- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Filtering by interfaces in policy
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Filtering by interfaces in policy
Greetings,
I' d like to correctly understand how traffic filtering functions on a Fortigate 60C firewall. The specific matter I' d like to discuss is how filtering by source/destination interfaces in firewall policy influences security.
Consider the following example: I have a unit with 4 tunnel interfaces - A, B, C, D - connecting it to remote networks. Each interface has a static route assigned to it:
10.0.1.0/24 via interface A
10.0.2.0/24 via interface B
192.168.1.0/24 via interface C
192.168.2.0/24 via interface D
Let' s assume tunneling and routing already works properly. Now, I want all IPv4 traffic from A and B to C and D to be allowed. Please consider two alternate scenarios:
SCENARIO 1.
Each network has a firewall object created with the relevant interface assigned:
NET_A: 10.0.1.0/24 (interface A)
NET_B: 10.0.2.0/24 (interface B)
NET_C: 192.168.1.0/24 (interface C)
NET_D: 192.168.2.0/24 (interface D)
Because objects belonging to different interfaces cannot be grouped into a firewall address group, four separate allow policies have to be created:
a) source interface: A
source address: NET_A
destination interface: C
destination address: NET_C
b) source interface: A
source address: NET_A
destination interface: D
destination address: NET_D
c) source interface: B
source address: NET_B
destination interface: C
destination address: NET_C
d) source interface: B
source address: NET_B
destination interface: D
destination address: NET_D
SCENARIO 2.
Each network has a firewall object created without assigning it to a specific interface:
NET_A: 10.0.1.0/24 (interface any)
NET_B: 10.0.2.0/24 (interface any)
NET_C: 192.168.1.0/24 (interface any)
NET_D: 192.168.2.0/24 (interface any)
Because these objects aren' t assigned to a specific interface, two firewall address groups can be created to group networks together:
NET_AB: NET_A, NET_B
NET_CD: NET_C, NET_D
With these firewall address groups, I can enforce the same traffic filtering rules as in scenario 1 with only one policy:
source interface: any
source address: NET_AB
destination interface: any
destination address: NET_CD
The question.
Is scenario 2 any less secure than scenario 1? As far as I understand, the firewall will perform reverse path checks for every packet traversing it, so even though we don' t specify source/destination interfaces in scenario 2, any invalid packets (e.g. packet with source address 10.0.2.1 received on interface A) will still be dropped as they will fail the reverse path check.
21 REPLIES 21
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Kempniu,
welcome to the forums.
Go with option 2. As you already figured out it' s exactly the same as option 1.
Assigning objects to interfaces does not provide anti-spoofing a la Checkpoint.
Reverse path check works off of the routing table.
A Real World Fortinet Guide
Configuration Examples & Frequently Asked Questions
http://firewallguru.blogspot.com
A Real World Fortinet Guide Configuration Examples & Frequently Asked
Questions http://firewallguru.blogspot.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I suggest you look into the ' zone' firewall object to group interfaces together. That would simplify your policy table a lot. Simple setup = secure setup.
Zones are not only groups of (interface) names but for what you are planning this picture fits.
Binding an address object to an interface helps in configuring - you cannot populate an policy address field with an address that will never show up on the connected interface. But that' s about all you gain. With less than 20 policies you wouldn' t really need this.
The drawback of binding is that you cannot re-use an address object when the corresponding host moves. You will have to delete and recreate the address. So I tend to avoid binding.
One good advice: avoid the ' any' interface. It literally means ' from any source' so that it is very easy to loose sight which way your data is flowing through the policy table.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you both for your input, it' s very helpful.
ede_pfau, after reading your post, this is the picture I get:
1. Assigning interfaces to firewall address objects doesn' t increase security, it' s only helpful when there' s a lot of addresses and/or interfaces configured on the firewall.
2. I should consider segregating interfaces into zones and using them instead of the any interface.
Please correct me if I got anything wrong.
Following up on point 2: what if I' m defining policies for a hub in a star network (one hub, multiple spokes connected via VPN) and I want certain traffic (say, HTTP) to be allowed between all spokes (assume all traffic between spokes is flowing through the hub)? Should I define a zone consisting of all the VPN interfaces (but not the default gateway interface) and use it instead of the any interface? Is this the way of thinking you' re suggesting? The problem is that a single interface cannot be used in multiple zones - but I suppose a reasonable workaround is to define multiple zones as source/destination interfaces in policy definition when needed.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1. yes. It helps while creating or changing policies. No impact on data flow control.
