FortiGate
tsimeonov_FTNT
Article Id 195658

Description
In FortiOS v5.0, when 'Skip this policy for unauthenticated users' is disabled, all possible destinations for traffic originating from the SAME source IP should be referenced inside the SAME firewall policy.

In the following configuration, firewall policy ID 3 will never be used.

[Screenshot: original firewall policy configuration with multiple destinations (Tsvetan_50Guest2_multiple_dst.jpg)]


In this scenario, all user traffic from the same source interface and address space will match policy ID 7; if the destination is not 1.1.1.1, the traffic will be dropped. No traffic will ever match policy ID 3, which sits below it.

Flow information:
filters=[host  192.168.1.205 and port 80]
id=13 trace_id=1 func=print_pkt_detail line=4307 msg="vd-root received a packet(proto=6, 192.168.1.205:50355->204.79.197.203:80) from port2. flag [S], seq 1547655617, ack 0, win 65535"
id=13 trace_id=1 func=init_ip_session_common line=4463 msg="allocate a new session-00008a8c"
id=13 trace_id=1 func=vf_ip4_route_input line=1605 msg="find a route: flags=00000000 gw-172.17.97.254 via port1"
id=13 trace_id=1 func=fw_forward_handler line=537 msg="Denied by forward policy check (policy 7)"



Solution
In order for the policies to work properly, policy ID 7.1 (sequence 5.1) has to be merged into policy ID 3 (sequence 6). The modified configuration is shown below.

[Screenshot: modified firewall policy configuration with the destinations merged into policy 3 (Tsvetan_50Guest3_multiple_dst.jpg)]

With these changes, the traffic to 1.1.1.1 follows rule 3.3 (seq: 5.3):

session info: proto=6 proto_state=11 duration=2 expire=3597 timeout=3600 flags=00000000 sockflag=00000000 sockport=80 user=guest group=FSSO_Guest_Users state=redir log local may_dirty ndr authed acct-ext
statistic(bytes/packets/allow_err): org=185/3/1 reply=92/2/1 tuples=3
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=172.17.97.254/192.168.1.206
hook=post dir=org act=snat 192.168.1.206:49350->1.1.1.1:80(172.17.97.180:49350)
hook=pre dir=reply act=dnat 1.1.1.1:80->172.17.97.180:49350(192.168.1.206:49350)
hook=post dir=reply act=noop 1.1.1.1:80->192.168.1.206:49350(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=3 id_policy_id=3 auth_info=4294967295 chk_client_info=0 vd=0
serial=000083ed tos=ff/ff ips_view=4 app_list=2000 app=0
dd_type=0 dd_mode=0
per_ip_bandwidth meter: addr=192.168.1.206, bps=350

The rest of the unauthenticated traffic will be matched against the next identity-based rule, ID 3.4 (sequence 5.4):

session info: proto=6 proto_state=11 duration=3 expire=3598 timeout=3600 flags=00000010 sockflag=00000000 sockport=80 user=guest group=FSSO_Guest_Users state=redir log local may_dirty ndr authed acct-ext
statistic(bytes/packets/allow_err): org=1201/8/1 reply=2966/5/1 tuples=3
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=172.17.97.254/192.168.1.206
hook=post dir=org act=snat 192.168.1.206:49333->174.129.208.32:80(172.17.97.180:49333)
hook=pre dir=reply act=dnat 174.129.208.32:80->172.17.97.180:49333(192.168.1.206:49333)
hook=post dir=reply act=noop 174.129.208.32:80->192.168.1.206:49333(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=3 id_policy_id=4 auth_info=4294967295 chk_client_info=0 vd=0
serial=00007bd9 tos=ff/ff ips_view=5 app_list=2000 app=8001
dd_type=0 dd_mode=0
per_ip_bandwidth meter: addr=192.168.1.206, bps=11125
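The matching behaviour described above (first policy whose source matches wins; an identity-based policy with no matching sub-rule denies instead of falling through) can be modelled to check a policy table before deploying it. The following is an added example, not FortiOS code; the 192.168.1.0/24 source subnet and the destination addresses are constructed from the IPs seen in the article's traces:

```python
# Model of FortiOS 5.0 identity-based policy matching as described in the
# article: the first policy whose source interface/address matches is selected;
# if that policy has identity sub-rules and none matches the destination, the
# packet is denied and never falls through to the policies below.
# Constructed example, not FortiOS code; policy/sub-rule IDs follow the article.
from ipaddress import ip_address, ip_network

def _in(net, addr):
    """True if addr is inside net ('all' matches everything)."""
    return net == "all" or ip_address(addr) in ip_network(net)

def evaluate(policies, srcintf, src, dst):
    """Return (policy_id, sub_rule_id, action) for the first matching policy."""
    for pol in policies:
        if pol["srcintf"] != srcintf or not _in(pol["srcaddr"], src):
            continue
        for sub in pol["identity_rules"]:  # evaluated in order within the policy
            if _in(sub["dstaddr"], dst):
                return pol["id"], sub["id"], sub["action"]
        return pol["id"], None, "deny"   # policy matched, no sub-rule did: deny
    return None, None, "deny"            # implicit deny at the end of the table

# Before: policy 7 (dst 1.1.1.1 only) sits above policy 3 (any destination).
# Source subnet 192.168.1.0/24 is an assumption based on the traced hosts.
BEFORE = [
    {"id": 7, "srcintf": "port2", "srcaddr": "192.168.1.0/24",
     "identity_rules": [{"id": 1, "dstaddr": "1.1.1.1/32", "action": "accept"}]},
    {"id": 3, "srcintf": "port2", "srcaddr": "192.168.1.0/24",
     "identity_rules": [{"id": 4, "dstaddr": "all", "action": "accept"}]},
]
# After: the 1.1.1.1 rule is merged into policy 3 as sub-rule 3.3, ahead of 3.4.
AFTER = [
    {"id": 3, "srcintf": "port2", "srcaddr": "192.168.1.0/24",
     "identity_rules": [{"id": 3, "dstaddr": "1.1.1.1/32", "action": "accept"},
                        {"id": 4, "dstaddr": "all", "action": "accept"}]},
]

if __name__ == "__main__":
    for name, pols in (("before", BEFORE), ("after", AFTER)):
        for dst in ("1.1.1.1", "204.79.197.203"):
            print(name, dst, evaluate(pols, "port2", "192.168.1.205", dst))
```

The "before" table returns `(7, None, 'deny')` for 204.79.197.203, matching the `Denied by forward policy check (policy 7)` trace, while the "after" table yields `policy_id=3` with sub-rule 3 or 4 as in the session output.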

