Skip to main content

Transparent Firewall (IOS) and ZBPF.

I would like to continue working with transparent firewalls and today we try to implement the Zone Base Policy Firewall:

         OUTSIDE     L2 firewall      INSIDE
        [10.0.0.1]                   [10.0.0.3] 
          /----\        /----\         /----\ 
         |  R1  |------|  R2  |-------|  R3  |
          \----/      / \----/ \       \----/ 
                gig0/0.10   gig0/1.20  
                      icmp, telnet

                      <---------

R2 - firewall is not enabled:
 
bridge irb
!
bridge 1 protocol ieee
!
interface GigabitEthernet0/0
 no sh
!
interface GigabitEthernet0/0.10
 encapsu dot 10
 no ip address
 bridge-group 1
!
interface GigabitEthernet0/1
 no sh
!
interface GigabitEthernet0/1.20
 encapsu dot 20
 no ip address
 bridge-group 1
!
no ip routing
!

R2 is configured as the L2 device and it doesn’t do any traffic control:
 
r1#ping 10.0.0.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
r1#telnet 10.0.0.3
Trying 10.0.0.3 ... Open


Password required, but none set

[Connection to 10.0.0.3 closed by foreign host]
r1#

r3#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r3#telnet 10.0.0.1
Trying 10.0.0.1 ... Open
C
 ***********************************************************************
 *  Warning Notice:                                                    *
 *    PLEASE after you finish load DEFAULT_config.txt                  *
 ***********************************************************************


Password required, but none set

[Connection to 10.0.0.1 closed by foreign host]
r3#


Now we implement the ZBPF with icmp and telnet inspection. Traffic should be allowed only from R3 to R1, but R1 can’t initiate any traffic.
 
 
class-map type inspect match-all ZBFW-CLASS
 match protocol icmp
 match protocol telnet
!
!
policy-map type inspect ZBFW-POLICY
 class type inspect ZBFW-CLASS
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect ZBFW-POLICY
!
interface GigabitEthernet0/0.10
 zone-member security OUTSIDE
!
interface GigabitEthernet0/0.20
 zone-member security INSIDE
!

r2#sh policy-map type inspect zone-pair sessions 

policy exists on zp INSIDE-OUTSIDE
 Zone-pair: INSIDE-OUTSIDE

  Service-policy inspect : ZBFW-POLICY

    Class-map: ZBFW-CLASS (match-all)
      Match: protocol icmp
      Match: protocol telnet

   Inspect

    Class-map: class-default (match-any)
      Match: any 
      Drop
        0 packets, 0 bytes
r2#

Let’s try send traffic:

a) inside->outside:
 
r3#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r3#


Let’s check what is doing the inspection engine:
 
