Firewall policy (slide transcript)
Firewall policy introduction

A firewall is a part of a computer system or network designed to allow or deny network traffic. It is used to block unwanted incoming and outgoing traffic.
It is a hardware-based network device or software running on a computer that inspects and controls the flow of traffic between computer networks at different trust levels.
The firewall's main function is to keep information from leaking in or out.

Firewall features

The policy list is matched on the source and destination addresses.
Traffic logging can be enabled in a firewall policy so that all traffic matching the policy is logged.
A general policy can be created that accepts connections from all source and destination addresses, allowing connections to an internal network.
Types of firewall

Packet filter
Application gateway
Stateful firewall

Packet filter: inspects each packet passing through the network and accepts or rejects it based on user-defined rules. It is, however, difficult to configure.
Application gateway: a specialized application that handles specific traffic, such as FTP and Telnet servers. It is very effective. It comes in three types: transparent, non-transparent and semi-transparent.
Stateful firewall: a firewall that keeps track of the state of network connections. The proxy server effectively hides the true network addresses. A stateful firewall depends on the three-way handshake. The state table holds entries that represent all the communication sessions of which the device is aware. When traffic returns, the device compares the packet's information to the state table to determine whether it is part of a currently logged communication session. If the packet is related to a current table entry, it is allowed to pass.

Creating a new policy
Policy Accept
Policy deny
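The state-table behaviour described under the stateful firewall above, combined with the accept/deny decision a policy makes for a new connection, as an added example (not from the slides; the policy tuple format, TCP-only sessions and all addresses are assumptions):

```python
# Added example, not from the slides: a minimal stateful packet filter.
# Assumed: TCP only, sessions keyed by the 4-tuple (src, sport, dst, dport).
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for a connection-opening packet (start of the handshake)

class StatefulFirewall:
    def __init__(self, policies):
        # policies: ordered list of (src_net, dst_net, dport, action);
        # dport None means any port. Only new (SYN) packets are checked against them.
        self.policies = policies
        self.state = set()   # one entry per communication session the device knows

    def _policy_action(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for src_net, dst_net, dport, action in self.policies:
            if (src in ipaddress.ip_network(src_net)
                    and dst in ipaddress.ip_network(dst_net)
                    and dport in (None, pkt.dport)):
                return action   # first matching policy wins
        return "deny"           # implicit deny when no policy matches

    def process(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Packets of a session already in the state table pass without a policy
        # lookup; the reversed key is how returning traffic is recognised.
        if key in self.state or reverse in self.state:
            return "accept"
        if not pkt.syn:
            return "deny"       # mid-stream packet with no session entry
        action = self._policy_action(pkt)
        if action == "accept":
            self.state.add(key)  # new session entry for the accepted connection
        return action

    def sessions(self):
        return len(self.state)
```

An inbound packet that matches no existing session and is not a SYN is dropped even if a policy would accept a new connection to that port.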
Addresses

Firewall addresses are added to the source and destination address fields of firewall policies.
Two types of addresses:
Subnet / IP range
Fully Qualified Domain Name (FQDN)

Subnet / IP range: a single IP address can be added with a host mask, for a single computer, e.g. 192.168.20.1/255.255.255.255. All possible IP addresses: 0.0.0.0/0.0.0.0. An IP range address represents a range of IP addresses in a subnet, e.g. 192.168.20.1 to 192.168.20.10.

Create addresses: add, edit, and delete firewall addresses and address ranges.
Firewall > Address > Address > Create New
The firewall address can also be a Fully Qualified Domain Name (FQDN).
The name assigned to the address is used to identify the address in the firewall dialog box.
Addresses, address groups, and virtual IPs must have unique names. E.g. www.google.com
In the Type field of the dialog box, choose FQDN.
Create a new FQDN
Address Group
Schedules

Schedules define when policies are active or inactive.
Two types of schedules:
One-time schedules
Recurring schedules

One-time schedules: effective once, for the period of time specified in the schedule.
Firewall > Schedule > One-time > Create New
Recurring schedules: repeat weekly for an indefinite period of time; effective at specified times of the day or week.
Firewall > Schedule > Recurring > Create New
Services

Services determine the types of communication accepted or denied by the firewall.
They control the opening and closing of ports.
The firewall has many predefined service objects.
Custom service objects can also be created.
A service group can be created, and then one policy can allow or block access for all the services in the group.

Predefined services

Custom services: a custom service can be added to create a policy for a service that is not in the predefined services list.
Service groups: groups of services can be created, and then one policy allows or blocks access for all the services in the group.
Firewall > Service > Group > Create New
NAT

Network Address Translation (NAT) hides private IP addresses and sends traffic out with a public IP address.
NAT is the process where a network device, usually a firewall, assigns a public address to a computer (or group of computers) inside a private network.
The main use of NAT is to limit the number of public IP addresses an organization or company must use, for economy.
NAT is widely used in residential networks; it is of two types, dynamic and static.

Policy sequence

The policy list is searched for a policy that matches the connection attempt.
The search starts at the top of the selected policy list and works down.
The first policy that matches is applied to the connection attempt.
If no policy matches, the connection attempt is dropped.
The policy list is matched on the source and destination addresses of the connection attempt.
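The address objects (subnet with netmask, IP range), a recurring schedule and the top-down first-match policy search with its implicit drop, as an added example (not from the slides or FortiGate; the class names, the schedule format and the sample addresses are assumptions):

```python
# Added example, not from the slides: address objects, a recurring schedule and
# first-match policy lookup. Class names and the schedule format are assumed.
import ipaddress
from datetime import datetime

class Subnet:
    """Subnet address, e.g. '192.168.20.1/255.255.255.255' or '0.0.0.0/0.0.0.0'."""
    def __init__(self, text):
        self.net = ipaddress.ip_network(text, strict=False)
    def __contains__(self, ip):
        return ipaddress.ip_address(ip) in self.net

class IPRange:
    """IP range address, e.g. 192.168.20.1 to 192.168.20.10 (inclusive)."""
    def __init__(self, first, last):
        self.lo, self.hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    def __contains__(self, ip):
        return self.lo <= ipaddress.ip_address(ip) <= self.hi

class Recurring:
    """Recurring schedule: active on the given weekdays (0 = Monday) from start to end hour."""
    def __init__(self, days, start_hour, end_hour):
        self.days, self.start, self.end = set(days), start_hour, end_hour
    def active(self, when):
        return when.weekday() in self.days and self.start <= when.hour < self.end

class Policy:
    def __init__(self, src, dst, service, action, schedule=None):
        self.src, self.dst = src, dst            # address objects
        self.service = service                   # (proto, port) or None for any service
        self.action, self.schedule = action, schedule
    def matches(self, src_ip, dst_ip, service, when):
        if self.schedule is not None and not self.schedule.active(when):
            return False                         # inactive schedule: policy is skipped
        return (src_ip in self.src and dst_ip in self.dst
                and (self.service is None or self.service == service))

def lookup(policies, src_ip, dst_ip, service, when=None):
    """Search the policy list top-down; the first match decides, otherwise drop."""
    when = when or datetime.now()
    for pol in policies:
        if pol.matches(src_ip, dst_ip, service, when):
            return pol.action
    return "deny"   # no policy matched: the connection attempt is dropped
```

Because the search stops at the first match, a broad accept placed above a specific deny silently disables the deny; order the list with the specific entries first.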
Virtual IP

A virtual IP is an IP address that is shared among multiple domain names or multiple servers.
Virtual IPs are also widely used to balance incoming traffic across multiple servers.
Virtual IPs are used to allow connections to the FortiGate unit using network address translation (NAT) firewall policies.
By using a VIP we can access our system from outside.
A VIP creates a bi-directional translation between an internal IP and an external IP.
Port forwarding can be used to alter the source or destination ports.

Create port forward
Enable port forwarding
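The bi-directional VIP translation with optional port forwarding, showing both the inbound rewrite and the reverse rewrite of the internal host's reply, as an added example (not from the slides or FortiGate; the class names, addresses and ports are assumptions):

```python
# Added example, not from the slides: a virtual IP (VIP) with optional port forwarding.
# Addresses and ports used with it are constructed for illustration.
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Conn:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class VirtualIP:
    external_ip: str
    internal_ip: str
    external_port: Optional[int] = None   # None: plain 1:1 address mapping, no port forward
    internal_port: Optional[int] = None

    def inbound(self, c):
        """Translate a packet arriving at the VIP to the internal host; None if not claimed."""
        if c.dst != self.external_ip:
            return None
        if self.external_port is None:
            return replace(c, dst=self.internal_ip)
        if c.dport != self.external_port:
            return None   # with port forwarding the VIP only claims the forwarded port
        return replace(c, dst=self.internal_ip, dport=self.internal_port)

    def outbound(self, c):
        """Reverse translation for the internal host's reply: source becomes the VIP."""
        if c.src != self.internal_ip:
            return None
        if self.external_port is None:
            return replace(c, src=self.external_ip)
        if c.sport != self.internal_port:
            return None
        return replace(c, src=self.external_ip, sport=self.external_port)
```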
Traffic shaper

Traffic shaping is used to allocate and control bandwidth for network performance.
Once included in a firewall policy, a traffic shaper controls the bandwidth available to that policy's traffic.
It sets the priority of traffic processed by the policy to control the volume of traffic for a specific period.
It is applied at the network edges to control traffic entering the network.
It is effective for normal IP traffic at normal rates; it is not effective at extremely high traffic levels.

Firewall authentication protocols

The firewall allows authentication on the following protocols:
HTTP/HTTPS
FTP
Telnet
The default authentication timeout is 15 minutes.