alerts to system administrators when a DoS attack is detected. IDS scanning does not affect network performance or network traffic if the IDS fails or goes offline.

DoS policies

DoS policies provide effective and early DoS detection while remaining light on system resources. They are configured to monitor and to stop traffic with abnormal patterns or attributes. The DoS policy recognizes traffic as a threat when the traffic reaches a user-configured packet rate threshold. The policy then determines the appropriate action. In addition to choosing whether or not to log each type of anomaly, you can choose to pass or block threats.

DoS policy anomaly protection is applied to all incoming traffic to a single FortiGate interface, but you can narrow policies by specifying service, source address, and destination address. The FortiGate unit processes DoS policies in their own respective order first, followed by all other firewall policies.

Hardware acceleration

Hardware acceleration enhances protection and increases the efficiency of your network. FortiOS integrated Content Processors (CPs), Network Processors (NPs), and Security Processors (SPs) accelerate specialized security processing. DoS SYN proxy protection is built in to NP6 processors and many Fortinet Security Processors, like the CE4, XE2, and FE8, to guard against TCP SYN floods. TCP packets with the SYN flag are the most efficient DoS attack tool because of how communication sessions are initiated between systems. NP6 and SP processors can offload TCP SYN flood attack detection and blocking. The SP module increases a FortiGate unit’s capacity to protect against TCP SYN flood attacks while minimizing the effect of attacks on the FortiGate unit’s overall performance and the network performance. The result is improved capacity and overall system performance.

The FortiGuard Center

The FortiGuard Center shows information on all the most recent FortiGuard news, including information concerning zero-day research and hot intrusion detections. Research papers are also available that concern a The FortiGuard Center       Inside FortiOS: Denial of Service (DoS) protection

variety of current security issues.

To view recent developments, go to http://www.fortiguard.com/static/intrusionprevention.html.

Network defense

This section describes in general terms the means by which attackers can attempt to compromise your network using attacks at the network level rather than through application vulnerabilities, and steps you can take to protect it. The goal of an attack can be as complex as gaining access to your network and the privileged information it contains, or as simple as preventing customers from accessing your web server.

Because of popular media, many people are aware of viruses and other malware as a threat against their computers and data, but some of the most costly malicious attack in history have been against networks. A 2016 study found that a single DDoS attack could cast a company over $1.6 million. Depending on the size and type of company the areas of expense can be:

• Changes in credit and insurance ratings l Overtime payment to employees l Hiring new employees in increase IT staff l PR expenses to restore a company’s reputation l Upgrading infrastructure and software l Customer compensation

The following topics are included in this section:

• Monitoring l Blocking external probes l Defending against DoS attacks

Monitoring

Monitoring, in the form of logging, alert email, and SNMP, does not directly protect your network. But monitoring allows you to review the progress of an attack, whether afterwards or while in progress. How the attack unfolds may reveal weaknesses in your preparations. The packet archive and sniffer policy logs can reveal more details about the attack. Depending on the detail in your logs, you may be able to determine the attackers location and identity.

While log information is valuable, you must balance the log information with the resources required to collect and store it.

Blocking external probes

Protection against attacks is important, but attackers often use vulnerabilities and network tools to gather information about your network to plan an attack. It is often easier to prevent an attacker from learning important details about your network than to defend against an attack designed to exploit your particular network.

Attacks are often tailored to the hardware or operating system of the target, so reconnaissance is often the first step. The IP addresses of the hosts, the open ports, and the operating systems the hosts are running is invaluable information to an attacker. Probing your network can be as simple as an attacker performing an Blocking external probes address sweep or port scan to a more involved operation like sending TCP packets with invalid combinations of flags to see how your firewall reacts.

Address sweeps

An address sweep is a basic network scanning technique to determine which addresses in an address range have active hosts. A typical address sweep involves sending an ICMP ECHO request (a ping) to each address in an address range to attempt to get a response. A response signifies that there is a host at this address that responded to the ping. It then becomes a target for more detailed and potentially invasive attacks.

Address sweeps do not always reveal all the hosts in an address range because some systems may be configured to ignore ECHO requests and not respond, and some firewalls and gateways may be configured to prevent ECHO requests from being transmitted to the destination network. Despite this shortcoming, Address sweeps are still used because they are simple to perform with software tools that automate the process.

Use the icmp_sweep anomaly in a DoS policy to protect against address sweeps.

There are a number of IPS signatures to detect the use of ICMP probes that can gather information about your network. These signatures include AddressMask, Traceroute, ICMP.Invalid.Packet.Size, and ICMP.Oversized.Packet. Include ICMP protocol signatures in your IPS sensors to protect against these probes/attacks.

Port scans

Potential attackers may run a port scan on one or more of your hosts. This involves trying to establish a communication session to each port on a host. If the connection is successful, a service may be available that the attacker can exploit.

Use the DoS anomaly check for tcp_port_scan to limit the number of sessions (complete and incomplete) from a single source IP address to the configured threshold. If the number of sessions exceed the threshold, the configured action is taken.

Use the DoS anomaly check for udp_scan to limit UDP sessions in the same way.

Probes using IP traffic options

Every TCP packet has space reserved for eight flags or control bits. They are used for communicating various control messages. Although space in the packet is reserved for all eight, there are various combinations of flags that should never happen in normal network operation. For example, the SYN flag, used to initiate a session, and the FIN flag, used to end a session, should never be set in the same packet.

Attackers may create packets with these invalid combinations to test how a host will react. Various operating systems and hardware react in different ways, giving a potential attackers clues about the components of your network.

The IPS signature TCP.Bad.Flags detects these invalid combinations. The default action is pass though you can override the default and set it to Block in your IPS sensor.

Configure packet replay and TCP sequence checking

The anti-replay command in the CLI allows you to set the level of checking for packet replay and TCP sequence checking (or TCP Sequence (SEQ) number checking). All TCP packets contain a Sequence Number Blocking external probes

(SEQ) and an Acknowledgment Number (ACK). The TCP protocol uses these numbers for error free end-to-end communications. TCP sequence checking can also be used to validate individual packets.

FortiGate units use TCP sequence checking to make sure that a packet is part of a TCP session. By default, if a packet is received with sequence numbers that fall out of the expected range, the FortiGate unit drops the packet. This is normally a desired behavior, since it means that the packet is invalid. But in some cases you may want to configure different levels of anti-replay checking if some of your network equipment uses non-RFC methods when sending packets.

Configure the anti-replay CLI command:

config system global set anti-replay {disable | loose | strict}

end

You can set anti-replay protection to the following settings:

• disable — No anti-replay protection.
• loose — Perform packet sequence checking and ICMP anti-replay checking with the following criteria:
• The SYN, FIN, and RST bit can not appear in the same packet.
• The FortiGate unit does not allow more than one ICMP error packet through before it receives a normal TCP or UDP packet.
• If the FortiGate unit receives an RST packet, and check-reset-range is set to strict, the FortiGate unit checks to determine if its sequence number in the RST is within the un-ACKed data and drops the packet if the sequence number is incorrect.
• strict — Performs all of the loose checking but for each new session also checks to determine of the TCP sequence number in a SYN packet has been calculated correctly and started from the correct value for each new session. Strict anti-replay checking can also help prevent SYN flooding.

If any packet fails a check it is dropped.

Configure ICMP error message verification

Enable ICMP error message verification to ensure an attacker can not send an invalid ICMP error message.

config system global check-reset-range {disable | strict}

end

• disable — the FortiGate unit does not validate ICMP error messages.
• strict — enable ICMP error message checking.

If the FortiGate unit receives an ICMP error packet that contains an embedded IP(A,B) | TCP(C,D) header, then if FortiOS can locate the A:C->B:D session it checks to make sure that the sequence number in the TCP header is within the range recorded in the session. If the sequence number is not in range then the ICMP packet is dropped. Strict checking also affects how the anti-replay option checks packets.

Protocol header checking

Select the level of checking performed on protocol headers.

config system global

Blocking external probes

check-protocol-header {loose | strict}

end

• loose — the FortiGate unit performs basic header checking to verify that a packet is part of a session and should be processed. Basic header checking includes verifying that the layer-4 protocol header length, the IP header length, the IP version, the IP checksum, IP options are correct, etc.
• strict — the FortiGate unit does the same checking as above plus it verifies that ESP packets have the correct sequence number, SPI, and data length.

If the packet fails header checking it is dropped by the FortiGate unit.

Evasion techniques

Attackers employ a wide range of tactics to try to disguise their techniques. If an attacker disguises a known attack in such a way that it is not recognized, the attack will evade your security and possibly succeed. FortiGate security recognizes a wide variety of evasion techniques and normalizes data traffic before inspecting it.

Packet fragmentation

Information sent across local networks and the Internet is encapsulated in packets. There is a maximum allowable size for packets and this maximum size varies depending on network configuration and equipment limitations. If a packet arrives at a switch or gateway and it is too large, the data it carries is divided among two or more smaller packets before being forwarded. This is called fragmentation.

When fragmented packets arrive at their destination, they are reassembled and read. If the fragments do not arrive together, they must be held until all of the fragments arrive. Reassembly of a packet requires all of the fragments.

The FortiGate unit automatically reassembles fragmented packets before processing them because fragmented packets can evade security measures. This reassembly of packets affects TCP, UDP and IP packets. There can be some variation though in what process does the reassembling. The IPS engine, nTurbo and the kernel all can do defragmentation.

For example, you have configured the FortiGate unit to block access to the example.org web site. Any checks for example.com will fail if a fragmented packet arrives and one fragment contains http://www.exa while the other contains mple.com/. Viruses and malware can be fragmented and avoid detection in the same way. The FortiGate unit will reassemble fragmented packets before examining network data to ensure that inadvertent or deliberate packet fragmentation does not hide threats in network traffic.

Non-standard ports

Most traffic is sent on a standard port based on the traffic type. The FortiGate unit recognizes most traffic by packet content rather than the TCP/UDP port and uses the proper IPS signatures to examine it. Protocols recognized regardless of port include DHCP, DNP3, FTP, HTTP, IMAP, MS RPC, NNTP, POP3, RSTP, SIP, SMTP, and SSL, as well as the supported IM/P2P application protocols.

In this way, the FortiGate unit will recognize HTTP traffic being sent on port 25 as HTTP rather than SMTP, for example. Because the protocol is correctly identified, the FortiGate unit will examine the traffic for any enabled HTTP signatures.

Negotiation codes

Telnet and FTP servers and clients support the use of negotiation information to allow the server to report what features it supports. This information has been used to exploit vulnerable servers. To avoid this problem, the Blocking external probes

FortiGate unit removes negotiation codes before IPS inspection.

