Technical Note : FortiOS Protecting data for multiple subnets when IPSec Tunnel Fails
Description
This article explains how to protect multiple internal subnets from sending unencrypted data across the network when an IPSec tunnel fails.
Scope
FortiOS v3.0 All patches, FortiOS v4.0, FortiOS v4.0 MR1, FortiOS v4.0 MR2, FortiOS v4.0 MR3
Solution
When an IPSec interface goes down there is a risk that traffic which should have been encrypted leaves the protected network in the clear, because sessions can fall through to an ordinary route out of an external interface.
In FortiOS v3.0 and v4.0 GA (all patches), deny firewall policies can be created to prevent unencrypted traffic from leaving the FortiGate on an external interface.
When there are multiple remote networks, the issue can be prevented at the session level with the following steps.
1. Create a firewall address for each remote network.
2. Create a firewall address group that gathers all these remote networks.
3. Create a deny firewall policy. This policy prevents internal traffic from leaving the FortiGate in the clear when that traffic should have been carried by the IPSec tunnel:
srcint=internal dstint=external srcaddr=all dstaddr="TheGroup" service=any action=deny
"TheGroup" refers to the firewall address group created in step 2.
4. Place this policy at the top of the (internal->external) policy list if there are no encrypt policies, or directly below the last encrypt policy if such policies exist, so that tunnel traffic still matches the encrypt policy first and only the fallback to clear text is denied.
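The four steps above expressed as FortiOS v4.0 CLI (an added example, not configuration from the article). The interface names internal and external and the group name "TheGroup" come from the article; the two remote subnets and the policy IDs in the move command are constructed placeholders, and the service name "ANY" assumes the v4.0 default service object.

```fortios
# Step 1: one firewall address per remote (tunnel) network.
# 10.10.1.0/24 and 10.10.2.0/24 are constructed sample subnets.
config firewall address
    edit "RemoteNet_A"
        set subnet 10.10.1.0 255.255.255.0
    next
    edit "RemoteNet_B"
        set subnet 10.10.2.0 255.255.255.0
    next
end

# Step 2: gather all remote networks in one address group.
config firewall addrgrp
    edit "TheGroup"
        set member "RemoteNet_A" "RemoteNet_B"
    next
end

# Step 3: deny policy internal -> external for anything destined to the
# remote networks. "edit 0" lets the FortiGate assign the next free ID.
# Logging the denies gives a signal that a tunnel has dropped.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "external"
        set srcaddr "all"
        set dstaddr "TheGroup"
        set schedule "always"
        set service "ANY"
        set action deny
        set logtraffic enable
    next
end

# Step 4: order the policy. Read the assigned ID with "show firewall policy",
# then place it directly after the last encrypt policy (IDs below are
# placeholders: 7 is the new deny policy, 3 the last encrypt policy).
config firewall policy
    move 7 after 3
end
```

If there are no encrypt policies, use "move 7 before <first-policy-id>" instead so the deny policy sits at the top of the internal->external list.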