Showing posts with label Fortigate.

Tuesday, April 21, 2015

Fortigate -- VIP Service Port vs. Policy Service

Important Concept

The service on a firewall policy defines which protocol and port the policy matches between the source interface and the destination interface. That is straightforward when a standard service is used between two interfaces, but it is easy to get wrong when a VIP translates the destination port (port forwarding) and a custom service is then placed on the policy: the policy is evaluated after the VIP's destination NAT, so the service has to match the mapped (internal) port, not the external one.

Scenario

We host a web server internally and need to publish it to the Internet on a static WAN IP address, without using the standard HTTP and HTTPS ports on the Internet side.

Conditions (all values below are placeholders)

  • Web Server Internal IP: 192.168.1.10
  • Web Server Internal Service Port: HTTP(80), HTTPS(443)
  • Web Service Internet IP: 8.8.8.9
  • Web Service Internet Port: HTTP(9980), HTTPS(9443)

Initial Configuration

  1. Create new Virtual IPs (VIP), one per forwarded port
    config firewall vip
        edit "Web Service HTTP"
            set extip 8.8.8.9
            set extintf "WAN"
            set portforward enable
            set mappedip 192.168.1.10
            set extport 9980
            set mappedport 80
        next
        edit "Web Service HTTPS"
            set extip 8.8.8.9
            set extintf "WAN"
            set portforward enable
            set mappedip 192.168.1.10
            set extport 9443
            set mappedport 443
        next
    end
  2. Create Custom Services for the external ports
    config firewall service custom
        edit "TCP_9980"
            set protocol TCP/UDP/SCTP
            set tcp-portrange 9980
        next
        edit "TCP_9443"
            set protocol TCP/UDP/SCTP
            set tcp-portrange 9443
        next
    end
  3. Create Firewall Policy
    config firewall policy
        edit 72
            set srcintf "WAN"
            set dstintf "Internal"
            set srcaddr "all"
            set dstaddr "Web Service HTTP" "Web Service HTTPS"
            set action accept
            set schedule "always"
            set service "TCP_9980" "TCP_9443"
            set logtraffic enable
        next
    end

Issue with the Initial Configuration

After this setup, connections from the Internet to the custom ports failed. Why?
Refer back to the concept at the top: the service on a firewall policy is matched between the source interface and the destination interface, after the VIP has translated the destination. Internet users must connect to 8.8.8.9 on the custom ports 9980 and 9443, but by the time the policy between "WAN" and "Internal" is evaluated the VIP has already rewritten the destination to 192.168.1.10 port 80 or 443. The services TCP_9980 and TCP_9443 never match those ports, so the session falls through to the implicit deny. The custom service objects are not needed at all; the VIP's extport already limits what is accepted on the outside. To see which port the policy lookup actually compares, run diagnose debug flow while testing from the Internet.

Corrected Configuration

3. Create Firewall Policy (service = the mapped ports)
config firewall policy
    edit 72
        set srcintf "WAN"
        set dstintf "Internal"
        set srcaddr "all"
        set dstaddr "Web Service HTTP" "Web Service HTTPS"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic enable
    next
end

Schematic diagram (image not reproduced here)

Wednesday, March 25, 2015

Fortigate -- How to allow internal users access to VIP (Public IP address)

Description

====================
Users need to access services that are hosted internally and published to the Internet via a VIP (Virtual IP).

Issue

====================
Users can reach the service by its internal IP address but cannot reach it on the external (public) IP address while they are in the office on the internal network.

Cases

====================

Case 1: Users and the server are on the same FortiGate port.


Solution (Case 1):
Firewall VIP
    When configuring the VIP, the external interface must be set to "any":
    config firewall vip
        edit "Server1"
            set extip 67.2.22.22
            set extintf "any"               <<< "any" is required so the VIP also matches on port1, not only on WAN
            set mappedip 172.18.10.1
        next
    end

Firewall Policy
    1. Allow WAN to port1 and port1 to port1
    config firewall policy
        edit 4
            set srcintf "WAN"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "Server1"
            set action accept
            set schedule "always"
            set service "ANY"
        next
        edit 3
            set srcintf "port1"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "Server1"
            set action accept
            set schedule "always"
            set service "ANY"
        next
    end

    If the clients and the server are on the same subnet behind port1, also enable NAT on policy 3 (set nat enable) so that the server's reply goes back through the FortiGate; otherwise the server answers the client directly from 172.18.10.1, the client sees a reply from an address it never contacted and drops the session.

Note: In my case, I completed the configuration above but users still could not reach the external services via the VIP.
         After reviewing my network topology: all internal routing is done on the core switch, so the FG does not know which subnets exist internally. I needed to add a policy route on the FG telling it that when a packet comes in on port1 and needs to reach another subnet, it should forward the packet out port1 for routing. That was all; everything worked like a charm.


Case 2: Users and the server are on different FortiGate ports.


Solution (Case 2):
Firewall VIP
    When configuring the VIPs, the external interface must be set to "any":
    config firewall vip
        edit "Server1"
            set extip 67.2.22.22
            set extintf "any"               <<< "any" is required
            set mappedip 172.18.10.1
        next
        edit "Server2"
            set extip 67.2.22.23
            set extintf "any"               <<< "any" is required
            set mappedip 172.18.50.1
        next
    end

Firewall Policy
    1. Allow "WAN to port1", "WAN to port3", "port1 to port1" and "port1 to port3"
    config firewall policy
        edit 4
            set srcintf "WAN"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "Server1"
            set action accept
            set schedule "always"
            set service "ANY"
        next
        edit 3
            set srcintf "port1"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "Server1"
            set action accept
            set schedule "always"
            set service "ANY"
        next
        edit 5
            set srcintf "WAN"
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "Server2"
            set action accept
            set schedule "always"
            set service "ANY"
        next
        edit 6
            set srcintf "port1"
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "Server2"
            set action accept
            set schedule "always"
            set service "ANY"
        next
    end


Reference Fortigate KB:
Technical Note : How internal users can access internal resources via an external VIP (public IP address)
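Both rules can be checked mechanically against a configuration backup: the service on a policy must match the VIP's mapped port (the April 21 post above), and a policy whose source and destination interface are the same needs a VIP with extintf "any" (this post). The Python script below is an added example, not Fortinet's code and not from the original posts. It parses the config / edit / set / next / end layout of a FortiOS backup and reports policies that can never match. The embedded sample configuration is constructed from the placeholder values of the two posts; treating a service name that is absent from the dump (a built-in such as HTTP in a partial backup) as "any port" is an assumption of this script, not FortiOS behaviour.

```python
"""Lint a FortiOS config for the two VIP pitfalls in the posts above: a policy whose
service matches the VIP's external port instead of its mapped port, and a hairpin policy
whose VIP is not bound to extintf "any". Added example; the sample config is constructed."""
import shlex
from collections import defaultdict

SAMPLE_CONFIG = """\
config firewall vip
    edit "Web Service HTTP"
        set extintf "WAN"
        set portforward enable
        set extport 9980
        set mappedport 80
    next
    edit "Server1"
        set extintf "WAN"
        set mappedip 172.18.10.1
    next
end
config firewall service custom
    edit "HTTP"
        set tcp-portrange 80
    next
    edit "TCP_9980"
        set tcp-portrange 9980
    next
end
config firewall policy
    edit 72
        set srcintf "WAN"
        set dstintf "Internal"
        set dstaddr "Web Service HTTP"
        set service "TCP_9980"
    next
    edit 3
        set srcintf "port1"
        set dstintf "port1"
        set dstaddr "Server1"
        set service "ALL"
    next
end
"""

def parse_fortios(text):
    """Top-level 'config <table>' blocks -> {table: {entry: {key: [values]}}}; nested tables skipped."""
    tables = defaultdict(dict)
    stack = []  # one [table, current_entry] frame per open "config"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and the #config-version header
            continue
        cmd, *args = shlex.split(line)        # shlex keeps quoted names such as "Web Service HTTP" whole
        if cmd == "config":
            stack.append([" ".join(args), None])
        elif cmd == "edit":
            stack[-1][1] = args[0]
            if len(stack) == 1:
                tables[stack[0][0]].setdefault(args[0], {})
        elif cmd == "set" and len(stack) == 1 and stack[0][1] is not None:
            tables[stack[0][0]][stack[0][1]][args[0]] = args[1:]
        elif cmd == "next":
            stack[-1][1] = None
        elif cmd == "end":
            stack.pop()
    return tables

def port_set(spec):
    """'80', '9980-9990' or '8080:1024-65535' -> set of destination ports (source range after ':' ignored)."""
    ports = set()
    for item in spec:
        lo, _, hi = item.split(":")[0].partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def service_ports(name, services):
    """TCP ports a service matches; None = any port (ALL/ANY, or a built-in absent from the dump)."""
    if name in ("ALL", "ANY") or name not in services:
        return None
    return port_set(services[name].get("tcp-portrange", []))

def lint(config_text):
    """One finding per policy/VIP combination that can never pass traffic."""
    cfg = parse_fortios(config_text)
    vips, services, findings = cfg.get("firewall vip", {}), cfg.get("firewall service custom", {}), []
    for pid, pol in cfg.get("firewall policy", {}).items():
        for vip_name in pol.get("dstaddr", []):
            if (vip := vips.get(vip_name)) is None:
                continue  # ordinary address object, not a VIP
            if pol.get("srcintf") == pol.get("dstintf") and vip.get("extintf", ["any"])[0] != "any":
                findings.append(f"policy {pid}: hairpin via VIP {vip_name} needs 'set extintf any'")
            if vip.get("portforward", ["disable"])[0] != "enable":
                continue  # no port translation, so the VIP does not change the service port
            mapped, ext = port_set(vip["mappedport"]), port_set(vip["extport"])
            for svc in pol.get("service", []):
                ports = service_ports(svc, services)
                if ports is None or ports & mapped:
                    continue  # matches the post-DNAT port: fine
                hint = " (that is the external port)" if ports & ext else ""
                findings.append(f"policy {pid}: service {svc} never matches mapped port "
                                f"{sorted(mapped)} of VIP {vip_name}{hint}")
    return findings
```

Run lint(open("backup.conf").read()) against a real backup; on the sample it reports policy 72 (service on the external port) and policy 3 (hairpin VIP bound to WAN), and both findings disappear once the service is changed to HTTP and the VIP to extintf any.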

Wednesday, January 20, 2010

Fortigate -- How to format boot device and reinstall firmware

This post lists the prerequisites and the steps to format the boot device and reinstall the firmware and configuration.

Prerequisites
1. Console cable.
2. Terminal program.
3. Latest firmware image, downloaded from the Fortinet support site; verify its checksum against the value published there before loading it.
4. TFTP server.
5. Static IP on the PC running the TFTP server (192.168.1.168/24 suggested).
6. Backup of the current configuration; formatting the boot device erases it.
7. Allow TFTP (UDP port 69) through any host firewall on the PC.
8. Serial port settings:
    Baud Rate: 9600
    Data: 8
    Parity: none
    Stop: 1
    Flow Control: none

Formatting the boot device (takes about 30 seconds)
Reboot the unit (or unplug and re-plug the power cord) and interrupt the boot process when the console shows "press any key ..." to enter the boot menu. Select "F" to format the boot device. If no error occurs, continue with loading the firmware.

Installing the firmware (takes about 8.5 minutes)
From the boot menu, select "G" to download the firmware from the TFTP server.
1. Enter the IP address of the TFTP PC set in the prerequisites (can be changed if needed).
2. Enter a local IP address for the FortiGate; it must be in the same subnet as the PC.
3. Enter the firmware file name on the TFTP server (e.g. image.out).
4. After the firmware has been loaded, save it as the default firmware by pressing "D".
(screenshot omitted)
5. When the process completes, the unit restarts.

Restoring the configuration (takes about 1 minute 45 seconds)
1. Log on with the default account (admin) and a blank password. Until the configuration is restored the unit accepts that blank password, so keep it on the isolated segment used for the TFTP transfer.
2. Run the command:
    execute restore config tftp FG-FW_20100120.conf 192.168.1.168
3. After the configuration has been downloaded, the unit restarts with the original configuration.

Thursday, December 24, 2009

Fortigate -- Set up automatic VPN initiation from the Fortigate dialup unit

As posted before, we replaced the firewall in the Shanghai office with a Fortigate 60B, which uses two dynamic PPPoE DSL links for Internet and VPN. Everything works smoothly, but we found that the VPN tunnel is not created automatically: it needs traffic from the dialup side to bring it up and cannot be initiated by the dialup server. So if users behind the dialup server need to reach resources behind the dialup client while the tunnel is down, the access fails. That is annoying.
To solve this, enable auto-negotiate on the phase2 of the Fortigate dialup client through the CLI.
Example configuration:
========================================
config vpn ipsec phase2
    edit "VPN_IKE"
        set auto-negotiate enable
        set keepalive enable
        set phase1name "VPN"
        set proposal aes128-sha1
        set dhgrp 1
        set dst-subnet 192.168.11.0 255.255.255.0
        set src-subnet 192.168.22.0 255.255.255.0
    next
end
========================================
After enabling auto-negotiate on the phase2, the tunnel is brought up automatically and users can reach remote resources through it without first generating traffic from the client side. Note that the proposal above (aes128-sha1 with DH group 1) reflects what was in use in 2009; DH group 1 (768-bit MODP) is far too weak today, so on current firmware use group 14 or higher and an SHA-2 integrity algorithm on both peers.

Wednesday, December 23, 2009

Fortigate -- Set up an LDAP server for SSL-VPN client authentication on Fortigate

Our offices are in three locations and each provides SSL-VPN for mobile users to reach office resources. We were using local user accounts on each Fortigate for SSL-VPN client authentication, so a user who needs access to all three offices' VPNs needs three accounts. That is not smart.
To simplify the process and centralize authentication, I decided to use Windows 2008 AD as the LDAP server and configure LDAP authentication on the three Fortigates to reduce the management effort.

On Windows 2008:
1. Create a group in AD for SSL VPN clients (SSLVPN Group).
2. Create an account in AD and make it a member of "SSLVPN Group".

On Fortigate:
3. User -> Remote, on the LDAP tab, click the "Create New" icon.
4. Fill in the fields (example below):
- Name: SSLVPN Client
- Server Name/IP: 192.168.2.2
- Server Port: 389 (default)
- Common Name Identifier: sAMAccountName (any AD account attribute can be chosen,
  e.g. cn or userPrincipalName)
- Distinguished Name:
  ex1: ou=TPE,dc=ppp,dc=corp (only accounts under the "TPE" OU, including its sub-OUs, can authenticate;
          accounts in a parent or sibling OU or container are rejected)
  ex2: dc=ppp,dc=corp (accounts anywhere under the domain can authenticate;
           combine this with the group restriction described in the Note below)
- Bind Type: Regular
- Filter: (&(objectcategory=group)(member=*)) <-- default value
- User DN: cn=user1,ou=users,ou=tpe,dc=ppp,dc=corp (the bind account the Fortigate uses to search AD;
   it only needs read access, so do not use a privileged account)
- Password: the bind account's password
- Secure Connection: not selected

With Secure Connection not selected, the bind account's password and every VPN user's password cross the network in cleartext on port 389. On anything but an isolated lab network, enable LDAPS (port 636) or STARTTLS and install the AD CA certificate on the Fortigate so the server certificate is verified.

Note:
Because we need a group to restrict which accounts may use SSL VPN, one more setting must be added on the Fortigate through the CLI. The object name must match the LDAP server created in the GUI:
config user ldap
    edit "SSLVPN Client"
        set group "cn=SSLVPN Group,ou=Permission_Group,ou=TPE,dc=ppp,dc=corp"
    next
end

Refer to the document:
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=13141&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=1326745&stateId=0%200%201324960
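To make the difference between the two Distinguished Name examples and the effect of the group restriction concrete, here is an added Python model of the checks the Fortigate performs for a regular bind: search the subtree under the Distinguished Name for the account, bind as the entry found, then require membership in the group from set group. This is example code written for this page, not FortiOS code and not from the original post; the in-memory directory, the accounts user2 and user3, the ou=SHA container, the userPrincipalName value and all passwords are constructed, and escaped commas inside DN values are not handled.

```python
"""Model the two checks a FortiGate LDAP server object applies to an SSL-VPN login:
the account must sit in the subtree under the configured Distinguished Name, and, when
'set group' is configured, be a member of that group. Added illustration against a
constructed in-memory directory; it does not reproduce FortiOS's own LDAP client."""
import hmac

# Constructed directory: DN -> attributes. user3 lives outside ou=TPE on purpose,
# and its memberOf value is written in upper case to show that DN matching is case-insensitive.
DIRECTORY = {
    "cn=user1,ou=users,ou=TPE,dc=ppp,dc=corp": {
        "sAMAccountName": "user1", "userPrincipalName": "user1@ppp.corp", "password": "Passw0rd-1",
        "memberOf": ["cn=SSLVPN Group,ou=Permission_Group,ou=TPE,dc=ppp,dc=corp"]},
    "cn=user2,ou=users,ou=TPE,dc=ppp,dc=corp": {
        "sAMAccountName": "user2", "password": "Passw0rd-2", "memberOf": []},
    "cn=user3,ou=users,ou=SHA,dc=ppp,dc=corp": {
        "sAMAccountName": "user3", "password": "Passw0rd-3",
        "memberOf": ["CN=SSLVPN Group,OU=Permission_Group,OU=TPE,DC=ppp,DC=corp"]},
}
SSLVPN_GROUP = "cn=SSLVPN Group,ou=Permission_Group,ou=TPE,dc=ppp,dc=corp"  # the 'set group' value


def normalize_dn(dn):
    """'CN=User1, OU=Users,...' -> [('cn', 'user1'), ('ou', 'users'), ...].
    Attribute types and values are compared case-insensitively, as AD does;
    escaped commas inside values are not handled in this simplified parser."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def in_subtree(entry_dn, base_dn):
    """True if entry_dn equals base_dn or lies anywhere below it (LDAP subtree scope)."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def authenticate(username, password, base_dn, cn_identifier="sAMAccountName", group_dn=None):
    """Mimic the regular-bind flow: search base_dn for cn_identifier=username, bind as the
    entry found, then enforce the optional group restriction. Returns (ok, reason_or_dn)."""
    matches = [dn for dn, attrs in DIRECTORY.items()
               if attrs.get(cn_identifier, "").lower() == username.lower()
               and in_subtree(dn, base_dn)]
    if len(matches) != 1:
        return False, "no unique account under the Distinguished Name"
    entry = DIRECTORY[matches[0]]
    if not hmac.compare_digest(entry["password"], password):  # stands in for the LDAP simple bind
        return False, "bind failed"
    if group_dn and normalize_dn(group_dn) not in map(normalize_dn, entry["memberOf"]):
        return False, "not a member of the required group"
    return True, matches[0]
```

With base ou=TPE,dc=ppp,dc=corp (ex1) user3 is rejected before the bind is even attempted, because its DN is not under that OU; with base dc=ppp,dc=corp (ex2) it is found, and the group restriction then decides: user3 passes, user2 fails.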

Fortigate -- 60B with two PPPoE links (dynamic IP and gateway) building IPSec VPNs

We have two PPPoE links with dynamic IP addresses in the Shanghai office. Previously we used a DrayTek Vigor2950 as the firewall and built IPSec VPNs to the other offices (Taipei, Hangzhou and San Jose); those connections worked normally.
Recently we purchased a Fortigate 60B to replace the Vigor2950 as the firewall in the Shanghai office, so I had to set up the FG 60B to build VPN tunnels to the other offices over the two PPPoE links.

To Hangzhou and San Jose need go through WAN1
To Taipei and IDC need go through WAN2

I ran into issues with the default gateway because both links use dynamic IPs with dynamic gateways, so I cannot configure a fixed default route on the FG. Without it, hosts had no routing information for the remote networks: users could access the Internet but not remote resources. After some research and reading of documents, I found the solution below and it works as required.

This memo focuses on how to create the VPN tunnels and the routing needed to reach the other offices' resources over the two PPPoE links. It does not cover every configuration step in detail.

Shanghai FG:
1. Create address objects for each office network.
2. Create VPN Phase1 and Phase2.
For Phase1, note the following:
※ The pre-shared key must be identical on both VPN peers.
※ Because the FG VPN will not dial automatically and drops the tunnel when no traffic passes through it, "Dead Peer Detection" must be selected. With dynamic PPPoE addresses this also lets the FG notice a peer that has reconnected with a new IP, so the stale tunnel is torn down and renegotiated instead of hanging.

For Phase2:
※ To keep the SA up without user traffic, "Autokey Keep Alive" must be enabled.

3. Create Firewall Policy (screenshot omitted)

4. Create Policy Route
This is the important part that needs attention.
(If you skip it, you may connect to the remote VPN gateway but cannot reach any host behind the remote VPN unit.)
Because there is no fixed gateway to put in a static route, I used policy routes to steer each flow to the correct WAN port.

For example, to send traffic for a remote subnet out through WAN1:
On the edit page, select "Internal" as the incoming interface and leave the source address at its default.
Enter the remote subnet as the destination address. For the outgoing interface, select WAN1 and leave the gateway blank (0.0.0.0); the FG then uses the gateway currently learned on that PPPoE interface.

Once all the configuration is done, verify the VPN connection and enjoy your VPN over PPPoE.