Schedule Groups

Schedule Groups

You can organize multiple firewall schedules into a schedule group to simplify your security policy list. The schedule parameter in the policy configuration does not allow for the entering of multiple schedules into a single policy so if you have a combination of time frames that you want to schedule the policy for then the best approach, rather than making multiple policies is to use a schedule group.

Creating a Schedule Group object

  1. Go to Policy & Objects > Schedules.
  2. Select Create New. A drop down menu is displayed. Select Schedule Group
  3. Input a Name for the schedule object.
  4. In the Members field, select the “+” to bring forth the panel for selecting entries.
  5. Press OK.

Example

Your Internet policy allows employees to visit Social Media sites from company computers but not during what is considered working hours. The offices are open a few hours before working hours and the doors are not locked until a few hours after official closing so work hours are from 9 to 5 with a lunch break from Noon to 1:00 p.m.

Your approach is to block the traffic between 9 and noon and between 1:00 p.m. and 5:00 p.m. This means you will need two schedules for a single policy and the schedule group handles this for you. Schedule groups can contain both recurring and one-time schedules. Schedule groups cannot contain other schedule groups.

Schedule expiration

The schedule in a security policy enables certain aspects of network traffic to occur for a specific length of time. What it does not do however, is police that time. That is, the policy is active for a given time frame, and as long as the session is open, traffic can continue to flow.

For example, in an office environment, Skype use is allowed between noon and 1pm. During that hour, any Skype traffic continues. As long as that session is open, after the 1pm end time, the Skype conversations can continue, yet new sessions will be blocked. Ideally, the Skype session should close at 1pm.

Using a CLI command you can set the schedule to terminate all sessions when the end time of the schedule is reached. Within the config firewall command enter the command: set schedule-timeout enable

By default, this option is set to disable.

A few further settings are needed to make this work.

config firewall policy edit ID set firewall-session-dirty check-new end config system settings

Schedule Groups

set firewall-session-dirty check-policy-option

end

Firewall-session-dirty setting

The firewall-session-dirty setting has three options

check-all CPU flushes all current sessions and re-evaluates them. [default]
check-new CPU keeps existing sessions and applies policy changes to new sessions only. This reduces CPU load and the possibility of packet loss.
check-policy-option Use the option selected in the firewall-session-dirty field of the firewall policy (check-all or check-new, as above, but per policy).

 

 

Before you begin                                                  Secure Web Gateway, WAN Optimization, Web Caching and WCCP

Small Unit GUI PCAP How To

So a lot of people that have smaller units have noticed in the latest versions (5.4+) that the PCAP link is now gone. Well, this video will show you how to get to that page so that you can carry out PCAPs from the GUI. We know that not everyone is as good at the CLI interface as they would like to be and this is a good shortcut to help those in need when they are troubleshooting their FortiGate.

Recurring schedule object

Recurring schedule object

Recurring schedules are in effect repeatedly at specified times of specified days of the week. The Recurring schedule is based on a repeating cycle of the days of the week as opposed to every x days or days of the month. This means that you can configure the schedule to be in effect on Tuesday, Thursday, and Saturday but not every 2 days or on odd numbered days of the month.

If a recurring schedule has a stop time that is earlier than the start time, the schedule will take effect at the start time but end at the stop time on the next day. You can use this technique to create recurring schedules that run from one day to the next.

Configuring a Recurring schedule object in the GUI

  1. Go to Policy & Objects > Schedules.
  2. Select Create New. A drop down menu is displayed. Select Schedule.
  3. From the Type options, choose Recurring.
  4. Input a Name for the schedule object.
  5. If you which to add a Color to the icon in the GUI, you can click on the Change link to choose 1 of 32 color options.
  6. From the Days options, choose the day of the week that you would like this schedule to apply to. The schedule will be in effect on the days of the week that have a check mark in the checkbox to the left of the name of the weekday.
  7. If the scheduled time is the whole day, leave the All Day toggle switch enabled. If the schedule is for specific times during the day, disable the All Day toggle switch.
  8. If the All Day option is disabled, choose a Start Time.

The Start Time is composed of two fields, Hour and Minute. Think of setting the time for a digital clock in 24 hour mode. The Hour value can be an integer from 0 and 23. The Minute value can be from 0 to 59. 0 and 0 would be midnight at the start of the day and 23 and 59 would be one minute to midnight at the end of the day. The value can be entered by keyboard or by using the up and down arrows in the field to select the value.

  1. Choose a Stop Time.

Configuration is the same as Start Time.

  1. Press OK.

Because recurring schedules do not work with DENY policies, the strategy when designing a schedule should not be to determine when users cannot access a policy but to build the schedules around when it is possible to access the policy.

Example: Firewall Schedule – Recurring

The Company wants to allow the use of Facebook by employees, but only during none business hours and the lunch break.

  • The business hours are 9:00 p.m. to 6:00 p.m. l The Lunch break is 12:00 p.m. to 1:00 p.m.
  • The plan is to create a schedule to cover the morning business hours and the afternoon business hours and block access to the Facebook web site during that time.

Configuration in the GUI

  1. Go to Policy & Objects > Objects > Schedule.
  2. Select Create New > Schedule.
  3. Fill out the fields with the following information:
Type Recurring
Name Morning_Business_Hours
Days Monday, Tuesday, Wednesday, Thursday, Friday
Start Time Hour = 9, Minute = 0
Stop Time Hour = 12, Minute = 0
  1. Select OK.
  2. Create a second new schedule.
Type Recurring
Name Morning_Business_Hours
Days Monday, Tuesday, Wednesday, Thursday, Friday
Start Time Hour = 13, Minute = 0
Stop Time Hour = 18, Minute = 0
  1. Select OK.

