Thursday, November 4, 2021

FortiGate Address Object and Firewall Policy

Create a Firewall Address Object

 

To create a new Firewall Address Object, go to Policy & Objects > Addresses > Create New > Address.

 

Notice there are Address Objects (IP Range/Subnets, FQDN, Address Group) created by default.

 

Type a Name: FG_LAN > leave the default Type: Subnet > type IP/Netmask: 172.16.1.0/24 (CIDR notation) > leave the default Interface: any > click OK.



Create a Firewall Policy and Source NAT

 

To create a new Firewall Policy, go to Policy & Objects > Firewall Policy > Create New.

 

Notice there's an Implicit Deny policy created by default.

Type a Name: FG_LAN_INTERNET > select Incoming Interface: port2 > select Outgoing Interface: port1.

Select Source: FG_LAN (Address Object created earlier) > select Destination: all > leave the default Schedule: always > select Service: all.



Leave the default Action: Accept > leave the default Inspection mode: Flow-based > leave NAT enabled (toggled) > leave the default: Use Outgoing Interface Address (port1: 192.168.1.160/24).

Skip the Security Profiles (Antivirus, Web Filter, etc.) for now > leave the default Log Allowed Traffic enabled (toggled) > select All Sessions (be careful about enabling this in production) > leave Enable this policy enabled (toggled) > click OK.

Note that FortiGate is a stateful firewall (it automatically allows the return traffic of an established session), so you only need one Firewall Policy that matches the direction of the traffic that initiates the session, i.e. from LAN to Internet.

You can also change the Firewall Policy view to: By Sequence.

I was able to ping Google DNS 8.8.8.8 and access fortinet.com from the Windows 7 VM (172.16.1.100/24) afterwards.

To view the logs, go to Policy & Objects > Firewall Policy > right-click on the newly created policy: FG_LAN_INTERNET > select Show Matching Logs.

It will automatically redirect to Log & Report > Forward Traffic.

 

Select a specific log > click Details to view Log Details.

 

 

Reorder a Firewall Policy
 

The FortiGate firewall looks for a matching policy from the top down. You should put specific policies at the top; otherwise the general policies will match the traffic first and the more granular policies will never be applied (they are overshadowed).

 

Create a Firewall Policy to deny ICMP to public DNS IP address 4.2.2.2 from source LAN subnet 172.16.1.0/24. Go to Policy & Objects > Firewall Policy > Create New.

Type Name: DENY_PING_DNS > select Incoming Interface: port2 > select Outgoing Interface: port1 > select Source: FG_LAN.

 

For the Destination, create an Address Object > click Create.

 

Click +Address to create a new address object.

Type a Name: PUBLIC_DNS > leave the default Type: Subnet > type IP/Netmask: 4.2.2.2/32 > click OK.

Select the newly created Destination Address Object: PUBLIC_DNS.

Select Service: ALL_ICMP > select Action: Deny > enable (toggled): Log Violation Traffic > click OK.

Notice the newly created Firewall Policy was placed after the FG_LAN_INTERNET policy.

 

Also note the Policy ID: 2 was assigned to this policy.

 

I can still ping 4.2.2.2 from the Windows 7 VM (172.16.1.100) since the traffic hit the first Firewall Policy.

You can verify the Firewall Policy hits by right-clicking on a specific Firewall Policy > Show Matching Logs.

 

Or go under Log & Report > Forward Traffic > select a specific log > click Details.

 

Notice that under Action the Policy ID shown is FG_LAN_INTERNET (1).

 


You can drag and drop the Firewall Policy to re-arrange its order. I placed/dragged Policy ID 2 (DENY_PING_DNS) on top.


Ping to 4.2.2.2 timed out but I can still ping 8.8.8.8 and access kb.fortinet.com.

I verified the Firewall Policy hits for Policy ID 2: DENY_PING_DNS.

 

Notice the Policy ID 2 remained the same even though it was placed on top.

 

Firewall Policy Lookup

The FortiGate can find a matching Firewall Policy based on the Policy Lookup criteria. The Policy Lookup feature simulates a packet flowing through the FortiGate without sending any real traffic (it is virtual). This is similar to the Cisco ASA packet-tracer feature. From the simulated packet flow, FortiGate extracts the matching policy ID and highlights it on the Firewall Policy GUI page.

 

To test the Policy Lookup criteria, go to Policy & Objects > Firewall Policy > Policy Lookup (with magnifying glass icon).

Select Incoming Interface: port2 (LAN) > leave the default IP Version: IPv4 (grayed out) > leave the default Protocol: IP.

Type Protocol Number: 80 (TCP web) > type Source: 172.16.1.100 (Windows 7 VM) > type Destination (FQDN): facebook.com > click Search.

It highlighted (in red) the Firewall Policy: FG_LAN_INTERNET to show which Firewall Policy the traffic would hit.

I tried another Policy Lookup for ICMP to 4.2.2.2 public DNS IP address.

It highlighted the first Firewall Policy: DENY_PING_DNS.

I re-ordered the Firewall Policy and put the FG_LAN_INTERNET policy on top.

I performed the Policy Lookup again for ICMP to 4.2.2.2 public DNS IP address.


It highlighted the topmost policy, which proved the FortiGate Firewall Policy list is checked from top to bottom.

To disable a Firewall Policy, right-click on a specific Firewall Policy: FG_LAN_INTERNET > Set Status > Disable.

Notice the top Firewall Policy: FG_LAN_INTERNET is grayed out, which means it's disabled.

I performed a Policy Lookup to Destination (FQDN): fortinet.com > click Search.

 

Notice a warning message was displayed and the Policy Lookup matched the Implicit Deny policy.
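To tie the reorder section and the Policy Lookup section together, here is a small model of the top-down, first-match evaluation that both rely on. It is an added example, not code from the original post or from Fortinet; it rebuilds the two policies and address objects above, and the packets and the documentation-range web address are constructed (the web host is assumed to egress port1 like any Internet destination).

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Address and service objects as named in the walkthrough above.
ADDRESSES = {"all": ip_network("0.0.0.0/0"),
             "FG_LAN": ip_network("172.16.1.0/24"),
             "PUBLIC_DNS": ip_network("4.2.2.2/32")}
SERVICES = {"ALL": None, "ALL_ICMP": {"icmp"}}  # None = any protocol

@dataclass(frozen=True)
class Policy:
    policy_id: int  # assigned at creation; unchanged when the policy is reordered
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str
    dstaddr: str
    service: str
    action: str
    status: str = "enable"

    def matches(self, pkt):
        """Enabled policy whose interfaces ('any' = all), addresses and service cover pkt."""
        if self.status != "enable":
            return False
        protos = SERVICES[self.service]
        return (self.srcintf in ("any", pkt["srcintf"])
                and self.dstintf in ("any", pkt["dstintf"])
                and ip_address(pkt["src"]) in ADDRESSES[self.srcaddr]
                and ip_address(pkt["dst"]) in ADDRESSES[self.dstaddr]
                and (protos is None or pkt["proto"] in protos))

IMPLICIT_DENY = Policy(0, "Implicit Deny", "any", "any", "all", "all", "ALL", "deny")
FG_LAN_INTERNET = Policy(1, "FG_LAN_INTERNET", "port2", "port1", "FG_LAN", "all", "ALL", "accept")
DENY_PING_DNS = Policy(2, "DENY_PING_DNS", "port2", "port1", "FG_LAN", "PUBLIC_DNS", "ALL_ICMP", "deny")

def policy_lookup(policies, pkt):
    """Top-down, first-match evaluation, as the GUI Policy Lookup simulates it;
    a packet that no enabled policy matches falls through to the implicit deny."""
    return next((p for p in policies if p.matches(pkt)), IMPLICIT_DENY)

# Constructed packets from the Windows 7 VM (web host is a documentation address, assumed to egress port1).
PING_DNS = {"srcintf": "port2", "dstintf": "port1", "src": "172.16.1.100", "dst": "4.2.2.2", "proto": "icmp"}
WEB = dict(PING_DNS, dst="198.51.100.10", proto="tcp")

if __name__ == "__main__":
    for order in ([FG_LAN_INTERNET, DENY_PING_DNS], [DENY_PING_DNS, FG_LAN_INTERNET]):
        print([p.name for p in order], "-> ping 4.2.2.2 hits", policy_lookup(order, PING_DNS).name)
    disabled = [DENY_PING_DNS, replace(FG_LAN_INTERNET, status="disable")]
    print("FG_LAN_INTERNET disabled -> web traffic hits", policy_lookup(disabled, WEB).name)
```

With the deny below the broad accept it is shadowed and never hit; moving it on top makes it match first, and disabling the accept policy sends the web traffic to the implicit deny, exactly as the GUI lookups above showed.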