Fortinet NSE4_FGT-7.2 — FortiGate Firewall — Section 1: FortiGate Firewall V6.4 1 Part 20
25. Lecture-25: FortiGate Firewall Policies Theory.
Firewall policies: what a policy is, how we apply one in the FortiGate firewall, and how the firewall evaluates it.
So, what does policy mean? If you have worked with any other firewall, you know the idea is the same; in FortiGate it is called a firewall policy.
So, on every firewall you will see policies. Basically a security policy, a firewall policy, is nothing but a rule to accept or deny someone's traffic. You can create a policy, disable a policy, create a deny policy and create an allow policy. These policies are basically rules, either to deny someone or to accept someone, for the traffic which is hitting the firewall. It can be from outside to inside, it can be from inside to outside, and it can be from the DMZ. These policies are checked from top to bottom, you know, from top to bottom.
So, we implement policies in the FortiGate firewall to control the traffic, to manage the traffic. In a policy we can even put a schedule, the timing: the date and time when it applies. The policies are checked from top to bottom, and once a rule is hit, the firewall does not check anything further down. If a match is found, the action you mentioned in that policy fires, and the match can be on anything: incoming interface, outgoing interface, source address, source user, source device, destination address, destination services, schedule time.
So, many things can be checked. At the end there is an implicit deny, so if the firewall checks from top to bottom and nothing is found, in the end the traffic will be denied and dropped automatically. There is one rule which is there by default in FortiGate: it will deny everything implicitly, and you cannot delete that policy. It is the firewall's protection: it checks the policies from top to bottom, and if nothing matches, the traffic will not go through the firewall. It will not proceed.
So, this is called a policy, which is our rule and regulation that we put in the firewall to tell the firewall what to do. It is like a rule: if anybody matches this rule, we either deny them or allow them. It can be denied or it can be allowed; it's up to you.
So, these are called firewall policy rules. Now, in this firewall policy there are many parameters, as I told you.
Some parameters are: the incoming interface, from which the traffic will come in. It can be a logical interface as well (a VLAN, for example), which we will see later in the course, and it can be a physical interface. Then the outgoing interface, from which the traffic will go out. You have to mention that as well.
So, when you are creating rules, you have to fill in these parameters: from which interface the traffic will come, from which interface the traffic will go out, what will be the source IP address, what will be the source user, what will be the source device, what will be the destination address. In the destination you can also put Internet services, which is an advantage.
So, if you want to allow someone to Facebook, there is an Internet Services database and you don't need to type IP addresses; Facebook is built in. These are the parameters to create policy rules. Then there is the schedule parameter. You can put a restriction, for example that the Internet is only allowed from eight to five in an office, and not after hours or in the lunch break.
So, you can create a schedule, which we will see.
So, only at that specific time will the policy fire; otherwise it will not work. Then you can put services, services like port numbers: HTTP, TCP, UDP and so on, of which we know there are many, as I told you many times.
So, these are the parameters the policy will check: the source, the destination, which you will see in the GUI, then the services. Incoming interface, outgoing interface, source address, source user, source device, destination. These are the parameters, and there is also the name of the policy, as you will see later on. If you give a policy a good name, it will be easier to troubleshoot. The incoming interface is from where the traffic will come, the outgoing interface is where the traffic will go out. It can be LAN to WAN, it can be LAN to DMZ, it can be WAN to LAN, it can be WAN to DMZ, it can be DMZ to LAN. It can be a logical interface or a zone. For each pair you have to create a different policy, or else you have to combine the interfaces, which we will see as well.
So, the source is from where the traffic will come: a source address, a source user, or an Internet service as well. The destination again can be an address or an Internet service. The schedule "always" means it is always on, and you can create your own schedule here.
So, at the specific time it will be allowed, and there is "none" as well, which means it will not be allowed at any time. Then services: TCP, UDP and so on, so you can restrict someone to use only SSH, for example.
So, then there is the action: accept or deny. The green one is accept, and the red one means you want to deny them. Then there is the inspection mode, which we will do later on.
So, these are the policy parameters to create a policy. Okay, it's better to go there and see the rest there.
So, definitely give the name, the incoming and the outgoing interface; I already told you this. When you have created the policies, there are two ways to view them. One is Interface Pair View. What does pair mean? The policies will be grouped in pairs: LAN to WAN, LAN to LAN, LAN to DMZ, and at the end the implicit deny. So they are categorized in pairs: LAN to WAN is one pair, LAN to DMZ will be another pair.
So, the policies are categorized by pair.
So, this one is Interface Pair View, and the other is By Sequence view. It's up to you which one you want to use to see the policies; if you have many policies and you only need one pair, pair view is easier.
So, basically you view it by interface pair.
So, it will be easy for you to find the policy. And there is By Sequence: it is written by sequence number, like one, two, three, four, five and so on. In pair view it is divided: LAN to WAN is one pair, WAN to LAN is another, LAN to DMZ is different; it is categorized by pair. But here, in By Sequence, it is all in one list.
So, this is the sequence number, and these are the parameters; when we create a policy a bit later you will see them. The ID and the name of the policy; "from" means the source interface, "to" means the destination interface; then there are source addresses, either a user, either a device type, either a MAC address. Destination means the destination address, then the schedule if you want one, and the services means which services you allow: HTTP, SSH, TCP and so on. Then the action, accept or deny, and at the end there is the implicit deny. Then NAT, which we will do. And security profiles, which we will do separately: if you want to put inspection on the policy, antivirus, web filter and so on, against worms and Trojans.
So, then you have to add a security profile in the policy. Then in the policy view we can remove columns, we can add and customize columns, you can filter the columns, we can copy and paste a rule, which makes it easy for you. To edit a policy you can double click it or right click it, so you have many ways to do it. You can search the policies by source interface, source, destination, and there is Policy Lookup. And you can combine many interfaces as well; by default only one interface is allowed per policy. I will show you in the lab; this is just to show you theoretically.
So, then you can combine more than one interface.
So, when you combine more than one interface, then there will be no pair view, which we studied: Interface Pair View basically means LAN to WAN, LAN to DMZ, WAN to LAN.
So, when you combine many interfaces, then this thing will be disabled, it will be greyed out. Why? Because now you have combined them and there is no single pair.
So, how would it make pairs? It does not make sense, so keep that in mind. Anyway, I will show you in the lab.
So, you can combine interfaces in one policy as well, but you have to enable this feature; the feature is Multiple Interface Policies. Then you can combine them. And you can search policies; if you have many policies you can search here as well. And there is a policy menu as well: when you right click there is a whole menu, copy the policy, paste the policy, the same things which you can do from the top bar, and it will allow you to delete the policy. You can do the same things from here as well. And definitely there is the implicit deny which cannot be deleted. The conclusion: from top to bottom, if nothing matches, the traffic will hit this policy and it will be dropped, because there is a deny.
So, let's go to the lab first. Let me show you there, then we will do it practically.
So, from here, let me take one firewall. Okay, and what else do I need? I need one cloud, and I think it's better to take a switch as well. Okay, let me take a switch here and let me connect them. Okay, and let me connect port1 to the cloud and the other port to the switch, and let me power on the firewall. We will configure port1 and port2. These are my LAN side PCs, PC1 and PC2, okay? If you want to make them more beautiful and simple, just grab them and make them in line. Okay, now I need to assign an IP scheme, by the way.
So, what I will use on this side is the NAT cloud. It will assign the IP automatically; whatever you are using in your case, it will be different. In my case this is the 114 network, and this side will be assigned from it. On the LAN side I will assign one IP to PC1 and another to PC2, and the gateway will be the IP address of the FortiGate firewall. Right click on the PC to edit its configuration; then copy the configuration from PC1, right click on PC2 to edit, paste it, and just change the last digit. Because we changed the configuration, you need to stop the PC and start it again, otherwise it will not take the IP. Now start them.
So, IPs have been assigned on this side, and this is our Internet. Okay, this is port1 and this is port2. What I need to do: right click on the firewall and open the console. We will use port1 for management, because, as you know, you can connect a PC and make it the management port, but that is a difficult task, so it's better to use the WAN link for management purposes as well; my WAN interface also gets its IP automatically. Okay, and now let's see the IP address. The username is admin and there is no password at first; it asks you to set one, so I put 123, 123. You can put any password; I'm always using 123 or 1234. Then "system interface" and a question mark, so it will show you the IP, because by default on port1 there is DHCP. Then put that IP in your browser with HTTPS.
So, this will be the login. Okay, admin and then 123. It will ask you to change the name, so let's change it before it asks again.
So, FG is my username, and this is the name of this device. First things first, which we always do: start from the name, then go to the interfaces. These are my interfaces; right now I'm only using two. Click on port1. Okay, and give it a good name, an alias like WAN, and keep the IP on DHCP. You can also put it in a zone later; management access has been enabled on it, so "WAN" is the name for this one.
So, at least we know this interface is for WAN purposes. Okay, now the second thing: port2, which is connected to the switch. Give it the alias LAN and a static IP address in the 192.168.100.0 network, which we decided for the LAN side, and mark ping and HTTPS for administrative access. Now these are the two interfaces which we need to configure. The second thing we always do is configure DNS: specify 8.8.8.8 and 1.1.1.1 and apply. The third thing, which we already discussed in detail, is how the traffic will flow out: a static route to 0.0.0.0/0, which means anything, with the gateway 192.168.114.x, the one I took from my NAT cloud, as I told you. In your case it will be different; in my case it is 114, and when you click here the outgoing interface for this route is port1, the WAN. Okay, now coming to our heart, which is the third part: to allow something. Go to Policy & Objects, there is IPv4 Policy, and this is our today's topic. There is a default policy there now: everything is being denied by it. If I try from here to the Internet, it is not working, because everything is hit by this policy, the implicit deny. Otherwise we have the interfaces, we have the routing, but when the traffic comes, there is the implicit deny: all sources, all destinations, always, all services, action deny, no security profile, log disabled.
So, here we have the parameters. This is the IPv4 Policy page, and there is Create New to create a new policy. If you want to edit the implicit deny policy, there are only a few things you can do in it: when you double click it, the only thing you can enable is Log Violation Traffic, to log the violation traffic. It is the only thing you can do here.
So, I enable the log to be able to see here whether this policy is being hit.
So, logs will be generated and I will see them in the GUI.
So, this is the only thing; you cannot delete it. If I click Delete on this one, the implicit one, it will not be deleted. Then there is Policy Lookup, which we will see a bit later: if you have many policies and you want to search whether a policy for a specific IP exists or not.
So, if you want to search, I will show you a bit later. And this is the Interface Pair View, and there is By Sequence, which I told you. Now, let's create the rules, then we can see. Click on Create New, and these are all the parameters which I showed you. First things first, it is asking you to give a name to the policy.
So, I set the name LAN to WAN. It's up to you what name you want to give; it can be anything, a combination of letters and words. Now it's asking me from where the traffic is coming. Definitely the traffic is coming from LAN.
Sorry. That's why I gave it that name, you know, LAN to WAN.
So, I told it that the traffic will come from LAN and it will go to WAN, because it will exit from this side.
So, who will be the source? Later on I will show you a single IP, a subnet, a MAC address and many other things you can put here. But right now: it can be an address, it can be a user, it can be an Internet service. Address means different addresses; it can be "all", which is 0.0.0.0/0, anything. I can create my own as well: I can create a single address, a subnet, a range, a dynamic address, a device MAC address, which I will show you a bit later.
So, the source is "all", meaning anyone from LAN. Now it is asking me the destination.
So, same thing: where do they want to go? Do you want to allow them only to Facebook? These are the Internet services, the most famous ones. Or do you want to allow them to anything? Then "all", which is what we do for now. Schedule means when: "always" means at all times; if you click here, you see the start time 00:00 and the end time. There are different entries for the schedule, one-time and recurring, which you can choose, and "none" means it will be stopped. And you can create a new one as well, for the time in which this policy has to work: give it a name, change the color if you want. A one-time schedule has a start date and time and an end date and time. Recurring means again and again: give it a name, change the color, select the days, Monday, Tuesday, whichever you want, or all day, and put the start time and end time and apply. So you can restrict the policy by time as well. Then services, which I told you: these are ports like ICMP, TCP, HTTP; you can choose which services.
So, on the inside LAN, if I give them only HTTP, when somebody tries to reach an HTTPS site it will fail, because the policy says anybody from LAN going to WAN can be the source, but the only service allowed is HTTP, so it will not work.
So, you can put restrictions here. Then definitely the action: I want to allow everything. Inspection mode we will do a bit later, maybe tomorrow, in more detail.
So, NAT: enable it to translate the inside IP to the outgoing interface address, and you can keep Use Outgoing Interface Address for this one. Also forget about security profiles, which we will do later: antivirus, web filter, IPS and so many things you may want to enable. Then the logging options: there are two, Security Events and All Sessions. If you say Security Events only, it will show only the logs where a security profile blocked something, but I need all the logs today so that I can show you from here.
So, that's why I enable All Sessions logs. And if you want session start logs as well, you can enable that one, which we will do later on. You can also put a comment, like "LAN to WAN for the Internet". This policy is for the Internet, and definitely I want to enable this policy; if it is disabled, it will be created but it will not work. Okay, the policy is created. Now look at this pair, LAN to WAN. If I create a new one, LAN to LAN, it will be another pair. Let me do another simple one, LAN to LAN: source anything, destination anything, services anything, just to show you. No need for logs; it is just to show you something.
So, now LAN to LAN is a new pair, because we are in Interface Pair View: LAN to WAN is one pair, LAN to LAN is another pair. Okay, and the implicit deny is the last one. If I create a new one, suppose WAN to LAN, and so on, it will be another pair: LAN to LAN, LAN to WAN, WAN to LAN. If I click on By Sequence, it will change: now it is by sequence number, one, two, three, and ID 0, the implicit deny, is at the end. From top to bottom it will check, and you can drag a policy up or down in this view. And there is a small gear icon when you click here; it shows the columns: sequence number, ID, name of the policy, source interface, destination interface, source, destination, schedule, service, action, NAT, security profiles. If you need more information, you can click on this one.
So, if you select the Users column and apply, then you will see the users as well. You can remove columns as well from here if you don't need any column, like Comments or Logs; if you don't want to see it, just unselect it and apply. And you can add many things, Hit Count, Bytes and so many other columns; apply, and now you see the ones I enabled.
So, what you can do, you can say Reset Table to Default. It will make it like the default: everything you added is gone and only the default columns are there.
So, you can use Reset Table and then Best Fit Columns; it will make the columns fit. If I make a huge space and click this one, it will adjust them. Now you can edit the policies from here: double click, or right click and Edit, and let me edit this policy. Suppose I want to change the name, rename it.
So, I edited this name, LAN to LAN. Suppose I want to edit this one, there is a small pencil icon when you hover; click on it and you can edit it in place if you need to. And there is another way: right click and Edit, or double click on this policy again and it will open here. Okay.
So, these are the ways to edit a policy. Now, there is a filter, a small filter icon. If you want to filter by name, suppose you apply a name filter, it will show only the policies matching that name, only the LAN to WAN policy, because I filtered by LAN to WAN. If I remove it, it will show everything; the filter is cleared. So you can filter. You can search as well: suppose you search for anything with "WAN", it will highlight it in yellow to show you any policy containing it. So you can filter and search here as well; this one is search, by the way, not filter. Again, Interface Pair View and By Sequence, and this is the sequence number again. You can filter here by From, and by Source and Destination as well. If you want to delete any policy, select it and click Delete, or right click and there is Delete. You can also disable a policy: right click, Disable; it will not work, and there is an icon as well to show that this policy is disabled. If you want to enable it, right click and Enable. There is a Status column too, Enable/Disable, which you can filter. Copy: if you want to copy the policy, right click Copy, then paste it above this policy or below this policy, and there is also paste below as disabled. You can even insert a policy: suppose you select a policy and say Insert Empty Policy above or below, and give it a name.
So, the empty policy, you know, you give it the name and the parameters. You can reorder them as well, by sequence; and you can do this later on if you want to put them in a group as well. And if you want to see whether this policy is being hit or not and want to see the logs, right click and Show Matching Logs; it will take you to Log & Report, Forward Traffic. No, this policy has not been hit by anyone; let me use the other policy, the one which is LAN to WAN. This LAN to WAN policy, we know it will work because there is NAT. I can go to Wikipedia, or anything, from the LAN PC to Facebook, and if I want to see it, right click on the policy and Show Matching Logs; it will take you there and you will see that this policy is being hit by our inside system, this one. Let me go back to Policy & Objects, IPv4 Policy. Right click, and you can go to Edit, or you can see the logs from here as well. Go there and it will show you the policy used: this policy, LAN to WAN, when I used it. What is the destination? He went to Wikipedia and also he went to Facebook; which application he used, which website. And it will show you the session details, which is similar to what we will discuss anyway; right now our focus is something else. And you can edit the policy from the logs: click on the policy name and it will take you directly to the policy, LAN to WAN.
So, no need to go to Policy & Objects and then IPv4 Policy; just right click on the log and you can go directly to the policy and edit it. Now I want to edit it. And I want to delete this policy as well.
So, we have done some policies. Policy Lookup: suppose I say source interface LAN, IP protocol TCP, protocol number 6, or UDP, which is 17, or something else; source IP is the LAN PC address, and destination, I want to go to some Internet address. Is there any policy which matches this? I want to check.
So, I need to fill in a few things, like the port number, say 80; I forgot it. Anyway, let me put something and check.
So, if there is any policy, you know, it will show you which one: LAN to WAN, this policy matches this traffic. It's a great idea, so you can check the policies. Suppose you want to check for a specific source whether any policy matches it or not; then you can use Policy Lookup. Now coming to the interface pairs: we are again in pair view, one policy, another one. The question is why is Interface Pair View working? It works only when you are using one interface per policy, and I am using one interface per policy. Now, if I edit LAN to WAN, can I add another interface? No, it's not adding; if I select another one it just changes it, because by default only one interface can be there. But if you want, go to System, Feature Visibility; there are many features which are disabled by default. Enable Multiple Interface Policies, "allow the configuration of policies with multiple source and destination interfaces", from System, Feature Visibility, and apply. Now if I go back to Policy & Objects, IPv4 Policy, and create a new policy with any name, I can add many incoming interfaces, LAN, port4, port5, port6, which wasn't possible before, and for the outgoing interface also WAN and anything else. Source any, and I didn't put anything in destination because I want to show you one more thing, and apply. Now you'll see the pair view is not working anymore; only By Sequence is there, because I used many interfaces.
So, the pair has no meaning now, because there it was LAN to WAN; here the situation is different: LAN to WAN, port4 to WAN, LAN to port3 as well, so there is no pair.
So, that's why the pair view has been disabled.
So, in case you find that the pair view is disabled, there are two things: either you are using multiple interfaces in a firewall policy, or you have an any-to-any interface policy. These two cases disable the pair view. Let me tell you this one; that was just to show you in which case this can be disabled. Because now I have this policy, let me delete it, then go to System, Feature Visibility, disable Multiple Interface Policies and apply. And if you go back to Policy & Objects, IPv4 Policy, now the pair view is back. Sometimes you will face this issue. Okay, this is the policy: I showed you from where we can go, Policy & Objects, IPv4 Policy, and create a policy with the interfaces, multiple interfaces, source, destination, action and all those things. And we checked Policy Lookup here.
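As an added example, not code from the lecture or from Fortinet, here is a small Python simulator of what the lecture describes: policies checked from top to bottom, the first match deciding, the implicit deny (ID 0) catching everything else, a Policy Lookup over that table, and the check that decides whether Interface Pair View is possible. The policy table, interface names and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

ALL = ("any", 0)  # service wildcard, like the FortiGate service "ALL"


@dataclass
class Policy:
    policy_id: int
    name: str
    srcintf: list            # incoming interfaces; ["any"] matches everything
    dstintf: list            # outgoing interfaces
    srcaddr: list            # CIDR strings; "0.0.0.0/0" plays the address object "all"
    dstaddr: list
    service: set             # (proto, port) tuples; ALL matches any service
    action: str              # "accept" or "deny"
    days: set = field(default_factory=lambda: set(range(7)))  # 0 = Monday
    start: str = "00:00"     # recurring schedule window; the default is "always"
    end: str = "23:59"
    enabled: bool = True


# Policy ID 0: the implicit deny at the bottom that cannot be deleted.
IMPLICIT_DENY = Policy(0, "Implicit Deny", ["any"], ["any"], ["0.0.0.0/0"],
                       ["0.0.0.0/0"], {ALL}, "deny")


def intf_match(allowed, intf):
    return "any" in allowed or intf in allowed


def addr_match(nets, addr):
    ip = ip_address(addr)
    return any(ip in ip_network(net) for net in nets)


def schedule_match(p, when):
    # Recurring schedule: selected weekdays plus an HH:MM window (string compare is safe for HH:MM).
    return when.weekday() in p.days and p.start <= when.strftime("%H:%M") <= p.end


def service_match(p, proto, port):
    return ALL in p.service or (proto, port) in p.service


def lookup(policies, srcintf, dstintf, src, dst, proto, port, when):
    """Top-to-bottom Policy Lookup: the first enabled policy whose interfaces,
    addresses, schedule and service all match decides the action. If nothing
    matches, the implicit deny (ID 0) is hit, exactly as on the firewall."""
    for p in list(policies) + [IMPLICIT_DENY]:
        if (p.enabled
                and intf_match(p.srcintf, srcintf) and intf_match(p.dstintf, dstintf)
                and addr_match(p.srcaddr, src) and addr_match(p.dstaddr, dst)
                and schedule_match(p, when) and service_match(p, proto, port)):
            return p
    return IMPLICIT_DENY  # not reachable: the implicit deny always matches


def pair_view_available(policies):
    """Interface Pair View only works when every policy has exactly one incoming
    and one outgoing interface and neither of them is 'any' (see the lecture)."""
    return all(len(p.srcintf) == 1 and len(p.dstintf) == 1
               and "any" not in p.srcintf + p.dstintf for p in policies)


# Constructed sample policy table: office-hours Internet access from the LAN,
# plus a LAN-to-LAN policy, like the two policies created in the lecture.
OFFICE_HOURS = dict(days={0, 1, 2, 3, 4}, start="08:00", end="17:00")
POLICIES = [
    Policy(1, "LAN-to-WAN", ["LAN"], ["WAN"], ["192.168.100.0/24"], ["0.0.0.0/0"],
           {("tcp", 80), ("tcp", 443), ("icmp", 0)}, "accept", **OFFICE_HOURS),
    Policy(2, "LAN-to-LAN", ["LAN"], ["LAN"], ["0.0.0.0/0"], ["0.0.0.0/0"],
           {ALL}, "accept"),
]
TUE_10AM = datetime(2024, 3, 12, 10, 0)   # a Tuesday, inside office hours
SAT_10AM = datetime(2024, 3, 16, 10, 0)   # a Saturday, outside the schedule

if __name__ == "__main__":
    cases = {
        "HTTPS to the Internet in office hours": ("LAN", "WAN", "192.168.100.10", "1.1.1.1", "tcp", 443, TUE_10AM),
        "SSH to the Internet (service not in the policy)": ("LAN", "WAN", "192.168.100.10", "1.1.1.1", "tcp", 22, TUE_10AM),
        "HTTP on Saturday (outside the schedule)": ("LAN", "WAN", "192.168.100.10", "1.1.1.1", "tcp", 80, SAT_10AM),
    }
    for label, args in cases.items():
        p = lookup(POLICIES, *args)
        print(f"{label}: policy {p.policy_id} {p.name} -> {p.action}")
    print("pair view available:", pair_view_available(POLICIES))
```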