Fortinet NSE4_FGT-7.2 — FortiGate Firewall — Section 1: FortiGate Firewall V6.4 1 Part 3
3. Lecture-03: Introduction to Firewall Technologies.
What is a firewall? Basically, a firewall is a system: a device, hardware, software, or a combination of these, sitting on the border between your trusted (inside) network and the untrusted (outside) network. It protects you by checking your traffic, incoming and outgoing. Nobody can give you a one-line definition, because a firewall nowadays does so many things: it can do NAT for you, it can do routing, it can protect your devices, it can do IDS and IPS, it can monitor and inspect traffic. A next-generation firewall does all of this to protect your assets. It can be hardware, it can be software, it can be cloud-based, it can be a combination of all of these. It is not physically one thing you can point at and say "this is a firewall". Broadly, there are hardware-based firewalls and software-based firewalls.
So, basically it is filtering, and firewalls use many techniques to protect your data. These techniques are divided into three main generations: first-generation firewalls, second-generation firewalls and third-generation firewalls. It is like with people: we say that our parents and elders are the old generation; they don't know the new technology, and the new generation thinks differently. In the same way, the first generation is the old method, the packet filter firewall, which we will discuss a little later. The second generation was the application-layer firewall. The third generation, which we are using today, is the stateful firewall and the next-generation firewall, which does inspection properly. We will discuss all three a little later, but in a few words a firewall is the thing that protects your inside so that nobody can come in or go out without your permission, and which identifies good traffic and bad traffic. Otherwise, as I told you, it is not possible to explain a firewall in one sentence. There are so many firewalls: Palo Alto, Fortinet (FortiGate), Cisco and many others; I will tell you about those as well. In this course we are using FortiGate, and I will tell you why and what the differences are.
So, the first one is the stateful firewall. What does stateful actually mean? A stateful firewall keeps a record of every connection: whenever a connection starts, it goes into a state table.
So, it is like a security guard at your home: whenever somebody goes out and comes back, the security guard will not stop them, because he saw this guy leaving and knows he belongs to this home.
So, the return is known automatically, because the guard kept a record of who went out.
So, he can come back at any time.
So, this is what we call a stateful firewall. When you initiate traffic from a secure zone and it goes out, and the return traffic comes back, the firewall checks the connection table: is there an existing connection for this traffic? If yes, it is allowed directly, because you initiated it from the inside. The firewall keeps this record of the session, and any next-generation firewall has this capability. Let me show you in the lab. Whether it is FortiGate, Palo Alto, Cisco or any other firewall, they all have the same stateful capability.
So, in the lab, R2 is outside and R1 is inside, with the firewall in the middle.
So, let me initiate traffic from the inside, R1, to R2.
So, let me ping R2 from R1. The system is slow for some reason, so let me shut down the other devices to free up some resources. Okay, the ping is going through.
So, let me quickly come to the firewall and look at the connection table. There is a connection: ICMP (Internet Control Message Protocol) from the inside host R1 to the outside host R2. I did not configure anything for the return traffic; this connection entry was created automatically.
So, that is why, when R2 is replying, the reply is allowed: when the return traffic comes in, the connection already exists in the table. But now let me do it from the other side. From R2 I will ping R1, and we will see something different: no echo reply comes back.
So, the echo request from R2 is not allowed. When I ping from R1 to R2 it works and I receive the replies from R2, but when R2 generates traffic towards R1 it does not go through. Why? Because from R1 I initiated the connection and the firewall recorded it, so the reply was allowed; but R2 initiating a connection towards R1 is stopped. Like I said: I go out from home, maybe to buy some bread or milk.
So, when I come back, the security guard does not stop me, because he knows me: this guy just left the home and is coming back; there is already a connection established. But when somebody comes directly from outside and tries to enter my home, the security guard will stop them, until and unless they get permission. That is another story: I am not saying outside traffic can never come in; there are so many ways to create a policy for that, but the outsider has to show the security guard some identity before being allowed. The point is that a stateful firewall keeps a record of the connection, and a stateless firewall does not keep any record.
So, this is an issue: even if you go out from the inside, the return traffic is not allowed. We saw the stateful firewall already. Now let me show you a stateless firewall. On this firewall I configured an access list which allows traffic from R1 to the outside, but the return traffic is not allowed.
So, the return traffic is not coming back. Let me zoom in on this one.
So, let me put this stateless device in the middle, with R1 here, and it is the same story as before; we will see whether the ping from R1 is successful or not. If not, I will show you why, so that you get the idea about a stateless firewall: it is a fast firewall, but it is not keeping records, so if you go out of the building, when you come back,
So, you need to get permission again. In the previous case, my home security guard knew me because he has been working with me for the last 10 years.
So, when I go out for bread and come back, he does not ask me anything and allows me in. But when I go to some other office where the guard does not know me, he stops me when I enter, and when I go out and come back he will stop me again, even if I say "no, no, I just went out for a cigarette and I am coming back". Let me give you another example of stateful versus stateless: when you go to a club,
So, they put a stamp on your hand at the entrance.
So, what is this stamp for? I will tell you.
So, when you go inside the club and then come out for a cigarette or whatever,
So, when you go back in, the security guard checks your hand: if the stamp is there, they will let you in. This is the stateful firewall: the stamp is the record that he was inside, then he came out, so he can go inside again. But when somebody is going to enter the club for the first time,
So, the security guard will stop them there: they don't have a stamp, it means this is their first time, and they have to take permission and pay something. The stateless firewall is not like this: there is no stamp, no record, nothing.
So, if I ping from R1 to R2, the same as I did in the previous case, it is not allowing me. Is the ping not going out, or is the reply not reaching back? Let me enable debug ICMP on R2 and send the ping again. R2 is receiving the echo requests. Let me look at the debug output now; after a while you will see the ping here, because the system is slow for some reason.
So, after a while you will see that R2 receives the echo request from R1 and sends the echo reply back to R1, but R1 receives the message "administratively prohibited, unreachable". Why? Because there is a firewall with a rule: I said allow traffic from inside to go to R2, but on the outside interface I said deny any any. There is a rule that nobody is allowed in from the outside, and that includes the return traffic.
So, because this firewall is not keeping any record, whoever goes out is not allowed to come back. Not like the stateful one; you got my point? It is the same story, but this device is not keeping a record of the connection, so there is nothing to check whether R1 went out.
So, R2 is not allowed to come back, because there is no such record of the connection. The stateful firewall keeps this record. Normally on a stateless device we use an ACL, which I showed you in the configuration.
So, you need two rules, one for inside and one for outside, to allow the traffic in both directions; the stateful firewall does not need this. The third type is the packet filter firewall, which is the first-generation firewall I mentioned; it is basically stateless and can be static or dynamic packet filtering. The packet filter firewall checks the source IP, the destination IP and the port number, like 80, 443, whatever you want.
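The stateful and stateless demos above, as an added example that is not from the lecture or from any vendor: a small Python model of the two firewall types running the same ping exchange (R1 inside, R2 outside), including the two-rule workaround a stateless filter needs. The packet fields, rule format and R1/R2 labels are my own construction.

```python
from dataclasses import dataclass

# Constructed lab mirroring the lecture's demo: R1 is on the firewall's
# inside interface, R2 on its outside interface (labels are my own).
R1, R2 = "R1", "R2"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "icmp" in the ping demo
    kind: str       # "echo-request" or "echo-reply"
    in_iface: str   # interface it arrives on: "inside" or "outside"

# Rule = (ingress interface, packet kind or "any", action); first match wins.
# The lecture's ACL: permit what enters on inside, deny any any on outside.
RULES_ONE_WAY = [
    ("inside", "any", "permit"),
    ("outside", "any", "deny"),
]
# The "two rules" fix for a stateless filter: also permit replies inbound.
# Caveat: this admits *any* echo-reply from outside, solicited or not.
RULES_TWO_WAY = [
    ("inside", "any", "permit"),
    ("outside", "echo-reply", "permit"),
    ("outside", "any", "deny"),
]

def stateless_decision(pkt, rules):
    """First-generation packet filter: each packet is judged by the rules alone."""
    for iface, kind, action in rules:
        if pkt.in_iface == iface and kind in ("any", pkt.kind):
            return action
    return "deny"  # implicit deny at the end of the list

class StatefulFirewall:
    """Keeps a connection table; return traffic of a recorded flow is permitted
    without consulting the rules (the guard who saw you leave the house)."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()  # (src, dst, proto) of flows the rules permitted

    def decision(self, pkt):
        # Reply to a flow we recorded earlier? Then it is allowed directly.
        if pkt.kind == "echo-reply" and (pkt.dst, pkt.src, pkt.proto) in self.table:
            return "permit"
        action = stateless_decision(pkt, self.rules)
        if action == "permit" and pkt.kind == "echo-request":
            self.table.add((pkt.src, pkt.dst, pkt.proto))  # remember the session
        return action

DEMO_TRAFFIC = [
    Packet(R1, R2, "icmp", "echo-request", "inside"),   # R1 pings R2
    Packet(R2, R1, "icmp", "echo-reply", "outside"),    # R2's reply comes back
    Packet(R2, R1, "icmp", "echo-request", "outside"),  # R2 pings R1 unsolicited
]

def run_demo(stateful, rules=RULES_ONE_WAY):
    """Verdict for each packet of the demo, in order."""
    fw = StatefulFirewall(rules)
    decide = fw.decision if stateful else (lambda p: stateless_decision(p, rules))
    return [decide(p) for p in DEMO_TRAFFIC]
```

With the one-way ACL the stateless filter drops R2's reply (the "administratively prohibited" case in the lecture), while the stateful firewall lets it through and still blocks the unsolicited ping from R2.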
So, this type we call a packet filter firewall. Then there is the proxy firewall. A proxy firewall basically sits in the middle: it receives the traffic on behalf of the client, passes it to the server, and when the server's traffic comes back,
So, it gives it to the client.
So, it hides the details of the inside; the proxy is doing everything, but it is a single point of failure: if this device goes down, your whole network loses its Internet access through it.
So, this type we call a proxy firewall; another name is application firewall. This is the second-generation firewall. It checks not only the source and destination but also the application, like DNS, HTTP and so on.
So, this type we call an application-layer firewall: it checks by application, not by port. Okay, another one is the personal firewall. What is a personal firewall? It is the firewall installed on your own system; we have so many firewalls installed here, like this one, the built-in Windows firewall, which protects our system, and we can also install a third-party personal firewall; there are so many, like Kaspersky and others. This is a software-based firewall that protects only your own device; we call it a personal firewall. Another type is the transparent firewall. Transparent means it works at layer 2, like a switch: you can assign the same subnet on both sides. Normally a firewall works like a router, so you cannot assign the same range to two interfaces; it will give you an error. Suppose I go to this router, do "show ip interface brief", and try to assign the same range to two interfaces: it will tell me that the address overlaps with the other interface. Different interfaces must be in different networks, and then you need a route between them. But in the case of a transparent firewall you can assign the same range, because it works on the basis of MAC addresses, not IP addresses; that is why we call it transparent. It is the same technology: in Cisco it is called a transparent firewall, in Palo Alto a virtual wire firewall, same technique, same method: the same network range on both sides, connected like a switch, a layer-2 firewall. We will use the same technology in FortiGate as well, between the two operating modes we will go through.
Another type is the traditional firewall, like a normal packet filter: it works on the basis of IP address and port number, blocking the traffic, which anybody can bypass by spoofing the IP address.
So, we call this a traditional network firewall. Then we have the zone-based firewall: you can make a firewall from a router, a Cisco router for example; you create zones and make the router work like a firewall. If the router supports it, you can create a zone-based firewall; it is a different way of doing it. Another one is the cloud-based firewall, when you deploy your firewall in the cloud, because everything is moving to the cloud: firewall as a service, security as a service, the same way we have software as a service and infrastructure as a service; we can have firewall as a service too. Last but not least is the virtual firewall, when you deploy your firewall as a virtual machine in a virtual environment such as VMware or Hyper-V; we call it a virtual firewall, and every vendor has a virtual version of its firewall as well. Now coming to the end: this is UTM, which means unified threat management. Most importantly, they will ask you: what is the difference between UTM and next-generation firewall? This is the most common question when they ask you in an interview. So, let's discuss what UTM is. Unified threat management is the combination of many security services: packet filtering, proxy, IDS and IPS protection, antivirus, URL filtering, data leak prevention, all these things, but processed separately, one after the other. Suppose you enter a bank: first the security guard checks you, then he sends you to a counter to get a token.
Then you go to another counter and they sign your documents. Then another counter checks your file, and another counter checks again, and you say, what the hell is this? I have passed so many counters in this bank. The same thing is done by UTM: the packet comes in, first it goes through the packet filter, then it passes to the next engine for data leak prevention, then antivirus, then URL filtering, then quality of service, and so on; it goes through each one in turn.
So, it is a slow process. It is doing the next-generation firewall's job, but in a slow, sequential way. The next-generation firewall has three main things: application identification, user identification and content identification. These three things make the next-generation firewall different from UTM and from any other firewall; otherwise, a next-generation firewall does all the things a traditional firewall does: the packet filter, stateful, stateless, all those things we studied are already included in the next-generation firewall. But the difference between other firewalls and the next-generation firewall is these three things: App-ID, User-ID and Content-ID. What do I mean? The next-generation firewall is not doing things by port; it is doing them by application: Facebook is one application, YouTube is another application, and so on, and it will identify the traffic that way.
So, this is called application identification. Then another thing is user identification: it checks not only the source IP but it can identify the user by user name.
So, this is another good thing, because anybody can spoof their IP, but they cannot spoof your user name, because you need a username and password to log in; only with those can they get through. And the last thing is content identification: anything in the content is checked: antivirus, IPS, proxy, quality of service, and so on.
So, there are many things which we will discuss later in the course; all these things check the data in case there is something malicious in it. And the fourth thing in a next-generation firewall is deep packet inspection. It is like a DNA test, which no other firewall does: a DNA test shows exactly who you are, while any other test, like a blood test, can be positive or can be wrong; deep packet inspection goes that deep into the packet. So, deep packet inspection is only in the next-generation firewall. Now coming to the last part, what is the difference between UTM and next-generation firewall, because UTM is also doing IPS, also doing antivirus, also doing URL filtering, also doing quality of service, the same essential things.
So, then what is the difference? The difference is that the next-generation firewall does it in one shot, in a single pass, and the UTM does it step by step. Like the example I gave: the UTM is this counter, then this counter, then this counter; the next-generation firewall is like a bank where just the security guard checks you, verifies your documents, and in one minute your file is ready and you go. That is the next-generation firewall doing it in one pass, while the UTM does it slowly, process after process, to make you tired. Okay, the last thing related to firewalls: a question they will ask you in an interview is where to deploy the firewall; what do you recommend? If you say "at the edge only", no: there is no such rule. You can deploy a firewall inside, you can deploy it at the edge, you can deploy it at the perimeter, you can deploy it inside your data center, you can deploy it to separate two different departments.
So, there is no single way or rule to deploy a firewall only externally; it can be anywhere in your network, depending on what is going on in your network and what your requirements are. You can deploy a firewall inside, outside, in the data center and at the perimeter.