VIP traffic does not match a firewall policy

Problem description

  1. The user configured a firewall policy (ID 6) that references a VIP as its destination, with source interface wan1 and destination interface lan.

    config firewall vip
        edit "VIP_192.168.100.77"
            set extip 10.10.12.5
            set mappedip "192.168.100.77"
            set extintf "wan1"
        next
    end
    
    config firewall policy
        edit 6
            set name "VIP_ADC"
            set srcintf "wan1"
            set dstintf "lan"
            set action accept
            set srcaddr "all"
            set dstaddr "VIP_192.168.100.77"
            set schedule "always"
            set service "ALL"
        next
    end
    
  2. To temporarily block all traffic from wan1 to lan (including VIP traffic), the user created a policy (ID 8) that denies all traffic from wan1 to lan and placed it above the policy described earlier.

    config firewall policy
        edit 8
            set name "Deny_wan1_to_lan"
            set srcintf "wan1"
            set dstintf "lan"
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set logtraffic disable
        next
        edit 6
            set name "VIP_ADC"
            set srcintf "wan1"
            set dstintf "lan"
            set action accept
            set srcaddr "all"
            set dstaddr "VIP_192.168.100.77"
            set schedule "always"
            set service "ALL"
        next
    end
    
  3. External traffic to the VIP can still reach the internal server through the VIP mapping. The session matches Policy ID 6: the deny policy (ID 8) sits above Policy ID 6, yet Policy ID 6 is still the one matched.

    session info: proto=6 proto_state=01 duration=14 expire=3585 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=ftp vlan_cos=0/255
    state=may_dirty npu npd 
    statistic(bytes/packets/allow_err): org=164/3/1 reply=154/2/1 tuples=2
    tx speed(Bps/kbps): 10/0 rx speed(Bps/kbps): 10/0
    orgin->sink: org pre->post, reply pre->post dev=7->48/48->7 gwy=192.168.100.77/10.10.12.1
    hook=pre dir=org act=dnat 10.10.12.1:13034->10.10.12.5:21(192.168.100.77:21)
    hook=post dir=reply act=snat 192.168.100.77:21->10.10.12.1:13034(10.10.12.5:21)
    pos/(before,after) 0/(0,0), 0/(0,0)
    dst_mac=00:e0:4c:b9:97:7c
    misc=0 //policy_id=6// pol_uuid_idx=590 auth_info=0 chk_client_info=0 vd=0
    serial=00002ee8 tos=ff/ff app_list=0 app=0 url_cat=0
    rpdb_link_id=00000000 ngfwid=n/a
    npu_state=0x4100000
    npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
    vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
    no_ofld_reason:  offload-denied helper
    

Solution

  1. By default (in FortiOS versions before 7.2.4), traffic destined to a VIP matches a firewall policy only when that policy's destination address references the VIP. If the destination is "all", VIP traffic does not match the policy, so in the scenario above traffic to the VIP matches only Policy ID 6.

  2. Enabling match-vip on Policy ID 8 lets traffic to the VIP match Policy ID 8, whose destination is "all", so the traffic is dropped.

    config firewall policy
        edit 8
            set match-vip enable
        next
    end
    
  3. When external traffic accesses the VIP again, the VIP DNAT is still performed, but the packet ultimately matches Policy ID 8 and is dropped.

    id=65308 trace_id=13 func=print_pkt_detail line=5795 msg="vd-root:0 received a packet(proto=6, 10.10.12.1:14317->10.10.12.5:21) tun_id=0.0.0.0 from wan1. flag [S], seq 987682832, ack 0, win 65535"
    id=65308 trace_id=13 func=init_ip_session_common line=5980 msg="allocate a new session-00003270, tun_id=0.0.0.0"
    id=65308 trace_id=13 func=get_new_addr line=1231 msg="find DNAT: IP-192.168.100.77, port-0(fixed port)"
    id=65308 trace_id=13 func=fw_pre_route_handler line=180 msg="VIP-192.168.100.77:21, outdev-wan1"
    id=65308 trace_id=13 func=__ip_session_run_tuple line=3402 msg="DNAT 10.10.12.5:21->192.168.100.77:21"
    id=65308 trace_id=13 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-192.168.100.77 via lan"
    id=65308 trace_id=13 func=__iprope_tree_check line=539 msg="gnum-100004, use addr/intf hash, len=4"
    id=65308 trace_id=13 func=fw_forward_handler line=825 msg="Denied by forward policy check (policy 8)"
    

Notes

  • In FortiOS 7.2.4 and later, the match-vip option in firewall policies is enabled by default.
  • In FortiOS versions before 7.2.4, the match-vip option in firewall policies is disabled by default.
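To make the lookup rule from the solution and the version notes concrete, here is an added example (not from this KB page or from FortiOS) that emulates the matching behaviour in Python; the policy table and VIP object are taken from the page, the matching rule is an assumption reconstructed from the page's description, and `blind_deny_policies` is a hypothetical audit helper that flags deny policies VIP traffic would bypass.

```python
# Added example, not code from the Fortinet KB page or from FortiOS; the matching
# rule is an assumption taken from the page's description: a VIP-destined flow matches
# a policy whose dstaddr is the VIP, and one with dstaddr "all" only if match-vip is on.
from dataclasses import dataclass

# VIP object from the page: extip 10.10.12.5 on wan1 -> mappedip 192.168.100.77
VIPS = {"VIP_192.168.100.77": {"extip": "10.10.12.5", "mappedip": "192.168.100.77"}}

@dataclass
class Policy:
    id: int
    srcintf: str
    dstintf: str
    dstaddr: str             # "all", an address object name, or a VIP name
    action: str = "deny"     # FortiOS default when no "set action" is given
    match_vip: bool = False  # "set match-vip enable"

def page_policies(match_vip_on_8=False):
    """Policy table in the order shown on the page (ID 8 placed above ID 6)."""
    return [
        Policy(8, "wan1", "lan", "all", match_vip=match_vip_on_8),
        Policy(6, "wan1", "lan", "VIP_192.168.100.77", action="accept"),
    ]

def lookup(policies, srcintf, dstintf, dst_ip, version_7_2_4_plus=False):
    """First policy the flow matches, scanning top-down; None means implicit deny."""
    vip = next((n for n, v in VIPS.items() if v["extip"] == dst_ip), None)
    for p in policies:
        if (p.srcintf, p.dstintf) != (srcintf, dstintf):
            continue
        if vip is None:            # ordinary (non-VIP) destination
            if p.dstaddr == "all":
                return p
            continue
        vip_visible = p.match_vip or version_7_2_4_plus   # 7.2.4+ defaults to enable
        if p.dstaddr == vip or (p.dstaddr == "all" and vip_visible):
            return p
    return None

def blind_deny_policies(policies, version_7_2_4_plus=False):
    """IDs of deny/dstaddr-all policies that VIP traffic bypasses (hypothetical audit)."""
    blind = []
    for i, p in enumerate(policies):
        if p.action != "deny" or p.dstaddr != "all" or p.match_vip or version_7_2_4_plus:
            continue
        same_pair = [q for q in policies[i + 1:] if (q.srcintf, q.dstintf) == (p.srcintf, p.dstintf)]
        if any(q.dstaddr in VIPS for q in same_pair):
            blind.append(p.id)
    return blind
```

Running `lookup(page_policies(), "wan1", "lan", "10.10.12.5")` reproduces the page's symptom (Policy ID 6 is hit), while the same call with `match_vip_on_8=True` or `version_7_2_4_plus=True` returns Policy ID 8.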

Copyright © 2024 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
This page was revised on: 2024-03-07 17:57:58