Internet services

In FortiOS 5.4, support was added for Internet Service objects which could be used with FortiView, Logging, Routing and WAN Load Balancing. Now they can be added to firewall policies as well.

There is an either/or relationship between Internet Service objects and destination address and service combinations in firewall policies. This means that a policy can specify either a destination address and service OR an Internet Service, not both.

CLI

The related CLI options/syntax are:

config firewall policy
    edit 1
        set internet-service 1 5 10
        set internet-service-custom test
        set internet-service-negate [enable|disable]
end

GUI

In the policy listing page you will notice that if an Internet Service object is used, it appears in both the Destination and Service columns.

In the policy editing page the Destination Address field, now simply Destination, has two types, Address and Internet Service.

Proxy addresses

This category of address is different from the other addresses in that it is not designed to be used in the normal firewall policy configuration. It is intended to be used only with explicit web proxies.

In some respects they are like FQDN addresses in that they refer to an alphanumeric string that is assigned to an IP address, but they go a level further by using additional information and criteria to specify locations or types of traffic within the website itself. In-depth information on Explicit Proxy Addressing can be found in WAN Optimization, but it is worth laying out the steps for creating an address object in this category.

Creating a proxy address

  1. Go to Policy & Objects > Addresses.
  2. Select Create New. A drop down menu is displayed. Select Address.
  3. In the Category field, choose Proxy Address.
  4. Input a Name for the address object.
  5. For the Type field, select one of the options from the drop down menu.

Within the Explicit Proxy Address category there are 8 types of addresses. Each of these types has associated field(s) that also need values entered to make the object specific to its address.

Type = URL Pattern

  • In the Host field, choose from the drop down menu.
  • In the URL Path Regex field, enter the appropriate string.

Type = Host Regex Match

  • In the Host Regex Pattern field, enter the appropriate string.

Type = URL Category

  • In the Host field, choose from the drop down menu.
  • In the URL Category field, choose from the drop down menu.

Type = HTTP Method

  • In the Host field, choose from the drop down menu.
  • In the Request Method field, choose from the drop down menu. The options are: CONNECT, DELETE, GET, HEAD, OPTIONS, POST, PUT, TRACE.

Type = User Agent

  • In the Host field, choose from the drop down menu.
  • In the User Agent field, choose from the drop down menu. The options are: Apple Safari, Google Chrome, Microsoft Internet Explorer or Spartan, Mozilla Firefox, Other browsers.

Type = HTTP Header

  • In the Host field, choose from the drop down menu.
  • In the Header Name field, enter the appropriate string value.
  • In the Header Regex field, enter the appropriate string value.

Type = Advanced (Source)

  • In the Host field, choose from the drop down menu.
  • In the Request Method field, choose from the drop down menu (see the HTTP Method type for the option list).
  • In the User Agent field, choose from the drop down menu (see the User Agent type for the option list).
  • In the Header Group table, create, edit or delete Header Name strings and their associated Header Regex strings.

Type = Advanced (Destination)

  • In the Host field, choose from the drop down menu.
  • In the Host Regex Pattern field, enter the appropriate string.
  • In the URL Category field, choose from the drop down menu.

  6. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled, the address will appear in drop down menus where it is an option.
  7. Input any additional information in the Comments field.
  8. Press OK.

Proxy address groups

To create a Proxy address group:

  1. Go to Policy & Objects > Addresses.
  2. Click on + Create New to get the drop down menu. Select Address Group.
  3. In the Category field, choose Proxy Group.
  4. Fill in a descriptive name in the Group Name field.
  5. If you wish, use the Change link to change the Color of icons in the GUI. There are 32 color options.
  6. In the Type field, select whether the group will be a Source Group (composed of source addresses) or a Destination Group (composed of destination addresses).
  7. Select anywhere in the Members field to bring up the pane of potential members for selection to the group.
  8. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled, the address will appear in drop down menus where it is an option.
  9. Input any additional information in the Comments field.
  10. Click on OK.

Multicast addresses

A specific range of address values is set aside for multicast addressing. Therefore all IPv4 multicast addresses should be between 224.0.0.0 and 239.255.255.255.

More information on the concepts behind Multicast addressing can be found in the Multicast Forwarding section.

Multicast IP range

This type of address will allow multicast broadcasts to a specified range of addresses.

Creating a multicast IP range address

  1. Go to Policy & Objects > Addresses.
  2. Select Create New. If you use the down arrow next to Create New, select Address.
  3. In the Category field, choose Multicast Address.
  4. Input a Name for the address object.
  5. In the Type field, select Multicast IP Range from the drop-down menu.
  6. Enter the value for the Multicast IP Range.
  7. Select the Interface from the drop-down menu.
  8. Enable the Show in Address List function.
  9. Input any additional information in the Comments field.
  10. Press OK.

Example: Multicast IP range address

The company has a large high tech campus that has monitors in many of its meeting rooms. It is common practice for company wide notifications of importance to be done in a streaming video format with the CEO of the company addressing everyone at once.

The video is High Definition quality so takes up a lot of bandwidth. To minimize the impact on the network the network administrators have set things up to allow the use of multicasting to the monitors for these notifications. Now it has to be set up on the FortiGate firewall to allow the traffic.

  • The range being used for the multicast is 239.5.5.10 to 239.5.5.200
  • The interface on this FortiGate firewall will be port 9

  1. Go to Policy & Objects> Objects > Addresses and select Create New > Address.
  2. Fill out the fields with the following information:

Field Value
Category Multicast Address
Name Meeting_Room_Displays
Type Multicast IP Range
Multicast IP Range 239.5.5.10-239.5.5.200
Interface port9
Show in Address List <enable>
Comments <Input into this field is optional>

  3. Select OK.

To configure the same address in the CLI, enter the following commands:

config firewall multicast-address
    edit "meeting_room_display"
        set type multicastrange
        set associated-interface "port9"
        set start-ip 239.5.5.10
        set end-ip 239.5.5.200
        set visibility enable
    next
end

To verify that the address range was added correctly:

  1. Go to Policy & Objects> Objects > Addresses. Check that the addresses have been added to the address list and that they are correct.
  2. Enter the following CLI command:

config firewall multicast-address
    edit <the name of the address that you wish to verify>
        show full-configuration

Broadcast subnet

This type of address will allow multicast broadcast to every node on a subnet.

  1. Go to Policy & Objects > Addresses.
  2. Select Create New. A drop down menu is displayed. Select Address.
  3. In the Category field, choose Multicast Address.
  4. Input a Name for the address object.
  5. In the Type field, select Broadcast Subnet from the drop down menu.
  6. In the Broadcast Subnet field, enter the address and subnet mask according to the format x.x.x.x/x.x.x.x or the short hand format x.x.x.x/x. (Remember, it needs to be within the appropriate IP range, 224.0.0.0 to 239.255.255.255.)
  7. In the Interface field, leave as the default any or select a specific interface from the drop down menu.
  8. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled, the address will appear in drop down menus where it is an option.
  9. Input any additional information in the Comments field.
  10. Press OK.

Example

Field Value
Category Broadcast Subnet
Name Corpnet-B
Type Broadcast Subnet
Broadcast Subnet 224.5.5.0/24
Interface any
Show in Address List [on]
Comments Corporate Network devices – Broadcast Group B

Multicast IP addresses

Multicast uses the Class D address space. The 224.0.0.0 to 239.255.255.255 IP address range is reserved for multicast groups. The multicast address range applies to multicast groups, not to the originators of multicast packets. The following table lists the reserved multicast address ranges and describes what they are reserved for:

Reserved multicast address ranges

Reserved Address Range: 224.0.0.0 to 224.0.0.255
Use: Used for network protocols on local networks. For more information, see RFC 1700. In this range, packets are not forwarded by the router but remain on the local network. They have a Time to Live (TTL) of 1. These addresses are used for communicating routing information.

Reserved Address Range: 224.0.1.0 to 238.255.255.255
Use: Global addresses used for multicasting data between organizations and across the Internet. For more information, see RFC 1700. Some of these addresses are reserved, for example, 224.0.1.1 is used for Network Time Protocol (NTP).

Reserved Address Range: 239.0.0.0 to 239.255.255.255
Use: Limited scope addresses used for local groups and organizations. For more information, see RFC 2365. Routers are configured with filters to prevent multicasts to these addresses from leaving the local system.

Creating multicast security policies requires multicast firewall addresses. You can add multicast firewall addresses by going to Firewall Objects > Address > Addresses and selecting Create New > Multicast Address. The factory default configuration includes multicast addresses for Bonjour (224.0.0.251-224.0.0.251), EIGRP (224.0.0.10-224.0.0.100), OSPF (224.0.0.5-224.0.0.60), all_hosts (224.0.0.1-224.0.0.1), and all_routers (224.0.0.2-224.0.0.2).

IPv6 addresses

When creating an IPv6 address there are a number of different types of addresses that can be specified. These include:

  • Subnet
  • IP Range – the details of this type of address are the same as the IPv4 version of this type
  • IPv6 FQDN firewall addresses – similar to the IPv4 version.

The IPv6 addresses don’t yet have the versatility of the IPv4 address in that they don’t have things like geography based addresses, but as IPv6 becomes more mainstream this should change.

Subnet addresses

The Subnet Address type is one that is only used in reference to IPv6 addresses. It represents an IPv6 address subnet. This means that the address will likely be a series of hexadecimal characters followed by a double colon, followed by a “/”, and then a number less than 128 to indicate the size of the subnet. An example would be:

fd5e:3c59:35ce:f67e::/64

  • The hexadecimal characters represent the IPv6 subnet address.
  • The “::” indicates 0’s from that point to the left. In an actual address for a computer, the hexadecimal characters that would take the place of these zeros would represent the device address on the subnet.
  • /xx, in this case /64, represents the number of bits in the subnet. This will make a range that can potentially include 18,446,744,073,709,551,616 addresses. For those wanting to use English rather than math, that is 18 quintillion.

Creating a subnet address

  1. Go to Policy & Objects > Addresses.
  2. Select Create New. A drop down menu is displayed. Select Address.
  3. In the Category field, choose IPv6 Address.
  4. Input a Name for the address object.
  5. In the Type field, select Subnet from the drop down menu.
  6. In the Subnet / IP Range field, enter the range of addresses in IPv6 format (no spaces).
  7. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled, the address will appear in drop down menus where it is an option.
  8. Input any additional information in the Comments field.
  9. Press OK.

Example

Example of an IP Range address for a group of computers set aside for guests on the company network.

Field Value
Category IPv6 Address
Name IPv6_Guest_user_range
Type Subnet
Subnet / IP Range fd5e:3c59:35ce:f67e::/64
Show in Address List [on]
Comments  

IPv6 FQDN firewall addresses

FQDN firewall addresses can be configured for IPv6.

Syntax in CLI

config firewall address6
    edit <address_name>
        set type fqdn
        set fqdn <domain_name>
        set cache-ttl <integer value from 0 to 86400>
end

Firewall IPv6 address templates

You can use the IPv6 address templates to create new IPv6 addresses that share a prefix. Using templates for addresses reduces the chance of configuring an incorrect address due to a typographical error.

  • A standard IPv6 address can be divided into three parts: [IPv6 network prefix] + [subnet segments] + [host address]
  • The subnet segments can be split into multiple 4-bit blocks called nibbles
  • Each subnet segment represents a different geographical or organizational part of the network. Segments are represented by 1 or more nibbles.

Example of a prefix:

2001:db8:1234:0000::/64

Section Description
2001:db8:1234 Prefix (48 bits)
0000 Place holder for the subnet segments (16 bits)
/64 Subnet mask

The 16 bits that make up the subnet segments can be more granular.

Example: 0011 1111 0000 1101

Segment Binary Hexadecimal
Site 0011 0x3
Subsite 1111 0xf
Subnet 0000 1101 0x0d

The resulting network portion of the address is:

2001:db8:1234:3f0d::/64

By changing the mask, the subnet segment could be increased:

2001:db8:1234:0000::/48 (subnet segment: 0000)

2001:db8:1234:0000::/32 (subnet segment: 0000 0000)

This makes more options available for the configuration of the subnet segments. Below is an example of a very basic template:

Using that template, you can see how the GUI could be used to quickly create address objects.
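The nibble arithmetic above can be carried out programmatically, which is also a convenient way to audit whether an existing /64 follows the template. The following Python script is an added example written for this page; it is not Fortinet code and it does not generate FortiOS configuration. It assumes the page's template (prefix 2001:db8:1234::/48, Site and Subsite of one nibble each, Subnet of two nibbles, /64 host networks); the function and variable names are the example's own.

```python
import ipaddress

# Template taken from the text: a 48-bit prefix, a 16-bit subnet field split into
# Site (1 nibble), Subsite (1 nibble) and Subnet (2 nibbles), and /64 host networks.
# The names and widths are this example's assumptions, not a FortiOS setting.
PREFIX = "2001:db8:1234::/48"
SEGMENTS = [("Site", 1), ("Subsite", 1), ("Subnet", 2)]   # (name, width in nibbles)
HOST_PREFIXLEN = 64


def build_subnet(values, prefix=PREFIX, segments=SEGMENTS, host_len=HOST_PREFIXLEN):
    """Fill the subnet field after `prefix` with the nibble values in `values`
    (most significant segment first) and return the resulting /host_len network."""
    base = ipaddress.IPv6Network(prefix)
    field_bits = 4 * sum(width for _, width in segments)
    if base.prefixlen + field_bits != host_len:
        raise ValueError("prefix length plus subnet field must equal the host prefix length")
    field = 0
    for name, width in segments:
        value = values[name]
        if not 0 <= value < (1 << (4 * width)):
            raise ValueError(f"{name}={value:#x} does not fit in {width} nibble(s)")
        field = (field << (4 * width)) | value
    # The field occupies the bits immediately below the host prefix boundary.
    network_int = int(base.network_address) | (field << (128 - host_len))
    return str(ipaddress.IPv6Network((network_int, host_len)))


def split_segments(network, prefix=PREFIX, segments=SEGMENTS):
    """Inverse of build_subnet: recover each segment's value from an existing network."""
    net = ipaddress.IPv6Network(network, strict=False)
    base = ipaddress.IPv6Network(prefix)
    if not net.subnet_of(base):
        raise ValueError(f"{network} is outside the template prefix {prefix}")
    field_bits = net.prefixlen - base.prefixlen
    field = (int(net.network_address) >> (128 - net.prefixlen)) & ((1 << field_bits) - 1)
    result = {}
    for name, width in reversed(segments):   # peel off the least significant segment first
        result[name] = field & ((1 << (4 * width)) - 1)
        field >>= 4 * width
    return result


if __name__ == "__main__":
    # Reproduces the page's worked example: Site 0x3, Subsite 0xf, Subnet 0x0d -> 3f0d.
    net = build_subnet({"Site": 0x3, "Subsite": 0xf, "Subnet": 0x0d})
    print(net)                    # 2001:db8:1234:3f0d::/64
    print(split_segments(net))    # Site 3, Subsite 15, Subnet 13
```

Run it directly to see the page's 2001:db8:1234:3f0d::/64 produced from its three segment values; build_subnet refuses a value that overflows its nibble width, which is the typo class the template is meant to prevent.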

FortiGate Address Objects

IPv4 addresses

When creating an IPv4 address there are a number of different types of addresses that can be specified. These include:

  • FQDN
  • Geography
  • IP range
  • IP/Netmask
  • Wildcard FQDN

Which one you choose will depend on which method most easily yet accurately describes the addresses you are trying to include, with as few entries as possible, based on the information that you have. For instance, if you are trying to describe the addresses of a specific company’s web server but have no idea how extensive their web server farm is, you would be more likely to use a Fully Qualified Domain Name (FQDN) rather than a specific IP address. On the other hand, some computers don’t have FQDNs and a specific IP address must be used.

The following is a more comprehensive description of the different types of addresses.

FQDN addresses

By using Fully Qualified Domain Name (FQDN) addressing you can take advantage of the dynamic ability of DNS to keep up with address changes without having to manually change the addresses on the FortiGate. FQDN addresses are most often used with external web sites but they can be used for internal web sites as well if there is a trusted DNS server that can be accessed. FQDN addressing also comes in handy for large web sites that may use multiple addresses and load balancers for their web sites. The FortiGate firewall automatically maintains a cached record of all the addresses resolved by the DNS for the FQDN addresses used.

For example, if you were doing this manually and you wanted to have a security policy that involved Google you could track down all of the IP addresses that they use across multiple countries. Using the FQDN address is simpler and more convenient.

When representing hosts by an FQDN, the domain name can also be a subdomain, such as mail.example.com.

Valid FQDN formats include:

  • <host_name>.<top_level_domain_name>, such as example.com
  • <host_name>.<second_level_domain_name>.<top_level_domain_name>, such as mail.example.com

When creating FQDN entries it is important to remember that:

  • Wildcards are not supported in FQDN address objects
  • While there is a level of convention that would imply it, “www.example.com” is not necessarily the same address as “example.com”. They will each have their own records on the DNS server.

The FortiGate firewall keeps track of the DNS TTLs, so as the entries change on the DNS servers the IP address is effectively updated on the FortiGate. As long as the FQDN address is used in a security policy, it stores the address in the DNS cache.

There is a possible security downside to using FQDN addresses. Using a fully qualified domain name in a security policy means that your policies rely on the DNS server being accurate and correct. In the past DNS servers were not seen as potential targets, because the thinking was that there was little of value on them, and therefore they are often not as well protected as other network resources. People are becoming more aware that the value of the DNS server is that in many ways it controls where users and computers go on the Internet. Should the DNS server be compromised, security policies that depend on domain name resolution may no longer function properly.

Creating a Fully Qualified Domain Name address

  1. Go to Policy & Objects > Addresses.
  2. Select Create New. A drop down menu is displayed. Select Address. In the Category field, choose Address. (This is for IPv4 addresses.)
  3. Input a Name for the address object.
  4. In the Type field, select FQDN from the drop down menu.
  5. Input the domain name in the FQDN field.
  6. In the Interface field, leave as the default any or select a specific interface from the drop down menu.
  7. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled, the address will appear in drop down menus where it is an option.
  8. Input any additional information in the Comments field.
  9. Press OK.

Example: FQDN address

You have to create a policy that will govern traffic that goes to a site that has a number of servers on the Internet. Depending on the traffic, or on the possibility that one of the servers is down, network traffic can go to any one of those servers. The consistent factor is that they all use the same Fully Qualified Domain Name.

  • The FQDN of the web site: example.com
  • The number of ISP connections off of the FortiGate firewall: 2

Configuring the address in the GUI

  1. Go to Policy & Objects> Objects > Addresses and select Create New > Address.
  2. Fill out the fields with the following information:

Field Value
Category Address
Name BigWebsite.com
Type FQDN
FQDN bigwebsite.com
Interface any
Show in Address List <enable>
Comments <Input into this field is optional>

  3. Select OK.

Configuring the address in the CLI

config firewall address
    edit BigWebsite.com
        set type fqdn
        set associated-interface any
        set fqdn bigwebsite.com
end

Verification

To verify that the addresses were added correctly:

  1. Go to Firewall Objects > Address > Addresses. Check that the addresses have been added to the address list and that they are correct.
  2. Enter the following CLI command:

config firewall address
    edit <the name of the address that you wish to verify>
        show full-configuration

Changing the TTL of a FQDN address

To make sure that the FQDN resolves to the most recent active server you have been asked to make sure that the FortiGate has not cached the address for any longer than 10 minutes.

There is no field for the cached time-to-live in the web-based manager. It is only configurable in the CLI. Enter the following commands:

config firewall address
    edit BigWebsite.com
        set cache-ttl 600
end
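Because FQDN objects move trust onto DNS, as the section above notes, it is useful to be able to list which address objects are FQDN based and what cache-ttl each carries. The following Python script is an added example, not part of this document or of FortiOS: it parses the config/edit/set/next/end text that the CLI prints for `show full-configuration` and reports every FQDN address whose cache-ttl is absent or above a chosen limit (600 seconds, the value of the scenario above). The sample configuration embedded in it is constructed for the example and the function names are the example's own.

```python
import shlex

# Constructed sample in the layout FortiOS prints for "show full-configuration";
# the object names and values are made up for this example.
SAMPLE_CONFIG = """
config firewall address
    edit "BigWebsite.com"
        set type fqdn
        set fqdn "bigwebsite.com"
        set associated-interface "any"
        set cache-ttl 600
    next
    edit "mail-server"
        set type fqdn
        set fqdn "mail.example.com"
    next
    edit "DB_server_1"
        set type ipmask
        set subnet 10.1.1.5 255.255.255.255
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts.

    'config <table>' and 'edit <name>' open a nested dict; 'set <key> <values...>'
    stores the value tokens as a list; 'next' and 'end' close the current level.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())   # honours the double quotes FortiOS prints
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]
        elif keyword in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced {keyword!r}")
            stack.pop()
        # other keywords (unset, comments) are not needed for this audit
    if len(stack) != 1:
        raise ValueError("configuration text ended inside an open block")
    return root


def audit_fqdn_addresses(config, max_ttl=600):
    """Return (name, fqdn, cache_ttl, status) for every FQDN address object.

    status is 'ok', 'no explicit cache-ttl', or 'cache-ttl N exceeds LIMIT'.
    """
    findings = []
    for name, settings in config.get("firewall address", {}).items():
        if settings.get("type") != ["fqdn"]:
            continue
        fqdn = settings.get("fqdn", [""])[0]
        ttl_tokens = settings.get("cache-ttl")
        ttl = int(ttl_tokens[0]) if ttl_tokens else None
        if ttl is None:
            status = "no explicit cache-ttl"
        elif ttl > max_ttl:
            status = f"cache-ttl {ttl} exceeds {max_ttl}"
        else:
            status = "ok"
        findings.append((name, fqdn, ttl, status))
    return findings


if __name__ == "__main__":
    for finding in audit_fqdn_addresses(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

Feed it the saved output of `show full-configuration` from the firewall address table; objects of other types (ipmask, geography, iprange) are skipped, and the parser raises on unbalanced blocks so a truncated capture is not silently audited.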

Geography based addresses

Geography addresses are those determined by country of origin.

This type of address is only available in the IPv4 address category.

Creating a geography address

  1. Go to Policy & Objects > Addresses.
  2. Select Create New. A drop down menu is displayed. Select Address. In the Category field, choose Address. (This is for IPv4 addresses.)
  3. Input a Name for the address object.
  4. In the Type field, select Geography from the drop down menu.
  5. In the Country field, select a single country from the drop down menu.
  6. In the Interface field, leave as the default any or select a specific interface from the drop down menu.
  7. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled, the address will appear in drop down menus where it is an option.
  8. Input any additional information in the Comments field.
  9. Press OK.

Example: Geography-based address

Configuring the address in the GUI

Your company is US based and has information on its web site that may be considered information that is not allowed to be sent to embargoed countries. In an effort to help reduce the possibility of sensitive information going to those countries, you have been asked to set up addresses for those countries so that they can be blocked in the firewall policies.

  • One of the countries you have been asked to block is Cuba
  • You have been asked to comment the addresses so that other administrators will know why they have been created

  1. Go to Policy & Objects> Objects > Addresses and select Create New > Address.
  2. Fill out the fields with the following information:

Field Value
Category Address
Name Cuba
Type Geography
Country Cuba
Interface any
Visibility <enable>
Comments Embargoed

  3. Select OK.

Configuring the address in the CLI

Enter the following CLI commands:

config firewall address
    edit Cuba
        set type geography
        set country CU
        set associated-interface wan1
end

Overrides

It is possible to assign a specific ip address range to a customized country ID. Generally, geographic addressing is done at the VDOM level; it could be considered global if you are using the root VDOM, but the geoip-override setting is a global setting.

config system geoip-override
    edit "test"
        set country-id "A0"
        config ip-range
            edit 1
                set start-ip 7.7.7.7
                set end-ip 7.7.7.8
            next
            edit 2
                set start-ip 7.7.10.1
                set end-ip 7.7.10.255
            next
        end
    next
end

  • While the setting exists in the configuration file, the system assigns the country-id option automatically.
  • While you can use “edit 1” and “edit 2”, it is simpler to use “edit 0” and let the system automatically assign an ID number.

After creating a customized country with the geoip-override command, the new country name is added automatically to the country list and becomes available in the Country field of a firewall address.

Diagnose commands

There are a few diagnose commands used with geographic addresses. The basic syntax is:

diagnose firewall ipgeo [country-list | ip-list | ip2country | override | copyright-notice]

Diagnose command Description
country-list Listing of all the countries.
ip-list List of the IP addresses associated with the country
ip2country Used to determine which country a specific IP address is assigned to.
override Listing of user defined geography data – items configured by using “config system geoip-override” command.
copyright-notice Shows the copyright notice.

IP range addresses

Where the subnet address is good at representing a standardized group of addresses that are subnets, the IP Range type of address can describe a group of addresses while being specific and granular. It does this by specifying a continuous set of IP addresses between one specific IP address and another. While it is most common that this range is within a subnet, it is not a requirement. For instance, 192.168.1.0/24 and 192.168.2.0/24 would be 2 separate subnets, but if you wanted to describe the top half of one and the bottom half of the other you could describe the range 192.168.1.128-192.168.2.127. It’s also a lot easier than trying to calculate the correct subnet mask.

The format would be:

x.x.x.x-x.x.x.x, such as 192.168.110.100-192.168.110.120

There is a notation that is commonly used and accepted by some devices that follows the format:

x.x.x.[x-x], such as 192.168.110.[100-120]

This format is not recognized in FortiOS 5.2 as a valid IP Range.

Creating an IP range address

  1. Go to Policy & Objects > Addresses.
  2. Select Create New. A drop down menu is displayed. Select Address. In the Category field, choose Address (IPv4 addresses) or IPv6 Address.
  3. Input a Name for the address object.
  4. In the Type field, select IP Range from the drop down menu.
  5. In the Subnet / IP Range field, enter the range of addresses in the following format: x.x.x.x-x.x.x.x (no spaces).
  6. In the Interface field, leave as the default any or select a specific interface from the drop down menu. (This setting is not available for IPv6 addresses.)
  7. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled, the address will appear in drop down menus where it is an option.
  8. Input any additional information in the Comments field.
  9. Press OK.

Example

Example of an IP Range address for a group of computers set aside for guests on the company network.

Field Value
Category Address or IPv6 Address
Name Guest_users
Type IP Range
Subnet / IP Range 192.168.100.200-192.168.100.240
Interface Port1
Show in Address List [on]
Comments Computers on the 1st floor used by guests for Internet access.

IP Range addresses can be configured for both IPv4 and IPv6 addresses. The only differences in creating an IPv6 IP Range address are that you would choose IPv6 Address for the Category and that the address in the Subnet/IP Range field would be in the format 2001:0db8:0000:0002:0:0:0:20-2001:0db8:0000:0004:0:0:0:20

IP / netmask addresses

The subnet type of address is expressed using a host address and a subnet mask. From a strictly mathematical standpoint this is the most flexible of the types because the address can refer to as little as one individual address or as many as all of the available addresses.

It is usually used when referring to your own internal addresses because you know what they are and they are usually administered in groups that are nicely differentiated along the lines of the old A, B, and C classes of IPv4 addresses. They are also addresses that are not likely to change with the changing of Internet Service Providers (ISP).

When representing hosts by an IP address with a netmask, the IP address can represent one or more hosts. For example, a firewall address can be:

  • A single host such as a single computer with the address 192.45.46.45
  • A range of hosts such as all of the hosts on the subnet 192.45.46.1 to 192.45.46.255
  • All hosts, represented by 0.0.0.0 which matches any IP address

The netmask corresponds to the subnet class of the address being added, and can be represented in either dotted decimal or CIDR format. The FortiGate unit automatically converts CIDR formatted netmasks to dotted decimal format. Example formats:

  • Netmask for a class A subnet of 16,777,214 usable addresses: 255.0.0.0, or /8
  • Netmask for a class B subnet of 65,534 usable addresses: 255.255.0.0, or /16
  • Netmask for a class C subnet of 254 usable addresses: 255.255.255.0, or /24
  • Netmask for a subnetted class C of 126 usable addresses: 255.255.255.128, or /25
  • Netmask for a subnetted class C of 62 usable addresses: 255.255.255.192, or /26
  • Netmask for a subnetted class C of 30 usable addresses: 255.255.255.224, or /27
  • Netmask for a subnetted class C of 14 usable addresses: 255.255.255.240, or /28
  • Netmask for a subnetted class C of 6 usable addresses: 255.255.255.248, or /29
  • Netmask for a subnetted class C of 2 usable addresses: 255.255.255.252, or /30
  • Netmask for a single computer: 255.255.255.255, or /32
  • Netmask used with 0.0.0.0 to include all IP addresses: 0.0.0.0, or /0

So for a single host or subnet the valid format of IP address and netmask could be either:

x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0 or

x.x.x.x/x, such as 192.168.1.0/24
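The formats in this section (x.x.x.x-x.x.x.x ranges, x.x.x.x/x.x.x.x and x.x.x.x/x netmasks) and the multicast bounds from the Multicast addresses section can be checked before an object is pushed to a FortiGate, for instance in a script that generates address objects from an inventory. The following Python code is an added example written for this page, not Fortinet code; it uses only the standard ipaddress module, rejects the x.x.x.[x-x] bracket notation that the IP range section says FortiOS does not accept, and its function names are the example's own.

```python
import ipaddress

# The IPv4 range the Multicast addresses section reserves for multicast groups.
MULTICAST_BLOCK = ipaddress.IPv4Network("224.0.0.0/4")   # 224.0.0.0 - 239.255.255.255


def parse_ip_range(text):
    """Parse the FortiOS IP Range form x.x.x.x-x.x.x.x (no spaces).

    The x.x.x.[x-x] bracket form, which the page says FortiOS does not accept,
    is rejected along with anything containing whitespace.
    """
    if any(ch in text for ch in " []"):
        raise ValueError(f"unsupported range syntax: {text!r}")
    start_text, sep, end_text = text.partition("-")
    if not sep:
        raise ValueError(f"range must be start-end: {text!r}")
    start = ipaddress.IPv4Address(start_text)
    end = ipaddress.IPv4Address(end_text)
    if end < start:
        raise ValueError(f"end address precedes start address: {text!r}")
    return start, end


def range_size(start, end):
    """Number of addresses in an inclusive range."""
    return int(end) - int(start) + 1


def parse_ip_netmask(text):
    """Parse x.x.x.x/x.x.x.x or x.x.x.x/x. The netmask is available in dotted decimal
    via .with_netmask, the form the page says the FortiGate normalizes to.
    strict=False permits a host address with host bits set."""
    return ipaddress.IPv4Network(text, strict=False)


def usable_hosts(network):
    """Usable host count as the netmask list above counts it (network and broadcast
    excluded); a /32 is a single computer."""
    if network.prefixlen >= 31:
        return network.num_addresses
    return network.num_addresses - 2


def parse_multicast_range(text):
    """A Multicast IP Range must lie entirely within 224.0.0.0-239.255.255.255."""
    start, end = parse_ip_range(text)
    if start not in MULTICAST_BLOCK or end not in MULTICAST_BLOCK:
        raise ValueError(f"not within the multicast block: {text!r}")
    return start, end


def is_valid(parser, text):
    """True if `parser` accepts `text`, False if it raises ValueError."""
    try:
        parser(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    s, e = parse_ip_range("192.168.1.128-192.168.2.127")
    print(s, e, range_size(s, e))                            # the two-half-subnets range
    print(parse_ip_netmask("192.168.1.0/24").with_netmask)   # 192.168.1.0/255.255.255.0
    print(is_valid(parse_ip_range, "192.168.110.[100-120]"))  # False
    print(parse_multicast_range("239.5.5.10-239.5.5.200"))
```

The validators raise ValueError with the offending text, so a generator script can stop on the first bad inventory line rather than push a malformed object to the firewall.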

Static route configuration

A setting that is found in the IP/Netmask address type that is not found in the other address types is the enabling or disabling of Static Route Configuration. Enabling this feature includes the address in the listing of named addresses when setting up a static route.

To use in the GUI:

  1. Enable the Static Route Configuration in the address.
  2. Go to Network > Static Routes and create a new route.
  3. For a Destination type, choose Named Address.
  4. Using the drop down menu, enter the name of the address object in the field just underneath the Destination type options.
  5. Fill out the other information relevant to the route.
  6. Select the OK button.

To enable in the CLI:

config firewall address
    edit <address_name>
        set allow-routing enable
end

Creating a subnet address

  1. Go to Policy & Objects > Addresses.
  2. Select Create New. A drop down menu is displayed. Select Address. In the Category field, choose Address. (This is for IPv4 addresses.)
  3. Input a Name for the address object.
  4. In the Type field, select IP/Netmask from the drop down menu.
  5. In the Subnet/IP Range field, enter the address and subnet mask according to the format x.x.x.x/x.x.x.x or the short hand format x.x.x.x/x.
  6. In the Interface field, leave as the default any or select a specific interface from the drop down menu.
  7. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled, the address will appear in drop down menus where it is an option.
  8. Select the desired on/off toggle setting for Static Route Configuration.
  9. Input any additional information in the Comments field.
  10. Press OK.

Example

Example of a Subnet address for a database server on the DMZ:

Field Value
Category Address
Name DB_server_1
Type IP/Netmask
Subnet/IP Range United States
Interface any
Show in Address List [on]
Static Route Configuration [off]
Comments  

Wildcard addressing

Wildcard addresses are addresses that identify ranges of IP addresses, reducing the amount of firewall addresses and security policies required to match some of the traffic on your network. Wildcard addresses are an advanced feature, usually required only for complex networks with complex firewall filtering requirements. By using these wildcard addresses in the firewall configuration, administrators can eliminate creating multiple, separate IP based address objects and then grouping them to then apply to multiple security policies.

A wildcard address consists of an IP address and a wildcard netmask, for example, 192.168.0.56 255.255.0.255. In this example, the IP address is 192.168.0.56 and the wildcard netmask is 255.255.0.255. The IP address defines the networks to match and the wildcard netmask defines the specific addresses to match on these networks.

In a wildcard netmask, zero means ignore the value of the octet in the IP address, which means the wildcard firewall address matches any number in this address octet. This also means that the number included in this octet of IP address is ignored and can be any number. Usually, if the octet in the wildcard netmask is zero, the corresponding octet in the IP address is also zero.

In a wildcard netmask, a number means match addresses according to how the numbers translate into binary addresses. For example, the wildcard netmask is 255; the wildcard address will only match addresses with the value for this octet that is in the IP address part of the wildcard address. So, if the first octet of the IP address is 192 and the first octet of the wildcard netmask is 255, the wildcard address will only match addresses with 192 in the first octet.

In the above example, the wildcard address 192.168.0.56 255.255.0.255 would match the following IP addresses:

192.168.0.56

192.168.1.56

192.168.2.56 …

192.168.255.56

The wildcard addresses 192.168.0.56 255.255.0.255 and 192.168.1.56 255.255.0.255 define the same thing since the 0 in the wildcard mask means to match any address in the third octet.

If we use the wildcard address 172.0.20.10 255.0.255.255, it would match the following IP addresses:

172.1.20.10

172.2.20.10

172.3.20.10 …

172.255.20.10

If you do not want to use all of the values in the octet, you can select a smaller grouping by using a number other than 255 in the wildcard netmask. There are some limitations though that users familiar with subnetting an IP range will recognize.

  • The range should be a value that is a power of 2, such as 2, 4, 8, 16, etc.
  • The starting number should be the first number in a number grouping of the same power of 2 divided by the possible range. For instance, if the range is 32 addresses, divide 256 by 32. Start at 0. Therefore the starting IP address can be 0, 33, 65, 97, 129, 161, 193, and 225. If you don’t want to do the math yourself there are a number of online subnet calculators that you can use.

You can perform a binary conversion to calculate the addresses that would be matched by a given value. For example, you can create the IP address and wildcard netmask to match the following network addresses:

192.168.32.0/24

192.168.33.0/24

192.168.34.0/24

192.168.35.0/24

192.168.36.0/24

192.168.37.0/24

192.168.38.0/24

192.168.39.0/24

In this example the range for the numbers in the third octet is 8.

The table shows how to write the third octet for these networks according to the octet bit position and address value for each bit.

Decimal  128    64     32     16     8      4      2      1
32       0      0      1      0      0      0      0      0
33       0      0      1      0      0      0      0      1
34       0      0      1      0      0      0      1      0
35       0      0      1      0      0      0      1      1
36       0      0      1      0      0      1      0      0
37       0      0      1      0      0      1      0      1
38       0      0      1      0      0      1      1      0
39       0      0      1      0      0      1      1      1
         Match  Match  Match  Match  Match  Differ Differ Differ

Use some basic math:

128 + 64 + 32 + 16 + 8 = 248

248 is the value in the wildcard netmask for the third octet.

The networks can be summarized into one network (192.168.32.0/21 or 192.168.32.0 255.255.248.0). All eight possible combinations of the three low-order bits are relevant for the network ranges. The wildcard address that would match all of these subnet addresses can be written as 192.168.32.0 255.255.248.0.

Wildcard addresses are similar to routing access list wildcard masks. You add routing access lists containing wildcard masks using the config router access-list command. However, router access list wildcard masks use the inverse of the masking system used for firewall wildcard addresses. For the router access list wildcard masks, zero (0) means the bit must match and one (1) means the bit is ignored. So to match IP addresses 192.168.0.56, 192.168.1.56, 192.168.2.56, … 192.168.255.56 you would use the following router access IP address prefix and wildcard mask: 192.168.0.56 0.0.255.0.
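The following Python script is an added example, not part of the FortiOS documentation: it implements the wildcard-netmask matching rule described above, derives a wildcard address from a list of networks using the same bit comparison as the table, converts it to the inverse mask used by router access lists, and checks whether the derived wildcard would match more addresses than the listed networks contain. All function names are my own.

```python
import ipaddress
from typing import Iterable

# Added example, not FortiOS code. A wildcard address is written as
# "<ip> <wildcard-netmask>": a 1 bit in the netmask means that bit of a
# candidate address must equal the IP, a 0 bit means the bit is ignored.

def _to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))

def wildcard_matches(wildcard: str, candidate: str) -> bool:
    """True if `candidate` is matched by the FortiOS wildcard address."""
    ip, mask = wildcard.split()
    m = _to_int(mask)
    return (_to_int(ip) & m) == (_to_int(candidate) & m)

def wildcard_from_networks(networks: Iterable[str]) -> str:
    """Derive the wildcard address covering a list of CIDR networks.

    Bits that are identical in every network address stay 1 in the wildcard
    netmask (must match); bits that differ become 0 (ignored). Host bits of
    the shortest input prefix are always ignored.
    """
    nets = [ipaddress.IPv4Network(n) for n in networks]
    addrs = [int(n.network_address) for n in nets]
    mask = 0xFFFFFFFF
    for n in nets:
        mask &= int(n.netmask)
    differing = 0
    for a in addrs[1:]:
        differing |= addrs[0] ^ a
    mask &= 0xFFFFFFFF ^ differing
    # Keep zeros in the ignored bits of the IP part, as the text recommends.
    return f"{_to_str(addrs[0] & mask)} {_to_str(mask)}"

def wildcard_over_matches(wildcard: str, networks: Iterable[str]) -> bool:
    """True if the wildcard matches more addresses than the networks contain.

    A wildcard netmask matches exactly 2**(number of 0 bits) addresses, so a
    set of networks that is not a power-of-two aligned block is silently
    widened. Check this before putting the derived object into a policy.
    """
    _, mask = wildcard.split()
    covered = 2 ** (32 - bin(_to_int(mask)).count("1"))
    intended = sum(ipaddress.IPv4Network(n).num_addresses for n in networks)
    return covered > intended

def to_router_wildcard(wildcard: str) -> str:
    """Convert to the inverse mask used by `config router access-list`."""
    ip, mask = wildcard.split()
    return f"{ip} {_to_str(0xFFFFFFFF ^ _to_int(mask))}"

if __name__ == "__main__":
    subnets = [f"192.168.{i}.0/24" for i in range(32, 40)]  # the text's example
    wc = wildcard_from_networks(subnets)
    print(wc, "over-matches:", wildcard_over_matches(wc, subnets))
    print(to_router_wildcard("192.168.0.56 255.255.0.255"))
```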

The following is an example of how to configure a wildcard firewall address.

config firewall address
    edit example_wildcard_address
        set type wildcard
        set wildcard 192.168.0.56 255.255.0.255
end

Wildcard firewall addresses are initially configured in the CLI. You cannot choose wildcard in the GUI when creating the address, but after the address is created in the CLI, it will show up in the GUI. The Type field shows a grayed out value of Wildcard and the settings, other than the type, can be edited.

Wildcard FQDN

There are a number of companies that use secondary and even tertiary domain names or FQDNs for their websites. Wildcard FQDN addresses are intended to ease the administrative overhead in cases where this occurs. Sometimes it's as simple as sites that still use www. as a prefix for their domain name. If you don’t know whether or not the www is being used it’s simpler to use a wildcard and include all of the possibilities, whether it be example.com, www.example.com or even ftp.example.com.

The following wildcard character instances are supported in wildcard FQDN addresses:

  • “?” character
  • “*” character in the middle of a phrase
  • The “?*” combination

Wildcard FQDN addresses do not resolve to a specific set of IP addresses in the same way that a normal FQDN address does. They are intended for use in SSL exemptions and should not be used as source or destination addresses in policies.

Creating a Fully Qualified Domain Name address

  1. Go to Policy & Objects > Addresses.
  2. Select Create New. A drop down menu is displayed. Select Address. In the Category field, choose Address. (This is for IPv4 addresses.)
  3. Input a Name for the address object.
  4. In the Type field, select Wildcard FQDN from the drop down menu.
  5. Input the domain name in the Wildcard FQDN field.
  6. In the Interface field, leave as the default any or select a specific interface from the drop down menu.
  7. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
  8. Input any additional information in the Comments field.
  9. Press OK.

Example

Example of a wildcard FQDN address for a remote FTP server used by the Accounting team:

Field Value
Category Address
Name Example.com_servers
Type Wildcard FQDN
Wildcard FQDN *.example.com
Interface any
Show in Address List [on]
Comments Secondary and tertiary domain names for example.com

Wildcard FQDNs for SSL deep inspection exemptions

As part of an improvement to SSL deep inspection, wildcard FQDN addresses are stored in two tables: one in firewall address, the historic location for the information, and the second in firewall wildcard-fqdn custom. The wildcard FQDN in firewall address is used by proxy-policy. The wildcard FQDN in firewall wildcard-fqdn custom is used by ssl-exempt in ssl-ssh-profile.

During an upgrade from v5 to v6, all wildcard FQDN in firewall address in the v5 configuration will be moved to firewall wildcard-fqdn custom. If the wildcard FQDN is used in a policy in v5, the upgrade process will leave a copy of the wildcard FQDN in firewall address in addition to the one in firewall wildcard-fqdn custom.

Syntax of the firewall wildcard-fqdn custom object:

config firewall wildcard-fqdn custom
    edit <string_value>
        set uuid <string_value>
        set wildcard-fqdn <string_value>
        set color <integer 0-32>
        set comment <string_value>
        set visibility {enable|disable}
    next
end

Syntax of the firewall wildcard-fqdn group object:

config firewall wildcard-fqdn group
    edit "test-group"
        set uuid <string_value>
        set member <string_value> [<string_value>]
        set color 0
        set comment ''
        set visibility enable
    next
end

Object configuration – FortiOS 6

As was mentioned earlier, the components of the FortiGate firewall go together like interlocking building blocks. The Firewall objects are a prime example of those building blocks. They are something that can be configured once and then used over and over again to build what you need. They can assist in making the administration of the FortiGate unit easier and more intuitive as well as easier to change. By configuring these objects with their future use in mind, and by building in accurate descriptions, the firewall will become almost self-documenting. That way, months later when a situation changes, you can take a look at a policy that needs to change and use a different firewall object to adapt to the new situation rather than build everything new from the ground up to accommodate the change.

This chapter includes information about the following Firewall objects:

  • Addresses
  • Virtual IPs
  • IP Pools
  • Services
  • Firewall schedules

UUID support

A Universally Unique Identifier (UUID) attribute has been added to some firewall objects, so that the logs can record these UUIDs to be used by a FortiManager or FortiAnalyzer unit. The objects currently include:

  • Addresses, both IPv4 and IPv6
  • Address Groups, both IPv4 and IPv6
  • Virtual IPs, both IPv4 and IPv6
  • Virtual IP groups, both IPv4 and IPv6
  • Policies, IPv4, IPv6 and IP64

A UUID is a 16-octet (128-bit) number that is represented by 32 lowercase hexadecimal digits. The digits are displayed in five groups separated by hyphens (-). The pattern is 8-4-4-4-12; 36 characters if you include the hyphens.

Addresses

Firewall addresses define sources and destinations of network traffic and are used when creating policies. When properly set up these firewall objects can be used with great flexibility to make the configuration of firewall policies simpler and more intuitive. The FortiGate unit compares the IP addresses contained in packet headers with a security policy’s source and destination addresses to determine if the security policy matches the traffic.

The address categories and the types within those categories on the FortiGate unit can include:

  • IPv4 addresses
      • IP address and Netmask
      • IP address range
      • Geography based address
      • Fully Qualified Domain Name (FQDN) address
      • Wildcard FQDN
      • IPv4 address group
  • IPv6 addresses
      • Subnets
      • IP range
      • IPv6 address group
  • Multicast addresses
      • Multicast IP range
      • Broadcast subnets
  • Proxy addresses
      • URL pattern
      • Host Regex match
      • URL category
      • HTTP method
      • User agent
      • HTTP header
      • Advanced (source)
      • Advanced (destination)
  • IP Pools (IPv4)
      • Overload
      • One-to-one
      • Fixed port range
      • Port block allocation
  • IP pools (IPv6)
  • Virtual IP addresses
      • IPv4
      • IPv6
      • NAT46
      • NAT64

Interfaces

When setting up an address one of the parameters that is asked for is the interface. This means that the system will expect to see that address only on the interface that you select. You can only select one interface. If you expect that the address may be seen at more than one interface you can choose the “any” interface option. Whenever possible it is best to choose a more specific interface than the “any” option, because in the GUI configuration of firewall policies there is a drop down field that shows the possible addresses that can be used, and that drop down will only show those addresses that are assigned to the interface selected for that side of the policy.

Example:

  • You have an address called “XYZ”.
  • “XYZ” is set to the WAN1 interface because that is the only interface that will be able to access that address.
  • When you are selecting a Source Address in the Web-based Manager for a policy that is using the DMZ, the address “XYZ” will not be in the drop-down menu.

When there are only 10 or 20 addresses this is not a concern, but if there are a few hundred addresses configured it can make your life easier.

Addresses, address groups, and virtual IPs must have unique names to avoid confusion in firewall policies. If an address is selected in a policy, the address cannot be deleted until it is deselected from the policy.

Addressing Best Practices Tip

The other reason to assign a specific interface to addresses is that it will prevent you from accidentally assigning an address where it will not work properly. Using the example from earlier, if the “XYZ” address was assigned to the “Any” interface instead of WAN1 and you configure the “XYZ” address.

Addressing Best Practices Tip

Don’t specify an interface for VIP objects or other address objects that may need to be moved or approached from a different direction. When configuring a VIP you may think that it will only be associated with a single interface, but you may later find that you need to reference it on another interface.

Example: Some web applications require the use of a FQDN rather than an IP address. If you have a VIP set up that works from the Internet to the Internal LAN, you won't be able to use that VIP object to access it from an internal LAN interface.

Policy configuration – FortiOS 6

The firewall policies of the FortiGate are one of the most important aspects of the appliance. There are a lot of building blocks and configurations involved in setting up a firewall, and it is within the policies that a lot of these components come together to form a cohesive unit to perform the firewall’s main function: analyzing network traffic and responding appropriately to the results of that analysis.

There are a few different kinds of policies and in most cases these are further divided into IPv4 and IPv6 versions:

  • IPv4 policy – used for managing traffic going through the appliance using IPv4 protocols
  • IPv6 policy – used for managing traffic going through the appliance using IPv6 protocols
  • NAT64 policy – used for managing traffic going through the appliance that converts from IPv6 on the incoming interface to IPv4 on the outgoing interface
  • NAT46 policy – used for managing traffic going through the appliance that converts from IPv4 on the incoming interface to IPv6 on the outgoing interface
  • Multicast policy – used to manage traffic sent to multiple destinations
  • IPv4 access control list – used to filter out packets based on specific IPv4 parameters.
  • IPv6 access control list – used to filter out packets based on specific IPv6 parameters.
  • IPv4 DoS policy – used to prevent malicious or flawed packets on an IPv4 interface from denying access to users.
  • IPv6 DoS policy – used to prevent malicious or flawed packets on an IPv6 interface from denying access to users.

Because the policy determines whether or not NAT will be used, it is also important to look at how to configure:

  • Central SNAT – used for granular control of when NAT is applied.

Viewing firewall policies

To find a Policy window, follow one of these paths in the GUI:

  • Policy & Objects > IPv4 Policy
  • Policy & Objects > IPv6 Policy
  • Policy & Objects > NAT64 Policy
  • Policy & Objects > NAT46 Policy
  • Policy & Objects > Proxy Policy
  • Policy & Objects > Multicast Policy

You may notice other policy options on the left window pane such as:

  • Policy & Objects > IPv4 DoS Policy
  • Policy & Objects > IPv6 DoS Policy
  • Policy & Objects > Local In Policy

These are different enough that they have their own descriptions in the sections that relate to them.

Menu items

There are some variations, but there are some common elements shared by all of them. There is a menu bar across the top. The menu bar will have the following items going from left to right:

  • Create New button
  • Edit button
  • Delete button
  • Search field
  • Interface Pair View – Displays the policies in the order that they are checked for matching traffic, grouped by the pairs of Incoming and Outgoing interfaces. For instance, all of the policies referencing traffic from WAN1 to DMZ will be in one section. The policies referencing traffic from DMZ to WAN1 will be in another section. The sections are collapsible so that you only need to look at the sections with policies you are interested in.
  • By Sequence – Displays the policies in the order that they are checked for matching traffic without any grouping.

Menu items not shared by all policies

  • Policy Lookup – (IPv4, IPv6)
  • NAT64 Forwarding – (NAT64)

The Table of Policies

Columns

The tables that make up the Policy window are based on rows which represent individual policies and the columns that represent the various parameters or status within the policy. The columns are customizable by which columns are included and what order they are in.

The table can be laid out a number ways to suit the viewer. There is a column for most of the important pieces of information that you might be interested in seeing, but a lot of them are hidden by default. If you had a large enough screen, you might be able to show all of the columns, but even then it might look a bit busy and crammed together. Figure out which pieces of information are most important to you and hide the rest.

To configure which columns are visible and which are hidden, right click on the header row of the table. This will present a drop down menu. The drop down will be divided into sections. At the top will be the Selected Columns which are currently visible, and the next section will be Available Columns which show which columns are available to add to the table.

To move a column from the Available list to the Selected list just click on it. To move a column from the Selected list to the Available list, it also just takes a click of the mouse. To make the changes show up on the table, go to the bottom of the drop down menu and select Apply. Any additions to the table will show up on the right side.

One of the more useful ones that can be added is the ID column. The reason for adding this one is that within the configuration file and CLI, the policies are referenced by their ID number. Some policy settings are only available for configuration in the CLI. If you are looking in the CLI you will see that the only designation for a policy is its number and if you wish to edit the policy or change its order in the sequence you will be asked to move it before or after another policy by referencing its number.