This document describes basic thoughts and guidelines on how to work with the ruleset of our Fortigate firewalls.
Prerequisite: a browser that allows pop-ups from FMG (FortiManager).
There are two types of the objects described below: "normal" objects and Global objects. Global objects are used to form global policies that span multiple virtual domains within the Fortigate units; their names are all prefixed with a 'g'. The "normal" objects are defined per virtual domain as described below and are the ones most commonly used in daily operations.
Because normal objects are defined per virtual domain, they need to be recreated as needed in new domains when these are added.
The lower left of the GUI presents the panel where different objects are created:
Individual host objects are defined as in the image below. Only the IP address needs to be entered for an individual host; the netmask 255.255.255.255 (/32) is applied automatically if none is supplied at creation.
Groups are used to provide ease of use when adding or removing servers with a common purpose, e.g. exchange servers and to keep a tidier rule set.
Network objects define a subnet, i.e. a range of IP addresses. The prefix length is included in the name as a _XX suffix to help identify the network object when defining rules, in case objects overlap in range.
Service objects define a range of ports and/or protocols that can be used when defining which traffic should reach a host. These can either be defined with several ranges in the same object or by grouping individual objects into a Service group. Which to use has to be evaluated at the time of setup; each has its pros and cons.
Rules are grouped in sections by the destination network a host is part of. Each section usually starts with a number of group rules for easy access. Below these, the "normal" host-access rules follow in ascending order of the last octet of the IP address.
The sections grouping rules together are only of cosmetic value; they do not add any kind of logical separation of rules. Rules are matched top to bottom, so a defined "any" rule, for example, still affects the whole rule set below it regardless of which section it sits in.
- Navigate to https://firewall-prod-fmg.it.su.se and log on with your TACACS-credentials.
- Click on "Policy & Objects".
- To be able to add new rules, a lock on the affected adom/vdom needs to be acquired. Simply click the open lock; the screen will refresh and the lock close.
- Find where you wish to add the rule, right-click the rule indexes to the left and choose Insert Policy->Above/Below.
- A new rule with Any/Any Deny will be added where you specified.
- Right-click the rule's index number and choose Edit or drag-and-drop objects into the rule to get the desired setup. We currently log all traffic for trouble-shooting purposes and general visibility.
- With the changes in place save your changes with the Floppy-button.
- To install the changes on the firewall, right-click the Policy Package and choose Install.
- The installation wizard will be presented. The correct policy package to be installed is pre-selected. Enter a short comment describing the change. If it is a large change that might have severe implications for the operability of the affected adom/vdom, it is a good idea to create a separate revision to enable a faster rollback in case of errors in the config. For smaller rule changes this is seldom necessary; if you do not want a revision, simply uncheck the checkbox.
- The installation target is pre-selected, just press Next.
- The configuration goes through a preliminary validation check and presents the option to preview the changes and commands that will be installed on the Fortigates. If unsure, review the changes to make sure no extra commands that might affect operations have slipped into the revision. Press Next.
- Installation is performed. You can follow the installation procedure while it runs by opening the pop-up via the terminal icon under History and reloading it.
- Unlock the adom/vdom again to allow another administrator to make changes if necessary. The lock will also be removed if you log out of the FortiManager.
- To remove a rule, first lock the ADOM as described for adding new rules. Then locate the rule, right-click it and select Delete:
- Install the changes with the wizard.
- When removing single host objects it is very important to make sure that the object is not in use in any rules before removal. If the object is the last referenced object in a cell and it is removed, that cell in the rule is changed to ANY and an unintended hole in the rule set is opened.
To check this before removal, locate your object in the Firewall Objects->Address section, right-click it and select Where Used.
- A list of all references (e.g. groups and rules) will be presented; from there you can double-click each reference and remove the object from it. It is recommended to start with any groups, as that will likely remove a large chunk of rule references as well.
- When done, save and install using the Install Wizard as usual.
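The Where Used check above, and the "last object in a cell becomes ANY" hazard, can also be worked out offline against an exported configuration. The following is an added example, not part of this guide and not a FortiManager feature: it parses a constructed FortiOS-style configuration excerpt (object, group and policy names are made up for the example) and reports, for a given address object, every group and policy cell that references it and which policy cells would be left empty, and therefore open to ANY, if it were deleted. Groups are followed transitively, so a group that would lose its last member is treated as vanishing too.

```python
"""Offline 'Where Used' and removal-impact check for FortiOS-style address objects.

Added example; it is not the guide's own procedure nor FortiManager tooling.
It reads a constructed configuration excerpt in FortiOS CLI syntax and
answers the two questions an administrator must settle before deleting an
address object: where is it referenced, and would its removal empty a policy
cell (which the firewall treats as ANY).
"""
import shlex

# Constructed sample configuration (FortiOS CLI syntax). All names and
# addresses are invented for this example.
SAMPLE_CONFIG = """
config firewall address
    edit "srv-mail-01"
        set subnet 10.10.20.11 255.255.255.255
    next
    edit "srv-mail-02"
        set subnet 10.10.20.12 255.255.255.255
    next
    edit "srv-web-01"
        set subnet 10.10.30.5 255.255.255.255
    next
    edit "net-dmz_24"
        set subnet 10.10.30.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "g-exchange"
        set member "srv-mail-01" "srv-mail-02"
    next
end
config firewall policy
    edit 10
        set name "smtp-to-exchange"
        set srcaddr "all"
        set dstaddr "g-exchange"
        set service "SMTP"
        set action accept
    next
    edit 11
        set name "mgmt-to-mail-01"
        set srcaddr "net-dmz_24"
        set dstaddr "srv-mail-01"
        set service "SSH"
        set action accept
    next
    edit 12
        set name "web-frontend"
        set srcaddr "all"
        set dstaddr "srv-web-01"
        set service "HTTPS"
        set action accept
    next
end
"""

ADDRESS_CELLS = ("srcaddr", "dstaddr")


def parse_config(text):
    """Return {table: {entry_id: {key: [values]}}} for each flat 'config ... end' block."""
    tables = {}
    table = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # honours the double-quoted names
        kw = tokens[0]
        if kw == "config":
            table = tables.setdefault(" ".join(tokens[1:]), {})
        elif kw == "edit":
            entry = table.setdefault(tokens[1], {})
        elif kw == "set":
            entry[tokens[1]] = tokens[2:]
        elif kw == "next":
            entry = None
        elif kw == "end":
            table = None
    return tables


def where_used(tables, name):
    """List (table, entry_id, key) triples that reference the address object `name`."""
    refs = []
    lookups = (("firewall addrgrp", "member"),
               ("firewall policy", "srcaddr"),
               ("firewall policy", "dstaddr"))
    for table, key in lookups:
        for entry_id, attrs in tables.get(table, {}).items():
            if name in attrs.get(key, []):
                refs.append((table, entry_id, key))
    return refs


def removal_impact(tables, name):
    """Return the (policy_id, cell) pairs that would be left empty if `name` were deleted.

    A group whose every member vanishes is itself treated as vanishing, so the
    check is repeated until no further groups are affected (nested groups included).
    """
    groups = tables.get("firewall addrgrp", {})
    vanishing = {name}
    changed = True
    while changed:
        changed = False
        for gname, attrs in groups.items():
            members = attrs.get("member", [])
            if gname not in vanishing and members and set(members) <= vanishing:
                vanishing.add(gname)
                changed = True
    opened = []
    for pid, attrs in tables.get("firewall policy", {}).items():
        for cell in ADDRESS_CELLS:
            values = attrs.get(cell, [])
            if values and set(values) <= vanishing:
                opened.append((pid, cell))
    return opened


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for obj in ("srv-mail-01", "srv-mail-02", "srv-web-01"):
        print(obj, "referenced in:", where_used(cfg, obj))
        print(obj, "removal would open ANY in:", removal_impact(cfg, obj) or "nothing")
```

Run against the sample, removing srv-mail-02 is safe (the g-exchange group keeps one member), while removing srv-mail-01 or srv-web-01 would each empty a dstaddr cell in a policy, exactly the situation the guide warns about. The parser only handles flat config blocks, which is sufficient for address, group and policy tables.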