Local-in Policy

Introduction to Local-in Policy

A regular firewall policy only applies to traffic that traverses a FortiGate interface; it has no effect on traffic whose destination is an address of the FortiGate itself (and which does not traverse a FortiGate interface). Local-in Policy controls inbound traffic sent to a FortiGate interface (traffic that does not traverse a FortiGate interface).

Even if the destination of the traffic is the address of a FortiGate interface, if the traffic traverses a FortiGate interface it is not considered local-in traffic and can be controlled by a regular firewall policy, for example traffic that enters the FortiGate's WAN interface to reach the address of its internal interface.

Administrative access (HTTPS, PING, SSH, etc.) can be allowed or denied per interface. Trusted hosts can be configured in the administrator settings to restrict which hosts may reach the management services. Local-in Policy lets you specify the source address, destination address, interface and service of local-in traffic, so as to control inbound local traffic that the features above cannot:

  • Restrict administrator access or other services, such as the SSL VPN service, by defining a source address or address group. For example, use a geography-type address to restrict access to the FortiGate from IP addresses in a particular geographic region. The "IP address threat feed" configured under "Security Fabric → External Connectors" can also be used as the source or destination address.
  • Use Virtual Patch to mitigate attacks against known FortiGate vulnerabilities. The vulnerability signatures scan local inbound traffic on the specified interface and drop any traffic that matches an attack signature. For how to use Virtual Patch, see the Virtual Patch chapter.

Local-in Policy Configuration

config firewall {local-in-policy | local-in-policy6}
    edit <policy_number>
        set intf <interface>
        set srcaddr <source_address> [source_address] ...
        set dstaddr <destination_address> [destination_address] ...
        set action {accept | deny}
        set service <service_name> [service_name] ...
        set schedule <schedule_name>
        set virtual-patch {enable | disable}
        set comments <string>
    next
end
Note that Local-in Policy differs from a regular firewall policy: the implicit default action of a regular firewall policy is deny all, whereas the implicit default action of Local-in Policy is permit all.
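The following is an added example, not code from this page or from FortiOS: a small Python model of local-in policy evaluation (first match in ID order, implicit permit all when nothing matches) using the two-rule pattern of Example 2 below. The address prefixes, the stand-in for the "China" geography object and the port lists are constructed; the sentinel 4294967295 is the policy_id the page's session output shows for a session that matched no explicit local-in policy.

```python
import ipaddress

# policy_id shown in the page's session output when no explicit local-in
# policy matched (0xFFFFFFFF); interpreted here as the implicit policy.
IMPLICIT_POLICY_ID = 4294967295

# Address objects, constructed for this example. "China" stands in for the
# geography-type address; its prefix is a placeholder, not GeoIP data.
ADDRESSES = {
    "all": ["0.0.0.0/0"],
    "China": ["202.103.0.0/16"],  # placeholder prefix for the geography object
}
# Service objects: None means "ALL" (any port).
SERVICES = {"ALL": None, "SSH": {22}}


def addr_match(name, ip):
    ip = ipaddress.ip_address(ip)
    return any(ip in ipaddress.ip_network(p) for p in ADDRESSES[name])


def svc_match(name, port):
    ports = SERVICES[name]
    return ports is None or port in ports


def local_in_verdict(policies, intf, src, dport):
    """Evaluate local-in policies in ID order; the first match wins.
    No match -> implicit permit all (the opposite of a regular firewall
    policy). dstaddr is omitted because the page's examples all use "all"."""
    for pol in sorted(policies, key=lambda p: p["id"]):
        if pol["intf"] not in ("any", intf):
            continue
        if addr_match(pol["srcaddr"], src) and svc_match(pol["service"], dport):
            return pol["action"], pol["id"]
    return "accept", IMPLICIT_POLICY_ID


# Example 2's two rules: accept SSH from "China", then deny everything else.
EXAMPLE2 = [
    {"id": 1, "intf": "port1", "srcaddr": "China", "service": "SSH", "action": "accept"},
    {"id": 2, "intf": "port1", "srcaddr": "all", "service": "ALL", "action": "deny"},
]

if __name__ == "__main__":
    print(local_in_verdict(EXAMPLE2, "port1", "202.103.12.1", 22))
    print(local_in_verdict(EXAMPLE2, "port1", "35.1.2.3", 22))
    # Without the explicit deny rule, the implicit policy lets foreign SSH in.
    print(local_in_verdict(EXAMPLE2[:1], "port1", "35.1.2.3", 22))
```

The third call is the point of the note above: with only the accept rule configured, a source outside the geography object is still permitted by the implicit policy, so an explicit trailing deny is required.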

Configuration Steps

Example 1

The user has enabled SSL VPN on the public-facing interface port1 and notices that certain suspicious IP ranges repeatedly attempt to log in to the SSL VPN; the logins fail and generate SSL VPN logs. The user wants to block these IP ranges from attempting SSL VPN logins so that no SSL VPN login logs are generated.

  1. Configure address objects and an address group for the suspicious IP ranges. For example, the suspicious source ranges attempting to log in are 117.53.1.0/24, 27.1.5.0/24 and 113.25.0.0/16, referenced through an address group.

    config firewall address
        edit "117.53.1.0/24"
            set subnet 117.53.1.0 255.255.255.0
        next
        edit "27.1.5.0/24"
            set subnet 27.1.5.0 255.255.255.0
        next
        edit "113.25.0.0/16"
            set subnet 113.25.0.0 255.255.0.0
        next
    end
    
    config firewall addrgrp
        edit "SSL_VPN_Deny_IP"
            set member "117.53.1.0/24" "27.1.5.0/24" "113.25.0.0/16"
        next
    end
    
  2. Configure a service object for the SSL VPN port in use; in this example the user's SSL VPN port is 10443.

    config firewall service custom
        edit "SSL_VPN_10443"
            set tcp-portrange 10443
        next
    end
    
  3. Configure a Local-in Policy that denies these suspicious IPs access to the FortiGate's SSL VPN service.

    config firewall local-in-policy
        edit 1
            set intf "port1"
            set srcaddr "SSL_VPN_Deny_IP"
            set dstaddr "all"
            set action deny
            set service "SSL_VPN_10443"
            set schedule "always"
        next
    end
    
  4. Use debug flow to inspect SSL VPN access from the restricted ranges: the traffic is dropped by Local-in Policy (ID 1) and no longer triggers SSL VPN log generation.

    id=65308 trace_id=12 func=print_pkt_detail line=5888 msg="vd-root:0 received a packet(proto=6, 117.53.1.37:16008->202.103.12.2:10443) tun_id=0.0.0.0 from port1. flag [S], seq 4019479492, ack 0, win 29200"
    id=65308 trace_id=12 func=init_ip_session_common line=6073 msg="allocate a new session-0000004e"
    id=65308 trace_id=12 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=80000000 gw-0.0.0.0 via root"
    id=65308 trace_id=12 func=fw_local_in_handler line=618 msg="iprope_in_check() check failed on policy 1, drop"
    
  5. Use debug flow to inspect SSL VPN access from an IP outside the restricted ranges: TCP port 10443 is reachable normally.

    id=65308 trace_id=39 func=print_pkt_detail line=5888 msg="vd-root:0 received a packet(proto=6, 202.103.12.1:16204->202.103.12.2:10443) tun_id=0.0.0.0 from port1. flag [S], seq 2461158975, ack 0, win 29200"
    id=65308 trace_id=39 func=init_ip_session_common line=6073 msg="allocate a new session-0000003d"
    id=65308 trace_id=39 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=80000000 gw-0.0.0.0 via root"
    id=65308 trace_id=39 func=ip_session_confirm_final line=3111 msg="npu_state=0x0, hook=1"
    id=65308 trace_id=40 func=print_pkt_detail line=5888 msg="vd-root:0 received a packet(proto=6, 202.103.12.2:10443->202.103.12.1:16204) tun_id=0.0.0.0 from local. flag [S.], seq 1646480095, ack 2461158976, win 28960"
    id=65308 trace_id=40 func=resolve_ip_tuple_fast line=5976 msg="Find an existing session, id-0000003d, reply direction"
    ...
    
  6. View the corresponding local-in session.

    session info: proto=6 proto_state=01 duration=2 expire=3597 timeout=3600 refresh_dir=both flags=00000000 socktype=3 sockport=0 av_idx=0 use=3
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
    state=local may_dirty 
    statistic(bytes/packets/allow_err): org=112/2/1 reply=60/1/1 tuples=2
    tx speed(Bps/kbps): 50/0 rx speed(Bps/kbps): 27/0
    orgin->sink: org pre->in, reply out->post dev=3->9/9->3 gwy=0.0.0.0/0.0.0.0
    hook=pre dir=org act=noop 202.103.12.1:16208->202.103.12.2:10443(0.0.0.0:0)
    hook=post dir=reply act=noop 202.103.12.2:10443->202.103.12.1:16208(0.0.0.0:0)
    pos/(before,after) 0/(0,0), 0/(0,0)
    misc=0 policy_id=4294967295 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
    serial=00000042 tos=ff/ff app_list=0 app=0 url_cat=0
    rpdb_link_id=00000000 ngfwid=n/a
    npu_state=00000000
    no_ofld_reason:  local
    

Example 2

The user has enabled SSH access on the public-facing interface port1 and sees frequent failed SSH login attempts to the FortiGate from foreign IP addresses. The user wants to deny SSH access from foreign IPs while allowing SSH access from domestic IPs.

  1. Configure a geography-based address object for domestic (China) IP addresses.

    config firewall address
        edit "China"
            set type geography
            set country "CN"
        next 
    end
    
  2. Configure Local-in Policies that allow clients with domestic IPs to access the FortiGate's SSH service and deny all other IPs access to it.

    config firewall local-in-policy
        edit 1
            set intf "port1"
            set srcaddr "China"
            set dstaddr "all"
            set action accept
            set service "SSH"
            set schedule "always"
        next
        edit 2
            set intf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action deny
            set service "ALL"
            set schedule "always"
        next
    end
    
  3. Use debug flow to inspect SSH access from a domestic IP: access succeeds.

    id=65308 trace_id=1 func=print_pkt_detail line=5888 msg="vd-root:0 received a packet(proto=6, 202.103.12.1:18768->202.103.12.2:22) tun_id=0.0.0.0 from port1. flag [S], seq 3436667351, ack 0, win 29200"
    id=65308 trace_id=1 func=init_ip_session_common line=6073 msg="allocate a new session-0000005a"
    id=65308 trace_id=1 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=80000000 gw-0.0.0.0 via root"
    id=65308 trace_id=1 func=ip_session_confirm_final line=3111 msg="npu_state=0x0, hook=1"
    id=65308 trace_id=2 func=print_pkt_detail line=5888 msg="vd-root:0 received a packet(proto=6, 202.103.12.2:22->202.103.12.1:18768) tun_id=0.0.0.0 from local. flag [S.], seq 4214370010, ack 3436667352, win 28960"
    id=65308 trace_id=2 func=resolve_ip_tuple_fast line=5976 msg="Find an existing session, id-0000005a, reply direction"
    ...
    
  4. View the corresponding local-in session.

    session info: proto=6 proto_state=01 duration=9 expire=3590 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
    state=local may_dirty 
    statistic(bytes/packets/allow_err): org=164/3/1 reply=127/2/1 tuples=2
    tx speed(Bps/kbps): 17/0 rx speed(Bps/kbps): 13/0
    orgin->sink: org pre->in, reply out->post dev=3->9/9->3 gwy=0.0.0.0/0.0.0.0
    hook=pre dir=org act=noop 202.103.12.1:18782->202.103.12.2:22(0.0.0.0:0)
    hook=post dir=reply act=noop 202.103.12.2:22->202.103.12.1:18782(0.0.0.0:0)
    pos/(before,after) 0/(0,0), 0/(0,0)
    misc=0 policy_id=1 pol_uuid_idx=15846 auth_info=0 chk_client_info=0 vd=0
    serial=00000092 tos=ff/ff app_list=0 app=0 url_cat=0
    rpdb_link_id=00000000 ngfwid=n/a
    npu_state=00000000
    no_ofld_reason:  local
    
  5. Use debug flow to inspect SSH access from a foreign IP: the traffic is dropped by Local-in Policy (ID 2).

    id=65308 trace_id=1 func=print_pkt_detail line=5888 msg="vd-root:0 received a packet(proto=6, 35.1.2.3:10648->35.1.2.1:22) tun_id=0.0.0.0 from port1. flag [S], seq 891389291, ack 0, win 29200"
    id=65308 trace_id=1 func=init_ip_session_common line=6073 msg="allocate a new session-0000008c"
    id=65308 trace_id=1 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=80000000 gw-0.0.0.0 via root"
    id=65308 trace_id=1 func=fw_local_in_handler line=618 msg="iprope_in_check() check failed on policy 2, drop"
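As an added example (not code from this page or from FortiOS), the parser below reads the debug flow output shown in Examples 1 and 2, groups lines by trace_id and records whether each flow was confirmed as a session or dropped by a local-in policy, which is the check an operator runs to confirm a rule is hitting. The sample lines are copied from the page; only the dropped trace_id=1 capture from Example 2 is kept, since trace ids restart per capture.

```python
import re

# Debug flow lines copied from this page's Example 1 and Example 2 output.
DEBUG_FLOW = """\
id=65308 trace_id=12 func=print_pkt_detail line=5888 msg="vd-root:0 received a packet(proto=6, 117.53.1.37:16008->202.103.12.2:10443) tun_id=0.0.0.0 from port1. flag [S], seq 4019479492, ack 0, win 29200"
id=65308 trace_id=12 func=init_ip_session_common line=6073 msg="allocate a new session-0000004e"
id=65308 trace_id=12 func=fw_local_in_handler line=618 msg="iprope_in_check() check failed on policy 1, drop"
id=65308 trace_id=39 func=print_pkt_detail line=5888 msg="vd-root:0 received a packet(proto=6, 202.103.12.1:16204->202.103.12.2:10443) tun_id=0.0.0.0 from port1. flag [S], seq 2461158975, ack 0, win 29200"
id=65308 trace_id=39 func=ip_session_confirm_final line=3111 msg="npu_state=0x0, hook=1"
id=65308 trace_id=1 func=print_pkt_detail line=5888 msg="vd-root:0 received a packet(proto=6, 35.1.2.3:10648->35.1.2.1:22) tun_id=0.0.0.0 from port1. flag [S], seq 891389291, ack 0, win 29200"
id=65308 trace_id=1 func=fw_local_in_handler line=618 msg="iprope_in_check() check failed on policy 2, drop"
"""

# First packet of a trace: 5-tuple plus the ingress interface.
PKT_RE = re.compile(r"trace_id=(\d+) func=print_pkt_detail .*?proto=(\d+), "
                    r"([\d.]+):(\d+)->([\d.]+):(\d+)\) tun_id=\S+ from (\S+)\.")
# Local-in handler rejecting the packet, with the policy ID that matched.
DROP_RE = re.compile(r"trace_id=(\d+) func=fw_local_in_handler .*?"
                     r"check failed on policy (\d+), drop")
# Session confirmed: the packet passed local-in checks.
CONFIRM_RE = re.compile(r"trace_id=(\d+) func=ip_session_confirm_final")


def parse_debug_flow(text):
    """Group debug flow lines by trace_id.
    Returns {trace_id: {proto, src, sport, dst, dport, intf, verdict, policy}}."""
    traces = {}
    for line in text.splitlines():
        if m := PKT_RE.search(line):
            tid, proto, src, sport, dst, dport, intf = m.groups()
            traces.setdefault(tid, {"verdict": "unknown", "policy": None}).update(
                proto=int(proto), src=src, sport=int(sport), dst=dst,
                dport=int(dport), intf=intf)
        elif m := DROP_RE.search(line):
            traces.setdefault(m.group(1), {}).update(verdict="drop",
                                                     policy=int(m.group(2)))
        elif m := CONFIRM_RE.search(line):
            traces.setdefault(m.group(1), {}).update(verdict="accept")
    return traces


def dropped_by_local_in(text):
    """(src, dport, policy_id) for every trace a local-in policy dropped."""
    return [(t["src"], t["dport"], t["policy"])
            for t in parse_debug_flow(text).values() if t.get("verdict") == "drop"]


if __name__ == "__main__":
    for tid, t in parse_debug_flow(DEBUG_FLOW).items():
        print(tid, t["src"], t["dport"], t["verdict"], t["policy"])
```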
    

Example 3

In an HA environment the user has enabled and configured an HA dedicated management interface and needs to configure a Local-in Policy on that interface.

  1. Check the FortiGate HA dedicated management interface configuration; the dedicated management interface is internal1.

    config system ha
        config ha-mgmt-interfaces
            edit 1
                set interface "internal1"
            next
        end
    end
    
  2. When configuring a Local-in Policy on internal1, the HA dedicated management interface internal1 cannot be selected as the inbound interface.

    FortiGate # config firewall local-in-policy 
    FortiGate (local-in-policy) # edit 1
    new entry '1' added
    FortiGate (1) # set intf ?
    <string>    Please input string value.
    any             Match any interface in the virtual domain.
    dmz     interface
    fortilink       interface
    internal        interface
    internal4       interface
    internal5(to_FW2_90D_internal_12_13)    interface
    l2t.root        interface
    naf.root        interface
    ssl.root(SSL VPN interface)     interface
    to_Home_WAN1    interface
    to_Home_WAN2    interface
    wan1    interface
    wan2    interface
    
  3. To configure a Local-in Policy on the HA dedicated management interface, enable the ha-mgmt-intf-only option. Once it is set to enable, the Local-in Policy can be applied to the HA dedicated management interface normally.

    config firewall local-in-policy
        edit 1
            set ha-mgmt-intf-only enable
            set intf "internal1"
            set srcaddr "Beijing_LAB_88"
            set dstaddr "all"
            set service "HTTPS"
            set schedule "always"
        next
    end
    

TTL Policy

A TTL Policy can be configured to block attack traffic that carries a high TTL. Like Local-in Policy, this feature applies only to local inbound traffic and not to traffic traversing FortiGate interfaces; srcintf specifies the interface on which the local inbound traffic is matched (it cannot be the HA dedicated management interface).

config firewall ttl-policy
    edit <id>
        set status {enable | disable}
        set action {accept | deny}
        set srcintf <interface>
        set srcaddr <source_address> [source_address] ...
        set service <service_name> [service_name] ...
        set schedule <schedule_name>
        set ttl <value/range>
    next
end

Copyright © 2024 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
This page was revised on: 2024-02-02 09:55:11
