I. Network requirements

There are two internal VLANs (a trunk environment). The gateway sits on the router, and the firewall works in transparent mode, deployed between the core switch and the core router. Both VLANs must be allowed to reach the Internet, the two VLANs must be able to reach each other, and both VLANs must be protected, with antivirus filtering enabled.


II. Network topology

Topology 1: single-VLAN transparent pass-through:



Topology 2: multi-VLAN transparent pass-through and inter-VLAN access:




III. Configuration key points

Topology 1: single VLAN10 transparent pass-through:

1. Basic configuration of the SW switch and the Internet_R router

2. Configure the firewall in transparent mode and enable management access

3. Configure the VLAN sub-interfaces on the Inside and Outside interfaces and add them to a forward-domain

4. Configure a security policy allowing internal PCs (hosts in VLAN10) to reach the Internet


Topology 2: multi-VLAN transparent pass-through and inter-VLAN access:

1. Basic configuration of the SW switch and the Internet_R router

2. Add the VLAN20 sub-interfaces on Inside and Outside and put them in a forward-domain

3. Configure a security policy from Inside_VLAN20 to Outside_VLAN20 allowing internal PCs (hosts in VLAN20) to reach the Internet

4. Configure the policies for access between VLAN10 and VLAN20


IV. Procedure

Topology 1: single VLAN10 transparent pass-through:

1. Basic configuration of the SW switch and the Internet_R router

Basic configuration of SW:

interface Ethernet0/0
switchport trunk allowed vlan 1,10
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Ethernet0/1
switchport access vlan 10
switchport mode access
!

Basic configuration of the Internet_R router:

hostname Internet_R

!

interface Ethernet0/0
ip address 192.168.1.99 255.255.255.0
no shutdown
ip nat inside
!

interface Ethernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.99 255.255.255.0

no shutdown
ip nat inside
!
interface Ethernet0/1
ip address 202.100.1.179 255.255.255.0
no shutdown
ip nat outside
!
ip route 0.0.0.0 0.0.0.0 202.100.1.192
!        
access-list 101 permit ip any any
ip nat inside source list 101 interface Ethernet0/1 overload


2. Configure the firewall in transparent mode and enable management access

From the device CLI, change the operating mode to transparent, and give the device a management address and gateway.

FortiGate-VM64-KVM # config system global
FortiGate-VM64-KVM (global) # set hostname FortiGate_Transparent
FortiGate_Transparent (global) # set timezone 55
FortiGate_Transparent (global) # set language simch
FortiGate_Transparent (global) # end
FortiGate_Transparent #

FortiGate_Transparent # config system settings

FortiGate_Transparent (settings) # set opmode transparent    // Change the FGT operating mode to transparent (the default is NAT/route mode). Note: the switch only succeeds if the firewall has no interface addresses, policies, routes or similar configuration left over.
FortiGate_Transparent (settings) # set manageip 192.168.1.100 255.255.255.0  // Local IP used to manage the firewall; together with the gateway below it allows HTTP/SSH management and lets the firewall reach FortiGuard for service updates.
FortiGate_Transparent (settings) # set gateway 192.168.1.99
FortiGate_Transparent (settings) # end
Changing to TP mode
FortiGate_Transparent # execute ping 192.168.1.99
PING 192.168.1.99 (192.168.1.99): 56 data bytes
64 bytes from 192.168.1.99: icmp_seq=0 ttl=255 time=0.7 ms
64 bytes from 192.168.1.99: icmp_seq=1 ttl=255 time=0.9 ms
64 bytes from 192.168.1.99: icmp_seq=2 ttl=255 time=0.8 ms
64 bytes from 192.168.1.99: icmp_seq=3 ttl=255 time=0.9 ms
64 bytes from 192.168.1.99: icmp_seq=4 ttl=255 time=0.7 ms

--- 192.168.1.99 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.7/0.8/0.9 ms
FortiGate_Transparent # 

FortiGate_Transparent # get system status
Version: FortiGate-VM64-KVM v6.2.0,build0866,190328 (GA)
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 0.00000(2001-01-01 00:00)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
Serial-Number: FGVM01TM19000127
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
Botnet DB: 1.00000(2012-05-28 22:51)
License Status: Warning
License Expires: 2020-01-14
Log hard disk: Not available
Hostname: FortiGate_Transparent
Operation Mode: Transparent
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 0 in NAT mode, 1 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 0866
Release Version Information: GA
FortiOS x86-64: Yes
System time: Mon Jul  1 12:48:30 2019

(The MGMT1 and MGMT2 ports have management access by default.) Taking management through the port1 (LAN) interface as an example, the commands to allow managing the FGT on port1 (LAN) are below. Note that plain HTTP carries the admin credentials in clear text; it is listed here only to mirror the lab, and on a production unit only https, ssh and ping should be kept.

FortiGate_Transparent # config system interface
FortiGate_Transparent (interface) # edit port1
FortiGate_Transparent (port1) # set allowaccess https http ping ssh  // Allow management access to the transparent-mode FortiGate on port1 over HTTPS/HTTP/SSH/ping
FortiGate_Transparent (port1) # end
FortiGate_Transparent # 

3. Configure the VLAN sub-interfaces on the Inside and Outside interfaces and add them to a forward-domain

Create the VLAN10 sub-interfaces on the LAN and WAN interfaces:

Note: where it is not needed, it is recommended to turn off "Device detection" in the interface settings. This feature identifies the device vendor from the MAC address and supports MAC address filtering, and it consumes a noticeable amount of device resources.






Configure the forward-domain for the Inside_VLAN10 and Outside_VLAN10 interfaces:

FortiGate_Transparent # config system interface
FortiGate_Transparent (interface) # edit Inside_VLAN10
FortiGate_Transparent (Inside_VLAN10) # set forward-domain 10
FortiGate_Transparent (Inside_VLAN10) # next

FortiGate_Transparent (interface) # edit Outside_VLAN10
FortiGate_Transparent (Outside_VLAN10) # set forward-domain 10
FortiGate_Transparent (Outside_VLAN10) # end
FortiGate_Transparent # 

About Forward-Domain:
By default all interfaces belong to forward-domain 0, which can be thought of as one broadcast domain. In FortiGate's model it is the forward-domain, not the VLAN, that represents the real broadcast domain, whereas the usual switching intuition is that VLANs separate broadcast domains. So whenever VLANs are used, be sure to tie the VLAN ID to a forward-domain ID; you can then reason about the FortiGate in transparent mode the way you would about a switch using VLANs to separate broadcast domains. Forward-domain is a rather special concept of FGT transparent mode; remember: wherever a VLAN ID is involved, configure the corresponding forward-domain ID and you will avoid trouble. For example, for VLAN ID 10 it is recommended to use forward-domain ID 10 as well.

In older versions, by default all interfaces, physical and VLAN alike, belonged to forward-domain 0, and at the same time vlanforward was enabled on each interface by default (for this reason, newer releases from v5.0.10, v5.2.2 and v5.4.0 onward default it to disable). With every interface/VLAN in one broadcast domain and VLAN-tagged frames forwarded by default, a loop and broadcast storm are easy to create. In the scenario configured here, an older version (vlanforward enable) without forward-domains configured would very easily loop.

4. Configure a security policy allowing internal PCs (hosts in VLAN10) to reach the Internet

Configure the security policy from Inside_VLAN10 to Outside_VLAN10:






Topology 2: multi-VLAN transparent pass-through and inter-VLAN access:

1. Basic configuration of the SW switch and the Internet_R router

Additional SW configuration:

interface Ethernet0/0
switchport trunk allowed vlan 1,10,20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Ethernet0/1
switchport access vlan 10
switchport mode access
!
interface Ethernet0/2
switchport access vlan 20
switchport mode access
!

Basic configuration of the Internet_R router:

hostname Internet_R

!

interface Ethernet0/0
ip address 192.168.1.99 255.255.255.0
no shutdown
ip nat inside
!

interface Ethernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.99 255.255.255.0

no shutdown
ip nat inside
!
interface Ethernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.99 255.255.255.0

no shutdown
ip nat inside
!
interface Ethernet0/1
ip address 202.100.1.179 255.255.255.0
no shutdown
ip nat outside
!
ip route 0.0.0.0 0.0.0.0 202.100.1.192
!        
access-list 101 permit ip any any
ip nat inside source list 101 interface Ethernet0/1 overload


2. Add the VLAN20 sub-interfaces on Inside and Outside and put them in a forward-domain







Configure the forward-domain for the Inside_VLAN20 and Outside_VLAN20 interfaces:

FortiGate_Transparent # config system interface
FortiGate_Transparent (interface) # edit Inside_VLAN20
FortiGate_Transparent (Inside_VLAN20) # set forward-domain 20
FortiGate_Transparent (Inside_VLAN20) # next

FortiGate_Transparent (interface) # edit Outside_VLAN20
FortiGate_Transparent (Outside_VLAN20) # set forward-domain 20
FortiGate_Transparent (Outside_VLAN20) # end
FortiGate_Transparent # 

About Forward-Domain: see the explanation under topology 1, step 3. The same rule applies here: the VLAN ID and the forward-domain ID must be tied together, and for VLAN ID 20 the recommended forward-domain ID is 20.
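The VLAN sub-interfaces in topology 1 step 3 and topology 2 step 2 were created in the GUI (the screenshots are not reproduced here). The following CLI configuration is an added equivalent, not taken from the original page: it assumes port1 is the Inside (LAN) side and port2 the Outside (WAN) side, as the sniffer output in section V shows, keeps the page's interface names, turns off device detection as the note above recommends, and explicitly leaves vlanforward disabled on the physical trunk ports so the loop described under Forward-Domain cannot occur. Lines beginning with # are comments.

```fortios
# Added example, not from the original page. Assumption: port1 = Inside
# (toward SW), port2 = Outside (toward Internet_R), as in the sniffer output.
config system interface
    # Physical trunk ports stay in forward-domain 0 (untagged traffic such as
    # the management IP). vlanforward stays disabled so tagged frames are only
    # forwarded through the VLAN sub-interfaces defined below, never bridged
    # between port1 and port2 with their tag intact.
    edit "port1"
        set vlanforward disable
        set device-identification disable
    next
    edit "port2"
        set vlanforward disable
        set device-identification disable
    next
    # VLAN10 (topology 1): one sub-interface per side, both in forward-domain 10
    edit "Inside_VLAN10"
        set vdom "root"
        set interface "port1"
        set vlanid 10
        set forward-domain 10
        set device-identification disable
    next
    edit "Outside_VLAN10"
        set vdom "root"
        set interface "port2"
        set vlanid 10
        set forward-domain 10
        set device-identification disable
    next
    # VLAN20 (topology 2): same pattern, separate broadcast domain 20
    edit "Inside_VLAN20"
        set vdom "root"
        set interface "port1"
        set vlanid 20
        set forward-domain 20
        set device-identification disable
    next
    edit "Outside_VLAN20"
        set vdom "root"
        set interface "port2"
        set vlanid 20
        set forward-domain 20
        set device-identification disable
    next
end
```

To check the result, `show system interface Inside_VLAN10` should list the vlanid and forward-domain, and `diagnose netlink brctl name host root.b` prints the bridge forwarding table of the root VDOM with each learned MAC bound to the sub-interface it was learned on; a host MAC from VLAN10 showing up behind a VLAN20 sub-interface means the forward-domains are wrong.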

3. Configure a security policy from Inside_VLAN20 to Outside_VLAN20 allowing hosts in VLAN20 to reach the Internet







4. Configure the policies for access between VLAN10 and VLAN20

Following the path the traffic takes: a packet from VLAN10 to VLAN20 first crosses the firewall on the VLAN10 pair on its way to the router, which routes it into VLAN20, and then crosses the firewall a second time on the VLAN20 pair. Only the first pass is matched against a policy; the second pass is matched by the reflect session, as the debug flow output in section V shows. Each direction of initiation therefore needs one policy.

Add policy 1: Inside_VLAN10 to Outside_VLAN10, 192.168.10.0/24 to 192.168.20.0/24





Add policy 2: Inside_VLAN20 to Outside_VLAN20, 192.168.20.0/24 to 192.168.10.0/24
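The policies in topology 1 step 4 and topology 2 steps 3 and 4 were configured in the GUI. Below is an added CLI version of all four, not from the original page, with the antivirus filtering the requirements call for. It assumes the built-in "default" antivirus profile and "certificate-inspection" SSL/SSH profile that FortiOS 6.2 ships with, that policy IDs 1 to 4 are unused, and the address object and policy names are my own; IDs 3 and 4 are chosen so they line up with the "Allowed by Policy-3" and "Allowed by Policy-4" lines in the debug flow output in section V. Lines beginning with # are comments.

```fortios
# Added example, not from the original page. Address objects for the two VLANs
# (names are assumptions).
config firewall address
    edit "VLAN10_NET"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "VLAN20_NET"
        set subnet 192.168.20.0 255.255.255.0
    next
end

config firewall policy
    # Topology 1 step 4 / topology 2 step 3: VLAN10 and VLAN20 to the Internet,
    # antivirus enabled as the requirements demand. No "set nat enable": the
    # FortiGate only bridges here; NAT overload is done on Internet_R.
    edit 1
        set name "VLAN10_to_Internet"
        set srcintf "Inside_VLAN10"
        set dstintf "Outside_VLAN10"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
    edit 2
        set name "VLAN20_to_Internet"
        set srcintf "Inside_VLAN20"
        set dstintf "Outside_VLAN20"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
    # Topology 2 step 4: VLAN10 <-> VLAN20. Inter-VLAN traffic crosses the
    # bridge twice (VLAN10 pair toward the router, VLAN20 pair on the way
    # back), so one policy per initiating direction; the second pass is
    # matched by the reflect session, not by a policy.
    edit 3
        set name "VLAN10_to_VLAN20"
        set srcintf "Inside_VLAN10"
        set dstintf "Outside_VLAN10"
        set srcaddr "VLAN10_NET"
        set dstaddr "VLAN20_NET"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
    edit 4
        set name "VLAN20_to_VLAN10"
        set srcintf "Inside_VLAN20"
        set dstintf "Outside_VLAN20"
        set srcaddr "VLAN20_NET"
        set dstaddr "VLAN10_NET"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
    # Policies are matched top-down and 1/2 already accept any destination on
    # the same interface pair, so the specific inter-VLAN policies go first.
    move 3 before 1
    move 4 before 2
end
```

The two move commands at the end matter: without them the VLAN10-to-VLAN20 traffic would be accepted by policy 1 and the logs and debug flow would never show policy 3. Keeping the catch-all Internet policies below the specific ones also means an inter-VLAN rule can later be tightened (services, schedule) without touching Internet access.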





V. Verification

Topology 1: single VLAN10 transparent pass-through:

A PC in VLAN10 reaches the Internet through the transparent-mode FortiGate:






Topology 2: multi-VLAN (10/20) transparent pass-through and inter-VLAN access:

A PC in VLAN20 reaches the Internet:




A PC in VLAN10 reaches a PC in VLAN20:



FortiGate_Transparent # diagnose sniffer packet any "host 192.168.20.10 and icmp" 4
interfaces=[any]
filters=[host 192.168.20.10 and icmp]
6.970084 Inside_VLAN10 in 192.168.10.10 -> 192.168.20.10: icmp: echo request
6.970111 Outside_VLAN10 out 192.168.10.10 -> 192.168.20.10: icmp: echo request
6.970114 port2 out 192.168.10.10 -> 192.168.20.10: icmp: echo request

6.970623 Outside_VLAN20 in 192.168.10.10 -> 192.168.20.10: icmp: echo request
6.970642 Inside_VLAN20 out 192.168.10.10 -> 192.168.20.10: icmp: echo request
6.970643 port1 out 192.168.10.10 -> 192.168.20.10: icmp: echo request

6.971737 Inside_VLAN20 in 192.168.20.10 -> 192.168.10.10: icmp: echo reply
6.971753 Outside_VLAN20 out 192.168.20.10 -> 192.168.10.10: icmp: echo reply
6.971754 port2 out 192.168.20.10 -> 192.168.10.10: icmp: echo reply

6.972072 Outside_VLAN10 in 192.168.20.10 -> 192.168.10.10: icmp: echo reply
6.972078 Inside_VLAN10 out 192.168.20.10 -> 192.168.10.10: icmp: echo reply
6.972080 port1 out 192.168.20.10 -> 192.168.10.10: icmp: echo reply
^C
12 packets received by filter
0 packets dropped by kernel
FortiGate_Transparent #

#diagnose debug flow filter addr 192.168.20.10
#diagnose debug flow filter  proto 1
#diagnose debug flow show console enable
#diagnose debug flow show function-name enable
#diagnose debug flow trace start 10
#diagnose debug enable   

id=20085 trace_id=43 func=print_pkt_detail line=5428 msg="vd-root:0 received a packet(proto=1, 192.168.10.10:1->192.168.20.10:2048) from Inside_VLAN10. type=8, code=0, id=1, seq=247."
id=20085 trace_id=43 func=init_ip_session_common line=5593 msg="allocate a new session-0000244c"
id=20085 trace_id=43 func=br_fw_forward_handler line=577 msg="Allowed by Policy-3:"
id=20085 trace_id=43 func=__if_queue_push_xmit line=393 msg="send out via dev-Outside_VLAN10, dst-mac-aa:bb:cc:00:20:00"

id=20085 trace_id=44 func=print_pkt_detail line=5428 msg="vd-root:0 received a packet(proto=1, 192.168.10.10:1->192.168.20.10:2048) from Outside_VLAN20. type=8, code=0, id=1, seq=247."       
id=20085 trace_id=44 func=resolve_ip_tuple_fast line=5508 msg="Find an existing session, id-0000244c, original direction"
id=20085 trace_id=44 func=br_fw_forward_dirty_handler line=330 msg="Found a reflect session: pro=1, 192.168.10.10/1=>192.168.20.10/8, dev=16->15" // Note the reflect session: when the same ping request enters the firewall a second time (now on Outside_VLAN20) it is not evaluated against a policy again but matched to the reflect session.

id=20085 trace_id=44 func=__if_queue_push_xmit line=393 msg="send out via dev-Inside_VLAN20, dst-mac-50:00:00:05:00:00"
id=20085 trace_id=45 func=print_pkt_detail line=5428 msg="vd-root:0 received a packet(proto=1, 192.168.20.10:1->192.168.10.10:0) from Inside_VLAN20. type=0, code=0, id=1, seq=247."
id=20085 trace_id=45 func=resolve_ip_tuple_fast line=5508 msg="Find an existing session, id-0000244c, reply direction"       
id=20085 trace_id=45 func=br_fw_forward_dirty_handler line=330 msg="Found a reflect session: pro=1, 192.168.20.10/1=>192.168.10.10/0, dev=15->16"
id=20085 trace_id=45 func=__if_queue_push_xmit line=393 msg="send out via dev-Outside_VLAN20, dst-mac-aa:bb:cc:00:20:00"       

id=20085 trace_id=46 func=print_pkt_detail line=5428 msg="vd-root:0 received a packet(proto=1, 192.168.20.10:1->192.168.10.10:0) from Outside_VLAN10. type=0, code=0, id=1, seq=247."
id=20085 trace_id=46 func=resolve_ip_tuple_fast line=5508 msg="Find an existing session, id-0000244c, reply direction"
id=20085 trace_id=46 func=br_ipv4_fast_cb line=68 msg="enter fast path"
id=20085 trace_id=46 func=__if_queue_push_xmit line=393 msg="send out via dev-Inside_VLAN10, dst-mac-50:00:00:04:00:00"

FortiGate_Transparent # diagnose sys session filter proto 1
FortiGate_Transparent # diagnose sys session list
session info: proto=1 proto_state=00 duration=17 expire=43 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=may_dirty br
statistic(bytes/packets/allow_err): org=60/1/1 reply=60/1/1 tuples=2
tx speed(Bps/kbps): 3/0 rx speed(Bps/kbps): 3/0
orgin->sink: org pre->post, reply pre->post dev=13->14/14->13 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 192.168.10.10:1->192.168.20.10:8(0.0.0.0:0)
hook=post dir=reply act=noop 192.168.20.10:1->192.168.10.10:0(0.0.0.0:0)
src_mac=50:00:00:04:00:00
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
serial=00004e96 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
reflect info 0:
dev=16->15/15->16
total reflect session num: 1
total session 1

FortiGate_Transparent # diagnose sys device list root
list virtual firewall root info:
ip4 route_cache: table_size=65536 max_depth=1 used=18 total=18
arp: table_size=8 max_depth=1 used=2 total=2
proxy_arp: table_size=256 max_depth=0 used=0 total=0
arp6: table_size=16 max_depth=2 used=2 total=3
proxy_arp6: table_size=256 max_depth=0 used=0 total=0
local table version=00000000 main table version=00000009
vf=root dev=port1 index=3 vrf=0
vf=root dev=port2 index=4 vrf=0
vf=root dev=port3 index=5 vrf=0
vf=root dev=port4 index=6 vrf=0
vf=root dev=root index=7 vrf=0
vf=root dev=root.b index=11 vrf=0
vf=root dev=Inside_VLAN10 index=13 vrf=0
vf=root dev=Outside_VLAN10 index=14 vrf=0
vf=root dev=Inside_VLAN20 index=15 vrf=0
vf=root dev=Outside_VLAN20 index=16 vrf=0
ses=0/0 ses6=0/0 rt=0/0 rt6=0/0



FortiGate_Transparent # diagnose sniffer packet any "icmp" 4
interfaces=[any]
filters=[icmp]
3.592713 Inside_VLAN20 in 192.168.20.10 -> 192.168.10.10: icmp: echo request
3.592949 Outside_VLAN20 out 192.168.20.10 -> 192.168.10.10: icmp: echo request
3.592953 port2 out 192.168.20.10 -> 192.168.10.10: icmp: echo request

3.596196 Outside_VLAN10 in 192.168.20.10 -> 192.168.10.10: icmp: echo request
3.596315 Inside_VLAN10 out 192.168.20.10 -> 192.168.10.10: icmp: echo request
3.596330 port1 out 192.168.20.10 -> 192.168.10.10: icmp: echo request

3.613463 Inside_VLAN10 in 192.168.10.10 -> 192.168.20.10: icmp: echo reply
3.613534 Outside_VLAN10 out 192.168.10.10 -> 192.168.20.10: icmp: echo reply
3.613537 port2 out 192.168.10.10 -> 192.168.20.10: icmp: echo reply

3.614860 Outside_VLAN20 in 192.168.10.10 -> 192.168.20.10: icmp: echo reply
3.614886 Inside_VLAN20 out 192.168.10.10 -> 192.168.20.10: icmp: echo reply
3.614889 port1 out 192.168.10.10 -> 192.168.20.10: icmp: echo reply

#diagnose debug flow filter addr 192.168.20.10
#diagnose debug flow filter  proto 1
#diagnose debug flow show console enable
#diagnose debug flow show function-name enable
#diagnose debug flow trace start 10
#diagnose debug enable
 
id=20085 trace_id=98 func=print_pkt_detail line=5428 msg="vd-root:0 received a packet(proto=1, 192.168.20.10:1->192.168.10.10:2048) from Inside_VLAN20. type=8, code=0, id=1, seq=107."
id=20085 trace_id=98 func=init_ip_session_common line=5593 msg="allocate a new session-00004fc8"
id=20085 trace_id=98 func=br_fw_forward_handler line=577 msg="Allowed by Policy-4:"
id=20085 trace_id=98 func=__if_queue_push_xmit line=393 msg="send out via dev-Outside_VLAN20, dst-mac-aa:bb:cc:00:20:00"

id=20085 trace_id=99 func=print_pkt_detail line=5428 msg="vd-root:0 received a packet(proto=1, 192.168.20.10:1->192.168.10.10:2048) from Outside_VLAN10. type=8, code=0, id=1, seq=107."
id=20085 trace_id=99 func=resolve_ip_tuple_fast line=5508 msg="Find an existing session, id-00004fc8, original direction"
id=20085 trace_id=99 func=br_fw_forward_dirty_handler line=330 msg="Found a reflect session: pro=1, 192.168.20.10/1=>192.168.10.10/8, dev=14->13"
id=20085 trace_id=99 func=__if_queue_push_xmit line=393 msg="send out via dev-Inside_VLAN10, dst-mac-50:00:00:04:00:00"

id=20085 trace_id=100 func=print_pkt_detail line=5428 msg="vd-root:0 received a packet(proto=1, 192.168.10.10:1->192.168.20.10:0) from Inside_VLAN10. type=0, code=0, id=1, seq=107."
id=20085 trace_id=100 func=resolve_ip_tuple_fast line=5508 msg="Find an existing session, id-00004fc8, reply direction"
id=20085 trace_id=100 func=br_fw_forward_dirty_handler line=330 msg="Found a reflect session: pro=1, 192.168.10.10/1=>192.168.20.10/0, dev=13->14"
id=20085 trace_id=100 func=__if_queue_push_xmit line=393 msg="send out via dev-Outside_VLAN10, dst-mac-aa:bb:cc:00:20:00"

id=20085 trace_id=101 func=print_pkt_detail line=5428 msg="vd-root:0 received a packet(proto=1, 192.168.10.10:1->192.168.20.10:0) from Outside_VLAN20. type=0, code=0, id=1, seq=107."
id=20085 trace_id=101 func=resolve_ip_tuple_fast line=5508 msg="Find an existing session, id-00004fc8, reply direction"
id=20085 trace_id=101 func=br_ipv4_fast_cb line=68 msg="enter fast path"
id=20085 trace_id=101 func=__if_queue_push_xmit line=393 msg="send out via dev-Inside_VLAN20, dst-mac-50:00:00:05:00:00"

FortiGate_Transparent # diagnose sys session filter proto 1
FortiGate_Transparent # diagnose sys session list
session info: proto=1 proto_state=00 duration=10 expire=59 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=may_dirty br
statistic(bytes/packets/allow_err): org=600/10/1 reply=600/10/1 tuples=2
tx speed(Bps/kbps): 55/0 rx speed(Bps/kbps): 55/0
orgin->sink: org pre->post, reply pre->post dev=15->16/16->15 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 192.168.20.10:1->192.168.10.10:8(0.0.0.0:0)
hook=post dir=reply act=noop 192.168.10.10:1->192.168.20.10:0(0.0.0.0:0)
src_mac=50:00:00:05:00:00  dst_mac=aa:bb:cc:00:20:00
misc=0 policy_id=4 auth_info=0 chk_client_info=0 vd=0
serial=00004ff8 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
reflect info 0:
dev=14->13/13->14
total reflect session num: 1
total session 1

FortiGate_Transparent #

Forward-Domain reference:
https://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=FD30083&languageId=

