Relationship between authentication and policy order

Network requirements

  1. PCs with source addresses 192.168.100.77/32 and 192.168.100.78/32 must pass firewall authentication before they can access the Internet.
  2. All other source IPs may access the Internet directly, without firewall authentication.

Configuration steps

  1. Configure the users and user group for firewall authentication on the FortiGate.

    config user local
        edit "user1"
            set type password
            set passwd xxxxxx
        next
        edit "user2"
            set type password
            set passwd xxxxxx
        next
    end
    
    config user group
        edit "Auth_Users"
            set member "user1" "user2"
        next
    end
    
  2. Create the first Internet policy: source 192.168.100.77/32 and 192.168.100.78/32, user group Auth_Users selected, destination all, SNAT enabled.


  3. Below the policy from step 2, create a second Internet policy: source 192.168.100.0/24, no user or group selected, destination all, SNAT enabled. The CLI configuration that results lists the policies in evaluation order: the authentication policy (ID 17) first, the general subnet policy (ID 1) second.


    config firewall policy
        edit 17
            set srcintf "internal5"
            set dstintf "virtual-wan-link"
            set action accept
            set srcaddr "192.168.100.77/32" "192.168.100.78/32"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set nat enable
            set groups "Auth_Users"
        next
        edit 1
            set srcintf "internal5"
            set dstintf "virtual-wan-link"
            set action accept
            set srcaddr "192.168.100.0/24"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
    

Result verification

  1. Neither 192.168.100.77/32 and 192.168.100.78/32 nor the other PCs in 192.168.100.0/24 are asked to authenticate; all of them reach the Internet directly, which clearly does not match the requirement.


  2. The corresponding session shows that the matched policy is ID 1 (the second policy, the one for the rest of the subnet) and that the session carries no auth flag.

    session info: proto=6 proto_state=01 duration=2 expire=3597 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
    state=log may_dirty npu synced f00    //no auth flag//
    statistic(bytes/packets/allow_err): org=92/2/1 reply=52/1/1 tuples=2
    tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
    orgin->sink: org pre->post, reply pre->post dev=12->5/5->12 gwy=172.22.6.1/10.10.12.2
    hook=post dir=org act=snat 192.168.100.77:18489->110.242.68.4:443(172.22.6.128:40598)
    hook=pre dir=reply act=dnat 110.242.68.4:443->172.22.6.128:40598(192.168.100.77:18489)
    pos/(before,after) 0/(0,0), 0/(0,0)
    src_mac=e0:23:ff:67:e3:9c
    misc=0 policy_id=1 //matched policy ID 1, the policy without authentication// pol_uuid_idx=636 auth_info=0 chk_client_info=0 vd=0
    serial=013c33e2 tos=ff/ff app_list=0 app=0 url_cat=0
    sdwan_mbr_seq=3 sdwan_service_id=1
    rpdb_link_id=ff000001 ngfwid=n/a
    npu_state=0x4000c00 ofld-O ofld-R
    npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=64/71, ipid=71/64, vlan=0x0000/0x0000
    vlifid=71/64, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=1/3
    

Solution

  1. With the default configuration, unauthenticated traffic passing through the FortiGate is allowed to keep matching the firewall policies that follow the policy with authentication enabled (ID 17). Because the policy after it (ID 1) covers the whole subnet and does not require authentication, the traffic that should be authenticated matches policy ID 1 instead and reaches the Internet directly.

  2. This behaviour is controlled by the setting below; by default auth-on-demand is set to implicitly:

    FortiGate # config user setting 
    FortiGate (setting) # set auth-on-demand ?
    always        Always trigger firewall authentication on demand.
    implicitly    Implicitly trigger firewall authentication on demand.
    
    • always: trigger firewall authentication strictly in policy order. Once traffic matches an authentication policy it cannot fall through to the policies after it; traffic that has not authenticated is not forwarded (browser traffic is redirected to the authentication page instead).
    • implicitly: the default. Authentication is triggered implicitly: unauthenticated traffic is still allowed to match the policies below the authentication policy, so if a later policy also matches, the traffic is passed by that policy without ever authenticating.
  3. To meet this requirement, change the auth-on-demand mode to always, so that firewall authentication is triggered in policy order:

    config user setting
        set auth-on-demand always
    end
    
  4. Accessing the Internet again from 192.168.100.77/32 now brings up the authentication page.


  5. Looking at the session, the traffic that requires authentication now matches policy ID 17, i.e. the first (authentication) policy, and the session carries the auth flag.

    session info: proto=6 proto_state=05 duration=0 expire=0 timeout=3600 flags=00000004 socktype=4 sockport=10100 av_idx=0 use=4
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
    state=redir log local may_dirty auth npu synced f00    //auth flag present//
    statistic(bytes/packets/allow_err): org=0/0/0 reply=6945/9/1 tuples=2
    tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
    orgin->sink: org pre->post, reply pre->post dev=12->5/5->12 gwy=172.22.6.1/0.0.0.0
    hook=pre dir=org act=noop 192.168.100.77:19011->110.242.68.4:443(0.0.0.0:0)
    hook=post dir=reply act=noop 110.242.68.4:443->192.168.100.77:19011(0.0.0.0:0)
    pos/(before,after) 0/(0,0), 0/(0,0)
    src_mac=e0:23:ff:67:e3:9c
    misc=0 policy_id=17 //matched policy ID 17// pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
    serial=013d220f tos=ff/ff app_list=0 app=0 url_cat=0
    sdwan_mbr_seq=3 sdwan_service_id=1
    rpdb_link_id=ff000001 ngfwid=n/a
    npu_state=0x4000000
    npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
    vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
    no_ofld_reason:  redir-to-av auth    //the session is redirected to the authentication module//
    
  6. After successful authentication, 192.168.100.77/32 can access the Internet normally.


  7. The session's auth flag changes to authed, and the matched policy is still authentication policy 17.

    session info: proto=6 proto_state=01 duration=3 expire=3596 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
    user=user1 state=log may_dirty npu authed synced f00 acct-ext    //authed flag present//
    statistic(bytes/packets/allow_err): org=92/2/1 reply=52/1/1 tuples=2
    tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
    orgin->sink: org pre->post, reply pre->post dev=12->5/5->12 gwy=172.22.6.1/10.10.12.2
    hook=post dir=org act=snat 192.168.100.77:19231->110.242.68.4:443(172.22.6.128:19231)
    hook=pre dir=reply act=dnat 110.242.68.4:443->172.22.6.128:19231(192.168.100.77:19231)
    pos/(before,after) 0/(0,0), 0/(0,0)
    src_mac=e0:23:ff:67:e3:9c
    misc=0 policy_id=17 //matched policy ID 17// pol_uuid_idx=643 auth_info=3 chk_client_info=0 vd=0
    serial=013d776b tos=ff/ff app_list=0 app=0 url_cat=0
    sdwan_mbr_seq=3 sdwan_service_id=1
    rpdb_link_id=ff000001 ngfwid=n/a
    npu_state=0x4000c00 ofld-O ofld-R
    npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=64/71, ipid=71/64, vlan=0x0000/0x0000
    vlifid=71/64, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=0/2
    
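The session dumps in steps 2, 5 and 7 above are what you inspect to confirm whether traffic actually matched the authentication policy. As an added example (not part of the original page and not Fortinet code), the Python script below parses the text of `diagnose sys session list`, extracts the state flags, the matched policy_id and the user of each session, and flags any session from a host that should authenticate but was passed by a policy without a user group, which is the symptom the default implicitly mode produced. The list of sources that must authenticate, the authentication policy ID 17 and the fourth sample session from 192.168.100.50 are assumptions for this scenario; the other three samples are abridged from the dumps shown above.

```python
"""Audit FortiGate session dumps for an authentication-policy bypass.

Added example, not code from the original page or from Fortinet. It parses the
text of `diagnose sys session list` and flags sessions from hosts that must
authenticate but matched a policy that has no user group, which is what the
default auth-on-demand "implicitly" mode produced in the verification above.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

# Assumed inventory for this page's scenario: the sources that must
# authenticate and the policy IDs that carry the Auth_Users group.
AUTH_REQUIRED_SRCS = ["192.168.100.77/32", "192.168.100.78/32"]
AUTH_POLICY_IDS = {17}

# Constructed sample: the three sessions shown on this page, cut down to the
# lines the parser needs, plus a fourth session from 192.168.100.50 (invented)
# that is allowed to use policy 1 without authentication.
SAMPLE_DUMP = """\
session info: proto=6 proto_state=01 duration=2 expire=3597 timeout=3600
state=log may_dirty npu synced f00
hook=post dir=org act=snat 192.168.100.77:18489->110.242.68.4:443(172.22.6.128:40598)
misc=0 policy_id=1 pol_uuid_idx=636 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=05 duration=0 expire=0 timeout=3600
state=redir log local may_dirty auth npu synced f00
hook=pre dir=org act=noop 192.168.100.77:19011->110.242.68.4:443(0.0.0.0:0)
misc=0 policy_id=17 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
no_ofld_reason:  redir-to-av auth
session info: proto=6 proto_state=01 duration=3 expire=3596 timeout=3600
user=user1 state=log may_dirty npu authed synced f00 acct-ext
hook=post dir=org act=snat 192.168.100.77:19231->110.242.68.4:443(172.22.6.128:19231)
misc=0 policy_id=17 pol_uuid_idx=643 auth_info=3 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=1 expire=3599 timeout=3600
state=log may_dirty npu synced f00
hook=post dir=org act=snat 192.168.100.50:40001->110.242.68.4:443(172.22.6.128:40001)
misc=0 policy_id=1 pol_uuid_idx=636 auth_info=0 chk_client_info=0 vd=0
"""

# `\bstate=` deliberately does not match proto_state= or npu_state=.
RE_STATE = re.compile(r"\bstate=([^\n]*)")
RE_POLICY = re.compile(r"\bpolicy_id=(\d+)")
RE_USER = re.compile(r"\buser=(\S+)")
RE_ORIG_SRC = re.compile(r"dir=org act=\w+ (\d+\.\d+\.\d+\.\d+):\d+->")


@dataclass
class Session:
    src: str
    policy_id: int
    flags: FrozenSet[str]   # tokens of the state= line, e.g. {"auth", "redir"}
    user: Optional[str]     # set once the session carries user=<name>


def parse_sessions(dump: str) -> List[Session]:
    """Split a session-list dump on 'session info:' and pull out the fields."""
    sessions = []
    for chunk in dump.split("session info:")[1:]:
        state = RE_STATE.search(chunk)
        policy = RE_POLICY.search(chunk)
        src = RE_ORIG_SRC.search(chunk)
        if not (state and policy and src):
            continue  # incomplete entry (e.g. truncated output); skip it
        user = RE_USER.search(chunk)
        sessions.append(Session(
            src=src.group(1),
            policy_id=int(policy.group(1)),
            flags=frozenset(state.group(1).split()),
            user=user.group(1) if user else None,
        ))
    return sessions


def audit(sessions: List[Session], auth_required: List[str],
          auth_policy_ids: Set[int]) -> List[Tuple[str, int, str]]:
    """Return (src, policy_id, verdict) for every session.

    bypass         source must authenticate but was passed by a non-auth policy
    pending-auth   unauthenticated, held on the auth policy (portal redirect)
    authenticated  session carries the authed flag
    ok             nothing to flag (source is not required to authenticate)
    """
    nets = [ipaddress.ip_network(n) for n in auth_required]
    out = []
    for s in sessions:
        must_auth = any(ipaddress.ip_address(s.src) in n for n in nets)
        if "authed" in s.flags:
            verdict = "authenticated"
        elif "auth" in s.flags:
            verdict = "pending-auth"
        elif must_auth and s.policy_id not in auth_policy_ids:
            verdict = "bypass"
        else:
            verdict = "ok"
        out.append((s.src, s.policy_id, verdict))
    return out


if __name__ == "__main__":
    for src, pid, verdict in audit(parse_sessions(SAMPLE_DUMP),
                                   AUTH_REQUIRED_SRCS, AUTH_POLICY_IDS):
        print(f"{src:<16} policy_id={pid:<3} {verdict}")
```

Run it against saved output of `diagnose sys session list` (narrowed first with `diagnose sys session filter src 192.168.100.77` if the table is large). A bypass verdict while auth-on-demand is still set to implicitly is exactly the condition described in the solution section: the host was passed by policy 1 without ever being challenged, and nothing in the policy table alone shows it.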

Copyright © 2024 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
This page was revised on: 2024-03-08 14:08:23
