FOS 5.2 Delta Part 1 Notes


Transcript of FOS 5.2 Delta Part 1 Notes

  • 8/10/2019 FOS 5.2 Delta Part 1 Notes

    Slide 1/30

    5.2.1 Split Policy Removal

    FCNSA FortiGate Network Security Firewall Polic

    FGT1-03-50005-E-20131120

  • Slide 3/30

    Previously the behavior of authentication was proprietary to Fortinet. This change allows for easier understanding and configuration when people have a background in other products or are doing a migration.

  • Slide 4/30

    5.0 pioneered separate policy types and sub-types for identity and device identification. The idea was to reduce the number of options within a firewall policy by only allowing certain configuration settings, depending on which Type > Sub-type was selected.

  • Slide 5/30

    5.2 collapses and combines these settings into the firewall policy itself. Overall this results in simpler configuration settings.

  • Slide 6/30

    In previous firmware, once traffic matched the source and destination IPs of ANY firewall policy, there was no way to get out of that policy and drop down to the next one. Traffic was handled by whatever rules that policy allowed.

    5.2 expands source matching to include user and device information, not just IP addresses.

  • Slide 7/30

    The same behavior applies if the user IS authenticated but is not part of group1.

    Without FSSO (which authenticates ahead of time), users will never be prompted to log in, because they don't match policy 1 but DO match policy 2 (which has no authentication enabled).

  • Slide 8/30

    Only users that successfully authenticate AND are in group1 are allowed through.

  • Slide 9/30

    This behavior change could impact upgrades from previous firmware.

  • Slide 10/30

    The old feature had a limited scope of operation. It was designed to be used with FSSO, or with devices that did not generate traffic on valid authentication protocols.

    Failure to authenticate is not the same as unauthenticated.

  • Slide 11/30

    Theoretical example deployment: it requires that 2 different user groups have separate NAT rules.

  • Slide 12/30

    In 5.0 this scenario cannot be resolved with a FortiGate: all users will receive the same NAT rules.

    With 5.2 each group will be a separate firewall policy and can receive independent NAT behavior.

  • Slide 13/30

    Authentication will no longer be allowed with a protocol that is not also an allowed service in the policy.

  • Slide 14/30

    May impact upgrades if administrators were unaware of this behavior or were making explicit use of it.

  • Slide 15/30

    DNS traffic is allowed to pass prior to successful authentication because, in most cases, users would be unable to authenticate without first being able to get DNS resolution.

  • Slide 16/30

    This is a look at a Firewall policy with authentication rules in 5.0.6

  • Slide 17/30

    The CLI comparison shows the authentication rules from 5.0 after conversion to 5.2.

  • Slide 18/30

    Before and after GUI screenshots showing the 5.0.6 policy and its conversion to 5.2.0 afterwards.

  • Slide 19/30

    Without using FSSO, users will not be authenticated because policy 4 does not force authentication and will match all the traffic.

  • Slide 20/30

    The behavior of authentication has changed with 5.2.

    Policies will be properly upgraded, but the behavior change may result in different, possibly unwanted, behavior, so all these factors need to be kept in mind.

    Since the policy count will likely change in 5.2 (there are no authentication rules within a policy anymore), customers that wind up going over their policy limit after the upgrade will lose policies.

  • Slide 21/30

    Rather than enforcing user authentication through the firewall policy, a captive portal can be enabled on the ingress interface.

    A pure FSSO environment would have no need to enable captive portal to receive user details, as these come from the Collector.

  • Slide 22/30

    Not available on interfaces with a dynamic IP.

    The setting can be found in the Network > Interface section.

  • Slide 23/30

    After enabling the captive portal, set up firewall policy(s) based on user information as normal.

  • Slide 24/30

    Unauthenticated users will fall through, so policy order may be very important.

  • Slide 25/30

    Remember, some devices may need to pass through without authentication (print servers, etc.).

  • Slide 26/30

    Firewall policy order is very important when using this.

    Important rule of thumb: always order your firewall policies from most specific to least specific.
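    As an added illustration that is not part of the notes, a small Python model of the two matching semantics described on slides 6 to 8, 15 and 24 to 26: in 5.0 the first address/service match owns the session and identity is checked inside it, while in 5.2 the user group is part of the match, so a session that does not satisfy it falls through to the next policy. The policy table and sessions are constructed for the example, and the 5.0 branch is a simplification of the behavior the notes describe.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Policy:
    pid: int
    src: str                         # source subnet the policy matches
    services: frozenset              # allowed services; authentication must use one of these
    groups: frozenset = frozenset()  # required user groups; empty = no identity requirement

@dataclass(frozen=True)
class Session:
    src_ip: str
    service: str
    groups: frozenset = frozenset()  # empty = unauthenticated, or authenticated but in no group

def _l3_match(p: Policy, s: Session) -> bool:
    return ip_address(s.src_ip) in ip_network(p.src) and s.service in p.services

def match_50(policies, s):
    """5.0 semantics: the first address/service match owns the session; a session that
    fails the identity check is held there (prompted or denied) and never drops down."""
    for p in policies:
        if _l3_match(p, s):
            if p.groups and not (p.groups & s.groups):
                return (p.pid, "identity required, no fall-through")
            return (p.pid, "accept")
    return (None, "implicit deny")

def match_52(policies, s):
    """5.2 semantics: user/group is part of the match, so a non-matching identity falls
    through to the next policy. DNS is allowed before authentication (slide 15)."""
    for p in policies:
        if not _l3_match(p, s):
            continue
        if p.groups and s.service != "DNS" and not (p.groups & s.groups):
            continue
        return (p.pid, "accept")
    return (None, "implicit deny")

# Constructed table modelled on slides 7/8: policy 1 requires group1, policy 2 is the same
# addresses and services with no authentication.
WEB = frozenset({"HTTP", "HTTPS", "DNS"})
POLICIES = [Policy(1, "10.0.0.0/24", WEB, frozenset({"group1"})), Policy(2, "10.0.0.0/24", WEB)]

def compare(policies=POLICIES):
    """Evaluate three constructed sessions: {label: (5.0 result, 5.2 result)}."""
    cases = {"unauthenticated": Session("10.0.0.5", "HTTP"),
             "authenticated, group2": Session("10.0.0.6", "HTTP", frozenset({"group2"})),
             "authenticated, group1": Session("10.0.0.7", "HTTP", frozenset({"group1"}))}
    return {k: (match_50(policies, s), match_52(policies, s)) for k, s in cases.items()}
```

    Running compare() with the table reversed (least specific first) shows why the rule of thumb matters: the group1 user is swallowed by the open policy under both models and policy 1 never applies.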

  • Slide 27/30

    This assumes that Internal -> DMZ remains internal to the network and that in this environment there's no need to force authentication in that scenario.

  • Slide 28/30

    Captive portal exemption on the firewall policies will work the same way. However, the more policies that need an exemption, the more overhead there is to maintain. This provides an alternative that, depending on the network involved, may be easier to configure.
