Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Filtering by interfaces in policy
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Filtering by interfaces in policy
Greetings,
I' d like to correctly understand how traffic filtering functions on a Fortigate 60C firewall. The specific matter I' d like to discuss is how filtering by source/destination interfaces in firewall policy influences security.
Consider the following example: I have a unit with 4 tunnel interfaces - A, B, C, D - connecting it to remote networks. Each interface has a static route assigned to it:
10.0.1.0/24 via interface A
10.0.2.0/24 via interface B
192.168.1.0/24 via interface C
192.168.2.0/24 via interface D
Let' s assume tunneling and routing already works properly. Now, I want all IPv4 traffic from A and B to C and D to be allowed. Please consider two alternate scenarios:
SCENARIO 1.
Each network has a firewall object created with the relevant interface assigned:
NET_A: 10.0.1.0/24 (interface A)
NET_B: 10.0.2.0/24 (interface B)
NET_C: 192.168.1.0/24 (interface C)
NET_D: 192.168.2.0/24 (interface D)
Because objects belonging to different interfaces cannot be grouped into a firewall address group, four separate allow policies have to be created:
a) source interface: A
source address: NET_A
destination interface: C
destination address: NET_C
b) source interface: A
source address: NET_A
destination interface: D
destination address: NET_D
c) source interface: B
source address: NET_B
destination interface: C
destination address: NET_C
d) source interface: B
source address: NET_B
destination interface: D
destination address: NET_D
SCENARIO 2.
Each network has a firewall object created without assigning it to a specific interface:
NET_A: 10.0.1.0/24 (interface any)
NET_B: 10.0.2.0/24 (interface any)
NET_C: 192.168.1.0/24 (interface any)
NET_D: 192.168.2.0/24 (interface any)
Because these objects aren' t assigned to a specific interface, two firewall address groups can be created to group networks together:
NET_AB: NET_A, NET_B
NET_CD: NET_C, NET_D
With these firewall address groups, I can enforce the same traffic filtering rules as in scenario 1 with only one policy:
source interface: any
source address: NET_AB
destination interface: any
destination address: NET_CD
The question.
Is scenario 2 any less secure than scenario 1? As far as I understand, the firewall will perform reverse path checks for every packet traversing it, so even though we don' t specify source/destination interfaces in scenario 2, any invalid packets (e.g. packet with source address 10.0.2.1 received on interface A) will still be dropped as they will fail the reverse path check.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
21 REPLIES 21
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Kempniu,
welcome to the forums.
Go with option 2. As you already figured out it' s exactly the same as option 1.
Assigning objects to interfaces does not provide anti-spoofing a la Checkpoint.
Reverse path check works off of the routing table.
A Real World Fortinet Guide
Configuration Examples & Frequently Asked Questions
http://firewallguru.blogspot.com
A Real World Fortinet Guide Configuration Examples & Frequently Asked
Questions http://firewallguru.blogspot.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I suggest you look into the ' zone' firewall object to group interfaces together. That would simplify your policy table a lot. Simple setup = secure setup.
Zones are not only groups of (interface) names but for what you are planning this picture fits.
Binding an address object to an interface helps in configuring - you cannot populate an policy address field with an address that will never show up on the connected interface. But that' s about all you gain. With less than 20 policies you wouldn' t really need this.
The drawback of binding is that you cannot re-use an address object when the corresponding host moves. You will have to delete and recreate the address. So I tend to avoid binding.
One good advice: avoid the ' any' interface. It literally means ' from any source' so that it is very easy to loose sight which way your data is flowing through the policy table.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you both for your input, it' s very helpful.
ede_pfau, after reading your post, this is the picture I get:
1. Assigning interfaces to firewall address objects doesn' t increase security, it' s only helpful when there' s a lot of addresses and/or interfaces configured on the firewall.
2. I should consider segregating interfaces into zones and using them instead of the any interface.
Please correct me if I got anything wrong.