To verify that the schedule was added correctly:

  1. Go to Policy & Objects > Objects > Schedule.
  2. Check that the schedule with the name you used has been added to the list of recurring schedules and that the listed settings are correct.

Configuration in the CLI

  1. Enter the following CLI command:

config firewall schedule recurring edit Morning_Business_Hours set day monday tuesday wednesday thursday friday set start 09:00 set end 12:00

end

  1. Enter the following CLI command:

config firewall schedule recurring edit Afternoon_Business_Hours set day monday tuesday wednesday thursday friday set start 13:00 set end 18:00

end

To verify that the schedule was added correctly:

  1. Enter the following CLI command:

config firewall schedule recurring

edit <the name of the schedule you wish to verify> show full-configuration

 

Schedule

One-time schedule object

One-time schedule object

One-Time schedules are in effect only once for the period of time specified in the schedule. This can be useful for testing to limit how long a policy will be in effect in case it is not removed, or it can be used for isolated events such as a conference where you will only need a temporary infrastructure change for a few days.

The time frame for a One-time schedule is configured by using a start time which includes, Year | Month | Day | Hour | Minute and a Stop time which includes the same variables. So while the frequency of the schedule is only once it can last anywhere from 1 minute to multiple years. Configuring a One-time schedule object in the GUI

  1. Go to Policy & Objects > Schedules.
  2. Select Create New. A drop down menu is displayed. Select Schedule.
  3. From the Type options, choose One-time.
  4. Input a Name for the schedule object.
  5. If you which to add a Color to the icon in the GUI, you can click on the Change link to choose 1 of 32 color options.
  6. Choose a Start Date.

Selecting the field with the mouse will bring up a interactive calendar graphic that will allow the user to select the date. The date can also be typed in using the format YYYY/MM/DD.

  1. Choose a Start Time.

The Start Time is composed of two fields, Hour and Minute. Think of setting the time for a digital clock in 24 hour mode. The Hour value can be an integer from 0 and 23. The Minute value can be from 0 to 59. 0 and 0 would be midnight at the start of the day and 23 and 59 would be one minute to midnight at the end of the day. The value can be entered by keyboard or by using the up and down arrows in the field to select the value.

  1. Choose an End Date.

Configuration is the same as Start Date.

  1. Choose a Stop Time.

Configuration is the same as Start Time.

  1. Enable/Disable Pre-expiration event log.

This configures the system to create an event log 1 to 100 days before the End Date as a warning in case the schedule needs to be extended.

  1. If the Pre-expiration event log is enabled, set the value for Number of days before.
  2. Press OK.

Example: Firewall Schedule – One-time

The company wants to change over their web site image to reference the new year. They have decided to take this opportunity to do some hardware upgrades as well. Their web site is business oriented so they have determined that over New Year’s Eve there will be very limited traffic. l They are going to need a maintenance window of 2 hours bracketing midnight on New Year’s Eve.

Configuration in the GUI

  1. Go to Policy & Objects > Objects > Schedule.
  2. Select Create New > Schedule.
  3. Fill out the fields with the following information:
Type   One-time
Name   NewYearsEve_Maintenance
Start Date   2014/12/31 <use the built in calendar>
End Date   2015/01/01 <use the built in calendar>
Start Time   Hour: 23, Minute: 0
Stop Time Hour: 1Minute: 0
Pre-expiration event log <disable>
  1. Select OK.

To verify that the schedule was added correctly:

  1. Go to Policy & Objects > Objects > Schedule.
  2. Check that the schedule with the name you used has been added to the list of recurring schedules and that the listed settings are correct.

Configuration in the CLI

  1. Enter the following CLI command:

config firewall schedule onetime edit maintenance_window set start 23:00 2012/12/31 set end 01:00 2013/01/01

next

end

To verify that the schedule was added correctly:

  1. Enter the following CLI command:

config firewall schedule onetime edit <the name of the schedule you wish to verify> show full-configuration

Services

Services

While there are a number of services already configured within FortiOS, the firmware allows for administrators to configure there own. The reasons for doing this usually fall into one or more of the following categories:

  • The service is not common enough to have a standard configuration l The service is not established enough to have a standard configuration l The service has a standard port number but there is a reason to use a different one:
  • Port is already in use by another service l For security reasons, want to avoid standard port

When looking at the list of preconfigured services it may seem like there are a lot, but keep in mind that the theoretical limit for port numbers is 65,535. This gives a fairly good sized range when you are choosing what port to assign a service but there are a few points to keep in mind.

  • Most of the well known ports are in the range 0 – 1023 l Most ports assigned by the Internet Corporation for Assigned Names and Numbers (ICANN) will be in the 1024 –

49151 range l Port numbers between 49,152 and 65,535 are often used for dynamic, private or ephemeral ports.

There are 3 Service objects that can be added and configured:

l Categories l Services l Service Groups

Categories

In order to make sorting through the services easier, there is a field to categorize the services. Because selecting a category is part of the process for creating a new service, the configuration of categories will be explained first.

The services can be sorted into the following groups:

  • General l Web Access l File Access l Email l Network Services l Authentication l Remote Access l Tunneling l VoIP, Messaging and Other Applications l Web Proxy
  • Uncategorized

The categories are for organization purposes so there is not many settings when creating a new one.

