" deny" rule getting bypassed

Rick_H · ‎08-08-2014

I have an Action:DENY policy setup at the top of the ruleset for inbound traffic from WAN1 to DMZ. The source address for this policy is a group which consists of some geography-based networks and " bad addresses" that come up frequently in the IPS. However, this policy doesn' t ever seem to get matched and hosts I have explicitly added to the blacklist group--or even as their own entry--are matched against policies further down in the chain. I know this has to be something easy, but after staring at it for a couple of days I' m just not seeing it. Hopefully one of you fellows can see what I' m missing. This is on a FortiGate 80C running FortiOS 5.0.7 (build 3608). I' ve attached a screenshot of the rule set, but the relevant bits of code are here:

 config firewall address
     edit " all" 
     next
     edit " outside.blacklist.121.139.0.0" 
         set subnet 121.139.0.0 255.255.0.0
     next
     edit " outside.blacklist.96.8.126.97" 
         set subnet 96.8.126.0 255.255.255.0
     next
     edit " outside.blacklist.108.61.91.211" 
         set subnet 108.61.91.0 255.255.255.0
     next
 end
 config firewall addrgrp
     edit " outside.blacklist.All" 
         set member " outside.blacklist.96.8.126.97"  " outside.blacklist.108.61.91.211"  " outside.blacklist.121.139.0.0"  [geography-based lists]
     next
 end
 
 config firewall policy
     edit 53
         set srcintf " wan1" 
         set dstintf " dmz" 
         set srcaddr " outside.blacklist.All" 
         set dstaddr " all" 
         set schedule " always" 
         set service " ALL" 
         set logtraffic all
     next
     edit 26
         set srcintf " wan1" 
         set dstintf " dmz" 
         set srcaddr " all" 
         set dstaddr " nat.inbound.rounding" 
         set action accept
         set schedule " always" 
         set service " HTTP"  " HTTPS" 
         set utm-status enable
         set av-profile " MainAV" 
         set ips-sensor " protect_http_server" 
         set profile-protocol-options " default" 
     next
     edit 37
         set srcintf " wan1" 
         set dstintf " dmz" 
         set srcaddr " all" 
         set dstaddr " nat.inbound.smtp" 
         set action accept
         set schedule " always" 
         set service " SMTP" 
         set utm-status enable
         set av-profile " MainAV" 
         set spamfilter-profile " MSPS Email Filter" 
         set ips-sensor " protect_email_server" 
         set profile-protocol-options " default" 
     next
     edit 42
         set srcintf " wan1" 
         set dstintf " dmz" 
         set srcaddr " all" 
         set dstaddr " nat.inbound.owa" 
         set action accept
         set schedule " always" 
         set service " HTTPS"  " HTTP" 
         set utm-status enable
         set av-profile " MainAV" 
         set ips-sensor " protect_http_server" 
         set profile-protocol-options " default" 
     next
     edit 49
         set srcintf " wan1" 
         set dstintf " dmz" 
         set srcaddr " all" 
         set dstaddr " nat.inbound.rdsgate" 
         set action accept
         set schedule " always" 
         set service " HTTPS"  " RDS_external_UDP" 
         set utm-status enable
         set av-profile " MainAV" 
         set ips-sensor " protect_http_server" 
         set profile-protocol-options " default" 
     next
     edit 51
         set srcintf " wan1" 
         set dstintf " dmz" 
         set srcaddr " all" 
         set dstaddr " nat.inbound.remote" 
         set action accept
         set schedule " always" 
         set service " HTTPS" 
         set utm-status enable
         set av-profile " MainAV" 
         set ips-sensor " protect_http_server" 
         set profile-protocol-options " default" 
     next
 end

These policies have been in place for sometime, yet this morning I have had the same IP address showing up in my IPS logs quite a bit:

Message meets Alert condition The following intrusion was observed: " PHP.CGI.Argument.Injection" . date=2014-08-08 time=10:18:04 devname=fw01 devid=FGT80C3911608826 logid=0419016384 type=ips subtype=signature level=alert severity=high srcip=96.8.126.97 dstip=[DMZ address of host in policy 42 above] srcintf=" wan1" dstintf=" dmz" policyid=42 identidx=0 sessionid=13078459 status=dropped proto=6 service=http count=1 attackname=" PHP.CGI.Argument.Injection" srcport=33113 dstport=80 attackid=31752 sensor=" protect_http_server" ref=" http://www.fortinet.com/ids/VID31752" incidentserialno=513620505 msg=" web_server: PHP.CGI.Argument.Injection,"

The source IP in this message is in my blacklist and I' ve tried specifying both it as a host and a /24 which included the address. Yet, inbound traffic from this host still seems to whiff past the deny policy and match against the next policy in the list instead. Any idea what I' m missing here? Any help at all is appreciated. Cheers, Rick