 
r2#debug ip inspect L2-transparent packets 
INSPECT L2 firewall debugging is on
r2#
*Apr 15 22:19:21.793: L2FW:insp_l2_flood: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:21.793: L2FW: FLOOD number of i/fs in bridge-group is exactly 2. Calling Inspection
*Apr 15 22:19:21.793: L2FW:insp_l2_inspection: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:21.793: L2FW*:Src 10.0.0.3 dst 10.0.0.1 protocol icmp
*Apr 15 22:19:21.793: TBAP: Check AuthProxy is configured on idb=GigabitEthernet0/1.20 path=0 linktype=38
*Apr 15 22:19:21.793: L2FW:Input ACL not configured or the ACL is bypassed
*Apr 15 22:19:21.793: L2FW:Output ACL is not configured or ACL is bypassed
*Apr 15 22:19:21.793: L2FW:Inspection is not configured on input or output interface.
*Apr 15 22:19:21.793: L2FW:fw_inspection_wrapper returned TRUE.Drop the packet
*Apr 15 22:19:21.793: L2FW: Packet dropped by inspection
*Apr 15 22:19:23.793: L2FW:insp_l2_flood: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:23.793: L2FW: FLOOD number of i/fs in bridge-group is exactly 2. Calling Inspection
*Apr 15 22:19:23.793: L2FW:insp_l2_inspection: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:23.793: L2FW*:Src 10.0.0.3 dst 10.0.0.1 protocol icmp
*Apr 15 22:19:23.793: TBAP: Check AuthProxy is configured on idb=GigabitEthernet0/1.20 path=0 linktype=38
*Apr 15 22:19:23.793: L2FW:Input ACL not configured or the ACL is bypassed
*Apr 15 22:19:23.793: L2FW:Output ACL is not configured or ACL is bypassed
*Apr 15 22:19:23.793: L2FW:Inspection is not configured on input or output interface.
*Apr 15 22:19:23.793: L2FW:fw_inspection_wrapper returned TRUE.Drop the packet
*Apr 15 22:19:23.793: L2FW: Packet dropped by inspection
*Apr 15 22:19:25.793: L2FW:insp_l2_flood: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:25.793: L2FW: FLOOD number of i/fs in bridge-group is exactly 2. Calling Inspection
*Apr 15 22:19:25.793: L2FW:insp_l2_inspection: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:25.793: L2FW*:Src 10.0.0.3 dst 10.0.0.1 protocol icmp
*Apr 15 22:19:25.793: TBAP: Check AuthProxy is configured on idb=GigabitEthernet0/1.20 path=0 linktype=38
*Apr 15 22:19:25.793: L2FW:Input ACL not configured or the ACL is bypassed
*Apr 15 22:19:25.793: L2FW:Output ACL is not configured or ACL is bypassed
*Apr 15 22:19:25.793: L2FW:Inspection is not configured on input or output interface.
*Apr 15 22:19:25.793: L2FW:fw_inspection_wrapper returned TRUE.Drop the packet
*Apr 15 22:19:25.793: L2FW: Packet dropped by inspection
*Apr 15 22:19:27.793: L2FW:insp_l2_flood: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:27.793: L2FW: FLOOD number of i/fs in bridge-group is exactly 2. Calling Inspection
*Apr 15 22:19:27.793: L2FW:insp_l2_inspection: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:27.793: L2FW*:Src 10.0.0.3 dst 10.0.0.1 protocol icmp
*Apr 15 22:19:27.793: TBAP: Check AuthProxy is configured on idb=GigabitEthernet0/1.20 path=0 linktype=38
*Apr 15 22:19:27.793: L2FW:Input ACL not configured or the ACL is bypassed
*Apr 15 22:19:27.793: L2FW:Output ACL is not configured or ACL is bypassed
*Apr 15 22:19:27.793: L2FW:Inspection is not configured on input or output interface.
*Apr 15 22:19:27.793: L2FW:fw_inspection_wrapper returned TRUE.Drop the packet
*Apr 15 22:19:27.793: L2FW: Packet dropped by inspection
*Apr 15 22:19:29.793: L2FW:insp_l2_flood: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:29.793: L2FW: FLOOD number of i/fs in bridge-group is exactly 2. Calling Inspection
*Apr 15 22:19:29.793: L2FW:insp_l2_inspection: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:29.793: L2FW*:Src 10.0.0.3 dst 10.0.0.1 protocol icmp
*Apr 15 22:19:29.793: TBAP: Check AuthProxy is configured on idb=GigabitEthernet0/1.20 path=0 linktype=38
*Apr 15 22:19:29.793: L2FW:Input ACL not configured or the ACL is bypassed
*Apr 15 22:19:29.793: L2FW:Output ACL is not configured or ACL is bypassed
*Apr 15 22:19:29.793: L2FW:Inspection is not configured on input or output interface.
*Apr 15 22:19:29.793: L2FW:fw_inspection_wrapper returned TRUE.Drop the packet
*Apr 15 22:19:29.793: L2FW: Packet dropped by inspection


It looks like the CBAC is active instead of ZBPF, why ?
 
 
r2#debug policy-firewall L2-transparent 
Policy-Firewall L2 transparent debugging is on
r2#sh policy-map type inspect zone-pair sessions 

policy exists on zp INSIDE-OUTSIDE
 Zone-pair: INSIDE-OUTSIDE

  Service-policy inspect : ZBFW-POLICY

    Class-map: ZBFW-CLASS (match-all)
      Match: protocol icmp
      Match: protocol telnet

   Inspect

    Class-map: class-default (match-any)
      Match: any 
      Drop
        0 packets, 0 bytes
r2#conf t

r2#debug policy-firewall detail ?
  <cr>

r2#debug policy-firewall detail 
Policy-Firewall detailed debugging is on
r2#
*Apr 15 22:36:23.883: FIREWALL: ret_val 0 is not PASS_PAK
*Apr 15 22:36:23.883: FIREWALL: ret_val NO_ACTION, but not valid router traffic .Dropping pak
*Apr 15 22:36:25.879: FIREWALL: ret_val 0 is not PASS_PAK
*Apr 15 22:36:25.879: FIREWALL: ret_val NO_ACTION, but not valid router traffic .Dropping pak
*Apr 15 22:36:27.879: FIREWALL: ret_val 0 is not PASS_PAK
*Apr 15 22:36:27.879: FIREWALL: ret_val NO_ACTION, but not valid router traffic .Dropping pak
*Apr 15 22:36:29.879: FIREWALL: ret_val 0 is not PASS_PAK
*Apr 15 22:36:29.879: FIREWALL: ret_val NO_ACTION, but not valid router traffic .Dropping pak
*Apr 15 22:36:31.879: FIREWALL: ret_val 0 is not PASS_PAK
*Apr 15 22:36:31.879: FIREWALL: ret_val NO_ACTION, but not valid router traffic .Dropping pak


It looks like a bug, I found one similar issue but only for 12.4 IOS, this one is:
 
 
r2#sh ver
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M5, RELEASE SOFTWARE (fc2)

Let’s try tomorrow with different IOS version.