Creating a new Service Category

  1. Go to Policy & Objects > Services.
  2. Select Create New. A drop down menu is displayed. Select Category
  3. Input a Name for the category.
  4. Input any additional information in the Comments
  5. Press OK.

Example

You plan on adding a number of devices such as web cameras that will allow the monitoring of the physical security of your datacenter. A number of non-standard services will have to be created and you would like to keep them grouped together under the heading of “Surveillance”

Example of a New Category in the GUI

  1. Go to Policy & Objects > Objects > Services and select Create New > Category.
  2. Fill out the fields with the following information
Field   Value
Name   Surveillance
Comments   For DataCenter Surveillance Devices
  1. Select

Example of a New Category in the CLI

Enter the following CLI command:

config firewall service category edit Surveillance set comment “For DataCenter Surveillance Devices” end

To verify that the category was added correctly:

  1. Go to Policy & Objects > Objects > Services. Select the Category Settings icon . A listing of the categories should be displayed.
  2. Enter the following CLI command:

config firewall service category show

This should bring up all of the categories. Check to see that the new one is displayed.

Configuring a new service

Occasionally, the preconfigured list of services will not contain the needed service. There are a few variations in the creation of a service depending upon the protocol type, but the first steps in the creation of the service are common to all the variations.

To create a new service:

  1. Go to Policy & Objects > Services.
  2. Select Create New. A drop down menu is displayed. Select Service
  3. Enter a name in the Name field for the new service
  4. Include any description you would like in the Comments field
  5. In the Service Type field choose between Firewall and Explicit Proxy.
  6. Enable the toggle in the Show in Service List. If you can’t see the service when you need to select it, it serves very little purpose.
  7. For the Category field, choose the appropriate category from the Category drop down menu. If none is chosen, the Uncategorized option will be chosen by default.

Protocol Options

This is the section where the configuration options of the service will differ depending on the type of protocol chosen. (The Step numbers will all continue on from the common step sequence).

The protocol options for Firewall service type are: l TCP/UDP/SCTP l ICMP l ICMP6 l IP

The protocol options for Proxy service type are: l ALL l CONNECT l FTP l HTTP l SOCKS-TCP l SOCKS-UDP

TCP/UDP/SCTP

  1. For the Protocol Type field, choose TCP/UDP/SCTP from the drop down menu
  2. For the Address field, choose IP Range or FQDN (Fully Qualified Domain Name) if there is to be a specific destination for the service. Depending on which type of address is selected, the field value needs to be filled with a FQDN string or an IP address in one of the 3 standard IPv4 address formats: l x.x.x – for a specific address l x.x.x.x/x – for a subnet l x.x.x.x-x.x.x.x – for a range of specific addresses
  3. Configure the Destination Port by:
  • Select from the drop down menu, TCP, UDP or SCTP l Enter the low end to the port range in the field indicated by grayed out Low.
  • Enter the high end of the port range in the field indicated by grayed out High. If there is only a single port in the

range High can be left empty

  • Multiple ports or port ranges can be added by using the “+” at the beginning of the row l Rows can be removed by using the trash can symbol at the end of the row
  1. If required, you can Specify Source Ports for the service by enabling the toggle switch. l The Src Port will match up with a Destination Port l Src Ports cannot be configured without there being a value for the Destination Port l The same rules for configuring the Destination Ports applies to the Src Ports
  2. Select OK to confirm the configuration

Example

Example settings for a TCP protocol service. In this case, it is for an administrative connection to web servers on the DMZ. The protocol used is HTTPS which would normally use port 443, but that is already in use by another service such as Admin access to the firewall or an SSL-VPN connection.

Field Value
Name Example.com_WebAdmin
Comments Admin connection to Example.com Website
Service Type Firewall
Show in Service List enabled
Category Web Access
Protocol Options  
Protocol Type TCP/UDP/SCTP
IP/FQDN <left blank>
Destination Port l  Protocol: TCP l Low: 4300

l  High: <left blank>

Specify Source Ports <disabled>

Creating a new TCP/UDP/SCTP service in the CLI

The following is the creation of the same service using the command line.

config firewall service custom edit Example.com_WebAdmin set comment “Admin connection to Example.com Website”

set category Web Access set protocol TCP/UDP/SCTP set tcp-portrange 4300

end

end

ICMP / ICMP6

  1. For the Protocol Type field, choose ICMP or ICMP6 from the drop down menu
  2. In the Type field enter the appropriate type number based on the information found in “ICMP Types and Codes” on page 1 or in “ICMPv6 Types and Codes” on page 1, depending on whether the Protocol Type is ICMP or ICMPv6
  3. In the Code field enter the appropriate code number for the type, if applicable, based on the information found in

“ICMP Types and Codes” on page 1 or in “ICMPv6 Types and Codes” on page 1, depending on whether the Protocol Type is ICMP or ICMPv6

  1. Select OK to confirm the configuration

Example

Example settings for an ICMP.service.In this case it has been set up for some special testing of ICMP packets.