HTTP URL obfuscation

Attackers encode HTML links using various formats to evade detection and bypass security measures. For example, the URL www.example.com/cgi.bin could be encoded in a number of ways to avoid detection but still work properly, and be interpreted the same, in a web browser.

The FortiGate prevents the obfuscation by converting the URL to ASCII before inspection.

HTTP URL obfuscation types

HTTP header obfuscation

The headers of HTTP requests or responses can be modified to make the discovery of patterns and attacks more difficult. To prevent this, the FortiGate unit will:

l remove junk header lines l reassemble an HTTP header that’s been folded onto multiple lines l move request parameters to HTTP POST body from the URL

The message is scanned for any enabled HTTP IPS signatures once these problems are corrected.

HTTP body obfuscation

The body content of HTTP traffic can be hidden in an attempt to circumvent security scanning. HTTP content can be GZipped or deflated to prevent security inspection. The FortiGate unit will uncompress the traffic before inspecting it.

Another way to hide the contents of HTTP traffic is to send the HTTP body in small pieces, splitting signature matches across two separate pieces of the HTTP body. The FortiGate unit reassembles these ‘chunked bodies’ before inspection.

Microsoft RPC evasion

Because of its complexity, the Microsoft Remote Procedure Call protocol suite is subject to a number of known evasion techniques, including:

l SMB-level fragmentation l DCERPC-level fragmentation l DCERPC multi-part fragmentation l DCERPC UDP fragmentation l Multiple DCERPC fragments in one packet

The FortiGate unit reassembles the fragments into their original form before inspection.

Defending against DoS attacks

A denial of service is the result of an attacker sending an abnormally large amount of network traffic to a target system. Having to deal with the traffic flood slows down or disables the target system so that legitimate users can not use it for the duration of the attack.

Any network traffic the target system receives has to be examined, and then accepted or rejected. TCP, UDP, and ICMP traffic is most commonly used, but a particular type of TCP traffic is the most effective. TCP packets with the SYN flag are the most efficient DoS attack tool because of how communication sessions are started between systems.

The “three-way handshake”

Communication sessions between systems start with establishing a TCP/IP connection. This is a simple three step process, sometimes called a “three-way handshake,” initiated by the client attempting to open the connection.

1. The client sends a TCP packet with the SYN flag set. With the SYN packet, the client informs the server of its intention to establish a connection.
2. If the server is able to accept the connection to the client, it sends a packet with the SYN and the ACK flags set. This simultaneously acknowledges the SYN packet the server has received, and informs the client that the server intends to establish a connection.
3. To acknowledge receipt of the packet and establish the connection, the client sends an ACK packet.

Establishing a TCP/IP connection

Defending against DoS attacks

The three-way handshake is a simple way for the server and client to each agree to establish a connection and acknowledge the other party expressing its intent. Unfortunately, the three-way handshake can be used to interfere with communication rather than facilitate it.

SYN flood

When a client sends a SYN packet to a server, the server creates an entry in its session table to keep track of the connection. The server then sends a SYN+ACK packet expecting an ACK reply and the establishment of a connection.

An attacker intending to disrupt a server with a denial of service (DoS) attack can send a flood of SYN packets and not respond to the SYN+ACK packets the server sends in response. Networks can be slow and packets can get lost so the server will continue to send SYN+ACK packets until it gives up, and removes the failed session from the session table. If an attacker sends enough SYN packets to the server, the session table will fill completely, and further connection attempts will be denied until the incomplete sessions time out. Until this happens, the server is unavailable to service legitimate connection requests.

A single client launches a SYN flood attack

SYN floods are seldom launched from a single address so limiting the number of connection attempts from a single IP address is not usually effective.

SYN spoofing

With a flood of SYN packets coming from a single attacker, you can limit the number of connection attempts from the source IP address or block the attacker entirely. To prevent this simple defense from working, or to disguise the source of the attack, the attacker may spoof the source address and use a number of IP addresses to give the appearance of a distributed denial of service (DDoS) attack. When the server receives the spoofed SYN packets, the SYN+ACK replies will go to the spoofed source IP addresses which will either be invalid, or the system receiving the reply will not know what to do with it.

A client launches a SYN spoof attack

DDoS SYN flood

The most severe form of SYN attack is the distributed SYN flood, one variety of distributed denial of service attack (DDoS). Like the SYN flood, the target receives a flood of SYN packets and the ACK+SYN replies are never answered. The attack is distributed across multiple sources sending SYN packets in a coordinated attack.

Multiple attackers launch a distributed SYN flood

The distributed SYN flood is more difficult to defend against because multiple clients are capable of creating a larger volume of SYN packets than a single client. Even if the server can cope, the volume of traffic may Defending against DoS attacks

overwhelm a point in the network upstream of the targeted server. The only defense against this is more bandwidth to prevent any choke points.

Configuring the SYN threshold to prevent SYN floods

The preferred primary defense against any type of SYN flood is the DoS anomaly check for tcp_syn_flood threshold. The threshold value sets an upper limit on the number of new incomplete TCP connections allowed per second. If the number of incomplete connections exceeds the threshold value, and the action is set to Pass, the FortiGate unit will allow the SYN packets that exceed the threshold. If the action is set to Block, the FortiGate unit will block the SYN packets that exceed the threshold, but it will allow SYN packets from clients that send another SYN packet.

The tools attackers use to generate network traffic will not send a second SYN packet when a SYN+ACK response is not received from the server. These tools will not “retry.” Legitimate clients will retry when no response is received, and these retries are allowed even if they exceed the threshold with the action set to Block.

SYN proxy

FortiGate units with network acceleration hardware, whether built-in or installed in the form of an add-on module, offer a third action for the tcp_syn_flood threshold. Instead of Block and Pass, you can choose to Proxy the incomplete connections that exceed the threshold value.

When the tcp_syn_flood threshold action is set to f, incomplete TCP connections are allowed as normal as long as the configured threshold is not exceeded. If the threshold is exceeded, the FortiGate unit will intercept incoming SYN packets from clients and respond with a SYN+ACK packet. If the FortiGate unit receives an ACK response as expected, it will “replay” this exchange to the server to establish a communication session between the client and the server, and allow the communication to proceed.

Other flood types

UDP and ICMP packets can also be used for DoS attacks, though they are less common. TCP SYN packets are so effective because the target receives them and maintains a session table entry for each until they time out. Attacks using UDP or ICMP packets do not require the same level of attention from a target, rendering them less effective. The target will usually drop the offending packets immediately, closing the session.

Use the udp_flood and icmp_flood thresholds to defend against these DoS attacks.

DoS policies

DDoS attacks vary in nature and intensity. Attacks aimed at saturating the available bandwidth upstream of your service can only be countered by adding more bandwidth. DoS policies can help protect against DDoS attacks that aim to overwhelm your server resources. DoS policy recommendations

• Use and configure DoS policies to appropriate levels based on your network traffic and topology. This will help drop traffic if an abnormal amount is received.
• It is important to set a good threshold. The threshold defines the maximum number of sessions/packets per second of normal traffic. If the threshold is exceeded, the action is triggered. Threshold defaults are general recommendations, although your network may require very different values.
• One way to find the correct values for your environment is to set the action to Pass and enable logging. Observe the logs and adjust the threshold values until you can determine the value at which normal traffic begins to generate attack reports. Set the threshold above this value with the margin you want. Note that the smaller the margin, the more protected your system will be from DoS attacks, but your system will also be more likely to generate false alarms.

Policy configuration

The firewall policies of the FortiGate are one of the most important aspects of the appliance. There are a lot of building blocks and configurations involved in setting up a firewall and it within the policies that a lot of these components come together to form a cohesive unit to perform the firewall’s main function, analyzing network traffic and responding appropriately to the results of that analysis.

There are a few different kinds of policies and in most cases these are further divided into IPv4 and IPv6 versions:

• IPv4 policy – used for managing traffic going through the appliance using IPv4 protocols l IPv6 policy – used for managing traffic going through the appliance using IPv6 protocols l NAT64 policy – used for managing traffic going through the appliance that converts from IPv6 on the incoming interface to IPv4 on the outgoing interface
• NAT46 policy – used for managing traffic going through the appliance that converts from IPv4 on the incoming interface to IPv6 on the outgoing interface
• Multicast policy – used to manage traffic sent to multiple destinations l IPv4 access control list – used to filter out packets based on specific IPV4 parameters. l IPv6 access control list – used to filter out packets based on specific IPV6 parameters. l IPv4 DoS policy – used to prevent malicious or flawed packets on an IPv4 interface from denying access to users. l IPv6 DoS policy – used to prevent malicious or flawed packets on an IPv6 interface from denying access to users.

Because the policy determines whether or not NAT will be used, it is also import to look at how to configure: l Central SNAT – used for granular controlling when NATing is in use.

Viewing firewall policies

To find a Policy window, follow one of these path in the GUI:

• Policy & Objects> IPv4 Policy l Policy & Objects> IPv6 Policy l Policy & Objects> NAT64 Policy l Policy & Objects> NAT46 Policy l Policy & Objects> Proxy Policy l Policy & Objects> Multicast Policy

You may notice other policy options on the left window pane such as:

• Policy & Objects> IPv4 DoS Policy l Policy & Objects> IPv6 DoS Policy l Policy & Objects> Local InPolicy

These are different enough that they have their own descriptions in the sections that relate to them.

Viewing firewall policies

Menu items

There are some variations, but there are some common elements share by all of them. There is a menu bar across the top. The menu bar will have the following items going from left to right:

l Create New button l Edit button l Delete button l Search field l Interface Pair View– Displays the policies in the order that they are checked for matching traffic, grouped by the pairs of Incoming and Outgoing interfaces. For instance, all of the policies referencing traffic from WAN1 to DMZ will be in one section. The policies referencing traffic from DMZ to WAN1 will be in another section. The sections are collapsible so that you only need to look at the sections with policies you are interested in. l By Sequence– Displays the policies in the order that they are checked for matching traffic without any grouping.

Menu items not shared by all policies

l Policy Lookup – (IPv4, IPv6 ) l NAT64 Forwarding – (NAT64)

The Table of Policies

Columns

The tables that make up the Policy window are based on rows which represent individual policies and the columns that represent the various parameters or status within the policy. The columns are customizable by which columns are included and what order they are in.

The table can be laid out a number ways to suit the viewer. There is a column for most of the important pieces of information that you might be interested in seeing, but a lot of them are hidden by default. If you had a large enough screen, you might be able to show all of the columns, but even then it might look a bit busy and crammed together. Figure out which pieces of information are most important to you and hide the rest.

To configure which columns are visible and which are hidden, right click on the header row of the table. This will present a drop down menu. The drop down will be divided into sections. At the top will be the Selected Columns which are currently visible, and the next section will be Available Columns which show which columns are available to add to the table.

