Fortinet NSE4_FGT-7.2 — FortiGate Firewall — Section 1: FortiGate Firewall V6.4 1 Part 41
56. Lecture-56: Destination NAT, Virtual IP with Central SNAT.
Destination NAT, but this time using central NAT. Destination NAT means the destination address is changed: the firewall rewrites the destination. On FortiGate we call this a Virtual IP (VIP). When you have a server in your data center or in a DMZ and somebody from outside wants to reach it, they hit the public IP. That public IP can be your interface IP or any IP from your range.
So, the firewall translates it to the private IP.
So, that is why we call it destination NAT.
So, we did this last time, without central NAT.
So, what we did last time: we created a virtual IP object and referenced that object as the destination in the policy; the references column shows where it is used. This time we need to enable central NAT.
So, then things change. Let me enable Central SNAT under System > Settings and apply. It says it is applied, but it is not. I need to verify, because sometimes the GUI applies nothing.
So, the reliable way is the CLI: config system settings, set central-nat enable. Here it gives an error that you are still using a virtual IP in a policy. So let me go back and remove the rules that reference the virtual IP, and try again. This time it is enabled. Once central NAT is enabled, the DNAT & Virtual IPs and Central SNAT menus appear.
So, let me refresh and go to Policy & Objects. Without central NAT the menu was called Virtual IPs; now it is called DNAT & Virtual IPs. And now I can no longer reach the server: FTP from outside is not working, because things have changed.
So, first go to DNAT & Virtual IPs. The objects we created last time still exist, so we will reuse them: when traffic comes from outside to the external IP of the VIP, it is translated to the internal server. We also have the second VIP we configured for the FTP server.
So, what is the difference? Let me create a policy. Last time the policy was for traffic coming from WAN to LAN.
So, source any; for the destination, last time we selected the virtual IP here. Does it exist here? Not anymore. Remember in the last lecture we selected the FTP VIP from this list; it no longer shows.
So, it is simply not there.
So, services: keep it simple, ALL. There is nothing else to configure in the policy itself; NAT is handled centrally now. OK.
So, then I go to Central SNAT. Let me remove the old rule we created for source NAT and create a new one for traffic coming from WAN to LAN: source address all, destination address all, NAT using the outgoing interface address. I did not specify anything in particular, just OK. Do you think this will work? The destination is still only 0.0.0.0/0. Let's try it. It is working.
So, let me test with telnet.
So, telnet to the external IP works, and FTP asks for a username and password and works too; I am on R3. Yes, I can access this server over FTP. How do I know the NAT happened? Go to Log & Report > Forward Traffic, as we did last time, and look at the destination NAT fields: yes, 192.168.1.3 has been hit and the VIP has been hit; it shows both 192.168.1.3 and the VIP. Last time we also verified this from the session list (diagnose sys session list).
So, yes, there is 192.168.1.3 and the VIP (not the old session, which expired after a while), the .100 and the .200 entries. But notice that we never referenced these VIP objects anywhere. Last time I said it wrong: I thought we do not need to reference them, but without central NAT you do have to reference the VIP in the policy. Look at DNAT & Virtual IPs: these objects are referenced nowhere. With central NAT the FortiGate takes care of it itself.
So, when traffic comes from WAN to LAN, from any source to any destination, it checks whether a VIP exists for that destination. For example, if I try to reach .200 over HTTP:
So, HTTP to 192.168.114.200 is not working. The policy is there, but the destination IP is not in any virtual IP. If I create one, it starts working automatically. Let's create it: interface any, external IP 192.168.114.200; if somebody hits .200 for web, map it to 192.168.1.3, which is our web server; port forwarding, HTTP only. OK. Now if I refresh, it comes up. How do I know? Log & Report > Forward Traffic shows port 80 to 192.168.1.3 and also the VIP. So just create the VIP and it works automatically. But if central NAT is not enabled, you have to reference the VIP in every policy you want it to apply to; that was my mistake earlier. With central NAT you don't need to touch the policy: the FortiGate checks, top to bottom, is there a policy from WAN to LAN, are the services allowed, and is there a VIP for this destination. You can verify from both places. Now we see port 21 and port 80 to 192.168.1.3. If you want, you can create one for HTTPS as well.
So, let me make R1 an HTTPS server: ip http secure-server, ip http authentication local, and create a user: username admin privilege 15 password 123. Now R1 is ready.
So, on R1, show ip interface brief shows 192.168.1.4. I made it HTTPS. Can somebody reach it from outside now? No, nothing responds until I create a new VIP for it: R1 is HTTPS, external IP 192.168.114.200 (the same one), mapped IP 192.168.1.4, port forwarding, service HTTPS, port 443. Now it will come up, because 443 goes to 192.168.1.4 while 80 goes to 192.168.1.3.
So, let's go back to the browser: https://192.168.114.200 comes up with "your connection is not secure"; proceed, enter the username admin and password 123 we just created, and we are on R1. Execute a command, show ip interface brief; it runs on R1 and shows the output here in the browser.
So, this is destination NAT with central NAT. To finish the topic: you can also do port forwarding with destination NAT when the server runs on some other port. Externally people use 443, but internally the server listens on 4443.
So, people hit you on 443, and the firewall translates 443 to 4443. It checks the VIP and then the policy, so this is also possible with a virtual IP. The purpose is one public IP serving several servers with different ports.
So, I cannot demonstrate it here because the services run on their default ports and I cannot change the port on the router; there is a command, but I do not recall it.
So, from outside they hit 443; when it reaches the firewall, it is translated to the internal port, because the service inside does not run on the default port.
So, this is also possible with destination NAT. That was the topic: how to configure destination NAT in two different ways, with central NAT and without, and there is a big difference between the two.
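The same setup in the FortiOS CLI, as an added example that is not the lecturer's configuration. The interface names (port1 = WAN, port2 = LAN), the external addresses 192.168.114.200 and .201, the 192.168.1.5:4443 back-end for the port-forward case and all object names are assumptions for illustration; 192.168.1.3 (web) and 192.168.1.4 (R1) follow the lecture. Step 1 fails while any policy still references a VIP, which is the error the lecturer hit in the GUI.

```fortios
# 1. Enable central NAT. Remove every policy reference to a VIP first,
#    otherwise this command is rejected.
config system settings
    set central-nat enable
end

# 2. DNAT & Virtual IPs. One external address, different external ports
#    forwarded to different internal servers (assumed addresses).
config firewall vip
    edit "VIP-Web-HTTP"
        set extip 192.168.114.200
        set extintf "port1"
        set portforward enable
        set mappedip "192.168.1.3"
        set extport 80
        set mappedport 80
    next
    edit "VIP-R1-HTTPS"
        set extip 192.168.114.200
        set extintf "port1"
        set portforward enable
        set mappedip "192.168.1.4"
        set extport 443
        set mappedport 443
    next
    edit "VIP-App-4443"
        # Port forwarding to a non-default internal port: clients use 443,
        # the server listens on 4443.
        set extip 192.168.114.201
        set extintf "port1"
        set portforward enable
        set mappedip "192.168.1.5"
        set extport 443
        set mappedport 4443
    next
end

# 3. Inbound policy. In central NAT mode the VIP object is not selectable
#    as dstaddr; use "all" and the FortiGate applies the matching VIP.
#    Keep the service list tight: only the ports the VIPs forward.
config firewall policy
    edit 0
        set name "WAN-to-LAN-VIP"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "FTP"
        set logtraffic all
    next
end

# 4. Source NAT is no longer a checkbox on the policy; outbound LAN->WAN
#    traffic needs a Central SNAT rule instead.
config firewall central-snat-map
    edit 0
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "all"
        set dst-addr "all"
        set nat enable
    next
end

# 5. Verify: Log & Report > Forward Traffic, or from the CLI
#    get system session list
```

Note that without central NAT the equivalent policy would have `set dstaddr "VIP-Web-HTTP" "VIP-R1-HTTPS"` and the VIP would only apply to policies that name it; that is the difference the lecture is about.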
57. Lecture-57: Addresses Objects in FortiGate Firewall.
Address objects. What are address objects? Every time we create a policy, we should be more specific. When somebody goes from LAN to WAN, we always used "all" as the source. "all" is nothing but 0.0.0.0/0, any IP on any interface, which is not good practice: you allow everyone. You should be more specific, create a policy that allows a specific subnet or a specific IP. More control means more policies, but you only allow the specific thing you want. Until now I used "all" as source and "all" as destination. That is what address objects are for.
So, I can create my own addresses and reuse them again and again. An address can be a single IP, a range of IPs, a subnet, or a fully qualified domain name.
So, I create the address object once and reference it wherever I need it.
So, it is like a container: whenever we need it we can use it, rather than typing the IP address, the range, the subnet or the FQDN again and again. Create it once and call it whenever you need. Then there are address groups, where several addresses are put into one group. It is all under Policy & Objects > Addresses.
So, these are the addresses. "all" is 0.0.0.0/0, and the reference column shows how many times it is used. Some objects are not shown in the policy editor because of "Show in address list": if you turn that off, the object does not appear when you create a policy. Let me open the policy page in a new window to show you.
So, when creating a policy, some objects will not show up as source. Let me create a group in a moment, but before that let me explain this page.
So, these are the names of the addresses; this is the type, which can be subnet, IP range or FQDN; these are the details you entered; this is the interface; this is the visibility; and this is how many times the object is referenced. The default objects cannot be deleted, but you can clone them: clone "all" to a new object with the same values, and that one I can delete, because I created it. Now create a new address, give it a name like "My LAN subnet", type subnet, 192.168.1.0/24. You can give it a color, which is shown in the list; by default they are all black.
So, let me change the color to orange.
So, these are the types supported: subnet, IP range, FQDN, geography, dynamic and device (MAC address). I will show you each.
So, the interface: normally any, so it can be used anywhere, but you can bind it to LAN. Then there is "Show in address list", and "Static route configuration" if you want to use the same subnet in a static route; I will show that one. Add a comment if you like and click OK.
The "My LAN subnet" object is created. If I go to the policy and refresh, you will see it; I need to refresh before it appears. Now if I select the source:
So, my LAN subnet is there. Let me set the policy from LAN to WAN.
So, the LAN subnet shows here because I bound it only to LAN.
So, that's right.
So, this is the LAN segment 192.168.1.0/24. Whatever I need my LAN segment for, I can call this object anywhere; that is the beauty of it, and the color helps you spot it.
So, now the color and the LAN segment are clear to you.
So, now edit the LAN segment and turn off "Show in address list".
So, if I refresh the policy page, it will not show anymore: pick LAN to WAN and source, and it is not there. Why? Because the visibility is off, so it is hidden in the policy editor and the address list everywhere. Turn it back on, OK, and refresh here as well; now it shows again. From LAN to WAN, source, it is visible again. You can edit it from the pencil icon, which takes you to the same page where we created it.
So, now let's go back.
So, that was my LAN subnet. Let me create a new address, this time a single IP. Suppose it is R1: give it any color; the type is still subnet, but there is no separate single-IP type, so the subnet type is used for both. For a single host enter 192.168.1.4/32.
So, let me name it R1, bind it to the LAN interface, and OK. Refresh the policy page; again it is not there until I refresh. Now you will see the single IP as well, R1. This time it shows and the LAN subnet shows too, because I bound both to LAN and the incoming interface is LAN.
So, if I set the outgoing interface to WAN and the incoming to LAN, they are visible. If I change the incoming interface to something else, they are not visible, because I restricted them to LAN; with "any" they would show everywhere. So these two things are clear.
So, it can be used for a single IP and for the whole subnet. Let me create a new one for a range, which is also supported: type IP range, 192.168.1.1 to 192.168.1.2, for the whole range.
So, I give it the name range and show you the difference in the interface column. Next, a fully qualified domain name: suppose I want one for Facebook. Type FQDN, facebook.com, any interface, OK. The FQDN is resolved through DNS after a while, so you can use it as it is. Refresh the policy page, and as source or destination Facebook is now available. Where is Facebook? It is this one I just created, and the FortiGate will resolve it.
So, next is geography: countries are supported. Type geography, pick the country, for example Pakistan, and create it. After a refresh it is available in the policy, so you can write a policy for a whole country. The other type is dynamic, which comes from a Fabric connector such as ClearPass; we have not configured one, so nothing shows there; we will look at it later. And the last one is device, a MAC address. Suppose you want to allow only this device: copy its MAC address from the interface and create an address of type device with that MAC. The policy then matches the device regardless of its IP.
So, now it can come from anywhere, and only that MAC is matched.
So, I name it R1 MAC address, give it a color, OK. After a refresh, when you create a new policy the MAC address object is visible too. This object you can call whenever you need it.
So, these are the addresses. Now the "Static route configuration" option: if you want to configure a static route directly from this object, enable it on R1, say. A static route will then be created, the same as the one we created last time under Network > Static Routes, and the object will be selectable there.
So, if you need an object for a different purpose, such as routing, you can do it this way as well. Now back to Policy & Objects > Addresses. Besides addresses, there are address groups, for example the predefined Microsoft Office 365 and G Suite groups, which contain several different addresses. If I need several addresses as one, I can create an address group: click Address Group, name it "web group" or whatever you like, change the color, and add the members, for example Facebook and the other addresses I created.
So, this is my web group. You create a group the same way you create a service group: select the members, OK, and the group is created.
So, whenever I need those addresses, I call the web group rather than each address separately. Back in the policy, as source or destination, you can see the web group with the members inside it, so rather than adding them one by one I put them in a group and call the group.
So, that is the idea of address objects: we can create a whole subnet, a range, a single IP, a fully qualified domain name, any country, and dynamic addresses, which we do not have right now but can create with a Fabric connector such as ClearPass; I will show that with single sign-on later. And I created an address group; you can group anything, and a group can also exclude members.
So, if I enable exclude on the group, the excluded address is removed from the group: the group matches all the members except the excluded one.
So, I will not use it now. We can call the group here, or anywhere an address is accepted, but normally we use them in the security policy.
So, this was a small thing, groups and addresses, but it makes your policies more organized, cleaner and easier to troubleshoot.
So, that is why it is really important, even though it is a small topic.
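The address types and the group from this lecture, as an added CLI example rather than the lecturer's own configuration. Object names, port2 as the LAN interface, the range end address, the MAC address, the second FQDN and the 10.10.10.0/24 hidden object are assumptions; 192.168.1.0/24, 192.168.1.4 (R1), facebook.com and Pakistan follow the lecture. The example goes one step beyond the lecture by using the group exclusion in a policy (the whole LAN except R1).

```fortios
config firewall address
    # Subnet object, bound to the LAN interface so it is offered only
    # when port2 is the incoming interface of the policy.
    edit "My-LAN-subnet"
        set type ipmask
        set subnet 192.168.1.0 255.255.255.0
        set associated-interface "port2"
        set color 9
        set comment "LAN segment"
    next
    # Single host: same ipmask type, /32 mask. allow-routing is the
    # "Static route configuration" option in the GUI.
    edit "R1"
        set type ipmask
        set subnet 192.168.1.4 255.255.255.255
        set associated-interface "port2"
        set allow-routing enable
    next
    edit "LAN-range"
        set type iprange
        set start-ip 192.168.1.1
        set end-ip 192.168.1.2
    next
    # FQDN objects are resolved by the FortiGate's DNS and refreshed
    # at the record TTL; they are only as trustworthy as that DNS.
    edit "Facebook"
        set type fqdn
        set fqdn "facebook.com"
    next
    edit "Google"
        set type fqdn
        set fqdn "google.com"
    next
    edit "Pakistan"
        set type geography
        set country "PK"
    next
    # Device object: matches the MAC address regardless of its IP.
    edit "R1-MAC"
        set type mac
        set macaddr "00:11:22:33:44:55"
    next
    # "Show in address list" off: the object still exists and can be
    # referenced, but the GUI policy editor does not offer it.
    edit "Hidden-object"
        set type ipmask
        set subnet 10.10.10.0 255.255.255.0
        set visibility disable
    next
end

config firewall addrgrp
    edit "Web-group"
        set member "Facebook" "Google"
        set color 6
    next
    # Everything in the LAN except R1.
    edit "LAN-except-R1"
        set member "My-LAN-subnet"
        set exclude enable
        set exclude-member "R1"
    next
end

# Specific policy instead of all -> all: only LAN hosts other than R1,
# only to the web group.
config firewall policy
    edit 0
        set name "LAN-to-Web"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN-except-R1"
        set dstaddr "Web-group"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
    next
end
```

Deleting an address that is still referenced is refused, and the reference column in the GUI (or `diagnose sys checkused firewall.address.name <name>` in the CLI) shows where it is used, which is the cleanup benefit the lecture ends on.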