Field Value
Name ICMP test #4
Comments For testing of proprietary network scanner
Service Type Firewall
Show in Service List enabled
Category Network Services
Protocol Options  
Protocol Type ICMP
Type 7
Code <left blank>

Creating a new ICMP service in the CLI

The following is the creation of the same service using the command line.

config firewall service custom edit ICMP test4 set comment “For testing of proprietary network scanner” set category Network Services set protocol ICMP set icmptype 7 end

end

IP

  1. For the Protocol Type field, choose IP from the drop down menu
  2. In the Protocol Number field enter the numeric value based on the information found in “Protocol Number” on page 1
  3. Select OK to confirm the configuration

Example

Example settings for an IP.service.In this case it has been set up to communicate via an old protocol called QNX

Field Value
Name QNX
Comments For QNX communications to the Development Lab
Service Type Firewall
Show in Service List enabled
Category Uncatagorized
Protocol Options  
Protocol Type IP
Protocol Number 106

Creating a new ICMP service in the CLI

The following is the creation of the same service using the command line.

config firewall service custom edit ICMP test4 set comment “For QNX communications to the Development Lab ” set protocol IP set icmptype 106

end

end

In the CLI examples, the fields for Show in Service List, Service Type and in the example for IP, Category were net set because the values that they would have been set to were the default values and were already correctly set.

ALL/CONNECT/FTP/HTTP/SOCKS-TCP/SOCKS-UDP

These options are available only if the Service Type is set to Explicit Proxy.

  1. For the Protocol Type field, choose one of the following from the drop down menu:
    • ALL l CONNECT l FTP l HTTP l SOCKS-TCP l SOCKS-UDP
  2. For the Address field, choose IP Range or FQDN (Fully Qualified Domain Name) if there is to be a specific destination for the service. Depending on which type of address is selected, the field value needs to be filled with a FQDN string or an IP address in one of the 3 standard IPv4 address formats: l x.x.x – for a specific address l x.x.x.x/x – for a subnet l x.x.x.x-x.x.x.x – for a range of specific addresses
  3. Configure the Destination Port by:
    • Enter the low end to the TCP port range in the field indicated by grayed out Low.
    • Enter the high end of the TCP port range in the field indicated by grayed out High. If there is only a single port in the range High can be left empty
    • Multiple ports or port ranges can be added by using the “+” at the beginning of the row l Rows can be removed by using the trash can symbol at the end of the row
  4. If required, you can Specify Source Ports for the service by enabling the toggle switch. l The Src Port will match up with a Destination Port l Src Ports cannot be configured without there being a value for the Destination Port l The same rules for configuring the Destination Ports applies to the Src Ports
  5. Select OK to confirm the configuration

Specific Addresses in TCP/UDP/SCTP

In the TCP/UDP/SCTP services it is also possible to set the parameter for a specific IP or Fully Qualified Domain Name address. The IP/FQDN field refers to the destination address of the traffic, not the source. This means for example, that you can set up a custom service that will describe in a policy the TCP traffic over port 80 going to the web site example.com, but you cannot set up a service that describes the TCP traffic over port 80 that is coming from the computer with the address 192.168.29.59.

Service Groups

Just like some of the other firewall components, services can also be bundled into groups for ease of administration.

Creating a ServiceGroup

  1. Go to Policy & Objects > Services.
  2. Select Create New. A drop down menu is displayed. Select Service Group
  3. Input a Group Name to describe the services being grouped

 

  1. Input any additional information in the Comments
  2. Choose a Type of group.The options are Firewall or Explicit Proxy.
  3. Add to the list of Members from the drop down menu. Using the + sign beside the field will allow the addition of multiple services.
  4. Press OK.

Example

Example of a New Service Group:

Field Value
Group Name Authentication Services
Comments Services used in Authentication
Type Firewall
Members l Kerberos l LDAP l LDAP_UDP l RADIUS

Firewall schedules

Firewall schedules control when policies are in effect. When you add a security policy on a FortiGate unit you need to set a schedule to determine the time frame in which that the policy will be functioning. While it is not set by default, the normal schedule would be always. This would mean that the policy that has been created is always function and always policing the traffic going through the FortiGate. The time component of the schedule is based on a 24 hour clock notation or military time as some people would say.

There are two types of schedules: One-time schedules and recurring schedules.

Configuring IP pools

Configuring IP pools

An IP pool is essentially one in which the IP address that is assigned to the sending computer is not known until the session is created, therefore at the very least it will have to be a pool of at least 2 potential addresses. A quick example would be an IP pool for users of a VPN. IP pools are based upon the version of IP determined by the interface that they are associated with so as expected there are two types of IP pools that can be configured:

l “Creating a IPv4 Pool” on page 189 l “Creating a IPv6 Pool” on page 193

Because of the differences in the configuration for the two types of pools, instructions for configuring them will be done separately.

Creating a IPv4 Pool

  1. Go to Policy & Objects > IP Pools.
  2. Select Create New.
  3. In the IP Pool Type field choose IPv4 Pool
  4. Enter a name in the Name field for the new service Include any description you would like in the Comments field
  5. In the Type field choose between:

l Overload l One-to-One l Fixed Port Range l Port Block Allocation

At this point the configurations can start to differ based on the type of type of pool.

For more information on the different types of IP pools, check IP Pools in the Concepts section.

Overload

  1. For the External IP Range fields, enter the lowest and highest addresses in the range. If you only want a single address used, enter the same address in both fields.
  2. Enable the ARP Reply field by making sure there is a check in the box
  3. Select OK

Configuring IP pools

Overload Example for GUI

In this example, the Sales team needs to connect to an Application Service Provider that does the accounting for the company. As a security measure, the ASP only accepts traffic from a white list of IP addresses. There is 1 public IP address of the company on that list.The Sales team consists of 40 people, so they need to share.The external interface is wan1.

