Firewall

This chapter describes new firewall features added to FortiOS 5.4.

Multiple interfaces or ANY interface can be added to a firewall policy (288984)

This feature can be enabled or disabled in the GUI by going to the System > Feature Select page and toggling Multiple Interface Policies.

When selecting the Incoming or Outgoing interface of a policy, there are a few choices:

  • The ANY interface (choosing this will remove all other interfaces)
  • A single specific interface
  • Multiple specific interfaces (added all at once or one at a time)

In the GUI, click the "+" symbol in the interface field and select the desired interfaces from the side menu. There are two ways to do it in the CLI:

  1. Set the interfaces all at once:

config firewall policy
edit 0
set srcintf wan1 wan2
end

  2. Set the first interface and append additional ones:

config firewall policy
edit 0
set srcintf wan1
append srcintf wan2
end

Multicast policy page changes (293709 305114)

The multicast policy GUI page has been updated to the new GUI look and feel, and some functionality has changed:

  • The DNAT option has been removed from the GUI but is still available in the CLI.
  • The policy action can be set to IPsec.
  • If Log Allowed Traffic is selected, additional logging options can be chosen.
  • The Multicast policy page loads faster.

Policy objects dialogs updated to new GUI style (354505)

To avoid confusion, the default value of the "day" field in recurring schedule objects is no longer Sunday. In the GUI, none of the day options is selected until you choose one.

Display change in Policy listing (284027)

Interface alias names, if configured, now appear in the headings of the Interface Pair View (formerly called the Section View).

RPC over HTTP traffic separate (288526)

How protocol options profiles and SSL inspection profiles handle RPC (Remote Procedure Call) over HTTP traffic can now be configured separately from normal HTTP traffic.

CLI syntax changes:

config firewall profile-protocol-options
edit <profile name>
set rpc-over-http {disable | enable}
end

config firewall ssl-ssh-profile
edit deep-inspection
set rpc-over-http {disable | enable}
end

Disable Server Response Inspection supported (274458)

The Disable Server Response Inspection (DSRI) option has been added to firewall policies (CLI only). It improves performance when a policy only needs URL filtering, because the FortiGate then ignores the HTTP server's responses and inspects only the client's requests. Enable it only where that is acceptable: any inspection that depends on response content will not see the responses while DSRI is enabled.

CLI syntax for changing the status of the DSRI setting:

config firewall policy|policy6
edit <policy ID>
set dsri {enable | disable}
end

config firewall interface-policy|interface-policy6
edit <policy ID>
set dsri {enable | disable}
end

config firewall sniffer
edit <sniffer ID>
set dsri {enable | disable}
end

Policy counter improvements (277555 260743 172125)

  • implicit deny policy counter added
  • first-hit time tracked for each policy
  • "Hit count" is tracked for each policy (total number of new sessions since last reset)
  • Most counters now persist across reboots

Bidirectional Forwarding Detection (BFD) (247622)

Bidirectional Forwarding Detection (BFD) protocol support has been added to Protocol Independent Multicast (PIM), to detect failures between forwarding engines.

TCP sessions can be created without TCP SYN flag checking (236078)

A per-VDOM option (config system settings, set tcp-session-without-syn) enables or disables the creation of TCP sessions without TCP SYN flag checking. Allowing sessions to be created from packets that lack a SYN accommodates asymmetric routing, but it weakens the stateful check that every TCP session begins with a handshake, so leave it disabled unless the network requires it.

Mirroring of traffic decrypted by SSL inspection (275458)

This feature sends a copy of traffic decrypted by SSL inspection to one or more FortiGate interfaces so that it can be collected by a raw packet capture tool for archiving and analysis.

The feature is available when the inspection mode is set to flow-based. Use the following command to enable it in a policy (set ssl-mirror disable turns it off again). The example sends all traffic decrypted by policy 1 to the FortiGate port1 and port2 interfaces. Because the mirrored copy is the decrypted plaintext, the mirror interfaces should connect only to the capture system, on an isolated segment.

config firewall policy
edit 1
set ssl-mirror enable
set ssl-mirror-intf port1 port2
next
end

Support for full cone NAT (269939)

Full cone NAT maps a public IP address and port to a LAN IP address and port. Once the mapping exists, any device on the Internet can send data to the internal LAN IP address and port number by directing it at the external IP address and port number, not only the host that the internal device originally contacted. Sending to the correct IP address but a different port will cause the communication to fail. This type of NAT is often compared to static port forwarding. Because it accepts traffic from any external host through the mapping, enable it only for applications that require it.

Full cone NAT is configured only in the CLI, by configuring the IP pool used for NATing to an external IP address. The two important settings are:

  • set type - must be set to port-block-allocation to use full cone NAT
  • set permit-any-host - enabling it is what enables full cone NAT

An example of the IP pool configuration:

config firewall ippool
edit "full_cone-pool1"
set type port-block-allocation
set startip 10.1.1.1
set endip 10.1.1.1
set permit-any-host enable
end
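The following is an added example, not FortiOS code or anything from the page: a toy translator that contrasts full cone NAT (the behaviour permit-any-host enables) with the restricted behaviour a NAT has without it. The restricted mode is modelled as port-restricted, which is an assumption made for illustration; the class and function names (ToyNat, run_scenario), the inside and outside addresses, and the flows are all constructed. It shows that, once an inside host has opened a mapping, full cone admits any outside host through the mapped external IP:port, the restricted NAT admits only endpoints the inside host already contacted, and a packet to the right external IP but the wrong port fails in both cases.

```python
"""Added example, not FortiOS code: a toy translator contrasting full cone NAT
(the behaviour permit-any-host enables) with a restricted NAT, modelled here as
port-restricted (an assumption for illustration). Addresses, ports and flows
are constructed; 10.1.1.1 is the pool address used in the page's example."""
from dataclasses import dataclass, field


@dataclass
class Mapping:
    ext_port: int
    peers: set = field(default_factory=set)   # outside endpoints contacted via this mapping


class ToyNat:
    def __init__(self, ext_ip, permit_any_host, first_port=10000):
        self.ext_ip = ext_ip
        self.permit_any_host = permit_any_host   # True models full cone NAT
        self.next_port = first_port              # next external port to allocate
        self.by_inside = {}                      # (in_ip, in_port) -> Mapping
        self.by_ext_port = {}                    # ext_port -> (in_ip, in_port)

    def outbound(self, in_ip, in_port, dst_ip, dst_port):
        """Inside -> outside packet: create or reuse the mapping and return the
        translated (external IP, external port) the packet leaves with."""
        key = (in_ip, in_port)
        mapping = self.by_inside.get(key)
        if mapping is None:
            mapping = Mapping(self.next_port)
            self.next_port += 1
            self.by_inside[key] = mapping
            self.by_ext_port[mapping.ext_port] = key
        mapping.peers.add((dst_ip, dst_port))
        return (self.ext_ip, mapping.ext_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Outside -> inside packet: return the inside (ip, port) it is delivered
        to, or None if the NAT drops it."""
        if dst_ip != self.ext_ip or dst_port not in self.by_ext_port:
            return None                          # wrong address/port or no mapping
        key = self.by_ext_port[dst_port]
        if self.permit_any_host:                 # full cone: any sender may use it
            return key
        if (src_ip, src_port) in self.by_inside[key].peers:   # restricted: known peers only
            return key
        return None


def run_scenario(permit_any_host):
    """Inside host 192.168.1.50:5060 contacts 198.51.100.20:5060; then the peer
    replies, an unrelated third party 192.0.2.99 tries the mapping, and the peer
    tries the right external address on the wrong port."""
    nat = ToyNat("10.1.1.1", permit_any_host)
    ext_ip, ext_port = nat.outbound("192.168.1.50", 5060, "198.51.100.20", 5060)
    return {
        "mapping": (ext_ip, ext_port),
        "peer_reply": nat.inbound("198.51.100.20", 5060, ext_ip, ext_port),
        "third_party": nat.inbound("192.0.2.99", 40000, ext_ip, ext_port),
        "wrong_port": nat.inbound("198.51.100.20", 5060, ext_ip, ext_port + 1),
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("permit-any-host", "enable" if mode else "disable", run_scenario(mode))
```

Running it prints the two result dictionaries: with permit-any-host enabled the third party's packet is delivered to 192.168.1.50:5060; with it disabled the same packet is dropped, while the contacted peer's reply is delivered in both modes.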

Enable or disable inspecting IPv4 and IPv6 ICMP traffic (258734)

There is now a system setting that determines whether ICMP reply traffic can pass through a FortiGate even when there is no existing session for it.

config system settings
set asymroute-icmp enable
set asymroute6-icmp enable
end

When the feature is enabled:

  • ICMP or ICMPv6 reply traffic can pass through the firewall when no session exists (the asymmetric routing case).

When the feature is disabled:

  • ICMP or ICMPv6 replies are prevented from passing through the firewall when no session exists.

Because enabling it lets unsolicited ICMP replies through, leave it disabled unless asymmetric routing makes it necessary.

Policy names (246575 269948 293048)

In addition to the policy ID number, there is now a policy name field in the policy settings. On upgrading to 5.4, names are not assigned to existing policies, but a unique name must be assigned to each new policy. Every policy name must be unique within the current VDOM regardless of policy type.

In the GUI, the policy name is the first field on the editing page.

In the CLI, the syntax for assigning the policy name is:

config firewall policy|policy6
edit <policy ID>
set name <policy_name>
end

The requirement can be turned on or off.

To turn it off in the CLI:

config system settings
set gui-advanced-policy {enable | disable}
end

To turn it off in the GUI, the option to do so must first be exposed with the following CLI setting, which is disabled by default:

config system settings
set gui-allow-unnamed-policy {enable | disable}
end

Once it has been enabled, the requirement for named policies can be relaxed by going to System > Feature Select; Allow Unnamed Policies is found under Additional Features.

This setting is per-VDOM, so if you are running VDOMs you must enter the correct VDOM before entering the CLI commands or turning the feature on or off in the GUI.

Policy and route lookup (266996 222827)

The Policy Lookup button in the menu bar at the top of the IPv4 and IPv6 Policy pages determines which policy traffic with a particular set of parameters will use. Once the parameters are entered, the matching policy is displayed.

The parameters are:

  • Source Interface - select from a drop-down menu of available interfaces
  • Protocol - select from a drop-down menu of:
      • IP
      • TCP
      • UDP
      • SCTP
      • [ICMP|ICMPv6]
      • [ICMP|ICMPv6] ping request
      • [ICMP|ICMPv6] ping reply
  • Source - source IP address
  • Destination - destination IP address
  • Protocol Number - if Protocol = IP
  • Source Port - if Protocol = TCP|UDP|SCTP
  • Destination Port - if Protocol = TCP|UDP|SCTP
  • ICMP Type - if Protocol = [ICMP|ICMPv6]
  • ICMP Code - if Protocol = [ICMP|ICMPv6]
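The following is an added example, not FortiOS code or anything from the page: a minimal model of what the Policy Lookup above resolves, which also exercises the multiple-interface policies described at the start of this chapter and the implicit deny counter. It performs a longest-prefix route lookup to find the destination interface, then a first-match walk of the policy list on source interface (one interface, several, or "any"), destination interface, addresses and service, counting hits per policy and on the implicit deny. The class and function names (Policy, PolicyTable, build_demo_table), the interface names, prefixes, routes and policies are all constructed for illustration.

```python
"""Added example, not FortiOS code: a minimal model of route lookup followed by
first-match policy lookup, i.e. what the Policy Lookup button answers. Interface
names, prefixes, routes and policies are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_NET = (ip_network("0.0.0.0/0"),)   # stands in for the "all" address object


@dataclass
class Policy:
    policyid: int
    name: str
    srcintf: frozenset                 # e.g. {"wan1", "wan2"} or {"any"}
    dstintf: frozenset
    srcaddr: tuple = ANY_NET           # tuple of ip_network
    dstaddr: tuple = ANY_NET
    service: tuple = (("ip", None),)   # (proto, dport); ("ip", None) means ALL
    action: str = "accept"
    hits: int = 0                      # sessions matched since last counter reset


class PolicyTable:
    def __init__(self, policies, routes):
        self.policies = list(policies)
        # routing table as (prefix, egress interface); longest prefix wins
        self.routes = sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)
        self.implicit_deny = Policy(0, "Implicit Deny", frozenset({"any"}),
                                    frozenset({"any"}), action="deny")

    def route(self, dst):
        """Return the egress interface for dst, or None if there is no route."""
        dst = ip_address(dst)
        for prefix, intf in self.routes:
            if dst in prefix:
                return intf
        return None

    @staticmethod
    def _intf_match(allowed, intf):
        return "any" in allowed or intf in allowed

    @staticmethod
    def _addr_match(nets, addr):
        addr = ip_address(addr)
        return any(addr in net for net in nets)

    @staticmethod
    def _service_match(services, proto, dport):
        return any(p == "ip" or (p == proto and port in (None, dport))
                   for p, port in services)

    def lookup(self, srcintf, src, dst, proto, dport=None):
        """First-match policy lookup; None means no route (dropped before policy)."""
        dstintf = self.route(dst)
        if dstintf is None:
            return None
        for pol in self.policies:
            if (self._intf_match(pol.srcintf, srcintf)
                    and self._intf_match(pol.dstintf, dstintf)
                    and self._addr_match(pol.srcaddr, src)
                    and self._addr_match(pol.dstaddr, dst)
                    and self._service_match(pol.service, proto, dport)):
                pol.hits += 1
                return pol
        self.implicit_deny.hits += 1
        return self.implicit_deny


def build_demo_table():
    """Constructed policy set: two explicit policies ahead of the implicit deny."""
    dmz_web = Policy(1, "wan-to-dmz-web", frozenset({"wan1", "wan2"}),
                     frozenset({"dmz"}), dstaddr=(ip_network("10.10.10.0/24"),),
                     service=(("tcp", 443),))
    lan_out = Policy(2, "lan-outbound", frozenset({"lan"}), frozenset({"any"}),
                     srcaddr=(ip_network("192.168.1.0/24"),))
    routes = [(ip_network("10.10.10.0/24"), "dmz"),
              (ip_network("192.168.1.0/24"), "lan"),
              (ip_network("0.0.0.0/0"), "wan1")]
    return PolicyTable([dmz_web, lan_out], routes)


if __name__ == "__main__":
    table = build_demo_table()
    for flow in [("wan2", "203.0.113.5", "10.10.10.8", "tcp", 443),
                 ("wan2", "203.0.113.5", "10.10.10.8", "tcp", 80),
                 ("lan", "192.168.1.10", "198.51.100.7", "udp", 53),
                 ("wan1", "203.0.113.5", "192.168.1.10", "tcp", 443)]:
        pol = table.lookup(*flow)
        print(flow, "->", pol.name, pol.action)
    print("implicit deny hits:", table.implicit_deny.hits)
```

The first flow arrives on wan2 and still matches the policy whose source interface is the pair wan1/wan2; the same flow on port 80 matches nothing and is counted against the implicit deny, which is the counter the policy list now displays.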

 

Support NAT64 CLAT (244986)

NAT64 CLAT traffic is now supported by the FortiGate. CLAT (customer-side translator) traffic comes from devices that use stateless IP/ICMP translation (SIIT) to carry IPv4 traffic across an IPv6-only network as part of NAT64 translation between IPv6 and IPv4.

VIPs can contain FQDNs (268876)

Instead of mapping to an IP address, a VIP can map to a Fully Qualified Domain Name. This must be configured in the CLI, and the FQDN must be an address object that already exists in the address listing. Since the mapped address is then resolved through DNS, the DNS servers the FortiGate uses become part of the trust boundary for that VIP.

The syntax for using an FQDN is as follows:

config firewall vip
edit <VIP name>
set type fqdn
set mapped-addr <FQDN address object>
end

Access Control Lists (ACLs) (293399)

The access control list (ACL) feature allows you to deny IPv4 or IPv6 packets received on an NP6-accelerated interface based on source address, destination address and service. If you add an ACL policy to an interface, ACL checking is one of the first things that happens to the packet, and the check is done by the NP6 processor. The result is very efficient filtering that does not consume CPU or memory resources. ACLs only deny; packets they do not match continue to the normal firewall policy lookup.

In the GUI, the feature can be found at Policy & Objects > IPv4 Access Control List and Policy & Objects > IPv6 Access Control List.

To add an IPv4 ACL through the CLI use the following syntax:

config firewall acl
edit <ACL policy ID>
set status enable
set interface <interface>
set srcaddr <address object>
set dstaddr <address object>
set service <service object>
next
end

To add an IPv6 ACL through the CLI use the following syntax:

config firewall acl6
edit <ACL policy ID>
set status enable
set interface <interface>
set srcaddr <address object>
set dstaddr <address object>
set service <service object>
next
end

GUI improvement for DoS Policy configuration (286905)

The Action, Pass or Block, can now be set for all of the anomalies in the list at once when configuring a DoS policy: choose the desired option in the heading at the top of the column.

Expired Policy Object warnings (259338)

The Policy window indicates when a policy has become invalid because its schedule refers only to times in the past; such a policy no longer matches any traffic.