Fortinet black logo

Hyperscale Firewall Guide

Home FortiGate / FortiOS 7.4.3 Hyperscale Firewall Guide
7.4.3
7.4.3
7.4.2
7.4.1
7.4.0
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.6
6.2.9
6.2.7
6.2.6

Adding IP address threat feeds to hyperscale firewall policies

Adding IP address threat feeds to hyperscale firewall policies

You can go to Security Fabric > External Connectors > Create New and select IP address to create an IP address threat feed. You can then add this threat feed to a hyperscale firewall policy as a source or destination address. This feature allows you to add dynamic lists of IPv4 and IPv6 source or destination addresses to your hyperscale firewall configuration.

Use the following command to add an IP Address Threat Feed:

config system external-resource

edit example-address-threat-feed

set type address

set status enable

set update-method {feed | push}

set username <name>

set password <password>

set resource <url-of-address-list>

set refresh-rate <rate>

end

Use the following command to add an IP Address Threat Feed to a hyperscale firewall policy as the destination address:

config firewall policy

edit 1

set name cgn-hw1-policy44-1

set srcintf port1

set dstintf port2

set action accept

set srcaddr all

set dstaddr example-address-threat-feed

set service ALL

set nat enable

set ippool enable

set poolname test-cgn-pba-33

end

For information about IP Address Threat Feeds, see IP address threat feed.

Example diagnose iprope command output showing the IP Address Threat Feed listed as external ip pool in the destination field:

For an IPv4 IP Address Threat Feed:

diagnose firewall iprope list 100004

policy index=1 uuid_idx=16081 action=accept
flag (8050108): redir nat master use_src pol_stats 
flag2 (4000): resolve_sso 
flag3 (a0): link-local best-route 
flag4 (4): 
schedule(always)
shapers: orig=shaper10M-high(2/1280000/1280000) reply=shaper10M-high(2/1280000/1280000)
cos_fwd=255  cos_rev=255 
group=00100004 av=00004e20 au=00000000 split=00000000
host=500 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 11 -> zone(1): 12 
source(1): 0.0.0.0-255.255.255.255, uuid_idx=15932, 
destination external ip pool(1): 16065 
service(1): 
        [0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto  
pba_nat(1): 5

For an IPv6 IP Address Threat Feed:

diagnose firewall iprope6 list 100004

policy id: 2, group: 00100004, uuid_idx=16082
  action: accept, schedule: always
  cos_fwd=255 cos_rev=255
  flag (08010008): redir master pol_stats
  flag2(00004000): resolve_sso
  flag3(00000080): best-route
  flag4(00000004):
  shapers: shaper10M-high(2/1280000/1280000)/shaper10M-high(2/1280000/1280000) per_ip=
  sub_groups: av 00004e20 auth 00000000 split 00000000 misc 00000000
  app_list: 0 ips_view: 0
  vdom_id: 500
  zone_from(1): 11
  zone_to(1): 12
  address_src(1):
      all uuid_idx=15953
  destination external ip pool(1):
      16065 
  service(1):
      [0:0x0:0/(0,65535)->(0,65535)] helper:auto  
  nat(0):
  nat_64(0):

Example diagnose sys npu-session list command output showing some NP7 sessions accepted by a firewall policy with an IP Address Threat Feed.

For an IPv4 session:

diagnose sys npu-session list

session info: proto=6 proto_state=00 duration=45 expire=3600 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=1
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=hw_ses 
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=0->0/0->0 gwy=0.0.0.0/0.0.0.0
hook=post dir=org act=snat 10.1.100.11:44192->172.16.200.55:23(172.16.201.182:9141)
hook=pre dir=reply act=dnat 172.16.200.55:23->172.16.201.182:9141(10.1.100.11:44192)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 pol_uuid_idx=16081 auth_info=0 chk_client_info=0 vd=500
serial=00000000 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
  setup by offloaded-policy: origin=native
  O: npid=0/0, in: OID=0/VID=0, out: NHI=0 OID=0/VID=0
  R: npid=0/0, in: OID=0/VID=0, out: NHI=0 OID=0/VID=0
# hardware-session = 1

For an IPv6 session:

diagnose sys npu-session list6 

session6 info: proto=6 proto_state=00 duration=39 expire=3600 timeout=3600 refresh_dir=both flags=00000000 sockport=0 socktype=0 use=1
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=hw_ses 
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=0->0/0->0
hook=post dir=org act=noop 2000:10:1:100::11:47494->2000:172:16:200::55:23(:::0)
hook=pre dir=reply act=noop 2000:172:16:200::55:23->2000:10:1:100::11:47494(:::0)
misc=0 policy_id=2 pol_uuid_idx=16082 auth_info=0 chk_client_info=0 vd=500
serial=00000000 tos=ff/ff ips_view=25972 app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
  setup by offloaded-policy: origin=native
  O: npid=0/0, in: OID=0/VID=0, out: NHI=0 OID=0/VID=0
  R: npid=0/0, in: OID=0/VID=0, out: NHI=0 OID=0/VID=0
# hardware-session = 1
Previous
Next

Adding IP address threat feeds to hyperscale firewall policies

You can go to Security Fabric > External Connectors > Create New and select IP address to create an IP address threat feed. You can then add this threat feed to a hyperscale firewall policy as a source or destination address. This feature allows you to add dynamic lists of IPv4 and IPv6 source or destination addresses to your hyperscale firewall configuration.