Field Value
IP Pool Type IPv4 Pool
Name Sales_Team
Comments For the Sales team to use to connect to the Accounting ASP
Type Overload (This is the default)
External IP Range 10.23.56.20 – 10.23.56.20
ARP Reply enabled

Overload Example for CLI

config firewall ippool edit Sales_Team set comments “For the Sales team to use to connect to the Accounting ASP” set type overload set startip 10.23.56.20 set endip 10.23.56.20 set arp-reply enable set arp-intf wan1 end

One-to-one
  1. For the External IP Range fields, enter the lowest and highest addresses in the range. If you only want a single address used, enter the same address in both fields.
  2. Enable the ARP Reply field by making sure there is a check in the box.
  3. Select OK

One-to-one Example for GUI

In this example, the external IP address of the mail server is part of a range assigned to the company but not the one that is assigned to the Internet facing interface. A VIP has been set up but in order to properly resolve

Reverse DNS lookups the mail server always has to use a specific IP address.The external interface is wan1.

Field Value
IP Pool Type IPv4 Pool
Field Value
Name Mail-Server
Comments So the the correct IP address is resolved on Reverse DNS look ups of the mail server.
Type One-to-one
External IP Range 10.23.56.21 – 10.23.56.21
ARP Reply enabled

One-to-one Example for CLI

config firewall ippool edit Mail-Server set comments “So the the correct IP address is resolved on reverse DNS look ups of the mail server.”

set type one-to-one set startip 10.23.56.21 set endip 10.23.56.21 set arp-reply enable set arp-intf wan1 end

Fixed Port Range
  1. For the External IP Range fields, enter the lowest and highest addresses in the range. If you only want a single address used, enter the same address in both fields.
  2. Fort the Internal IP Range fields, enter the lowest and highest addresses in the range.
  3. Enable the ARP Reply field by making sure there is a check in the box
  4. Select OK

Fixed Port Range Example for GUI

In this example, the company has a range of 10 IP address that they want to be used by employees on a specific subnet for NATing.The external interface is wan1.

Field   Value
IP Pool Type   IPv4 Pool
Name   IPPool-3
Comments   IP range to be used by outgoing traffic
Type   Fixed Port Range
External IP Range   10.23.56.22 – 10.23.56.31

Configuring IP pools

Field Value
Internal IP Range 192.168.23.1 – 192.168.23.254
ARP Reply enabled

Fixed Port Range Example for CLI

config firewall ippool edit IPPool-3 set comments “So the the correct IP address is resolved on reverse DNS look ups of the mail server.”

set type fixed-port-range set startip 10.23.56.22 set endip 10.23.56.31 set source-startip 192.168.23.1 set source-endip 192.168.23.254 set arp-reply enable set arp-intf wan1 end

Port Block Allocation
  1. For the External IP Range fields, enter the lowest and highest addresses in the range. If you only want a single address used, enter the same address in both fields.
  2. In the Block Size field, either type in the value or use the up or down arrows to set the value of the block size.
  3. In the Blocks Per User field, either type in the value or use the up or down arrows to set the value for the number of blocks per user.
  4. Enable the ARP Reply field by making sure there is a check in the box
  5. Select OK

Port Block Allocation Example for GUI

In this example,an small ISP is setting up NATing for its clients, but to be fair it is putting some restrictions on the number of connections each client can have so that no one hogs all of the possible ports and addresses.The external interface is port12.

Field Value
IP Pool Type IPv4 Pool
Name Client-IPPool
Comments IP Pool for clients to access the Internet
Type Port Block Allocation
External IP Range 10.23.75.5 – 10.23.75.200
Block Size 64
Field Value
Blocks Per User 8
ARP Reply enabled

Port Block Allocation Example for CLI

config firewall ippool edit Client-IPPool set comments “IP Pool for clients to access the Internet”

set type port-block-allocation set startip 10.23.75.5 set endip 10.23.75.200 set block-size 64 set num-blocks-per-user 8 set permit-any-host disable set arp-intf wan1 set arp-reply enableset arp-intf port12 end

Creating a IPv6 Pool

  1. Go to Policy & Objects > IP Pools.
  2. Select Create New.
  3. In the IP Pool Type field choose IPv6 Pool
  4. Enter a name in the Name field for the new service
  5. Include any description you would like in the Comments field
  6. For the External IP Range fields, enter the lowest and highest addresses in the range.

IPv6 Example for GUI

In this example,there is a similar situation to the One-to-one example earlier.There is a mail server that needs to be resolved to a specific IP address in Reverse DNS look-ups. The difference in this case is the company is an early adopter of IPv6 connectivity to the Internet.

Field Value
IP Pool Type IPv6 Pool
Name Mail-svr-ipv6
Comments Registered IPv6 address for mail server
External IP Range fd2f:50ec:cdea:0663::1025 – fd2f:50ec:cdea:0663::1025

Port Block Allocation Example for CLI

config firewall ippool6 edit Mail-svr-ipv6

 

set comments “Registered IPv6 address for mail server”

set startip fd2f:50ec:cdea:663::102 set endip fd2f:50ec:cdea:663::1025 end

Virtual IPs

Virtual IPs

The mapping of a specific IP address to another specific IP address is usually referred to as Destination NAT.

When the Central NAT Table is not being used, FortiOS calls this a Virtual IP Address, sometimes referred to as a VIP. FortiOS uses a DNAT or Virtual IP address to map an External IP address to an IP address. This address does not have to be an individual host, it can also be an address range. This mapping can include all TCP/UDP ports or if Port Forwarding is enabled it will only refer to the specific ports configured. Because, the Central NAT table is disabled by default the term Virtual IP address or VIP will be used predominantly.

