Fortinet NSE4_FGT-7.2 — FortiGate Firewall — Section 1: FortiGate Firewall V6.4 1 Part 39
54. Lecture-54: Source NAT, Central Secure NAT (SNAT).
Last time we were doing source NAT, okay? With source NAT we used the IP pool types: overload, which uses only one IP for many hosts, and then the other dynamic types, one-to-one, fixed port range and port block allocation.
Related to source NAT there is another concept, which is central SNAT. The S in SNAT means secure, by the way, but it is used for source NAT; the name is central secure network address translation.
So rather than applying NAT inside every policy, we can create a central NAT. The name also says it: central NAT. We will use it to translate the source, I mean the original source; when the source is changed, we call it source NAT.
So, let's go. This is the same topology which we created last time, and we will use the same policy with the NAT inside. We have 192.168.1.0 assigned to my inside interface, which is port2, and port1 is external; I'm also using it for management. 192.168.114.100 is the external side, my NAT cloud. In your case that range can be different. You can keep your own range in your lab, but it will only match mine if by chance both ranges are the same; otherwise change yours to mine if you really want to follow my topology.
What you can do: this one is 114, and you can change it. When you click on the NAT cloud, here is where you change it. In your case it will show 192.168.something; just put 114 and apply. After that your range will be the same as mine.
Otherwise it is not important which range I'm using; the gateway will be changed automatically.
So this is the outside. I keep one server there; when you click on it and check the IP configuration you can find its address. Inside I have PC1 with IP 192.168.1.1, PC2 with .2 and Server1 with .3, and I also have a router which we will use today and give an address as well. I have an FTP and HTTP server, which is this one, and PC2 can be used as a client. The toolbox here is used as a server, and its client is outside.
So the IP addresses are already assigned. If I go to the console, this is the outside IP, which I'm using for management as well.
Let me go to any browser and access this firewall. The username is admin by default and the password is 123. Because I did not shut the system down properly last time, it shows this message, but it's okay. Let me quickly show the two interfaces we are using.
LAN is using 192.168.1.x, and WAN is 192.168.114.100, which is also used for management access. DNS is configured, which is easy; I did it with one DNS server. We also have a static route so that all traffic goes to 192.168.114.2, which is the next hop. And we have a policy: go to Policy & Objects, IPv4 Policy. Here we have the LAN policy, which we left last time with port block allocation. We are done with everything inside the policy, with every combination of NAT. Now we will use central NAT.
I cannot see central NAT anywhere. If I go to Network there is no central NAT; under System I cannot see it; under Security Profiles, nothing. So basically central NAT is not enabled by default.
What I need to do is go to System, Settings, and when you scroll down you will find it. Last time we discussed NAT in the firewall policy, and I already told you a little bit about central NAT earlier as well.
Central NAT is here: you click on it and apply. Now you should see central NAT under Policy & Objects, but we still cannot see it. Why?
Even though I enabled it here, if I go to System, Settings again, it shows central NAT as disabled. So something is wrong. It said the changes were saved, but when I come back it is disabled. The GUI will never show you an error for this. What is the error? Central NAT is not going to be enabled.
The best approach is to go to the CLI, either from here or from the CLI console that exists in the GUI. I can go here; this one is better. Username admin, password 123, because everything can be done through commands as well.
Let me go: config system settings, and here I will say set central-nat enable.
When I enable central NAT from the CLI, just like clicking in the GUI, it now gives me the error: central NAT cannot be enabled because a firewall policy is using an IP pool. The GUI never gives this error; it just silently drops the change.
So for something like this you have to go to the CLI. It clearly says the reason: you are using an IP pool. You remember last time, maybe you forgot, but when we were doing NAT we used IP pools.
Last time we created IP pools for each type: overload, one-to-one and port block allocation, and we used them in the policy.
So it says you cannot enable central NAT until you remove the IP pool from the policy, because with central NAT the NAT will no longer be inside the policy. Everything we did was inside the policy: remember the NAT option inside the rule, and the IP pool selected there.
So if you are using an IP pool, first check the references: overload is not used, one-to-one is not used, but port block allocation is used, as shown in the Ref column. How do we find where? Click on the reference.
When I click on the reference, it shows the rule that is using it, the policy where it is used.
So either delete it from here, or go to the policy and remove the pool from it. Now the reference count is zero, and it will not give me the error anymore, because no policy is using the pool.
So the IP pool was used inside the policy; that is what central NAT complains about. Now this time there is no error. Type end and get out of here. Now let me check: Network, refresh, and also Policy & Objects, and Central SNAT is available now. One thing more changes: destination NAT. With central NAT enabled it is called DNAT & Virtual IPs, and if I go to System, Settings and disable central NAT, it is called Virtual IPs only.
Let me go to central NAT and disable it, so you will see the difference, because otherwise you will be confused.
Sometimes the menu says Virtual IPs only, but if I enable central NAT and apply,
what was Virtual IPs becomes DNAT & Virtual IPs, and Central SNAT appears under Policy & Objects.
So keep in mind things change when you enable something. We will get to destination NAT and virtual IPs later. Right now my target is central SNAT, so click on it. But what is the difference? If I create a policy now, look: there is no NAT option anymore, because central NAT is enabled.
So now, after the policy is matched, the central SNAT rule will be applied.
It means there is no need for NAT inside the policy. Last time whatever we did, we did inside the policy. Now it is outside the policy, in a centralized location which is called Central SNAT.
So there is no need to create NAT in the policy; it is not available. If I disable central NAT, the NAT option will be back in the policy, but it is gone now because I enabled central NAT. It's okay.
I don't need to create NAT inside every policy, but we are still doing source NAT: central SNAT is used to translate my source IP.
So what I need to do: click on Central SNAT. There is nothing yet. The columns are ID, from, to, original source and destination address, translated address, original port and translated port, and you can enable, disable, search, delete and edit rules just like any other rule, and create many rules for different purposes. Click Create New: incoming interface LAN, outgoing interface outside. Source can be anything; I will say any, going to any destination, or you can specify. Everything is similar to the NAT inside the policy, but in a centralized location. Keep in mind this is a central SNAT rule, not a firewall policy. Here it asks for the IP pool configuration; if you don't need NAT for some reason, maybe because you are going to another internal zone, you can disable it.
Use outgoing interface address is the same concept as before: use my outside interface IP, 192.168.114.100, and translate everything to that one IP, which we also did inside the policy. Or use a dynamic IP pool. It's the same thing, but in a centralized location, not in every policy; that is the difference. Then you choose which protocol the rule applies to: TCP, UDP, or a protocol number, which I showed you many times, like TCP is 6, UDP is 17, and you can specify ICMP as well, or any. I will leave it as any and use the outgoing interface to translate. You can explicitly set the port as well, but we don't need that right now. You can add a comment. This is a central SNAT rule, not the policy with which we allow something, and we want to enable it. Okay, so my first central SNAT rule is created, which is just like the NAT we created inside each policy, but in a centralized location. Now let me create a firewall policy; this time it will not require NAT.
Let me give it a name: LAN to WAN, because the previous one was deleted when I enabled central NAT.
Incoming LAN, outgoing WAN, any source, any destination, all the time, all services. There is no NAT option; it will take it automatically from central SNAT. No security profiles, we already did those. Log all sessions so we can see them, enable this rule and okay. So now we have only one policy, and I don't need to create the NAT rule there; it's done.
So let's try again: my PC going from inside to outside.
Let me open the console of PC1. For some reason this one is not working; sometimes it doesn't and I need to restart it, so it's better to use Server1's console. We just need something to generate traffic.
Ping from here, and I get a reply.
So it's working, and it will be NATed. How do we know?
If I refresh this, you will see that earlier there were zero bytes, and now there is some traffic hitting this policy. It means this policy is being used. Now how can we verify source NAT, like we did the other time?
Basically we go to Log & Report, Forward Traffic. This is the best place to verify source NAT.
Here is 192.168.1.3, LAN to WAN, ICMP, Internet Control Message Protocol. The destination is this one. But we need something else.
Let me add the Source NAT address column and the Source NAT port column; bring them here next to source and destination. It's better to arrange them together.
So it is good to see both; there is more space as well, so putting them here is better.
My source is 192.168.1.3, which is Server1.
When it goes outside to 8.8.8.8, which is the destination address, source NAT is applied and the IP is changed to 192.168.114.100, which is nothing but my outside interface IP, because my central SNAT rule uses the outgoing interface address.
Let me go from another system, the router, as well.
Let me check its IP configuration; yes, it has the address it needs. Let me ping from here to yahoo.com. Now let's go back and refresh the log; you should see two IPs, although the earlier session may have expired.
So let me use this one, and now you see two.
192.168.1.3 and 192.168.1.4 have both been translated to one IP, 192.168.114.100. So the source has been exchanged.
That's why we call it source NAT: the source was .3, the destination is still the same, but the source changed, and to only one IP, the interface one.
That's why we also call it interface NAT, because we are using the outgoing interface address. The static NAT concept is different, as I told you last time. So this is central SNAT using the outgoing interface. Let's go back to Policy & Objects, Central SNAT again. We created this rule to use the outgoing interface. Can we do something else with this centralized source NAT?
Yes: there is Use Dynamic IP Pool. The dynamic pools we created last time are not there anymore; you can create one here, or go to IP Pools, which we did last time but used inside the policy.
Let me create one: overload, which is nothing but a range starting from .100.
It will give me more sessions, because the outgoing interface can only give you one IP, as I mentioned last time, while this one gives you several. This time I said I need more.
So, more addresses,
multiplied by the ports on each one,
means you can create more sessions.
So this time in central SNAT I use a dynamic IP pool, the same concept as in the policy but centralized. Click OK, and now it uses a range of IPs.
If I check again, it can use multiple IPs. How do we see it? Ping from 192.168.1.3 and .4 and view the sessions, and you will see different IPs: .103 is being used, and .104 is being used. Before, when we checked, only one IP was used, .100, because we were using the outside interface IP. This time I gave a range starting from 192.168.114.100, so it picks any IP from the range, and each IP supports its own full range of ports.
So I can support more sessions: more IPs outside means more sessions. This is the only thing we need, a dynamic range, which I showed you last time.
Can we do something more with central SNAT, like in the policy? Yes, the same concept. Let me go to Central SNAT and change the rule to use the one-to-one pool. Remember, one-to-one from 192.168.114.200 to .201; it allows only the IPs in the range.
In this case, .200 to .201, only two systems can go, because the range is only two IPs.
So if I use one-to-one, it means two PCs can go out at the same time.
We have two systems going, and this system is already going. But if I try a third system, it will never go. My third system is not running; let me see if it runs.
I need to restart it anyway. If I ping from here it will not go. But the two IPs are still going, because we have one-to-one with two addresses. I can change the range: go to IP Pools, one-to-one, and make it .200 only; then only one system can go at a time.
Now if I ping from here it will not go: one is working, the other is not going. I told you last time the difference between overload and one-to-one, which we created last time; if you don't have it, create it here. Remember: the dynamic pool has a range; overload, one-to-one, and so on.
So you can use these dynamic ranges with central SNAT. Last time we did it in every policy; now it is in a centralized location. That's the only difference. Okay, so only one system can go. Let's go back to central SNAT. Can we do something else? Yes, we can use port block allocation like last time; no need to repeat everything. And you can restrict the rule to TCP only.
If it is other traffic, it will not be NATed by this rule, and you can specify your own protocol. Let me set this one back to outgoing interface. No, let me clarify one more thing first. Now I'm using one-to-one.
One-to-one, and I put only one IP in the pool.
That's why this system cannot go: that one IP is already reserved by the other system, which is using it.
So who is using it? Let me see the sessions; the traffic is still there. I think the session is stuck.
I need to refresh: clear the session and remove it.
Let me clear another session as well.
Now Server1 should start working and go outside. None of them is using the IP, but it's still not going. Let me check my rule; did I do something wrong? LAN to WAN, one-to-one, protocol TCP. But this is ICMP! By mistake I set this rule to TCP only. I set it to any, and now you can see the traffic from Server1 is leaving, and the other one cannot use the IP.
Now I need to show you one more thing. Central SNAT doesn't mean you can create only one rule. Create a new one: again from LAN to WAN, source anything, destination anything, and this time use the outgoing interface. It can use any other option as well.
So now I have two rules. They will be checked from top to bottom.
Before, the router was not working; now it has started to work. One is going through the one-to-one rule, and the other through the second rule.
Let me go to the console. For this I need to clear the sessions. Remember, it checks from top to bottom. Let me put this one on top, like a policy, and try now. It's okay now. This is what I need to show you.
Both are working now. Why? This hit icon means that this rule has been matched; the other one was not working before.
So you can create multiple central SNAT rules, like policies, and they are checked from top to bottom.
One was not working because at that time I had only one rule. Now I have two: this one uses one-to-one with one IP,
and the other one uses the outgoing interface, because I created it afterwards.
So one system is using this rule and the other is using the other rule. How do we know?
Let's go to the log.
One will be .200 and the other will be the interface IP. By the way, the session was already there, but they are using both rules. Let me show one more thing: if I put the outgoing interface rule on top, the one-to-one rule is not hit anymore.
If I put it on top, traffic will not go to the second rule, because central SNAT is nothing but like a policy, read from top to bottom. It is good to remember this. That's what I wanted to show you.
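To make the matching and pool behaviour concrete, here is an added Python model of central SNAT rule evaluation; it is not FortiGate code and not from the lecture. Rules are tried top to bottom; a rule translates to the outgoing interface IP, an overload pool or a one-to-one pool, and a one-to-one pool with two addresses refuses a third host. The interface names port1/port2 and the lab addresses come from the lecture; the pool ranges, the last-octet spreading for overload and the protocol numbers are constructed/assumed for the demo.

```python
"""Added model of FortiGate central SNAT address selection (not FortiGate code).
Rules are evaluated top to bottom; the first match decides the translation."""
from dataclasses import dataclass, field
from typing import Optional

PROTO_ANY, PROTO_ICMP, PROTO_TCP = 0, 1, 6        # IP protocol numbers
INTERFACE_IP = {"port1": "192.168.114.100"}        # lab WAN interface IP


@dataclass
class IPPool:
    name: str
    kind: str                       # "overload" or "one-to-one"
    addrs: list
    bindings: dict = field(default_factory=dict)   # one-to-one: host -> external

    def translate(self, src: str) -> Optional[str]:
        """External address for src, or None when the pool has nothing left."""
        if self.kind == "overload":
            # Overload is PAT: hosts share the range, ports keep sessions apart.
            # Spread by last octet here (constructed; the real box differs).
            return self.addrs[int(src.rsplit(".", 1)[1]) % len(self.addrs)]
        if src in self.bindings:                   # host already holds an address
            return self.bindings[src]
        free = [a for a in self.addrs if a not in self.bindings.values()]
        if not free:
            return None                            # third host on a two-IP pool
        self.bindings[src] = free[0]
        return free[0]


@dataclass
class CentralSNATRule:
    rule_id: int
    srcintf: str
    dstintf: str
    protocol: int = PROTO_ANY
    pool: Optional[IPPool] = None   # None -> "use outgoing interface address"

    def matches(self, srcintf: str, dstintf: str, proto: int) -> bool:
        return (self.srcintf == srcintf and self.dstintf == dstintf
                and self.protocol in (PROTO_ANY, proto))


def apply_central_snat(rules, srcintf, dstintf, srcip, proto):
    """Return (rule_id, translated_ip). rule_id is None if no rule matches;
    translated_ip is None if the matched pool is exhausted (session dropped)."""
    for rule in rules:                             # top to bottom, first hit wins
        if rule.matches(srcintf, dstintf, proto):
            if rule.pool is None:
                return rule.rule_id, INTERFACE_IP[dstintf]
            return rule.rule_id, rule.pool.translate(srcip)
    return None, None


def demo():
    # Constructed scenario from the lecture: rule 1 is the one-to-one pool rule
    # that was mistakenly limited to TCP; rule 2, added later, uses the interface.
    pool = IPPool("one-to-one", "one-to-one", ["192.168.114.200", "192.168.114.201"])
    rules = [CentralSNATRule(1, "port2", "port1", PROTO_TCP, pool),
             CentralSNATRule(2, "port2", "port1")]
    out = {}
    for host in ("192.168.1.3", "192.168.1.4", "192.168.1.5"):
        out[(host, "tcp")] = apply_central_snat(rules, "port2", "port1", host, PROTO_TCP)
    out[("192.168.1.3", "icmp")] = apply_central_snat(
        rules, "port2", "port1", "192.168.1.3", PROTO_ICMP)
    return out
```

Running demo() shows .3 and .4 bound to .200 and .201, .5 refused by the exhausted one-to-one pool, and ICMP from .3 skipping the TCP-only rule and landing on the interface rule below it.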
So let me check if I missed something in central NAT.
This was our topology. We log in with the default admin account, and these are the commands we used to enable central NAT. Then you create a central SNAT rule and a firewall policy, and test. We can see the NAT from the Forward Traffic log, and also from the command line, which I missed to show you.
Log in as admin.
There are two commands which I will tell you about in the next class: the session list commands.
Here you will see the source; the session list is still empty now, and next class you will see something here.
They are using the translated address and going to 8.8.8.8 for DNS; whatever traffic they are using is translated to this IP. And this one is also translated to the 192.168.114 address. That's it.
So this is central NAT, what we call central secure network address translation.