FortiGate
HatiUjja
Staff
Article Id 261055
Description: This article describes the behavior of a FortiGate firewall when a local-in policy is configured on an interface that also has a VIP (virtual IP) configured.
Scope: FortiGate.
Solution:
  • The firewall performs destination NAT (the VIP lookup) and security policy evaluation on incoming traffic before the packet is handed to the local management module, so the local-in policy is checked only after DNAT and security policy evaluation are done. As a result, traffic to services for which no port forward is configured on the VIP is allowed or blocked by the local-in policy.

  • If the VIP is configured without port forwarding, the local-in policy is never evaluated, because all traffic to the external IP is forwarded to the mapped IP address according to the firewall security policy.

  • Below is a sample configuration that allows only HTTPS traffic to the VIP-mapped IP and blocks all other services on interface port3 via the local-in policy.

config system interface
    edit "port3"
        set vdom "root"
        set ip 10.245.15.139 255.255.240.0
        set allowaccess ping https ssh http telnet
        set type physical
        set snmp-index 3
    next
end
 
config firewall local-in-policy
    edit 1
        set intf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end
 
config firewall vip
    edit "https-VIP"
        set uuid 2ec692d4-0b67-51ee-a454-7c2bce837a12
        set extip 10.245.15.139
        set mappedip "10.5.50.90"
        set extintf "port3"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end
 
config firewall policy
    edit 5
        set name "VIP-policy"
        set uuid 4cd236f2-0b67-51ee-0bba-b20d74c84179
        set srcintf "port3"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "https-VIP"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
 
Explanation:
With the above VIP, security policy and local-in policy configuration, HTTPS traffic to the port3 interface IP on port 443 is allowed through the security policy (after DNAT to the mapped IP), and all other services are blocked by the firewall local-in policy.
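To make the evaluation order above concrete, the following is a simplified model written for this article (not FortiOS code): a VIP lookup runs first, a matching VIP sends the packet to the forward security policy, and only a packet that matches no VIP reaches the local-in policy. The VIP, policy and local-in tables are constructed here to mirror the sample configuration; the class and function names are this example's own.

```python
"""Simplified model of the processing order described in the article: VIP (DNAT)
lookup and forward security policy evaluation happen before the local-in policy
is consulted. Added illustration, not FortiOS code; the tables below are
constructed to mirror the article's sample configuration."""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass
class Vip:
    name: str
    extintf: str
    extip: str
    mappedip: str
    portforward: bool = False
    protocol: str = "tcp"
    extport: Optional[int] = None
    mappedport: Optional[int] = None

    def matches(self, intf: str, dst_ip: str, proto: str, dport: Optional[int]) -> bool:
        if intf != self.extintf or dst_ip != self.extip:
            return False
        if not self.portforward:
            return True  # whole-IP mapping: every protocol and port is DNATed
        return proto == self.protocol and dport == self.extport


@dataclass
class ForwardPolicy:
    id: int
    srcintf: str
    dstintf: str
    dstaddr: str   # VIP object name, as in "set dstaddr https-VIP"
    action: str    # "accept" or "deny"


@dataclass
class LocalInPolicy:
    intf: str
    action: str    # "accept" or "deny"; the article's policy denies service ALL


@dataclass
class Packet:
    intf: str
    src_ip: str
    dst_ip: str
    proto: str     # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


def disposition(pkt: Packet, vips: List[Vip], policies: List[ForwardPolicy],
                local_in: List[LocalInPolicy]) -> str:
    """Return a one-line verdict for a packet addressed to the firewall interface IP."""
    # Step 1: pre-route DNAT lookup (fw_pre_route_handler / "find DNAT" in the flow debug)
    for vip in vips:
        if vip.matches(pkt.intf, pkt.dst_ip, pkt.proto, pkt.dport):
            target = vip.mappedip
            port = vip.mappedport if vip.portforward else pkt.dport
            if port is not None:
                target += f":{port}"
            # Step 2: forward policy lookup on the DNATed destination (fw_forward_handler)
            for pol in policies:
                if pol.srcintf == pkt.intf and pol.dstaddr == vip.name:
                    return f"{pol.action} by policy {pol.id}: DNAT to {target}"
            return "deny: no forward policy matches the VIP (implicit deny)"
    # Step 3: no VIP matched, so the packet is for the firewall itself -> local-in policy
    for lip in local_in:
        if lip.intf == pkt.intf:
            return f"{lip.action} by local-in policy"
    return "no local-in policy matched: interface allowaccess decides"


# Tables mirroring the article's configuration (constructed for this example)
VIPS = [Vip("https-VIP", "port3", "10.245.15.139", "10.5.50.90",
            portforward=True, protocol="tcp", extport=443, mappedport=443)]
POLICIES = [ForwardPolicy(5, "port3", "port2", "https-VIP", "accept")]
LOCAL_IN = [LocalInPolicy("port3", "deny")]

# The same VIP with port forwarding disabled, to show the second bullet of the article
VIPS_NO_PORTFORWARD = [replace(VIPS[0], portforward=False, extport=None, mappedport=None)]

if __name__ == "__main__":
    src = "10.245.10.81"
    https = Packet("port3", src, "10.245.15.139", "tcp", 443)
    ssh = Packet("port3", src, "10.245.15.139", "tcp", 22)
    ping = Packet("port3", src, "10.245.15.139", "icmp")
    for p in (https, ssh, ping):
        print(p.proto, p.dport, "->", disposition(p, VIPS, POLICIES, LOCAL_IN))
    print("ping, VIP without port forward ->",
          disposition(ping, VIPS_NO_PORTFORWARD, POLICIES, LOCAL_IN))
```

With the port-forwarded VIP, only TCP/443 is DNATed and accepted by policy 5; SSH and ping fall through to the local-in deny. With VIPS_NO_PORTFORWARD the same ping matches the VIP and is forwarded by policy 5 instead, so the local-in policy is never consulted, which is exactly why a deny-all local-in policy on the interface does not protect a whole-IP VIP.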
 
Flow debug for ping blocked by the local-in deny policy:
 
FGT-02 # id=20085 trace_id=9 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=1, 10.245.10.81:1->10.245.15.139:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=1, seq=10."
id=20085 trace_id=9 func=init_ip_session_common line=6023 msg="allocate a new session-0036c21a, tun_id=0.0.0.0"
id=20085 trace_id=9 func=vf_ip_route_input_common line=2605 msg="find a route: flag=84000000 gw-10.245.15.139 via root"
id=20085 trace_id=9 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 1, drop"
 
Flow debug for HTTPS allowed through the VIP and security policy:
 
FGT-02 # id=20085 trace_id=33 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=6, 10.245.10.81:50523->10.245.15.139:443) tun_id=0.0.0.0 from port3. flag [S], seq 1746916338, ack 0, win 64240"
id=20085 trace_id=33 func=init_ip_session_common line=6023 msg="allocate a new session-0036caf8, tun_id=0.0.0.0"
id=20085 trace_id=33 func=get_new_addr line=1221 msg="find DNAT: IP-10.5.50.90, port-443"
id=20085 trace_id=33 func=fw_pre_route_handler line=178 msg="VIP-10.5.50.90:443, outdev-port3"
id=20085 trace_id=33 func=__ip_session_run_tuple line=3483 msg="DNAT 10.245.15.139:443->10.5.50.90:443"
id=20085 trace_id=33 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.5.50.90 via port2"
id=20085 trace_id=33 func=get_new_addr line=1221 msg="find SNAT: IP-10.5.63.139(from IPPOOL), port-50523"
id=20085 trace_id=33 func=fw_forward_handler line=881 msg="Allowed by Policy-5: SNAT"
id=20085 trace_id=33 func=__ip_session_run_tuple line=3470 msg="SNAT 10.245.10.81->10.5.63.139:50523"
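When reading the two traces above, the lines that decide the outcome are the handler that produced the verdict (fw_local_in_handler versus fw_forward_handler) and the DNAT/SNAT actually applied to the session tuple. The parser below, added here as an example and not a Fortinet tool, groups "diagnose debug flow" lines by trace_id and pulls those fields out; FLOW_DEBUG reproduces the two traces printed in this article as its sample input. The regular expressions and the TraceSummary fields are this example's own.

```python
"""Summarise FortiGate 'diagnose debug flow' output: group lines by trace_id and
extract the packet, any DNAT/SNAT applied, and the final verdict. Added example,
not a Fortinet tool; FLOW_DEBUG is the output shown in the article, used as sample input."""
import re
from dataclasses import dataclass

LINE_RE = re.compile(r'trace_id=(?P<trace>\d+) func=(?P<func>\w+) line=\d+ msg="(?P<msg>.*)"')
PKT_RE = re.compile(r"received a packet\((?P<pkt>[^)]*)\)")
LOCAL_IN_RE = re.compile(r"policy (?P<id>\d+), (?P<act>\w+)")
FORWARD_RE = re.compile(r"Allowed by Policy-(?P<id>\d+)")


@dataclass
class TraceSummary:
    trace_id: int
    packet: str = ""
    dnat: str = ""
    snat: str = ""
    verdict: str = "no verdict in trace"


def parse_flow_debug(text: str) -> dict:
    """Return {trace_id: TraceSummary} for every trace found in the text."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)  # search, not match: the first line carries a CLI prompt prefix
        if not m:
            continue
        tid, func, msg = int(m["trace"]), m["func"], m["msg"]
        t = traces.setdefault(tid, TraceSummary(tid))
        if func == "print_pkt_detail":
            pm = PKT_RE.search(msg)
            t.packet = pm["pkt"] if pm else msg
        elif func == "__ip_session_run_tuple":
            # NAT actually applied to the session tuple ("find DNAT/SNAT" lines are only lookups)
            if msg.startswith("DNAT"):
                t.dnat = msg
            elif msg.startswith("SNAT"):
                t.snat = msg
        elif func == "fw_local_in_handler":
            lm = LOCAL_IN_RE.search(msg)
            t.verdict = f"local-in policy {lm['id']}: {lm['act']}" if lm else msg
        elif func == "fw_forward_handler":
            fm = FORWARD_RE.search(msg)
            t.verdict = f"forward policy {fm['id']}: accept" if fm else msg
    return traces


def dropped_by_local_in(traces: dict) -> list:
    """Trace ids whose verdict was a drop from the local-in handler."""
    return sorted(tid for tid, t in traces.items()
                  if t.verdict.startswith("local-in") and t.verdict.endswith("drop"))


# Sample input: the two traces printed in the article
FLOW_DEBUG = """\
FGT-02 # id=20085 trace_id=9 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=1, 10.245.10.81:1->10.245.15.139:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=1, seq=10."
id=20085 trace_id=9 func=init_ip_session_common line=6023 msg="allocate a new session-0036c21a, tun_id=0.0.0.0"
id=20085 trace_id=9 func=vf_ip_route_input_common line=2605 msg="find a route: flag=84000000 gw-10.245.15.139 via root"
id=20085 trace_id=9 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 1, drop"
id=20085 trace_id=33 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=6, 10.245.10.81:50523->10.245.15.139:443) tun_id=0.0.0.0 from port3. flag [S], seq 1746916338, ack 0, win 64240"
id=20085 trace_id=33 func=init_ip_session_common line=6023 msg="allocate a new session-0036caf8, tun_id=0.0.0.0"
id=20085 trace_id=33 func=get_new_addr line=1221 msg="find DNAT: IP-10.5.50.90, port-443"
id=20085 trace_id=33 func=fw_pre_route_handler line=178 msg="VIP-10.5.50.90:443, outdev-port3"
id=20085 trace_id=33 func=__ip_session_run_tuple line=3483 msg="DNAT 10.245.15.139:443->10.5.50.90:443"
id=20085 trace_id=33 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.5.50.90 via port2"
id=20085 trace_id=33 func=get_new_addr line=1221 msg="find SNAT: IP-10.5.63.139(from IPPOOL), port-50523"
id=20085 trace_id=33 func=fw_forward_handler line=881 msg="Allowed by Policy-5: SNAT"
id=20085 trace_id=33 func=__ip_session_run_tuple line=3470 msg="SNAT 10.245.10.81->10.5.63.139:50523"
"""

if __name__ == "__main__":
    for tid, t in sorted(parse_flow_debug(FLOW_DEBUG).items()):
        print(f"trace {tid}: {t.packet}")
        print(f"  dnat={t.dnat or '-'} snat={t.snat or '-'}")
        print(f"  verdict: {t.verdict}")
```

Feed it a longer capture (for example a trace filtered with "diagnose debug flow filter") and the summary shows at a glance which sessions were DNATed by a VIP and accepted by a forward policy, and which reached the local-in handler; a session that should have been served by a VIP but shows up in dropped_by_local_in() usually means the VIP's port forward or protocol does not match the traffic.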
 
 
Session output for HTTPS traffic through the VIP:
 
session info: proto=6 proto_state=01 duration=3 expire=3597 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=5
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty 
statistic(bytes/packets/allow_err): org=5978/75/1 reply=560275/412/1 tuples=4
tx speed(Bps/kbps): 1763/14 rx speed(Bps/kbps): 165272/1322
orgin->sink: org pre->post, reply pre->post dev=9->6/6->9 gwy=10.5.50.90/10.245.10.81
hook=pre dir=org act=dnat 10.245.10.81:50553->10.245.15.139:443(10.5.50.90:443)
hook=post dir=org act=snat 10.245.10.81:50553->10.5.50.90:443(10.5.63.139:50553)
hook=pre dir=reply act=dnat 10.5.50.90:443->10.5.63.139:50553(10.245.10.81:50553)
hook=post dir=reply act=snat 10.5.50.90:443->10.245.10.81:50553(10.245.15.139:443)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=5 pol_uuid_idx=14768 auth_info=0 chk_client_info=0 vd=0
serial=0036db91 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
no_ofld_reason:  npu-flag-off
total session 1