Virtual IP addresses are typically used to NAT external or Public IP addresses to internal or Private IP addresses. Using a Virtual IP address between 2 internal Interfaces made up of Private IP addresses is possible but there is rarely a reason to do so as the 2 networks can just use the IP addresses of the networks without the need for any address translation. Using a Virtual IP address for traffic going from the inside to the Internet is even less likely to be a requirement, but it is supported.

Something that needs to be considered when there are multiple Public IP addresses on the external interface(s) is that when a Virtual IP address is used without Port Forwarding enabled there is a reciprocal effect as far as traffic flow is concerned. Normally, on a firewall policy where NAT is enabled, for outgoing traffic the internal address is translated to the Public address that is assigned to the FortiGate, but if there is a Virtual IP address with no port forwarding enabled, then the Internal IP address in the Mapped field would be translated to the IP address configured as the External Address in the VIP settings.

Example

  • The assigned External address (WAN1) of the FortiGate unit is 172.12.96.3 with a subnet mask of 255.255.255.128 l There is a Virtual IP address set up to map the external address 172.12.96.127 on WAN1 to the internal IP address of 192.168.1.127
  • Port Forwarding is not enabled because you want all allowed traffic going to the external IP address to go to this server.

In this case any outbound traffic from 192.168.1.127 will go out on WAN1 with the IP address of 172.12.96.127 as the source IP address.

In terms of actually using the Virtual IP address, they would be using in the security policies in the same places that other addresses would be used, usually as a Destination Address.

UUID Support for VIP

UUID is now supported in for virtual IPs and virtual IP groups. This includes virtual IPs for IPv4, IPv6, NAT46, and NAT64. To view the UUID for these objects in a FortiGate unit’s logs, log-uuid must be set to extended mode, rather than policy-only (which only shows the policy UUID in a traffic log). UUID can only be configured through the CLI

Syntax

config sys global set log-uuid {disable | policy-only | extended}

end

There is another type of address that the term “virtual IP address” commonly refers to which is used in load balancing and other similar configurations. In those cases, a number of devices share a separately created virtual IP address that can be sent to multiple possible devices. In FortiOS these are referred to as Virtual Servers and are configured in the “Load Balance” section.

If Central-NAT is enabled in the CLI the GUI will be different.

Instead of VIP Type, the field lable will be DNAT & VIP Type

Instead of IPv4 the option will be IPv4 DNAT

There will also be the addition setting of Source Interface Filter.

Commands to set central-nat:

config system settings set central-nat [enable | disable] end

Creating a Virtual IP

  1. Go to Policy & Objects > Virtual IPs.
  2. Select Create New. A drop down menu is displayed. Select Virtual IP.
  3. From the VIP Type options, choose an applicable type based on the IP addressing involved. Which is chosen will depend on which of the IP version networks is on the external interface of the FortiGate unit and which is on the internal interface.

The available options are:

l IPv4 – IPv4 on both sides of the FortiGate Unit. l IPv6 – IPv6 on both sides of the FortiGate Unit. l NAT46 – Going from an IPv4 Network to an IPv6 Network. l NAT64 – Going from an IPv6 Network to an IPv4 Network.

  1. In the Name field, input a unique identifier for the Virtual IP.
  2. Input any additional information in the Comments
  3. The Color of the icons that represent the object in the GUI can be changed by clicking on the [Change] link and choosing from the 32 colors.

Because the configuration differs slightly for each type the next steps will be under a separate heading based on the type of the VIP

Configuring a VIP for IPv4

In the Network section:

  1. If an IPv4 type of Virtual IP, select the Interface

Using the drop down menu for the Interface Field, choose the incoming interface for the traffic.

The IPv4 VIP Type is the only one that uses this field. This is a legacy function from previous versions so that they can be upgraded without complicated reconfiguration. The External IP address, which is a required field, tells the unit which interface to use so it is perfectly acceptable to choose “any” as the interface. In some configurations, if the Interface field is not set to “any” the Virtual IP object will not one of the displayed options when choosing a destination address.

  1. Configure the External IP Address/Range.

There are two fields. If there is a single IP address, use that address in both fields. This will be the address on the outside of the network that is usually the public address of the server. The format of the address will depend on the VIP Type option that was selected.

  1. Configure the Mapped IP Address/Range. This will be the address that the traffic is being directed to.

There are two fields. If there is a single IP address, use that address in both fields. The format of the address will depend on the VIP Type option that was selected. In the Optional Filters

  1. Disable/Enable the Optional Filters.

If only specific IP addresses and/or services are allowed to be the source for traffic using the VIP, enable the Optional Filters.

  1. To specify an allowed address enter the value in the field labeled Source Address. The value can be formatted in three different ways.

l Source IP – Use the standard format for a single IP address l Range – Enter the first and last members of the range l Subnet – Enter the IP address of the broadcast address for the subnet.

To add additional addresses, click on the “+” below the last field with an address. To subtract an address, click on the “X” next to the field you wish to delete.

