Fortinet NSE4_FGT-7.2 — FortiGate Firewall — Section 2: Extra Topics

85. Lecture-85: New FortiGate FW NSE4 V7 Training.

Hi dear student and welcome to the FortiGate NSE4 version 7 training course. This is our main topology where we have four firewalls: one, two, three and four. One is our edge or perimeter firewall, two and three are our data center firewalls and firewall four is our branch firewall, while firewall one and four are connected to two different ISPs. We are going to test SD-WAN, ICMP, policy, load balancing and many other options related to static routes, increasing and decreasing the AD value, and properties. Besides, firewall one has a DMZ zone where we have two different ranges of servers, including a web server.

So, here we will test different VLANs, how to configure different VLANs, and also how to combine different VLANs in a zone, and destination NAT.

So, whenever PC one, which is outside, wants to access our web server, we need destination NAT, while internally we have PC one and an attacker; here we will test security policy, security profiles and also source NAT from here to outside. Also firewall one is connected to a management switch where we have AD; AD is the name of a Windows Server 2012. Here we’re going to install Active Directory for user authentication, Certificate Authority for SSL inspection, DNS (Domain Name System), DHCP, FTP and so many other services. FortiAnalyzer we will use for syslog and log collection, and also for the security fabric lab. Besides this, between firewall one, two and three we will test static routes, default routes and dynamic routes such as RIP, OSPF and BGP, while between firewall one and four we’re going to test eBGP. Also between firewall one and four we will test site-to-site VPN. Also in firewall four we’re going to configure remote access VPN for remote PC one and two to access our resources and the DMZ.

So, this is our target and we have so many other features to test. Thank you very much and see you in the course.

86. Lecture-86: Theory of Software-Defined Network.

Okay.

So, our today’s topic is SD-WAN, software-defined wide area network. Keep in mind two things: we have a paper road map, and another one, we have GPS navigation, Google Maps, which we are using on a daily basis. I will give you one analogy. Suppose you are traveling by car, or maybe on foot, or whatever, in any city. Suppose from Manchester to London. This is your target. It can be any place in any country.

So, in old days, we were using a paper road map. You have a printed road map and you are going from one place to another place. Now, you don’t know in advance whether there is a road closure or not. You don’t know whether there will be a delay or not, whether there is an accident or not, because you have a paper map and you are going by that paper map. But you can face many issues. Maybe there is an accident. Maybe the road is closed, for whatever the reason can be. But we don’t have any alternative until we reach there. Then we can decide to change the path, or maybe there we don’t have any path to change to. It can be.

So, this is the old paper road map. Similarly we have the traditional WAN; still many companies are using traditional WAN and we are reaching the internet, and if there is any issue, the internet link will be down. We don’t have any backup plan and we don’t know. Maybe there is slowness. Similarly, these two definitions fit SD-WAN and traditional WAN. Consider SD-WAN like GPS navigation, recent Google Maps. When you are traveling from one place to another place you can easily find out that there is a closure, where the road closure is, even the traffic. If there is a red line, it means there is huge traffic, and you know each and everything, how long it will take to reach there. You can find each and everything. While in a road map, these things are not available. You are not aware of these things at once.

So, this is the first example for SD-WAN and traditional WAN.

So, it means if you are using GPS navigation you can easily find out a road closure, accident, travel delay and insufficient routes, and you can change in advance to any other route, because this navigation software is using satellites where you can know the real-time road map and everything. Similarly, we have SD-WAN edge routers which we can use for WAN, for centralized control and management, and we have more than one WAN. If one WAN has any issue, it will be switched over automatically. That’s why it’s called SD-WAN, software-defined wide area network. This solution is for wide area networks. Similarly SD-WAN will help us if there is any jitter, any packet loss, any delay and any latency. Like a GPS system, which can avoid road closures, accidents, travel delays, similarly SD-WAN can help you with jitter, packet loss, delay, latency and so on. It will tell you in advance and it will automatically switch over if you configure them that way, even though you can configure manually as well.

So, basically a multi-connection WAN solution is called SD-WAN in FortiGate firewall. If you combine more than one ISP link, WAN links, to work together, it is called SD-WAN in FortiGate firewall. And today it is very important. Why is it important in today’s world? Because nowadays every company has software as a service, such as Azure cloud applications, cloud services such as Office 365. All those things are now on the cloud, and we want to access those things frequently, every organization. And maybe you want to access the internet. Keep aside these things; even though this is the best fit for the cloud solution.

So, we need such a solution, and that is SD-WAN, software-defined wide area network. Now what you can do: SD-WAN is basically a virtual interface in FortiGate firewall which groups member interfaces.

So, basically it combines more than one interface in a group; we call them SD-WAN, and the minimum is one. It means you can combine one as well, and the maximum is 255. And you can group them. After you group them, you will use this SD-WAN and your group in your firewall policy rather than the individual interfaces, because now you combined them.

So, it’s better to use, and definitely we will use, the SD-WAN logical interface in our routes and also in our firewall policies.

So, it means these interfaces are the members of the SD-WAN zone, which we group. And then you can use various load-balancing algorithms, which we will see in the lab.

So, what you can do, you can apply many load-balancing methods such as by source and by destination, by source and destination. Also, there are many methods available to choose based on, such as bandwidth, such as best cost. And also you can do it manually as well, which we will discuss a bit later.

So, it means we can create a maximum of 4000 SD-WAN rules. We will discuss the rules a bit later. And also health monitors. We will discuss health monitoring related to SD-WAN as well. This is just an introduction to SD-WAN in FortiGate firewall.

So, as I told you, SD-WAN is a software-defined approach to manage a wide area network; it is software based, that’s why we call them software defined. Software will take the decision based on the criteria. And we can use this for the underlay and also for the physical. Now we will apply a health check and SD-WAN rules as per our expectation and as per the business requirement, what they want. This FortiGate firewall will automatically and intelligently change the route based on your criteria, based on your SD-WAN rules. You can use application, you can use internet services and whatever you want. Either you can manually define that always send traffic to this SD-WAN member.

So, this is SD-WAN.

So, SD-WAN gives higher capacity bandwidth, centralized management and network visibility and multiple connection types. These are the benefits. The top benefits of SD-WAN are higher capacity bandwidth, because we combine them and we can distribute the traffic on both, and we can send the traffic when one is down, it will go to the other link; if the other link is down, it will go to the third link. And we can do all the things from centralized management, one location. We can manage all these links and we will see the visibility of all these links and all these multiple connections. Now to configure SD-WAN we need a zone.

So, SD-WAN is divided into zones. Basically when you put those ISP interfaces, we call them an SD-WAN zone. Suppose you have two ISPs, maybe you have more than two ISPs. You need to combine these ISP links in a zone. We call them a zone, just like a zone in any firewall where we combine something; we call them a zone.

So, these member interfaces are assigned to the zone, and zones are used in policy and static routes, as I told you before as well.

So, it means it will logically group these ISP links, and then we can use the zone in our firewall policy as source and destination for more control. And definitely SD-WAN members cannot be used directly in the policy, because we combined them for such a purpose. Now we will call this SD-WAN zone in the policy rather than individual members, and also in static routes as well.

So, now we know zones. Zones basically combine interfaces, which interfaces your ISP link interfaces such as ISP1, ISP2, which are connected to your FortiGate firewall. You combine them and put them in an SD-WAN zone. You give them any name, suppose SD-WAN, and this is our zone. Now, the advantage is, I already told you, SD-WAN is a way to remove high-cost, low-speed connections from your location and replace them with lower-cost, high-speed connections. It gives you flexibility and it provides you better bandwidth utilization and secure connection. Definitely it will save money and time as well. And it’s scalable. Now what is an SD-WAN member? SD-WAN members are also called interfaces. Your ISP interfaces are called SD-WAN members, or those ports or interfaces which are used to run the traffic, to take the traffic, and combined in a zone are called SD-WAN members. And at least one interface must be configured for SD-WAN to function and work. I told you you can combine up to, in FortiGate, up to 255. Minimum one is required in a zone, and that interface is called a member of the zone. Another thing which we will use in the practical lab related to SD-WAN is performance SLA. Performance SLA is also called health check. Basically performance SLA will check the link, the quality of the link. We have already used Cisco IP SLA for health monitoring.

So, if there is any issue, if the link fails, if the quality of the link is not good, maybe there is jitter, maybe there is delay, maybe there is any other issue.

So, which thing will recognize these interfaces? We call it SLA.

So, it means when the SLA falls below the configured threshold, the route can be removed. This is the job of the SLA: the threshold, which you set, that if the delay is that much and if the jitter is that much.

So, what it does: remove this interface from the routing table and the other link will be used, the different link which you combined. And you can use many options for the SLA, such as maybe you want to monitor the quality, maybe you want to check the latency and jitter and packet loss, and maybe whether the link fails or not, detect whether it is reachable or not.

So, it will be removed from the routing table and another interface will be used.

So, this is the job of SLA in SD-WAN. We can monitor one or two target servers. How can we use this easily? Suppose you have two ISP links, so you can set WAN1 and WAN2. Suppose these are the two ISP links. What you can do: you can ping a server, 8.8.8.8, continuously from WAN1 and WAN2; if it is not reachable, or it is slow, or there is jitter, or there is packet loss, change the link to the other one and remove that link. Suppose WAN1 is reachable in one second and WAN2 is reachable in ten seconds.

So, definitely WAN1 is the best link based on the quality and bandwidth.

So, what it will do, it will remove that one and forward the traffic to WAN1.

So, this is the job of the performance SLA. We can set ping, we can set HTTP, and there are more other protocols which we can set for checking through the CLI, but these two are available through the GUI graphically. You can use ping and you can use HTTP to check some server so that you can decide which link is the best one.

So, this is the job of performance SLA in SD-WAN. Another thing related to SD-WAN is rules. Rules are also called services. Rules control path selection, which path will be selected. You need to create the rules, specify the traffic, and dynamically select the best link, or you can specify manually as well.

So, these are rules in SD-WAN. Suppose you say that if the source is this one and the destination is this one, use this link. This is called a rule of SD-WAN.

So, the outgoing interfaces of your WAN links, which are combined and which are members of the SD-WAN zone: you can create rules for these interfaces and you can decide the criteria to use the best link, maybe by bandwidth, by jitter, by delay, whatever. You can do it dynamically or statically; it’s up to you. These are called SD-WAN rules.

So, SD-WAN rules match the traffic, and then the implicit rule applies. Suppose no SD-WAN rule matches.

So, it is top to bottom. It will check these rules. If none of the rules is hit, what it will do, it will apply the implicit rule. There is one implicit rule as well.

So, it’s like a policy route. With these rules, we can identify the traffic and specify the outgoing interface for it. And these rules will be checked, as I told you, just like a policy, from top to bottom, and the first match applies, first fit. If not, it will use the default SD-WAN rule. There is a default rule that will be used, so you can create rules to select the best link. This is the simple way of SD-WAN rules. Now, before going on, we need to know some terminology. The first one is bandwidth.

So, the speed of the link, our interface, in bits per second is called bandwidth. Or bandwidth is the capacity of the link. Or how many bits can be sent over the link per second is called bandwidth. It means the number of bits that can be transmitted in a single second is called bandwidth.

So, it’s like a pipe. You know how much water can go in one second, so you can analyze and check the capacity of the pipe.

So, similarly is bandwidth. Another terminology is congestion. Congestion basically causes delay and latency. It’s like traffic: when there is huge traffic, you can call it congestion. Congestion is, suppose there are huge packets coming, there is 1000 megabits per second coming, but the outgoing is 100 megabits per second.

So, definitely there will be congestion. And suppose you have an aggregate interface, it’s 100, 100, 100 and 100, so it becomes 500, while there is a 100 outgoing interface.

So, what will happen? There will be congestion. Similarly, you have a 1000 megabits per second LAN, but the outside WAN is going 100 megabits per second.

So, definitely there will be congestion. And congestion will cause delay and latency. Now coming to what is delay: delay or latency refers to the time it takes for a packet to travel from source to destination. It means delay or latency means the time the packet takes from one source to a destination. There are two types of delay, fixed delay and variable delay. Fixed delay is similar every time. Fixed delay is a specific amount of time for a specific process; all the time it will take that one, such as how long it takes to place a bit in the transmission media, so definitely every time it will take the same time. And variable delay takes an unspecified amount of time and is affected by factors. It can be by many factors. Maybe once it takes ten seconds; next time it will take more than ten seconds or less than ten seconds.

So, this is called variable delay.

So, there are two types of delay. Now coming to jitter. Jitter means variation of the delay between packets. It means the difference between the delays of the IP packets is called jitter; variation of the delay in streaming applications is called jitter. Let me explain. Suppose this one is a packet; every time it’s taking the same time, suppose two seconds, two seconds, two seconds every time. Now jitter means this packet takes two seconds, the next time it takes ten seconds, the next time it takes 30 seconds.

So, this is variation. This variation is called jitter, even though jitter is also a type of delay. Like here, I told you, delay means the time it takes for a packet to travel from source to the destination is called delay, how long it will take from source to the destination if it is taking the same time every time. Suppose you are going to the office on a daily basis and you are reaching your office in half an hour on a daily basis. But for some reason the next day you take one hour because there was an accident.

So, you take more time and reach the office. The next day, again, you take, suppose, 40 minutes; maybe there is a road closure.

So, every day you take a different time to reach the office. This is called jitter; uneven packet arrival time is called jitter, like your uneven arrival at the office.

Sometimes you take 30 minutes, then 40 minutes, 60 minutes, maybe 10 minutes, 15 minutes.

So, this variation is called jitter and then definitely latency.

So, latency means the time for the data packet to reach the destination from the source is called latency. Or the time between two executions of events is called latency, or processing the message at both source and destination is called latency. It means the processing delay generated in the given network is called latency. Or the time it takes a packet to travel from point A to point B is called latency. Or the round trip: suppose you are going to the office and from the office to home, how long you will take.

So, this is called latency. You take 20 milliseconds to reach your office and then 25 milliseconds to reach back to your home.

So, when you combine this, it means 45 milliseconds is called latency. And sometimes one side we also call latency. Suppose 20 milliseconds.

So, from your office to home is called latency, or the round trip when you reach your office and come home.

So, definitely this combined time is called latency. Another terminology is packet loss. If you have any issue, the above issues, definitely your packets will be lost in routers and switches and your network, and definitely those packets will be lost first which are sensitive, such as real-time audio and voice. Those will be dropped first.

So, this is called packet loss, due to delay and maybe due to jitter or maybe due to bandwidth and whatever. It can be many reasons. And whether it reaches the destination: maybe it fails to reach the destination, maybe it’s lost and some of them reach.

So, this is called packet loss. Finally, we need to discuss SD-WAN strategy. There are many strategies: manual, best quality, lowest cost and maximize bandwidth. In manual mode, if you are using manual mode, no health check is used. We use manual strategy to select the preferred interface. As I told you, which strategy you need: you can define it manually and you say send the traffic to WAN1 all the time. If WAN1 is not available, send to WAN2. That’s it. This is what you decide. Maybe you can decide that send this traffic to WAN1 and send this traffic to WAN2.

So, no need for a health check. This is called manual strategy. Then there is best quality. Best quality mode chooses the best link to forward the traffic. It will compare them by cost, and a link cost factor is specified. It can be latency, it can be packet loss and so on. And based on these criteria, it will choose the best quality link and it will forward the traffic to that link.

So, this is like dynamic: you can use best quality strategy. It can be by latency, jitter, packet loss, downstream or upstream bandwidth. It will decide the best quality and send the traffic to that one. Similarly, lowest cost SLA strategy. It will choose the lowest cost link that satisfies the SLA to forward the traffic. Here you need to define the SLA, and based on that SLA it will choose the best link. Suppose the interface that meets the SLA target is selected. It means the interface with the lowest assigned cost, if there is an equal.

So, definitely if the cost is equal they will choose the lowest cost possible, which is zero, if there are multiple links with the same lowest cost.

So, you can use lowest cost strategy as well. And finally, a maximize bandwidth strategy.

So, you can use SLA-based load balancing algorithms, and based on the load balancing algorithm, the one which passes the criteria, which is the SLA, it will choose that link.

So, here you put both the links, and the links which meet the SLA target and the specified load-balancing algorithm, it will choose that one. Finally, SLA targets: you will see these values. Latency threshold: we discussed latency; the latency SLA to make the decision, in milliseconds. By default it is five, and you can put a different value in milliseconds.

So, the latency threshold: this is the threshold, if the interface passes this threshold. Then the jitter threshold.

So, the jitter threshold is also by default five milliseconds, to make a decision, so you can put the jitter threshold. And the packet loss threshold is in percentage; by default it is zero, and you can put, suppose, 1% traffic dropping.

So, the threshold will be passed and it will take a decision. Link status check interval: the interval in which the FortiGate checks the interface, in milliseconds; by default 500. And this is failures before inactive: the number of failed status checks before the interface is shown as inactive; by default it is five. And restore link: when the link will be restored.

So, by default it is five. These values are here: check interval, failures before inactive and restore link, so it will check after five. Restore link by default is five checks; it will check the link, and if the link is available five times, it will restore it, and this is if it fails.

So, it will check them, and this is the interval in milliseconds. And finally, this option will remove the route from the routing table if it is not available, if the link does not satisfy the criteria, and when it’s available, it will put it in the routing table back.
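A worked illustration of the performance SLA behaviour described above (failures before inactive, restore link, the SLA thresholds and the lowest-cost SLA strategy), written as an added example for this page in Python; it is not FortiGate code and models the link dead/alive and SLA-selection logic in simplified form. The member names, costs and probe results are constructed, and the defaults are the ones quoted in the lecture.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SlaTarget:
    """Performance SLA targets; defaults are the ones quoted in the lecture."""
    latency_ms: float = 5.0        # latency threshold, ms
    jitter_ms: float = 5.0         # jitter threshold, ms
    packet_loss_pct: float = 0.0   # packet loss threshold, %


@dataclass
class Probe:
    """One health-check result for a member (constructed sample data)."""
    reachable: bool
    latency_ms: float = 0.0
    jitter_ms: float = 0.0
    packet_loss_pct: float = 0.0

    def meets(self, sla: SlaTarget) -> bool:
        """A probe passes the SLA only if the target answered within every threshold."""
        return (self.reachable
                and self.latency_ms <= sla.latency_ms
                and self.jitter_ms <= sla.jitter_ms
                and self.packet_loss_pct <= sla.packet_loss_pct)


@dataclass
class Member:
    """An SD-WAN member (ISP link) watched by a health check."""
    name: str
    cost: int = 0                      # cost compared by the lowest-cost SLA strategy
    failures_before_inactive: int = 5  # lecture default
    restore_link_after: int = 5        # lecture default
    active: bool = True                # False: link dead, its route is out of the table
    fail_run: int = 0                  # consecutive failed checks
    pass_run: int = 0                  # consecutive successful checks
    last_probe: Optional[Probe] = None

    def observe(self, probe: Probe) -> bool:
        """Feed one check result (one per check interval) and update the link state."""
        self.last_probe = probe
        if probe.reachable:
            self.pass_run, self.fail_run = self.pass_run + 1, 0
            if not self.active and self.pass_run >= self.restore_link_after:
                self.active = True     # route is put back into the routing table
        else:
            self.fail_run, self.pass_run = self.fail_run + 1, 0
            if self.active and self.fail_run >= self.failures_before_inactive:
                self.active = False    # route is removed from the routing table
        return self.active

    def in_sla(self, sla: SlaTarget) -> bool:
        return self.active and self.last_probe is not None and self.last_probe.meets(sla)


def lowest_cost_sla(members: List[Member], sla: SlaTarget) -> Optional[str]:
    """Lowest-cost SLA strategy: of the live members that meet the SLA, pick the one
    with the lowest cost (first configured member wins a tie); None if none qualifies."""
    ok = [m for m in members if m.in_sla(sla)]
    return min(ok, key=lambda m: m.cost).name if ok else None


def demo() -> List[Optional[str]]:
    """Constructed scenario: wan1 (cost 0) is dead for the first five checks, then
    recovers; wan2 (cost 10) is healthy throughout. Returns the pick after each check."""
    sla, wan1, wan2 = SlaTarget(), Member("wan1", cost=0), Member("wan2", cost=10)
    picks = []
    for tick in range(12):
        wan1.observe(Probe(reachable=tick >= 5, latency_ms=2))
        wan2.observe(Probe(reachable=True, latency_ms=4, jitter_ms=1))
        picks.append(lowest_cost_sla([wan1, wan2], sla))
    return picks
```

In the scenario, wan1 is only chosen again after five consecutive good checks, which is the restore-link behaviour the lecture describes; a single bad probe on a live link is enough to fail the SLA for that check, but the route stays until five checks in a row fail.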

So, this is the theoretical stuff related to SD-WAN which we discussed, and in the next video we will see SD-WAN configuration in FortiGate firewall practically.