NGFW mode in the VDOM – NAT & SSL Inspection considerations (407547)

NGFW mode in the VDOM – NAT & SSL Inspection considerations (407547)

Due to how the NGFW Policy mode works, it can get complicated in the two areas of NAT and SSL Deep

Inspection. To match an application against a policy, some traffic has to pass through the FortiGate in order to be properly identified. Once that happens may end up getting mapped to a different policy, where the new policy will be appropriately enforced.

NAT

In the case of NAT being used, the first policy that is triggered to identify the traffic might require NAT enabled for it to work correctly. i.e., without NAT enabled it may never be identified, and thus not fall through. Let’s use a very simple example:

Policy 1: Block Youtube

Policy 2: Allow everything else (with NAT enabled)

Any new session established will never be identified immediately as Youtube, so it’ll match policy #1 and let some traffic go to try and identify it. Without NAT enabled to the Internet, the session will never be setup and thus stuck here.

Solution:

  • NAT for NGFW policies must be done via Central SNAT Map l Central SNAT Map entries now have options for ‘srcintf’, ‘dstintf’ and ‘action’. l If no IP-pools are specified in the Central SNAT entry, then the outgoing interface address will be used.
  • NGFW policies now must use a single default ssl-ssh-profile. The default ssl-ssh-profile can be configured under the system settings table.

SSL

In the case of SSL inspection, the issue is a bit simpler. For each policy there are 3 choices:

  1. No SSL,
  2. Certificate Only
  3. Deep Inspection.

For 1. and 2. there is no conflict and the user could enable them inter-changeably and allow policy fallthrough.

The issue happens when:

  • The first policy matched, uses Certificate Only
  • After the application is detected, it re-maps the session to a new policy which has Deep Inspection enabled This switching of behavior is the main cause of the issue.

Solution:

  • Multiple SSL profiles have been replaced with a single page of settings l The user can setup exemptions for destination web category, source IP or etc.

CLI

Changes

config system settings set inspection-mode flow set policy-mode [standard | ngfw]

Has been changed to:

config system settings set inspection-mode flow

set ngfw-mode [profile-based | policy-based]

l ngfw-mode – Next Generation Firewall mode. l profile-based – Application and web-filtering is configured using profiles applied to policy entries. l policy-based – Application and web-filtering is configured as policy match conditions.

Additions

Setting the vdom default ssl-ssh-profile

config system settings set inspection-mode flow set ngfw-mode policy-based set ssl-ssh-profile <profile> ssl-ssh-profile – VDOM SSL SSH profile.

Setting srcintf, dstintf, action on the central-snat policy

config firewall central-snat-map edit <id> set srcintf <names or any> set dstintf <names or any> set action (permit | deny)

l srcintf – Source interface name. l dstintf – Destination interface name. l action – Action of central SNAT policy.

GUI

System settings, VDOM settings list/dialog: l A field has been added to show the default ssl-ssh-profile IPv4/v6 Policy list and dialogs:

  • In NGFW policy-based mode, there are added tool tips under NAT columns/fields to indicate that NAT must be configured via Central SNAT Map. Additionally, links to redirect to Central SNAT list were added.
  • Default ssl-ssh-profile is shown in the policy list and dialog for any policies doing NGFW (`application, application-categories, url-categories`) or UTM (`av-profile etc.) inspection. l Default ssl-ssh-profile is disabled from editing in policy list dialog Central SNAT Policy list and dialogs:
  • In both profile-based & policy-basedngfw-mode, fields for srcintf, dstintf were added to Central

SNAT policies entries.

  • In policy-based mode only, a toggle-switch for NAT Action was added in Central SNAT policy dialog. The action is also configurable from the Action column in Central SNAT policy list.

 

SSL/SSH Inspection list:

  • In policy-based mode only, the navigation bar link to SSL/SSH Inspection redirects to the profiles list l In policy-based mode only, the SSL/SSH Inspection list table indicates which profile is the current VDOM default.

Additionally, options are provided in the list menu and context menu to change the current VDOM default.

This entry was posted in FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.