Fortinet NSE4_FGT-7.2 — FortiGate Firewall — Section 1: FortiGate Firewall V6.4 1 Part 42
58. Lecture-58: Service Objects in FortiGate Firewall.
So, whenever we are in a policy and creating a rule, we always call services there as well, so here we have our services. Normally we use ALL, which means any service. Or we can use specific predefined ones like HTTP, HTTPS, SSH, RDP and so on, because those are already defined services and we always call them here. But if you want more control, you can specify exactly which services are allowed for a particular purpose. We can create a service object for TCP and UDP.
And you can create a category, you can create a service group, and you can create services individually, so there are three things you can do. There are some predefined categories. When we go to a policy and look at the services, they are grouped: General, Web Access (web-related services), File Access (file-related services), Email (email services like IMAP, POP3 and SMTP), Network Services (network-related things), Authentication, and Remote Access (remote access services like RDP). All of these are predefined.
So, each of them has its own category.
Some of them are already defined for us, which is a good thing, but you can also create your own. Let me show you another way to get there: simply click on Services.
So, these are the service names, these are the details (protocol and port), here it shows the category, and here it shows the references, meaning where each service is used. You can search, you can clone, you can delete, you can edit, and you can create three things: your own service for a specific port, your own group, and a new category like these ones, the General category, the Network Services category and so on.
So, first let's create a service.
So, click on Create New, then Service. Suppose I want to create a service for a particular application. Give it a name, whatever you like, a comment if you want, a color, and choose which category it goes in and whether to show it in the service list.
So, when you click on Show in Service List, it asks which category to put it in. These are the predefined categories; we will create our own as well.
So, I put it in Network Services, although it should probably go under Remote Access; but let me put it in Network Services. The protocol type is TCP/UDP/SCTP, and the protocol itself is TCP. The IP range is there if you want to restrict it to a specific destination IP, and the destination port is the port this application uses. You can add more ports as well if you want. The source port is left as all, so there is no need to specify one, except for something like DNS.
Sorry, DHCP; then you can put a source port. But in this case I leave it as it is and click OK, so my service is ready, but where did it go?
So, let me sort them.
So, there are two of them: one was already there, and one which I created.
So, mine I put in Network Services, and the one which was already there is under Remote Access.
So, mine is in Network Services, and I can call it here in the policy: if I refresh and go to Service, now I have my object. I know what I need, so I type the name here, and there are two of them, the predefined one and the one I created. If you look, both are similar.
So, this is how to create a service, and you can create as many services as you want and put them in your own category. It can be TCP, it can be UDP, it can be IP, or ICMP; ICMP uses a type and a code, for example the specific type and code for echo request and echo reply.
So, then you have to put the type. For IP, you can put any protocol number; for example 6 means TCP and 17 means UDP. As I showed you, you can use TCP, UDP or SCTP and then put the port number.
So, services are easy to create. Now the next thing is the service group, because there are some predefined service groups as well. Where is a service group? Let me find one.
So, in the firewall there are some service groups; not categories, which are one thing, but groups, such as Email Access.
So, Email Access is a group, which is different from the Email category, and there is also Web Access and a few others.
So, I can create a group of services as well: Create New, Service Group, give it a name and whatever color you want. As I said, HTTP and HTTPS are what I need in this group, and click OK.
So, there will be another group, which is mine.
So, what I really need is the HTTP and HTTPS services; I select them here and I can call this service group in the policy. The one I created doesn't show yet; just refresh.
So, rather than calling them individually, now you can call them as a group.
So, this is my web group, and there is the predefined Web Access group, which is different because DNS is also included in it.
So, I know what I need: specifically HTTP and HTTPS, so I use this one.
So, this is a group of services. And the last thing you can do here is create your own category, like these categories: click on Category, give it a name, suppose My Category, and a comment, and click OK. Now if you look for My Category, it is here in the list, but when you go to the policy it is not shown. Why not? Because you need to put something into My Category first; then it will show.
So, let's go to the service which I created. Let me edit that one.
So, let me pick the category: change it to My Category and click OK. Now you will see My Category here; before, it was not shown here. It has one service in it.
So, you can create your own categories, for example for a particular firewall or a particular team, or if a mix of protocols is confusing, you can create your own category for them, and you can create a service group to call them all at once. It will work straight away rather than calling many services one by one.
So, that is services. There are some predefined categories, which we checked: Uncategorized, Tunneling, Authentication, VoIP, Web Proxy and so on. We can create our own category, give it a color, and put services in it. We can create TCP and UDP services, as I showed you, IP and ICMP services as well, and we can call them in a policy and verify.
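The GUI steps in this lecture (a custom TCP service, an ICMP service with a type, a service group narrower than the predefined Web Access group, a custom category, and calling the group from a policy) map directly onto the FortiOS CLI. The following is an added example written for this page, not configuration from the lecture or from Fortinet; the object names My-Category, Custom-App, ICMP-Echo-Request and Web-Only, the destination port 8443 and the interface names port1/port2 are assumed values.

```fortios
# Added example, not from the lecture. Names, port and interfaces are assumed.

# 1. A custom category so the service can be grouped the way we want.
config firewall service category
    edit "My-Category"
        set comment "Services for our custom application"
    next
end

# 2. A custom TCP service on a single destination port, placed in that
#    category. Source port is left unrestricted, as in the GUI walkthrough.
config firewall service custom
    edit "Custom-App"
        set category "My-Category"
        set protocol TCP/UDP/SCTP
        set tcp-portrange 8443
        set comment "Custom application on TCP 8443 (assumed port)"
    next
end

# 3. An ICMP service takes a type (and optionally a code) instead of a port;
#    type 8 is echo request.
config firewall service custom
    edit "ICMP-Echo-Request"
        set category "My-Category"
        set protocol ICMP
        set icmptype 8
    next
end

# 4. A service group with HTTP and HTTPS only. The predefined Web Access
#    group also includes DNS, which is why a narrower group is useful.
config firewall service group
    edit "Web-Only"
        set member "HTTP" "HTTPS"
    next
end

# 5. Reference the group from a policy instead of listing services one by one.
config firewall policy
    edit 0
        set name "Allow-Web-Only"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "Web-Only"
        set nat enable
    next
end
```

After this, Policy & Objects shows My-Category only once Custom-App has been placed in it, which is the behaviour the lecture demonstrates in the GUI, and `show firewall service group Web-Only` confirms the group members.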
59. Lecture-59: High Availability (HA) Theory.
Another topic is redundancy. What is redundancy? Redundancy, failover, high availability, clustering, fault tolerance: these names all refer to more or less the same thing. I know there are some differences, but together these words are used for one specific thing, which we call redundancy or high availability. Why do we need redundancy? We need a backup solution. It can be hardware, it can be software, it can be a combination of both. In real life we do the same: normally we say I will do this course, and if something goes wrong I will do that one; I will apply for this job, and if I am not successful I will apply for that one; I will apply to this university for this degree, and also to another university, so if I don't get admission here I will go to the other one. The same thing we do in the network with redundancy: if our hardware fails, we need a backup solution, and that backup solution we call redundancy, high availability, clustering or fault tolerance. It can be a link, it can be an ISP, it can be a firewall, it can be a router, it can be switches, it can be anything. Everywhere you will see redundancy, just as we do in real life.
So, you can go through all of these; I will go straight to examples. In every device you buy today, from a Cisco device to any other vendor, you will see two power supplies. We call them redundant power supplies. You plug in one power supply and also the other power supply.
So, that means there is redundancy, high availability, fault tolerance: if one fails, the other will work.
So, nowadays every network device comes like this, whether it is a Cisco switch, a router or a firewall; it can be anything, it has two power supplies.
So, this proves that redundancy is everywhere. It is also in the links: every organization, from a small organization to a big organization, has two links, one primary and one backup. Normally the primary is a big link, maybe 200 or 500, whatever they are using, and the backup is smaller, maybe 20 or 30, and they are from different ISPs.
So, if one of these goes down for some reason, the other will take over. We are using redundancy in the links as well. If you pick any server, like HP, you will see RAID, which is nothing but a redundant array of independent disks, and not only that, they configure different RAID levels.
So, if one hard drive fails, just plug in a new one and it will work straight away, because they keep a copy of the data there and it will rebuild from there.
So, again, nowadays every device uses this concept. In Cisco, which we have, we use EtherChannel, we have link bundling, we have so many other ways.
So, if one interface fails, the other is working. Between switches we are using GLBP, we are using VRRP, we are using HSRP. If one switch or one router goes down, the other will take over.
So, again, we are using high availability. So what is high availability, why do we need it, and why is it in demand everywhere nowadays? Nobody wants a single second of downtime. We have critical segments which have to be available 24 hours, and we are providing a service which has to be up all the time. Otherwise, you have to pay your customer if your service is not available.
So, that is why in every scenario we use high availability, and high availability is nothing but availability: your service has to be available all the time. We know what is required: we don't want a single point of failure, because if you have a single point of failure and that thing is down, everything is down. So we need redundancy.
So, the business continues and the data is maintained and synchronized.
So, how does it work? Basically, the two devices watch each other. When one is not available, the other takes over and keeps working. This scenario we call high availability.
So, two devices work in synchronization, like if I were not available in the office tomorrow, I would hand over to my colleague so that they can continue what I did while I am on vacation.
So, I need someone to be available to provide the same service which I provide.
So, this is called high availability, and the same thing we do in FortiGate: two FortiGate firewalls will work together, and this working together is the concept called high availability.
So, how will they work, and how will they be synchronized? There are two concepts (modes) used for FortiGate HA. One is active-passive and the other is active-active. As the name suggests, in active-passive the active device is the one receiving the data and forwarding it, and the passive one is basically just listening.
So, when for some reason the active device is not available, the passive one will take over automatically. How? They are using the concept of a heartbeat: they are connected with each other through an interface, and they are listening to each other.
So, if the listening stops, the other one will consider the device down. It can monitor the device itself, and it can monitor the links as well; maybe the device is up but the link is down, and it will take over automatically.
So, in this mode one device is the master and the other one is like a slave. How do we choose? We will see in the lab. You can give more priority to the master so it will become active, and less priority to the slave, so it will become passive. In this scenario only one device works at a time, not both. It's easy to configure, easy to deploy and easy to design, and most of the time you will see this type of scenario, active-passive. The alternative solution is active-active, where both devices work together, but it is not really used much.
So, active-active is only used for a few specific requirements. You will rarely see active-active in the real world, because it's difficult to deploy, difficult to maintain and difficult to troubleshoot, and most of the time you will face issues. Students ask me all the time: why do we see it everywhere in theory but never in a real scenario? Most departments, most companies, even enterprise networks, use active-passive. With active-active you can utilize both devices all the time; in active-passive one device may not do anything for years, which means one device is sitting idle, but that's okay. With active-active you can utilize both devices at the same time and distribute the traffic, but it is difficult to deploy, difficult to troubleshoot and difficult to maintain. Also, in FortiGate only TCP sessions will be load balanced.
So, what about UDP, ICMP, multicast and broadcast?
So, then why do this one in particular? I would need to take a big risk in troubleshooting and deployment and worry about traffic going here and being diverted to the other device. That's why you will rarely see such a thing; most of the time in the real world you will see active-passive. But anyway, the concept is there: if your organization wants such a deployment so that both devices work at the same time, that is called active-active. But to form a cluster in FortiGate there are some prerequisites: both firewalls have to be the same hardware model, with the same interfaces, the same operating system, the same FortiOS version, the same signatures, the same updates, everything the same. Same model, same firmware installed, same license. The only things which can never be the same are the hostname and the priority; these are the only two things that identify them, the hostname and definitely the priority, because we have to give one of them more priority. Everything else has to be the same on the two firewalls. Is it clear? It can be active-active or active-passive, in any combination, but these things have to be followed, otherwise you will face issues. Now, it can monitor links as well: maybe the device is up but the link is down, the main interface or a particular interface; we can do that as well. Now, the next thing: how do these firewalls know about each other, whether the other device exists or not, whether the link is down or the device is down?
So, they are using a high availability link between the two firewalls; you have to configure it, and we call it the HA heartbeat interface.
So, basically on this link they are sending hello messages, a heartbeat. It is just like the heartbeat of a person: if somebody is alive, their heart will beat.
So, the same thing happens on this link between the two firewalls, which we call the HA heartbeat link and which is used only between these two firewalls. They send hello and heartbeat messages on these interfaces to each other after a certain interval. This heartbeat is sent, as I will show you in Wireshark, as packets with their own ethertype; I will show you in Wireshark when we do the lab. The hello is sent after every 200 milliseconds, and they are using link-local IP addresses, the 169.254.x.x range, which we call APIPA: in my Windows operating system, if the system does not find any DHCP server and you did not configure any IP, it will get this kind of IP, which we call APIPA, Automatic Private IP Addressing.
So, they are using these IPs to send and receive heartbeat packets. Between the two firewalls we use a crossover cable; there are two kinds of cable, straight and crossover. The heartbeat interval can be changed as well, which we will see when we do it. So, when they are not receiving the heartbeat, they will consider the other one down and the passive one will consider itself the master. This is the way it works. Now, whatever sessions were established will not be disconnected: maybe you were in the middle of a connection, say HTTP, and suddenly the active device goes down. Don't worry, the session is already there on the other device as well; that is the basic idea of session pickup. Now, before doing it, we need to know some terminology. First, what is failover? Failover means one device is not working for some reason and not forwarding the traffic; maybe it's down, maybe some other issue, and the other device takes over.
So, this method we call failover: the work of the failed device is taken over by the other. This automatic takeover we call failover.
So, in this case this device was active and the other was passive, but for some reason the active one is down, and the device which was passive before is now active.
So, this method we call failover. Then there are heartbeat messages. What is a heartbeat? Heartbeat messages are nothing but a way to verify that the other device is active and alive, checking whether its heart is beating or not. Both devices do the same thing: they are sending and receiving, as I showed you, after every 200 milliseconds. If they are not receiving,
So, they will consider the other device down. Link monitoring: not only the device, maybe the device is up but an interface, for example the WAN interface, is down, so we can monitor the links as well.
So, when the interface is down, the other firewall will take over because the other firewall has its own interface that is working.
So, you can do this as well, even though the device is up.
So, this type of thing we call interface monitoring or port monitoring. Another term is priority. What is priority? Between two devices you have to be smart, because both devices have the same hardware, the same interfaces, the same operating system, the same everything.
So, how will you make one device the master?
So, you have to use priority. Priority is nothing but a value. The higher the value you give, the more it will take the master role, and the other will automatically become the slave.
So, this type of thing we call priority, and priority is nothing but a numerical value. Now, how does it work with this numerical value if one device goes down and then comes back?
So, suppose you have a master firewall and for some reason it goes down. The one with the lower priority, which I gave a smaller numerical value, will automatically become master. But if the old master comes back, you can make it automatically become master again. That is also possible, and we call it preemption. Another term is session pickup. What is session pickup? Remember, maybe you were in the middle of a session, say HTTP, for which the three-way handshake is done and everything; you are connected. Suddenly the device goes down. It's okay, the second device will keep the session, because when the primary device goes down the session is already synchronized to the secondary; that is session pickup, and you will stay connected automatically, in simple words. You can configure the heartbeat as unicast if you want, and you can configure both devices not to use broadcast, for example if broadcast is not supported in your environment, such as in some virtual environments.
So, you can configure your heartbeat as unicast; that is also possible. And this is the topology which we will use next time: a primary and a secondary. We will create two firewalls and make them an HA cluster, we will generate some traffic, we will watch session pickup, and then we will bring one firewall down to see the state of the other one. These are the things which we will see in the lab, and this is the terminology you need before going to the lab.
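To tie the terminology together (active-passive mode, priority, heartbeat interface and interval, interface monitoring, session pickup, preemption, unicast heartbeat), here is an added example of the FortiOS CLI configuration for a two-unit active-passive cluster. It is written for this page and is not configuration from the lecture or from Fortinet. The group name, password placeholder, hostnames FGT-A/FGT-B, the interface roles (port1/port2 as monitored data links, port3/port4 as heartbeat links) and the unicast peer address are assumed values; both units are assumed to already match in model, firmware and licensing as the lecture requires.

```fortios
# Added example, not from the lecture. Names, password, interfaces and
# addresses are assumed; replace them for a real deployment.

# --- Primary unit: the hostname and the higher priority are the only
#     settings that differ from the secondary ---
config system global
    set hostname "FGT-A"
end
config system ha
    set group-name "FGT-HA-Cluster"
    # a-p = active-passive (one unit forwards, the other listens);
    # a-a would be active-active, where only TCP sessions are load balanced.
    set mode a-p
    set password "HA-secret-placeholder"
    # Heartbeat interfaces with their heartbeat priority (higher preferred).
    set hbdev "port3" 50 "port4" 100
    # hb-interval is in units of 100 ms: 2 = a hello every 200 ms.
    set hb-interval 2
    # Peer is declared down after this many consecutive missed hellos.
    set hb-lost-threshold 6
    # Synchronise TCP sessions so an established connection survives failover.
    set session-pickup enable
    # override disable = no preemption: a recovered former master stays
    # secondary; set to enable to let the higher-priority unit take back
    # the master role when it returns.
    set override disable
    # Higher numerical value = preferred master.
    set priority 200
    # Interface (port) monitoring: a link failure on a monitored port
    # triggers failover even though the unit itself is up.
    set monitor "port1" "port2"
end

# --- Secondary unit: identical apart from hostname and a lower priority ---
config system global
    set hostname "FGT-B"
end
config system ha
    set group-name "FGT-HA-Cluster"
    set mode a-p
    set password "HA-secret-placeholder"
    set hbdev "port3" 50 "port4" 100
    set hb-interval 2
    set hb-lost-threshold 6
    set session-pickup enable
    set override disable
    set priority 100
    set monitor "port1" "port2"
end

# --- Optional: unicast heartbeat for environments where broadcast between
#     the peers is not available (for example some virtual platforms).
#     The heartbeat interface then needs its own IP; the address used here
#     for the peer is constructed for the example. ---
config system ha
    set unicast-hb enable
    set unicast-hb-peerip 10.255.255.2
    set unicast-hb-netmask 255.255.255.0
end
```

Once both units are configured, `get system ha status` on either unit shows the cluster members, which one holds the master role, and the monitored-interface state, and `diagnose sys ha checksum cluster` is the usual check that the two configurations are actually in sync before testing failover.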