To move a column from the Available list to the Selected list just click on it. To move a column from the Selected list to the Available list, it also just takes a click of the mouse. To make the changes show up on the table, go to the bottom of the drop down menu and select Apply. Any additions to the table will show up on the right side.

One of the more useful ones that can be added is the ID column. The reason for adding this one is that within the configuration file and CLI, the policies are referenced by their ID number. Some policy settings are only available for configuration in the CLI. If you are looking in the CLI you will see that the only designation for a policy is its number and if you wish to edit the policy or change its order in the sequence you will be asked to move it before or after another policy by referencing its number.

Object configuration

As was mentioned earlier, the components of the FortiGate firewall go together like interlocking building blocks. The Firewall objects are a prime example of those building blocks. They are something that can be configured once and then used over and over again to build what you need. They can assist in making the administration of the FortiGate unit easier and more intuitive as well as easier to change. By configuring these objects with their future use in mind as well as building in accurate descriptions the firewall will become almost self documenting. That way, months later when a situation changes, you can take a look at a policy that needs to change and use a different firewall object to adapt to the new situation rather than build everything new from the ground up to accommodate the change.

This chapter includes information about the following Firewall objects:

l Addresses l “Virtual IPs” on page 234 l IP Pools l “Services” on page 248 l “Firewall schedules” on page 256

UUID support

A Universally Unique Identified (UUID) attribute has been added to some firewall objects, so that the logs can record these UUID to be used by a FortiManager or FortiAnalyzer unit. The objects currently include:

l Addresses, both IPv4 and IPv6 l Address Groups, both IPv4 and IPv6 l Virtual IPs, both IPv4 and IPv6 l Virtual IP groups, both IPv4 and IPv6 l Policies, IPv4,IPv6 and IP64

A UUID is a 16-octet (128-bit) number that is represented by 32 lowercase hexidecimal digits. The digits are displayed in five groups separated by hyphens (-). The pattern is 8-4-4-4-12; 36 digits if you include the hyphens.

Addresses

Firewall addresses define sources and destinations of network traffic and are used when creating policies. When properly set up these firewall objects can be used with great flexibility to make the configuration of firewall policies simpler and more intuitive. The FortiGate unit compares the IP addresses contained in packet headers with a security policy’s source and destination addresses to determine if the security policy matches the traffic.

The address categories and the types within those categories on the FortiGate unit can include:

• IPv4 addresses l IP address and Netmask l IP address range l Geography based address l Fully Qualified Domain Name (FQDN) address l Wildcard FQDN l IPv4 address aroup
• IPv6 addresses l Subnets l IP range l IPv6 address group
• Multicast addresses l Multicast IP range l Broadcast subnets
• Proxy addresses l URL pattern l Host Regex match l URL category l Http method l User agent l HTTP header l Advanced (source) l Advanced (destination)
• IP Pools (IPv4) l Overload l One-to-one l Fixed port range l Port block allocation
• IP pools (IPv6) l Virtual IP addresses l IPv4 l IPv6 l NAT46 l NAT64

Interfaces

When setting up an address one of the parameters that is asked for is the interface. This means that the system will expect to see that address only on the interface that you select. You can only select one interface. If you expect that the address may be seen at more than one interface you can choose the “any” interface option. Whenever, possible it is best to choose a more specific interface than the “any” option because in the GUI configuration of firewall policies there is a drop down field that will show the possible addresses that can be used. The drop down will only show those addresses that can be on the interface assigned for that interface in the policy.

Example:

• You have an address called “XYZ”. l “XYZ” is set to the WAN1 interface because that is the only interface that will be able to access that address.
• When you are selecting a Source Address in the Web-based Manager for a policy that is using the DMZ the address “XYZ” will not be in the drop-down menu.

When there are only 10 or 20 addresses this is not a concern, but if there are a few hundred addresses configured it can make your life easier.

Addresses, address groups, and virtual IPs must have unique names to avoid confusion in firewall policies. If an address is selected in a policy, the address cannot be deleted until it is deselected from the policy.

Addressing Best Practices Tip

The other reason to assign a specific interface to addresses is that it will prevent you from accidentally assigning an address where it will not work properly. Using the example from earlier, if the “XYZ” address was assigned to the “Any” interface instead of WAN1 and you configure the “XYZ” address.

Addressing Best Practices Tip

Don’t specify an interface for VIP objects or other address objects that may need to be moved or approached from a different direction. When configuring a VIP you may think that it will only be associated with a single interface, but you may later find that you need to reference it on another interface.

Example: Some web applications require the use of a FQDN rather than an

IP address. If you have a VIP set up that works from the Internet to the Internal LAN you wont be able to use that VIP object to access it from an internal LAN interface.

IPv4 addresses

When creating an IPv4 address there are a number of different types of addresses that can be specified. These include:

• FQDN
• Geography l IP range l IP/Netmask l Wildcard FQDN

Which one chosen will depend on which method most easily yet accurately describes the addresses that you are trying to include with as few entries as possible based on the information that you have. For instance, if you are trying to describe the addresses of a specific company’s web server but it you have no idea of how extensive there web server farm is you would be more likely to use a Fully Qualified Domain Name (FQDN) rather than a specific IP address. On the other hand some computers don’t have FQDNs and a specific IP address must be used.

The following is a more comprehensive description of the different types of addresses.

FQDN addresses

By using Fully Qualified Domain Name (FQDN) addressing you can take advantage of the dynamic ability of DNS to keep up with address changes without having to manually change the addresses on the FortiGate. FQDN addresses are most often used with external web sites but they can be used for internal web sites as well if there is a trusted DNS server that can be accessed. FQDN addressing also comes in handy for large web sites that may use multiple addresses and load balancers for their web sites. The FortiGate firewall automatically maintains a cached record of all the addresses resolved by the DNS for the FQDN addresses used.

For example, if you were doing this manually and you wanted to have a security policy that involved Google you could track down all of the IP addresses that they use across multiple countries. Using the FQDN address is simpler and more convenient.

When representing hosts by an FQDN, the domain name can also be a subdomain, such as mail.example.com.

Valid FQDN formats include:

• <host_name>.<top_level_domain_name> such as example.com
• <host_name>.<second_level_domain_name>.<top_level_domain_name>, such as mail.example.com When creating FQDN entries it is important to remember that:
• Wildcards are not supported in FQDN address objects l While there is a level of convention that would imply it, “www.example.com” is not necessarily the same address of “example.com”. they will each have their own records on the DNS server.

The FortiGate firewall keeps track of the DNS TTLs so as the entries change on the DNS servers the IP address will effectively be updated for the FortiGate. As long as the FQDN address is used in a security policy, it stores the address in the DNS cache.

There is a possible security downside to using FQDN addresses. Using a fully qualified domain name in a security policy means that your policies are relying on the DNS server to be accurate and correct. DNS servers in the past were not seen as potential targets because the thinking was that there was little of value on them and therefore are often not as well protected as some other network resources. People are becoming more aware that the value of the DNS server is that in many ways it controls where users and computers go on the Internet. Should the DNS server be compromised, security policies requiring domain name resolution may no longer function properly.

Creating a Fully Qualified Domain Name address

1. Go to Policy & Objects > Addresses.
2. Select Create New. A drop down menu is displayed. Select Address. In the Category field, chose Address. (This is for IPv4 addresses.)
3. Input a Name for the address object.
4. In the Type field, select FQDN from the drop down menu.
5. Input the domain name in the FQDN
6. In the Interface field, leave as the default any or select a specific interface from the drop down menu.
7. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled, the address will appear in drop down menus where it is an option.
8. Input any additional information in the Comments
9. Press

Example: FQDN address

You have to great a policy that will govern traffic that goes to a site that has a number of servers on the Internet. Depending on the traffic or the possibility that one of the servers is down network traffic can go to any one of those sites. The consistent factor is that they all use the same Fully Qualified Domain Name.

• The FQDN of the web site: example.com
• The number of ISP connections off of the FortiGate firewall: 2

Configuring the address in the GUI

1. Go to Policy & Objects> Objects > Addresses and select Create New > Address.
2. Fill out the fields with the following information:

3. Select

Configuring the address in the CLI

config firewall address edit BigWebsite.com set type fqdn set associated-interface any set fqdn bigwebsite.com end

Verification

To verify that the addresses were added correctly:

1. Go to Firewall Objects > Address > Addresses. Check that the addresses have been added to the address list and that they are correct.
2. Enter the following CLI command:

config firewall address edit <the name of the address that you wish to verify>

Show full-configuration

Changing the TTL of a FQDN address

To make sure that the FQDN resolves to the most recent active server you have been asked to make sure that the FortiGate has not cached the address for any longer than 10 minutes.

There is no field for the cached time-to-live in the web-based manager. It is only configurable in the CLI. Enter the following commands:

config firewall address edit BigWebsite.com set cache-ttl 600

end

Geography based addresses

Geography addresses are those determined by country of origin.

This type of address is only available in the IPv4 address category.

Creating a geography address

1. Go to Policy & Objects > Addresses.
2. Select Create New. A drop down menu is displayed. Select Address. In the Category field, chose Address. (This is for IPv4 addresses.)
3. Input a Namefor the address object.
4. In the Type field, select Geography from the drop down menu.
5. In the Country field, select a single country from the drop down menu.
6. In the Interface field, leave as the default any or select a specific interface from the drop down menu.
7. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
8. Input any additional information in the Comments
9. Press

Example: Geography-based address

Configuring the address in the GUI

Your company is US based and has information on its web site that may be considered information that is not allowed to be sent to embargoed countries. In an effort to help reduce the possibility of sensitive information going to those countries you have be asked to set up addresses for those countries so that they can be block in the firewall policies.

l One of the countries you have been asked to block is Cuba l You have been asked to comment the addresses so that other administrators will know why they have been created

1. Go to Policy & Objects> Objects > Addresses and select Create New > Address.
2. Fill out the fields with the following information

3. Select

Configuring the address in the CLI

Enter the following CLI commands:

config firewall address edit Cuba set type geography set country CN set interface wan1

end

Overrides

It is possible to assign a specific ip address range to a customized country ID. Generally, geographic addressing is done at the VDOM level; it could be considered global if you are using the root VDOM, but the geoip-override setting is a global setting.

config system geoip-override edit “test” set country-id “A0” config ip-range

edit 1 set start-ip 7.7.7.7 set end-ip 7.7.7.8

next

edit 2 set start-ip 7.7.10.1 set end-ip 7.7.10.255 end

• While the setting exists in the configuration file, the system assigns the country-id option automatically.
• While you can use “edit 1” and “edit 2”, it is simpler to use “edit 0” and let the system automatically assign an ID number.

