Fortinet NSE4_FGT-7.2 — FortiGate Firewall — Section 1: FortiGate Firewall V6.4 1 Part 22
28. Lecture-28: IP Address Based Policy in FortiGate Firewall.
We will continue with the same topology, but this time I want to show you a policy based on the source IP address rather than on the source MAC address. Is it possible? Yes. Go to Policy & Objects. Before creating the policy it is better to create the address object first. Under Addresses there are many types we can create: a single IP, a subnet (IP/netmask), an IP range, an FQDN, a geography (country) object and so on. Create a new address, give it a name (I am calling it PC2), choose the type IP/Netmask, and enter the single IP of PC2 with a /32 mask. Optionally tie it to the interface where that host lives, in my case the LAN interface; leave it at any if you are not sure. Click OK. Now go to Firewall Policy and create a new policy. Give it a name, set the incoming interface to LAN and the outgoing interface to WAN, set the source to the PC2 address object we just created, the destination to all, the schedule to always and the service to ALL, and enable logging of all sessions so we can check what is matched. Click OK.
So, this time I created a policy specifically for PC2. It appears at the bottom of the policy list, but it is the one that PC2's traffic will hit.
So, let's test it. Before, when there was no matching policy, PC2 could not get out. This time it should go. Yes, it is working; PC2 is reaching the Internet.
So, PC1 is going out through the MAC-address-based policy and PC2 through the policy created by IP address, and we can see this in the logs. In FortiView by source you will see two IPs, one from PC1 and one from PC2, and you can see which policy each one is hitting: one is the MAC-address policy and the other is the source-IP policy, and you can see all the sessions they generated.
So, the first thing they do is go to DNS, and starting from here, under Log & Report > Forward Traffic, you can see everything they did in much more detail, which we will discuss later.
So, a policy can be created based on MAC address and based on IP address to restrict the policy.
29. Lecture-29: Services and Schedule Based Policy in FortiGate.
Now, let's do one more policy, but first I need to change the topology a bit. This link currently goes directly to the firewall; let me move it to a switch and connect from the switch, because I want to put another device on the WAN side. Okay, so basically it is the same thing, only I need to add another router or something. Either I can put a web server toolbox, or I can use a router, which can act as both a web (HTTP) server and a Telnet server.
So, here I put two more devices on the WAN side, so that these two services are reachable as if they were on the Internet.
So, let me put them on the WAN side. Sorry, these are the two services available on the WAN. This one I need to configure; the other I can copy from here. I can enable DHCP on it as well to make it easier: it will get an IP automatically from the NAT cloud. So I am going to enable DHCP on it.
So, this should get an IP automatically from the NAT cloud. Let me check which IP it received.
So, let's see the IP. I want this router on the WAN side, so on the console I configure the interface: interface GigabitEthernet 0/0, ip address dhcp, no shutdown, and it will take an IP automatically after a little while. But before that I need to enable a few things so I can reach it: line vty 0 4, login local, and a local user: username admin privilege 15 password 123. Also make sure the HTTP server is enabled. Okay, what IP address did it get? show ip interface brief.
So, it got 192.168.122.195, which is a different network from my LAN, as it should be, being on the WAN side. Now I want to restrict my policy by services. Let me delete the other policies so only one policy is left, and edit that one: incoming LAN, outgoing WAN, no name change. Source can be all, destination can be all, schedule always, but for the service I want only HTTP.
So, I can restrict the policy by services as well. Okay.
So, there is no other policy, only this one. Let me go from the inside PC to the router, which has HTTP enabled and Telnet enabled. Can I reach the FortiGate LAN interface? Yes. Now let me open the router at 192.168.122.195 in the browser. Yes, I can reach it, and it asks for a username and password: admin, 123.
So, it is not accepting the login, which means I did not give that user full privileges in the router configuration.
Sorry, I did type login local, but the username is wrong; let me go back to the router: admin, in lowercase, with password 123. It has to open. Okay, and I gave privilege 14 instead of 15, so let me fix it: username admin privilege 15 password 123. Now if I try again, admin, 123, yes, now I can get in. Do you think I can also telnet to this router? No. Do you think I can ping it? No. Both services are denied, because the policy only permits HTTP. Let me ping from the PC: 192.168.122.195 is unreachable, because we restricted the policy by service. I only allowed traffic from LAN to WAN, any source, any destination, but only the HTTP service. Let me edit the policy and add the PING service (ICMP echo). Before, ping was not working; as soon as ICMP is allowed, look, it starts replying. Because now I restricted the policy by services. Besides services there is a schedule as well. always means all the time. When you create a policy you can choose a one-time schedule or a recurring schedule. For a recurring schedule you pick the days, for example Monday, Tuesday, Wednesday, Thursday and Friday but not Saturday and Sunday, and the time range, then click OK. Now I put this schedule on the policy instead of always. Do you think it will still work? Sorry, let me remove the other one; it stops working. Ping is not working, and HTTP, which was working a minute ago, is not working either. Both are not working. Why? Because now we restricted them by schedule.
So, let me edit the schedule and allow Saturday and Sunday as well, because today is Saturday. And as I expected, ping starts working again and HTTP also comes up.
So, there are many things you can use to restrict a policy: by source address, by source user, by Internet Service Database objects, which you can use directly, by destination, and so on. There are many possibilities, but I have given you the idea: by Internet service, by schedule (time), and by service, and there are many built-in services such as HTTP, HTTPS and FTP.
So, in the real world, when you create a policy you have to make it as restrictive as you can. Do not set everything to all, always and ALL services. You have to be more specific: use the source, use the destination, use the schedule and use the service; make them more restrictive by users as well, by MAC addresses and by IP addresses. For example, this is an accept policy; you can create a deny policy the same way, with the action set to deny, and that denies only the matching traffic.
So, anything hitting this policy is handled by it, with whatever you configure here. We will see the logs of this policy, and whenever a policy is created we will discuss how the policy list looks, how we can view it by sequence number, and so on.
So, this was an important topic.
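The GUI steps from Lecture 28 (an address object and a source-IP policy) and Lecture 29 (restricting the same policy by service and by a recurring schedule) map onto the FortiOS CLI below. This is an added example and not configuration from the course; the interface names (port2 as LAN, port1 as WAN), the PC2 address 192.168.1.20, and the object names are assumptions for the example.

```fortios
# Added example (not from the course). Assumptions: port2 = LAN, port1 = WAN,
# PC2 = 192.168.1.20. Object names are illustrative.

# Lecture 28: a single-host address object, tied to the LAN interface
config firewall address
    edit "PC2"
        set type ipmask
        set subnet 192.168.1.20 255.255.255.255
        set associated-interface "port2"
    next
end

# Lecture 29: a recurring schedule for Monday to Friday only.
# start 00:00 and end 00:00 means the whole day on the selected days.
config firewall schedule recurring
    edit "Weekdays"
        set day monday tuesday wednesday thursday friday
        set start 00:00
        set end 00:00
    next
end

# The policy: PC2 only, HTTP and PING only, weekdays only, every session logged.
# "edit 0" lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set name "PC2-to-WAN"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "PC2"
        set dstaddr "all"
        set action accept
        set schedule "Weekdays"
        set service "HTTP" "PING"
        set nat enable
        set logtraffic all
    next
end
```

Changing `set schedule "Weekdays"` back to `"always"` reproduces the "it works again" moment from the lecture, and a weekend test with the weekday schedule in place reproduces the failure. The Forward Traffic log shows the policy ID each session matched, which is how you confirm that PC2 hit this policy and not the MAC-based one above it.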
30. Lecture-30: FortiGate Firewall DHCP Server Theory.
Today our topic is DHCP: how we can configure DHCP on the FortiGate firewall. DHCP means Dynamic Host Configuration Protocol. As the name suggests, dynamic means it dynamically configures the device which connects to the network, configuration means it configures the host, and protocol means a set of rules and regulations. So this protocol dynamically and automatically configures the system, and that configuration includes the IP address, subnet mask, default gateway, DNS and many other details, which we call options. The options are numbered: option 1, 2, 3, 4, 5, 6 and so on, and there are many more you can configure; for example, if you want to hand out an NTP server there is an option number for that. I will show you the list later.
So, basically DHCP not only provides the IP address but can provide the gateway, DNS, domain name, the wireless LAN controller address and many other details to the hosts, and a host is nothing but any device connected to your network. So this is DHCP. You will find DHCP everywhere. At home you have Wi-Fi: when you get home you connect directly to your device without typing any IP address.
So, how you get connected to that device is basically through DHCP.
So, from the home to the enterprise network you will find a DHCP server everywhere. In the enterprise you will see a Windows DHCP server, which I will show you in the lab as well, because in the real world nobody is using a FortiGate firewall, or any other firewall such as Juniper, as the DHCP server. But you can: if you have a smaller organization you can use it. I am not saying you cannot, but in a big organization you will find a dedicated DHCP server, either Linux or, most of the time, maybe 80 percent, a Windows server. You can also make a Cisco router or switch a DHCP server, you can make any firewall a DHCP server, and you can make Linux a DHCP server.
So, this is Dynamic Host Configuration Protocol. Now, DHCP is UDP based; we know UDP is User Datagram Protocol. Normally the client side of an application uses a random source port, but DHCP uses two well-known ports, which I will show you in Wireshark: port 67 and port 68. The client uses 68 and the server uses 67. For most applications only the destination port is fixed and the source port is random; for example, if you go to a website your source port is random and your destination is 80 or 443 and so on. But in this case both ports are fixed. Now what else? Basically we create a pool of IP addresses: this is my pool, it is applied to the hosts, and whenever they request, the server provides them all these details. We call it a pool, which is nothing but a range. DHCP works on the same model as other applications, which we call client-server: one side is the server and one is the client.
So, a FortiGate firewall can be configured as a DHCP server, a FortiGate can be configured as a DHCP client, and a FortiGate can be configured as a DHCP relay agent; we will see all three. You will see DHCP everywhere, from your home to the big organization, and it provides not only the IP but the domain name, gateway, subnet mask, DNS, TFTP server, wireless LAN controller and so on.
So, many things you can hand out through DHCP. Okay, this is DHCP. Now, why do we need DHCP?
So, definitely your management will be easy: addressing is managed by a DHCP server rather than you going to every system and typing the IP address on every host, every device and every server.
So, that is a difficult task to maintain, and as a human you can make a mistake; there can be an error and then there will be a conflict between IPs. DHCP does everything for you dynamically. And it is a centralized system where you configure everything in one place and can see who is connected: what their MAC address is and what IP address was assigned to them. You can reserve an IP for a host, release an IP, remove a lease, block an IP address, block based on a MAC address list, and block by hostname.
So, many things you can do with DHCP which are very difficult to do manually, going to every system and reusing an IP address. You can see which IP is in use and since when it has been in use, you can renew the IP, release the IP, and so on.
So, that is why we need DHCP, to make things easy for us. Now, as I told you, the FortiGate firewall can be configured in three different ways. First as a server: what is a DHCP server? It is the one that hands out IP addresses and all the details I mentioned; you can give them through the DHCP server to the clients.
So, the hosts will receive those details.
So, it means DHCP is a service, and the FortiGate firewall is playing the role of the DHCP server. Whenever somebody connects to any zone or interface, they will get their configuration automatically from the DHCP server on that interface.
So, this is regarding the DHCP server.
So, another thing is the client. We can make the FortiGate firewall a DHCP client as well, to retrieve and obtain its interface configuration from another DHCP server. So it can be configured as a server, and as a client it will receive the information from another DHCP server and configure its interfaces with it; there it plays the role of the client, and the client uses port 68. Then the third one is DHCP relay. What is DHCP relay? It is like an agent. Whenever there is a layer 3 device between the DHCP server and the host, that device will not forward the DHCP broadcast; a layer 3 device can be a router, it can be a firewall, it can be a layer 3 switch.
So, whenever a layer 3 device sits between the DHCP server and the host, the DHCP request will never reach the server, because a layer 3 device does not forward broadcast packets. And all the DHCP packets are broadcast: the process, which is DORA (Discover, Offer, Request, Acknowledgment) and which we will see, has the client send the Discover as a broadcast, the server reply with the Offer as a broadcast, the client send the Request as a broadcast, and the server give the IP details in the Acknowledgment as a broadcast.
So, a broadcast cannot pass a layer 3 device, and any such device, like a FortiGate, like Palo Alto, like Juniper, like any other firewall, will terminate the broadcast. Then we need to configure that device as a DHCP relay agent.
So, the relay will turn the broadcast into a unicast and forward it to the DHCP server, and turn the server's unicast reply back into a broadcast for the host, which we will see again in Wireshark. I have shown this on the ASA firewall and on Palo Alto as well to my old students, but anyway, I will show you here as well.
So, this is regarding DHCP. Now, coming to those four messages I was talking about. When you connect a client to the network, the client and the server send and receive four messages, which we call DORA: D for Discover, O for Offer, R for Request, A for Acknowledgment. The client comes up and sends a Discover as a broadcast: is there anybody to give me an IP and the details like DNS, domain, WINS server, gateway? Is there anybody to give me all these details?
So, this packet is a broadcast: the destination MAC address is always the broadcast address, which I will show you in Wireshark as well. If we go into the Ethernet header, the destination is set to broadcast, so you can see the MAC address is ff:ff:ff:ff:ff:ff. You can convert this from hexadecimal to decimal.
So, each ff becomes 255, and if you take 255 back from decimal to hexadecimal it becomes ff again; the same all-ones pattern is what a broadcast looks like at both layers.
So, that is why the broadcast MAC address is all ff, which is only the physical layer; the destination IP address is 255.255.255.255, the broadcast IP. Not only that; again, we will see it in Wireshark: the source IP is 0.0.0.0, because the client has nothing yet. The client broadcasts with source 0.0.0.0 and destination 255.255.255.255: is anybody there to give me an IP and the details? Then the server replies with the Offer message; this packet also goes to the broadcast MAC address and the broadcast IP, because the client still has no address of its own. The server says: yes, I can offer you this IP address.
So, this is the Offer. Then the client sends a Request: yes, I accept. Again, the client does not have the IP yet; the server has only offered it, not given it. And again this is a broadcast, sent to the broadcast MAC address. I am showing you this because of relay.
So, when we do relay, you will see that this broadcast will not pass through the firewall.
So, that is why relay is needed.
So, on the Request, the server sends an Acknowledgment: yes, let me give you the IP and the details.
So, this is called the acknowledgment.
So, altogether we call it DORA: Discover, Offer, Request, Acknowledgment. This way, after four messages, the client receives the IP address and the details. Okay, so how do we configure this under an interface? There is a DHCP server section where we assign a range; you can create more than one range with the plus button. Then definitely the netmask and the default gateway you want to assign, which can be the interface IP or whatever gateway you configure. For DNS you can either hand out the same servers as the system DNS or specify DNS server IP addresses; it is up to you. Lease time means how long this IP stays with the host; when this period is completed,
So, it will be renewed automatically; if the system is no longer there, the address goes back into the pool and can be given to someone else. Then there is some extra stuff. Which mode do you want to use? Because this interface can be a DHCP server or a DHCP relay, and we will do both; right now I am using the FortiGate firewall as the DHCP server. Then there is the server type: regular or IPsec. Normally you will use regular; the IPsec type is for dial-up VPN clients, so that they get an address when they connect. I will show you.
So, there is NTP (Network Time Protocol) if you want to hand out a time server, the wireless LAN controller address, where you can specify either the interface IP or a controller IP, the time zone you want to give, and the next bootstrap server.
So, you can also add additional DHCP options, which is a huge list; for example, if you want to hand out a TFTP server to IP phones and similar devices.
So, then you have to configure the option code: for a TFTP server name it is option 66. DHCP has many options, and to give the client more than the defaults you configure them under Additional DHCP Options: create new, enter the code, the type and the value. There is also MAC-based filtering, where you can block someone by MAC address or reserve a specific IP for a MAC address; that is under IP Address Assignment Rules. So you can do many things from here.
So, I have already explained all these things; you can see them from here.
So, let's do it in the lab.
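The DHCP server settings just described (range, gateway, netmask, DNS, lease time, server type, NTP, time zone, next bootstrap server, additional options such as 66, and MAC-based reservation or blocking) and the relay role from the earlier part of the lecture correspond to the FortiOS CLI below. This is an added example, not configuration from the course; interface names, subnets, the TFTP hostname, the relay target and the MAC addresses are assumptions.

```fortios
# Added example (not from the course). Assumptions: port2 = LAN segment served
# by the FortiGate, port3 = a segment whose requests are relayed to a central
# DHCP server at 10.10.10.5. Addresses and MACs are illustrative.

# FortiGate as DHCP server on port2
config system dhcp server
    edit 1
        set status enable
        set interface "port2"
        set server-type regular
        set default-gateway 192.168.1.1
        set netmask 255.255.255.0
        set lease-time 604800
        set dns-service default
        set ntp-service local
        set timezone-option default
        set next-server 192.168.1.10
        config ip-range
            edit 1
                set start-ip 192.168.1.100
                set end-ip 192.168.1.199
            next
        end
        # Additional option: 66 = TFTP server name, as a string
        config options
            edit 1
                set code 66
                set type string
                set value "tftp.example.internal"
            next
        end
        # MAC-based rules: reserve one address, block one device outright.
        # Unknown MACs fall through to the default action (assign from the range).
        set mac-acl-default-action assign
        config reserved-address
            edit 1
                set type regular
                set mac 00:0c:29:aa:bb:01
                set action assign
                set ip 192.168.1.50
            next
            edit 2
                set type regular
                set mac 00:0c:29:aa:bb:02
                set action block
            next
        end
    next
end

# FortiGate as DHCP relay on port3: the broadcast Discover/Request from that
# segment is forwarded as unicast to the central server, and its replies are
# sent back to the client.
config system interface
    edit "port3"
        set dhcp-relay-service enable
        set dhcp-relay-ip "10.10.10.5"
    next
end
```

After a client obtains an address, `execute dhcp lease-list` on the FortiGate shows the MAC, the assigned IP and the lease expiry, which is the centralized view of who is connected that the lecture mentions. Changing `set mac-acl-default-action assign` to `block` turns the reserved-address list into an allow-list, so only listed MACs receive addresses; that is the stricter posture for a segment where every device is known.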