Testing FortiGate FortiOS nested adress object groups

Sometimes it is useful to know, if a device really supports nested groups. This little test shows, that a Fortinet FortiGate 60D running FortiOS 5.6 actually supports an address object, which is nested into five different groups:

address object "h-192.168.2.2" is in group "srcgrp05"
address object group "srcgrp05" is in group "srcgrp04"
address object group "srcgrp04" is in group "srcgrp03"
address object group "srcgrp03" is in group "srcgrp02"
address object group "srcgrp02" is in group "srcgrp01"
address object group "srcgrp01" is used in firewall policy with id 10:


srcgrp01/
├──srcgrp02/
│   └──  srcgrp03/
│       └──  srcgrp04/
│           └── srcgrp05/
│               └── h-192.168.2.2/
 
dstgrp01/
├──dstgrp02/
│   └──  dstgrp03/
│       └──  dstgrp04/
│           └── dstgrp05/
│               └── h-172.16.0.182/ 
 
Firewall policy 10 uses srcgrp1 and dstgrp05 (by mistake, should have been dstgrp01)


Config:

config firewall address
    edit "h-192.168.2.2"
        set subnet 192.168.2.2 255.255.255.255
    next
    edit "h-172.16.0.182"
        set subnet 172.16.0.182 255.255.255.255
    next
end

config firewall addrgrp
    edit "srcgrp05"
        set member "h-192.168.2.2"
    next
   edit "srcgrp04"
        set member "srcgrp05"
    next
    edit "srcgrp03"
        set member "srcgrp04"
    next
    edit "srcgrp02"
        set member "srcgrp03"
    next
    edit "srcgrp01"
        set member "srcgrp02"
    next
    edit "dstgrp05"
        set member "h-172.16.0.182"
    next
    edit "dstgrp04"
        set member "dstgrp05"
    next
    edit "dstgrp03"
        set member "dstgrp04"
    next
    edit "dstgrp02"
        set member "dstgrp03"
    next
    edit "dstgrp01"
        set member "dstgrp02"
    next
end

config firewall policy
    edit 10
        set srcintf "internal3"
        set dstintf "wan1"
        set srcaddr "srcgrp01"
        set dstaddr "dstgrp05"
        set action accept
        set schedule "always"
        set service "SSH"
        set logtraffic all
        set fsso disable
        set nat enable
    next
end  



Test using diag debug flow:

FGT60D123456789 # id=20085 trace_id=4 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=6, 192.168.2.2:58871->172.16.0.182:22) from internal3. flag [S], seq 1083753677, ack 0, win 64240"
id=20085 trace_id=4 func=init_ip_session_common line=5614 msg="allocate a new session-0005ea9f"
id=20085 trace_id=4 func=vf_ip4_route_input line=1604 msg="find a route: flags=00000000 gw-172.16.0.182 via wan1"
id=20085 trace_id=4 func=fw_forward_handler line=746 msg="Allowed by Policy-10: SNAT"
id=20085 trace_id=4 func=__ip_session_run_tuple line=3284 msg="SNAT 192.168.2.2->172.16.255.254:58871"
id=20085 trace_id=5 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=6, 172.16.0.182:22->172.16.255.254:58871) from wan1. flag [S.], seq 3921820808, ack 1083753678, win 29200"
id=20085 trace_id=5 func=resolve_ip_tuple_fast line=5530 msg="Find an existing session, id-0005ea9f, reply direction"
id=20085 trace_id=5 func=__ip_session_run_tuple line=3298 msg="DNAT 172.16.255.254:58871->192.168.2.2:58871"
id=20085 trace_id=5 func=vf_ip4_route_input line=1604 msg="find a route: flags=00000000 gw-192.168.2.2 via internal3"
id=20085 trace_id=5 func=npu_handle_session44 line=919 msg="Trying to offloading session from wan1 to internal3, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x00000000"
id=20085 trace_id=5 func=ip_session_install_npu_session line=270 msg="npu session intallation succeeded"
id=20085 trace_id=6 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=6, 192.168.2.2:58871->172.16.0.182:22) from internal3. flag [.], seq 1083753678, ack 3921820809, win 1026"
id=20085 trace_id=6 func=resolve_ip_tuple_fast line=5530 msg="Find an existing session, id-0005ea9f, original direction"
id=20085 trace_id=6 func=npu_handle_session44 line=919 msg="Trying to offloading session from internal3 to wan1, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x00002000"
id=20085 trace_id=6 func=ip_session_install_npu_session line=270 msg="npu session intallation succeeded"
id=20085 trace_id=6 func=__ip_session_run_tuple line=3284 msg="SNAT 192.168.2.2->172.16.255.254:58871"
id=20085 trace_id=7 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=6, 172.16.0.182:22->172.16.255.254:58871) from wan1. flag [F.], seq 3921820867, ack 1083753680, win 229"
id=20085 trace_id=7 func=resolve_ip_tuple_fast line=5530 msg="Find an existing session, id-0005ea9f, reply direction"
id=20085 trace_id=7 func=__ip_session_run_tuple line=3298 msg="DNAT 172.16.255.254:58871->192.168.2.2:58871"
id=20085 trace_id=7 func=npu_handle_session44 line=919 msg="Trying to offloading session from wan1 to internal3, skb.npu_flag=00000000 ses.state=00010204 ses.npu_state=0x00003000"
id=20085 trace_id=8 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=6, 192.168.2.2:58871->172.16.0.182:22) from internal3. flag [F.], seq 1083753680, ack 3921820868, win 1026"
id=20085 trace_id=8 func=resolve_ip_tuple_fast line=5530 msg="Find an existing session, id-0005ea9f, original direction"
id=20085 trace_id=8 func=npu_handle_session44 line=919 msg="Trying to offloading session from internal3 to wan1, skb.npu_flag=00000000 ses.state=00010204 ses.npu_state=0x00003000"
id=20085 trace_id=8 func=__ip_session_run_tuple line=3284 msg="SNAT 192.168.2.2->172.16.255.254:58871" 


Result

The working with an address object, which is nested in 5 address object groups works.

No comments:

Post a Comment

Azure Managed Identities (technical service accounts)

Explaination Azure Managed Identities = technical service accounts Password is automatically managed, as it was the case in managed service ...