  1. To specify an allowed Service, toggle the Services option to enabled. Set the Services parameter by selecting the field with the “+” in the field. This will slide a window out from the right. Single or multiple options can be selected by highlighting the services wanted, unless the ALL option is chosen, in which case it will be the only option. For more information on services, check the Firewall Objects section called Services and TCP ports.
  2. Disable/Enable Port Forwarding. If only the traffic for a specific port or port range is being forwarded, enable this setting.
  3. Select the Protocol from l TCP l UDP l SCTP l ICMP
  4. Configure the External Service Port. This is the port(s) on the external interface of the FortiGate (the destination port in the header of the packets). The first field is for the first port in the range the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
  5. Configure the setting Map to Port.This will be the listening port on the device located on the internal side of the network. It does not have to be the same as the External Service Port. The first field is for the first port in the range the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
  6. Press

Example

This example is for a VIP that is being used to direct traffic from the external IP address to a web server on the internal network. The web server is for company use only. The company’s public facing web server already used port 80 and there is only one IP external IP address so the traffic for this server is being listened for on port 8080 of the external interface and being sent to port 80 on the internal host.

Field Value
VIP Type IPv4
Name Internal_Webserver
Comments Web server with Collaboration tools for Corporate employees
Interface Any
Field Value
External IP

Address/Range

172.13.100.27 <this would normally be a public IP address>
Mapped IP

Address/Range

192.168.34.150
Optional Filters enabled
Source Address

Filter

<list of IP addresses of remote users>
Services enabled with HTTP in the list
Port Forwarding enabled
Map to Port 80 – 80

Configuring a VIP for IPv6

In the Network section:

  1. Configure the External IP Address/Range.

There are two fields. If there is a single IP address, use that address in both fields. This will be the address on the outside of the network that is usually the public address of the server. Enter the address in the standard IPv6 format.

  1. Configure the Mapped IP Address/Range. This will be the address that the traffic is being directed to.

There are two fields. If there is a single IP address, use that address in both fields. Enter the address in the standard IPv6 format.

In the Optional Filters

  1. Disable/Enable the Optional Filters.

If only specific IP addresses and/or services are allowed to be the source for traffic using the VIP, enable the Optional Filters.

  1. To specify an allowed address enter the value in the field labeled Source Address. The value can be formatted in three different ways.

l Source IP – Use the standard format for a single IP address l Range – Enter the first and last members of the range l Subnet – Enter the IP address of the broadcast address for the subnet.

To add additional addresses, click on the “+” below the last field with an address. To subtract an address, click on the “X” next to the field you wish to delete.

  1. Disable/Enable Port Forwarding. If only the traffic for a specific port or port range is being forwarded, enable this setting.
  2. Select the Protocol from l TCP l UDP

l SCTP

  1. Configure the External Service Port. This is the port(s) on the external interface of the FortiGate (the destination port in the header of the packets). The first field is for the first port in the range the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
  2. Configure the setting Map to Port.This will be the listening port on the device located on the internal side of the network. It does not have to be the same as the External Service Port. The first field is for the first port in the range the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
  3. Press

Configuring a VIP for NAT46

In the Network section:

  1. Configure the External IP Address/Range.

There are two fields. If there is a single IP address, use that address in both fields. This will be the address on the outside of the network that is usually the public address of the server. Enter the address in the standard IPv4 format.

  1. Configure the Mapped IP Address/Range. This will be the address that the traffic is being directed to.

There are two fields. If there is a single IP address, use that address in both fields. Enter the address in the standard IPv6 format.

In the Optional Filters

  1. Disable/Enable the Optional Filters.

If only specific IP addresses and/or services are allowed to be the source for traffic using the VIP, enable the Optional Filters.

  1. To specify an allowed address enter the value in the field labeled Source Address. The value can be formatted in three different ways.

l Source IP – Use the standard format for a single IP address l Range – Enter the first and last members of the range l Subnet – Enter the IP address of the broadcast address for the subnet.

To add additional addresses, click on the “+” below the last field with an address. To subtract an address, click on the “X” next to the field you wish to delete.

  1. Disable/Enable Port Forwarding. If only the traffic for a specific port or port range is being forwarded, enable this setting.
  2. Select the Protocol from l TCP l UDP
  3. Configure the External Service Port. This is the port(s) on the external interface of the FortiGate (the destination port in the header of the packets). The first field is for the first port in the range the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
  4. Configure the setting Map to Port.This will be the listening port on the device located on the internal side of the network. It does not have to be the same as the External Service Port. The first field is for the first port in the

range the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.

  1. Press

Configuring a VIP for NAT64

In the Network section:

  1. Configure the External IP Address/Range.

There are two fields. If there is a single IP address, use that address in both fields. This will be the address on the outside of the network that is usually the public address of the server. Enter the address in the standard IPv6 format.

  1. Configure the Mapped IP Address/Range. This will be the address that the traffic is being directed to.

There are two fields. If there is a single IP address, use that address in both fields. Enter the address in the standard IPv4 format.

In the Optional Filters

  1. Disable/Enable the Optional Filters.

If only specific IP addresses and/or services are allowed to be the source for traffic using the VIP, enable the Optional Filters.

  1. To specify an allowed address enter the value in the field labeled Source Address. The value can be formatted in three different ways.

l Source IP – Use the standard format for a single IP address l Range – Enter the first and last members of the range l Subnet – Enter the IP address of the broadcast address for the subnet.

To add additional addresses, click on the “+” below the last field with an address. To subtract an address, click on the “X” next to the field you wish to delete.

  1. Disable/Enable Port Forwarding. If only the traffic for a specific port or port range is being forwarded, enable this setting.
  2. Select the Protocol from l TCP l UDP
  3. Configure the External Service Port. This is the port(s) on the external interface of the FortiGate (the destination port in the header of the packets). The first field is for the first port in the range the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
  4. Configure the setting Map to Port.This will be the listening port on the device located on the internal side of the network. It does not have to be the same as the External Service Port. The first field is for the first port in the range the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
  5. Press

FQDN in VIPs

Instead of mapping to an IP address a VIP can use a FQDN(Fully Qualified Domain Name). This has to be configured in the CLI and the FQDN must be an address object that is already configured in the address listing.

