8/10/2019 FOS 5.2 Delta Part 1 Notes
1/30
5.2.1 Split Policy Removal
FCNSA FortiGate Network Security Firewall Policy
FGT1-03-50005-E-20131120
-
2/30
-
3/30
Previously the behavior of authentication was proprietary to Fortinet.
This change allows for easier understanding and configuration when people have a background in other products or are doing a migration.
-
4/30
5.0 pioneered separate policy types and sub-types for identity and device identification. The idea was to simplify the number of options within a firewall policy by only allowing certain configuration settings, depending on which Type > Sub-type was selected.
-
5/30
5.2 collapses and combines these settings into the firewall policy itself. Overall this results in simpler configuration settings.
-
6/30
In previous firmware, once traffic matched the source and destination IPs of ANY firewall policy, there was no way to get out of that policy and drop down to the next one.
Traffic was handled by whatever rules that policy allowed.
5.2 expands source matching to include user and device information, not just IP addresses.
-
7/30
The same behavior is true if the user IS authenticated but is not part of group1.
Without FSSO (which authenticates ahead of time) users will never be prompted to log in, because they don't match policy 1 but DO match policy 2 (which has no authentication enabled).
-
8/30
Only users that successfully authenticate AND are in group 1 are allowed through.
-
9/30
This behavior change could impact upgrades from previous firmware.
-
10/30
The old feature had a limited scope of operation. It was designed to be used with FSSO or with devices that did not generate traffic on valid authentication protocols.
Failure to authenticate is not the same as unauthenticated.
-
11/30
Theoretical example deployment. Requires that two different user groups have separate NAT rules.
-
12/30
In 5.0 the scenario cannot be resolved with a FortiGate; all users will receive the same NAT rules.
With 5.2 each group will be a separate firewall policy and can receive independent NAT behavior.
-
13/30
Authentication will no longer be allowed with a protocol that is not also an allowed service in the policy.
-
14/30
This may impact upgrades if administrators were unaware of this behavior or were making explicit use of it.
-
15/30
DNS traffic is allowed to pass prior to successful authentication because, in most cases, users would be unable to authenticate without first being able to get DNS resolution.
-
16/30
This is a look at a firewall policy with authentication rules in 5.0.6.
-
17/30
The CLI comparison shows the authentication rules from 5.0 after conversion to 5.2.
-
18/30
Before and after GUI shots showing the 5.0.6 policy and its conversion to 5.2.0 afterwards.
-
19/30
Without using FSSO, users will not be authenticated because policy 4 does not force authentication and will match all the traffic.
-
20/30
The behavior of authentication has changed with 5.2.
Policies will be properly upgraded, but the behavior change may result in different, possibly unwanted, behavior, so all these factors need to be kept in mind.
Since the policy count will likely change in 5.2, as there are no authentication rules within a policy anymore, customers that wind up going over their policy limit after the upgrade will lose policies.
-
21/30
Rather than enforcing user authentication through the firewall policy, a captive portal can be enabled on the ingress interface.
A pure FSSO environment would have no need to enable captive portal to receive user details, as these come from the Collector.
-
22/30
Not available on interfaces with a dynamic IP.
The setting can be found in the Network > Interface section.
-
23/30
After enabling the captive portal, set up firewall policy(s) based on user information as normal.
-
24/30
Unauthenticated users will fall through, so policy order may be very important.
-
25/30
Remember, some devices may need to pass through without authentication (print servers, etc.).
-
26/30
Firewall policy order is very important when using this.
Important rule of thumb: always order your firewall policies from most specific to least specific.
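The fall-through behavior described in the notes (an unauthenticated or non-member user drops to the next policy, DNS passes before authentication, and a broader plain policy can swallow the traffic an identity policy was meant to catch) as an added Python model, not Fortinet code or the actual FortiOS lookup: it assumes a flow carrying user groups is an authenticated user and that an unauthenticated flow which matches only identity policies receives the authentication prompt on an allowed service.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Added model of the 5.2 policy lookup in these notes (not Fortinet code).
# Assumptions: a flow with user_groups set is an authenticated user, and an
# unauthenticated flow matching only identity policies gets the auth prompt,
# except DNS, which is passed through first (slide 15).
@dataclass(frozen=True)
class Policy:
    pid: int
    src: str                          # source subnet, e.g. "10.0.0.0/24"
    dst: str                          # destination subnet
    services: frozenset               # allowed services, e.g. {"HTTP", "DNS"}
    groups: frozenset = frozenset()   # empty = plain policy, no identity check
@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    service: str
    user_groups: frozenset = frozenset()   # empty = not authenticated
def l3_match(p, f):
    return (ip_address(f.src_ip) in ip_network(p.src) and
            ip_address(f.dst_ip) in ip_network(p.dst) and f.service in p.services)

def lookup_52(policies, f):
    """First match with identity as a source criterion: a non-member falls through."""
    pending = None                    # first identity policy whose IP/service matched
    for p in policies:
        if not l3_match(p, f):
            continue
        if not p.groups or p.groups & f.user_groups:
            return ("accept", p.pid)
        if not f.user_groups and pending is None:
            pending = p               # unauthenticated: keep looking, may be prompted
    if pending is None:
        return ("deny", None)         # implicit deny
    if f.service == "DNS":
        return ("accept", pending.pid)    # DNS allowed before authentication
    return ("challenge", pending.pid)     # prompt only on a service the policy allows

def shadowed(policies):
    """Identity policies below a broader plain policy that already accepts the traffic."""
    hits = []
    for i, above in enumerate(policies):
        for below in policies[i + 1:]:
            if (not above.groups and below.groups
                    and ip_network(above.src).overlaps(ip_network(below.src))
                    and ip_network(above.dst).overlaps(ip_network(below.dst))
                    and above.services & below.services):
                hits.append((below.pid, above.pid))   # (shadowed, shadowing)
    return hits
```

With an identity policy for group1 above a plain policy for the same subnet, an unauthenticated user is accepted by the plain policy and never prompted, which is the slide 7 and slide 19 pitfall; with the plain policy on top, shadowed() flags the identity policy as unreachable.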
-
27/30
This assumes that Internal -> DMZ remains internal to the network and that in this environment there's no need to force authentication in that scenario.
-
28/30
Captive portal exemption on the firewall policies will work the same way. However, the more policies that need an exemption, the more overhead there is to maintain. This provides an alternative that, depending on the network involved, may be easier to configure.