After creating a customized Country by using geoip-override command, the New country name has been added automatically to the country list and will be available on the Firewall Address Country field.

Diagnose commands

There are a few diagnose commands used with geographic addresses. The basic syntax is:

diagnose firewall ipgeo [country-list | ip-list | ip2country | override | copyright-notice]

IP range addresses

Where the subnet address is good a representing a standardized group of addresses that are subnets the IP Range type of address can describe a group of addresses while being specific and granular. It does this by specifying a continuous set of IP addresses between one specific IP address and another. While it is most common that this range is with a subnet it is not a requirement. For instance, 192.168.1.0/24 and 192.168.2.0/24 would be 2 separate subnets but if you wanted to describe the top half of one and the bottom half of the other you could describe the range of 192.168.1.128-192.168.2.127. It’s also a lot easier that trying to calculate the correct subnet mask.

The format would be:

x.x.x.x-x.x.x.x, such as 192.168.110.100-192.168.110.120

There is a notation that is commonly used and accepted by some devices that follows the format:

x.x.x.[x-x], such as 192.168.110.[100-120]

This format is not recognized in FortiOS 5.2 as a valid IP Range.

Creating a IP range address

1. Go to Policy & Objects > Addresses.
2. Select Create New. A drop down menu is displayed. Select Address In the Category field, chose Address(IPv4 addresses) or IPv6 Address.
3. Input a Name for the address object.
4. In the Type field, select IP Range from the drop down menu.
5. In the Subnet / IP Range field, enter the range of addresses in the following format: x.x.x.x-x.x.x.x (no spaces)
6. In the Interface field, leave as the default any or select a specific interface from the drop down menu. (This setting is not available for IPv6 addresses)
7. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
8. Input any additional information in the Comments

10. Press OK. Example

Example of a IP Range address for a group of computers set aside for guests on the company network.

IP Range addresses can be configured for both IPv4 and IPv6 addresses. The only differences in creating an IPv6 IP Range address is that you would choose IPv6 Address for the Category and the syntax of the address in the Subnet/IP Range field would be in the format of 2001:0db8:0000:0002:0:0:0:202001:0db8:0000:0004:0:0:0:20

IP / netmask addresses

The subnet type of address is expressed using a host address and a subnet mask. From a strictly mathematical stand point this is the most flexible of the types because the address can refer to as little one individual address or as many as all of the available addresses.

It is usually used when referring to your own internal addresses because you know what they are and they are usually administered in groups that are nicely differentiated along the lines of the old A, B, and C classes of IPv4 addresses. They are also addresses that are not likely to change with the changing of Internet Service Providers (ISP).

When representing hosts by an IP address with a netmask, the IP address can represent one or more hosts. For example, a firewall address can be:

• A single host such as a single computer with the address 192.45.46.45 l A range of hosts such as all of the hosts on the subnet 192.45.46.1 to 192.45.46.255 l All hosts, represented by 0.0.0.0 which matches any IP address

The netmask corresponds to the subnet class of the address being added, and can be represented in either dotted decimal or CIDR format. The FortiGate unit automatically converts CIDR formatted netmasks to dotted decimal format. Example formats:

• Netmask for a class A subnet of 16,777,214 usable addresses: 255.0.0.0, or /8 l Netmask for a class B subnet of 65,534 usable addresses: 255.255.0.0, or /16 l Netmask for a class C subnet of 254 usable addresses: 255.255.255.0, or /24 l Netmask for subnetted class C of 126 usable addresses: 255.255.255.128, or /25 l Netmask for subnetted class C of 62 usable addresses: 255.255.255.128, or /26 l Netmask for subnetted class C of 30 usable addresses: 255.255.255.128, or /27 l Netmask for subnetted class C of 14 usable addresses: 255.255.255.128, or /28 l Netmask for subnetted class C of 6 usable addresses: 255.255.255.128, or /29 l Netmask for subnetted class C of 2 usable addresses: 255.255.255.128, or /30 l Netmask for a single computer: 255.255.255.255, or /32 l Netmask used with 0.0.0.0 to include all IP addresses: 0.0.0.0, or /0

So for a single host or subnet the valid format of IP address and netmask could be either:

x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0 or

x.x.x.x/x, such as 192.168.1.0/24

Static route configuration

A setting that is found in the IP/Netmask address type that is not found in the other address types is the enabling or disabling of Static Route Configuration. Enabling this feature includes the address in the listing of named addresses when setting up a static route.

To use in the GUI

1. Enable the Static Route Configuration in the address.
2. Go to Network > Static Routes and create a new route.
3. For a Destination type, choose Named Address.
4. Using the drop down menu, enter the name of the address object in the field just underneath the Destination type options.
5. Fill out the other information relevant to the route
6. Select the OK button

To enable in the CLI:

config firewall address edit <address_name> set allow-routing enable end

Creating a subnet address

1. Go to Policy & Objects > Addresses.
2. Select Create New. A drop down menu is displayed. Select Address. In the Category field, chose Address. (This is for IPv4 addresses.)
3. Input a Namefor the address object.
4. In the Type field, select IP/Netmask from the drop down menu.
5. In the Subnet/IP Range field, enter the address and subnet mask according to the format x.x.x.x/x.x.x.x or the short hand format of x.x.x.x/x
6. In the Interface field, leave as the default any or select a specific interface from the drop down menu.
7. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
8. Select the desired on/off toggle setting for Static Route Configuration.
9. Input any additional information in the Comments

11. Press OK. Example

Example of a Subnet address for a database server on the DMZ:

Wildcard addressing

Wildcard addresses are addresses that identify ranges of IP addresses, reducing the amount of firewall addresses and security policies required to match some of the traffic on your network. Wildcard addresses are an advanced feature, usually required only for complex networks with complex firewall filtering requirements. By using these wildcard addresses in the firewall configuration, administrators can eliminate creating multiple, separate IP based address objects and then grouping them to then apply to multiple security policies.

A wildcard address consists of an IP address and a wildcard netmask, for example, 192.168.0.56

255.255.0.255. In this example, the IP address is 192.168.0.56 and the wildcard netmask is

255.255.0.255. The IP address defines the networks to match and the wildcard netmask defines the specific addresses to match on these networks.

In a wildcard netmask, zero means ignore the value of the octet in the IP address, which means the wildcard firewall address matches any number in this address octet. This also means that the number included in this octet of IP address is ignored and can be any number. Usually, if the octet in the wildcard netmask is zero, the corresponding octet in the IP address is also zero.

In a wildcard netmask, a number means match addresses according to how the numbers translate into binary addresses. For example, the wildcard netmask is 255; the wildcard address will only match addresses with the value for this octet that is in the IP address part of the wildcard address. So, if the first octet of the IP address is 192 and the first octet of the wildcard netmask is 255, the wildcard address will only match addresses with 192 in the first octet.

In the above example, the wildcard address 192.168.0.56 255.255.0.255 would match the following IP addresses:

192.168.0.56

192.168.1.56

192.168.2.56 …

192.168.255.56

The wildcard addresses 192.168.0.56 255.255.0.255 and 192.168.1.56 255.255.0.255 define the same thing since the 0 in the wildcard mask means to match any address in the third octet.

If we use the wildcard address 172.0.20.10 255.0.255.255, it would match the following IP addresses:

172.1.20.10

172.2.20.10

172.3.20.10 …

172.255.20.10

If you do not want to use all of the values in the octet, you can select a smaller grouping by using a number other than 255 in the subnet mask. There are some limitations though that users familiar with subnetting an IP range will recognose.

l The range should be a value that is a power of 2, such as 2, 4, 8, 16, etc l The starting number should be the first number in a number grouping of the same power of 2 divided by the possible range. For instance, if the range is 32 addresses, divide 256 by 32. Start at 0. Therefore the starting IP address can be 0, 33, 65, 97, 129, 161, 193, and 225. If you don’t want to do the math yourself there are a number of online subnet calculators that you can use.

You can perform a binary conversion to calculate the addresses that would be matched by a given value. For example, you can create the IP address and wildcard netmask to match the following network addresses:

192.168.32.0/24

192.168.33.0/24

192.168.34.0/24

192.168.35.0/24

192.168.36.0/24

192.168.37.0/24

192.168.38.0/24

192.168.39.0/24

In this example the range for the numbers in the third octet is 8.

The table shows how to write the third octet for these networks according to the octet bit position and address value for each bit.

Use some basic math:

128 + 64 + 32 +16 + 8 = 248

248 is the value in the subnet mask for the third octet.

The networks can be summarized into one network (192.168.32.0/21 or 192.168.32.0

255.255.248.0). All eight possible combinations of the three low-order bits are relevant for the network ranges. The wildcard address that would match all of these subnet addresses can be written as192.168.32.0 255.255.248.0.

Wildcard addresses are similar to routing access list wildcard masks. You add routing access lists containing wildcard masks using the config router access list command. However, router access list wildcard masks use the inverse of the masking system used for firewall wildcard addresses. For the router access list wildcard masks, zero (0)means match all IP addresses and one (1)means ignore all IP addresses. So to match IP addresses 192.168.0.56, 192.268.1.56, 192.168.2.56,… 192.168.255.56 you would use the following router access IP address prefix and wildcard mask: 192.168.0.56 0.0.255.0.

The following is an example of how to configure a wildcard firewall address.

config firewall address edit example_wildcard_address set type wildcard

set wildcard 192.168.0.56 255.255.0.255

end

Wildcard firewall addresses are initially configured in the CLI. You cannot choose wildcard in the GUI when creating the address, but after the address is created in the CLI, it will show up in the GUI. The Type field shows a grayed out value of Wildcard and the settings, other than the type , can be edited.

Wildcard FQDN

There are a number of companies that use secondary and even tertiary domain names or FQDNs for their websites. Wildcard FQDN addresses are to ease the administrative overhead in cases where this occurs. Sometimes its as simple as sites that still use www. as a prefix for their domain name. If you don’t know whether or not the www is being used it’s simpler to use a wildcard and include all of the possibilities whether it be example.com, www.example.com or even ftp.example.com.

The following wildcard character instances are supported in wildcard FQDN addresses:

l “?” character l “*” character in the middle of a phrase l The “?*” combination

Wildcard FQDN addresses do not resolve to a specific set of IP addresses in the same way that a normal FQDN address does. They are intended for use in SSL exemptions and should not be used as source or destination addresses in policies.

