-
Using Management Center for Firewalls 1.2
-
Preface
-
Getting Started With Firewall MC
-
Task Flow Checklists
-
Preparing the Firewall MC Environment
-
Managing Activities
-
Preparing Your Network
-
Creating an Inheritance and Grouping Strategy
-
Representing Network Assets in Firewall MC
-
Configuring Device-Level Settings
-
Configuring Routing Rules
-
Defining Your Policy Building Blocks
-
Configuring Access Rules
-
Configuring Translation Rules
-
Manually Defining Rules Using CLI Syntax
-
Generating and Verifying Configuration Files
-
Deploying Configuration Files
-
Monitoring and Reports
-
Configuring VPN Settings
-
Configuring Failover
-
Maintaining your Firewall MC Server
-
Troubleshooting
-
Understanding User Roles and Permissions
-
Index
-
Table of Contents
Configuring Routing RulesLearn More About Routing
Configuring Static Routes
Deleting a Static Route
Static Route Field-Level Elements and Descriptions
Adding or Editing a RIP Rule
Deleting a RIP Rule
RIP Field-Level Elements and Descriptions
Configuring Routing Rules
Routing refers to the delivery of network packets to their destinations over a network. To communicate with a gateway, every network object must have a routing rule defined that permits the network object to reach the gateway, must use the default route, or must use the Address Resolution Protocol (ARP) to find the MAC address of the gateway on the network segment. In addition, the gateway must have a rule defined that permits it to reach the network on which the network object resides or to select the next gateway object in the path.
The firewall devices managed by Firewall MC accomplish routing by using one or more of the following:
- Implicit routes. Implicit routes are static routes based on the networks attached directly to the firewall device. You cannot change or delete these routes. These routes are never specified as part of the device-specific command set that is generated and deployed to a firewall device. In other words, they are not included in the command sets that are generated for a firewall device. They are discussed here to provide the full picture of the routing rules active on a firewall device,
- Static routes. Static routes are manual routes defined by an administrator of a firewall device. Static routes are useful when you need to route to network objects that are not along the default route, when you want to define a preferred route, or when you want to define an alternate route to use if the default route goes down.
- Dynamic routes. Dynamic routes are routes discovered from neighbor gateways via specialized protocols, such as the Routing Information Protocol (RIP). To enable dynamic routes, you must ensure that the gateways in your network also support the same dynamic routing protocol. Otherwise, the routing information will not be propagated automatically. Because dynamic routing rules are updated via router-to-router communications, the dynamic routes can be vulnerable to attack because of the inherent security weakness in some dynamic routing protocols. RIP version 2, which is supported by the firewall devices, provides encrypted communications to lessen the weaknesses of dynamic routing. However, only those devices that support RIP version 2 can participate in authenticated, encrypted sessions.
- Proxy Address Resolution Protocol (ARP). ARP can serve in place of actual routing rules on a per interface basis. When proxy ARP is enabled for an interface, a firewall device answers ARP requests intended for another host. By assuming the identity of the destination host, the firewall accepts responsibility for routing packets to the actual host. If proxy ARP is enabled, hosts on a subnet can reach remote subnets without configuring routing or a default gateway. In addition, the firewall devices can operate using only the implicit routes, which are initialized automatically when an IP address is assigned to an interface in the firewall.
As the administrator of firewall devices, you must determine which method you prefer to use to obtain routing information on your network.
Learn More About Routing
To define rules properly, you must understand how routing works. This section is a high-level discussion about routing network packets and how a gateway selects which routing rule to apply for a specific communication.
 |
Note For this discussion, a network object is a host or consumer of network services. This host has layer 3 (OSI model) intelligence, and it is an endpoint that acts as the initiator or recipient of a network communication. |
Before any network packet can traverse the network from NetObject A to NetObject B, for example, routes must exist for NetObject B on every gateway along the path from NetObject A to NetObject B. Each gateway moves the network packet one step farther down the path, using routing rules to determine the next gateway. The address of the next gateway is the hop IP address. For a network session to occur between NetObject A and NetObject B, the inverse routes must exist on every gateway along the path from NetObject B to NetObject A. The two paths do not have to be symmetric.
Just because a computer exists on your internal networks does not mean that gateways have a routing rule defined for it. If a computer cannot communicate with a gateway, most likely no routing rule is defined to reach that computer (or the computer does not have a routing rule to reach the gateway). Even when the computer resides on your trusted networks, a gateway drops all network packets destined for that computer if a route is not defined directly to that computer or the network on which that computer resides.
Defining routing rules is similar to charting a course of travel. When you look at a map, you can plan an optimal route to a specific destination. When a gateway determines what route to use, it selects the most specific routing rule (based on the highest netmask).
To understand how netmasks are used, consider a gateway that is attached to the 10.0.0.0 network.
