Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Fortigate zone based firewall
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate zone based firewall
Hi all,
I am trying to test the firewalling feature of Fortigate.
My question/problem is as follows:
I have 3 zones named, INSIDE, OUTSIDE_A, OUTSIDE_B and they have different interface assigned to them.
I was trying to simulate the asymmetic routing which I would expect to be denied by most firewall by default. However, when I have tried to "send the traffic" from INSIDE to the OUTSIDE_A, and the return packet from OUTSIDE_B to INSIDE, the traffic is allowed.
I have only one permit policy which allows all traffic from INSIDE zone to be go out to the OUTSIDE_A zone and there is NO other policy defined in the policies.
The testing protocol is ICMP ping.
any help would be appreciated as it is a fundamental problem which I have.
Regards
Behzad
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
- « Previous
-
- 1
- 2
- Next »
18 REPLIES 18
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
Here is the topology that I have implemented
here is the topology:
Traffic is initiated from PC_A toward PC_B.
The send traffic is INSIDE TO OUTSIDE_A, then R1 to PC_B.
The return traffic is PC_B to R2, and then R2 to OUTSIDE_B, and OUTSIDE_B to PC_A
An IPv4 firewall policy is configured to allow all traffic from INSIDE zone toward OUTSIDE_A is allowed only.
There are no other rules in the IPv4 firewall policies.
From Routing point of view, the PC_B IP address is configured on Fortigate to route through the OUTSIDE_A zone.
I will post the debug output when I have access to the device.
With regards
Behzad
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes that is the desired behavior which is the stateful firewall basics. My problem, though is that it allows the traffic.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you checked my answer to you?
Thanks
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ac89live wrote:Hi yes the asymmentic routing is disabled.
Have you checked my answer to you?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok .. so this got me interested.
I sat a lab with two fortigates each one has different LAN , (version 6.2.0)
fortigate-1 is connected to a wan1-router and wan1-router is also connected fortigate-2
fortigate-1 is also connected to fortigate-2 through wan2 interface
And I sat the traffic to flow this way , and it worked regardless that asymmetric route is disabled.
But guess what, I sat on FGT-2 that FGT-1 LAN learned the direct p2p connection and not through the mpls router. ANd when I tried to ping from FGT-1 LAN to FGT-2 LAN and enforced traffic to go through the mpls router , traffic got denied on FGT-2 . See log:
FGT-2 (settings) # id=20085 trace_id=41 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=1, 10.2.0.1:48896->10.100.77.101:2048) from por
t5. type=8, code=0, id=48896, seq=0."
id=20085 trace_id=41 func=init_ip_session_common line=5666 msg="allocate a new session-00011302"
id=20085 trace_id=41 func=ip_route_input_slow line=2252 msg="reverse path check fail, drop"
id=20085 trace_id=41 func=ip_session_handle_no_dst line=5750 msg="trace"
id=20085 trace_id=42 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=1, 10.2.0.1:48896->10.100.77.101:2048) from port5. type=8, code=0, id=48896,
seq=1."
After enabling asymmetric route on FGT-2 traffic got Permitted on FGT-2
FGT-2 (settings) # get | grep asym
asymroute : disable
asymroute-icmp : enable
asymroute6 : disable
asymroute6-icmp : disable
And then arrived successfully at FGT-1 without being denied.
FGT-1 # diagnose sniffer packet any 'host 10.100.77.101 and host 10.2.0.1' 4
interfaces=[any]
filters=[host 10.100.77.101 and host 10.2.0.1]
3.770602 mpls out 10.2.0.1 -> 10.100.77.101: icmp: echo request
3.785696 wan2 in 10.100.77.101 -> 10.2.0.1: icmp: echo reply
4.770882 mpls out 10.2.0.1 -> 10.100.77.101: icmp: echo request
4.784904 wan2 in 10.100.77.101 -> 10.2.0.1: icmp: echo reply
(So I guess) this is default behavior to accept outgoing traffic that it returns from different WAN. And default behavior to deny incoming traffic that is coming of different interface other that what is mentined in the routing table (suspecetd spoofed traffic).
Its worth mentioning that this is not the same with SD-WAN while there you have the auxiliary-session command:
https://docs.fortinet.com/document/fortigate/6.2.3/technical-tip-enabling-auxiliary-session-with-ecmp-or-sd-wan/19/fd47765
Thanks
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ac89live wrote:(So I guess) this is default behavior to accept outgoing traffic that it returns from different WAN. And default behavior to deny incoming traffic that is coming of different interface other that what is mentined in the routing table (suspecetd spoofed traffic).
So is there anyway to change this behavior to enforce to care about the outgoing zone/interface?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
any update?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to open a case with Fortinet support to see if this is in fact expected behavior like live89 suggests. I suspect it is, but they have been known to have a lot of bugs, especially in .0 code that live89 was using.
I don't see the issue with this traffic being allowed though, as the security issue where RPF checks drop packets is when the initiating traffic is coming from the wrong interface (i.e. doesn't match the routing table). If it comes back from a different interface, who cares? Assuming these are ISP connections, that means you have an upstream routing problem that won't be resolved by dropping packets.
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Quarantined IP Address Group 54 Views
- FortiGate Firewall Security Testing 89 Views
- How to avoid Assymetric Routing with... 90 Views
- Reconnaissance block - why? 110 Views
- Device firmware version 124 Views
Labels
-
FortiGate
8,428 -
FortiClient
1,701 -
5.2
801 -
FortiManager
708 -
5.4
639 -
FortiAnalyzer
542 -
FortiSwitch
456 -
FortiAP
456 -
6.0
416 -
FortiClient EMS
404 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
211 -
FortiWeb
198 -
5.0
196 -
IPsec
183 -
FortiNAC
175 -
FortiGuard
134 -
6.4
128 -
SD-WAN
109 -
FortiGateCloud
100 -
FortiSIEM
98 -
FortiCloud Products
95 -
FortiToken
89 -
FortiAuthenticator
83 -
Customer Service
77 -
Wireless Controller
75 -
Firewall policy
70 -
4.0MR3
64 -
FortiProxy
59 -
FortiADC
53 -
Fortivoice
52 -
High Availability
51 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
BGP
38 -
DNS
38 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Authentication
31 -
Interface
31 -
SSO
30 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
Application control
25 -
FortiGate v5.2
24 -
VDOM
24 -
Logging
24 -
Web profile
23 -
Virtual IP
22 -
FortiPAM
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
IP address management - IPAM
14 -
FortiSOAR
13 -
SSID
13 -
Static route
13 -
System settings
13 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Traffic shaping policy
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1645 | |
| 1070 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.