Description | This article describes how a FortiGate processes traffic when a local-in policy and a VIP are configured on the same interface: traffic that matches the VIP is DNATed before routing and evaluated by the firewall (forwarding) policy, so it is not subject to the local-in policy, while traffic destined to the interface itself is evaluated by the local-in policy. |
Scope | FortiGate |
Solution |
config system interface
edit "port3"
set vdom "root"
set ip 10.245.15.139 255.255.240.0
set allowaccess ping https ssh http telnet
set type physical
set snmp-index 3
next
end
config firewall local-in-policy
edit 1
set intf port3
set srcaddr all
set dstaddr all
set action deny
set service ALL
set schedule always
next
end
config firewall vip
edit "https-VIP"
set uuid 2ec692d4-0b67-51ee-a454-7c2bce837a12
set extip 10.245.15.139
set mappedip "10.5.50.90"
set extintf "port3"
set portforward enable
set extport 443
set mappedport 443
next
end
config firewall policy
edit 5
set name "VIP-policy"
set uuid 4cd236f2-0b67-51ee-0bba-b20d74c84179
set srcintf "port3"
set dstintf "port2"
set action accept
set srcaddr "all"
set dstaddr "https-VIP"
set schedule "always"
set service "ALL"
set nat enable
next
end
Explanation:
With the above VIP, firewall policy and local-in policy, HTTPS traffic arriving on port3 for 10.245.15.139:443 is allowed by firewall policy 5, while every other service addressed to the port3 interface (including ping, SSH and HTTP, even though they are listed under allowaccess) is blocked by local-in policy 1.
The reason is the order of processing. The VIP DNAT is applied at pre-routing (fw_pre_route_handler), so the destination of a matching packet becomes the mapped IP 10.5.50.90, the route lookup resolves to port2, and the packet is handled as forwarded traffic that is evaluated only against the firewall policy. A packet that does not match any VIP keeps the interface IP as its destination, the route lookup resolves "via root" (the FortiGate itself), and the packet goes to the local-in stage where the deny policy drops it. Local-in policies are never consulted for VIP-forwarded traffic.
Note that because the VIP uses the port3 address and external port 443, HTTPS administrative access to port3 on TCP 443 is also taken over by the VIP; management over HTTPS on this interface requires a different admin port or another interface.
Flow debug for ping blocked by the local-in deny policy:
FGT-02 # id=20085 trace_id=9 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=1, 10.245.10.81:1->10.245.15.139:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=1, seq=10."
id=20085 trace_id=9 func=init_ip_session_common line=6023 msg="allocate a new session-0036c21a, tun_id=0.0.0.0"
id=20085 trace_id=9 func=vf_ip_route_input_common line=2605 msg="find a route: flag=84000000 gw-10.245.15.139 via root"
id=20085 trace_id=9 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 1, drop"
Flow debug for HTTPS allowed through the VIP and firewall policy:
FGT-02 # id=20085 trace_id=33 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=6, 10.245.10.81:50523->10.245.15.139:443) tun_id=0.0.0.0 from port3. flag [S], seq 1746916338, ack 0, win 64240"
id=20085 trace_id=33 func=init_ip_session_common line=6023 msg="allocate a new session-0036caf8, tun_id=0.0.0.0"
id=20085 trace_id=33 func=get_new_addr line=1221 msg="find DNAT: IP-10.5.50.90, port-443"
id=20085 trace_id=33 func=fw_pre_route_handler line=178 msg="VIP-10.5.50.90:443, outdev-port3"
id=20085 trace_id=33 func=__ip_session_run_tuple line=3483 msg="DNAT 10.245.15.139:443->10.5.50.90:443"
id=20085 trace_id=33 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.5.50.90 via port2"
id=20085 trace_id=33 func=get_new_addr line=1221 msg="find SNAT: IP-10.5.63.139(from IPPOOL), port-50523"
id=20085 trace_id=33 func=fw_forward_handler line=881 msg="Allowed by Policy-5: SNAT"
id=20085 trace_id=33 func=__ip_session_run_tuple line=3470 msg="SNAT 10.245.10.81->10.5.63.139:50523"
Session output for HTTPS traffic through the VIP:
session info: proto=6 proto_state=01 duration=3 expire=3597 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=5
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty
statistic(bytes/packets/allow_err): org=5978/75/1 reply=560275/412/1 tuples=4
tx speed(Bps/kbps): 1763/14 rx speed(Bps/kbps): 165272/1322
orgin->sink: org pre->post, reply pre->post dev=9->6/6->9 gwy=10.5.50.90/10.245.10.81
hook=pre dir=org act=dnat 10.245.10.81:50553->10.245.15.139:443(10.5.50.90:443)
hook=post dir=org act=snat 10.245.10.81:50553->10.5.50.90:443(10.5.63.139:50553)
hook=pre dir=reply act=dnat 10.5.50.90:443->10.5.63.139:50553(10.245.10.81:50553)
hook=post dir=reply act=snat 10.5.50.90:443->10.245.10.81:50553(10.245.15.139:443)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=5 pol_uuid_idx=14768 auth_info=0 chk_client_info=0 vd=0
serial=0036db91 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
no_ofld_reason: npu-flag-off
total session 1
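Traces like the two above are captured with diagnose debug flow filter addr 10.245.15.139, diagnose debug flow trace start 10 and diagnose debug enable. The script below is an added example, not part of this article and not Fortinet tooling: it parses diagnose debug flow output, groups the lines by trace_id, and reports for each packet whether it was routed "via root" and dropped at the local-in stage or DNATed by a VIP and accepted by a forwarding policy. The sample lines are constructed from the output shown on this page; the regular expressions are keyed to the message formats visible here and may need adjusting for other FortiOS builds.

```python
"""Classify FortiGate `diagnose debug flow` traces as local-in drops or
forwarding-policy verdicts.  Added example, not Fortinet's own tooling."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: the two traces from this article (ping dropped by the
# local-in policy, HTTPS DNATed by the VIP and allowed by policy 5).
SAMPLE_TRACE = """\
FGT-02 # id=20085 trace_id=9 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=1, 10.245.10.81:1->10.245.15.139:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=1, seq=10."
id=20085 trace_id=9 func=init_ip_session_common line=6023 msg="allocate a new session-0036c21a, tun_id=0.0.0.0"
id=20085 trace_id=9 func=vf_ip_route_input_common line=2605 msg="find a route: flag=84000000 gw-10.245.15.139 via root"
id=20085 trace_id=9 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 1, drop"
FGT-02 # id=20085 trace_id=33 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=6, 10.245.10.81:50523->10.245.15.139:443) tun_id=0.0.0.0 from port3. flag [S], seq 1746916338, ack 0, win 64240"
id=20085 trace_id=33 func=init_ip_session_common line=6023 msg="allocate a new session-0036caf8, tun_id=0.0.0.0"
id=20085 trace_id=33 func=get_new_addr line=1221 msg="find DNAT: IP-10.5.50.90, port-443"
id=20085 trace_id=33 func=fw_pre_route_handler line=178 msg="VIP-10.5.50.90:443, outdev-port3"
id=20085 trace_id=33 func=__ip_session_run_tuple line=3483 msg="DNAT 10.245.15.139:443->10.5.50.90:443"
id=20085 trace_id=33 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.5.50.90 via port2"
id=20085 trace_id=33 func=get_new_addr line=1221 msg="find SNAT: IP-10.5.63.139(from IPPOOL), port-50523"
id=20085 trace_id=33 func=fw_forward_handler line=881 msg="Allowed by Policy-5: SNAT"
id=20085 trace_id=33 func=__ip_session_run_tuple line=3470 msg="SNAT 10.245.10.81->10.5.63.139:50523"
"""

# Message formats as they appear in the traces on this page.
LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"\s*$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) '
                    r'tun_id=\S+ from (\S+)\.')
ROUTE_RE = re.compile(r'find a route: flag=\S+ gw-(\S+) via (\S+)')
LOCALIN_DROP_RE = re.compile(r'iprope_in_check\(\) check failed on policy (\d+), drop')
FORWARD_ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
DNAT_RE = re.compile(r'^DNAT (\S+)->(\S+)$')


@dataclass
class Trace:
    trace_id: int
    proto: Optional[int] = None
    src: str = ""
    dst: str = ""
    ingress: str = ""
    route_via: str = ""          # "root" = delivered to the FortiGate itself, else egress interface
    dnat_to: Optional[str] = None
    stage: str = "unknown"       # "local-in" or "forward"
    verdict: str = "unknown"     # "drop" or "allow"
    policy: Optional[int] = None


def parse_flow(text: str) -> Dict[int, Trace]:
    """Group debug-flow lines by trace_id and extract the verdict of each packet."""
    traces: Dict[int, Trace] = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)          # search() tolerates the "FGT-02 # " prompt prefix
        if not m:
            continue
        tid, func, msg = int(m.group(1)), m.group(2), m.group(3)
        t = traces.setdefault(tid, Trace(trace_id=tid))
        if func == "print_pkt_detail":
            p = PKT_RE.search(msg)
            if p:
                t.proto = int(p.group(1))
                t.src = f"{p.group(2)}:{p.group(3)}"
                t.dst = f"{p.group(4)}:{p.group(5)}"
                t.ingress = p.group(6)
        elif func == "vf_ip_route_input_common":
            r = ROUTE_RE.search(msg)
            if r:
                t.route_via = r.group(2)
        elif func == "__ip_session_run_tuple":
            d = DNAT_RE.match(msg)       # SNAT lines share this func but do not match
            if d:
                t.dnat_to = d.group(2)
        elif func == "fw_local_in_handler":
            l = LOCALIN_DROP_RE.search(msg)
            if l:
                t.stage, t.verdict, t.policy = "local-in", "drop", int(l.group(1))
        elif func == "fw_forward_handler":
            f = FORWARD_ALLOW_RE.search(msg)
            if f:
                t.stage, t.verdict, t.policy = "forward", "allow", int(f.group(1))
    return traces


def summarize(t: Trace) -> str:
    """One-line verdict: which stage decided the packet's fate and why."""
    nat = f" DNAT->{t.dnat_to}" if t.dnat_to else ""
    return (f"trace {t.trace_id}: proto {t.proto} {t.src}->{t.dst} in {t.ingress}{nat} "
            f"route via {t.route_via}: {t.verdict} by {t.stage} policy {t.policy}")


if __name__ == "__main__":
    for trace in parse_flow(SAMPLE_TRACE).values():
        print(summarize(trace))
```

The key field is route_via: "root" means the packet is for the FortiGate itself and will reach the local-in stage, while a VIP-matched packet already carries the mapped destination at the route lookup and is decided by a forwarding policy instead.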
Copyright 2024 Fortinet, Inc. All Rights Reserved.