Behzadawesome
New Member
June 30, 2020
Question

Fortigate zone based firewall

Hi all,

I am trying to test the firewalling feature of Fortigate.

My question/problem is as follows:

I have 3 zones named INSIDE, OUTSIDE_A and OUTSIDE_B, and they have different interfaces assigned to them.

I was trying to simulate asymmetric routing, which I would expect to be denied by most firewalls by default. However, when I tried to "send the traffic" from INSIDE to OUTSIDE_A, with the return packet going from OUTSIDE_B to INSIDE, the traffic was allowed.

I have only one permit policy, which allows all traffic from the INSIDE zone to go out to the OUTSIDE_A zone, and there is NO other policy defined in the policies.

The testing protocol is ICMP ping.

 

Any help would be appreciated, as it is a fundamental problem which I have.

 

Regards

 Behzad

    emnoc
    New Member
    June 30, 2020

    1st; Policy does not control traffic. What do you have in your route table, and mainly for the source of the datagrams that are returned?

     

    Also you might want to run a "diag debug flow" to get a trace on the traffic and see what is shown. You can search here to see examples of how to set the filter and execution for that command.

     

    Ken Felix

     

    Behzadawesome
    New Member
    June 30, 2020

    Hi emnoc

    first off, thanks for your reply.

    What do you mean, the Policy does not control the traffic? Do you mean that the IPv4 policy under the security section does not control the traffic?

     

     

    emnoc
    New Member
    June 30, 2020

    Let me correct that. "It does not control routing the traffic". The routes are looked at 1st to determine what policy to match, if any. In your case a "diag debug flow" and its output would be helpful. The 1st few lines after the start of the trace will have "gw" or "next-hop" in it (can't recall which) and then the matched-policy.

     

    Can you share that? Sanitize if you have sensitive IP addresses.

     

    Ken Felix

    sw2090
    SuperUser
    July 2, 2020

    Sounds familiar to me.

    If you have a policy that allows subnet A to access subnet B and you ping a host in subnet B from a host in subnet A, then you will get a ping reply even though you don't have a reverse policy.

    I think this is wanted behaviour. You should be denied if you try to ping a host in subnet A from a host in subnet B, for there is no policy that allows that.

     

    Behzadawesome
    New Member
    July 3, 2020

    Hi all,

    Here is the topology that I have implemented:

    https://imgur.com/UwtGevB

    Traffic is initiated from PC_A toward PC_B.

    The sent traffic goes INSIDE to OUTSIDE_A, then R1 to PC_B.

    The return traffic goes PC_B to R2, then R2 to OUTSIDE_B, and OUTSIDE_B to PC_A.

    Only one IPv4 firewall policy is configured, allowing all traffic from the INSIDE zone toward OUTSIDE_A.

    There are no other rules in the IPv4 firewall policies.

    From a routing point of view, the PC_B IP address is configured on the Fortigate to route through the OUTSIDE_A zone.

    I will post the debug output when I have access to the device.

     

    With regards

     Behzad
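Added by the editor, not from any participant in the thread: the FortiOS CLI sequence for the "diag debug flow" trace emnoc asked for, set up for the ICMP test between PC_A and PC_B in the topology above, together with the route lookup that decides which interface PC_B's reply is expected on. The addresses 192.0.2.10 (PC_A) and 198.51.100.20 (PC_B) are constructed placeholders, and the asymroute setting is FortiOS's per-VDOM control for exactly this situation, not something the thread mentions.

```fortios
# Constructed placeholders: PC_A = 192.0.2.10 (INSIDE), PC_B = 198.51.100.20 (behind R1/R2)

# 1. Which interface does the FortiGate expect PC_B's packets to arrive on?
#    The reply from PC_B is checked against this route (reverse path check),
#    not against the INSIDE -> OUTSIDE_A policy, which only matters for the
#    first packet of the session.
get router info routing-table details 198.51.100.20

# 2. Per-VDOM switch that decides whether a packet arriving on an interface
#    other than the one the route points to (OUTSIDE_B instead of OUTSIDE_A)
#    is dropped ("disable", the default) or accepted ("enable").
show full-configuration system settings | grep asymroute

# 3. Trace only the ICMP test. Filtering on PC_B's address catches both the
#    echo request (destination) and the echo reply (source).
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter proto 1
diagnose debug flow filter addr 198.51.100.20
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 20
diagnose debug enable
#    ... now ping 198.51.100.20 from PC_A ...
#    For the request, read the "find a route" line (gateway and egress
#    interface) followed by the matched policy id; for the reply, a packet
#    rejected by the reverse path check is reported as "reverse path check fail".
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear

# 4. Confirm what the session table recorded for the test (in/out interfaces).
diagnose sys session filter clear
diagnose sys session filter proto 1
diagnose sys session filter src 192.0.2.10
diagnose sys session list
```

If step 1 already shows a route to PC_B via OUTSIDE_B (for example an equal-cost path), the reply is not asymmetric from the FortiGate's point of view and the reverse path check passes regardless of the policy table.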