Creating a Fully Qualified Domain Name address

1. Go to Policy & Objects > Addresses.
2. Select Create New. A drop down menu is displayed. Select Address In the Category field, chose Address. (This is for IPv4 addresses.)
3. Input a Name for the address object.
4. In the Type fUncategorizedield, select Wildcard FQDNfrom the drop down menu.
5. Input the domain name in the Wildcard FQDN
6. In the Interface field, leave as the default any or select a specific interface from the drop down menu.
7. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
8. Input any additional information in the Comments

10. Press OK. Example

Example of a FQDN address for a remote FTP server used by Accounting team:

Wildcard FQDNs for SSL deep inspection exemptions

As part of an improvement to SSL deep inspection, wild card FQDN addresses are stored in two tables, one relates to firewall address, historic location for the information, and the second location relates to firewall wildcard-fqdn custom. The wildcard FQDN in firewall address is used by proxypolicy. The wildcard FQDN in firewall wildcard-fqdn custom is used by ssl-exempt in sslssh-profile.

During an upgrade from v5 to v6, all wildcard FQDN in firewall address in the v5 configuration will be moved to firewall wildcard-fqdn custom. If the wildcard FQDN is used in a policy in v5, the upgrade process will leave a copy of the wildcard FQDN in firewall address in addition to the one in firewall wildcard-fqdn custom.

Syntax of the firewall wildcard-fqdn custom object:

config firewall wildcard-fqdn custom edit <string_value> set uuid <string_value> set wildcard-fqdn <string_value> set color <integer 0-32> set comment <string_value> set visibility {enable|disable}

next

end

Syntax of the firewall wildcard-fqdn group object:

config firewall wildcard-fqdn group edit “test-group” set uuid <string_value>

set member <string_value> [<string_value>]

set color 0 set comment ” set visibility enable

next end

Got a whiteboard! Now I just have to get it installed. Should be up this week and then we can start pumping out some videos discussing design, implementation, and more!

IPv6 addresses

When creating an IPv6 address there are a number of different types of addresses that can be specified. These include:

l Subnet l IP Range – the details of this type of address are the same as the IPv4 version of this type l IPv6 FQDN firewall addresses – similar to the IPv4 version.

The IPv6 addresses don’t yet have the versatility of the IPv4 address in that they don’t have things like geography based addresses, but as IPv6 becomes more mainstream this should change.

Subnet addresses

The Subnet Address type is one that is only used in reference to IPv6 addresses.It represents an IPv6 address subnet. This means that the address will likely be a series of hexadecimal characters followed by a double colon, followed by a “/”, and then a number less than 128 to indicate the size of the subnet. An example would be:

fd5e:3c59:35ce:f67e::/64

• The hexidecimal characters represent the IPv6 subnet address.
• The “::” indicates 0’s from that point to the left. In an actual address for a computer, the hexadecimal characters that would take the place of these zeros would represent the device address on the subnet.
• /xx, in this case /64 represents the number of bits in the subnet.This will make a range that can potentially include

18,446,744,073,709,551,616 addresses. For those wanting to use English rather than math, that is 18 Quintillion.

Creating a subnet address

1. Go to Policy & Objects > Addresses.
2. Select Create New. A drop down menu is displayed. Select Address
3. In the Category field, chose IPv6 Address.
4. Input a Name for the address object.
5. In the Type field, select Subnet from the drop down menu.
6. In the Subnet / IP Range field, enter the range of addresses in IPv6 format (no spaces)
7. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
8. Input any additional information in the Comments
9. Press

Example

Example of a IP Range address for a group of computers set aside for guests on the company network.

IPv6 FQDN firewall addresses

FQDN firewall addresses can be configured for IPv6.

Syntax in CLI

config firewall address6 edit <address_name> set type fqdn set fqdn <domain_name>

set cache-ttl <integer value from 0 to 86400> end

Firewall IPv6 address templates

You can use the IPv6 address templates to create new IPv6 addresses that share a prefix. Using templates for addresses reduces the chance of configuring an incorrect address due to a typographical error.

l A standard IPv6 address can be divided into three parts:

[IPv6 network prefix] + [subnet segments] + [host address] l The subnet segments can be split into multiple 4-bit blocks called nibbles l Each subnet segments represent different geographical or organizational parts of the network. They are represented by 1 or more nibbles.

Example of a prefix:

2001:db8:1234:0000::/64

The 16 bits that make up the subnet segments can be more granular.

Example: 0011 1111 0000 1101

The resulting network portion of the address is:

2001:db8:1234:3f0d::/64

By changing the mask, the subnet segment could be increased.

2001:db8:1234:      0000::/48

2001:db8:1234:           0000::/32

This makes more options available for the configuration of the subnet segments. Below is an example of a very basic template:

Using that template, you can see how the GUI could be used to quickly create address objects.

Multicast addresses

Multicast addressing defines a specific range of address values set aside for them. Therefore all IPv4 multicast addresses should be between 224.0.0.0 and 239.255.255.255.

More information on the concepts behind Multicast addressing can be found in the Multicast Forwarding section.

Multicast IP range

This type of address will allow multicast broadcasts to a specified range of addresses.

Creating a multicast IP range address

1. Go to Policy & Objects > Addresses.
2. Select Create New.

l If you use the down arrow next to Create New, select Address.

3. Choose the Category, Multicast Address
4. Input a Name for the address object.
5. Select the Type,Multicast IP Range from the drop-down menu.
6. Enter the value for the Multicast IP Range
7. Select the Interface from the drop-down menu.
8. Enable the Show in Address List function
9. Input any additional information in the Comments
10. Press

Example: Multicast IP range address

The company has a large high tech campus that has monitors in many of its meeting rooms. It is common practice for company wide notifications of importance to be done in a streaming video format with the CEO of the company addressing everyone at once.

The video is High Definition quality so takes up a lot of bandwidth. To minimize the impact on the network the network administrators have set things up to allow the use of multicasting to the monitors for these notifications. Now it has to be set up on the FortiGate firewall to allow the traffic.

l The range being used for the multicast is 239.5.5.10 to 239.5.5.200 l The interface on this FortiGate firewall will be on port 9

1. Go to Policy & Objects> Objects > Addresses and select Create New > Address.
2. Fill out the fields with the following information

3. Select
4. Enter the following CLI command:

config firewall multicast-address edit “meeting_room_display” set type multicastrange set associated-interface “port9” set start-ip 239.5.5.10 set end-ip 239.5.5.200 set visibility enable

next

end

To verify that the address range was added correctly:

1. Go to Policy & Objects> Objects > Addresses. Check that the addresses have been added to the address list and that they are correct.
2. Enter the following CLI command:

config firewall multicast-address

edit <the name of the address that you wish to verify> Show full-configuration

Broadcast subnet

This type of address will allow multicast broadcast to every node on a subnet.

1. Go to Policy & Objects > Addresses.
2. Select Create New. A drop down menu is displayed. Select Address.
3. In theCategory field, choseMulticast Address.
4. Input a Name for the address object.
5. In the Type field, select Broadcast Subnetfrom the drop down menu.
6. In the Broadcast Subnet field enter the address and subnet mask according to the format x.x.x.x/x.x.x.x or the short hand format of x.x.x.x/x.(Remember, it needs to be within the appropriate IP range 224.0.0.0 to 239.255.255.255)
7. In the Interface field, leave as the default any or select a specific interface from the drop down menu.
8. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
9. Input any additional information in the Comments
10. Press OK.

Example

Multicast IP addresses

Multicast uses the Class D address space. The 224.0.0.0 to 239.255.255.255 IP address range is reserved for multicast groups. The multicast address range applies to multicast groups, not to the originators of multicast packets. The following table lists the reserved multicast address ranges and describes what they are reserved for:

Reserved Multicast address ranges

Creating multicast security policies requires multicast firewall addresses. You can add multicast firewall addresses by going to Firewall Objects > Address > Addresses and selecting Create New > Multicast

Address. The factory default configuration includes multicast addresses for Bonjour (224.0.0.251-224.0.0.251, EIGRP (224.0.0.10-224.0.0.100), OSPF (224.0.0.5-224.0.0.60), all_hosts (224.0.0.1-224.0.0.1), and all_routers (224.0.0.2-224.0.0.2).

Proxy addresses

This category of address is different from the other addresses in that it is not designed to be used in the normal firewall policy configuration. It is intended to be used only with explicit web proxies.

In some respects they can be like a FQDN addresses in that they refer to an alpha-numeric string that is assigned to an IP address, but then goes an additional level of granularity by using additional information and criteria to further specify locations or types of traffic within the website itself. In depth information on Explicit Proxy Addressing can be found in WAN Optimization, but it is worth laying out the steps of how to create an address object for this category.

Creating an proxy address

1. Go to Policy & Objects > Addresses.
2. Select Create New. A drop down menu is displayed. Select Address.
3. In the Category field, choseProxy Address.
4. Input a Name for the address object.
5. For the Type field, select one of the options from the drop down menu.

Within the Explicit Proxy Address category there are 8 types of addresses. Each of these types will have associated field(s) that also need to have values entered to make the object specific to it’s address.

Type = URL Pattern

• In the Host field, choose from drop down menu l In the URL Path Regex field, enter the appropriate string

Host Regex Match l In the Host Regex Pattern field, enter the appropriate string

URL Category

• In the Host field, choose from drop down menu l In the URL Category field, choose from drop down menu

HTTP Method

• In the Host field, choose from drop down menu l In the Request Method field, choose from drop down menu The options are: l CONNECT l DELETE l GET l HEAD l OPTIONS l POST l PUT l TRACE

User Agent

• In the Host field, choose from drop down menu l In the User Agent field, choose from drop down menu The options are:
• Apple Safari l Google Chrome
• Microsoft Internet Explorer or Spartan l Mozilla Firefox l Other browsers

HTTP Header

• In the Host field, choose from drop down menu l In the Header Name field, enter the appropriate string value l In the Header Regex field, enter the appropriate string value

Advanced (Source)

• In the Host field, choose from drop down menu l In the Request Method field, choose from drop down menu (see HTTP Method type for option list) l In the User Agent field, choose from drop down menu (see User Agent type for option list)
• In the Header Group table, create, edit or delete Header Name strings and associated Header Regex strings

Advance (Destination)

• In the Host field, choose from drop down menu l In the Host Regex Pattern field, enter the appropriate string l In the URL Category field, choose from drop down menu

6. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
7. Input any additional information in the Comments
8. Press

Proxy address groups

To create a Proxy address group:

1. Go to Policy & Objects > Addresses.
2. Click on + Create New to get the drop down menu. Select Address Group.
3. In the Category field, choose Proxy Group.
4. Fill in a descriptive name in the Group Name
5. If you wish, use the Change link to change the Color of icons in the GUI. There are 32 color options.
6. In the Type field, select whether the group will be a Source Group (composed of source addresses) or a Destination Group (composed of destination addresses).
7. Select anywhere in the Members field to bring forth the pane of potential members for selection to the group.
8. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled, the address will appear in drop down menus where it is an option.
9. Input any additional information in the Comments
10. Click on OK.