Following up on point 2: what if I' m defining policies for a hub in a star network (one hub, multiple spokes connected via VPN) and I want certain traffic (say, HTTP) to be allowed between all spokes (assume all traffic between spokes is flowing through the hub)? Should I define a zone consisting of all the VPN interfaces (but not the default gateway interface) and use it instead of the any interface? Is this the way of thinking you' re suggesting? The problem is that a single interface cannot be used in multiple zones - but I suppose a reasonable workaround is to define multiple zones as source/destination interfaces in policy definition when needed.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1. yes. It helps while creating or changing policies. No impact on data flow control.
2. You are combining interfaces in a zone.
3. For the hub-and-spoke scenario, to allow intra-zone traffic with policy control you create a policy from ' myZone' to ' myZone' and specify the service and other constraints. This gives you full control over the traffic between zone members.
4. An interface that is member of a zone cannot be used as just an interface in an other policy. (at least that is what I think, I might be wrong here. Seems to depend on the FortiOS version as well, especially v5 has more restrictions.)
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
4. Indeed - any interface which is part of a zone is unavailable on its own in policy definition. But it gets worse - if I define two zones, each containing several tunnel interfaces, I cannot use both these zones in a single policy (CLI returns " Cannot use tunnel interface in multiple interfaces." ). So if I wanted to use this technique for a scenario involving tunnel interfaces, I' d have to define multiple similar policies (one for each source/destination zone pair) instead of just one with any specified as source, right? Because this is specifically what I wanted to avoid. As you said, simple policy is good policy, as long as it' s secure of course.
Oh, and about that: apart from policy readability, does using the any interface introduce any security risks? Won' t the reverse path check filter out unwanted traffic anyway?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe I don' t understand quite right what you tried when you got the error message. Anyway, you cannot put the same interface into multiple zones. And you cannot use the interface by itself in a policy if it is part of a zone.
But in your case...
say you have 5 VPN tunnels, all in Interface mode: Rome, Vienna, Prague, London, Paris. On your gateway you have these policies:
zone: ' VPNs' , members: Rome, Vienna, Prague, London, Paris
src IF: internal
src addr: HQ_LAN
dst IF: VPNs
dst addr: all
service: ANY
NAT: disable
This allows traffic from HQ into the remote offices.
Use a similar policy if you want to allow traffic from the offices into HQ.
Now for traffic between offices:
src IF: VPNs
src addr: all
dst IF: VPNs
dst addr: all
service: HTTP
NAT: disable
That should work.
But no policies from HQ to e.g. Rome or vice versa.
Zones are more or less the only practical way of handling a hub-and-spoke design with more than 4-5 tunnels.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe I don' t understand quite right what you tried when you got the error message.What I was trying to do is the following: a) define zone ZONE_WX consisting of tunnel interfaces W and X, b) define zone ZONE_YZ consisting of tunnel interfaces Y and Z, c) define a single policy with source interface specified as ZONE_WX or ZONE_YZ (set srcintf " ZONE_WX" " ZONE_YZ" ). Such a configuration is not possible. That last step (followed by next or end) executed on the CLI produces the error message I' ve quoted. I understand the examples you' ve given, thank you for providing them. However, I still haven' t heard a response to the last question from my previous post:
(...) apart from policy readability, does using the any interface introduce any security risks? Won' t the reverse path check filter out unwanted traffic anyway?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
RPF check will still work as expected. Only the flow of data through the policies can be contrary to what you expect if using the ' any' interface. That' s why I recommend not using it.
Putting multiple zones into the ' Interface' entry is possible in FOS v5.
Which version do you use?
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, it is possible, as long as all the zones you use consist of only physical interfaces. The problem reveals itself once you satisfy both of the following conditions:
1. use more than one zone for input interface or output interface,
2. at least one of the zones from the ones you' ve selected contains a tunnel interface.
I' ve just tested it on FortiOS 5.0.6 running on a Fortigate 60C.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,694 -
FortiClient
1,762 -
5.2
801 -
FortiManager
729 -
5.4
639 -
FortiAnalyzer
558 -
FortiSwitch
475 -
FortiAP
471 -
FortiClient EMS
431 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
245 -
FortiAuthenticator v5.5
234 -
IPsec
208 -
FortiWeb
205 -
5.0
196 -
FortiNAC
189 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
103 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
92 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
Certificate
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiGate-VM
12 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1712 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.