Update docs/tech_docs/firewalls.md
@@ -1,3 +1,94 @@
Certainly! Here's a reference guide for how each OEM (Cisco ASA, Fortinet FortiGate, Palo Alto Networks, and Cisco Meraki MX) performs the core firewall tasks (traffic filtering, NAT, VPN, and threat prevention) via CLI:
1. Traffic Filtering
a. Cisco ASA:
- Configure access-list: `access-list <ACL_name> <line_number> <permit/deny> <protocol> <source_IP> <source_mask> <destination_IP> <destination_mask>`
- Apply access-list to interface: `access-group <ACL_name> <in/out> interface <interface_name>`
b. Fortinet FortiGate:
- Configure firewall policy: `config firewall policy`
- Set policy details: `edit <policy_id>`, `set srcintf <source_interface>`, `set dstintf <destination_interface>`, `set srcaddr <source_address>`, `set dstaddr <destination_address>`, `set service <service_name>`, `set action <accept/deny>`
c. Palo Alto Networks:
- Configure security rule: `set rulebase security rules`
- Set rule details: `set name <rule_name>`, `set from <source_zone>`, `set to <destination_zone>`, `set source <source_address>`, `set destination <destination_address>`, `set service <service_name>`, `set action <allow/deny>`
d. Cisco Meraki MX (via Dashboard):
- Configure firewall rule in the Meraki Dashboard:
- Navigate to Security & SD-WAN > Configure > Firewall
- Click "Add a Rule" and set the rule details (source, destination, service, action)
2. Network Address Translation (NAT)
a. Cisco ASA:
- Configure static NAT: `nat (<inside_interface>,<outside_interface>) source static <local_IP> <global_IP>`
- Configure dynamic NAT: `nat (<inside_interface>,<outside_interface>) source dynamic <local_network> <global_IP_pool>`
b. Fortinet FortiGate:
- Configure SNAT: `config firewall ippool`, `edit <ippool_name>`, `set startip <start_IP>`, `set endip <end_IP>`
- Apply SNAT to policy: `config firewall policy`, `edit <policy_id>`, `set ippool enable`, `set poolname <ippool_name>`
c. Palo Alto Networks:
- Configure NAT rule: `set rulebase nat rules`
- Set rule details: `set name <rule_name>`, `set source <source_zone>`, `set destination <destination_zone>`, `set service <service_name>`, `set source-translation dynamic-ip-and-port <interface_name> <IP_address>`
d. Cisco Meraki MX (via Dashboard):
- Configure NAT in the Meraki Dashboard:
- Navigate to Security & SD-WAN > Configure > NAT
- Click "Add a Rule" and set the rule details (source, destination, service, translation type)
3. Virtual Private Network (VPN)
a. Cisco ASA:
- Configure IKEv1 policy: `crypto ikev1 policy <priority>`, `authentication pre-share`, `encryption <encryption_algorithm>`, `hash <hash_algorithm>`, `group <DH_group>`, `lifetime <seconds>`
- Configure IPsec transform set: `crypto ipsec transform-set <transform_set_name> <encryption_algorithm> <authentication_algorithm>`
- Configure tunnel group: `tunnel-group <peer_IP> type ipsec-l2l`, `tunnel-group <peer_IP> ipsec-attributes`, `pre-shared-key <key>`
- Configure crypto map: `crypto map <map_name> <priority> ipsec-isakmp`, `set peer <peer_IP>`, `set transform-set <transform_set_name>`, `set pfs <DH_group>`, `match address <ACL_name>`
b. Fortinet FortiGate:
- Configure Phase 1 (IKE): `config vpn ipsec phase1-interface`, `edit <tunnel_name>`, `set interface <interface_name>`, `set remote-gw <peer_IP>`, `set proposal <encryption_algorithm>-<authentication_algorithm>-<DH_group>`
- Configure Phase 2 (IPsec): `config vpn ipsec phase2
-interface`, `edit <tunnel_name>`, `set phase1name <phase1_tunnel_name>`, `set proposal <encryption_algorithm>-<authentication_algorithm>-<DH_group>`
- Configure firewall policy for VPN: `config firewall policy`, `edit <policy_id>`, `set srcintf <source_interface>`, `set dstintf <destination_interface>`, `set srcaddr <source_address>`, `set dstaddr <destination_address>`, `set action ipsec`, `set schedule always`, `set service ANY`, `set inbound enable`, `set outbound enable`
c. Palo Alto Networks:
- Configure IKE gateway: `set network ike gateway <gateway_name>`, `set address <peer_IP>`, `set authentication pre-shared-key <key>`, `set local-address <interface_name>`, `set protocol ikev1`
- Configure IPsec tunnel: `set network tunnel ipsec <tunnel_name>`, `set auto-key ike-gateway <gateway_name>`, `set auto-key ipsec-crypto-profile <profile_name>`
- Configure IPsec crypto profile: `set network ipsec crypto-profiles <profile_name>`, `set esp encryption <encryption_algorithm>`, `set esp authentication <authentication_algorithm>`
- Configure security policy for VPN: `set rulebase security rules`, `set name <rule_name>`, `set from <source_zone>`, `set to <destination_zone>`, `set source <source_address>`, `set destination <destination_address>`, `set application any`, `set service any`, `set action allow`, `set profile-setting profiles spyware <anti_spyware_profile> virus <anti_virus_profile>`
d. Cisco Meraki MX (via Dashboard):
- Configure site-to-site VPN in the Meraki Dashboard:
- Navigate to Security & SD-WAN > Configure > Site-to-site VPN
- Click "Add a peer" and set the peer details (peer IP, remote subnet, pre-shared key)
- Configure the local networks to be advertised
- Configure client VPN (L2TP over IPsec) in the Meraki Dashboard:
- Navigate to Security & SD-WAN > Configure > Client VPN
- Enable client VPN and set the authentication details (pre-shared key, client IP range)
4. Threat Prevention
a. Cisco ASA with FirePOWER Services:
- Configure access control policy: `access-control-policy`, `edit <policy_name>`, `rule add <rule_name>`, `action <allow/block>`, `source <source_network>`, `destination <destination_network>`, `port <port_number>`, `application <application_name>`, `intrusion-policy <intrusion_policy_name>`, `file-policy <file_policy_name>`, `logging <enable/disable>`
b. Fortinet FortiGate:
- Configure antivirus profile: `config antivirus profile`, `edit <profile_name>`, `set comment <description>`, `set inspection-mode <proxy/flow-based>`, `set ftgd-analytics <enable/disable>`
- Configure IPS sensor: `config ips sensor`, `edit <sensor_name>`, `set comment <description>`, `set block-malicious-url <enable/disable>`, `set extended-log <enable/disable>`
- Apply antivirus and IPS profiles to firewall policy: `config firewall policy`, `edit <policy_id>`, `set av-profile <antivirus_profile_name>`, `set ips-sensor <ips_sensor_name>`
c. Palo Alto Networks:
- Configure antivirus profile: `set deviceconfig system profiles anti-virus <profile_name>`, `set threat-prevention packet-capture <enable/disable>`, `set action <default/allow/alert/block/drop>`
- Configure anti-spyware profile: `set deviceconfig system profiles spyware <profile_name>`, `set threat-prevention packet-capture <enable/disable>`, `set action <default/allow/alert/block/drop>`
- Configure vulnerability protection profile: `set deviceconfig system profiles vulnerability <profile_name>`, `set threat-prevention packet-capture <enable/disable>`, `set action <default/allow/alert/block/drop/reset-both/reset-client/reset-server>`
- Attach profiles to security policy: `set rulebase security rules`, `set name <rule_name>`, `set profile-setting profiles spyware <anti_spyware_profile> virus <anti_virus_profile> vulnerability <vulnerability_protection_profile>`
d. Cisco Meraki MX (via Dashboard):
- Configure threat protection in the Meraki Dashboard:
- Navigate to Security & SD-WAN > Configure > Threat Protection
- Enable intrusion detection and prevention (IDS/IPS) and set the security level
- Enable advanced malware protection (AMP) and set the detection and blocking options
- Configure URL filtering and set the content categories to be blocked
This reference guide provides a high-level overview of how to configure core firewall tasks using the CLI for each OEM. Keep in mind that the exact commands and syntax may vary depending on the specific device model and software version. It's always recommended to refer to the official documentation and command references provided by the respective vendors for the most accurate and up-to-date information.
Introduction
Firewalls are essential components of network security, serving as the first line of defense against external threats and unauthorized access. They enforce security policies by controlling the flow of network traffic based on predefined rules and criteria. The effectiveness and functionality of a firewall depend heavily on how it implements key features such as traffic filtering, Network Address Translation (NAT), Virtual Private Network (VPN), and threat prevention.
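Review bot: The added file reads as a pasted chat-assistant answer rather than documentation, and several of its command listings are not valid CLI for the vendor they are filed under, so it should not be merged as-is. The opening "Certainly! Here's a reference guide ..." line and the closing "It's always recommended to refer to the official documentation ..." sentence should be dropped, and the "Introduction" heading with its paragraph at the end of the hunk belongs at the top of the file before "1. Traffic Filtering". Under "3. Virtual Private Network (VPN)", the Fortinet Phase 2 command is split across two lines (`config vpn ipsec phase2` / `-interface`) and must be the single `config vpn ipsec phase2-interface`; the VPN firewall policy that follows uses `set action ipsec` with `set inbound enable` / `set outbound enable`, which is the legacy policy-based form, while the phase1-interface/phase2-interface commands above it build a route-based tunnel whose policy should instead be `set action accept` with the tunnel interface as srcintf or dstintf. The Palo Alto entries in sections 1, 2, 3 and 4 write `set rulebase security rules` followed by a separate `set name <rule_name>`, but PAN-OS CLI takes the rule name and its attributes on one path (e.g. `set rulebase security rules <rule_name> from <source_zone> to <destination_zone> source <source_address> destination <destination_address> application any service any action allow`), and security profiles are created under `set profiles virus <profile_name>`, `set profiles spyware <profile_name>` and `set profiles vulnerability <profile_name>`, not `set deviceconfig system profiles ...`. The "Cisco ASA with FirePOWER Services" block lists `access-control-policy`, `rule add`, `intrusion-policy` and similar, which are not ASA or FirePOWER module CLI commands; FirePOWER access control policies are built in FMC or ASDM, so this block should be rewritten as a management-console procedure like the Meraki sections. Two smaller points: both the ASA (`crypto ikev1 policy`) and Palo Alto (`set protocol ikev1`) examples configure IKEv1, and the guide should at least note that IKEv2 is the preferred choice for new tunnels; and the Meraki MX sections are Dashboard click-paths, which the title "via CLI" and the closing sentence about "using the CLI for each OEM" contradict.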