Internet services

In FortiOS 5.4, support was added for Internet Service objects which could be used with FortiView, Logging, Routing and WAN Load Balancing. Now they can be added to firewall policies as well.

There is an either or relationship between Internet Service objects and destination address and service combinations in firewall policies. This means that a destination address and service can be specified in the policy OR an Internet service, not both.

CLI

The related CLI options/syntax are:

config firewall policy edit 1 set internet-service 1 5 10 set internet-service-custom test set internet-service-negate [enable|disable]

end

GUI

In the policy listing page you will notice that is an Internet Service object is used, it will be found in both the Destination and Service column.

In the policy editing page the Destination Address, now Destination field now has two types, Address and Internet Service.

Hey Guys, check out Fortinet presenting on Tech Field Day Live (quick search on facebook will find the stream). Outside of the one guy needing to invest in an iron the content is pretty good.

Address groups

Address groups are designed for ease of use in the administration of the device. If you have a number of addresses or address ranges that will commonly be treated the same or require the same security policies, you can put them into address groups, rather than entering multiple individual addresses in each policy refers to them.

The use of groups is not required. If you have a number of different addresses you could add them individually to a policy and the FortiGate firewall will process them just as quickly and efficiently as if they were in a group, but the chances are that if you have used a group once you could need to use it again and depending on the number of addresses involved entering them individually for each policy can become tedious and the likelihood of an address being missed becomes greater. If you have a number of policies using that combination of addresses it is much easier to add or subtract addresses from the group than to try and remember all of the firewall policies that combination of addresses was used in. With the group, you only have to make the one edit and it is used by any firewall policy using that address group.

Because security policies require addresses with homogenous network interfaces, address groups should contain only addresses bound to the same network interface, or to Any.

For example, if address 1.1.1.1 is associated with port1, and address 2.2.2.2 is associated with port2, they cannot be in the same group. However, if 1.1.1.1 and 2.2.2.2 are configured with an interface of Any, they can be grouped, even if the addresses involve different networks. There are 3 Categories of Address groups to choose from:

l IPv4 Group l IPv6 Group l Proxy Group

You cannot mix different categories of addresses within a group, so whether or not it makes sense from an administrative purpose to group certain addresses together, if some are IPv4 and some are IPv6, it cannot be done.

Creating an address group

1. Go to Policy & Objects > Addresses.
2. Select the down arrow next to Create New, select Address Group.
3. Choose the Category, that is applicable to the proposed selection of addresses.
4. Input a Group Name for the address object.

Depending on which Category has been chosen the configurations will differ slightly

IPv4 group

1. Select the “+” in the Members You can select members of the group from the window that slides out from the left of the screen. It is possible to select more than 1 entry. Select the “X” icon in the field to remove an entry.
2. Select the desired on/off toggle setting for Show in Address List.
3. Select the desired on/off toggle setting for Static Route Configuration .

IPv6 group

1. Select the “+” in the Members You can select members of the group from the window that slides out from the left of the screen. It is possible to select more than 1 entry. Select the “X” icon in the field to remove an entry.
2. Select the desired on/off toggle setting for Show in Address List.

Proxy group

1. Select which Type, either Source Group or Destination Group.
2. Select the “+” in the Members You can select members of the group from the window that slides out from the left of the screen. It is possible to select more than 1 entry. Select the “X” icon in the field to remove an entry.
3. Select the desired on/off toggle setting for Show in Address List.

Irrespective of the Category the groups all have the same final configuration options:

1. Input any additional information in the Comments field.

2. Press OK. UUID support

Syntax:

config firewall {address|addres6|addgrp|addgrp6} edit 1 set uuid <example uuid: 8289ef80-f879-51e2-20dd-fa62c5c51f44> next end

Virtual IPs

The mapping of a specific IP address to another specific IP address is usually referred to as Destination NAT.

When the Central NAT Table is not being used, FortiOS calls this a Virtual IP Address, sometimes referred to as a

VIP. FortiOS uses a DNAT or Virtual IP address to map an External IP address to an IP address. This address

does not have to be an individual host, it can also be an address range. This mapping can include all TCP/UDP ports or if Port Forwarding is enabled it will only refer to the specific ports configured. Because, the Central NAT table is disabled by default the term Virtual IP address or VIP will be used predominantly.

Virtual IP addresses are typically used to NAT external or Public IP addresses to internal or Private IP addresses. Using a Virtual IP address between 2 internal Interfaces made up of Private IP addresses is possible but there is rarely a reason to do so as the 2 networks can just use the IP addresses of the networks without the need for any address translation. Using a Virtual IP address for traffic going from the inside to the Internet is even less likely to be a requirement, but it is supported.

Something that needs to be considered when there are multiple Public IP addresses on the external interface(s) is that when a Virtual IP address is used without Port Forwarding enabled there is a reciprocal effect as far as traffic flow is concerned. Normally, on a firewall policy where NAT is enabled, for outgoing traffic the internal address is translated to the Public address that is assigned to the FortiGate, but if there is a Virtual IP address with no port forwarding enabled, then the Internal IP address in the Mapped field would be translated to the IP address configured as the External Address in the VIP settings.

Example

• The assigned External address (WAN1) of the FortiGate unit is 172.12.96.3 with a subnet mask of 255.255.255.128 l There is a Virtual IP address set up to map the external address 172.12.96.127 on WAN1 to the internal IP address of 192.168.1.127
• Port Forwarding is not enabled because you want all allowed traffic going to the external IP address to go to this server.

In this case any outbound traffic from 192.168.1.127 will go out on WAN1 with the IP address of 172.12.96.127 as the source IP address.

In terms of actually using the Virtual IP address, they would be using in the security policies in the same places that other addresses would be used, usually as a Destination Address.

UUID support for VIP

UUID is now supported in for virtual IPs and virtual IP groups. This includes virtual IPs for IPv4, IPv6, NAT46, and NAT64. To view the UUID for these objects in a FortiGate unit’s logs, log-uuid must be set to extended mode, rather than policy-only (which only shows the policy UUID in a traffic log). UUID can only be configured through the CLI

Syntax

config sys global set log-uuid {disable | policy-only | extended}

end

There is another type of address that the term “virtual IP address” commonly refers to which is used in load balancing and other similar configurations. In those cases, a number of devices share a separately created virtual IP address that can be sent to multiple possible devices. In FortiOS these are referred to as Virtual Servers and are configured in the “Load Balance” section.

If Central-NAT is enabled in the CLI the GUI will be different.

Instead of VIP Type, the field label will be DNAT & VIP Type

Instead of IPv4 the option will be IPv4 DNAT

There will also be the addition setting of Source Interface Filter.

Commands to set central-nat:

config system settings set central-nat [enable | disable] end

Creating a virtual IP

1. Go to Policy & Objects > Virtual IPs.
2. Select Create New. A drop down menu is displayed. Select Virtual IP.
3. From the VIP Type options, choose an applicable type based on the IP addressing involved. Which is chosen will depend on which of the IP version networks is on the external interface of the FortiGate unit and which is on the internal interface.

The available options are:

• IPv4 – IPv4 on both sides of the FortiGate Unit. l IPv6 – IPv6 on both sides of the FortiGate Unit. l NAT46 – Going from an IPv4 Network to an IPv6 Network.
• NAT64 – Going from an IPv6 Network to an IPv4 Network.

4. In the Name field, input a unique identifier for the Virtual IP.
5. Input any additional information in the Comments
6. The Color of the icons that represent the object in the GUI can be changed by clicking on the [Change] link and choosing from the 32 colors.

Because the configuration differs slightly for each type the next steps will be under a separate heading based on the type of the VIP

Configuring a VIP for IPv4

In the Network section:

7. If an IPv4 type of Virtual IP, select the Interface

Using the drop down menu for the Interface Field, choose the incoming interface for the traffic.

The IPv4 VIP Type is the only one that uses this field. This is a legacy function from previous versions so that they can be upgraded without complicated reconfiguration. The External IP address, which is a required field, tells the unit which interface to use so it is perfectly acceptable to choose “any” as the interface. In some configurations, if the Interface field is not set to “any” the Virtual IP object will not one of the displayed options when choosing a destination address.

8. Configure the External IP Address/Range.

There are two fields. If there is a single IP address, use that address in both fields. This will be the address on the outside of the network that is usually the public address of the server. The format of the address will depend on the VIP Type option that was selected.

9. Configure the Mapped IP Address/Range. This will be the address that the traffic is being directed to.

There are two fields. If there is a single IP address, use that address in both fields. The format of the address will depend on the VIP Type option that was selected. In the Optional Filters

10. Disable/Enable the Optional Filters.

If only specific IP addresses and/or services are allowed to be the source for traffic using the VIP, enable the Optional Filters.

11. To specify an allowed address enter the value in the field labeled Source Address. The value can be formatted in three different ways.

l Source IP – Use the standard format for a single IP address l Range – Enter the first and last members of the range l Subnet – Enter the IP address of the broadcast address for the subnet.

To add additional addresses, click on the “+” below the last field with an address. To subtract an address, click on the “X” next to the field you wish to delete.

12. To specify an allowed Service, toggle the Services option to enabled. Set the Services parameter by selecting the field with the “+” in the field. This will slide a window out from the right. Single or multiple options can be selected by highlighting the services wanted, unless the ALL option is chosen, in which case it will be the only option. For more information on services, check the Firewall Objects section called Services and TCP ports.
13. Disable/Enable Port Forwarding. If only the traffic for a specific port or port range is being forwarded, enable this setting.
14. Select the Protocol from l TCP l UDP l SCTP l ICMP
15. Configure the External Service Port. This is the port(s) on the external interface of the FortiGate (the destination port in the header of the packets). The first field is for the first port in the range the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
16. Configure the setting Map to Port.This will be the listening port on the device located on the internal side of the network. It does not have to be the same as the External Service Port. The first field is for the first port in the range the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
17. Press

Example

This example is for a VIP that is being used to direct traffic from the external IP address to a web server on the internal network. The web server is for company use only. The company’s public facing web server already used port 80 and there is only one IP external IP address so the traffic for this server is being listened for on port 8080 of the external interface and being sent to port 80 on the internal host.

Configuring a VIP for IPv6

In the Network section:

7. Configure the External IP Address/Range.

There are two fields. If there is a single IP address, use that address in both fields. This will be the address on the outside of the network that is usually the public address of the server. Enter the address in the standard IPv6 format.

8. Configure the Mapped IP Address/Range. This will be the address that the traffic is being directed to.

There are two fields. If there is a single IP address, use that address in both fields. Enter the address in the standard IPv6 format.

In the Optional Filters

9. Disable/Enable the Optional Filters.

If only specific IP addresses and/or services are allowed to be the source for traffic using the VIP, enable the Optional Filters.