The syntax for using a FQDN is:

config firewall vip edit <VIP id> set type fqdn

set mappped-addr <FQDN address object> end

Dynamic VIP according to DNS translation

When a dynamic virtual IP is used in a policy, the dynamic DNS translation table is installed along with the dynamic NAT translation table into the kernel. All matched DNS responses will be translated and recorded regardless if they hit the policy. When a client request hits the policy, dynamic NAT translation will occur if it matches a record, otherwise the traffic will be blocked.

Syntax

config firewall vip edit “1” set type dns-translation set extip 192.168.0.1-192.168.0.100

set extintf “dmz” set dns-mapping-ttl 604800 set mappedip “3.3.3.0/24” “4.0.0.0/24” end end

Virtual IP Groups

Just like other address, Virtual IP addresses can be organized into groups for ease of administration. If you have multiple virtual IPs that are likely to be associated to common firewall policies rather than add them individually to each of the policies you can add the instead. That way, if the members of the group change then any changes made to the group will propagate to all of the policies using that group.

When using a Virtual IP address group the firewall policy will take into account all of the configured parameters of the Virtual IPs: IP addresses, Ports and port types.

Creating a Virtual IP Group

  1. Go to Policy & Objects > Virtual IPs.
  2. Select Create New. A drop down menu is displayed. Select Virtual IP Group.
  3. Select the Type fo VIP group you wish to create. The options available are:

l IPv4 – IPv4 on both sides of the FortiGate Unit. l IPv6 – IPv6 on both sides of the FortiGate Unit. l NAT46 – Going from an IPv4 Network to an IPv6 Network. l NAT64 – Going from an IPv6 Network to an IPv4 Network.

Which is chosen will depend on which of the IP version networks is on the external interface of the

 

FortiGate unit and which is on the internal interface. The options will be:

  1. Enter a unique identifier for the group in the Name
  2. Enter any additional information in the Comments
  3. If you wish, use the Change link to change the Color of icons in the GUI. There are 32 color options.
  4. If the Type is IPv4, the Interface field will be available. Use the drop-down menu to select the interface if all of the VIPs are on the same interface. If any of the VIPS are on different interfaces or if any of them are associated with the “any” option, choose the any option for the group.
  5. Select anywhere in the Members field to bring forth the pane of potential members for selection to the group.
  6. Press

Address Groups

Address Groups

Address groups are designed for ease of use in the administration of the device. If you have a number of addresses or address ranges that will commonly be treated the same or require the same security policies, you can put them into address groups, rather than entering multiple individual addresses in each policy refers to them.

The use of groups is not required. If you have a number of different addresses you could add them individually to a policy and the FortiGate firewall will process them just as quickly and efficiently as if they were in a group, but the chances are that if you have used a group once you could need to use it again and depending on the number of addresses involved entering them individually for each policy can become tedious and the likelihood of an address being missed becomes greater. If you have a number of policies using that combination of addresses it is much easier to add or subtract addresses from the group than to try and remember all of the firewall policies that combination of addresses was used in. With the group, you only have to make the one edit and it is used by any firewall policy using that address group.

Because security policies require addresses with homogenous network interfaces, address groups should contain only addresses bound to the same network interface, or to Any.

For example, if address 1.1.1.1 is associated with port1, and address 2.2.2.2 is associated with port2, they cannot be in the same group. However, if 1.1.1.1 and 2.2.2.2 are configured with an interface of Any, they can be grouped, even if the addresses involve different networks. There are 3 Categories of Address groups to choose from:

l IPv4 Group l IPv6 Group l Proxy Group

You cannot mix different categories of addresses within a group, so whether or not it makes sense from an administrative purpose to group certain addresses together, if some are IPv4 and some are IPv6, it cannot be done.

Creating an Address Group

  1. Go to Policy & Objects > Addresses.
  2. Select the down arrow next to Create New, select Address Group.
  3. Choose the Category, that is applicable to the proposed selection of addresses.
  4. Input a Group Name for the address object.

Depending on which Category has been chosen the configurations will differ slightly

IPv4 Group

  1. Select the “+” in the Members You can select members of the group from the window that slides out from the left of the screen. It is possible to select more than 1 entry. Select the “X” icon in the field to remove an entry.
  2. Select the desired on/off toggle setting for Show in Address List.
  3. Select the desired on/off toggle setting for Static Route Configuration .

IPv6 Group

  1. Select the “+” in the Members You can select members of the group from the window that slides out from the left of the screen. It is possible to select more than 1 entry. Select the “X” icon in the field to remove an entry.
  2. Select the desired on/off toggle setting for Show in Address List.

Proxy Group

  1. Select which Type, either Source Group or Destination Group.
  2. Select the “+” in the Members You can select members of the group from the window that slides out from the left of the screen. It is possible to select more than 1 entry. Select the “X” icon in the field to remove an entry.
  3. Select the desired on/off toggle setting for Show in Address List.

Irrespective of the Category the groups all have the same final configuration options:

  1. Input any additional information in the Comments
  2. Press

UUID Support

Syntax:

config firewall {address|addres6|addgrp|addgrp6} edit 1 set uuid <example uuid: 8289ef80-f879-51e2-20dd-fa62c5c51f44> next end