Add interface in existing firewall ruleset

Author
skogaren
New Member
  • Total Posts : 4
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/12/07 02:24:24
  • Status: offline
2019/12/07 02:38:27
0

Add interface in existing firewall ruleset

Hello,
Currently our Fortigate 500E has many vlan interfaces.
The vlan interfaces are divided into zones in the firewall ruleset, for example:
ZONE-CLIENT
- vlan interface/subnet where we have the internal PC clients.
ZONE-SERVER
- vlan interface/subnet where we have the internal servers.

Here's an example of a firewall rule and how it looks in the CLI of the Fortigate.
SOURCE
192.168.1.0/24
DESTINATION
192.168.10.100,192.168.10.101
PROTOCOL/PORT
TCP/80
---
config firewall policy
edit 25
set name "CLIENT HTTP TRAFFIC"
set srcintf "ZONE_CLIENT"
set dstintf "ZONE_SERVER"
set srcaddr "ADDR_NET_192.168.1.0"
set dstaddr "ADDR_SRV_192.168.10.100" "ADDR_SRV_192.168.10.101"
set action accept
set schedule "always"
set service "HTTP"
next
end
---
We are in the process of migrating routing from the Fortigate firewall to a Cisco core switch.
The Fortigate will still be used as a firewall, and the VLAN interfaces with their corresponding IP ranges will be created on the new core switch.
 
We have created a vlan interface on the core switch and Fortinet to use as a link-net between the core switch and firewall.
 
Can I add the new vlan interface as the incoming interface and can it co-exist with the same zone?
 
Like this?
---
config firewall policy
edit 25
set name "CLIENT HTTP TRAFFIC"
set srcintf "ZONE_CLIENT" "INTERFACE-LINKNET"
set dstintf "ZONE_SERVER"
set srcaddr "ADDR_NET_192.168.1.0"
set dstaddr "ADDR_SRV_192.168.10.100" "ADDR_SRV_192.168.10.101"
set action accept
set schedule "always"
set service "HTTP"
next
end
---
Or do I have to create a zone for that link-net and build a copy of the existing firewall ruleset?
 
Kind regards,
 
#1
Toshi Esumi
Expert Member
  • Total Posts : 2177
  • Scores: 215
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: Add interface in existing firewall ruleset 2019/12/07 11:25:51
0
You can try it to see the effect. It would break "Interface Pair View" in policy GUI then show them as "By Sequence". You can always go back if you didn't like it.
To me, creating a new policy with the new interface is much easier in the next step: just "del 25" in the policies.
#2
skogaren
New Member
Re: Add interface in existing firewall ruleset 2019/12/07 21:47:52
0
OK, I agree that it is better to create a new policy. I am new at Fortigate but I think that I would first clone the existing rule and then edit it and replace the zone with the interface?
 
There are about 100 policies that need to be edited, so any tips are gladly appreciated.
 
Kind regards,
#3
Toshi Esumi
Expert Member
Re: Add interface in existing firewall ruleset 2019/12/08 10:19:50 (marked helpful by skogaren 2019/12/08 11:55:04)
0
If you have that many policies to migrate to the new circuit, I don't recommend using GUI. Just dump the policies into a text editor, replace the zone name with the new interface name, then change all "edit N" to "edit 0". Then paste them back into "config firewall policy".
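The text-editor procedure above (dump the policies, swap the zone name for the new interface name, reset every "edit N" to "edit 0", paste back) is mechanical enough to script. The following is an added example, not code from the thread or from Fortinet: it parses a policy dump in the shape the original post shows, clones only the policies that reference the old zone in the chosen field(s), and leaves dstintf untouched by default, which is what the poster wants for a source-side migration. The sample dump and the policy names in it are constructed for the example.

```python
import re

# Constructed sample dump in the shape the thread shows (not from a real device).
SAMPLE_DUMP = """config firewall policy
edit 25
set name "CLIENT HTTP TRAFFIC"
set srcintf "ZONE_CLIENT"
set dstintf "ZONE_SERVER"
set srcaddr "ADDR_NET_192.168.1.0"
set dstaddr "ADDR_SRV_192.168.10.100" "ADDR_SRV_192.168.10.101"
set action accept
set schedule "always"
set service "HTTP"
next
edit 26
set name "SERVER TO INTERNET"
set srcintf "ZONE_SERVER"
set dstintf "wan1"
set srcaddr "ADDR_SRV_192.168.10.100"
set dstaddr "all"
set action accept
set schedule "always"
set service "HTTPS"
next
end
"""

EDIT_RE = re.compile(r"^\s*edit\s+(\d+)\s*$")
INTF_RE = re.compile(r"^(\s*set\s+)(srcintf|dstintf)(\s+)(.*)$")
NAME_RE = re.compile(r'"([^"]*)"')


def _rewrite_block(block, old_zone, new_intf, fields):
    """Rewrite one 'edit N ... next' block. Returns (new_lines, changed)."""
    new_lines, changed = [], False
    for line in block:
        if EDIT_RE.match(line):
            # "edit 0" lets the FortiGate allocate a free policy ID on paste.
            new_lines.append("edit 0")
            continue
        m = INTF_RE.match(line)
        if m and m.group(2) in fields:
            names = NAME_RE.findall(m.group(4))
            if old_zone in names:
                names = [new_intf if n == old_zone else n for n in names]
                names = list(dict.fromkeys(names))  # de-duplicate, keep order
                line = m.group(1) + m.group(2) + m.group(3) + " ".join(f'"{n}"' for n in names)
                changed = True
        new_lines.append(line)
    return new_lines, changed


def rewrite_policies(dump, old_zone, new_intf, fields=("srcintf",)):
    """Clone every policy that references old_zone in `fields`, swapping the
    name and resetting the ID to 0. Policies that never reference the zone are
    dropped from the output so only the migrated copies get pasted back.
    Returns (config_text, number_of_cloned_policies)."""
    out, block, in_policy, cloned = [], [], False, 0
    for line in dump.splitlines():
        if not in_policy:
            if EDIT_RE.match(line):
                in_policy, block = True, [line]
            elif line.strip() in ("config firewall policy", "end"):
                out.append(line)  # keep the wrapper so the text pastes as-is
            continue
        block.append(line)
        if line.strip() == "next":
            in_policy = False
            new_block, changed = _rewrite_block(block, old_zone, new_intf, fields)
            if changed:
                out.extend(new_block)
                cloned += 1
    return "\n".join(out) + "\n", cloned


def policy_ids(text):
    """Policy IDs present in a config text (all 0 after rewriting)."""
    return [int(m.group(1)) for m in (EDIT_RE.match(l) for l in text.splitlines()) if m]


if __name__ == "__main__":
    text, n = rewrite_policies(SAMPLE_DUMP, "ZONE_CLIENT", "INTERFACE-LINKNET")
    print(f"{n} policy(ies) cloned for pasting under 'config firewall policy':")
    print(text)
```

Because every clone is created with "edit 0", the FortiGate appends the new policies at the bottom of the sequence; review the resulting order against any broad deny or catch-all policies before deleting the originals. Pass fields=("srcintf", "dstintf") when the zone being retired appears on both sides.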
#4
skogaren
New Member
Re: Add interface in existing firewall ruleset 2019/12/08 10:38:59
0
Thanks for the response!
 
I will go about as you suggested!
 
I have an additional question regarding zones. For example:
 
Will the traffic be dropped if we move both the client and modify the rule with the new interface but keep the zone as destination-interface?
 
Will the Fortigate only look at the destination ip address? 
 
config firewall policy
edit 25
set name "CLIENT HTTP TRAFFIC"
set srcintf "INTERFACE-LINKNET"
set dstintf "ZONE_SERVER"
set srcaddr "ADDR_NET_192.168.1.0"
set dstaddr "ADDR_SRV_192.168.10.100" "ADDR_SRV_192.168.10.101"
set action accept
set schedule "always"
set service "HTTP"
next
end
#5
Toshi Esumi
Expert Member
Re: Add interface in existing firewall ruleset 2019/12/08 10:56:04 (marked helpful by skogaren 2019/12/08 11:54:45)
0
You said to create a new VLAN interface for the new policies. And it's not in the current zone. So it's up to the Cisco L3 switch routing which interface the client traffic is routed toward. It can't be on both the zone and the interface at the same time. So it would hit only one side of the policy sets at a time.
#6
Toshi Esumi
Expert Member
Re: Add interface in existing firewall ruleset 2019/12/08 11:13:43 (marked helpful by skogaren 2019/12/08 11:54:43)
0
In other words, if [srcintf AND dstintf] don't match the traffic, FGTs wouldn't even look up the rest of the policy. Only matching ones would affect the traffic. Just create the new 100+ policies and test them. Then, once you've confirmed they work, you can delete all 100+ old config.
By the way, the new policy IDs would be much higher unless some lower IDs don't exist now because you deleted them in the past. That's the reason you should use only "edit 0" to create new policies in order to let the FGT figure out available policy IDs itself.
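The two replies above make one point that is easy to verify with a model: the FortiGate first decides the egress interface by routing, then considers only policies whose srcintf and dstintf both match the (ingress, egress) pair, so a client that the core switch now sends in via INTERFACE-LINKNET can never hit a policy whose srcintf is ZONE_CLIENT, even though its addresses still match. The following is an added, simplified simulation of that route-then-policy lookup, not FortiGate code and not from the thread; the zone membership, routing table, address objects and interface names (vlan10, vlan20, wan1) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: zones map to member interfaces; the link-net is in no zone.
ZONES = {
    "ZONE_CLIENT": {"vlan10"},
    "ZONE_SERVER": {"vlan20"},
}

# Constructed routing table as (prefix, egress interface); longest prefix wins.
# Servers stay behind the FortiGate's VLAN, clients are now reached via the core.
ROUTES = [
    ("192.168.10.0/24", "vlan20"),
    ("192.168.1.0/24", "INTERFACE-LINKNET"),
]

# Constructed address objects, named like the ones in the thread.
ADDRESSES = {
    "ADDR_NET_192.168.1.0": ["192.168.1.0/24"],
    "ADDR_SRV_192.168.10.100": ["192.168.10.100/32"],
    "ADDR_SRV_192.168.10.101": ["192.168.10.101/32"],
}


@dataclass
class Policy:
    id: int
    srcintf: tuple
    dstintf: tuple
    srcaddr: tuple
    dstaddr: tuple
    service: str


SERVERS = ("ADDR_SRV_192.168.10.100", "ADDR_SRV_192.168.10.101")
OLD_POLICY = Policy(25, ("ZONE_CLIENT",), ("ZONE_SERVER",), ("ADDR_NET_192.168.1.0",), SERVERS, "HTTP")
# The migrated clone: same addresses, srcintf swapped for the link-net interface.
NEW_POLICY = Policy(200, ("INTERFACE-LINKNET",), ("ZONE_SERVER",), ("ADDR_NET_192.168.1.0",), SERVERS, "HTTP")


def egress_interface(dst_ip, routes=ROUTES):
    """Longest-prefix route lookup: returns the egress interface or None."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, intf in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf)
    return best[1] if best else None


def intf_matches(policy_intfs, interface, zones=ZONES):
    """A policy interface entry matches a real interface directly, via zone
    membership, or when it is the wildcard 'any'."""
    return any(name == "any" or name == interface or interface in zones.get(name, ())
               for name in policy_intfs)


def addr_matches(policy_addrs, ip, book=ADDRESSES):
    ip = ipaddress.ip_address(ip)
    return any(name == "all" or any(ip in ipaddress.ip_network(p) for p in book[name])
               for name in policy_addrs)


def first_match(policies, ingress, src_ip, dst_ip, service):
    """ID of the first policy (in sequence) matching the flow, or None for the
    implicit deny. Interface pair is checked first, as the reply describes."""
    egress = egress_interface(dst_ip)
    for p in policies:
        if not (intf_matches(p.srcintf, ingress) and intf_matches(p.dstintf, egress)):
            continue  # wrong interface pair: the rest of the policy is never consulted
        if addr_matches(p.srcaddr, src_ip) and addr_matches(p.dstaddr, dst_ip) and p.service == service:
            return p.id
    return None


if __name__ == "__main__":
    flow = ("192.168.1.10", "192.168.10.100", "HTTP")
    print("old policy only, client via link-net:", first_match([OLD_POLICY], "INTERFACE-LINKNET", *flow))
    print("old + new, client via link-net:     ", first_match([OLD_POLICY, NEW_POLICY], "INTERFACE-LINKNET", *flow))
    print("old + new, client still on vlan10:  ", first_match([OLD_POLICY, NEW_POLICY], "vlan10", *flow))
```

Running both policy sets side by side during the cutover is safe in this model for the same reason the reply gives: a client VLAN is either routed by the FortiGate (ingress vlan10, matches the old policy) or by the core switch (ingress INTERFACE-LINKNET, matches only the new one), never both.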
#7
skogaren
New Member
Re: Add interface in existing firewall ruleset 2019/12/08 11:26:15
0
Thanks for the clarification and for your input. I will try to create the new policies and test it.
 
Kind regards,
#8