Use the following command to add an IP Address Threat Feed:

config system external-resource

edit example-address-threat-feed

set type address

set status enable

set update-method {feed | push}

set username <name>

set password <password>

set resource <url-of-address-list>

set refresh-rate <rate>

end

Use the following command to add an IP Address Threat Feed to a hyperscale firewall policy as the destination address:

config firewall policy

edit 1

set name cgn-hw1-policy44-1

set srcintf port1

set dstintf port2

set action accept

set srcaddr all

set dstaddr example-address-threat-feed

set service ALL

set nat enable

set ippool enable

set poolname test-cgn-pba-33

end

For information about IP Address Threat Feeds, see IP address threat feed.

Example diagnose iprope command output showing the IP Address Threat Feed listed as external ip pool in the destination field:

For an IPv4 IP Address Threat Feed:

diagnose firewall iprope list 100004

policy index=1 uuid_idx=16081 action=accept
flag (8050108): redir nat master use_src pol_stats 
flag2 (4000): resolve_sso 
flag3 (a0): link-local best-route 
flag4 (4): 
schedule(always)
shapers: orig=shaper10M-high(2/1280000/1280000) reply=shaper10M-high(2/1280000/1280000)
cos_fwd=255  cos_rev=255 
group=00100004 av=00004e20 au=00000000 split=00000000
host=500 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 11 -> zone(1): 12 
source(1): 0.0.0.0-255.255.255.255, uuid_idx=15932, 
destination external ip pool(1): 16065 
service(1): 
        [0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto  
pba_nat(1): 5

For an IPv6 IP Address Threat Feed:

diagnose firewall iprope6 list 100004

policy id: 2, group: 00100004, uuid_idx=16082
  action: accept, schedule: always
  cos_fwd=255 cos_rev=255
  flag (08010008): redir master pol_stats
  flag2(00004000): resolve_sso
  flag3(00000080): best-route
  flag4(00000004):
  shapers: shaper10M-high(2/1280000/1280000)/shaper10M-high(2/1280000/1280000) per_ip=
  sub_groups: av 00004e20 auth 00000000 split 00000000 misc 00000000
  app_list: 0 ips_view: 0
  vdom_id: 500
  zone_from(1): 11
  zone_to(1): 12
  address_src(1):
      all uuid_idx=15953
  destination external ip pool(1):
      16065 
  service(1):
      [0:0x0:0/(0,65535)->(0,65535)] helper:auto  
  nat(0):
  nat_64(0):

Example diagnose sys npu-session list command output showing some NP7 sessions accepted by a firewall policy with an IP Address Threat Feed.

For an IPv4 session:

diagnose sys npu-session list

session info: proto=6 proto_state=00 duration=45 expire=3600 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=1
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=hw_ses 
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=0->0/0->0 gwy=0.0.0.0/0.0.0.0
hook=post dir=org act=snat 10.1.100.11:44192->172.16.200.55:23(172.16.201.182:9141)
hook=pre dir=reply act=dnat 172.16.200.55:23->172.16.201.182:9141(10.1.100.11:44192)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 pol_uuid_idx=16081 auth_info=0 chk_client_info=0 vd=500
serial=00000000 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
  setup by offloaded-policy: origin=native
  O: npid=0/0, in: OID=0/VID=0, out: NHI=0 OID=0/VID=0
  R: npid=0/0, in: OID=0/VID=0, out: NHI=0 OID=0/VID=0
# hardware-session = 1

For an IPv6 session:

diagnose sys npu-session list6 

session6 info: proto=6 proto_state=00 duration=39 expire=3600 timeout=3600 refresh_dir=both flags=00000000 sockport=0 socktype=0 use=1
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=hw_ses 
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=0->0/0->0
hook=post dir=org act=noop 2000:10:1:100::11:47494->2000:172:16:200::55:23(:::0)
hook=pre dir=reply act=noop 2000:172:16:200::55:23->2000:10:1:100::11:47494(:::0)
misc=0 policy_id=2 pol_uuid_idx=16082 auth_info=0 chk_client_info=0 vd=500
serial=00000000 tos=ff/ff ips_view=25972 app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
  setup by offloaded-policy: origin=native
  O: npid=0/0, in: OID=0/VID=0, out: NHI=0 OID=0/VID=0
  R: npid=0/0, in: OID=0/VID=0, out: NHI=0 OID=0/VID=0
# hardware-session = 1
Previous
Next