Example: Consider two routing rules:
1. address: 10.1.2.0 netmask: 255.255.255.0 gateway: 10.0.0.4
2. address: 10.1.0.0 netmask: 255.255.0.0 gateway: 10.0.0.5
Rule 1 applies for network packets that are destined for the more exclusive 10.1.2.* subnetwork, whereas Rule 2 applies to those network packets destined to the 10.1.*.* subnetwork, but not to the 10.1.2.* subnetwork. For example, Rule 2 would apply to network packets destined for 10.1.3.13, and Rule 1 would apply to network packets destined for 10.1.2.13.
In this example, the most specific netmask value determines which rule to use. This value is selected from the list of available rules that are applicable to the destination address of a network packet.
Because the netmask value in Rule 1 is 255.255.255.0, we know that the first three octets in the address must match when determining whether to apply this routing rule. In Rule 2, we know that only the first two octets must match when determining whether to apply it. Because Rule 1 has three significant octets, it has the highest netmask value. When the gateway receives a network packet destined for a host on the 10.1.2 network, Rule 1 is always applied instead of Rule 2. Rule 1 applies because it is a valid rule for routing the network packet (as is Rule 2) and Rule 1 has a larger netmask value than Rule 2.
Currently, gateways support the concept of classless networks, or Classless Inter-Domain Routing (CIDR). For more information about CIDR, review the Request for Comment (RFC) documents 1517, 1518, and 1519 at http://www.rfc-editor.org/rfc-index2.html .
Each gateway actually maintains two sets of routing rules: one set is dynamic and the other is static. The dynamic routing rules are updated by router-to-router communications if such protocols are enabled.
Configuring Static Routes
A static route is a routing rule that is configured explicitly and entered into the routing table of the firewall device. The Static Route feature allows you to define static routes for a specified interface. To enter a default route, set the destination IP address and mask to 0.0.0.0.
|
Note Routes are displayed in the "best-match" order. Routes with larger mask bit counts appear first. This follows the running order on the firewall device. |
Adding or Editing a Static Route
Unless one of the following criteria is met, you should define a static route to ensure that the firewall device correctly forwards network packets it receives:
- Proxy ARP is enabled for the interface to discover the routes. By default, proxy ARP is enabled. See Configuring Proxy ARP Settings.
- Dynamic routing (RIP) is enabled for the interface to discover the routes.
- A more general static route, such as the default route, is already defined.
You can also use a static route to override any dynamic routes that are discovered for this host or network by specifying a static route with a lower metric than the discovered dynamic routes. To create a static route for a host or network, you must define the IP address and metric for the hop gateway to which the firewall will forward packets destined to the selected host or network. You can also define multiple static routes for a host or network.
Step 1 Select Configuration > Device Settings > Routing > Static Route.
The Static Route page appears.
Step 2 Do one of the following:
Step 3 In the Interface Name list, select the interface that is expected to receive the traffic that you want to route. The wizard displays a list of all interfaces defined at the current scope.
Step 4 Enter the address of the network or host to which you are routing in the Destination IP Address field.
Because routes to all directly connected networks are derived automatically, this value identifies an address of a network that is not directly connected to one of the firewall device's network interfaces.
Use 0.0.0.0 to specify a default route. The default route is used when a packet is destined for a network that is unknown to the firewall device receiving that packet. In this case, all traffic is forwarded to the gateway IP address that is specified in Step 6.
Step 5 To specify the network mask that corresponds to the object specified in the Destination IP Address field, enter that value in the Destination IP Mask field.
Use 0.0.0.0 to specify a default route mask.
Step 6 To specify the default gateway (or the next hop gateway) that forwards any network packets destined to this network or host, enter the new IP address in the Gateway IP Address field.
If the static route uses the IP address from one of the firewall device's interfaces as the gateway IP address, the firewall uses ARP to locate the destination IP address in the packet instead of using ARP to locate the gateway IP address. In this case, the firewall device is the last hop.
Step 7 Verify the metric setting is correct.
The metric setting identifies the expense of the route. Values are 1-15. The default is 1.
Step 8 Click Next.
The static route summary page appears. Settings enabled during the configuration process are displayed as true in the summary page.
Step 9 Verify the information is correct, then click Finish.
Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
Deleting a Static Route
If you enable dynamic routing or chose to use another solution, such as proxy ARP, you might find it necessary to delete a previously defined static route. However, before you delete a static route, ensure that the traffic is addressed using another routing solution or via a more general routing rule, such as a default route. Otherwise, network traffic will be interrupted.
Step 1 Select Configuration > Device Settings > Routing > Static Route.
The Static Route table appears.
Step 2 Select the check box for the row, then click Delete.
You are prompted to confirm the delete request.
Step 3 Click OK.
The row is removed from the table, and the information is removed from the assigned firewall device configuration files when the files are deployed.
Static Route Field-Level Elements and Descriptions
|
Configuring RIP
Routing Information Protocol (RIP) is a distance-vector, intradomain routing protocol. When this feature is enabled, the firewall devices exchange RIP broadcasts with neighbor devices to learn about and advertise route updates. In other words, dynamic routing is enabled on the firewall.
