Tag Archives: fortigate service group jobs

Services

While there are a number of services already configured within FortiOS, the firmware allows administrators to configure their own. The reasons for doing this usually fall into one or more of the following categories:

  • The service is not common enough to have a standard configuration
  • The service is not established enough to have a standard configuration
  • The service has a standard port number but there is a reason to use a different one:
      • The port is already in use by another service
      • For security reasons, the standard port is to be avoided

When looking at the list of preconfigured services it may seem like there are a lot, but keep in mind that the theoretical limit for port numbers is 65,535. This gives a fairly good sized range when you are choosing what port to assign a service but there are a few points to keep in mind.

  • Most of the well known ports are in the range 0 – 1023
  • Most ports assigned by the Internet Corporation for Assigned Names and Numbers (ICANN) will be in the 1024 – 49151 range
  • Port numbers between 49,152 and 65,535 are often used for dynamic, private or ephemeral ports.

There are 3 Service objects that can be added and configured:

  • Categories
  • Services
  • Service Groups

Configuring IP Pools

An IP pool is essentially one in which the IP address assigned to the sending computer is not known until the session is created; therefore, at the very least, it has to be a pool of at least 2 potential addresses. A quick example would be an IP pool for users of a VPN. IP pools are based on the IP version of the interface they are associated with, so, as expected, there are two types of IP pools that can be configured:

  • IPv4 Pool
  • IPv6 Pool

Because of the differences in the configuration for the two types of pools, instructions for configuring them will be done separately.

Creating an IPv4 Pool

1. Go to Policy & Objects > IP Pools.

2. Select Create New.

3. In the IP Pool Type field choose IPv4 Pool.

4. Enter a name in the Name field for the new IP pool.

5. Include any description you would like in the Comments field

6. In the Type field choose between:

  • Overload
  • One-to-One
  • Fixed Port Range
  • Port Block Allocation

At this point the configurations can start to differ based on the type of pool.

For more information on the different types of IP pools, check IP Pools in the Concepts section.

Overload

7. For the External IP Range fields, enter the lowest and highest addresses in the range. If you only want a single address used, enter the same address in both fields.

8. Enable the ARP Reply field by making sure there is a check in the box.

9. Select OK.

Overload Example for GUI

In this example, the Sales team needs to connect to an Application Service Provider that does the accounting for the company. As a security measure, the ASP only accepts traffic from a white list of IP addresses. There is 1 public IP address of the company on that list. The Sales team consists of 40 people, so they need to share. The external interface is wan1.

Field               Value
IP Pool Type        IPv4 Pool
Name                Sales_Team
Comments            For the Sales team to use to connect to the Accounting ASP
Type                Overload (This is the default)
External IP Range   10.23.56.20 – 10.23.56.20
ARP Reply           enabled

Overload Example for CLI

config firewall ippool
    edit Sales_Team
        set comments "For the Sales team to use to connect to the Accounting ASP"
        set type overload
        set startip 10.23.56.20
        set endip 10.23.56.20
        set arp-reply enable
        set arp-intf wan1
end

One-to-one

7. For the External IP Range fields, enter the lowest and highest addresses in the range. If you only want a single address used, enter the same address in both fields.

8. Enable the ARP Reply field by making sure there is a check in the box.

9. Select OK.

One-to-one Example for GUI

In this example, the external IP address of the mail server is part of a range assigned to the company but not the one that is assigned to the Internet facing interface. A VIP has been set up, but in order to properly resolve Reverse DNS lookups the mail server always has to use a specific IP address. The external interface is wan1.

Field               Value
IP Pool Type        IPv4 Pool
Name                Mail-Server
Comments            So that the correct IP address is resolved on Reverse DNS lookups of the mail server.
Type                One-to-one
External IP Range   10.23.56.21 – 10.23.56.21
ARP Reply           enabled

Virtual IPs

The mapping of a specific IP address to another specific IP address is usually referred to as Destination NAT. FortiOS has a component that is a bit more specialized along this line called a Virtual IP Address, sometimes referred to as a VIP. FortiOS uses a Virtual IP address to map an External IP address to an IP address. This address does not have to be an individual host, it can also be an address range. This mapping can include all TCP/UDP ports or if Port Forwarding is enabled it will only refer to the specific ports configured.

Virtual IP addresses are typically used to NAT external or Public IP addresses to internal or Private IP addresses. Using a Virtual IP address between 2 internal Interfaces made up of Private IP addresses is possible but there is rarely a reason to do so as the 2 networks can just use the IP addresses of the networks without the need for any address translation. Using a Virtual IP address for traffic going from the inside to the Internet is even less likely to be a requirement, but it is supported.

Something that needs to be considered when there are multiple Public IP addresses on the external interface(s) is that when a Virtual IP address is used without Port Forwarding enabled there is a reciprocal effect as far as traffic flow is concerned. Normally, on a firewall policy where NAT is enabled, for outgoing traffic the internal address is translated to the Public address that is assigned to the FortiGate, but if there is a Virtual IP address with no port forwarding enabled, then the Internal IP address in the Mapped field would be translated to the IP address configured as the External Address in the VIP settings.

Example

  • The assigned External address (WAN1) of the FortiGate unit is 172.12.96.3 with a subnet mask of 255.255.255.128
  • There is a Virtual IP address set up to map the external address 172.12.96.127 on WAN1 to the internal IP address of 192.168.1.127
  • Port Forwarding is not enabled because you want all allowed traffic going to the external IP address to go to this server.

In this case any outbound traffic from 192.168.1.127 will go out on WAN1 with the IP address of 172.12.96.127 as the source IP address.
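To make the reciprocal effect concrete, here is an added Python model (not FortiOS code or Fortinet documentation) of how a VIP's External/Mapped pair steers both directions of traffic. The VirtualIP class, the function names and the two VIPs other than the 172.12.96.127 one are constructed for this example; it also generalizes to range VIPs and port-forwarding VIPs as the text describes them.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class VirtualIP:
    """One FortiOS Virtual IP, using the GUI field names (constructed model)."""
    name: str
    interface: str              # External Interface the VIP is bound to
    ext_start: IPv4Address      # External Address (first address of the range)
    ext_end: IPv4Address        # External Address (last; equals ext_start for one host)
    mapped_start: IPv4Address   # Mapped Address (first address of the internal range)
    portforward: bool = False   # Port Forwarding enabled?
    ports: tuple = ()           # External ports forwarded when portforward is True

    def mapped_end(self):
        # A range VIP maps external to internal addresses one-to-one by offset.
        return self.mapped_start + (int(self.ext_end) - int(self.ext_start))

    def to_internal(self, external):
        if self.ext_start <= external <= self.ext_end:
            return self.mapped_start + (int(external) - int(self.ext_start))
        return None

    def to_external(self, internal):
        if self.mapped_start <= internal <= self.mapped_end():
            return self.ext_start + (int(internal) - int(self.mapped_start))
        return None


def outbound_source(internal_ip, egress_if, interface_ip, vips):
    """Source address an outbound NAT session from internal_ip uses on egress_if.
    Reciprocal effect: a VIP on that interface without port forwarding that maps
    the host wins over the interface address; a port-forwarding VIP does not."""
    src = IPv4Address(internal_ip)
    for vip in vips:
        if vip.interface == egress_if and not vip.portforward:
            ext = vip.to_external(src)
            if ext is not None:
                return ext
    return IPv4Address(interface_ip)


def inbound_destination(public_ip, ingress_if, dport, vips):
    """Internal address inbound traffic to public_ip:dport on ingress_if is mapped to,
    or None when no VIP claims that address (and that port, if forwarding is on)."""
    dst = IPv4Address(public_ip)
    for vip in vips:
        if vip.interface != ingress_if:
            continue
        if vip.portforward and dport not in vip.ports:
            continue
        internal = vip.to_internal(dst)
        if internal is not None:
            return internal
    return None


# Constructed setup: the first VIP is the one from the example above; the other two
# are made up to show a port-forwarding VIP and a range VIP on the same interface.
WAN1_IP = "172.12.96.3"
VIPS = (
    VirtualIP("web_server", "wan1", IPv4Address("172.12.96.127"),
              IPv4Address("172.12.96.127"), IPv4Address("192.168.1.127")),
    VirtualIP("https_only", "wan1", IPv4Address("172.12.96.100"),
              IPv4Address("172.12.96.100"), IPv4Address("192.168.1.100"), True, (443,)),
    VirtualIP("dmz_range", "wan1", IPv4Address("172.12.96.64"),
              IPv4Address("172.12.96.66"), IPv4Address("192.168.1.64")),
)
```

The practical consequence for a whitelist such as the ASP example earlier on this page: the address to register for 192.168.1.127 is the VIP's external address, not the interface address.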

In terms of actually using Virtual IP addresses, they are used in security policies in the same places that other addresses would be used, usually as a Destination Address.

UUID Support for VIP

UUIDs are now supported for virtual IPs and virtual IP groups. This includes virtual IPs for IPv4, IPv6, NAT46, and NAT64. To view the UUID for these objects in a FortiGate unit's logs, log-uuid must be set to extended mode, rather than policy-only (which only shows the policy UUID in a traffic log). UUIDs can only be configured through the CLI.

Syntax

config sys global
    set log-uuid {disable | policy-only | extended}
end

There is another type of address that the term "virtual IP address" commonly refers to, which is used in load balancing and other similar configurations. In those cases, a number of devices share a separately created virtual IP address, and traffic to it can be sent to multiple possible devices. In FortiOS these are referred to as Virtual Servers and are configured in the "Load Balance" section.

Address Groups

Address groups are designed for ease of use in the administration of the device. If you have a number of addresses or address ranges that will commonly be treated the same or require the same security policies, you can put them into address groups, rather than entering multiple individual addresses in each policy that refers to them.

The use of groups is not required. If you have a number of different addresses you could add them individually to a policy, and the FortiGate firewall will process them just as quickly and efficiently as if they were in a group. However, if you have used a group once, chances are you will need to use it again, and depending on the number of addresses involved, entering them individually for each policy can become tedious and the likelihood of an address being missed becomes greater. If you have a number of policies using that combination of addresses, it is much easier to add or remove addresses from the group than to try to remember all of the firewall policies that combination of addresses was used in. With the group, you only have to make the one edit and it is picked up by every firewall policy that uses that address group.

Because security policies require addresses with homogenous network interfaces, address groups should contain only addresses bound to the same network interface, or to Any.

For example, if address 1.1.1.1 is associated with port1, and address 2.2.2.2 is associated with port2, they cannot be in the same group. However, if 1.1.1.1 and 2.2.2.2 are configured with an interface of Any, they can be grouped, even if the addresses involve different networks.

There are 3 Categories of Address groups to choose from:

  • IPv4 Group
  • IPv6 Group
  • Explicit Proxy Group

You cannot mix different categories of addresses within a group, so whether or not it makes sense from an administrative purpose to group certain addresses together, if some are IPv4 and some are IPv6, it cannot be done.
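The two grouping rules above (one interface binding, one IP version) can be checked before a group is pushed. The following Python is an added example, not FortiGate code: FirewallAddress, check_address_group and the sample objects are hypothetical, only IP/Netmask and Subnet members are modelled (Explicit Proxy groups are left out), and mixing a bound address with an Any address is treated as a violation, which is the strict reading of the rule.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class FirewallAddress:
    """An IP/Netmask (IPv4) or Subnet (IPv6) address object (hypothetical model)."""
    name: str
    subnet: str             # e.g. "1.1.1.1/32" or "fd5e:3c59:35ce:f67e::/64"
    interface: str = "any"  # interface the address is bound to; "any" = not bound

    @property
    def family(self):
        # Raises ValueError for a malformed subnet string.
        return ip_network(self.subnet, strict=False).version


GROUP_FAMILY = {"IPv4 Group": 4, "IPv6 Group": 6}


def check_address_group(group_name, category, members):
    """Return the list of rule violations for a proposed group (empty list = OK).

    Rules from the text: every member must be the IP version of the group's
    category, and all members must share one interface binding. Mixing a bound
    address with an "any" address is reported too (strict reading of the rule).
    """
    problems = []
    want = GROUP_FAMILY.get(category)
    if want is None:
        return [f"{group_name}: category {category!r} is not handled by this check"]
    if not members:
        problems.append(f"{group_name}: group has no members")
    for m in members:
        try:
            fam = m.family
        except ValueError:
            problems.append(f"{group_name}: {m.name} has an invalid subnet {m.subnet!r}")
            continue
        if fam != want:
            problems.append(f"{group_name}: {m.name} ({m.subnet}) is IPv{fam}, group is {category}")
    interfaces = sorted({m.interface for m in members})
    if len(interfaces) > 1:
        problems.append(f"{group_name}: members bound to different interfaces: {interfaces}")
    return problems


# Constructed objects mirroring the 1.1.1.1 / 2.2.2.2 example in the text.
BOUND = [FirewallAddress("host_a", "1.1.1.1/32", "port1"),
         FirewallAddress("host_b", "2.2.2.2/32", "port2")]
UNBOUND = [FirewallAddress("host_a_any", "1.1.1.1/32"),
           FirewallAddress("host_b_any", "2.2.2.2/32")]
MIXED_FAMILY = UNBOUND + [FirewallAddress("guests_v6", "fd5e:3c59:35ce:f67e::/64")]
```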

Creating an Address Group

1. Go to Policy & Objects > Addresses.

2. Select the down arrow next to Create New and select Address Group.

3. Choose the Category that is applicable to the proposed selection of addresses.

4. Input a Group Name for the address object.

Depending on which Category has been chosen, the configurations will differ slightly.

IPv4 Group

1. Select the “+” in the Members field. You can select members of the group from the window that slides out from the left of the screen. It is possible to select more than 1 entry. Select the “X” icon in the field to remove an entry.

2. Select the desired on/off toggle setting for Show in Address List.

3. Select the desired on/off toggle setting for Static Route Configuration.

IPv6 Group

1. Select the “+” in the Members field. You can select members of the group from the window that slides out from the left of the screen. It is possible to select more than 1 entry. Select the “X” icon in the field to remove an entry.

2. Select the desired on/off toggle setting for Show in Address List.

Explicit Proxy Group

1. Select which Type, either Source Group or Destination Group.

2. Select the “+” in the Members field. You can select members of the group from the window that slides out from the left of the screen. It is possible to select more than 1 entry. Select the “X” icon in the field to remove an entry.

3. Select the desired on/off toggle setting for Show in Address List.

Irrespective of the Category the groups all have the same final configuration options:

1. Input any additional information in the Comments field.

2. Press OK.

UUID Support

Syntax:

config firewall {address | address6 | addrgrp | addrgrp6}
    edit 1
        set uuid <example uuid: 8289ef80-f879-51e2-20dd-fa62c5c51f44>
    next
end

IPv6 Addresses

When creating an IPv6 address there are a number of different types of addresses that can be specified. These include:

  • Subnet
  • IP Range – the details of this type of address are the same as the IPv4 version of this type

IPv6 addresses don't yet have the versatility of IPv4 addresses in that they don't have things like geography-based or FQDN addresses, but as IPv6 becomes more mainstream this should change.

Subnet Addresses

The Subnet Address type is one that is only used in reference to IPv6 addresses. It represents an IPv6 address subnet. This means that the address will likely be a series of hexadecimal characters followed by a double colon, followed by a "/", and then a number less than 128 to indicate the size of the subnet. An example would be:

fd5e:3c59:35ce:f67e::/64

  • The hexadecimal characters represent the IPv6 subnet address.
  • The "::" indicates zeros from that point to the left. In an actual address for a computer, the hexadecimal characters that would take the place of these zeros would represent the device address on the subnet.
  • /xx, in this case /64, represents the number of bits in the subnet. This will make a range that can potentially include 18,446,744,073,709,551,616 addresses. For those wanting to use English rather than math, that is 18 quintillion.

Creating a Subnet address

1. Go to Policy & Objects > Addresses.

2. Select Create New. A drop down menu is displayed. Select Address.

3. In the Category field, choose IPv6 Address.

4. Input a Name for the address object.

5. In the Type field, select Subnet from the drop down menu.

6. In the Subnet / IP Range field, enter the range of addresses in IPv6 format (no spaces).

7. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.

8. Input any additional information in the Comments field.

9. Press OK.

Example

Example of an IPv6 address object for a group of computers set aside for guests on the company network.

Field                  Value
Category               IPv6 Address
Name                   IPv6_Guest_user_range
Type                   Subnet
Subnet / IP Range      fd5e:3c59:35ce:f67e::/64
Show in Address List   [on]
Comments

IPv4 Addresses

When creating an IPv4 address there are a number of different types of addresses that can be specified. These include:

  • FQDN
  • Geography
  • IP Range
  • IP/Netmask
  • Wildcard FQDN

Which one is chosen will depend on which method most easily yet accurately describes the addresses you are trying to include, with as few entries as possible, based on the information you have. For instance, if you are trying to describe the addresses of a specific company's web server but have no idea how extensive their web server farm is, you would be more likely to use a Fully Qualified Domain Name (FQDN) rather than a specific IP address. On the other hand, some computers don't have FQDNs and a specific IP address must be used.

The following is a more comprehensive description of the different types of addresses.

FQDN Addresses

By using Fully Qualified Domain Name (FQDN) addressing you can take advantage of the dynamic ability of DNS to keep up with address changes without having to manually change the addresses on the FortiGate. FQDN addresses are most often used with external web sites but they can be used for internal web sites as well if there is a trusted DNS server that can be accessed. FQDN addressing also comes in handy for large web sites that may use multiple addresses and load balancers for their web sites. The FortiGate firewall automatically maintains a cached record of all the addresses resolved by the DNS for the FQDN addresses used.

For example, if you were doing this manually and you wanted to have a security policy that involved Google you could track down all of the IP addresses that they use across multiple countries. Using the FQDN address is simpler and more convenient.

When representing hosts by an FQDN, the domain name can also be a subdomain, such as mail.example.com. Valid FQDN formats include:

  • <host_name>.<top_level_domain_name> such as example.com
  • <host_name>.<second_level_domain_name>.<top_level_domain_name>, such as mail.example.com

When creating FQDN entries it is important to remember that:

  • Wildcards are not supported in FQDN address objects
  • While there is a level of convention that would imply it, "www.example.com" is not necessarily the same address as "example.com". They will each have their own records on the DNS server.

The FortiGate firewall keeps track of the DNS TTLs so as the entries change on the DNS servers the IP address will effectively be updated for the FortiGate. As long as the FQDN address is used in a security policy, it stores the address in the DNS cache.

There is a possible security downside to using FQDN addresses. Using a fully qualified domain name in a security policy means that your policies rely on the DNS server being accurate and correct. In the past, DNS servers were not seen as potential targets because the thinking was that there was little of value on them, and therefore they are often not as well protected as some other network resources. People are becoming more aware that the value of the DNS server is that in many ways it controls where users and computers go on the Internet. Should the DNS server be compromised, security policies requiring domain name resolution may no longer function properly.

Creating a Fully Qualified Domain Name address

1. Go to Policy & Objects > Addresses.

2. Select Create New. A drop down menu is displayed. Select Address.

3. In the Category field, choose Address. (This is for IPv4 addresses.)

4. Input a Name for the address object.

5. In the Type field, select FQDN from the drop down menu.

6. Input the domain name in the FQDN field.

7. In the Interface field, leave as the default any or select a specific interface from the drop down menu.

8. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.

9. Input any additional information in the Comments field.

10. Press OK.

Example

Example of an FQDN address for a remote FTP server used by the Accounting team:

Field                  Value
Category               Address
Name                   Payroll_FTP_server
Type                   FQDN
FQDN                   ftp.payrollcompany.com
Interface              any
Show in Address List   [on]
Comments               Third party FTP server used by Payroll.

Geography Based Addresses

Geography addresses are those determined by country of origin. This type of address is only available in the IPv4 address category.

Creating a Geography address

1. Go to Policy & Objects > Addresses.

2. Select Create New. A drop down menu is displayed. Select Address.

3. In the Category field, choose Address. (This is for IPv4 addresses.)

4. Input a Name for the address object.

5. In the Type field, select Geography from the drop down menu.

6. In the Country field, select a single country from the drop down menu.

7. In the Interface field, leave as the default any or select a specific interface from the drop down menu.

8. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.

9. Input any additional information in the Comments field.

10. Press OK.

Service Groups

Just like some of the other firewall components, services can also be bundled into groups for ease of administration.

Creating a Service Group

1. Go to Policy & Objects > Services.

2. Select Create New. A drop down menu is displayed. Select Service Group.

3. Input a Group Name to describe the services being grouped.

4. Input any additional information in the Comments field.

5. Choose a Type of group. The options are Firewall or Explicit Proxy.

6. Add to the list of Members from the drop down menu. Using the + sign beside the field will allow the addition of multiple services.

7. Press OK.

Example

Example of a New Service Group:

Field          Value
Group Name     Authentication Services
Comments       Services used in Authentication
Type           Firewall
Members        Kerberos, LDAP, LDAP_UDP, RADIUS

UUID Support

A Universally Unique Identifier (UUID) attribute has been added to some firewall objects, so that the logs can record these UUIDs for use by a FortiManager or FortiAnalyzer unit. The objects currently include:

  • Addresses, both IPv4 and IPv6
  • Address Groups, both IPv4 and IPv6
  • Virtual IPs, both IPv4 and IPv6
  • Virtual IP groups, both IPv4 and IPv6
  • Policies, IPv4, IPv6 and IP64

A UUID is a 16-octet (128-bit) number that is represented by 32 lowercase hexadecimal digits. The digits are displayed in five groups separated by hyphens (-). The pattern is 8-4-4-4-12; 36 characters if you include the hyphens.

Note: UUID is only supported on large-partition platforms (>=128M)