Update docs/tech_docs/firewalls.md
@@ -1,3 +1,170 @@
---

Certainly! Let's consider a more complex, real-world enterprise scenario and compare the configuration steps for Palo Alto Networks and Fortinet FortiGate firewalls.

Scenario:
- The enterprise has multiple web servers hosting different applications, each requiring inbound HTTPS access (port 443) from specific source networks.
- The web servers are located in a DMZ network (192.168.10.0/24) behind the firewall.
- The firewall should perform NAT to translate public IP addresses to the respective web servers' private IP addresses.
- The firewall should enforce security policies to inspect HTTPS traffic for potential threats and apply application-specific rules.

Solution 1: Palo Alto Networks

Step 1: Configure NAT rules for each web server.
```
set rulebase nat rules
set name "NAT_Web_Server_1"
set source any
set destination <public_IP_1>
set service any
set translate-to <web_server_1_private_IP>

set rulebase nat rules
set name "NAT_Web_Server_2"
set source any
set destination <public_IP_2>
set service any
set translate-to <web_server_2_private_IP>
```

Step 2: Create security zones and assign interfaces.
```
set network interface ethernet1/1 layer3 interface-management-profile none zone untrust
set network interface ethernet1/2 layer3 interface-management-profile none zone dmz
set zone dmz network layer3 [ ethernet1/2 ]
```

Step 3: Define security policies for each web server.
```
set rulebase security rules
set name "Allow_HTTPS_Web_Server_1"
set from untrust
set to dmz
set source <allowed_source_network_1>
set destination <public_IP_1>
set application ssl
set service application-default
set action allow
set profile-setting profiles virus default spyware default vulnerability default url-filtering default

set rulebase security rules
set name "Allow_HTTPS_Web_Server_2"
set from untrust
set to dmz
set source <allowed_source_network_2>
set destination <public_IP_2>
set application ssl
set service application-default
set action allow
set profile-setting profiles virus default spyware default vulnerability default url-filtering default
```

Step 4: Configure SSL decryption and inspection.
```
set rulebase decryption rules
set name "SSL_Inspect_Web_Servers"
set action no-decrypt
set source any
set destination [ <public_IP_1> <public_IP_2> ]
set service ssl
```

In this Palo Alto Networks solution, NAT rules are configured for each web server to translate the public IP addresses to their respective private IP addresses. Security zones are created, and interfaces are assigned to segregate the untrust (Internet-facing) and DMZ networks. Security policies are defined for each web server, specifying the allowed source networks, destination IP addresses, and applications (SSL). The policies also apply default security profiles for threat prevention. SSL decryption rules are configured to inspect the HTTPS traffic for potential threats.

Solution 2: Fortinet FortiGate

Step 1: Configure firewall addresses for the web servers.
```
config firewall address
edit "Web_Server_1"
set subnet 192.168.10.10/32
next
edit "Web_Server_2"
set subnet 192.168.10.20/32
next
end
```

Step 2: Configure virtual IPs (VIPs) for each web server.
```
config firewall vip
edit "VIP_Web_Server_1"
set extip <public_IP_1>
set mappedip "Web_Server_1"
set extintf "port1"
set portforward enable
set extport 443
set mappedport 443
next
edit "VIP_Web_Server_2"
set extip <public_IP_2>
set mappedip "Web_Server_2"
set extintf "port1"
set portforward enable
set extport 443
set mappedport 443
next
end
```

Step 3: Create firewall policies for each web server.
```
config firewall policy
edit 1
set name "Allow_HTTPS_Web_Server_1"
set srcintf "port1"
set dstintf "dmz"
set srcaddr <allowed_source_network_1>
set dstaddr "VIP_Web_Server_1"
set action accept
set service "HTTPS"
set ssl-ssh-profile "deep-inspection"
set nat enable
next
edit 2
set name "Allow_HTTPS_Web_Server_2"
set srcintf "port1"
set dstintf "dmz"
set srcaddr <allowed_source_network_2>
set dstaddr "VIP_Web_Server_2"
set action accept
set service "HTTPS"
set ssl-ssh-profile "deep-inspection"
set nat enable
next
end
```

Step 4: Configure SSL deep inspection.
```
config firewall ssl-ssh-profile
edit "deep-inspection"
set comment "SSL deep inspection"
set ssl inspect-all
set untrusted-caname "Fortinet_CA_SSL"
next
end
```

In the Fortinet FortiGate solution, firewall addresses are defined for each web server. Virtual IPs (VIPs) are configured to map the public IP addresses to the respective web server addresses and specify the port translation. Firewall policies are created for each web server, allowing HTTPS traffic from specific source networks to the corresponding VIPs. The policies also enable NAT and apply an SSL deep inspection profile to examine the encrypted traffic for threats.

Comparison:
Both Palo Alto Networks and Fortinet FortiGate offer robust security features and granular control for managing inbound HTTPS traffic in an enterprise environment. However, there are differences in their configuration approaches and terminology.

Palo Alto Networks uses a zone-based approach, where security zones are created, and interfaces are assigned to them. NAT rules and security policies are configured separately, allowing for more flexibility and control over traffic flows. Palo Alto Networks also provides a comprehensive set of security profiles for threat prevention.

Fortinet FortiGate, on the other hand, uses a more integrated approach with firewall addresses, VIPs, and firewall policies. VIPs combine the NAT configuration with the firewall rules, simplifying the setup. Firewall policies define the allowed traffic flow and include security features like SSL deep inspection.

Both firewalls offer advanced security features, such as SSL decryption and inspection, to detect and prevent threats in encrypted traffic. They also provide granular control over source and destination networks, applications, and services.

When choosing between Palo Alto Networks and Fortinet FortiGate for an enterprise environment, factors like the organization's security requirements, existing network infrastructure, ease of management, and integration with other security tools should be considered.

In summary, this real-world enterprise scenario demonstrates the configuration steps for allowing inbound HTTPS traffic to multiple web servers using Palo Alto Networks and Fortinet FortiGate firewalls. While both firewalls provide comprehensive security features, their configuration approaches and terminology differ, reflecting their unique architectures and philosophies.

---

Certainly! Here's a reference guide for how each OEM (Cisco ASA, Fortinet FortiGate, Palo Alto Networks, and Cisco Meraki MX) performs the core firewall tasks (traffic filtering, NAT, VPN, and threat prevention) via CLI:

1. Traffic Filtering

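Review bot: The Palo Alto decryption rule in Step 4 sets `set action no-decrypt`, which explicitly excludes the two web server IPs from decryption, so the virus/spyware/vulnerability profiles attached in Step 3 only ever see ciphertext; this contradicts the summary paragraph ("SSL decryption rules are configured to inspect the HTTPS traffic"). For inbound connections to servers the enterprise owns, the rule should use `set action decrypt` with the ssl-inbound-inspection type and the web servers' own certificate and private key imported on the firewall, which inspects without re-signing the session. The FortiGate side has the mirror-image problem: the policies apply the built-in `deep-inspection` profile, which re-signs server certificates with `Fortinet_CA_SSL`, so external browsers connecting to the VIPs would receive a firewall-issued certificate instead of the servers' public one; for inbound traffic the profile should use server certificate replacement with the real server certificate (FortiGate's protecting-SSL-server mode). Two smaller points in the same hunk: the PAN-OS NAT rules use `set service any` although the scenario limits inbound access to port 443, so every destination port is forwarded to the web servers and only the security policy stands in the way, whereas a tcp/443 service object on the NAT rule keeps the exposure bounded at both layers; and the PAN-OS snippets are not valid set syntax (`set rulebase nat rules` followed by a separate `set name ...`, `set translate-to` is not a PAN-OS keyword, the NAT rules specify no from/to zones, and on the FortiGate side `inspect-all` is a setting under `config ssl` inside the profile rather than `set ssl inspect-all`), so either label the blocks as pseudo-configuration or replace them with commands captured from a working device. Finally, the two "Certainly! ..." openers are chat-response filler that should not ship in docs, and the closing "1. Traffic Filtering" heading has no body.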