10. To specify an allowed address enter the value in the field labeled Source Address. The value can be formatted in three different ways.

l Source IP – Use the standard format for a single IP address l Range – Enter the first and last members of the range l Subnet – Enter the IP address of the broadcast address for the subnet.

To add additional addresses, click on the “+” below the last field with an address. To subtract an address, click on the “X” next to the field you wish to delete.

12. Disable/Enable Port Forwarding. If only the traffic for a specific port or port range is being forwarded, enable this setting.
13. Select the Protocol from l TCP l UDP l SCTP
14. Configure the External Service Port. This is the port(s) on the external interface of the FortiGate (the destination port in the header of the packets). The first field is for the first port in the range the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
15. Configure the setting Map to Port.This will be the listening port on the device located on the internal side of the network. It does not have to be the same as the External Service Port. The first field is for the first port in the range the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
16. Press

Configuring a VIP for NAT46

In the Network section:

7. Configure the External IP Address/Range.

There are two fields. If there is a single IP address, use that address in both fields. This will be the address on the outside of the network that is usually the public address of the server. Enter the address in the standard IPv4 format.

8. Configure the Mapped IP Address/Range. This will be the address that the traffic is being directed to.

There are two fields. If there is a single IP address, use that address in both fields. Enter the address in the standard IPv6 format.

In the Optional Filters

9. Disable/Enable the Optional Filters.

If only specific IP addresses and/or services are allowed to be the source for traffic using the VIP, enable the Optional Filters.

10. To specify an allowed address enter the value in the field labeled Source Address. The value can be formatted in three different ways.

l Source IP – Use the standard format for a single IP address l Range – Enter the first and last members of the range l Subnet – Enter the IP address of the broadcast address for the subnet.

To add additional addresses, click on the “+” below the last field with an address. To subtract an address, click on the “X” next to the field you wish to delete.

12. Disable/Enable Port Forwarding. If only the traffic for a specific port or port range is being forwarded, enable this setting.
13. Select the Protocol from l TCP l UDP
14. Configure the External Service Port. This is the port(s) on the external interface of the FortiGate (the destination port in the header of the packets). The first field is for the first port in the range the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
15. Configure the setting Map to Port.This will be the listening port on the device located on the internal side of the network. It does not have to be the same as the External Service Port. The first field is for the first port in the range the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.

Configuring a VIP for NAT64

In the Network section:

7. Configure the External IP Address/Range.

There are two fields. If there is a single IP address, use that address in both fields. This will be the address on the outside of the network that is usually the public address of the server. Enter the address in the standard IPv6 format.

8. Configure the Mapped IP Address/Range. This will be the address that the traffic is being directed to.

There are two fields. If there is a single IP address, use that address in both fields. Enter the address in the standard IPv4 format.

In the Optional Filters

9. Disable/Enable the Optional Filters.

If only specific IP addresses and/or services are allowed to be the source for traffic using the VIP, enable the Optional Filters.

10. To specify an allowed address enter the value in the field labeled Source Address. The value can be formatted in three different ways.

l Source IP – Use the standard format for a single IP address l Range – Enter the first and last members of the range l Subnet – Enter the IP address of the broadcast address for the subnet.

To add additional addresses, click on the “+” below the last field with an address. To subtract an address, click on the “X” next to the field you wish to delete.

12. Disable/Enable Port Forwarding. If only the traffic for a specific port or port range is being forwarded, enable this setting.
13. Select the Protocol from l TCP l UDP
14. Configure the External Service Port. This is the port(s) on the external interface of the FortiGate (the destination port in the header of the packets). The first field is for the first port in the range the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
15. Configure the setting Map to Port.This will be the listening port on the device located on the internal side of the network. It does not have to be the same as the External Service Port. The first field is for the first port in the range the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
16. Press

FQDN in VIPs

Instead of mapping to an IP address a VIP can use a FQDN(Fully Qualified Domain Name). This has to be configured in the CLI and the FQDN must be an address object that is already configured in the address listing.

The syntax for using a FQDN is:

config firewall vip edit <VIP id> set type fqdn

set mappped-addr <FQDN address object> end

Dynamic VIP according to DNS translation

When a dynamic virtual IP is used in a policy, the dynamic DNS translation table is installed along with the dynamic NAT translation table into the kernel. All matched DNS responses will be translated and recorded regardless if they hit the policy. When a client request hits the policy, dynamic NAT translation will occur if it matches a record, otherwise the traffic will be blocked.

Syntax

config firewall vip edit “1” set type dns-translation set extip 192.168.0.1-192.168.0.100

set extintf “dmz” set dns-mapping-ttl 604800 set mappedip “3.3.3.0/24” “4.0.0.0/24” end end

Virtual IP groups

Just like other address, Virtual IP addresses can be organized into groups for ease of administration. If you have multiple virtual IPs that are likely to be associated to common firewall policies rather than add them individually to each of the policies you can add the instead. That way, if the members of the group change then any changes made to the group will propagate to all of the policies using that group.

When using a Virtual IP address group the firewall policy will take into account all of the configured parameters of the Virtual IPs: IP addresses, Ports and port types.

Creating a virtual IP group

1. Go to Policy & Objects > Virtual IPs.
2. Select Create New. A drop down menu is displayed. Select Virtual IP Group.
3. Select the Type for VIP group you wish to create. The options available are:

l IPv4 – IPv4 on both sides of the FortiGate Unit. l IPv6 – IPv6 on both sides of the FortiGate Unit. l NAT46 – Going from an IPv4 Network to an IPv6 Network. l NAT64 – Going from an IPv6 Network to an IPv4 Network.

Which is chosen will depend on which of the IP version networks is on the external interface of the FortiGate unit and which is on the internal interface. The options will be:

4. Enter a unique identifier for the group in the Name
5. Enter any additional information in the Comments
6. If you wish, use the Change link to change the Color of icons in the GUI. There are 32 color options.
7. If the Type is IPv4, the Interface field will be available. Use the drop-down menu to select the interface if all of the VIPs are on the same interface. If any of the VIPS are on different interfaces or if any of them are associated with the “any” option, choose the any option for the group.
8. Select anywhere in the Members field to bring forth the pane of potential members for selection to the group.
9. Press

Configuring IP pools

An IP pool is essentially one in which the IP address that is assigned to the sending computer is not known until the session is created, therefore at the very least it will have to be a pool of at least 2 potential addresses. A quick example would be an IP pool for users of a VPN. IP pools are based upon the version of IP determined by the interface that they are associated with so as expected there are two types of IP pools that can be configured:

l “Creating a IPv4 pool” on page 243 l “Creating a IPv6 pool” on page 247

Because of the differences in the configuration for the two types of pools, instructions for configuring them will be done separately.

Creating a IPv4 pool

1. Go to Policy & Objects > IP Pools.
2. Select Create New.
3. In the IP Pool Type field choose IPv4 Pool
4. Enter a name in the Name field for the new service Include any description you would like in the Comments field
5. In the Type field choose between:

l Overload l One-to-One l Fixed Port Range l Port Block Allocation

At this point the configurations can start to differ based on the type of type of pool.

For more information on the different types of IP pools, check IP Pools in the Concepts section.

Overload

7. For the External IP Range fields, enter the lowest and highest addresses in the range. If you only want a single address used, enter the same address in both fields.
8. Enable the ARP Reply field by making sure there is a check in the box
9. Select OK

Overload example for GUI

In this example, the Sales team needs to connect to an Application Service Provider that does the accounting for the company. As a security measure, the ASP only accepts traffic from a white list of IP addresses. There is 1 public IP address of the company on that list.The Sales team consists of 40 people, so they need to share.The external interface is wan1.

Overload example for CLI

config firewall ippool edit Sales_Team set comments “For the Sales team to use to connect to the Accounting ASP”

set type overload set startip 10.23.56.20 set endip 10.23.56.20 set arp-reply enable set arp-intf wan1 end

One-to-one

7. For the External IP Range fields, enter the lowest and highest addresses in the range. If you only want a single address used, enter the same address in both fields.
8. Enable the ARP Reply field by making sure there is a check in the box.
9. Select OK

One-to-one example for GUI

In this example, the external IP address of the mail server is part of a range assigned to the company but not the one that is assigned to the Internet facing interface. A VIP has been set up but in order to properly resolve Reverse DNS lookups the mail server always has to use a specific IP address.The external interface is wan1.

One-to-one example for CLI

config firewall ippool edit Mail-Server set comments “So the the correct IP address is resolved on reverse DNS look ups of the mail server.”

set type one-to-one set startip 10.23.56.21 set endip 10.23.56.21 set arp-reply enable set arp-intf wan1 end

Fixed port range

7. For the External IP Range fields, enter the lowest and highest addresses in the range. If you only want a single address used, enter the same address in both fields.
8. Fort the Internal IP Range fields, enter the lowest and highest addresses in the range.
9. Enable the ARP Reply field by making sure there is a check in the box
10. Select OK

Fixed port range example for GUI

In this example, the company has a range of 10 IP address that they want to be used by employees on a specific subnet for NATing.The external interface is wan1.

Fixed port range example for CLI

config firewall ippool edit IPPool-3 set comments “So the the correct IP address is resolved on reverse DNS look ups of the mail server.”

set type fixed-port-range set startip 10.23.56.22 set endip 10.23.56.31 set source-startip 192.168.23.1 set source-endip 192.168.23.254 set arp-reply enable set arp-intf wan1 end

Port block allocation

7. For the External IP Range fields, enter the lowest and highest addresses in the range. If you only want a single address used, enter the same address in both fields.
8. In the Block Size field, either type in the value or use the up or down arrows to set the value of the block size.
9. In the Blocks Per User field, either type in the value or use the up or down arrows to set the value for the number of blocks per user.
10. Enable the ARP Reply field by making sure there is a check in the box
11. Select OK

Port block allocation timeout

The port block allocation timeout value is configurable. The setting is found in the CLI.

The option pba-timeout has been added to the firewall ip pool configuration. The availability of this option is dependent on the type option being set to port-block-allocation. The timeout value is measured in seconds and is an integer between 3 and 300, with the default being 30.

Syntax:

config firewall ippool

edit <name of PBA pool> set type port-block-allocation set pba-timeout <integer> end

Port block allocation example for GUI

In this example, an small ISP is setting up NATing for its clients, but to be fair it is putting some restrictions on the number of connections each client can have so that no one hogs all of the possible ports and addresses.The external interface is port12.

