Fortinet NSE4_FGT-7.2 — FortiGate Firewall — Section 1: FortiGate Firewall V6.4 1 Part 12
15. Lecture-15: Configure Virtual Wire Pair in FortiGate.
Related to interfaces is the virtual wire pair. A virtual wire pair is, in plain English, a virtual wire: it basically does bridging. In Cisco terminology we call this a transparent firewall; in Palo Alto it is called virtual wire (vwire); on FortiGate it is called a virtual wire pair. Whatever the name, it works like a bridge: there is no IP address configured on the interfaces, and it requires exactly two interfaces, not more. Keep in mind that because it is bridging, port2 and port3 will have no IP address, and you can use the same subnet on both sides. It is the same concept as transparent mode on a Cisco firewall and virtual wire on Palo Alto.
So let me show you; it is basically bridging.
So this firewall will do nothing except bridge, and we use the same subnet on this side and on that side. Normally two routed interfaces need different subnets; if you assign the same subnet to both interfaces the firewall will complain. You could put the whole firewall into transparent mode, but the better option is a virtual wire pair: it combines two interfaces into one wire, one subnet on both sides, and you can still apply the same policies and everything, but transparently. Suppose an organization says "don't change my network, just plug something in": then you can use a virtual wire pair. There can be other reasons as well.
So how do you do it? Let's go to the lab. I will reuse the same topology because it would take time to build a new one: one PC on one side and one PC on the other. As I said, you can also put switches on either side; it doesn't matter, you can use anything. Let me take port2 and port3 and connect everything. Now I need to assign the same subnet on both sides; previously we assigned different subnets, but in this case I assign the same one. Right-click on the PC, edit configuration, and uncomment the IP line. I assign 192.168.0.101 here; I don't care about the gateway, because no routing is involved.
So 192.168.0.101 is my IP on this side. Right-click on the other PC, edit configuration, and set its IP to 192.168.0.1.
So the two hosts are in the same subnet; everything else is the same. Let me start them.
So let me start with the PC at 192.168.0.101; the other side is 192.168.0.1, same subnet, only the last digits differ. By default this will not work, because the FortiGate is not configured yet; we will see what we can do. I need port2 and port3.
So let's go to the FortiGate. I need to remove the existing configuration from port2 and port3, because they are already in use, and Delete is greyed out for a referenced interface.
So first go to the Ref. column, click on the reference, and remove whatever references the interface (a policy, for example). Now Delete is available: click it and confirm. Now these two ports are released and not used for any other purpose.
So port2 and port3 are available, currently down, and not in use.
So click Create New > Virtual Wire Pair. Give it any name. Click the member icon and choose the two interfaces, port2 and port3. If you need wildcard VLAN you can enable that here as well. OK. If I scroll down here under Virtual Wire Pair and expand it, you see the name, the type is Virtual Wire Pair, there is no IP address configurable, and port2 and port3 are the members.
So what does that mean? It means these two ports are bridged together. Do you think it will work? Let me ping 192.168.0.1, which is the IP address of the other host (it is a web server, an FTP server and so on; many services run on it). It is not reachable; maybe the server is down.
So I think it will not work, because we need to do one more thing.
So if I ping 192.168.0.1, there is no reply.
So what do we need? We need a policy. Go to Policy & Objects > IPv4 Policy. Because of the implicit deny, all traffic is denied, so create a new policy. The incoming and outgoing interface drop-downs do not offer port2 and port3. That means something is wrong: a regular IPv4 policy does not work with the virtual wire pair. There is nothing to select to allow the traffic, yet a policy needs an incoming and an outgoing interface.
So my interfaces are port2 and port3, which are not visible here.
So you have to enable a policy feature which is not shown by default. Go to System > Feature Visibility; most features are hidden by default. There is an option related to policy, the virtual wire pair policy. Enable it and click Apply. Now you will see the difference: go back to Policy & Objects and a new policy page has appeared, Virtual Wire Pair Policy, which we enabled from Feature Visibility. Now it is available.
So click on it and create a new policy the same way as before. Give it any name. Virtual wire pair: select the pair. Then choose the direction: from port2 to port3, from port3 to port2, or both. If you choose only port3 to port2, traffic from port3 to port2 is allowed but traffic from port2 to port3 is denied; if you choose only port2 to port3, the reverse. It is up to you which one you need; in my case I choose both directions. Source: all. Destination: all. Service: ALL. Action: ACCEPT, and enable logging so I can see the traffic.
So rather than the regular IPv4 policy, I create the policy under Virtual Wire Pair Policy. Now traffic should start flowing; if I ping the same IP again, it has to be reachable. Yes.
So 192.168.0.1 is reachable, and 192.168.0.101 from the other side works as well. Now you can verify: refresh the policy page (it is better to refresh from here) and you will see the traffic hitting this policy, with the hit and byte counters, and you can verify it from FortiView too; after a while it appears there.
So the source is the PC and the destination is 192.168.0.1; you can see the FTP session on TCP port 21 and ICMP (Internet Control Message Protocol). And on the other side you can verify the reverse, 192.168.0.1 going to 192.168.0.101, ICMP. You can also verify it from Log & Report > Forward Traffic.
So after a while you will see it here as well. It means it is working now.
So basically a virtual wire pair is a transparent bridge between two interfaces in the same subnet.
So if you require something like this, you can use a virtual wire pair. Let me see if I missed something. Yeah.
So we enabled the feature under Feature Visibility, created the virtual wire pair, created the policy, and now it is working.
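The same lab as a FortiOS CLI configuration, added here as a worked example; it is not from the lecture, which is done in the GUI. It assumes FortiOS 6.4 CLI syntax, the members port2 and port3, the pair name "vwp-lab", and the two hosts 192.168.0.1 and 192.168.0.101 used above; the one-direction variant is described in a comment to make the lecturer's direction point explicit.

```fortios
# Added example (not from the lecture): FortiOS 6.4 CLI equivalent of the GUI steps.
# Assumptions: members port2/port3, pair name "vwp-lab", hosts 192.168.0.1 and 192.168.0.101.

# 1. Before reusing an interface, list what still references it. The GUI greys out
#    Delete until every reference (policy, zone, DHCP server, ...) has been removed.
diagnose sys checkused system.interface.name port2
diagnose sys checkused system.interface.name port3

# 2. Create the pair. Members carry no IP address; both sides stay in 192.168.0.0/24.
#    wildcard-vlan is only needed when 802.1Q-tagged frames must cross the pair.
config system virtual-wire-pair
    edit "vwp-lab"
        set member "port2" "port3"
        set wildcard-vlan disable
    next
end

# 3. Policy. The implicit deny applies to the pair too, so nothing passes until this
#    exists. Listing both members in srcintf and dstintf allows both directions (the
#    "both" choice in the GUI). For one direction only, e.g. port2 -> port3, use
#    srcintf "port2" and dstintf "port3": replies of allowed sessions still return,
#    but new sessions started from the port3 side are dropped by the implicit deny.
config firewall policy
    edit 0
        set name "vwp-lab-allow"
        set srcintf "port2" "port3"
        set dstintf "port2" "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# 4. Verify while the PC at 192.168.0.101 pings 192.168.0.1.
show system virtual-wire-pair
# ICMP should be seen entering one member and leaving the other.
diagnose sniffer packet port2 'icmp' 4 4
# The session table shows the policy_id of the rule above for the bridged flow.
diagnose sys session filter dst 192.168.0.1
diagnose sys session list
```

The checkused command is the CLI view of the "Ref." column the lecture uses; running it first avoids the greyed-out Delete the lecturer hits twice.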
16. Lecture-16: Administrative Access in FortiGate Firewall.
What is administrative access? Administrative access is configured per interface, for administrative purposes: if you want to restrict something, limit some protocol, or allow some protocol so that the administrator can reach this firewall through that interface. The protocols you allow there are the administrative access.
So on a normal firewall there is a dedicated management interface; on FortiGate there is a management interface as well, but you can also enable administrative access on any interface.
So under every interface you can enable administrative access. Right now I can only reach this firewall through port1, because administrative access is enabled there (HTTPS, ping and so on); that is why I can access it. Now let me enable it on another interface. First let me remove the virtual wire pair: port2 and port3 are referenced, so click on the reference; one reference is in the policy and the other is the virtual wire pair object itself.
So you have to remove all the references, then you can delete. Keep in mind that in the lab you will face this issue; that is why I keep showing where an interface is referenced. Now port2 and port3 are released. Let me assign an IP to port2 in a new subnet, 192.168.100.1/24, and give it the alias LAN. I also change the PC to the same subnet, with .100, and since I changed its configuration I have to stop and start it again. Now let me show you administrative access: can I reach this IP from the PC, by ping or by the GUI? Let me check.
So I ping 192.168.100.1 from the inside PC: no reply.
So if I ping 192.168.100.1, which is my gateway, I cannot ping it. GUI access is a different thing again: can I open the GUI? No. This is administrative access, shown here on port2: nothing is enabled, so nothing answers when I click here.
So what do you want to allow on this interface? These are the options: ping, HTTPS, HTTP and so on; whatever you want to allow for the GUI, for ping, and so on.
So let me enable ping. Now I can ping; before it was not possible. Now let me enable HTTPS as well: it should now be accessible, but it is not coming up. The reason is the license.
So let me try HTTP instead, because there is no license.
So why is HTTPS not accessible without a license? If you have a license, HTTPS is allowed.
So it is not accessible due to the license. Don't worry: there is no HTTPS problem with the interface itself; on one interface it may show and on another it may not, depending on the license. Right now I am logging in through HTTP, which is not secure, due to the license; with a license you can use HTTPS.
Similarly SSH, if you want to enable it.
So now you can SSH to this firewall. The point is: HTTPS is not working on this FortiGate until it has a proper license, because it is running on the 14-day trial license.
So the 14-day trial license limits some things, and one of them is that HTTPS is not accessible. If I try https:// I get an error; switching back to http:// works. That is the issue, and it is due to the license; when I install the license, HTTPS will work.
So this is just a limitation. Don't worry, I will show you in the next class: I have already requested a license and will install it then, to save some time; it is valid for 60 days.
So administrative access is what you want to allow on this specific interface so that the administrator can access the device. Let's see what the options are. The first one is HTTPS, Hypertext Transfer Protocol Secure, the secure way, which I showed in the first class. Another is HTTP, Hypertext Transfer Protocol, which is unsecure. Then PING, a utility to test your devices: the firewall will send echo replies. Then FMG-Access, for FortiManager, which is like Panorama for Palo Alto or FMC for Cisco: a centralized place to configure many devices.
So FMG means FortiManager; in a later lecture I will attach three or four FortiGates to one FortiManager and configure them from one place. Next is CAPWAP: if you are using the FortiGate's wireless controller capability with FortiAPs, the access points use this protocol. SSH, Secure Shell, is the way to securely reach the CLI to configure the device. SNMP, Simple Network Management Protocol, is for monitoring; again, we will do it later in the course. FTM is for FortiToken Mobile, which you can enable here if you use FortiToken. And FMG-Access, once more, means FortiManager access.
So this is all related to administering the device. There is also FortiTelemetry, the communication between FortiGate and FortiClient, which is not available in some versions; you may or may not see it here. That is why I am showing all of these. SSH uses TCP port 22 for management. SNMP uses UDP ports 161 and 162; we will see it in detail later in the course. So this is administrative access: it means that now you can reach this FortiGate over HTTP from the LAN, and you can use SSH from the LAN. If you want to connect it to FortiManager, you enable FMG-Access.
So keep this in mind: later, when we do FortiManager, I will enable FMG-Access; otherwise it will not work.
So this is administrative access. Which authentication method you use is a different thing; I will show you how to use those methods later.
So these protocols are what we call administrative access, and until you allow them on the interface, access will not work. Okay.
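The Administrative Access checkboxes as FortiOS CLI, added here as a worked example (not the lecture's own configuration). It assumes port2 is the inside interface at 192.168.100.1/24 with alias "LAN", port3 is unused, the admin account is "admin", and the management PC is 192.168.100.100; the trusted-host setting at the end goes one step beyond the lecture and is labelled as such.

```fortios
# Added example (not from the lecture): CLI form of the per-interface
# Administrative Access settings, the lab setting next to a tighter one.
# Assumptions: port2 = "LAN" 192.168.100.1/24, port3 unused, admin account
# "admin", management PC 192.168.100.100.

# Lab setting as configured in the lecture: ping for reachability tests,
# https for the GUI, http only because the trial license blocks https.
# Do not leave http enabled on a licensed box: the admin password travels
# in clear text.
config system interface
    edit "port2"
        set alias "LAN"
        set ip 192.168.100.1 255.255.255.0
        set allowaccess ping https http ssh
    next
end

# Tighter setting: only what this segment needs. Every keyword in allowaccess
# is a listening service reachable from that interface. Add fgfm only when the
# box is managed by FortiManager, capwap only when it controls FortiAPs,
# snmp only where a monitoring station lives. An interface with allowaccess
# cleared answers nothing, which is the "nothing checked" state in the lecture.
config system interface
    edit "port2"
        set allowaccess ping https ssh
    next
    edit "port3"
        unset allowaccess
    next
end

# allowaccess decides WHICH protocols answer on an interface. WHO may log in
# is a separate setting, trusted hosts on the admin account (beyond the
# lecture, but the usual companion to allowaccess).
config system admin
    edit "admin"
        set trusthost1 192.168.100.100 255.255.255.255
    next
end

# Verify: the allowaccess line must list exactly the intended protocols.
show system interface port2
get system interface physical
# From the PC: ping 192.168.100.1 now answers, ssh admin@192.168.100.1 works,
# https://192.168.100.1 works once the license permits HTTPS.
```

The difference between the two interface blocks is the whole lesson: each extra keyword is one more management service exposed on that segment, so enable them per interface and per need rather than copying the full list everywhere.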