..day later…


 
I reload R2 with the new software: “Version 15.2(1)” and I see exactly the same error messages:

r2_newIOS#debug policy-firewall detail 
Policy-Firewall detailed debugging is on
r2_newIOS#
Apr 16 08:26:03.107: FIREWALL*: ret_val 0 is not PASS_PAK
Apr 16 08:26:03.107: FIREWALL*: ret_val NO_ACTION, but not valid router traffic .Dropping pak
Apr 16 08:26:05.107: FIREWALL*: ret_val 0 is not PASS_PAK
Apr 16 08:26:05.107: FIREWALL*: ret_val NO_ACTION, but not valid router traffic .Dropping pak
Apr 16 08:26:07.107: FIREWALL*: ret_val 0 is not PASS_PAK
Apr 16 08:26:07.107: FIREWALL*: ret_val NO_ACTION, but not valid router traffic .Dropping pak
Apr 16 08:26:09.107: FIREWALL*: ret_val 0 is not PASS_PAK
Apr 16 08:26:09.107: FIREWALL*: ret_val NO_ACTION, but not valid router traffic .Dropping pak
Apr 16 08:26:11.107: FIREWALL*: ret_val 0 is not PASS_PAK
Apr 16 08:26:11.107: FIREWALL*: ret_val NO_ACTION, but not valid router traffic .Dropping pak
r2_newIOS#

r2_newIOS#
Apr 16 08:29:18.911: L2FW*:insp_l2_fast_inspection: pak 308BE9E8, input-interface GigabitEthernet0/0.10, output-interface GigabitEthernet0/1.20
Apr 16 08:29:18.911: L2FW*:Src 10.0.0.1 dst 10.0.0.3 protocol icmp
Apr 16 08:29:18.911: TBAP: Check AuthProxy is configured on idb=GigabitEthernet0/0.10 path=1 linktype=38
Apr 16 08:29:18.911: L2FW:Input ACL not configured or the ACL is bypassed
Apr 16 08:29:18.911: L2FW:Output ACL is not configured or ACL is bypassed
Apr 16 08:29:18.911: L2FW*:IP inspect firewall is not cfged on  input or output interface.PASS
Apr 16 08:29:18.911: L2FW*:CCE FW l2 fast returning INSP_L2_DROP
Apr 16 08:29:20.911: L2FW*:insp_l2_fast_inspection: pak 308BE9E8, input-interface GigabitEthernet0/0.10, output-interface GigabitEthernet0/1.20

During this investigation I discovered one my mistake:
 
interface GigabitEthernet0/0.20
 zone-member security INSIDE

Instead of Gig0/1.20 I added non-existing sub-interface to the INSIDE zone:
 
r2#sh run int gig0/0.20
Building configuration...

Current configuration : 87 bytes
!
interface GigabitEthernet0/0.20
 zone-member security INSIDE
 no ip route-cache
end

r2#sh run int gig0/1.20
Building configuration...

Current configuration : 98 bytes
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 1
end

r2#

As we see the sub-interface was added but the Vlan and the bridge group are not specified.
Let’s fix the interface settings:
 
r2#sh run int gig0/1.20
Building configuration...

Current configuration : 127 bytes
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 zone-member security INSIDE
 no ip route-cache
 bridge-group 1
end

r2#

and do some tests:
 
r3#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r3#

r3#telnet 10.0.0.1
Trying 10.0.0.1 ... 
% Connection timed out; remote host not responding

r3#

on the R2 we can see:
 
*Apr 16 08:34:41.575: %FW-6-LOG_SUMMARY: 4 packets were dropped from 10.0.0.3:25987 => 10.0.0.1:23 (target:class)-(INSIDE-OUTSIDE:class-default)
*Apr 16 08:35:13.047: %FW-6-DROP_PKT: Dropping tcp session 10.0.0.3:28705 10.0.0.1:23 on zone-pair INSIDE-OUTSIDE class class-default due to  DROP action found in policy-map with ip ident 0 
*Apr 16 08:35:41.575: %FW-6-LOG_SUMMARY: 4 packets were dropped from 10.0.0.3:28705 => 10.0.0.1:23 (target:class)-(INSIDE-OUTSIDE:class-default)

Why the ping and telnet are processed by the class-default?
 
r2#sh run | s class-map
class-map type inspect match-all ZBFW-CLASS
 match protocol icmp
 match protocol telnet
r2#

ok, as we see the class has wrong parameter: ‘match-all’ - the packet can’t be ‘icmp’ and ‘tcp/23’ at the same time. The correct one should be:
 
!
class-map type inspect match-any ZBFW-CLASS1
 match protocol icmp
 match protocol telnet
!
policy-map type inspect ZBFW-POLICY
 class type inspect ZBFW-CLASS1
  inspect 
 class class-default
  drop log
!

