Fortinet NSE4_FGT-7.2 — FortiGate Firewall — Section 1: FortiGate Firewall V6.4 1 Part 45
63. Lecture-63: FortiGate Active Authentication (AD).
In the basic setup we created earlier, the Active Directory domain is configured, DHCP is enabled and everything is ready. The first thing we will do is active authentication. With active authentication the firewall prompts the user for a username and password whenever they try to reach a resource, for example whenever they want to go to the Internet. This is called active authentication.
So, how can we do it?
So, let's go. We have the same topology we configured before, but instead of one subnet we now have two subnets, a LAN and a DMZ, and outside we have the 100 subnet. The PCs will get their IP addresses automatically over DHCP. Before we can use the Active Directory users, the HR group and the Sales group we created last time, we first need to integrate the firewall with the Active Directory server, which sits at .200.
So, come to the firewall, log in, and now let's integrate them.
So, how can we integrate the firewall?
Go to User & Device > LDAP Servers. LDAP here is nothing but Active Directory.
So, nothing is there yet. Click Create New and give it any name; I name it AD. For the Server IP we know the Active Directory server is at .200, and the port is 389. Then there is the Common Name Identifier, the Distinguished Name, and the Bind Type, which has three options; I will come back to those. The Common Name Identifier is the attribute that identifies the user whenever they log in. For Active Directory it should be sAMAccountName; this is Microsoft's convention, so whenever you integrate with an Active Directory you type this value.
So, let me copy this one: sAMAccountName.
So, this is the Common Name Identifier. Okay. Now the three bind types. Anonymous can be used if you have different branches in the directory and want to search across them, and anonymous searches are enabled on the server. Regular is for when you have different branches but anonymous search is not allowed, so the firewall binds with a user account and then searches. Simple is one branch without any search. So: different branches with anonymous enabled, use Anonymous; different branches with anonymous not enabled, use Regular; a single branch, use Simple. Simple is the simplest, but we can use Regular as well; it's okay.
So, first, the Common Name Identifier is sAMAccountName. Now the Distinguished Name, which is built from the DC components of the domain.
So, our domain is test.live, so the Distinguished Name is dc=test,dc=live. Remember the domain name we used: test.live.
So, we have to write it in this way. Then the username is the administrator account we log in with on the domain controller.
So, the username is administrator, and the password is the one we set, abc12345. Click Test Connectivity. There is also the Secure Connection option; it's better to leave it off for now, because it will not work if you turn on a secure connection without the certificate. We are not using a secure connection to authenticate. If you use LDAPS, a certificate can be used for security when integrating with Active Directory, but here we use plain, unsecured LDAP, so the authentication goes over the network in clear text.
So, something is wrong. Let me retype the administrator username and password and test connectivity again.
So, it says not reachable. Let me test the user credentials as well, and let me browse; it's not coming up, it's not reachable.
So, let's see what we have here. Let's use Simple; if we still cannot connect it means something is wrong. Let me remove the password and type it again: abc12345. Administrator is correct.
So, let's try now: invalid credentials.
So, it means maybe I typed something wrong. Let me type the domain correctly. The password is abc12345, and it still says invalid credentials. Is the Active Directory reachable from here? Let me ping it from the firewall: it's reachable, so reachability is not the issue. What else can be the issue? Okay, it's better to write the username like this, administrator@test.live; sometimes the missing domain suffix is the issue. This time it's successful. And if you browse now, the tree comes up automatically: test.live, Domain Controllers and so on. Either type the Distinguished Name yourself or pick it from here.
So, I use Regular. Again, there are three bind types: Simple if you are using one branch; Anonymous for many branches when anonymous search is allowed; Regular for many branches when anonymous is not allowed. And there is the Secure Connection option. Now let's test a user credential: user hr1 with the password 123. The test is successful: successful user credentials. You can also type the user as hr1@test.live.
So, the connection is successful and the user credentials are successful for hr1. The other user is sales1, and the password is 123 as well.
So, let's test this one.
So, the connection is okay.
So, you can test the users as well. It was that simple.
So, the server name is AD, the server IP is .200, the port is 389, the Common Name Identifier is sAMAccountName and the Distinguished Name is dc=test,dc=live. The Ref column is 0 because nothing is using this server right now. If you want to delete, clone or edit it, come here again.
So, the integration is done. Now how do we call the users we created on the domain controller? Go to User & Device > User Definition. Last time we created a local user here; this time we don't need a local user. Instead click User Groups, because why call one user at a time when we can call a group? Click User Groups and Create New. These names don't need to match the Active Directory names; the AD groups are HR and Sales, and I can give the firewall group any name, for example HR_Group. Type should be Firewall; the other type we will do a bit later. Under Remote Groups click Add, choose the LDAP server we just integrated, and search for the group you want to map here.
So, the member group is HR: select it and click OK.
So, I'm saying my local user group HR maps to the HR group in Active Directory. Right-click it, Add Selected, and OK. My local group is displayed as HR, but behind the scenes it is this Active Directory group, and the HR users will be able to use it. Now let's create another group. Let me give it the same name as the AD group.
So, as I said, these names don't need to be similar; they can be the same or different.
So, Sales, type Firewall, click Add, choose the LDAP server we just integrated, search for the group you want to map, right-click it, Add Selected and OK. It shows here; press OK. So two groups are integrated now, and in this way you integrate all of them. If I go to the LDAP server now it shows 2 references, because the two groups use it, and each group has two users. Now I can use the Active Directory groups inside my policies. Let's go to the last step: Policy & Objects > IPv4 Policy. There is only the default rule here. I want to create a new rule from the DMZ to the WAN: the traffic will come in from the DMZ and go out to the WAN. For the source you can use all, or create your own subnet. Remember the DMZ is 192.168.2.0. Let me create an address object DMZ_subnet, give it any color if you want, and put the subnet 192.168.2.0/24. I'm showing you the real world, so I want to make it more restrictive.
So, now this is my subnet. Rather than calling all, it's better to restrict: the source is DMZ_subnet plus the user group. I say DMZ_subnet and the HR group, so only HR users will be allowed; it's up to you which group you call, and if you add both groups both will be accepted. The destination can be anything, since they can go anywhere on the Internet, and the service is ALL. We already discussed the action, ACCEPT, and NAT will be enabled. No need to apply security profiles. Logging: I want all sessions. OK. This rule is from the DMZ to the Internet. What about the LAN? For that I need to create another rule: Create New, name it LAN to WAN, incoming interface LAN, outgoing interface WAN. Now I need the source, and I can create the LAN subnet the same way.
So, it's better to create an address object; that's the best way to do it.
So, this one is LAN_subnet. You can also use a single IP, but I give it any color and the subnet 192.168.1.0/24; the LAN is 1.0.
So, the source is LAN_subnet, and the user group will be Sales. The destination is any, since they can go anywhere; we already discussed restriction. Service ALL, NAT enabled, and logging of all sessions. OK. So now we have two policies, and in both of them the users are called; those users are pulled from Active Directory. The last thing is to test them. In Log & Report you should see the user in the logs; we will look at the logs later. Now let's go to the DMZ and test.
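The same configuration from the FortiOS CLI, as an added example that is not the lecturer's own config: it mirrors the GUI steps above (the LDAP server, two firewall groups mapped to the AD groups, two address objects and two policies that call the groups). The domain test.live, the sAMAccountName identifier, the administrator@test.live bind account and the two subnets come from the lecture; the server address, the admin password, the interface names dmz, lan and wan1, the group names HR_Group and Sales_Group, and the location of the AD groups under CN=Users are assumptions and are marked as such.

```fortios
# Added example, not the lecture's own configuration.
# Values in CAPITALS are placeholders; interface and group names are assumed.
config user ldap
    edit "AD"
        # placeholder: the AD / domain controller address (.200 in the lecture)
        set server "LDAP_SERVER_IP"
        set port 389
        # Common Name Identifier for Active Directory
        set cnid "sAMAccountName"
        # Distinguished Name of the domain test.live
        set dn "dc=test,dc=live"
        # Regular bind: authenticate with an account, then search the tree
        set type regular
        set username "administrator@test.live"
        set password "ADMIN_PASSWORD"
        # plain LDAP as in the lecture; ldaps needs the server certificate
        set secure disable
    next
end

# Firewall groups that map to the AD groups. group-name is the AD group's DN;
# CN=Users is assumed, confirm it with the Browse button in the GUI.
config user group
    edit "HR_Group"
        set group-type firewall
        set member "AD"
        config match
            edit 1
                set server-name "AD"
                set group-name "CN=HR,CN=Users,DC=test,DC=live"
            next
        end
    next
    edit "Sales_Group"
        set group-type firewall
        set member "AD"
        config match
            edit 1
                set server-name "AD"
                set group-name "CN=Sales,CN=Users,DC=test,DC=live"
            next
        end
    next
end

config firewall address
    edit "DMZ_subnet"
        set subnet 192.168.2.0 255.255.255.0
    next
    edit "LAN_subnet"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# The groups field is what makes the policy prompt for credentials.
config firewall policy
    edit 0
        set name "DMZ-to-WAN"
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "DMZ_subnet"
        set dstaddr "all"
        set groups "HR_Group"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    edit 0
        set name "LAN-to-WAN"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "LAN_subnet"
        set dstaddr "all"
        set groups "Sales_Group"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

`edit 0` creates a policy with the next free ID; `set logtraffic all` corresponds to the "All Sessions" logging option chosen in the lecture, which is what lets the user name appear in Forward Traffic logs and FortiView later.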
So, let me go to our DMZ PC and generate some traffic to go outside, and let me see whether I can get out.
So, let me switch to a different user on the PC.
So, the user is user and the password is test123. As I told you, the PC logs in with user and the password test123. Okay, so now I'm here; let me generate some traffic from here. I already got an IP, by the way; if I check with ipconfig, I have a 192.168.2.x address, the gateway is there and the DNS is there.
So, look at this: it says Open network login page. When I try to go somewhere it will ask for the user credentials, and then I can enter the AD user.
So, I use hr1, because I know both users work on this subnet: hr1 with the password 123, and Continue. Until the user is authenticated they will be redirected; after that they can go to the Internet. Now it says authentication successful, and I can go to any website from here, Facebook, Twitter, anything. So let me go to facebook.com, or bbc.com or whatever you want.
So, yes, Facebook is open, but how do I know it's working? We can verify from the firewall. There are many places we can check: Log & Report, and also Monitor, where there is an option called Firewall User Monitor.
So, if I click on Firewall User Monitor, hr1 is logged in. Only one user, because we tested only one user. And you can also check the logs under Log & Report > Forward Traffic.
So, we visited Facebook, so it will be shown there after a while. And in FortiView, if we go to All Sessions, it should be shown here as well, with the user. Right now it shows the PC from the DMZ but no user; I don't know why it doesn't show it yet. Let me check from other places as well. The results show the traffic and it has to show the user; for some reason it may take a while before the user appears here. We are now using user-based active authentication, and both PCs use the same method, with the users pulled from Active Directory, so whenever you access any resource it will ask for a username and password. If you want to test from the LAN PC, just go to bbc.com this time.
So, on the LAN PC the user is user and the password is just 1234. Let me log in to this one; this is the inside LAN PC. You can restrict it as well. Okay, so let me try to go somewhere. Last time we used the HR user, so this time we will log in with Sales so that we can test both.
So, there is the Open network login page prompt again.
So, it will redirect me, and this time I will use sales1 with the password 123, and Continue. Okay, we are authenticated. Let me go to bbc.com, and I hope it will work if I have been authenticated.
So, yes, BBC is working. Now let's go back to the firewall and refresh.
So, now sales1 is logged in with the Sales group, 17 seconds duration, from the 192.168.1.x IP, and hr1 is logged in from the DMZ with the 192.168.2.x IP. The method shows Firewall, because we created firewall groups mapped to Active Directory.
So, you know we called these firewall groups in the policies. The other method we will do a bit later; it's not part of this lecture, but it's the same idea and we will do it a bit later.
So, when you integrate the firewall this way, they call it the Firewall method.
So, that's why you can test from here. From Log & Report it should be shown now as well: the DMZ to WAN policy is being hit, with the source IP, and also the LAN to WAN policy, so now there should be two IPs. And in FortiView > Sources it will show the sources by user.
So, sales1 and hr1 are the two users that are going out. And if you want to test DNS filtering or application control policies, you can verify from here as well what they are doing.
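The same checks from the FortiOS CLI, as an added example that is not part of the lecture. The first command is the CLI counterpart of the Test User Credentials button used while troubleshooting the LDAP server earlier, and the auth list is the counterpart of Monitor > Firewall User Monitor. The server name AD and the user hr1 come from the lecture; LDAP_SERVER_IP and USER_PASSWORD are placeholders.

```fortios
# Added example, not from the lecture. Replace the CAPITALISED placeholders.

# 1. Test the LDAP server and one user directly from the FortiGate CLI.
#    "invalid credentials" with the server reachable points at the bind
#    username (try the user@domain form) or the password, not at the network.
diagnose test authserver ldap AD hr1 USER_PASSWORD

# 2. Confirm the domain controller is reachable from the FortiGate itself.
execute ping LDAP_SERVER_IP

# 3. After a user has passed the login page, list authenticated users:
#    user name, group, source IP and session duration, as in the GUI monitor.
diagnose firewall auth list

# 4. Trace the authentication daemon while a user logs in, then switch it off.
diagnose debug application fnbamd -1
diagnose debug enable
# ... perform the captive-portal login from the PC, watch the output ...
diagnose debug disable
diagnose debug reset
```

Step 4 is the one to use when the GUI only says "invalid credentials": fnbamd prints the bind DN it actually sends and the LDAP result code it receives, which separates a wrong Distinguished Name from a wrong password.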
So, this is called active authentication. Let's recap what we did: we created local firewall groups and matched them to the Active Directory groups by selecting them with Add Selected, and this way we created two groups. After that we created two policies and called the user groups in them. You can restrict based on a group as well; I called one group in one zone and the other group in the other zone, but you can put whatever restriction you want.
So, we called the HR group and the Sales group in the policies for verification.
So, it asks the user for credentials like this. After that we verified from the firewall using the Firewall User Monitor, and in FortiView > All Sessions you can see the traffic by user name as well, and also under Sources you can see it by name.
So, this was the method of active authentication.