Se maskinöversättning på 

Manage Firewall Rules – Fortigate

Description

This document describes basic thoughts and guidelines on how to work with the ruleset of our Fortigate firewalls.

Prerequisites

A browser that allows pop-ups from FMG.
 

Object definition

There are two types of the objects described below, "normal" and Global ones. The Global objects are used to form global policies that span over multiple virtual domains within the Fortigate units. These objects are all prepended with a 'g' in their name. For each virtual domain the "normal" objects are defined as per below and are the most common ones in daily operations.

Normal objects are defined per virtual domain and thus need to be recreated as needed into new domains when these are added.

The lower left of the GUI presents the panel where different objects are created:

C:\a92d72a5911d5f7c63eaff4838534f02
 

Single hosts

Individual host objects are defined as in the image below. The netmask /255.255.255.255 will be applied automatically if not supplied upon creation, only the IP-address needs to be entered for individual hosts.
C:\74e191f917823e07c48d7f16ee9e5b26 
 

Object groups

Groups are used to provide ease of use when adding or removing servers with a common purpose, e.g. exchange servers and to keep a tidier rule set.
C:\9cf74b6be0afc2b3fbe5d89feb535ad5 
 

Network objects

Network objects define a subnet with a range of IP-addresses. The netmask is provided in the name with _XX to help identify the network object when defining rules in case of objects overlapping each other in range.
C:\e3a973aee0ce618dc45a47ba0ffc1db8 
 

Service objects

Service objects define a range of ports and/or protocols that can be used when defining which traffic should reach a host. These objects can either be defined with several ranges in the same object or by grouping individual objects into a Service group. The proper choice as to what to use has to be evaluated at the time of setup, each has its pros and cons.

C:\02653586391bd3a2debe2a7685663f51

C:\d2c0b03174f4561a81dcc55aaae16bbb
 

Rule definition

Rules are grouped in sections by which destination network a host is part of. For each section there usually exists a number of group-rules for easy access. Below these "normal" host-access rules follow in ascending order when looking at the last octet of the IP-address.
The sections grouping rules together are only of cosmetic value - they do not add any kind of logical separation of rules. Thus a defined "any-rule" for example will still affect the whole rule set below it.

C:\3d7ba19d6975d495dbb313bdb3f9dfe4
 

Adding new rules

  • Navigate to https://firewall-prod-fmg.it.su.se and log on with your TACACS-credentials.
  • Click on "Policy & Objects".
  • To be able to add new rules a lock on the affected adom/vdom needs to be aquired. Simply click the open lock and the screen will refresh and the lock close.

C:\fed2e12abf8ebb4c126c42561234c87f
 

  • Find where you wish to add the rule, right-click the rule indexes to the left and choose Insert Policy->Above/Below.

C:\82ad516aeda296ab44a578c2bf71234b
 

  • A new rule with Any/Any Deny will be added where you specified.

C:\331e21b116375bd895ea8f113a23e375
 

  • Right-click the rule's index number and choose Edit or drag-and-drop objects into the rule to get the desired setup. We currently log all traffic for trouble-shooting purposes and general visibility.

C:\96d43272d181ac54a24610f9487f10e7
 

  • With the changes in place save your changes with the Floppy-button.

C:\9fd2bfa16df434bcaaad2b047063a69f
 

  • To install the changes on the firewall, right-click the Policy Package and choose Install.

C:\6da573c9982042f49168e223e2a1cd51
 

  • The installation wizard will be presented. The correct policy package to be installed is pre-selected. Enter a short comment to describe the change being done. If it is a large change that might have severe implications for the operability of the affected adom/vdom it is a good idea to create a separate revision to enable a faster rollback in case of errors in the config. For smaller rule changes this is seldom necessary and can be avoided, if so, simply uncheck the checkbox.

C:\9f24fc01b1880b0754110572cdcba1dc
 

  • The installation target is pre-selected, just press Next

C:\d3c52a3a4d37717f836cd6df1b56db69
 

  • The configuration goes through a preliminary validation check and presents the option to preview the changes and commands that will be installed on the Fortigates. If unsure, review the changes to make sure no extra commands that might affect operations have slunk into the revision. Press Next.

C:\25eab8205e99698e2fc9d07cf4464557
 

  • Installation is performed, one can follow the installation procedure by reloading the popup which is spawned using the terminal icon under History while the installation processes.

C:\1bb30ca1e369c7a9df29ce439b5263a4
 

  • Unlock the adom/vdom again to allow another administrator to make changes if necessary. The lock will also be removed if you log out of the FortiManager.
     

Removing objects and rules

Removing rules

  • To remove a rule, simply lock the ADOM as in Adding new rules. Then locate your rule and right-click the desired rule and select Delete:

C:\c296f72518e886dc3bc489c14484491f
 

  • Install the changes with the wizard.
     

Removing objects

  • When removing single host objects it's very important to make sure that it is not in use in any rules before removal. If the object is the last referenced object in a cell and it is removed the cell in the rule will be changed to ANY and an unintended whole in the rule-set is opened.
    To remedy this, locate your object in the Firewall Objects->Address section, right-click it and select Where Used.

C:\cee108946ccc92116495d83eaa2f03cd

  • A list will be presented on all the references (e.g. groups and rules) and from there you can by double-clicking go to each reference and delete the object. It is recommended to start with any groups as that will likely remove a large chunk of rule references as well.

C:\17ee8f6818c1e3aa9a2de839f3dabc28

  • When done, save and install using the Install Wizard as usual.

254Visningar
0
© ComAround Scandinavia AB 2000 - 2020 Med ensamrätt

Hjälpte den här artikeln dig?