Port block allocation example for CLI

config firewall ippool edit Client-IPPool set comments “IP Pool for clients to access the Internet”

set type port-block-allocation set startip 10.23.75.5 set endip 10.23.75.200 set block-size 64 set num-blocks-per-user 8 set permit-any-host disable set arp-intf wan1 set arp-reply enableset arp-intf port12

end

Creating a IPv6 pool

1. Go to Policy & Objects > IP Pools.
2. Select Create New.
3. In the IP Pool Type field choose IPv6 Pool
4. Enter a name in the Name field for the new service
5. Include any description you would like in the Comments field
6. For the External IP Range fields, enter the lowest and highest addresses in the range.

IPv6 example for GUI

In this example, there is a similar situation to the One-to-one example earlier.There is a mail server that needs to be resolved to a specific IP address in Reverse DNS look-ups. The difference in this case is the company is an early adopter of IPv6 connectivity to the Internet.

Port block allocation example for CLI

config firewall ippool6 edit Mail-svr-ipv6 set comments “Registered IPv6 address for mail server”

set startip fd2f:50ec:cdea:663::102 set endip fd2f:50ec:cdea:663::1025 end

Creating NAT46 IP pool and multiple (secondary) NAT64 prefixes

Policies that translate between IPv4 and IPv6 can use IPv4 address pools or IPv6 prefixes to be used in the policies, giving more options to the configuration of addresses.

NAT46

For using the ippool in NAT46 policies, first enable the use of ippools and then set the names of the ippool(s).

config firewall policy46 edit 1 set uuid e9c6ca3e-72ea-51e7-554a-1185693d03eb

set srcintf “wan1” set dstintf “internal7” set srcaddr “external-net4” set dstaddr “internal-vip46” set action accept set schedule “always”

set service “ALL” set ippool enable set poolname “intit-pool6” end

NAT64

In order to use these options in the NAT64 firewall policies the new settingssecondary-prefix status and secondary-prefix options have to be configured as in the example below.

config system nat64 set nat64-prefix 2001::/96 set secondary-prefix enable config secondary-prefix edit 1 set nat64-prefix 2002::/94

next

edit 2 set nat64-prefix 2003::/95

end end

Services

While there are a number of services already configured within FortiOS, the firmware allows for administrators to configure there own. The reasons for doing this usually fall into one or more of the following categories:

• The service is not common enough to have a standard configuration l The service is not established enough to have a standard configuration l The service has a standard port number but there is a reason to use a different one:
• Port is already in use by another service l For security reasons, want to avoid standard port

When looking at the list of preconfigured services it may seem like there are a lot, but keep in mind that the theoretical limit for port numbers is 65,535. This gives a fairly good sized range when you are choosing what port to assign a service but there are a few points to keep in mind.

• Most of the well known ports are in the range 0 – 1023 l Most ports assigned by the Internet Corporation for Assigned Names and Numbers (ICANN) will be in the 1024 –

49151 range l Port numbers between 49,152 and 65,535 are often used for dynamic, private or ephemeral ports.

There are 3 Service objects that can be added and configured:

l Categories l Services l Service Groups

Categories

In order to make sorting through the services easier, there is a field to categorize the services. Because selecting a category is part of the process for creating a new service, the configuration of categories will be explained first.

The services can be sorted into the following groups:

• General l Web Access l File Access l Email l Network Services l Authentication l Remote Access l Tunneling l VoIP, Messaging and Other Applications l Web Proxy
• Uncategorized

The categories are for organization purposes so there is not many settings when creating a new one.

Creating a new service category

1. Go to Policy & Objects > Services.
2. Select Create New. A drop down menu is displayed. Select Category
3. Input a Name for the category.
4. Input any additional information in the Comments
5. Press OK.

Example

You plan on adding a number of devices such as web cameras that will allow the monitoring of the physical security of your datacenter. A number of non-standard services will have to be created and you would like to keep them grouped together under the heading of “Surveillance”

Example of a new category in the GUI

1. Go to Policy & Objects > Objects > Services and select Create New > Category. 2. Fill out the fields with the following information

3. Select OK.

Example of a New Category in the CLI

Enter the following CLI command:

config firewall service category edit Surveillance set comment “For DataCenter Surveillance Devices” end

To verify that the category was added correctly:

1. Go to Policy & Objects > Objects > Services. Select the Category Settings icon . A listing of the categories should be displayed.
2. Enter the following CLI command:

config firewall service category show

This should bring up all of the categories. Check to see that the new one is displayed.

Configuring a new service

Occasionally, the preconfigured list of services will not contain the needed service. There are a few variations in the creation of a service depending upon the protocol type, but the first steps in the creation of the service are common to all the variations.

To create a new service:

1. Go to Policy & Objects > Services.
2. Select Create New. A drop down menu is displayed. Select Service
3. Enter a name in the Name field for the new service
4. Include any description you would like in the Comments field
5. In the Service Type field choose between Firewall and Explicit Proxy.
6. Enable the toggle in the Show in Service List. If you can’t see the service when you need to select it, it serves very little purpose.
7. For the Category field, choose the appropriate category from the Category drop down menu. If none is chosen, the Uncategorized option will be chosen by default.

Protocol options

This is the section where the configuration options of the service will differ depending on the type of protocol chosen. (The Step numbers will all continue on from the common step sequence).

The protocol options for Firewall service type are: l TCP/UDP/SCTP l ICMP l ICMP6 l IP

The protocol options for Proxy service type are: l ALL l CONNECT

l FTP l HTTP l SOCKS-TCP l SOCKS-UDP

TCP/UDP/SCTP

8. For the Protocol Type field, choose TCP/UDP/SCTP from the drop down menu
9. For the Address field, choose IP Range or FQDN (Fully Qualified Domain Name) if there is to be a specific destination for the service. Depending on which type of address is selected, the field value needs to be filled with a FQDN string or an IP address in one of the 3 standard IPv4 address formats: l x.x.x – for a specific address l x.x.x.x/x – for a subnet l x.x.x.x-x.x.x.x – for a range of specific addresses
10. Configure the Destination Port by:
    • Select from the drop down menu, TCP, UDP or SCTP l Enter the low end to the port range in the field indicated by grayed out Low.
    • Enter the high end of the port range in the field indicated by grayed out High. If there is only a single port in the

range High can be left empty

• Multiple ports or port ranges can be added by using the “+” at the beginning of the row l Rows can be removed by using the trash can symbol at the end of the row

11. If required, you can Specify Source Ports for the service by enabling the toggle switch.
    • The Src Port will match up with a Destination Port
    • Src Ports cannot be configured without there being a value for the Destination Port l The same rules for configuring the Destination Ports applies to the Src Ports
12. Select OK to confirm the configuration

Example

Example settings for a TCP protocol service. In this case, it is for an administrative connection to web servers on the DMZ. The protocol used is HTTPS which would normally use port 443, but that is already in use by another service such as Admin access to the firewall or an SSL-VPN connection.

Creating a new TCP/UDP/SCTP service in the CLI

The following is the creation of the same service using the command line.

config firewall service custom edit Example.com_WebAdmin set comment “Admin connection to Example.com Website” set category Web Access set protocol TCP/UDP/SCTP set tcp-portrange 4300

end

end

ICMP / ICMP6

8. For the Protocol Type field, choose ICMP or ICMP6 from the drop down menu
9. In the Type field enter the appropriate type number based on the information found in “ICMP Types and Codes” on page 1 or in “ICMPv6 Types and Codes” on page 1, depending on whether the Protocol Type is ICMP or ICMPv6
10. In the Code field enter the appropriate code number for the type, if applicable, based on the information found in

“ICMP Types and Codes” on page 1 or in “ICMPv6 Types and Codes” on page 1, depending on whether the Protocol Type is ICMP or ICMPv6

11. Select OK to confirm the configuration

Example

Example settings for an ICMP.service.In this case it has been set up for some special testing of ICMP packets.

Creating a new ICMP service in the CLI

The following is the creation of the same service using the command line.

config firewall service custom edit ICMP test4 set comment “For testing of proprietary network scanner” set category Network Services set protocol ICMP set icmptype 7

end

end

IP

8. For the Protocol Type field, choose IP from the drop down menu
9. In the Protocol Number field enter the numeric value based on the information found in “Protocol Number” on page 1
10. Select OK to confirm the configuration

Example

Example settings for an IP.service.In this case it has been set up to communicate via an old protocol called QNX

Creating a new ICMP service in the CLI

The following is the creation of the same service using the command line.

config firewall service custom edit ICMP test4 set comment “For QNX communications to the Development Lab ” set protocol IP set icmptype 106

end

end

In the CLI examples, the fields for Show in Service List, Service Type and in the example for IP, Category were net set because the values that they would have been set to were the default values and were already correctly set.

ALL/CONNECT/FTP/HTTP/SOCKS-TCP/SOCKS-UDP

These options are available only if the Service Type is set to Explicit Proxy.

8. For the Protocol Type field, choose one of the following from the drop down menu: l ALL l CONNECT l FTP l HTTP l SOCKS-TCP l SOCKS-UDP
9. For the Address field, choose IP Range or FQDN (Fully Qualified Domain Name) if there is to be a specific destination for the service. Depending on which type of address is selected, the field value needs to be filled with a FQDN string or an IP address in one of the 3 standard IPv4 address formats: l x.x.x – for a specific address l x.x.x.x/x – for a subnet l x.x.x.x-x.x.x.x – for a range of specific addresses
10. Configure the Destination Port by:
    • Enter the low end to the TCP port range in the field indicated by grayed out Low.
    • Enter the high end of the TCP port range in the field indicated by grayed out High. If there is only a single port

in the range High can be left empty

• Multiple ports or port ranges can be added by using the “+” at the beginning of the row l Rows can be removed by using the trash can symbol at the end of the row

11. If required, you can Specify Source Ports for the service by enabling the toggle switch.
    • The Src Port will match up with a Destination Port
    • Src Ports cannot be configured without there being a value for the Destination Port l The same rules for configuring the Destination Ports applies to the Src Ports
12. Select OK to confirm the configuration

Specific addresses in TCP/UDP/SCTP

In the TCP/UDP/SCTP services it is also possible to set the parameter for a specific IP or Fully Qualified Domain Name address. The IP/FQDN field refers to the destination address of the traffic, not the source. This means for example, that you can set up a custom service that will describe in a policy the TCP traffic over port 80 going to the web site example.com, but you cannot set up a service that describes the TCP traffic over port 80 that is coming from the computer with the address 192.168.29.59.

Service groups

Just like some of the other firewall components, services can also be bundled into groups for ease of administration.

Creating a service group

1. Go to Policy & Objects > Services.
2. Select Create New. A drop down menu is displayed. Select Service Group Input a Group Name to describe the services being grouped
3. Input any additional information in the Comments
4. Choose a Type of group.The options are Firewall or Explicit Proxy.
5. Add to the list of Members from the drop down menu. Using the + sign beside the field will allow the addition of multiple services.
6. Press OK.

Example

Example of a New Service Group: