FortiGate can match the traffic by device type by selecting the device in the source field. There are two types of device identification:
Agentless device identification uses traffic from the device and devices indexed by their MAC address.
Agent-based device identification uses FortiClient, which sends its unique FortiClient ID to FortiGate.
In this lab, you will use the agentless device identification technique. You will add the device in the source field to the existing firewall policy and observe the firewall policy source matching behavior.
Disabling Existing Firewall Policy
First, you will disable the Block_Ping firewall policy and your traffic will match to the Internet_Access firewall policy.
To disable existing firewall policy
1. On the Local-Windows VM, open a web browser and log in as admin to the Local-FortiGate GUI at 10.0.1.254.
2. Go to Policy & Objects > IPv4 Policy.
3. Right-click on the Seq.# column for Block_Ping firewall policy.
4. Select Status and click on Disable.
Configuring and Testing Device Identification
Now, you will run a continuous ping to an IP address. To test the firewall policy source matching behavior, you will add a non-matching device, such as Linux PC, to the source field.
To configure and test device identification
1. On the Local-Windows VM, open a command prompt.
2. Run a continuous ping to 10.200.1.254. Enter: ping -t 10.200.1.254
3. In the Policy & Objects > IPv4 Policy on the Local-FortiGate GUI, right click the Seq.# column for Internet_Access firewall policy.
4. Click Edit.
5. Select Source.
6. On the right hand side, select Device.
7. Click Linux PC.
You are choosing a device type that doesn’t match your device (Windows).
DO NOT REPRINT
© FORTINET
LAB 3–Firewall Policies
8. Click OK.
FortiGate will notify you that this action enables device identification on the source interface.
9. Click OK.
Note: If you enable a source device type in the firewall policy, FortiGate enables device detection on the source interface(s) of the policy.
10. Return to the command prompt on the Local-Windows VM, where you were running continuous ping.
You should see that traffic is blocked.
11. On the Local-Windows VM, try browsing the Internet by opening web browsers and connecting to various external web sites such as www.fortinet.com and www.bbc.com. Confirm the firewall blocks this traffic.
The traffic is blocked because the source device type in the firewall policy is set to Linux PC, which does not match the Windows device from which the traffic is generated.
Modify the Implicit Deny Firewall Policy
FortiGate checks from top to bottom to find a firewall policy that matches the traffic. If none of the firewall policies match the traffic, the default implicit deny firewall policy drops the traffic.
To confirm that the traffic is dropped by the implicit deny policy, you will enable logging on the implicit firewall policy and then check the logs.
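The matching behavior described above (top-to-bottom first match, source device type as an extra AND condition, unmatched traffic falling to the implicit deny policy with ID 0, and a deny log entry only when logging is enabled on it) can be modeled in a few lines. The following Python is an added example, not part of the Fortinet lab guide and not FortiOS code; the policy names mirror the lab, but the addresses, service labels and device-type strings are constructed for illustration.

```python
# Added example: a minimal model of FortiGate first-match policy evaluation
# with source device-type matching and the implicit deny policy (ID 0).
# Not FortiOS code; all names and values are constructed for this lab.
from dataclasses import dataclass, field


@dataclass
class Policy:
    policyid: int
    name: str
    src_addr: str           # "all" or a single constructed address
    dst_addr: str
    service: set            # e.g. {"PING"} or {"ALL"}
    action: str             # "accept" or "deny"
    src_devices: set = field(default_factory=set)  # empty set = any device
    log: bool = False       # Log Violation Traffic / Log Allowed Traffic
    enabled: bool = True    # Status column in the policy table


@dataclass
class Flow:
    src_addr: str
    dst_addr: str
    service: str
    device_type: str        # agentless detection result, keyed by MAC address


def matches(p: Policy, f: Flow) -> bool:
    """Every configured field must match; a source device list narrows the policy."""
    if p.src_addr not in ("all", f.src_addr):
        return False
    if p.dst_addr not in ("all", f.dst_addr):
        return False
    if "ALL" not in p.service and f.service not in p.service:
        return False
    if p.src_devices and f.device_type not in p.src_devices:
        return False
    return True


def evaluate(policies, flow, log_implicit=False):
    """Walk the table top to bottom; unmatched traffic hits Implicit Deny (ID 0).

    Returns (policy name, action, log record or None).
    """
    for p in policies:
        if p.enabled and matches(p, flow):
            hit = p
            break
    else:
        hit = Policy(0, "Implicit Deny", "all", "all", {"ALL"}, "deny",
                     log=log_implicit)
    record = None
    if hit.log:
        record = {"policyid": hit.policyid, "action": hit.action,
                  "srcip": flow.src_addr, "dstip": flow.dst_addr,
                  "service": flow.service, "devtype": flow.device_type}
    return hit.name, hit.action, record


def lab_policies(source_devices, block_ping_enabled=False):
    """The two lab policies in table order; Block_Ping is disabled in this lab."""
    return [
        Policy(1, "Block_Ping", "all", "all", {"PING"}, "deny",
               enabled=block_ping_enabled),
        Policy(2, "Internet_Access", "all", "all", {"ALL"}, "accept",
               src_devices=set(source_devices)),
    ]


if __name__ == "__main__":
    # Constructed flow: the Windows VM pinging 10.200.1.254
    ping = Flow("10.0.1.10", "10.200.1.254", "PING", "windows-pc")
    # Source device set to Linux PC: the Windows host falls to implicit deny
    print(evaluate(lab_policies({"linux-pc"}), ping, log_implicit=True))
    # Source device changed to Windows PC: Internet_Access accepts the traffic
    print(evaluate(lab_policies({"windows-pc"}), ping))
```

Note that without Log Violation Traffic on the implicit policy the drop leaves no record, which is why the lab enables it before checking Forward Traffic logs.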
To enable logging on the implicit deny firewall policy
1. In Local-FortiGate GUI, go to Policy & Objects > IPv4 Policy.
2. Right click the Seq.# column for the Implicit Deny firewall policy.
3. Click Edit.
4. Enable Log Violation Traffic.
5. Click OK.
To confirm traffic is dropped by the implicit deny firewall policy
1. In Local-FortiGate GUI, go to Log & Report > Forward Traffic.
2. Confirm there are logging entries for the denied ping traffic.
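When the Forward Traffic view is exported or forwarded to a syslog collector, the same check can be scripted. The following Python is an added example, not from the lab guide: it parses constructed log lines written in FortiGate's key=value style (the field names policyid, action and service are real FortiGate log fields; the timestamps, addresses and interface names are constructed) and selects the ping entries dropped by the implicit deny policy, which carries policyid=0.

```python
# Added example: find ping traffic denied by the implicit policy (policyid=0)
# in FortiGate-style key=value forward traffic logs. The sample lines below
# are constructed for this example; they are not real device output.
import re

SAMPLE_LOG = """\
date=2019-03-05 time=10:12:01 type="traffic" subtype="forward" srcip=10.0.1.10 dstip=10.200.1.254 srcintf="port3" dstintf="port1" policyid=0 action="deny" service="PING"
date=2019-03-05 time=10:12:02 type="traffic" subtype="forward" srcip=10.0.1.10 dstip=10.200.1.254 srcintf="port3" dstintf="port1" policyid=0 action="deny" service="PING"
date=2019-03-05 time=10:12:05 type="traffic" subtype="forward" srcip=10.0.1.10 dstip=203.0.113.5 srcintf="port3" dstintf="port1" policyid=0 action="deny" service="HTTPS"
date=2019-03-05 time=10:15:40 type="traffic" subtype="forward" srcip=10.0.1.10 dstip=10.200.1.254 srcintf="port3" dstintf="port1" policyid=2 action="accept" service="PING"
"""

# key=value pairs; values may be bare tokens or double-quoted strings
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def denied_by_implicit_policy(log_text, service=None):
    """Return entries with action deny and policyid 0, optionally for one service."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec.get("policyid") != "0" or rec.get("action") != "deny":
            continue
        if service is not None and rec.get("service") != service:
            continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in denied_by_implicit_policy(SAMPLE_LOG, service="PING"):
        print(rec["time"], rec["srcip"], "->", rec["dstip"], rec["service"], "policyid", rec["policyid"])
```

A policyid of 0 is the marker to key on: the entry exists only because Log Violation Traffic was enabled on the implicit policy in the previous steps.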
Reconfiguring Device Identification
Now you will edit the Internet_Access firewall policy and add a Windows PC to match your Local-Windows VM. You will see that the traffic will be allowed by this policy after you add a matching source device.
To reconfigure device identification
1. In the Local-FortiGate GUI, go to Policy & Objects > IPv4 Policy.
2. Right click on the Source column for the Internet_Access firewall policy.
3. Click Select Entries.
4. Click Device.
5. Click Windows PC to select it.
6. Click Linux PC to unselect it.
7. Click OK.
To confirm traffic is allowed by a firewall policy
1. On the Local-Windows VM, return to the continuous ping that you started previously. You should see that traffic is allowed.
2. Close the command prompt window.
3. On the Local-Windows VM, try browsing the Internet by opening web browsers and connecting
Confirm that the firewall allows this traffic.
Viewing the Details of an Identified Device
Once a device is identified, FortiGate updates its list of devices and caches the list to the flash disk to speed up detection. You can view the details of an identified device. These details include device type, detection method, and IP address to name a few.
To view the details of identified device
1. In the Local-FortiGate GUI, go to User & Device > Device Inventory.
2. Click the + sign to expand the list.
3. Review the details of your detected host device.
You can see device details, such as IP address, interface, status, and more.
4. In the Local-Windows VM, open PuTTY and connect to the LOCAL-FORTIGATE saved session (connect over SSH).
5. Log in as admin and execute the following command to view detection method and other device details:
diagnose user device list
Adding an Identified Device to the Configuration File
The identified device is cached on the FortiGate and is not added to the configuration file. You will be adding the identified device to the configuration file by adding an alias to the device.
To add an identified device to the configuration file
1. In a LOCAL-FORTIGATE PuTTY session, run the following command to confirm that there are no devices in the configuration file:
show user device
2. In the Local-FortiGate GUI, go to User & Device > Device Inventory.
3. Click on your device.
4. Click Edit.
5. Configure the following:
Field    Value
Alias    MyDevice
This creates a static device in the configuration file.
6. Click OK.
7. In the LOCAL-FORTIGATE PuTTY session, run the following command to confirm that the device now appears in the configuration file as a permanent device:
show user device
8. In the Local-FortiGate GUI, go to User & Device > Custom Devices & Groups.
Note that your device is listed under Custom Devices.
Adding a Custom Device to the Firewall Policy
Now that you've added your device as a custom device, you'll add it to the firewall policy.
To add a custom device to the firewall policy
1. In the Local-FortiGate GUI, go to Policy & Objects > IPv4 Policy.
2. Right click the Source column for Internet_Access firewall policy.
3. Click Select Entries.
4. Click Device on the right hand side.
5. Click Windows PC to unselect it.
6. Under CUSTOM DEVICE, click MyDevice to select it.
7. Click OK.
To confirm traffic is allowed by the firewall policy
1. On the Local-Windows VM, try browsing the Internet by opening web browsers and connecting to various external web sites such as www.yahoo.com and www.google.com.