RIP works well in small, homogeneous networks. However, in larger, more complex internetworks it has many limitations. These limitations include a maximum hop count of 15, lack of support for variable-length subnet masks (VLSMs), inefficient use of bandwidth, and slow convergence. The default configuration enables IP routing table updates from RIP broadcast packets received from neighbor routers and other devices; however, the firewall device cannot pass RIP updates between its own interfaces.
The firewall devices support both RIP version 1 and version 2. Version 2 supports VLSMs, and it enables neighbor authentication and can protect the RIP packets using MD5-based encryption. When configured, neighbor authentication occurs whenever routing updates are exchanged between neighboring devices. This authentication ensures that the device receives reliable routing information from a trusted source.
You should configure any firewall device for neighbor authentication if that device meets all of these conditions:
RIP Version 2 Important Notes
- The key and key ID must be the same as those used by neighbor devices that provide RIP version 2 updates.
- In passive mode, PIX Firewall version 5.3 and later accepts RIP version 2 multicast updates with an IP destination of 224.0.0.9. This address is also valid for FWSM.
- In the RIP version 2 default mode, the firewall device transmits default route updates using an IP destination of 224.0.0.9.
- When RIP version 2 is configured, it registers the multicast address 224.0.0.9 on the respective interface to accept multicast RIP version 2 updates.
- When the RIP version 2 commands for an interface are removed, the multicast address is unregistered from that interface.
Adding or Editing a RIP Rule
For each interface in a firewall device, you can define one or more RIP rules.
Step 1 Select Configuration > Device Settings > Routing > RIP.
Step 2 Do one of the following:
The Create RIP Rule page appears.
The Create RIP Rule page appears.
Step 3 Select the interface name from the list.
Step 4 Select the action for each interface. Options are:
Step 5 Select the version of RIP (1 or 2) enabled for this interface.
|
Note |
- We recommend version 2.
Step 6 Click Next.
Step 7 To configure RIP authentication:
|
Note Although supported, plain text authentication is not recommended for use as part of your security strategy. Its primary use is to avoid accidental changes to the routing infrastructure. Using MD-5 authentication, however, is a recommended security practice. |
b. Enter the authentication key shared with routers and other RIP version 2 devices communicating with a firewall device. The key is an encrypted text string with a maximum of 16 characters.
 |
Tip As with all keys, passwords, and other security secrets, it is imperative that you closely guard authentication keys used in neighbor authentication. The security benefits of this feature rely on your keeping all authenticating keys confidential. |
c. Enter the key identification number that must be shared with routers and other version 2 devices communicating with a firewall device. Values are 1-255.
The RIP summary page appears. Settings enabled during configuration are displayed as true in the summary page.
Step 8 Verify the information is correct, then click Finish.
Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
Deleting a RIP Rule
If you prefer to use static routes or another solution, such as proxy ARP, you might find it necessary to delete a previously defined RIP route. However, before you delete a RIP route, ensure that the traffic is addressed using another routing solution or via a more general routing rule, such as a default route. Otherwise, network traffic will be interrupted.
Step 1 Select Configuration > Device Settings > Routing > RIP.
Step 2 Select the check box for the row, then click Delete.
You are prompted to confirm the delete.
Step 3 Click OK.
The row is removed from the table, and the information is removed from the assigned firewall device configuration files when the files are deployed.
RIP Field-Level Elements and Descriptions
|
Configuring Proxy ARP Settings
When the proxy Address Resolution Protocol (ARP) feature is enabled, a firewall device answers ARP requests intended for another host. By assuming the identity of the destination, the gateway accepts responsibility for routing packets to the actual destination. When proxy ARP is enabled, hosts on a subnet can reach remote subnets without configuring routing or a default gateway.
The main advantage of using proxy ARP is that firewall devices can enable it and be inserted into the network without disturbing the routing tables of other routers. In addition, you should enable proxy ARP when network hosts are not configured with default gateway information or have no routing intelligence, such as that provided by standard DHCP or WINS configurations.
When proxy ARP is enabled, hosts are unaware of the network and assume that any destination can be reached by sending an ARP request. Therefore, proxy ARP has the following disadvantages:
- ARP traffic on the network segment increases.
- Hosts require larger ARP tables to handle IP-to-MAC address mappings.
- Security can be undermined. A host can claim to be another in order to intercept packets, an act called "spoofing."
- It does not work for networks that do not use ARP for address resolution.
- It does not generalize to all network topologies (for example, more than one router connecting two physical networks).
Disabling Proxy ARP
For each interface in a firewall device, you can enable or disable proxy ARP. By default, all interfaces have proxy ARP enabled.
Step 1 Select Configuration > Device Settings > Routing > Proxy ARP.
Step 2 Select the check box(es) if you want to disable the Proxy ARP feature for the inside or outside interface at the current scope.
Step 3 Click Apply.
Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
Proxy ARP Field-Level Elements and Descriptions
|