
FIREWALL POLICY

INTRODUCTION

A firewall is a part of a computer system or network.

It is designed to allow or deny network traffic.

It is used to block unwanted incoming and outgoing traffic.

It is a hardware-based network device or software running on a computer.

It inspects and controls the flow of traffic between computer networks of different trust levels.

The firewall's main function is to keep information from leaking in and out.

FIREWALL FEATURES

The policy list is based on the source and destination addresses.

When traffic logging is enabled in a firewall policy, all traffic matching that policy is logged and the logs are stored.

A general policy can be created that accepts connections from all source and destination addresses.

Policies allow connections to an internal network.

TYPES OF FIREWALL

Packet filter

Application gateway

Stateful firewall

CONT
Packet filter:

It inspects each packet passing through the network.

It accepts or rejects each packet based on user-defined rules.

It is difficult to configure, however.

Application gateway:

A specialized application that handles specific traffic, such as FTP and Telnet.

It is very effective.

It comes in three types: transparent, non-transparent and semi-transparent.

CONT..
Stateful firewall:

A firewall that keeps track of the state of network connections.

The proxy server effectively hides the true network addresses.

A stateful firewall depends on the TCP three-way handshake.

The state table holds entries that represent all the communication sessions of which the device is aware.

When traffic returns, the device compares the packet's information to the state table information to determine whether it is part of a currently logged communication session.

If the packet is related to a current table entry, it is allowed to pass.
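Added example (not from the deck or from Fortinet's code): a Python model of the state table and handshake tracking described above. The internal network 192.168.20.0/24, the sample addresses and the state names are assumptions.

```python
import ipaddress

# Assumed internal network; only hosts here may open a session outbound.
INSIDE = ipaddress.ip_network("192.168.20.0/24")


class StatefulFirewall:
    """Minimal model of the state table: an entry is created only by a SYN
    from an inside host, and every later packet is compared against it."""

    def __init__(self):
        # (src, sport, dst, dport) of the initiating packet -> session state
        self.table = {}

    def inspect(self, src, sport, dst, dport, flags):
        """Return 'allow' or 'drop' for one packet, updating the state table."""
        key, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        if key in self.table:      # same direction as the initiator
            return self._advance(key, flags, ("SYN_RECEIVED", {"ACK"}, "ESTABLISHED"))
        if reverse in self.table:  # returning traffic for a known session
            return self._advance(reverse, flags, ("SYN_SENT", {"SYN", "ACK"}, "SYN_RECEIVED"))
        # No entry in either direction: only an inside SYN may start a session.
        if flags == {"SYN"} and ipaddress.ip_address(src) in INSIDE:
            self.table[key] = "SYN_SENT"
            return "allow"
        return "drop"  # unsolicited packet, e.g. an inbound SYN or a stray ACK

    def _advance(self, key, flags, expect):
        """Advance the handshake when (state, flags) match, pass established
        traffic, drop anything else. Simplified: any FIN or RST closes the session."""
        state, wanted_flags, next_state = expect
        if self.table[key] == state and flags == wanted_flags:
            self.table[key] = next_state
        elif self.table[key] != "ESTABLISHED":
            return "drop"  # wrong flags for this stage of the handshake
        if flags & {"FIN", "RST"}:
            del self.table[key]  # later packets need a fresh handshake
        return "allow"
```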

CREATING NEW POLICY

POLICY ACCEPT

POLICY DENY

ADDRESSES

Firewall addresses are added to the source and destination IP address fields of firewall policies.

Two types of addresses:

Subnet / IP Range
Fully Qualified Domain Name (FQDN)

SUBNET/IP RANGE:

A single IP address can be added with a host mask (no subnet), to represent a single computer.
EG: 192.168.20.1/255.255.255.255
All possible IP addresses:
0.0.0.0/0.0.0.0
An IP range address represents a range of IP addresses within a subnet.
EG: 192.168.20.1 to 192.168.20.10

CREATE ADDRESSES

Add, edit, and delete firewall addresses and address ranges.

Firewall > Address > Address > Create New

CONT

The firewall address can also be a Fully Qualified Domain Name (FQDN).

The name assigned to the address is used to identify the address in the firewall policy dialog box.

Addresses, address groups, and virtual IPs must have unique names.
EG: www.google.com

In the dialog box, the Type field must be set to FQDN.

CREATE A NEW FQDN

ADDRESS GROUP

SCHEDULES

Schedules define when policies are active or inactive.

Two types of schedules:

One-time schedules
Recurring schedules

ONE-TIME SCHEDULES

A one-time schedule is effective once, for the period of time specified in the schedule.

Firewall > Schedule > One-time > Create New

RECURRING SCHEDULES

Recurring schedules repeat weekly for an indefinite period of time; they are effective at specified times of the day or week.

Firewall > Schedule > Recurring > Create New

SERVICES

Services determine the types of communication accepted or denied by the firewall.

They control the opening and closing of ports.

The firewall has many predefined service objects.

Custom service objects can also be created.

A service group can be created, and then one policy created to allow or block access for all the services in the group.

PREDEFINED SERVICES

CUSTOM SERVICES

We can add a custom service to create a policy for a service that is not in the predefined services list.

SERVICE GROUPS

We can create groups of services and then create one policy to allow or block access for all the services in the group.

Firewall > Service > Group > Create New

NAT
Network Address Translation hides the private IP address and sends traffic out with the public IP address.

CONT

NAT is the process where a network device, usually a firewall, assigns a public address to a computer (or group of computers) inside a private network.

The main use of NAT is to limit the number of public IP addresses an organization or company must use, for economy.

NAT is widely used in residential networks. It is of two types: dynamic and static.

POLICY SEQUENCE

The policy list is searched for a policy that matches the connection attempt.

The search starts at the top of the selected policy list and works down.

The first policy that matches is applied to the connection attempt.

If no policy matches, the connection is dropped.

The policy list is searched based on the source and destination addresses of the connection attempt.
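Added example (not from the deck or from Fortinet's code): a Python model of the top-down, first-match policy search, built from the address forms (subnet with dotted mask, IP range, 0.0.0.0/0.0.0.0), services and recurring schedules described on the earlier slides. The address names, policy list, port numbers and office hours are constructed assumptions.

```python
import ipaddress
from datetime import datetime

# Address objects in the two forms the deck shows: subnet with a dotted mask, and a range.
def subnet(ip, mask):
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return lambda a: ipaddress.ip_address(a) in net

def ip_range(start, end):
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return lambda a: lo <= ipaddress.ip_address(a) <= hi

ADDRESSES = {                                               # constructed address objects
    "all": subnet("0.0.0.0", "0.0.0.0"),                    # all possible IP addresses
    "lan": subnet("192.168.20.0", "255.255.255.0"),
    "admins": ip_range("192.168.20.1", "192.168.20.10"),
    "web_server": subnet("203.0.113.10", "255.255.255.255"),  # single host, no subnet
}
SERVICES = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "SSH": ("tcp", 22), "ALL": ("any", None)}

def recurring(weekdays, start_hour, end_hour):  # recurring schedule: weekly, by day and hour
    return lambda t: t.weekday() in weekdays and start_hour <= t.hour < end_hour

SCHEDULES = {"always": lambda t: True, "office_hours": recurring({0, 1, 2, 3, 4}, 8, 18)}

# Constructed policy list, in the order the firewall searches it (top to bottom).
POLICIES = [
    {"id": 1, "src": "admins", "dst": "web_server", "service": "SSH", "schedule": "office_hours", "action": "accept"},
    {"id": 2, "src": "lan", "dst": "all", "service": "HTTP", "schedule": "always", "action": "accept"},
    {"id": 3, "src": "lan", "dst": "all", "service": "HTTPS", "schedule": "always", "action": "accept"},
    {"id": 4, "src": "all", "dst": "all", "service": "ALL", "schedule": "always", "action": "deny"},
]

def service_matches(name, proto, port):
    sproto, sport = SERVICES[name]
    return sproto in ("any", proto) and sport in (None, port)

def evaluate(policies, src, dst, proto, port, when):
    """Return (policy id, action) of the first matching policy, or (None, 'deny')."""
    for p in policies:
        if (ADDRESSES[p["src"]](src) and ADDRESSES[p["dst"]](dst)
                and service_matches(p["service"], proto, port)
                and SCHEDULES[p["schedule"]](when)):
            return p["id"], p["action"]   # first match wins; later policies are never reached
    return None, "deny"                   # nothing matched: the connection is dropped
```

Passing `POLICIES[:3]` (without the explicit catch-all) shows the implicit drop the slide describes.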

CONT

VIRTUAL IP

An IP address that is shared among multiple domain names or multiple servers.

Virtual IPs are also widely used to balance incoming traffic across multiple servers.

Virtual IPs are used to allow connections through the FortiGate unit using network address translation (NAT) firewall policies.

By using a VIP we can access our system from outside.

A VIP creates a bi-directional translation between an internal IP and an external IP.

Port forwarding can be used to alter the source or destination ports.
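Added example (not from the deck or from Fortinet's code) covering the NAT slides and the virtual IP slide together: outbound source NAT that hides private addresses behind one public IP, and a port-forwarding VIP that translates in both directions. The public IP 203.0.113.1, the internal server 192.168.20.15 and the port numbers are constructed assumptions.

```python
PUBLIC_IP = "203.0.113.1"   # assumed public address of the firewall's external interface

# Constructed virtual IP with port forwarding: outside clients reach 203.0.113.1:8443,
# the firewall maps that to the internal web server on 192.168.20.15:443.
VIPS = [{"extip": PUBLIC_IP, "extport": 8443, "mappedip": "192.168.20.15", "mappedport": 443}]


class NatFirewall:
    """Packets are dicts with src, sport, dst, dport. Outbound traffic is source-NATed
    to PUBLIC_IP; inbound traffic is either a reply to such a session or a VIP hit."""

    def __init__(self):
        self.snat = {}          # public port -> (private ip, private port)
        self.by_private = {}    # (private ip, private port) -> public port
        self.next_port = 40000  # constructed starting point for translated source ports

    def outbound(self, pkt):
        """Source NAT: the private address is replaced by PUBLIC_IP and a unique port."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.by_private:
            self.by_private[key] = self.next_port
            self.snat[self.next_port] = key
            self.next_port += 1
        return {**pkt, "src": PUBLIC_IP, "sport": self.by_private[key]}

    def inbound(self, pkt):
        """Reverse the SNAT for replies, apply the VIP for forwarded ports, else drop."""
        if pkt["dst"] == PUBLIC_IP and pkt["dport"] in self.snat:
            src, sport = self.snat[pkt["dport"]]
            return {**pkt, "dst": src, "dport": sport}
        for vip in VIPS:
            if (pkt["dst"], pkt["dport"]) == (vip["extip"], vip["extport"]):
                return {**pkt, "dst": vip["mappedip"], "dport": vip["mappedport"]}
        return None             # nothing to translate: the private network stays hidden

    def vip_reply(self, pkt):
        """The other half of the bi-directional VIP: the server's reply leaves with the
        external address and port, so the client never sees 192.168.20.15."""
        for vip in VIPS:
            if (pkt["src"], pkt["sport"]) == (vip["mappedip"], vip["mappedport"]):
                return {**pkt, "src": vip["extip"], "sport": vip["extport"]}
        return pkt
```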

CREATE PORT FORWARD

ENABLE PORT FORWARDING

CONT

TRAFFIC SHAPER

Traffic shaping is for allocating and controlling bandwidth, for network performance.

Once included in a firewall policy, a traffic shaper controls the bandwidth available to that policy.

It sets the priority of traffic processed by the policy, to control the volume of traffic for a specific period.

It is applied at the network edges to control traffic entering the network.

It is effective for normal IP traffic at normal rates; it is not effective at extremely high traffic volumes.

FIREWALL AUTHENTICATION PROTOCOLS

The firewall allows authentication on the following protocols:

HTTP/HTTPS
FTP
Telnet

Default authentication timeout is 15 minutes.
