syordanov
Article Id 406793
Description This article describes how traffic to a specific VIP can be restricted for selected source IP addresses on a FortiGate.
Scope FortiOS 7.0, 7.2, 7.4, 7.6.
Solution

Sometimes access to a VIP must be blocked for specific source IP addresses while remaining open for everyone else. This article describes how to do this on FortiOS.

 

Example topology:

 

[Image: topology_VIP_KB.png]

 

The host with the IP 172.26.226.36 should be blocked from accessing the VIP with the IP address 10.5.133.3.

 

VIP configuration:

 

config firewall vip
    edit "VIP_WAN_IP"
        set uuid 8e2c3f40-79e1-51f0-abc9-3746e55302da
        set extip 10.5.133.3
        set mappedip "192.168.183.9"
        set extintf "any"
        set portforward enable
        set extport 5555
        set mappedport 5555
    next
end

 

Destination NAT (the VIP lookup) is applied at the very beginning of packet processing.
A local-in policy with the 'deny' action will not deny traffic that a VIP accepts, because by the time the local-in policy is evaluated the VIP has already matched and allowed the traffic.
A firewall policy with 'set srcaddr-negate enable' does not deny the traffic from the negated address either. The packet simply does not match that policy, and FortiOS continues down the policy list looking for a match. If no other policy matches, the traffic is dropped by the implicit default deny policy.

 

With a configuration like the one below, FortiOS does not block the traffic from 172.26.226.36 with policy 2. Because of 'set srcaddr-negate enable', the packet does not match policy 2, and FortiOS continues to check the remaining policies. If none of them matches, the traffic is blocked by the default deny policy.

 

config firewall policy
    edit 1
        ...........
    next
    edit 2
        set name "VIP_Traffic_block_bad_IP"
        set uuid cc03fad8-79e1-51f0-28f8-b03b0c7ada0b
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "h-172.26.226.36"
        set dstaddr "VIP_WAN_IP"
        set schedule "always"
        set service "TCP_5555"
        set srcaddr-negate enable
    next
    edit 3
        ...........
    next
    edit x
        ..........
    next
end

 

The recommended solution is a deny policy for the specific source IP addresses, placed above the policy that allows the VIP traffic:


config firewall policy
    edit 1
        set name "VIP_Block_BAD_IP"
        set uuid 7b556862-79e4-51f0-d665-1207c270c7ed
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "h-172.26.226.36"
        set dstaddr "VIP_WAN_IP"
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "VIP_Traffic"
        set uuid cc03fad8-79e1-51f0-28f8-b03b0c7ada0b
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "VIP_WAN_IP"
        set schedule "always"
        set service "TCP_5555"
    next
    edit 3
        ...........
    next
end


Firewall policy ID 1 blocks the traffic from the specific IP address, while policy ID 2 allows the traffic from all other IP addresses. Policy 1 shows no 'set action' line because deny is the default action of a firewall policy and the CLI does not display default values. The debug flow below shows the traffic being blocked by deny policy 1:

 

# diagnose id=65308 trace_id=15 func=print_pkt_detail line=6194 msg="vd-root:0 received a packet(proto=6, 172.26.226.36:39396->10.5.133.3:5555) tun_id=0.0.0.0 from port1. flag [S], seq 2341104336, ack 0, win 64240"
id=65308 trace_id=15 func=init_ip_session_common line=6401 msg="allocate a new session-002fe934"
id=65308 trace_id=15 func=iprope_dnat_check line=5564 msg="in-[port1], out-[]"
id=65308 trace_id=15 func=iprope_dnat_tree_check line=826 msg="len=1"
id=65308 trace_id=15 func=__iprope_check_one_dnat_policy line=5429 msg="checking gnum-100000 policy-16410"
id=65308 trace_id=15 func=get_new_addr line=1308 msg="find DNAT: IP-192.168.183.9, port-5555"
id=65308 trace_id=15 func=__iprope_check_one_dnat_policy line=5519 msg="matched policy-16410, act=accept, vip=16410, flag=100, sflag=2000000"
id=65308 trace_id=15 func=iprope_dnat_check line=5589 msg="result: skb_flags-02000000, vid-16410, ret-matched, act-accept, flag-00000100"
id=65308 trace_id=15 func=fw_pre_route_handler line=192 msg="VIP-192.168.183.9:5555, outdev-unknown"
id=65308 trace_id=15 func=__ip_session_run_tuple line=3593 msg="DNAT 10.5.133.3:5555->192.168.183.9:5555"
id=65308 trace_id=15 func=__vf_ip_route_input_rcu line=2116 msg="find a route: flag=00000000 gw-0.0.0.0 via port2"
id=65308 trace_id=15 func=__iprope_fwd_check line=831 msg="in-[port1], out-[port2], skb_flags-020000c0, vid-16410, app_id: 0, url_cat_id: 0"
id=65308 trace_id=15 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=4"
id=65308 trace_id=15 func=__iprope_check_one_policy line=2174 msg="checked gnum-100004 policy-4, ret-matched, act-accept"
id=65308 trace_id=15 func=__iprope_user_identity_check line=1937 msg="ret-matched"
id=65308 trace_id=15 func=__iprope_check line=2457 msg="gnum-4e20, check-ffffffffa002d31a"
id=65308 trace_id=15 func=__iprope_check_one_policy line=2174 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=15 func=__iprope_check_one_policy line=2174 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=15 func=__iprope_check_one_policy line=2174 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=15 func=__iprope_check line=2474 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=15 func=__iprope_check_one_policy line=2427 msg="policy-1 is matched, act-drop"
id=65308 trace_id=15 func=__iprope_fwd_check line=868 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-4"
id=65308 trace_id=15 func=iprope_fwd_auth_check line=897 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-4"
id=65308 trace_id=15 func=fw_forward_handler line=849 msg="Denied by forward policy check (policy 1)"
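To make the policy-lookup behaviour concrete, here is a small Python model (an added example written for this article, not FortiOS code) of the forward-policy evaluation described above: top-down first match, 'srcaddr-negate' inverting the source match, and the implicit default deny. It runs the 'bad' configuration (policy 2 with negate) and the recommended configuration against the packet from the debug flow, and reads the verdict from the 'policy-N is matched' line of the trace so the two can be compared. The address-object store, the policy list representation and the assumption that a VIP used as dstaddr matches on its extip are simplifications made here; the debug flow lines are copied from the trace above.

```python
"""Model of FortiOS forward-policy evaluation for the VIP example above.

Added illustration, not Fortinet code. It reproduces first-match lookup,
the srcaddr-negate semantics and the implicit default deny, then reads the
verdict from a debug flow trace so the two can be compared.
"""
import ipaddress
import re
from dataclasses import dataclass

# Address and service objects named on the page; the object store itself is
# a constructed stand-in for the FortiGate configuration database.
ADDRESSES = {
    "all": ipaddress.ip_network("0.0.0.0/0"),
    "h-172.26.226.36": ipaddress.ip_network("172.26.226.36/32"),
    "VIP_WAN_IP": ipaddress.ip_network("10.5.133.3/32"),  # matched on the VIP extip
}
SERVICES = {"ALL": None, "TCP_5555": ("tcp", 5555)}


@dataclass
class Policy:
    policyid: int
    srcaddr: str
    dstaddr: str
    service: str
    action: str = "deny"        # FortiOS default when no 'set action' line is shown
    srcaddr_negate: bool = False

    def matches(self, src, dst, proto, dport):
        src_in = ipaddress.ip_address(src) in ADDRESSES[self.srcaddr]
        if self.srcaddr_negate:
            # Negation inverts the source match; note that negating "all"
            # leaves a policy that can never match any source.
            src_in = not src_in
        dst_in = ipaddress.ip_address(dst) in ADDRESSES[self.dstaddr]
        svc = SERVICES[self.service]
        svc_in = svc is None or svc == (proto, dport)
        return src_in and dst_in and svc_in


def evaluate(policies, src, dst, proto="tcp", dport=5555):
    """Top-down, first match wins. No match -> implicit deny, policy id 0."""
    for pol in policies:
        if pol.matches(src, dst, proto, dport):
            return pol.policyid, pol.action
    return 0, "deny"


# Policy 2 of the 'bad' configuration on the page (policies 1 and 3 are elided there).
BAD = [Policy(2, "h-172.26.226.36", "VIP_WAN_IP", "TCP_5555", "accept", srcaddr_negate=True)]
# The recommended configuration: deny policy first, accept policy for everyone else.
GOOD = [
    Policy(1, "h-172.26.226.36", "VIP_WAN_IP", "ALL"),
    Policy(2, "all", "VIP_WAN_IP", "TCP_5555", "accept"),
]

# Debug flow lines copied from the trace on the page.
SAMPLE_TRACE = [
    'id=65308 trace_id=15 func=__iprope_check line=2474 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"',
    'id=65308 trace_id=15 func=__iprope_check_one_policy line=2427 msg="policy-1 is matched, act-drop"',
    'id=65308 trace_id=15 func=fw_forward_handler line=849 msg="Denied by forward policy check (policy 1)"',
]
TRACE_RE = re.compile(r'policy-(\d+) is matched, act-(\w+)')
# The trace writes the deny action as "drop".
TRACE_ACTION = {"deny": "drop", "accept": "accept"}


def verdict_from_trace(lines):
    """Return (policyid, action) from the 'policy-N is matched' line, or None."""
    for line in lines:
        m = TRACE_RE.search(line)
        if m:
            return int(m.group(1)), m.group(2)
    return None


def same_verdict(model, trace):
    """True when the modelled decision agrees with the debug flow."""
    return trace is not None and (model[0], TRACE_ACTION[model[1]]) == trace


if __name__ == "__main__":
    host, vip = "172.26.226.36", "10.5.133.3"
    print("bad config, blocked host :", evaluate(BAD, host, vip))    # (0, 'deny'): implicit deny
    print("good config, blocked host:", evaluate(GOOD, host, vip))   # (1, 'deny')
    print("good config, other host  :", evaluate(GOOD, "172.26.226.37", vip))  # (2, 'accept')
    print("trace verdict            :", verdict_from_trace(SAMPLE_TRACE))     # (1, 'drop')
    print("model agrees with trace  :", same_verdict(evaluate(GOOD, host, vip), verdict_from_trace(SAMPLE_TRACE)))
```

The 'bad' configuration ends in the implicit deny (policy id 0) rather than in policy 2, which is exactly why a negated accept policy cannot be relied on to block a host: the decision is made by whatever follows, not by the negated policy. The model also shows that an accept policy with srcaddr "all" and 'srcaddr-negate enable' can never match any source, so once the dedicated deny policy sits in front, the accept policy must not keep the negate option.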
