Firewall
This chapter describes new firewall features added to FortiOS 5.4.
Multiple interfaces or ANY interface can be added to a firewall policy (288984)
This feature can be enabled or disabled in the GUI by going to the System > Feature Select page and toggling Multiple Interface Policies.
When selecting the Incoming or Outgoing interface of a policy, there are a few choices:
- The ANY interface (choosing this will remove all other interfaces)
- A single specific interface
- Multiple specific interfaces (can be added at the same time or one at a time)
The GUI is intuitive and straightforward on how to do this. Click on the "+" symbol in the interface field and then select the desired interfaces from the side menu. There are a couple of ways to do it in the CLI:
- Set the interfaces all at once:
config firewall policy
    edit 0
        set srcintf wan1 wan2
end
- Set the first interface and append additional ones:
config firewall policy
    edit 0
        set srcintf wan1
        append srcintf wan2
end
Multicast policy page changes (293709 305114)
The multicast policy GUI page has been updated to the new GUI look and feel. Some functionality has also been changed.
- The DNAT option has been removed from the GUI but is still available in the CLI. You can set the action to IPsec, and if you select Log Allowed Traffic you can also select a few logging options.
- The Multicast policy page loads faster.
Policy objects dialogs updated to new GUI style (354505)
To avoid confusion, the default value for "day" is no longer Sunday. In the GUI, none of the day options are selected.
Display change in Policy listing (284027)
Alias names for interfaces, if used, now appear in the headings of the Interface Pair View (formerly called the Section View).
RPC over HTTP traffic separate (288526)
How protocol options profiles and SSL inspection profiles handle RPC (Remote Procedure Calls) over HTTP traffic can now be configured separately from normal HTTP traffic.
CLI syntax changes:
config firewall profile-protocol-options
    edit 0
        set rpc-over-http {disable | enable}
end
config firewall ssl-ssh-profile
    edit deep-inspection
        set rpc-over-http {disable | enable}
end
Disable Server Response Inspection supported (274458)
The Disable Server Response Inspection (DSRI) option has been added to firewall policies (CLI only) to improve performance when only URL filtering is used, because it allows the system to ignore HTTP server responses.
CLI syntax for changing the status of the DSRI setting:
conf firewall policy|policy6
    edit NNN
        set dsri {enable | disable}
end
conf firewall interface-policy|interface-policy6
    edit NNN
        set dsri {enable | disable}
end
conf firewall sniffer
    edit NNN
        set dsri {enable | disable}
end
Policy counter improvements (277555 260743 172125)
- Implicit deny policy counter added
- first-hit time tracked for each policy
- "Hit count" is tracked for each policy (total number of new sessions since last reset)
- Most counters now persist across reboots
Bidirectional Forwarding Detection (BFD) (247622)
Bidirectional Forwarding Detection (BFD) protocol support has been added to Protocol Independent Multicast (PIM), to detect failures between forwarding engines.
TCP sessions can be created without TCP syn flag checking (236078)
A per-VDOM option is available to enable or disable the creation of TCP sessions without TCP SYN flag checking.
Mirroring of traffic decrypted by SSL inspection (275458)
This feature sends a copy of traffic decrypted by SSL inspection to one or more FortiGate interfaces so that it can be collected by a raw packet capture tool for archiving and analysis.
This feature is available only when the inspection mode is set to flow-based. Use the following command to enable this feature in a policy. The following command sends all traffic decrypted by the policy to the FortiGate port1 and port2 interfaces.
conf firewall policy
    edit 1
        set ssl-mirror enable
        set ssl-mirror-intf port1 port2
    next
end
Support for full cone NAT (269939)
Full cone NAT maps a public IP address and port to a LAN IP address and port. This means that a device on the Internet can send data to the internal LAN IP address and port number by directing it at the external IP address and port number. Sending to the correct IP address but a different port will cause the communication to fail. This type of NAT is also known as port forwarding.
Full cone NATing is configured only in the CLI. It is done by properly configuring an IP pool for the NATing of an external IP address. The two important settings are:
- set type - it must be set to port-block-allocation to use full cone NAT
- set permit-any-host - enabling it is what enables full cone NAT
An example of the IP pool configuration would be:
config firewall ippool
    edit "full_cone-pool1"
        set type port-block-allocation
        set startip 10.1.1.1
        set endip 10.1.1.1
        set permit-any-host enable
end
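The following Python model is an added example, not part of the FortiOS document: it shows the behaviour the text describes for one pool address (10.1.1.1, as in the configuration above) with permit-any-host enabled versus disabled. The internal host, peer addresses and port numbers are constructed values, and port-block allocation is reduced to a single mapped port.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int

@dataclass
class PortBlockPool:
    """Simplified model of one pool address with type port-block-allocation."""
    public_ip: str                 # the pool's startip/endip (10.1.1.1 in the document's example)
    permit_any_host: bool          # the setting that turns the mapping into a full cone
    # public port -> (internal endpoint, IP of the peer the internal host first talked to)
    table: Dict[int, Tuple[Endpoint, str]] = field(default_factory=dict)

    def outbound(self, internal: Endpoint, peer: Endpoint, public_port: int) -> Endpoint:
        """Bind public_ip:public_port to the internal host for a session towards peer."""
        entry = self.table.get(public_port)
        if entry is not None and entry[0] != internal:
            raise ValueError(f"public port {public_port} is already bound to {entry[0]}")
        self.table[public_port] = (internal, peer.ip)
        return Endpoint(self.public_ip, public_port)

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Translate a packet arriving from the Internet; None means it is dropped."""
        if dst.ip != self.public_ip:
            return None
        entry = self.table.get(dst.port)
        if entry is None:            # right address but an unmapped port: dropped
            return None
        internal, peer_ip = entry
        if not self.permit_any_host and src.ip != peer_ip:
            return None              # without permit-any-host only the original peer may reply
        return internal              # full cone: any Internet host may use the mapped port

def run(permit_any_host: bool) -> Tuple[bool, bool, bool]:
    """Constructed scenario: one outbound session, then three inbound packets."""
    pool = PortBlockPool("10.1.1.1", permit_any_host)
    host = Endpoint("192.168.1.50", 5060)       # constructed internal host
    peer = Endpoint("198.51.100.7", 5060)       # constructed original peer
    other = Endpoint("198.51.100.99", 4444)     # constructed unrelated Internet host
    public = pool.outbound(host, peer, 40000)
    return (
        pool.inbound(peer, public) == host,                          # original peer: always delivered
        pool.inbound(other, public) == host,                         # other host: only with permit-any-host
        pool.inbound(other, Endpoint(public.ip, 40001)) is None,     # same IP, wrong port: always dropped
    )
```

run(True) returns (True, True, True) while run(False) returns (True, False, True): only the middle case, an unrelated host reaching the mapped port, depends on permit-any-host.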
Enable or disable inspecting IPv4 and IPv6 ICMP traffic (258734)
There is now a system setting that determines whether ICMP traffic can pass through a FortiGate even if there is no existing session.
config system settings
    set asymroute-icmp enable
    set asymroute6-icmp enable
end
When the feature is enabled:
- ICMP or ICMPv6 reply traffic can pass through the firewall when no session exists (the asymmetric routing case).
When the feature is disabled:
- ICMP or ICMPv6 replies are prevented from passing through the firewall when no session exists.
Policy names (246575 269948 293048)
In addition to the Policy ID #, there is now a Policy name field in the policy settings. On upgrading to 5.4, policy names will not be assigned to old policies but when configuring new policies, a unique name must be assigned to it. Every policy name must be unique for the current VDOM regardless of policy type.
In the GUI, the field for the policy name is the first field on the editing page.
In the CLI, the syntax for assigning the policy name is:
config firewall [policy|policy6]
    edit <policy ID>
        set name <policy_name>
end
The feature can be turned on or off.
To turn it off in the CLI:
config system settings
    set gui-advance-policy [enable | disable]
end
To turn it off in the GUI, the ability to enable or disable it in the GUI must first be enabled in the CLI. It is disabled by default. The syntax is:
config system settings
    set gui-allow-unnamed-policy [enable | disable]
end
Once it has been enabled, the requirement for named policies can be relaxed by going to System > Feature Select. Allow Unnamed Policies can be found under Additional Features.
This setting is VDOM based so if you are running VDOMs you will have to enter the correct VDOM before entering the CLI commands or turning the feature on or off in the GUI.
Policy and route lookup (266996 222827)
The Policy Lookup button in the menu bar at the top of the IPv4 and IPv6 Policy pages is used to determine the policy that traffic with a particular set of parameters will use. Once the parameters are entered, the policy that the traffic will use is displayed.
The parameters are:
- Source Interface - select from a drop-down menu of available interfaces
- Protocol - select from a drop-down menu of:
    - IP
    - TCP
    - UDP
    - SCTP
    - [ICMP|ICMPv6]
    - [ICMP|ICMPv6] ping request
    - [ICMP|ICMPv6] ping reply
- Source - Source IP address
- Destination - Destination IP address
- Protocol Number - if Protocol = IP
- Source Port - if Protocol = TCP|UDP|SCTP
- Destination Port - if Protocol = TCP|UDP|SCTP
- ICMP Type - if Protocol = ICMPv6
- ICMP Code - if Protocol = ICMPv6
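The Python model below is an added example, not code from the FortiOS document: it performs a first-match policy lookup over a constructed policy set, using the multiple-interface and ANY-interface policies described earlier in this chapter and maintaining the hit count, first-hit time and implicit deny counter from the policy counter improvements. Policy names, interface names and the lookup parameters are constructed; only destination port is modelled as the service.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set
ANY = "any"   # the ANY interface: matches every interface

@dataclass
class Policy:
    id: int
    name: str                      # 5.4 requires a unique name per VDOM
    srcintf: Set[str]              # one or more interfaces, or {ANY}
    dstintf: Set[str]
    protocols: Set[str]            # e.g. {"tcp", "udp"}
    dstports: Optional[Set[int]] = None   # None = all ports
    hit_count: int = 0             # new sessions since last reset
    first_hit: Optional[float] = None
    def matches(self, srcintf: str, dstintf: str, proto: str, dport: int) -> bool:
        def intf_ok(allowed: Set[str], actual: str) -> bool:
            return ANY in allowed or actual in allowed
        return (intf_ok(self.srcintf, srcintf) and intf_ok(self.dstintf, dstintf)
                and proto in self.protocols
                and (self.dstports is None or dport in self.dstports))
@dataclass
class PolicyTable:
    policies: List[Policy]
    implicit_deny_hits: int = 0    # counter on the implicit deny policy
    def lookup(self, srcintf: str, dstintf: str, proto: str, dport: int, now: float) -> Optional[Policy]:
        """First-match lookup in policy order; None means the implicit deny policy applied."""
        for p in self.policies:
            if p.matches(srcintf, dstintf, proto, dport):
                p.hit_count += 1
                if p.first_hit is None:
                    p.first_hit = now
                return p
        self.implicit_deny_hits += 1
        return None

def demo():
    """Constructed policy set: one multi-interface policy and one ANY-interface policy."""
    table = PolicyTable([
        Policy(1, "wan-to-dmz-web", {"wan1", "wan2"}, {"dmz"}, {"tcp"}, {80, 443}),
        Policy(2, "lan-out", {"lan"}, {ANY}, {"tcp", "udp", "icmp"}),
    ])
    hits = [
        table.lookup("wan2", "dmz", "tcp", 443, now=1.0),   # policy 1, via its second interface
        table.lookup("wan1", "dmz", "tcp", 22, now=2.0),    # no match: implicit deny
        table.lookup("lan", "wan1", "udp", 53, now=3.0),    # policy 2, via ANY
        table.lookup("wan1", "dmz", "tcp", 80, now=4.0),    # policy 1 again: hit count 2, first hit unchanged
    ]
    p1 = table.policies[0]
    return [h.id if h else None for h in hits], table.implicit_deny_hits, p1.hit_count, p1.first_hit
```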
Support NAT 64 CLAT (244986)
NAT64 CLAT traffic is now supported by the FortiGate. CLAT traffic comes from devices that use a SIIT translator as part of IPv6-to-IPv4 NAT translation.
VIPs can contain FQDNs (268876)
Instead of mapping to an IP address, a VIP can use a Fully Qualified Domain Name (FQDN). This has to be configured in the CLI, and the FQDN must be an address object that is already configured in the address list.
The syntax for using an FQDN is as follows:
config firewall vip
    edit <VIP id>
        set type fqdn
        set mapped-addr <FQDN address object>
end
Access Control Lists (ACLs) (293399)
The access control list (ACL) feature allows you to deny IPv4 or IPv6 packets received at an NP6-accelerated interface based on source and destination address and service. If you add an access control policy to an interface, ACL checking is one of the first things that happens to the packet and checking is done by the NP6 processor. The result is very efficient protection that does not use CPU or memory resources.
In the GUI, the feature can be found at Policy & Objects > IPv4 Access Control List and Policy & Objects > IPv6 Access Control List.
To add an IPv4 ACL through the CLI use the following syntax:
config firewall acl
    edit <acl Policy ID #>
        set status enable
        set interface <interface>
        set srcaddr <address object>
        set dstaddr <address object>
        set service <service object>
    next
end
To add an IPv6 ACL through the CLI use the following syntax:
config firewall acl6
    edit <acl Policy ID #>
        set status enable
        set interface <interface>
        set srcaddr <address object>
        set dstaddr <address object>
        set service <service object>
    next
end
GUI improvement for DoS Policy configuration (286905)
The user can now set the Action, whether Pass or Block, for all of the anomalies in a list at once when configuring a DoS policy. Just choose the desired option in the heading at the top of the column.
Expired Policy Object warnings (259338)
The Policy window indicates when a policy has become invalid due to its schedule parameters referring only to times in the past.