Support Forum
mbrowndcm
New Contributor III

Applying UTM policies correctly

Hello,
After reviewing the UTM Guide document, I am still lacking the simple understanding of how to apply the Firewall policy to provide UTM scanning. Intuitively, I would assume the following example would work:
1) Create a policy and assign it Sequence number 1.
2) Assign source interface to any
3) Assign source address to all
4) Destination will be our internal1 interface (which is our user LAN)
5) Destination address is an address range that is the subnet of our user LAN
6) Action is ACCEPT
7) UTM is enabled for AntiVirus and IPS
This policy doesn't appear to get any hits. Should the source and destination interface(s) be configured differently?
Thanks,
Matt Brown
"…you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - [link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond Chen[/link]
ede_pfau
SuperUser

Hi,
the big picture is like this:
- traffic originates at interfaces.
- interfaces can be physical ports, VLAN ports or VPN tunnel ends.
- whether traffic can flow into other interfaces is determined by a rule / rule set called policy.
So, policies connect interfaces.
Best practices:
- be as specific as you can when you spell out a policy: which interface is the source? (NOT 'any'!) which interface is the target? which addresses are meant on each interface? (ALL at a pinch) which services are meant? which kind of UTM filtering do I want (if any)?
The 'any' construct is FortiOS specific and IMHO dreadful. I have yet to see an example where you couldn't solve a problem without using it. The downside of using 'any' is that traffic might be affected that you might not have thought of when writing the policy. You should try to avoid it if possible.
That being said your points 1) to 7) make up a valid policy, except for 1) "assign a sequence ID". You don't need one - there is an implicit hierarchy of policies given by their position in the list of policies, i.e. top-down.
Be aware that allowing traffic does not suffice to make it flow. Routing is equally important as it logically connects separate networks.
HTH.
Ede Kernel panic: Aiee, killing interrupt handler!
mbrowndcm
New Contributor III

Thanks for your response. I am not concerned with your opinion on writing "correct" policies. I am concerned with how to properly implement UTM in a policy. I have created a separate policy for UTM filtering that passes traffic through (ACCEPT). Since it is at the top of the list (aka sequence position 1), it will pass it down to the next policy in sequence (the second one in the list), etc.
Allow me to rephrase my question. Here is the info:
1) Create a policy and assign it Sequence number 1.
2) Assign source interface to any (inspecting traffic ingress on any interface == protecting all the interfaces from each other)
3) Assign source address to all (inspecting traffic ingress from any ip address == protecting all subnets from each other)
4) Destination will be our internal1 interface (qualifying the destination interface)
5) Destination address is an address range that is the subnet of our user LAN (qualifying the destination subnet)
6) Action is ACCEPT
7) UTM is enabled for AntiVirus and IPS
I am not getting any hits on this UTM policy. What am I doing wrong? It may be that since the firewall is stateful, that traffic never hits the UTM policy as it is already allowed via the statefulness of a connection with the source of internal1 [as there's a policy internal1>any = ACCEPT]. Should this be the firewall policy where I apply the UTM policy?
Thanks,
Matt
[edit] On page 63 of the UTM Guide the following is stated: "When an antivirus profile is selected in a firewall policy, its settings are applied to all the traffic the firewall policy handles." I'm guessing that I am correct in my assumption that I must apply the UTM policies to the policy that initiates the connection, even if the traffic being inspected is coming ingress on another interface than this policy. I will test. Additionally, protocol options must be applied.
Alright, I lied before... I didn't read the UTM guide through.
"…you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - [link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond Chen[/link]
ede_pfau
SuperUser

OK I guess I see your situation now. Wasn't too accustomed to the 'any' interface. As soon as you use the 'any' interface anywhere your policy table switches into global view. From there it can be difficult to trace the sequence of policies a packet goes through.
Get rid of the 'any' interface and choose 'segmented view' for the policies. There you have policies grouped according to interface pairs. Within a policy group traffic traverses top to down. BUT it will only pass down to the next policy if traffic doesn't match.
In reality you don't have that many interfaces with incoming traffic - usually it's only WAN1. For the sake of testing the concept put the real interface name into the policy and test.
To help you in debugging you can switch on the 'hits' column in the policy table (Column Settings). It shows # of hits and amount of data passed by each policy.
BTW please mention your FortiOS version.
Ede Kernel panic: Aiee, killing interrupt handler!
mbrowndcm
New Contributor III

Thanks Ede. I have no problem using global view to administer my policies, as I've added several columns that make it quite easy to pinpoint all the concerning information: "Seq. No.," "ID," "From [interface]," "To [interface]," "Source [ip addr]," "Destination [ip addr]," "Action," "Status," "NAT."
I am using: 4.00 MR2 build 5400.
I've gained a greater understanding, but I do have to test my assumption. That UTM policies trigger packet inspection, qualified by a firewall policy... for which, since the firewall is treated as stateful (when a TCP session traverses a firewall policy, then incoming traffic is allowed back without hitting any policy), the UTM policy must be applied to the policy that allows this conversation to start.
To test this theory, an example of a policy would be:
src: internal1
src ip addr: any
dst: wan1
dst ip addr: any
UTM policy: anti-virus
A host behind internal1 could then test the anti-virus policy by utilizing: http://www.fortiguard.com/antivirus/eicartest.html
Alternately, to test the other theory (that the firewall will inspect all traffic whether or not it has been statefully established as "safe" aka requested traffic), a policy would be:
src: wan1
src ip addr: any
dst: internal1
dst ip addr: any
UTM policy: anti-virus
A host behind internal1 could then test the anti-virus policy by utilizing: http://www.fortiguard.com/antivirus/eicartest.html
For reference, note that each of these UTM policies must also have qualified traffic using protocol options in the firewall policy for at least HTTP, and the anti-virus protocol scanning options must also be set for at least HTTP.
Note the same is true for IPS with the relevant info: "EICAR.AV.Test.File.Download" is the signature. Logging is accessed via Log&Report > Log Access > Attack.
[edit] The first test (src: internal1) failed. The second test (src: wan1) failed.
"…you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - [link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond Chen[/link]
ede_pfau
SuperUser

Policies decide whether the source can establish a session to the destination. Once the session is entered into the session table both traffic flowing forward and reverse which belongs to this session is inspected by the UTM feature. So, in your first scenario internal->wan the EICAR test file should have triggered the AV. There must be something else responsible for this, your AV just isn't working at the moment.
The policy for wan->internal will only work if someone on the internet would originate traffic towards your internal private network. That will never happen as traffic from private networks is not forwarded by ISPs.
Ede Kernel panic: Aiee, killing interrupt handler!
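A small model of the session behaviour Ede describes, added here as an illustration (not code from the thread or from Fortinet): the policy table is consulted only for the packet that opens a session, reply packets are matched against the session table instead, and the AV profile of the policy that opened the session is what scans both directions. Interface names, addresses, ports and the two policy layouts are constructed; the `any -> internal1` layout mirrors Matt's first attempt and the second mirrors Ede's advice.

```python
from ipaddress import ip_address, ip_network

def in_subnet(addr, subnet):
    return subnet == "all" or ip_address(addr) in ip_network(subnet)  # "all" = FortiOS catch-all

class Firewall:
    def __init__(self, policies):
        self.policies = policies          # ordered top-down, like the policy table
        self.sessions = {}                # 4-tuple -> index of the policy that opened the session
        self.hits = [0] * len(policies)   # the per-policy hit counter Ede refers to

    def _match(self, pkt):
        for i, p in enumerate(self.policies):
            if (p["srcintf"] in ("any", pkt["in"]) and p["dstintf"] in ("any", pkt["out"])
                    and in_subnet(pkt["src"], p["srcaddr"]) and in_subnet(pkt["dst"], p["dstaddr"])):
                return i
        return None                       # implicit deny

    def forward(self, pkt):
        """Return (verdict, av_profile) for one packet; replies are matched to the session, not a policy."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if reverse in self.sessions:      # reply of an established session: originating policy's AV applies
            return "accept", self.policies[self.sessions[reverse]].get("av")
        idx = self._match(pkt)
        if idx is None:
            return "deny", None
        self.hits[idx] += 1
        self.sessions[key] = idx
        return "accept", self.policies[idx].get("av")

def run_download(policies):
    """A LAN host fetches a file from a web server; return (hits, av on request, av on reply)."""
    fw = Firewall(policies)
    req = {"in": "internal1", "out": "wan1", "src": "192.168.10.5", "sport": 40000,
           "dst": "203.0.113.10", "dport": 80}
    rep = {"in": "wan1", "out": "internal1", "src": "203.0.113.10", "sport": 80,
           "dst": "192.168.10.5", "dport": 40000}
    _, av_req = fw.forward(req)
    _, av_rep = fw.forward(rep)           # the downloaded file body travels in this direction
    return fw.hits, av_req, av_rep

AV = "Antivirus all protocols"
# Layout from the thread: AV on an "any -> internal1" policy, plain accept for internal1 -> any
AS_POSTED = [
    {"srcintf": "any", "dstintf": "internal1", "srcaddr": "all", "dstaddr": "192.168.10.0/24", "av": AV},
    {"srcintf": "internal1", "dstintf": "any", "srcaddr": "all", "dstaddr": "all"},
]
# Ede's point: the AV profile belongs on the policy that lets the session start
CORRECTED = [{"srcintf": "internal1", "dstintf": "wan1", "srcaddr": "all", "dstaddr": "all", "av": AV}]
```

With `AS_POSTED` the UTM policy stays at zero hits and neither direction is scanned; with `CORRECTED` the single policy is hit once and its AV profile covers the reply carrying the file.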
mbrowndcm
New Contributor III

Thanks again Ede. Okay, so I am correct in my second assumption... that UTM is activated on traffic originating through a policy (as in the first policy mentioned, src: internal1). How do I debug the anti-virus and IPS (since I am using both on the current internal1>wan1 policy)? My config is as follows:

# Reconstructed wrapper: the post starts mid-policy, so the policy ID is not shown
config firewall policy
    edit <policy-id>
        set srcintf "internal1"
        set dstintf "wan1"
        set srcaddr "any"
        set dstaddr "all"
        set rtp-nat disable
        set action accept
        set status enable
        set utm-status enable
        set ippool disable
        set central-nat disable
        set session-ttl 0
        set wccp disable
        set disclaimer disable
        set natip 0.0.0.0 0.0.0.0
        set match-vip disable
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set endpoint-check disable
        set label ''
        set identity-based disable
        set schedule "always"
        set service "ANY"
        set profile-type single
        set av-profile "Antivirus all protocols"
        set webfilter-profile ''
        set spamfilter-profile ''
        set ips-sensor "all_default"
        set dlp-sensor ''
        set application-list ''
        set voip-profile ''
        set profile-protocol-options "protocol_restrict"
        set logtraffic disable
        set traffic-shaper ''
        set per-ip-shaper ''
        set nat enable
        set fixedport disable
    next
end

config antivirus profile
    edit "Antivirus all protocols"
        config http
            set options scan quarantine
        end
        config https
            set options scan
        end
        config ftp
            set options scan
        end
        config imap
            set options scan
        end
        config imaps
            set options scan
        end
        config pop3
            set options scan
        end
        config pop3s
            set options scan
        end
        config smtp
            set options scan
        end
        config smtps
            set options scan
        end
        config nntp
            set options scan
        end
        config im
            set options scan
        end
        set av-virus-log enable
    next
end

config ips sensor
    edit "all_default"
        set comment "all predefined signatures with default setting"
        config filter
            edit "1"
            next
        end
    next
end

# Reconstructed wrapper: the post shows only the "edit" line of this protocol-options entry
config firewall profile-protocol-options
    edit "protocol_restrict"
        config http
            set inspect-all enable
            set options clientcomfort no-content-summary
            set comfort-interval 2
            set comfort-amount 2
            unset post-lang
        end
        config https
            set port 443
            set options no-content-summary
            unset post-lang
        end
        config ftp
            set inspect-all enable
            set options clientcomfort no-content-summary
            set comfort-interval 2
            set comfort-amount 2
            unset post-lang
        end
        config imap
            set port 143
            set options fragmail no-content-summary
        end
        config imaps
            set port 993
            set options fragmail no-content-summary
        end
        config pop3
            set port 110
            set options fragmail no-content-summary
        end
        config pop3s
            set port 995
            set options fragmail no-content-summary
        end
        config smtp
            set port 25
            set options fragmail no-content-summary
        end
        config smtps
            set port 465
            set options fragmail no-content-summary
        end
        config nntp
            set port 119
            set options no-content-summary
        end
    next
end

What looks wrong?
"…you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - [link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond Chen[/link]
ede_pfau
SuperUser

Nothing really looks wrong with your config. The only thing I have in addition, in the "config antivirus profile", "edit <name>" is this: "set av-block-log enable" but that isn't why. Are you sure traffic hits the policy at all (check by means of the counter)?
Ede Kernel panic: Aiee, killing interrupt handler!
mbrowndcm
New Contributor III

Yes. I see the count is very high. In fact, this is our User LAN access to the internet (specifically). I have opened a case with support, but any more input is appreciated.
"…you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - [link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond Chen[/link]
RH2
New Contributor II

You have to turn on logging allowed traffic too.
set profile-protocol-options "protocol_restrict"
set logtraffic disable
set traffic-shaper ''
set per-ip-shaper ''
set nat enable
set fixedport disable
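Added example, not code from the thread or from Fortinet: a small parser for FortiOS-style CLI fragments and a checker for the points this thread walked through on the posted config (utm-status, an AV profile that actually scans HTTP, protocol options bound to the policy, and RH2's point about logging allowed traffic). The sample config is constructed in the shape of Matt's posted one with a made-up policy ID; the `firewall policy` table name is assumed.

```python
import shlex

def parse_fortios(text):
    """Nest a FortiOS CLI fragment as dicts: config table -> edit entry -> {setting: values}."""
    root, stack = {}, []
    for line in text.splitlines():
        words = shlex.split(line)
        if not words: continue
        cur = stack[-1] if stack else root
        if words[0] in ("config", "edit"):       # both open a nested block
            stack.append(cur.setdefault(" ".join(words[1:]), {}))
        elif words[0] == "set":
            cur[words[1]] = words[2:]
        elif words[0] in ("next", "end"):        # both close the current block
            stack.pop()
    return root

def lint_policy(cfg, policy_id):
    """Reasons, in the order the thread raised them, why AV would not fire on this policy."""
    pol = cfg["firewall policy"][policy_id]
    av = pol.get("av-profile", [""])[0]
    http_opts = cfg.get("antivirus profile", {}).get(av, {}).get("http", {}).get("options", [])
    checks = [
        (pol.get("utm-status") == ["enable"], "utm-status disabled: bound profiles are ignored"),
        (bool(av), "no av-profile bound to the policy"),
        (not av or "scan" in http_opts, f"av-profile {av!r} does not scan HTTP"),
        (bool(pol.get("profile-protocol-options", [""])[0]), "no profile-protocol-options: HTTP is not decoded"),
        (pol.get("logtraffic") == ["enable"], "logtraffic disabled: allowed sessions produce no log entry"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample in the shape of the config posted in the thread (policy ID made up).
SAMPLE = """
config firewall policy
    edit 1
        set utm-status enable
        set av-profile "Antivirus all protocols"
        set profile-protocol-options "protocol_restrict"
        set logtraffic disable
    next
end
config antivirus profile
    edit "Antivirus all protocols"
        config http
            set options scan quarantine
        end
    next
end
"""
```

On the sample the only finding is the disabled traffic log, which matches Ede's "nothing really looks wrong" and RH2's reply.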