Object configuration – FortiOS 6
As was mentioned earlier, the components of the FortiGate firewall go together like interlocking building blocks. The Firewall objects are a prime example of those building blocks. They are something that can be configured once and then used over and over again to build what you need. They can assist in making the administration of the FortiGate unit easier and more intuitive as well as easier to change. By configuring these objects with their future use in mind as well as building in accurate descriptions the firewall will become almost self documenting. That way, months later when a situation changes, you can take a look at a policy that needs to change and use a different firewall object to adapt to the new situation rather than build everything new from the ground up to accommodate the change.
This chapter includes information about the following Firewall objects:
l Addresses l “Virtual IPs” on page 234 l IP Pools l “Services” on page 248 l “Firewall schedules” on page 256
A Universally Unique Identified (UUID) attribute has been added to some firewall objects, so that the logs can record these UUID to be used by a FortiManager or FortiAnalyzer unit. The objects currently include:
l Addresses, both IPv4 and IPv6 l Address Groups, both IPv4 and IPv6 l Virtual IPs, both IPv4 and IPv6 l Virtual IP groups, both IPv4 and IPv6 l Policies, IPv4,IPv6 and IP64
A UUID is a 16-octet (128-bit) number that is represented by 32 lowercase hexidecimal digits. The digits are displayed in five groups separated by hyphens (-). The pattern is 8-4-4-4-12; 36 digits if you include the hyphens.
Firewall addresses define sources and destinations of network traffic and are used when creating policies. When properly set up these firewall objects can be used with great flexibility to make the configuration of firewall policies simpler and more intuitive. The FortiGate unit compares the IP addresses contained in packet headers with a security policy’s source and destination addresses to determine if the security policy matches the traffic.
The address categories and the types within those categories on the FortiGate unit can include:
- IPv4 addresses l IP address and Netmask l IP address range l Geography based address l Fully Qualified Domain Name (FQDN) address l Wildcard FQDN l IPv4 address aroup
- IPv6 addresses l Subnets l IP range l IPv6 address group
- Multicast addresses l Multicast IP range l Broadcast subnets
- Proxy addresses l URL pattern l Host Regex match l URL category l Http method l User agent l HTTP header l Advanced (source) l Advanced (destination)
- IP Pools (IPv4) l Overload l One-to-one l Fixed port range l Port block allocation
- IP pools (IPv6) l Virtual IP addresses l IPv4 l IPv6 l NAT46 l NAT64
When setting up an address one of the parameters that is asked for is the interface. This means that the system will expect to see that address only on the interface that you select. You can only select one interface. If you expect that the address may be seen at more than one interface you can choose the “any” interface option. Whenever, possible it is best to choose a more specific interface than the “any” option because in the GUI configuration of firewall policies there is a drop down field that will show the possible addresses that can be used. The drop down will only show those addresses that can be on the interface assigned for that interface in the policy.
- You have an address called “XYZ”. l “XYZ” is set to the WAN1 interface because that is the only interface that will be able to access that address.
- When you are selecting a Source Address in the Web-based Manager for a policy that is using the DMZ the address “XYZ” will not be in the drop-down menu.
When there are only 10 or 20 addresses this is not a concern, but if there are a few hundred addresses configured it can make your life easier.
Addresses, address groups, and virtual IPs must have unique names to avoid confusion in firewall policies. If an address is selected in a policy, the address cannot be deleted until it is deselected from the policy.
Addressing Best Practices Tip
The other reason to assign a specific interface to addresses is that it will prevent you from accidentally assigning an address where it will not work properly. Using the example from earlier, if the “XYZ” address was assigned to the “Any” interface instead of WAN1 and you configure the “XYZ” address.
Addressing Best Practices Tip
Don’t specify an interface for VIP objects or other address objects that may need to be moved or approached from a different direction. When configuring a VIP you may think that it will only be associated with a single interface, but you may later find that you need to reference it on another interface.
Example: Some web applications require the use of a FQDN rather than an
IP address. If you have a VIP set up that works from the Internet to the Internal LAN you wont be able to use that VIP object to access it from an internal LAN interface.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos
Cybersecurity Videos and Training Available Via: Office of The CISO Security Training Videos
Leave a Reply