FortiGate
naveenk
Staff
Article Id 190026

Description

This article describes the 'Source Address Filter' (src-filter) option of a Virtual IP (VIP). Use it when only specific source IP addresses should be allowed to reach the VIP: the VIP is then applied only to traffic from those sources, and traffic from any other client does not match the VIP at all.

Solution
To add allowed addresses, open the Virtual IP configuration in the GUI and, under 'Source Address Filter', select 'Create New'.

 

 
 
The address field for the source/client can be a single IP, a range of IPs or a whole subnet.
The filter can be formatted in three different ways:
 
1) Source IP: a single IPv4 or IPv6 address in standard notation, optionally with a host prefix (/32 for IPv4, /128 for IPv6).
Example: 192.168.1.1/32.
 
2) Range: the first and last members of the range.
Example: 192.168.1.1 - 192.168.1.20.
 
3) Subnet: the network address of the subnet followed by its prefix length (not the broadcast address; 192.168.1.0/24 covers 192.168.1.0 through 192.168.1.255).
Example: 192.168.1.0/24.
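To check a planned src-filter list offline against the three formats above, the following Python helper normalises each entry and tests a client IP against it. This is an added example, not FortiOS code and not part of the article; the function names are my own, and it assumes entries are written in one of the three formats just described (the range form is accepted with or without spaces around the dash, which is an assumption about how the list is typed).

```python
import ipaddress


def _normalize_entry(entry):
    """Translate one src-filter entry into (ip_version, low, high) integer bounds.

    Accepted spellings follow the three formats described in the article:
      single IP  '192.168.1.1' or '192.168.1.1/32' (IPv6: '2001:db8::1' or '2001:db8::1/128')
      range      '192.168.1.1 - 192.168.1.20' (spaces around the dash optional; assumption)
      subnet     '192.168.1.0/24' (network address plus prefix length)
    A subnet whose host bits are not all zero, e.g. '192.168.1.5/24', is rejected so the
    operator notices the typo instead of a silently different network being permitted.
    """
    text = entry.strip().strip('"')
    if "-" in text:
        first, last = (part.strip() for part in text.split("-", 1))
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo.version != hi.version:
            raise ValueError(f"mixed address families in range: {entry!r}")
        if lo > hi:
            raise ValueError(f"range start is after range end: {entry!r}")
        return lo.version, int(lo), int(hi)
    net = ipaddress.ip_network(text, strict=True)
    return net.version, int(net.network_address), int(net.broadcast_address)


def validate_entries(entries):
    """Return (entry, reason) pairs for every entry that cannot be interpreted."""
    problems = []
    for entry in entries:
        try:
            _normalize_entry(entry)
        except ValueError as exc:
            problems.append((entry, str(exc)))
    return problems


def match_src_filter(source, entries):
    """Return the first entry that covers 'source', or None when no entry does.

    No match means the VIP is not applied to that client at all, which is what
    the failed trace later in this article shows for 10.5.23.174.
    """
    src = ipaddress.ip_address(source)
    for entry in entries:
        version, lo, hi = _normalize_entry(entry)
        if version == src.version and lo <= int(src) <= hi:
            return entry
    return None


if __name__ == "__main__":
    # Constructed example list: the article's permitted host plus one of each other format.
    filters = ["10.5.23.138", "192.168.1.1 - 192.168.1.20", "192.168.2.0/24"]
    for client in ("10.5.23.138", "10.5.23.174", "192.168.1.20", "192.168.1.21", "192.168.2.77"):
        print(client, "->", match_src_filter(client, filters) or "no match, VIP not applied")
```

Run it with the list you intend to configure and the client addresses that must (and must not) reach the VIP; `validate_entries` catches a subnet entry with host bits set before it is pasted into the CLI.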
 
VIP src-filter configuration from the CLI (10.5.23.138 is the only permitted source):
 

FG80EP-1 # config firewall vip

FG80EP-1 (vip) # edit TEST-1

FG80EP-1 (TEST-1) # show
config firewall vip
    edit "TEST-1"
        set uuid b8ef1c54-34e1-51ed-206b-a7704619ea49
        set src-filter "10.5.23.138"  <<<<<<<<<<<<<<<
        set extip 10.5.20.136
        set mappedip "10.131.3.113"
        set extintf "lan"
        set portforward enable
        set extport 80
        set mappedport 80
    next
end

FG80EP-1 (TEST-1)

 
The VIP above is used as the destination address in the firewall policy. Note that the policy's source address is 'all'; the restriction to 10.5.23.138 comes from the src-filter on the VIP, not from the policy:
 
FG80EP-1 # show firewall policy 10
config firewall policy
    edit 10
        set name "TEST-1"
        set uuid 09b88f80-34e2-51ed-bd95-cee95af9eb08
        set srcintf "lan"
        set dstintf "wan2"
        set action accept
        set srcaddr "all"   <<<<<<<<<<<<<<<<<<<
        set dstaddr "TEST-1"
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set ssl-ssh-profile "TEST1"
        set logtraffic all
        set auto-asic-offload disable
        set np-acceleration disable
    next
end
 
Verification:
 
Run the sniffer to verify the traffic flow:

# diag sniffer packet any 'host x.x.x.x and port xxx' 4 0 a                        <----- x.x.x.x is the source IP and xxx the port number.

The policy source is 'all', but the VIP's src-filter permits only 10.5.23.138. First, the VIP http://10.5.20.136 is accessed from 10.5.23.174, an address that is not in the filter.

 

From the sniffer (only retransmitted SYNs from the client and no SYN-ACK: the FortiGate is dropping the connection attempts):

 

FG80EP-1 # dia sniffer packet any 'host 10.5.20.136 and port 80'
interfaces=[any]
filters=[host 10.5.20.136 and port 80]
14.100483 10.5.23.174.50639 -> 10.5.20.136.80: syn 1257750728
14.365882 10.5.23.174.50640 -> 10.5.20.136.80: syn 2491461381
15.111968 10.5.23.174.50639 -> 10.5.20.136.80: syn 1257750728
15.375508 10.5.23.174.50640 -> 10.5.20.136.80: syn 2491461381

 

Debug flow for the dropped client. Because 10.5.23.174 is not in the src-filter, the VIP is not matched and no DNAT takes place; the packet is handled as traffic to the FortiGate itself (local-in) and is dropped by the implicit policy 0:

 

FG80EP-1 # id=20085 trace_id=6130 func=print_pkt_detail line=5852 msg="vd-root:0 received a packet(proto=6, 10.5.23.174:50702->10.5.20.136:80) tun_id=0.0.0.0 from lan. flag [S], seq 4017750267, ack 0, win 64240"
id=20085 trace_id=6130 func=init_ip_session_common line=6024 msg="allocate a new session-024f6168, tun_id=0.0.0.0"
id=20085 trace_id=6130 func=vf_ip_route_input_common line=2606 msg="find a route: flag=84000000 gw-10.5.20.136 via root"
id=20085 trace_id=6130 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"  <<<<<

 

Next, the same access is made from the permitted IP 10.5.23.138:

 

Sniffer output from the firewall (the SYN is now translated to the mapped IP 10.131.3.113 on wan2 and the handshake completes):

 

FG80EP-1 # dia sniffer packet any 'host 10.5.23.138 and port 80' 4 0 a
interfaces=[any]
filters=[host 10.5.23.138 and port 80]
2023-02-12 13:52:52.652620 lan in 10.5.23.138.49372 -> 10.5.20.136.80: syn 3286496742
2023-02-12 13:52:52.652762 wan2 out 10.5.23.138.49372 -> 10.131.3.113.80: syn 3286496742
2023-02-12 13:52:52.653499 wan2 in 10.131.3.113.80 -> 10.5.23.138.49372: syn 2810872981 ack 3286496743
2023-02-12 13:52:52.653553 lan out 10.5.20.136.80 -> 10.5.23.138.49372: syn 2810872981 ack 3286496743
2023-02-12 13:52:52.654008 lan in 10.5.23.138.49372 -> 10.5.20.136.80: ack 2810872982
2023-02-12 13:52:52.654033 wan2 out 10.5.23.138.49372 -> 10.131.3.113.80: ack 2810872982

 

Debug flow from the firewall for the working scenario (the VIP matches, DNAT to 10.131.3.113:80 is applied and policy 10 allows the session):

id=20085 trace_id=6143 func=print_pkt_detail line=5852 msg="vd-root:0 received a packet(proto=6, 10.5.23.138:49384->10.5.20.136:80) tun_id=0.0.0.0 from lan. flag [S], seq 296226352, ack 0, win 64240"
id=20085 trace_id=6143 func=init_ip_session_common line=6024 msg="allocate a new session-024f721d, tun_id=0.0.0.0"
id=20085 trace_id=6143 func=get_new_addr line=1225 msg="find DNAT: IP-10.131.3.113, port-80"
id=20085 trace_id=6143 func=fw_pre_route_handler line=181 msg="VIP-10.131.3.113:80, outdev-lan"
id=20085 trace_id=6143 func=__ip_session_run_tuple line=3489 msg="DNAT 10.5.20.136:80->10.131.3.113:80"
id=20085 trace_id=6143 func=vf_ip_route_input_common line=2606 msg="find a route: flag=04000000 gw-10.131.3.113 via wan2"
id=20085 trace_id=6143 func=fw_forward_handler line=885 msg="Allowed by Policy-10:

 

Session table (act=dnat on the original direction and policy_id=10 confirm the VIP and the policy in use):

 

FG80EP-1 # dia sys session list

session info: proto=6 proto_state=01 duration=74 expire=3570 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
dst_user=ADMINISTRATOR dst_authsvr=TEST state=log may_dirty f00
statistic(bytes/packets/allow_err): org=2206/35/1 reply=103769/72/1 tuples=2
tx speed(Bps/kbps): 29/0 rx speed(Bps/kbps): 1400/11
orgin->sink: org pre->post, reply pre->post dev=30->6/6->30 gwy=10.131.3.113/10.5.23.138
hook=pre dir=org act=dnat 10.5.23.138:49384->10.5.20.136:80(10.131.3.113:80)
hook=post dir=reply act=snat 10.131.3.113:80->10.5.23.138:49384(10.5.20.136:80)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=10 pol_uuid_idx=540 auth_info=0 chk_client_info=0 vd=0
serial=024f721d tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x4000101 no_offload
no_ofld_reason: disabled-by-policy
total session 1

FG80EP-1 #

 

Troubleshooting:

To collect a flow trace for the client, run the following (abbreviated forms of 'diagnose debug ...'):

# dia de reset
# di de flow filter clear
# di de flow filter addr x.x.x.x
# di de flow filter port xx
# di de flow trace start 1000
# di de en
 
x.x.x.x is the source IP from which the traffic is initiated, and xx is the port (80 for the VIP in this example).

Once the traffic has been generated and the issue reproduced, stop the debug with:

# di de di
# di de reset
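The trace produced by the commands above is easiest to read per trace_id: which client and destination the packet had, whether a DNAT to the mapped IP was applied, and the final verdict. The following is an added Python helper, not FortiOS output and not code from the article; its sample input is constructed from the two traces shown earlier on this page, and the function and regex names are my own. A VIP destination without a DNAT entry is exactly what the src-filter produces for a client outside the filter.

```python
import re
from collections import defaultdict

# Constructed sample: the two 'diag debug flow' captures shown earlier in this article
# (trace 6130 from the filtered-out client, trace 6143 from the permitted client).
# The 'Allowed by' line is truncated in the article as well; only the policy number is needed.
SAMPLE_TRACE = """\
id=20085 trace_id=6130 func=print_pkt_detail line=5852 msg="vd-root:0 received a packet(proto=6, 10.5.23.174:50702->10.5.20.136:80) tun_id=0.0.0.0 from lan. flag [S], seq 4017750267, ack 0, win 64240"
id=20085 trace_id=6130 func=init_ip_session_common line=6024 msg="allocate a new session-024f6168, tun_id=0.0.0.0"
id=20085 trace_id=6130 func=vf_ip_route_input_common line=2606 msg="find a route: flag=84000000 gw-10.5.20.136 via root"
id=20085 trace_id=6130 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=6143 func=print_pkt_detail line=5852 msg="vd-root:0 received a packet(proto=6, 10.5.23.138:49384->10.5.20.136:80) tun_id=0.0.0.0 from lan. flag [S], seq 296226352, ack 0, win 64240"
id=20085 trace_id=6143 func=init_ip_session_common line=6024 msg="allocate a new session-024f721d, tun_id=0.0.0.0"
id=20085 trace_id=6143 func=get_new_addr line=1225 msg="find DNAT: IP-10.131.3.113, port-80"
id=20085 trace_id=6143 func=fw_pre_route_handler line=181 msg="VIP-10.131.3.113:80, outdev-lan"
id=20085 trace_id=6143 func=__ip_session_run_tuple line=3489 msg="DNAT 10.5.20.136:80->10.131.3.113:80"
id=20085 trace_id=6143 func=vf_ip_route_input_common line=2606 msg="find a route: flag=04000000 gw-10.131.3.113 via wan2"
id=20085 trace_id=6143 func=fw_forward_handler line=885 msg="Allowed by Policy-10:"
"""

TRACE_ID = re.compile(r"\btrace_id=(\d+)")
PACKET = re.compile(r"received a packet\(proto=(\d+), (\S+)->([^)\s]+)\)")
DNAT = re.compile(r'msg="DNAT (\S+)->([^"\s]+)')
ALLOW = re.compile(r"Allowed by Policy-(\d+)")
# Two drop spellings FortiOS uses: '... on policy N, drop' (as on this page) and 'Denied by ...'.
DROP = re.compile(r'msg="([^"]*(?:, drop|Denied by[^"]*))"')


def parse_flow_trace(text):
    """Group trace lines by trace_id and extract source, destination, DNAT and verdict."""
    def empty():
        return {"proto": None, "src": None, "dst": None, "dnat": None,
                "verdict": None, "policy": None, "reason": None}
    traces = defaultdict(empty)
    for line in text.splitlines():
        tid = TRACE_ID.search(line)
        if not tid:
            continue
        t = traces[int(tid.group(1))]
        m = PACKET.search(line)
        if m:
            t["proto"], t["src"], t["dst"] = int(m.group(1)), m.group(2), m.group(3)
            continue
        m = DNAT.search(line)
        if m:
            t["dnat"] = m.group(2)
            continue
        m = ALLOW.search(line)
        if m:
            t["verdict"], t["policy"] = "allow", int(m.group(1))
            continue
        m = DROP.search(line)
        if m:
            t["verdict"], t["reason"] = "drop", m.group(1)
    return dict(traces)


def vip_hits_without_dnat(traces, vip_extip_port):
    """Trace IDs that targeted the VIP external address:port but were never DNATed.

    With a src-filter configured this is the signature of a client outside the filter:
    the VIP does not match, the packet is handled as local-in and hits policy 0.
    """
    return sorted(tid for tid, t in traces.items()
                  if t["dst"] == vip_extip_port and t["dnat"] is None)


if __name__ == "__main__":
    parsed = parse_flow_trace(SAMPLE_TRACE)
    for tid, t in sorted(parsed.items()):
        print(f"trace {tid}: {t['src']} -> {t['dst']} dnat={t['dnat']} "
              f"verdict={t['verdict']} policy={t['policy']} reason={t['reason']}")
    print("not translated by the VIP:", vip_hits_without_dnat(parsed, "10.5.20.136:80"))
```

Paste the saved output of 'di de flow trace start' in place of SAMPLE_TRACE; any trace listed by `vip_hits_without_dnat` for the VIP's external address is a client the src-filter excluded (or, if the filter is empty, a sign the VIP is not being matched for another reason).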