Dave_Hall · ‎04-09-2015

If you are trying to block countries by geo, I would do it via local-in-policy., e.g.

config system global
    set gui-local-in-policy enable
end
config firewall address
    edit "block-country-netherlands"
        set associated-interface "wan1"
        set type geography
        set country "NL"
    next
    edit "block-country-brazil"
        set associated-interface "wan1"
        set type geography
        set country "BR"
    next
    edit "block-country-lithuania"
        set associated-interface "wan1"
        set type geography
        set country "LT"
    next
    edit "block-country-sweden"
        set associated-interface "wan1"
        set type geography
        set country "SE"
    next
    edit "block-country-china"
        set associated-interface "wan1"
        set type geography
        set country "CN"
    next
    edit "block-country-russia"
        set associated-interface "wan1"
        set type geography
        set country "RU"
    next
end
config firewall addrgrp
    edit "block-countries-group"
        set member "block-country-brazil" "block-country-china" "block-country-lithuania" "block-country-netherlands" "block-country-russia" "block-country-sweden"
    next
end
config firewall local-in-policy
    edit 0
        set intf "wan1"
        set srcaddr "block-countries-group"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
    next
end

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

View solution in original post

trauthor · ‎06-18-2015

There are multiple posts in this forum related to VIP policy compromising security. I have opened cases with FortiNet both for this issue and an additional issue. I have also alerted appropriate parties. To FortiNet's credit, they are working quickly to address this. I have not yet seen an official public statement from FortiNet. Please refer to the below correspondence to see if it pertains to your situation. Thank you.

(O.P.: not sure if it matters at this point, but I don't see a "set action deny" for rule 53 in the copy you took from the CLI.)

==========

Fw: FortiGate Security "Loophole" and Severe Bug

Two issues were discovered during FortiGate firewall product tests, the first a documentation issue which FortiNet has confirmed affects FortiOS 5.0.x and 5.2.x and the second a bug which affects any FortiGate "D" series in combination with FortiOS 5.0.10 (the FIPS 140 version; it is unknown whether other combinations of FortiOS and FortiGate are affected.)

1) FortiGate Deny All rules do not deny all traffic. What is documented: "VIP rules" take precedence over "regular rules." However, until two days ago (6/15/2015) after it was recently brought to their attention this was mentioned only briefly in a technical note and not in any of their standard documentation (the FortiOS handbook, admin guide, etc.) It remains inexplicit that "VIP rules" also take precedence over "Deny All" rules.

- Here's the link to the technical note (taken from the support case): http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33338

- Here's the link to the updated handbook, published 6/15/2015 (see page 956, "Exception to policy order (VIPs):") http://docs.fortinet.com/d/fortigate-fortios-handbook-the-complete-guide

The scenario documented in the stem support case is given below. Rules appear in the same order they would after issuing the commands "config firewall policy" and "get."

=====

config firewall policy

edit 1

set srcintf "wan1"

set srcaddr "outside_blacklist"

set dstintf "dmz"

set dstaddr "all"

set action deny

set schedule "always"

set service "ALL"

set logtraffic all

set srcintf "wan1"

set srcaddr "all"

set dstintf "dmz"

set dstaddr "nat_inside"

set action accept

set schedule "always"

set service "ALL"

set logtraffic all

=====

In the above example, "outside_blacklist" is a group of outside addresses and "nat_inside" is a VIP on the firewall. As depicted, traffic will not follow the usual order of precedence. Any traffic destined for "nat_inside" will ignore the Deny All in Rule 1 but match the Accept in Rule 2. Below is the fix suggested by a FortiNet support engineer.

=====

config firewall policy

edit 1

set srcintf "wan1"

set srcaddr "outside_blacklist"

set dstintf "dmz"

set dstaddr "nat_inside"

set action deny

set schedule "always"

set service "ALL"

set logtraffic all

set srcintf "wan1"

set srcaddr "all"

set dstintf "dmz"

set dstaddr "nat_inside"

set action accept

set schedule "always"

set service "ALL"

set logtraffic all

=====

Shown above, the change replaces the Deny All in Rule 1 with Deny "nat_inside." This in effect restores the order of precedence. (For an explanation, see the new section "Exception to policy order (VIPs)" in the handbook. For the alternative fix, "match-vip," see the technical note.) To summarize, FortiGate "VIP rules" are matched before "regular rules." Most significantly, "VIP rules" are matched before "Deny All" rules.

The potential for a security "loophole" as described in the above case is compounded by:

a) a reasonable (until two days ago) expectation that a Deny or Deny All policy always denies blacklisted traffic in order of precedence; and

b) typical industry practice that only denied traffic gets logged.