Time for the final test:
 
r3#ping 10.0.0.1  

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
r3#telnet 10.0.0.1
Trying 10.0.0.1 ... Open
C
 ***********************************************************************
 *  Warning Notice:                                                    *
 *    PLEASE after you finish load DEFAULT_config.txt                  *
 ***********************************************************************


Password required, but none set

[Connection to 10.0.0.1 closed by foreign host]
r3#

and now everything works as expected:
 
r2#sh policy-map type inspect zone-pair sessions 

policy exists on zp INSIDE-OUTSIDE
 Zone-pair: INSIDE-OUTSIDE

  Service-policy inspect : ZBFW-POLICY

    Class-map: ZBFW-CLASS1 (match-any)
      Match: protocol icmp
        1 packets, 80 bytes
        30 second rate 0 bps
      Match: protocol telnet
        2 packets, 48 bytes
        30 second rate 0 bps

   Inspect

      Number of Established Sessions = 1
      Established Sessions
        Session 298FB200 (10.0.0.3:55798)=>(10.0.0.1:23) telnet:tcp SIS_OPEN
          Created 00:00:00, Last heard 00:00:00
          Bytes sent (initiator:responder) [27:348]


    Class-map: class-default (match-any)
      Match: any 
      Drop
        13 packets, 592 bytes
r2#

traffic from the outside to the inside is silently dropped:
 
r1#ping 10.0.0.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r1#

as there is no policy map and zone pair with direction OUTSIDE-INSIDE. Be careful when you configure class maps, the default parameter is ‘match-all’.


Labels:

Comments

Post a Comment

Popular posts from this blog

What should you know about HA 'override enabled' setting on Fortigate?

High availability is mandatory in most of today's network designs. Only very small companies or branches can run their business without redundancy. When you have Fortigate firewall in your network you have many options to increase network availability. You can use Fortigate Clustering Protocol ( FGCP ) or Virtual Router Redundancy Protocol ( VRRP ). FGCP has two modes: 'override' disabled (default) and 'override' enabled . I'm not going to explain how to set up HA as you can find many resources on Fortinet websites: https://cookbook.fortinet.com/high-availability-two-fortigates-56/ https://cookbook.fortinet.com/high-availability-with-fgcp-56/ Let's recap what is the main difference between them. The default HA setting is 'override' disabled and this is an order of selection an active unit: 1) number of monitored interfaces - when both units have the same number of working (up) interfaces check next parameter 2) HA uptime - an
8 comments
Read more

MAC Authentication Bypass

One of the method to control your network is using MAB feature. It is helpful in case you have devices without dot1x functionality. Today I will try to implement basic configuration and analyze log messages. There is only one switch SW1 and one device attached to port Fa1/0/2.   ! aaa new - model aaa authentication dot1x default group radius ! ! int Fas1 / 0 / 2 authentication host - mode single - host authentication port - control auto mab ! I haven’t configured ACS yet but let’s see what error message I receive:   SW1 ( config - if ) # mab - ev ( Fa1 / 0 / 2 ): Received MAB context create from AuthMgr mab - ev ( Fa1 / 0 / 2 ): Created MAB client context 0x1100000F mab : initial state mab_initialize has enter mab - ev ( Fa1 / 0 / 2 ): Sending create new context event to EAP from MAB for 0x1100000F ( 0000.0000 . 0000 ) mab - sm ( Fa1 / 0 / 2 ): Received event 'MAB_START' on handle 0x1100000F mab : during state mab_initia
Post a Comment
Read more

Inpection of asymmetric sessions on FortiGate

There is one feature available on FortiGate, and I think you should know it, as it modifies a bit what we know about stateful firewalls. In past every packet was treated individually and you had to create policies in both directions. With stateful firewalls we can track connections, and by checking couple of attributes, we can treat them as part of the same session. For example when you initiate connection from a host1 to host2, the returning connection from host2 to host1 will be treated as part of the same connection (session). They have to have the same source/destination and destination/source IPs, port numbers and interfaces.There is an exception from this rule and FortiGate in some specific cases can accept connections on port which was not used in the initial connection. Let me explain how it works on the below example:      The host1 has a default gateway on R1 (10.0.1.2), but you may notice that it is not the optimal path to host2 subnet. When we analyze the packet flo
1 comment
Read more