2. You are combining interfaces in a zone.
3. For the hub-and-spoke scenario, to allow intra-zone traffic with policy control you create a policy from ' myZone' to ' myZone' and specify the service and other constraints. This gives you full control over the traffic between zone members.
4. An interface that is member of a zone cannot be used as just an interface in an other policy. (at least that is what I think, I might be wrong here. Seems to depend on the FortiOS version as well, especially v5 has more restrictions.)
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
4. Indeed - any interface which is part of a zone is unavailable on its own in policy definition. But it gets worse - if I define two zones, each containing several tunnel interfaces, I cannot use both these zones in a single policy (CLI returns " Cannot use tunnel interface in multiple interfaces." ). So if I wanted to use this technique for a scenario involving tunnel interfaces, I' d have to define multiple similar policies (one for each source/destination zone pair) instead of just one with any specified as source, right? Because this is specifically what I wanted to avoid. As you said, simple policy is good policy, as long as it' s secure of course.
Oh, and about that: apart from policy readability, does using the any interface introduce any security risks? Won' t the reverse path check filter out unwanted traffic anyway?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe I don' t understand quite right what you tried when you got the error message. Anyway, you cannot put the same interface into multiple zones. And you cannot use the interface by itself in a policy if it is part of a zone.
But in your case...
say you have 5 VPN tunnels, all in Interface mode: Rome, Vienna, Prague, London, Paris. On your gateway you have these policies:
zone: ' VPNs' , members: Rome, Vienna, Prague, London, Paris
src IF: internal
src addr: HQ_LAN
dst IF: VPNs
dst addr: all
service: ANY
NAT: disable
This allows traffic from HQ into the remote offices.
Use a similar policy if you want to allow traffic from the offices into HQ.
Now for traffic between offices:
src IF: VPNs
src addr: all
dst IF: VPNs
dst addr: all
service: HTTP
NAT: disable
That should work.
But no policies from HQ to e.g. Rome or vice versa.
Zones are more or less the only practical way of handling a hub-and-spoke design with more than 4-5 tunnels.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe I don' t understand quite right what you tried when you got the error message.What I was trying to do is the following: a) define zone ZONE_WX consisting of tunnel interfaces W and X, b) define zone ZONE_YZ consisting of tunnel interfaces Y and Z, c) define a single policy with source interface specified as ZONE_WX or ZONE_YZ (set srcintf " ZONE_WX" " ZONE_YZ" ). Such a configuration is not possible. That last step (followed by next or end) executed on the CLI produces the error message I' ve quoted. I understand the examples you' ve given, thank you for providing them. However, I still haven' t heard a response to the last question from my previous post:
(...) apart from policy readability, does using the any interface introduce any security risks? Won' t the reverse path check filter out unwanted traffic anyway?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
RPF check will still work as expected. Only the flow of data through the policies can be contrary to what you expect if using the ' any' interface. That' s why I recommend not using it.
Putting multiple zones into the ' Interface' entry is possible in FOS v5.
Which version do you use?
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, it is possible, as long as all the zones you use consist of only physical interfaces. The problem reveals itself once you satisfy both of the following conditions:
1. use more than one zone for input interface or output interface,
2. at least one of the zones from the ones you' ve selected contains a tunnel interface.
I' ve just tested it on FortiOS 5.0.6 running on a Fortigate 60C.
Related Posts
- FortiGate 61F Blocked Web access after... 197 Views
- Traffic is not forwards to another... 175 Views
- vivaldi browser wont reach any webpage 814 Views
- Implementing FGSP with OSPF ECMP based... 164 Views
- Fortiproxy - how exactly is traffic... 130 Views
Labels
-
FortiGate
6,771 -
FortiClient
1,345 -
5.2
801 -
5.4
639 -
FortiManager
581 -
FortiAnalyzer
425 -
6.0
416 -
5.6
362 -
FortiSwitch
347 -
FortiAP
347 -
FortiClient EMS
274 -
FortiMail
265 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
162 -
6.4
128 -
FortiNAC
113 -
FortiGuard
108 -
FortiSIEM
91 -
FortiGateCloud
88 -
IPsec
87 -
FortiCloud Products
85 -
FortiToken
73 -
SSL-VPN
70 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiExtender
34 -
FortiGate v5.4
34 -
FortiDNS
34 -
SD-WAN
34 -
FortiSandbox
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
24 -
FortiConnect
24 -
FortiAuthenticator
23 -
VLAN
23 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
SAML
15 -
DNS
15 -
FortiMonitor
14 -
BGP
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
LDAP
13 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Authentication
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Fortigate Cloud
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web application firewall profile
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.