Given these factors, a configuration error which would allow blacklisted traffic to enter a network undetected via an Accept rule is not unlikely. [...]

2) The secondary unit in a FortiGate "D" series active/passive cluster bricks (i.e., fails closed and must be re-imaged) after the first couple FIPS self-tests under certain conditions, two of them being: when it can't contact the master; when it is given the master's configuration file. Anyone with "D" series units will not be able to maintain an active/passive cluster in FIPS-CC mode. An "emergency" code fix of FortiOS 5.0.10 is underway which will be released as 5.0.13. We have been assured by FortiNet this will not affect the FIPS 140 certification of FortiOS.

View solution in original post

emnoc · ‎08-08-2014

What I would do is to run diag debug flow against a known entry or temporary add an entry into the addr-group Generate traffic inbound to a service and 1 > see what fwpolicy-ID is being match 2> see if it matches or hit the fwpolicy for the blacklist ( policyID 53 ) Yo do know that you have another means for blacklist traffic by GEO-IP depending on code.

PCNSE

NSE

StrongSwan

FatalHalt · ‎08-08-2014

Edit: Oops, misread the original post and saw that you showed what policy 42 was. Other thing I would do would be look in your logs and filter by policy 53, see if there is ANY traffic that gets matched to it.

Rick_H · ‎08-08-2014

Emnoc, the only reason I haven' t debugged is because I thought my rules were cut and dry. Silly I know. This will be my next step. FatalHalt, Nothing shows up in the logs matching against policy 53. :/ Netmin, I' ve always used dots in my names without issue, but I will try renaming the relevant objects. I' m willing to try anything at this point.

netmin · ‎08-08-2014

I just saw all these dots in the names and remembered this and would replace them by - or _ (better don' t use spaces).

A name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), spaces, and the special characters - and _

FatalHalt · ‎08-08-2014

I would normally agree, your rules look fine from this side, though it' s possible some of the geo stuff isn' t playing well, haven' t done much with that myself. I would start debugging per Emnoc' s post. I' ve always used dots in my names as well, didn' t realize it was against convention.

netmin · ‎08-08-2014

While it may appear to work (for you), this statement:

Improper naming can cause problems that are hard to diagnose.

tells me to not even consider using different special characters, as results seem to be unpredictable.

emnoc · ‎08-08-2014

I don' t use " ." ( dots ) also but don' t think that' s the problem. What I do per fortinet BCP is, you don' t use or let me say you can' t uses certain characters; & Ampersand alligator mouth greater or lesser < > ' single or " double quotes These are typically XSS vulnerability characters, and depending on fortios version, it will warn you of such e.g The string contains XSS vulnerability characters I don' t believe a " dot " is a XSS vulnerability character. It' s been that way for ages iirc maybe Ede will shed some light and wisdom.

PCNSE

NSE

StrongSwan

netmin · ‎08-09-2014

It is not so much about XSS but rather to rule out an unknown variable. While speculative to a certain degree, comments in this forum, i.e. here, indicate that things can get messed up quickly. Just imagine what happened if the labels/names get truncated at illegal characters, under certain conditions, when the text configuration is compiled into the running config...you never known unless you have written the configuration parser.

ede_pfau · ‎08-09-2014

The docs clearly state that these characters are allowed: a-z A-Z 0-9 space - (minus) _ (underscore) There are input field where other chars are allowed (even [<>" ' ]) because it needs to be, e.g. LDAP names, or passwords. This has been in place since at least v3.00 and has (to my knowledge) not altered up to 5.0 and 5.2. Edit: While this may be the official intention we have seen a LOT of trouble if spaces are used in object names. Sometimes accepted by the GUI they are not handled well during runtime. I' d say there is a widespread agreement to avoid spaces in names altogether, just to not have to try and error if it works in a particular case or not.[/Edit] So in short: while " ." (dot) is not explicitely disallowed it is not allowed generally. Of course, in FQDN you will want to use it, and you can. BEST PRACTICE would be to stick to the allowed chars in naming. Be aware that different objects have length limitations as well! One quite funny would be the name of a phase 1 IPsec VPN in Interface Mode which is used as a Dial-In VPN. FortiOS will append " _<n>" for each concurrent tunnel, and so with 10 or 100+ tunnels you may cross the length limit for an interface (which is 16 chars). Those higher numbered tunnels will never connect... Lately with FOS 5.2 Fortinet has switched from static length identifiers to dynamically allocated names. Which may or may not be a good thing (every magic comes at a price). If available, one could have a look at the " Maximum Values" matrix for FOS 5.2 to see if object name length limits have changed as well.

Ede Kernel panic: Aiee, killing interrupt handler!

" deny" rule getting bypassed

Nominate a Forum Post for Knowledge Article Creation