
Deploying Firewalls v4.3


1 Deploying Firewalls v4.3

2 Principles for creating firewall policies
Policies are deployed per pair of ingress and egress interfaces. Traffic that matches no firewall policy cannot pass through the device.
Understand stateful inspection correctly: the direction of a firewall policy is decided by the initiator of the data flow. That is, when the internal network needs to reach the external network, a single allow policy from Internal to wan1 is all that is required. TCP state is tracked in the session table; for stateless protocols (IP, UDP, ICMP) a pseudo-state is created.

3 Firewall policy: interfaces, services, NAT / Route, application-layer UTM
In the diagram above, notice there is a "Multiple" button for source address, destination address and service. This allows simplified policy creation and avoids the need for address groups and service groups. Generally speaking, if you intend to group addresses or services for only a single policy, simply use the "Multiple" button. If more than one firewall policy will group the addresses or services in the same way, create a group via Firewall > Address > Group or Firewall > Service > Group.

4 How to create a firewall policy – interfaces and IP addresses
Two types of address, and several ways to define an IP range: IP / IP range, or FQDN (a domain name), for example:
/ /24 [99-105]
Address groups combine several firewall address objects. The commands to configure addresses and an address group are:
    config firewall address
        edit "manufacturing"
            set associated-interface "port3"
            set subnet " "
        next
        edit "warehouse"
            set subnet " "
        next
    end
    config firewall addrgrp
        edit "shipping"
            set member "manufacturing" "warehouse"
        next
    end
An address can be bound to an interface or left unbound. If it is bound, the address object can only be used in policies on that interface.
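The address forms above (subnet, last-octet range in the [99-105] notation, FQDN) and the interface-binding rule, modelled as an added Python example; this is not FortiOS code, and the subnets, object names and the `resolved` DNS stand-in are constructed.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Model of FortiGate address objects (constructed for this example; not FortiOS code).
RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+\.)\[(\d+)-(\d+)\]$")  # e.g. 10.1.1.[99-105]
@dataclass
class Address:
    name: str
    spec: str                         # "10.1.1.0/24", "10.1.1.[99-105]", "10.1.1.7" or an FQDN
    associated_interface: str = None  # bound interface, or None when not bound

def parse_spec(spec):
    """Classify an address specification as (kind, value)."""
    m = RANGE_RE.match(spec)
    if m:
        base, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        if not 0 <= lo <= hi <= 255:
            raise ValueError("bad last-octet range in %s" % spec)
        return "range", (ip_address(base + str(lo)), ip_address(base + str(hi)))
    if "/" in spec:
        return "subnet", ip_network(spec, strict=False)
    try:
        return "ip", ip_address(spec)
    except ValueError:
        return "fqdn", spec.lower()   # resolved by the firewall at match time

def contains(addr, ip, resolved=None):
    """True if ip is inside the object; `resolved` maps FQDN -> IPs (stand-in for DNS)."""
    kind, value = parse_spec(addr.spec)
    ip = ip_address(ip)
    if kind == "subnet":
        return ip in value
    if kind == "range":
        return value[0] <= ip <= value[1]
    if kind == "ip":
        return ip == value
    return any(ip == ip_address(a) for a in (resolved or {}).get(value, []))

def group_contains(members, ip, resolved=None):
    """An address group matches when any member object matches."""
    return any(contains(m, ip, resolved) for m in members)

def usable_on(addr, interface):
    """An address bound to an interface may only be used in policies on that interface."""
    return addr.associated_interface in (None, interface)

# Sample objects mirroring the slide's CLI (constructed subnets; the slide's own are blank).
MANUFACTURING = Address("manufacturing", "10.1.1.0/24", "port3")
WAREHOUSE = Address("warehouse", "10.1.2.[99-105]")
SHIPPING = [MANUFACTURING, WAREHOUSE]   # addrgrp "shipping"
```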

5 How to create a firewall policy – selecting and customizing services
The FortiGate has more than sixty predefined services built in. Users can also define their own services; the following protocols can be customized: TCP/UDP, ICMP, IP. Several services can also be combined into a service group.
The purpose of the source and destination port fields is not to account for dynamic port assignment during port address translation. Rather, it is to account for client-server variance on the original request. The firewall is stateful and therefore session aware; what these assignments deal with is session creation, rather than the actual port traffic flow during a NAT.

6 How to create a firewall policy – customizing schedules
Time-based control in the firewall.
The FortiGate uses its own date and time to make firewall scheduling decisions, so it is important that the date and time are accurate; otherwise time-sensitive traffic may not flow as expected. Another consideration is the timezone and any DST settings that may apply. The timezone is configured as a number in the CLI; for example, EST (GMT -5) is "12". To see the list of timezone numbers, run "set timezone ?". Generally speaking, core network apparatus should have its time synchronized via NTP:
    config system global
        set ntpserver " "
        set ntpsync "enable"
        set timezone "12"
        set syncinterval "60"
    end

7 How to create a firewall policy – choosing the action
Packets are matched on four items: interface, address, protocol (service) and schedule. Once a match is found, the "Action" decides what happens and no further policies are checked. When creating firewall policies, place the narrower policies first and the broader ones later. In NAT/Route mode the firewall policy also decides whether the flow is NATed. The action types are: Accept; Deny; SSL (an SSL VPN policy); IPSec (an IPsec VPN policy).
Firewall policies are arranged in directional interface pairs, e.g. internal-to-wan1, wan1-to-dmz. Since the FortiGate UTM security appliance is a stateful firewall, only the *originating* direction requires a firewall policy; return traffic that matches an existing outgoing session is automatically permitted back in. For a simple Internet access policy for a PC host connected to the "internal" interface, you only need to define a single firewall policy from "internal-to-wan1" (assuming that wan1 connects to the Internet!) with appropriate traffic type permissions. Basic, non-encrypting actions: ACCEPT permits the packet; DENY drops the packet and creates a log message. Remember, if there is no matching policy in the interface pair list, the packet is dropped without any logging; a DENY policy allows "illegal" traffic to be logged. Note that all logging presents a load to the FortiGate system, so heavy traffic logging will affect system performance. Administration note: firewall policies are for traffic *through* the FortiGate device. For traffic *to* the FortiGate device for administrative purposes, each interface has its own setting for HTTP, HTTPS, SSH, SNMP or TELNET traffic.
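The matching rules of slide 7 (directional interface pairs, first match wins, implicit drop without logging) as an added Python example that is not part of the course material; it also flags a broader policy placed above a narrower one in the same interface pair, the situation the ordering advice above is meant to avoid. Policy contents and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Model of a FortiGate-style policy list (constructed for this example; not FortiOS code).
@dataclass
class Policy:
    src_intf: str
    dst_intf: str
    src: str          # CIDR or "all"
    dst: str          # CIDR or "all"
    service: object   # ("tcp"|"udp", low_port, high_port) or "ALL"
    action: str       # "ACCEPT" or "DENY"
    log: bool = False # a DENY policy is where "illegal" traffic gets logged
def _addr_match(obj, ip):
    return obj == "all" or ip_address(ip) in ip_network(obj)
def _svc_match(svc, proto, port):
    return svc == "ALL" or (svc[0] == proto and svc[1] <= port <= svc[2])
def evaluate(policies, src_intf, dst_intf, src_ip, dst_ip, proto, port):
    """First match wins: returns (action, policy_number, logged).
    No match is the implicit deny: dropped with no log entry."""
    for n, p in enumerate(policies, 1):
        if (p.src_intf, p.dst_intf) != (src_intf, dst_intf):
            continue                      # policies live in directional interface pairs
        if (_addr_match(p.src, src_ip) and _addr_match(p.dst, dst_ip)
                and _svc_match(p.service, proto, port)):
            return p.action, n, p.log
    return "DENY", None, False

def _covers(wide, narrow):
    """True when address `wide` contains every address of `narrow`."""
    return wide == "all" or (narrow != "all" and ip_network(narrow).subnet_of(ip_network(wide)))
def shadowed(policies):
    """Return (broad, narrow) policy numbers where a broader policy sits above a narrower
    one in the same interface pair, so the narrower policy can never match."""
    hits = []
    for i, w in enumerate(policies):
        for j in range(i + 1, len(policies)):
            n = policies[j]
            same_pair = (w.src_intf, w.dst_intf) == (n.src_intf, n.dst_intf)
            if (same_pair and _covers(w.src, n.src) and _covers(w.dst, n.dst)
                    and w.service in ("ALL", n.service)):
                hits.append((i + 1, j + 1))
    return hits

# Constructed sample: policy 3 is shadowed by the broader DENY in policy 2.
POLICIES = [
    Policy("internal", "wan1", "10.0.0.0/24", "all", ("tcp", 80, 80), "ACCEPT"),
    Policy("internal", "wan1", "10.0.0.0/8", "all", "ALL", "DENY", log=True),
    Policy("internal", "wan1", "10.0.0.5/32", "all", ("tcp", 22, 22), "ACCEPT"),
]
```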

8 Two display modes – section view or global view
If Any is used as an interface, only the global view is supported.

9 Firewall policies using the "Any" interface
The source or destination interface can be set to "any". If any firewall policy uses the "any" interface, only the global view of the firewall policy list can be used.
The "any" interface cannot be used for VIPs or IP pools.

10 How to set up firewall authentication – users
A user object is one authentication method. A user group is a container for user objects. The FortiGate controls access to resources on a group basis: it identifies group members, and the protection profile and group type provide the members' authentication attributes. User groups and firewall policies define the authentication process for users.
Protection profile: typically defined in the group, although with some authentication methods the profile can come from the server. Group type provides authorization information. Firewall: a firewall policy specifies the user groups that are allowed to use the policy, and has optional FortiGuard override settings. SSL-VPN: controls access to the FortiGate SSL-VPN tunnel and SSL-VPN web applications. Active Directory: controls access to firewall policies based on Windows AD group membership.

11 How to set up firewall authentication – user types
The following authentication types are supported:
Local users: username and password created on the firewall
RADIUS users: username and password taken from a RADIUS server
LDAP / AD users: username and password taken from an LDAP server
TACACS+: username and password taken from a TACACS server
FSSO / NTLM (AD) users: enables single sign-on
PKI: based on CA certificates (no username or password required)
FortiToken: user authentication based on one-time-password tokens
User names are stored in the config file; passwords are either stored encrypted in the config file or retrieved from a RADIUS or LDAP server.

12 How to set up firewall authentication – user groups
Group name; set the type to Firewall; whether the group is used for SSL VPN; set the group members.

13 How to set up firewall authentication – user authentication sub-policies
Enable user-based sub-policies so that different user groups can use a different schedule, service, protection profile, traffic shaping and traffic logging.

14 Feature description
Every firewall policy with user authentication enabled becomes a "user-authentication-based policy". A single policy can be split into several sub-entries by: user group, schedule, service, protection profile, traffic shaping, traffic logging.

15 How to set up firewall authentication – user authentication sub-policies, explained
Deploy different protection profiles and traffic shaping for different user groups.

16 User monitor -> under Firewall in the v4.0 GUI, authenticated users can be monitored and managed.

17 How to set up firewall authentication – authentication timeout and protocols
When no user is authenticated, or when there is no traffic, the user must authenticate again once the "authentication timeout" expires.
The allowed authentication protocols that can prompt for a username and password are listed above. Certificate-based authentication is the alternative.

18 How to set up firewall authentication – auto refresh (keepalive)
Set in the CLI:
    config system global
        set auth-keepalive enable
    end

19 Network address translation (NAT)

20 How to configure source NAT
By default, port address translation uses the external interface IP address.
Many-to-one source NAT is achieved by translating the source port. In theory, one public address can support up to 64500 sessions. If "keep port number" (fixed port) is selected, many-to-one address mapping cannot be achieved.

21 How to configure source NAT – without using the interface address
Translate to a specified range of IP addresses: Firewall > Virtual IP > IP Pool. To verify, run
    diagnose sniffer packet any 'icmp' 4
and then ping from a host behind the firewall.
The IP pool function on a FortiGate simply controls the source IP of traffic subject to NAT. Referring to the first point above, if you had an IP pool that contained " [80-82]", traffic from the inside subject to that policy would have its source IP changed to the first IP address in the pool ( ). Round robin dictates the source IP of subsequent egress traffic, assuming more than one IP address is present in the pool. The IP pool option does not apply, and is unavailable, unless the NAT checkbox is selected and an IP pool exists that is associated with the egress interface. This technology is useful when a host must masquerade as an IP other than its own for outgoing sessions. It is stateful, but it is not bi-directional. It allows a larger number of concurrent sessions to be subject to NAT in the firewall policy, due to the additional IP and port associations created by PAT.
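A Python simulation (added here, not FortiOS code) of the source NAT behaviour described on slides 20 and 21: PAT from a pool whose members are chosen round robin, the roughly 64500-session ceiling per address, and why "keep port number" breaks many-to-one translation. Pool addresses and flows are constructed.

```python
from itertools import cycle

# Simulation of source NAT with an IP pool (constructed for this example; not FortiOS code).
class SourceNat:
    def __init__(self, pool, fixed_port=False, port_range=(1024, 65535)):
        self.pool = list(pool)             # IP pool; using the interface IP is a one-entry pool
        self._rr = cycle(self.pool)        # round robin across pool members
        self.fixed_port = fixed_port       # "keep port number": never rewrite the source port
        self.lo, self.hi = port_range
        self.sessions = {}                 # (src_ip, src_port, dst) -> (nat_ip, nat_port)
        self.in_use = set()                # translated (nat_ip, nat_port) pairs already taken
        # Simplification: uniqueness is enforced per nat_ip:port rather than per full 5-tuple.

    def capacity(self):
        """Sessions one pool address can hold times pool size (about 64500 for one address)."""
        return len(self.pool) * (self.hi - self.lo + 1)

    def translate(self, src_ip, src_port, dst):
        """Return the (nat_ip, nat_port) for this flow, reusing it for an existing session."""
        key = (src_ip, src_port, dst)
        if key in self.sessions:           # stateful: the session table already has a mapping
            return self.sessions[key]
        nat_ip = next(self._rr)
        if self.fixed_port:
            cand = (nat_ip, src_port)
            if cand in self.in_use:        # a second host with the same source port collides
                raise RuntimeError("fixed port: %s:%d already in use" % cand)
        else:
            cand = None
            for p in range(self.lo, self.hi + 1):   # PAT: take the first free translated port
                if (nat_ip, p) not in self.in_use:
                    cand = (nat_ip, p)
                    break
            if cand is None:
                raise RuntimeError("port range exhausted on %s" % nat_ip)
        self.in_use.add(cand)
        self.sessions[key] = cand
        return cand

# Constructed pool standing in for the slide's "[80-82]" example.
POOL = ["203.0.113.80", "203.0.113.81", "203.0.113.82"]
```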

22 Mapping servers – configuring a virtual IP
Bound external interface; one-to-one mapping; port mapping; external IP address; internal IP address; external port; internal server port.

23 Mapping servers – configuring server load balancing
Select server load balancing; external IP; traffic distribution method; external port; list of internal servers.

24 Mapping servers – adding a policy that allows access to the server
The policy is created from outside to inside; the destination address is the server's mapped virtual IP; NAT does not need to be enabled.

25 Traffic shaping principles
Traffic shaping is enabled in the firewall policy. If you do not configure any shaping on a firewall policy, the traffic priority defaults to high.
The shaping option in a firewall policy offers three priority levels (low, medium, high). Make sure that the sum of the guaranteed bandwidths across all firewall policies stays below the maximum capacity the interface can carry.

26 Traffic shaping – traffic shapers
Shaping can be applied in several ways: 1. the IP addresses covered by one policy share the bandwidth; 2. all IPs using the same shaper share the bandwidth; 3. a per-IP maximum bandwidth.

27 Traffic shaping – applying it in a policy
Enable traffic shaping and the per-IP maximum bandwidth.

28 Attaching application-layer security to firewall policies – UTM
The diagram above illustrates that a single overall policy for content inspection is not a typical scenario. FortiGates can apply different content inspection technologies to different communications through the network. For example, sessions originating from the internal network may not be subject to IPS scanning, whereas sessions entering servers on the DMZ should be. We may wish to employ web content inspection for our internal network, while our servers communicate with any outside host without such inspection.

29 Applying UTM in a policy
Finer-grained application-layer content inspection. UTM in the firewall policy:
The UTM options cover antivirus, IPS, web filtering, email filtering, DLP, application control and the logging associated with each. Protection profiles are broken down into several sections: Anti-Virus, Web Filtering, FortiGuard Web Filtering, Spam Filtering, IPS, Content Archive, IM/P2P, Logging and VoIP. Each section has its own technologies and the ability to enable them for the supported protocols. Often, as in the diagram above, there is also the ability to specify thresholds or parameters for a particular feature. Although Fortinet recommends creating a new, custom protection profile for each type of flow, four protection profiles come pre-configured under Firewall > Protection Profile: Web, Scan, Strict and Unfiltered.

