Jonathan_Body_FTNT
Article Id 190422

Description

This article explains how to stop multiple internal subnets from sending unencrypted data across the network when an IPSec tunnel fails.


Scope

FortiOS v3.0 All patches, FortiOS v4.0, FortiOS v4.0 MR1, FortiOS v4.0 MR2, FortiOS v4.0 MR3


Solution

When an IPSec interface goes down there is a risk that traffic destined for the tunnel leaves the protected network unencrypted, in the clear.

In FortiOS v3.0 and v4.0 GA (all patches), deny firewall policies can be created to prevent unencrypted traffic from leaving the FortiGate on an external interface.

However, if there are multiple remote networks, the issue can be prevented at the session level by using the following steps.

1.  Create a firewall address for each remote network.

2.  Create a firewall group to gather all these remote networks.

3.  Create a deny firewall policy.  This policy blocks internal traffic from leaving the FortiGate on the external interface when that traffic should have been sent through the IPSec tunnel.
    srcint=internal
    dstint=external
    srcaddr=all
    dstaddr="TheGroup"
    service=any
    action=deny
"TheGroup" refers to the firewall address group created in step 2.

4.  Place this policy at the top of the (internal->external) policy list if there are no encrypt policies, or directly below the last encrypt policy if such policies exist, so that tunnel traffic is still matched by the encrypt policies first and only the fallback to clear text is denied.
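The four steps above, written as FortiOS v4.0 CLI (an added example, not part of the original article). The interface name "wan1", the two remote subnets and the policy ID 10 are assumed values; replace them with the names and networks of the deployment, and check the ID of the last encrypt policy before running the final move command.

```text
# Step 1: one firewall address per remote network (subnets are constructed examples)
config firewall address
    edit "RemoteNet_A"
        set subnet 10.1.0.0 255.255.255.0
    next
    edit "RemoteNet_B"
        set subnet 10.2.0.0 255.255.255.0
    next
end

# Step 2: gather all remote networks in one address group
config firewall addrgrp
    edit "TheGroup"
        set member "RemoteNet_A" "RemoteNet_B"
    next
end

# Step 3: deny internal -> external traffic whose destination is a remote network,
# so it cannot leave in the clear when the tunnel is down (ID 10 is assumed)
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "TheGroup"
        set action deny
        set schedule "always"
        set service "ANY"
        set logtraffic enable
    next
end

# Step 4: order the policy. With no encrypt policies, move it to the top of the
# internal -> external list; with encrypt policies, place it just after the last one
# (replace <last-encrypt-policy-id> with the real ID from "show firewall policy").
config firewall policy
    move 10 after <last-encrypt-policy-id>
end
```

Logging on the deny policy is an addition beyond the article's steps: each hit on policy 10 is a sign that the tunnel is down and a host tried to reach a remote network without encryption, which is worth alerting on.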



Related Articles

Technical Note : FortiGate to Juniper SSG VPN