Firewall Policies
Module Objectives
• By the end of this module participants will be able to:
  • Identify the components used in a firewall policy
  • Create firewall objects
  • Create firewall policies and manage the order of their processing
Firewall Policies
(Slide diagram: a policy is built from source and destination interfaces, source and destination IP addresses, services, schedules, the action (ACCEPT), authentication, threat management, traffic shaping and logging)
• Firewall policies include the instructions used by the FortiGate device to determine what to do with a connection request
• The packet is analyzed, its content is compared to the policy, and the action is performed
Firewall Actions
(Slide diagram: the packet is matched on source and destination interfaces, source and destination IP addresses, services and schedules; the policy action is then Accept, Deny, IPSec or SSL VPN)
Policy Matching
| From | To | Source | Destination | Schedule | Service | Action |
|---|---|---|---|---|---|---|
| internal | wan1 | 192.168.1.110 | All | Always | HTTP | Accept |
| internal | wan1 | all | all | 9am-5pm | HTTP | Accept |
| internal | wan1 | 192.168.1.0/24 | all | always | FTP | Accept |
| any | ANY | All | All | Always | Any | Deny |

• The FortiGate device searches the list from top to bottom looking for a policy with matching conditions
• The action on the first matched policy is applied
• Move policies in the list to influence the order in which they are evaluated
• The default implicit DENY is always at the bottom of the list
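As an added illustration of the top-to-bottom, first-match evaluation described on this slide (it is not part of the original training material and not FortiOS code), the following Python model implements the policy table above and adds a check for policies that can never be reached because an earlier, broader policy hides them. The policy names, the constructed `MISORDERED` table, the spelling of the 9am-5pm schedule as 09:00-17:00, and passing the current time of day as 'HH:MM' text are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str   # "any" matches every interface
    dstintf: str
    srcaddr: str   # "all", a host address or a CIDR prefix
    dstaddr: str
    schedule: str  # "always" or a daily recurring window "HH:MM-HH:MM"
    service: str   # "ANY" or a predefined service name
    action: str    # "accept" or "deny"


# Predefined services used by the table (protocol, destination port).
SERVICES = {"HTTP": ("tcp", 80), "FTP": ("tcp", 21)}

# Constructed policy table mirroring the slide; rows are evaluated top to bottom.
POLICIES = [
    Policy("host-web", "internal", "wan1", "192.168.1.110", "all", "always", "HTTP", "accept"),
    Policy("office-web", "internal", "wan1", "all", "all", "09:00-17:00", "HTTP", "accept"),
    Policy("lan-ftp", "internal", "wan1", "192.168.1.0/24", "all", "always", "FTP", "accept"),
    Policy("implicit-deny", "any", "any", "all", "all", "always", "ANY", "deny"),
]

# Constructed misordered table: a broad accept placed above a narrow deny.
MISORDERED = [
    Policy("allow-web", "internal", "wan1", "all", "all", "always", "HTTP", "accept"),
    Policy("deny-host", "internal", "wan1", "192.168.1.110", "all", "always", "HTTP", "deny"),
]


def intf_matches(rule, intf):
    return rule.lower() == "any" or rule == intf


def addr_matches(rule, ip):
    return rule.lower() == "all" or ip_address(ip) in ip_network(rule, strict=False)


def schedule_active(rule, now_hhmm):
    """now_hhmm is the current time of day as zero-padded 'HH:MM' text."""
    if rule.lower() == "always":
        return True
    start, end = rule.split("-")
    return start <= now_hhmm <= end  # zero-padded HH:MM compares correctly as text


def service_matches(rule, proto, dport):
    return rule.upper() == "ANY" or SERVICES[rule.upper()] == (proto, dport)


def evaluate(policies, pkt, now_hhmm):
    """Return (policy name, action) of the first policy that matches pkt, top to bottom.
    Later policies are never consulted once one matches; nothing matching means deny."""
    for p in policies:
        if (intf_matches(p.srcintf, pkt["srcintf"]) and intf_matches(p.dstintf, pkt["dstintf"])
                and addr_matches(p.srcaddr, pkt["src"]) and addr_matches(p.dstaddr, pkt["dst"])
                and schedule_active(p.schedule, now_hhmm)
                and service_matches(p.service, pkt["proto"], pkt["dport"])):
            return p.name, p.action
    return "implicit-deny", "deny"


def _covers(wide, narrow):
    """True if every packet matched by `narrow` is also matched by `wide`."""
    def intf(a, b):
        return a.lower() == "any" or a == b

    def addr(a, b):
        if a.lower() == "all":
            return True
        if b.lower() == "all":
            return False
        return ip_network(b, strict=False).subnet_of(ip_network(a, strict=False))

    def sched(a, b):
        return a.lower() == "always" or a == b   # only an identical window counts

    def svc(a, b):
        return a.upper() == "ANY" or a.upper() == b.upper()

    return (intf(wide.srcintf, narrow.srcintf) and intf(wide.dstintf, narrow.dstintf)
            and addr(wide.srcaddr, narrow.srcaddr) and addr(wide.dstaddr, narrow.dstaddr)
            and sched(wide.schedule, narrow.schedule) and svc(wide.service, narrow.service))


def shadowed(policies):
    """Return (policy, earlier policy) pairs where the earlier policy hides the later one
    completely, so the later policy can never be the first match."""
    found = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if _covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


if __name__ == "__main__":
    pkt = {"srcintf": "internal", "dstintf": "wan1", "src": "192.168.1.110",
           "dst": "203.0.113.10", "proto": "tcp", "dport": 80}
    print(evaluate(POLICIES, pkt, "18:00"))  # ('host-web', 'accept'): row 1 matches, row 2's window is never checked
    print(shadowed(MISORDERED))              # [('deny-host', 'allow-web')]
```

The host 192.168.1.110 is accepted at 18:00 although the office-wide HTTP policy is only active 09:00-17:00, because its own row sits first; any other internal host sending HTTP at 18:00 falls through to the implicit deny. The `shadowed` check is the kind of review a practitioner runs after moving policies in the list: in `MISORDERED` the deny for the single host is unreachable.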
Policy Usage
• View policy usage by active sessions, bytes or packets
• Firewall > Monitor > Policy Monitor
Firewall Policy Elements
• Source and destination interfaces
• Source and destination addresses
• Services
• Schedules
• Action
• NAT
• Identity-based policies
• Threat management
• Traffic shaping
• Endpoint NAC
• Logging
• Virtual IPs
• Load balancing
Firewall Interfaces
(Slide diagram: the source interface and the destination interface of a policy)
• Select source to identify the interface or zone on which packets are received
• Select an individual interface or ANY to match all interfaces as the source
• The source can also be set to the SSL VPN tunnel interface, web-proxy or ftp-proxy
• Select destination to identify the interface or zone to which packets are forwarded
• Select an individual interface or ANY to match all interfaces as the destination
• SSL VPN and IPSec tunnel interfaces are also available as the destination
Firewall Addresses
(Slide diagram: the source and destination IP address of the packet is compared with the source and destination address of the firewall policy)
• The FortiGate device compares the source and destination address in the packet to the policies on the device
• Default of ALL addresses available
• Addresses in policies are configured with:
  • Name for display in the policy list
  • IP address and mask
  • FQDN if desired
• Use Country to create addresses based on geographical location
• Create address groups to simplify administration
Firewall Schedules
(Slide diagram: a one-time or recurring schedule is compared with the firewall policy)
• Schedules control when policies are active or inactive
• The FortiGate device compares the current date and time to the policies
• The action on the first matched policy is applied
• Schedules can be one-time or recurring
• Active sessions are timed out when the schedule expires
• Group schedules to simplify administration
Firewall Services
(Slide diagram: the protocol and port of the packet is compared with the service in the firewall policy)
• The FortiGate device uses services to determine the types of communication accepted or denied
• Default of ANY service available
• Select a service from the predefined list on the FortiGate unit or create a custom service
• Web Proxy Service also available if Source Interface is set to web-proxy
• Group services and Web Proxy Service Groups to simplify administration
Firewall Logging
(Slide diagram: for the Accept, Deny and IPSec actions a policy can Log Allowed Traffic or Log Violation Traffic)
Network Address Translation (NAT)
Firewall policy with NAT enabled; wan1 IP address: 192.168.2.2
Packet from the internal host 10.10.10.1 to the server 172.16.1.1:

| | On internal (before NAT) | On wan1 (after NAT) |
|---|---|---|
| Source IP address | 10.10.10.1 | 192.168.2.2 |
| Source port | 1025 | 30912 |
| Destination IP address | 172.16.1.1 | 172.16.1.1 |
| Destination port | 80 | 80 |
NAT Dynamic IP Pool
Firewall policy with NAT + IP pool enabled; wan1 IP pool: 172.16.12.2-172.16.12.12 (wan1 interface address 192.168.2.2)
Packet from the internal host 10.10.10.1 to the server 172.16.1.1:

| | On internal (before NAT) | On wan1 (after NAT) |
|---|---|---|
| Source IP address | 10.10.10.1 | 172.16.12.12 |
| Source port | 1025 | 30957 |
| Destination IP address | 172.16.1.1 | 172.16.1.1 |
| Destination port | 80 | 80 |
Central NAT Table
• Allows creation of NAT rules and NAT mappings set up by the global firewall table
• Control port translation instead of allowing the system to assign ports randomly
Fixed Port
Firewall policy with NAT + IP pool enabled + fixed port (CLI only); wan1 IP pool: 172.16.12.2-172.16.12.12 (wan1 interface address 192.168.2.2)
Packet from the internal host 10.10.10.1 to the server 172.16.1.1; the source port is preserved:

| | On internal (before NAT) | On wan1 (after NAT) |
|---|---|---|
| Source IP address | 10.10.10.1 | 172.16.12.12 |
| Source port | 1025 | 1025 |
| Destination IP address | 172.16.1.1 | 172.16.1.1 |
| Destination port | 80 | 80 |
Source NAT IP Address and Port
• The session table identifies the IP address and port that NAT has applied to each session
Identity-Based Policies
(Slide diagram: users can be authenticated against Local, LDAP, Directory Services, TACACS+ or RADIUS)
• When enabled, a user must authenticate before the device will allow traffic
• Authentication rules specify group details for users being forced to authenticate
Local-in Firewall Policies
• Policies designed for traffic that is localized to the FortiGate unit, for example:
  • Central management
  • Update announcement
  • NetBIOS forward
• The destination address of firewall policies for local-in traffic is limited to the FortiGate interface IP and secondary IP addresses
• Local-in firewall policies can be created for IPv4 and IPv6
• Configurable only in the CLI:

    config firewall interface-policy
        edit <0>
            set interface <source_interface_name>
            set srcaddr <source_address_name>
            set dstaddr <destination_address_name>
            set service <service_name>
        end
Threat Management
(Slide diagram: the threat management features a policy can apply are protocol options, antivirus, IPS, web filtering, email filtering, data leak prevention and application control)
Protocol Options
Protocol options list: HTTP, HTTPS, FTP, FTPS, IMAP, POP3, SMTP, IM, NNTP, IMAPS, POP3S, SMTPS
Protocol Options - File size
(Slide diagram: Firewall Policy → Enable UTM → Protocol Options → Oversize File/Email: Pass or Block, with a Threshold)
• File size is checked against preset thresholds
• If larger than the threshold and the action is set to block, the file is rejected
• If larger than the threshold and the action is set to allow, the uncompressed file must fit within the memory buffer
• If it does not, by default no further scanning operations are performed
Traffic Shaping
(Slide diagram: HTTP, FTP and IM traffic placed in high, medium and low priority queues)
• Traffic shaping controls which policies have higher priority when large amounts of data are passing through the FortiGate unit
• Normalize traffic bursts by prioritizing certain flows over others
Traffic Shapers
(Slide diagram: Shared Traffic Shaper and Per-IP Traffic Shaper, each with Guaranteed Bandwidth and Maximum Bandwidth values)
• Traffic shapers apply Guaranteed Bandwidth and Maximum Bandwidth values to the addresses affected by the policy
• Shared traffic shaper: the values are shared between all IP addresses affected by the policy
• Per-IP traffic shaper: the values are applied to each IP address affected by the policy
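As an added illustration (not code from the training material and not the FortiGate scheduler), the following Python model shows how the guaranteed and maximum values of several shapers can be combined on one link, and how a shared shaper differs from a per-IP shaper when several hosts fall under the same policy. The allocation rule (guaranteed bandwidth first, the remaining capacity divided max-min fair up to each maximum), the function names and all bandwidth figures are assumptions made for the example.

```python
def water_fill(wants, capacity):
    """Max-min fair allocation of `capacity` among `wants` (key -> amount it can still use).
    Every active key gets an equal share; a key that needs less than its share is
    satisfied and the unused part is redistributed in the next round."""
    alloc = {k: 0.0 for k in wants}
    left = float(capacity)
    active = {k for k, w in wants.items() if w > 0}
    while active and left > 1e-9:
        share = left / len(active)
        satisfied = set()
        for k in sorted(active):
            give = min(share, wants[k] - alloc[k])
            alloc[k] += give
            left -= give
            if wants[k] - alloc[k] <= 1e-9:
                satisfied.add(k)
        if not satisfied:        # everyone took a full share: capacity is used up
            break
        active -= satisfied
    return alloc


def shape_link(link_kbps, shapers):
    """shapers: policy name -> {"demand", "guaranteed", "maximum"} in kbit/s.
    Modelled as (assumption): each policy first receives its guaranteed bandwidth, never
    more than it asks for; the remaining link capacity is shared max-min fair, and no
    policy is taken above its maximum."""
    base = {n: min(s["demand"], s["guaranteed"]) for n, s in shapers.items()}
    if sum(base.values()) > link_kbps:
        raise ValueError("guaranteed bandwidth oversubscribes the link")
    extra_wants = {n: min(s["demand"], s["maximum"]) - base[n] for n, s in shapers.items()}
    extra = water_fill(extra_wants, link_kbps - sum(base.values()))
    return {n: round(base[n] + extra[n], 1) for n in shapers}


def split_among_hosts(host_demands, maximum_kbps, per_ip):
    """Divide one policy's bandwidth among the hosts the policy covers.
    Shared shaper: all hosts compete for a single maximum (max-min fair).
    Per-IP shaper: every host independently gets up to the maximum."""
    if per_ip:
        return {h: round(min(d, maximum_kbps), 1) for h, d in host_demands.items()}
    return {h: round(v, 1) for h, v in water_fill(host_demands, maximum_kbps).items()}


# Constructed demands in kbit/s for three policies sharing a 10 Mbit/s link.
LINK_KBPS = 10000
SHAPERS = {
    "web": {"demand": 8000, "guaranteed": 2000, "maximum": 4000},
    "ftp": {"demand": 8000, "guaranteed": 1000, "maximum": 8000},
    "im":  {"demand": 500,  "guaranteed": 500,  "maximum": 1000},
}
# Constructed per-host demands under one policy whose shaper has a 4000 kbit/s maximum.
HOSTS = {"10.10.10.1": 3000, "10.10.10.2": 3000, "10.10.10.3": 500}

if __name__ == "__main__":
    print(shape_link(LINK_KBPS, SHAPERS))                # web capped at its 4000 maximum, ftp takes the rest
    print(split_among_hosts(HOSTS, 4000, per_ip=False))  # three hosts share 4000 kbit/s
    print(split_among_hosts(HOSTS, 4000, per_ip=True))   # each host may use up to 4000 kbit/s
```

The shared case is the one that surprises administrators: the same 4000 kbit/s maximum means 1750 kbit/s per busy host when three hosts match the policy, but 3000 kbit/s per host under a per-IP shaper, because the per-IP values are applied to each address separately.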
Endpoint Control
(Slide diagram: endpoint compliance checks before access is allowed: is the endpoint up to date? is disallowed software installed?)
Virtual IPs
Firewall policy with destination address virtual IP + static NAT; wan1 IP address 172.16.1.1 → 192.168.1.100; wan1 IP pool: 172.16.12.2-172.16.12.12
Packet from 10.10.10.1 for the virtual IP 172.16.1.1 on wan1:

| | On wan1 (before translation) | On internal (after translation) |
|---|---|---|
| Source IP address | 10.10.10.1 | 172.16.12.2 |
| Source port | 1025 | 1025 |
| Destination IP address | 172.16.1.1 | 192.168.1.100 |
| Destination port | 80 | 80 |

• Used to allow connections through a FortiGate using NAT firewall policies
• The FortiGate unit can respond to ARP requests on a network for a server that is installed on another network
• For example, add a virtual IP to an external interface so that the interface can respond to connection requests for users connecting to a server on the dmz or internal network
Virtual IPs
Firewall policy with NAT
Packet from 172.16.1.1 to 10.10.10.2:

| | Before NAT | After NAT |
|---|---|---|
| Source IP address | 172.16.1.1 | 172.16.1.100 |
| Source port | 1025 | 1025 |
| Destination IP address | 10.10.10.2 | 10.10.10.2 |
| Destination port | 80 | 80 |
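The following Python model, added here as an illustration and not taken from the slides or from FortiOS, ties together the NAT slides (interface address, dynamic IP pool, fixed port and the session table) and the virtual IP slides above. The packet addresses, the pool range and the first dynamic port 30912 come from the slides; the way a pool address is chosen for a host, the class and method names and the collision check for fixed port are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# Constructed values following the slides: wan1 interface address and dynamic IP pool.
WAN1_IP = "192.168.2.2"
POOL = [f"172.16.12.{i}" for i in range(2, 13)]   # 172.16.12.2-172.16.12.12


class SourceNat:
    """Stateful source NAT for a policy with NAT enabled (simplified model, not FortiOS code).
    - without a pool the source becomes the wan1 interface address;
    - with a pool the source becomes one pool address;
    - fixed_port keeps the original source port instead of assigning a new one."""

    def __init__(self, intf_ip, pool=None, fixed_port=False, first_port=30912):
        self.intf_ip = intf_ip
        self.pool = list(pool) if pool else []
        self.fixed_port = fixed_port
        self.next_port = first_port   # next dynamically assigned port (constructed start value)
        self.sessions = {}            # translated (src, sport, dst, dport) -> original (src, sport)

    def _nat_ip(self, src):
        if not self.pool:
            return self.intf_ip
        return self.pool[int(ip_address(src)) % len(self.pool)]  # assumption: spread hosts over the pool

    def outbound(self, pkt):
        """Translate a packet leaving on wan1 and record the session."""
        nat_ip = self._nat_ip(pkt.src)
        if self.fixed_port:
            nat_port = pkt.sport
            key = (nat_ip, nat_port, pkt.dst, pkt.dport)
            if key in self.sessions and self.sessions[key] != (pkt.src, pkt.sport):
                # two internal hosts using the same source port cannot share one NAT address
                raise ValueError(f"fixed port collision on {nat_ip}:{nat_port}")
        else:
            nat_port = self.next_port
            self.next_port += 1
            key = (nat_ip, nat_port, pkt.dst, pkt.dport)
        self.sessions[key] = (pkt.src, pkt.sport)
        return Packet(nat_ip, nat_port, pkt.dst, pkt.dport)

    def reply(self, pkt):
        """Reverse-translate a reply from the server using the session table;
        a packet with no session entry is dropped (None)."""
        orig = self.sessions.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            return None
        return Packet(pkt.src, pkt.sport, orig[0], orig[1])


class VirtualIp:
    """Static NAT virtual IP: an address on wan1 mapped one-to-one to an internal server."""

    def __init__(self, mappings):
        self.inbound_map = dict(mappings)                       # external -> internal
        self.outbound_map = {v: k for k, v in mappings.items()}  # internal -> external

    def inbound(self, pkt):
        """Rewrite the destination of a packet arriving for a virtual IP;
        addresses wan1 does not own are not forwarded (None)."""
        internal = self.inbound_map.get(pkt.dst)
        if internal is None:
            return None
        return Packet(pkt.src, pkt.sport, internal, pkt.dport)

    def outbound(self, pkt):
        """Packets from the mapped server leave with the virtual IP as their source."""
        return Packet(self.outbound_map.get(pkt.src, pkt.src), pkt.sport, pkt.dst, pkt.dport)


if __name__ == "__main__":
    nat = SourceNat(WAN1_IP)
    out = nat.outbound(Packet("10.10.10.1", 1025, "172.16.1.1", 80))
    print(out)                                                      # 192.168.2.2:30912 -> 172.16.1.1:80
    print(nat.reply(Packet("172.16.1.1", 80, out.src, out.sport)))  # back to 10.10.10.1:1025
```

The session table is what makes the reply path work: a packet from the server that matches no recorded translation is dropped rather than forwarded inside. The fixed port variant shows the trade-off the slide leaves implicit: keeping the client's source port is only safe while no two hosts behind the same pool address pick the same port for the same destination.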
Load Balancing
(Slide diagram: a virtual server on the FortiGate unit distributing client connections to several real servers)
• The FortiGate unit intercepts incoming traffic and shares it across the available servers
• Multiple servers can respond as if they were a single device
• The service provided can be highly available
Load Balancing Methods
• Source IP Hash: traffic load is spread evenly across all servers according to a hash of the source IP address
• Round Robin: requests are directed to the next server; all servers are treated equally
• Weighted: servers with a higher weight value receive a larger percentage of connections (slide example weights: 1, 5, 3, 4, 2)
• First Alive: requests are always directed to the first alive server
• Least round trip: requests are directed to the server with the least round trip time
• Least session: requests are directed to the server that has the least number of current connections
• HTTP-host: the Host HTTP header is used to guide the connection to the correct server
Persistence
(Slide diagram: a client's requests within one session all reach the same real server)
• Persistence ensures that a user is connected to the same server every time they make a request within the same session
• Persistence options:
  • No persistence
  • HTTP cookie
  • SSL session ID
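The following Python model, added as an illustration and not taken from the slides or from FortiOS, implements the seven load balancing methods listed above together with HTTP cookie persistence, so that the interaction between the two can be tried out. Server names, weights, round trip times, the use of SHA-256 for source IP hashing, the cookie table kept on the virtual server and the fallback to the first alive server for an unmatched Host header are assumptions made for the example.

```python
import hashlib


class RealServer:
    """One backend behind the virtual server (constructed test data, not a FortiOS object)."""

    def __init__(self, name, weight=1, alive=True, rtt_ms=10.0, http_host=None):
        self.name, self.weight, self.alive = name, weight, alive
        self.rtt_ms, self.http_host = rtt_ms, http_host
        self.sessions = 0                      # current connections, used by least-session


class VirtualServer:
    METHODS = ("round-robin", "weighted", "first-alive", "least-rtt",
               "least-session", "src-ip-hash", "http-host")

    def __init__(self, servers, method="round-robin", persistence=None):
        if method not in self.METHODS:
            raise ValueError(f"unknown method {method}")
        self.servers = servers
        self.method = method
        self.persistence = persistence         # None or "http-cookie"
        self._rr = 0                           # round-robin position
        self._ring = [s for s in servers for _ in range(s.weight)]   # weight-expanded ring
        self._ring_i = 0
        self.cookie_table = {}                 # cookie value -> server name

    def _select(self, alive, src_ip, host):
        m = self.method
        if m == "round-robin":
            s = alive[self._rr % len(alive)]
            self._rr += 1
        elif m == "weighted":
            s = alive[0]
            for _ in range(len(self._ring)):   # walk the ring, skipping dead servers
                cand = self._ring[self._ring_i % len(self._ring)]
                self._ring_i += 1
                if cand.alive:
                    s = cand
                    break
        elif m == "first-alive":
            s = alive[0]
        elif m == "least-rtt":
            s = min(alive, key=lambda x: x.rtt_ms)
        elif m == "least-session":
            s = min(alive, key=lambda x: x.sessions)
        elif m == "src-ip-hash":
            digest = hashlib.sha256(src_ip.encode()).digest()
            s = alive[int.from_bytes(digest[:4], "big") % len(alive)]
        else:  # http-host: route on the Host header; unmatched hosts go to the first alive server (assumption)
            s = next((x for x in alive if x.http_host == host), None) or alive[0]
        return s

    def connect(self, src_ip="0.0.0.0", host=None, cookie=None):
        """Choose the real server for a new request; returns its name, or None if none is alive."""
        alive = [s for s in self.servers if s.alive]
        if not alive:
            return None
        s = None
        if self.persistence == "http-cookie" and cookie in self.cookie_table:
            # stick to the server recorded for this cookie, as long as it is still up
            s = next((x for x in alive if x.name == self.cookie_table[cookie]), None)
        if s is None:
            s = self._select(alive, src_ip, host)
            if self.persistence == "http-cookie" and cookie is not None:
                self.cookie_table[cookie] = s.name
        s.sessions += 1
        return s.name

    def disconnect(self, name):
        """Session ended: release the connection count used by least-session."""
        for s in self.servers:
            if s.name == name and s.sessions > 0:
                s.sessions -= 1


if __name__ == "__main__":
    vs = VirtualServer([RealServer("A"), RealServer("B")], "round-robin", persistence="http-cookie")
    print(vs.connect(cookie="s1"), vs.connect(cookie="s1"), vs.connect(cookie="s2"))  # A A B
```

Persistence overrides the method only while the recorded server is alive; when it goes down the request is distributed again by the configured method, which is the behaviour an operator should expect to see in session counts after a real server failure.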
DoS Policies
(Slide diagram: traffic is checked by the DoS policy before it reaches the firewall policy)
• DoS policies identify network traffic that does not fit known or common patterns of behavior
• If the traffic is determined to be an attack, the action in the DoS sensor is taken
• DoS policies are applied before firewall policies
• If traffic passes the DoS sensor, it continues to the firewall policies
Sniffer Policies
• The FortiGate unit sniffs packets for attacks and various UTM events without actually receiving them:
  • DoS Sensor
  • IPS
  • Application Control
  • Antivirus
  • Web Filter
  • DLP Sensor
• Sniffer policies cannot block traffic, but can log detected events
Firewall Object Usage
• Allows for faster changes to settings
• The Reference column allows administrators to determine where an object is being used
• Navigate directly to the appropriate edit page
Object Tagging
• Simplifies firewall policy object management
• Useful for administering multiple VDOMs
• Easier to find and access specific firewall policies within specific VDOMs
• Available for firewall policies, address objects, IPS predefined signatures and application entries/filters
• Objects can provide useful organizational information
• Use of tags must be enabled through administrative settings or through the CLI:

    config system object-tag
        set gui-object-tags-enable
Labs
• Lab - Firewall Policies
  • Creating Firewall Policy Objects
  • Creating Firewall Policies
  • Verifying the Firewall Policies
  • Configuring Virtual IP Access
  • Configuring IP Pools
  • Configuring Traffic Shaping
  • Testing Traffic Shaping