Fortinet NSE4_FGT-7.2 — FortiGate Firewall — Section 1: FortiGate Firewall V6.4 1 Part 46
64. Lecture-64: FortiGate Passive Authentication (AD).
This method is passive authentication, which on FortiGate we call FSSO, Fortinet Single Sign-On. It is simply authentication with no prompt: you integrate the FortiGate directly with Active Directory, and it is the best solution. But every PC has to join the domain, then it will work, and in an organization you will normally see this type of integration of the FortiGate with Active Directory. We call it passive because there is no need to put the username and password every time: whenever the user logs in with their domain user account, the same user credentials are used for the firewall authentication. But for this purpose you need to install the FSSO agent, which you can download from the Fortinet website.
So, I have the FSSO setup here, the 64-bit version. You install it like a normal application: Next, accept the license, Install. This should be installed on your Active Directory domain controller. Put the username and password, choose which method you want to use (standard or advanced), Install, and launch it after the installation. It will get the Active Directory IP automatically; otherwise you have to put it there yourself. The agent is nothing but a piece of software that exchanges information between Active Directory and the FortiGate firewall; that is why we call it an agent. Choose your domain (in my case the domain is test.lab) and choose the groups; in this case we have an HR group and a Sales group. Then the polling procedure: there are two methods, one is to check the Windows event logs and the other one is to install the DC agent service. I chose the first one; it is up to you, both methods will work. Then change the default password: the agent ships with a default password and we change it. Now integrate it with the Fortinet Single Sign-On connector, which is under Security Fabric, as a fabric connector on this particular firewall. We will choose Active Directory there, and the rest of the method is similar to what we did before.
So, now let's see how we can do it.
So, we connect to the Active Directory server, the domain controller.
So, once we integrate it, after that we will create the same user groups, but this time the group type will not be Firewall; it will be Fortinet Single Sign-On.
So, it is asking for the username and password; use the domain credentials.
So, our username is administrator@test.lab and the password is abc@12345. Okay, so I want to log in to my domain controller. Okay, Active Directory. And I need to copy that agent here and install it, so that is the agent; right-click on it. You can download it from the Fortinet website, I will show you. Okay, paste it here on the domain controller. We are doing it ourselves because this is our own lab. If you need to install this application in a real environment, give it to your Active Directory system administrator and tell them that these are the steps: install this agent on the Active Directory, because I want to integrate my firewall with your Active Directory. They will get the name and details from there basically. And whoever logs in to the Windows domain, the same username and password will be used to authenticate them to the firewall.
So, the user will not need to type the username and password all the time. Click Next, accept the license, Install. Choose the directory and the password, abc@12345 again. Next. I want to use the advanced method; it is up to you, let me explain it and install. Until it is installed, let's go to the firewall and remove the other method, because we already integrated that one.
So, go to System, User & Device, go to the LDAP server and edit, and remove that method. You can use both as well, by the way, but I don't want to confuse you. It is not deleting, because it is in use; click on the reference and you will see where it is used. The HR and Sales groups are still there using it as a reference, and the policies too, so I need to go to so many places.
So, delete policy one, then delete policy two, because we used them in the policies. Now coming back here, it again says it is in use, so the HR group we created: delete that group, delete the other group, and now you can delete this one; Delete is available now. Create and remove. And if you go to User Groups, nothing is deleted automatically. User Definition, no user is there. And when you go to Policy, I already deleted both policies. Nothing is there now.
So, go to User & Device and LDAP. Nothing is there now.
So, I removed the other method. Now we are doing the other one.
So, this is the application; click Finish so that it collects the IP automatically. Next, and this is our domain. Next, which users: remove the Administrator, we don't need to monitor the administrator. We are using these two groups, HR and Sales, to log in to each PC.
So, it is okay. Next, choose the method. Next. Okay. Finish.
So, the agent is being installed. Basically this agent will integrate with the FortiGate through the Security Fabric; it will poll the data and give the FortiGate the details, okay? And if I click on the agent now, change the default password; it has a default password. Give it any password; I am giving abc@12345. Okay, and Apply.
So, I just click OK, and OK, that's it.
So, there are the details: the agent is listening on these ports. These ports have to be open if there is another firewall in between. Okay. And you can see the logs and everything from here. That's done. Now go to the FortiGate to integrate it. For that purpose you have to go to Security Fabric, not User & Device. Under Security Fabric there is Fabric Connectors; Fabric Connectors, Create New. Okay.
So, there are so many methods to integrate with this firewall; the one we are using is single sign-on, which is somewhere here. Yeah, this is the SSO/Identity section and this is the one we are using, Fortinet Single Sign-On Agent. Click on this one. It asks what name you want to use; I will call it AD-plus, because last time we named it AD and maybe that would confuse you, so give it AD-plus. And the IP is 192.168.1.200; this is the IP of the domain controller. And the password is abc@12345. Okay, and again it is asking me about SSL, the secure one. Okay, and I say Apply and Refresh, so it will apply if the password is correct.
So, it will integrate the FortiGate with Active Directory through that agent.
So, it is checking now. Okay, let's see; it is showing a down arrow until it goes green and up, so it means it is not integrated yet.
So, you need to either just refresh until it shows green; otherwise there is something wrong in your setup.
So, let me refresh. Still red, this one. Okay, so 192.168.1.200 is okay, I don't know what is not correct. Apply and Refresh, so let's see. Okay, now let's see. After a while it will become green if everything is okay and we did not miss anything or do anything wrong.
So, what we've done up to this point: we came here to single sign-on and put the name and the IP, correct, and Apply and Refresh. Okay, it has to show up anyway; let's wait some time, it takes time to integrate. Let's go to the agent: Show Service Status, Show Logon Users; let me enable it, because we changed the password, maybe that is the issue. Okay, now let's go back and refresh, maybe this time. Still the down arrow; that's weird. Let me check connectivity: ping 192.168.1.200. Yes, we have reachability. Another thing we need to check is the Windows firewall; maybe the firewall is blocking it.
So, let's go there and see if the Windows Firewall is enabled. Yes, it is enabled, so let's turn the firewall off for a test. Okay, and now let's go back. Yes, green, so the issue was the Windows firewall. Now it shows the users, all the users, because there are so many users. Okay. And when you click on it, you will see the groups now; the groups are here. Now go to the same place: User & Device, go to User Groups and this time create a new group, HR, as we did before, but this time the type is not Firewall; the name is just a name. This is also Active Directory, but this is a different method. Now I will use Fortinet Single Sign-On (FSSO) and click on Members, and it will use Active Directory through the agent to show the groups; the one I need is HR, click on it and add.
So, this HR group is for Fortinet Single Sign-On. Create New, and the other group is the Sales group, single sign-on, and choose Sales. So my two groups are integrated here, in almost the same way as before. Now go to Policy & Objects, IPv4 Policy, just like the other one. Create the policy LAN to WAN: the user will come from LAN and they want to go to WAN; source should be the LAN subnet and users should be the HR and Sales groups. Destination can be anything, all; schedule always, service ALL, and NAT enabled.
So, LAN is done; now I need to create one for DMZ as well. DMZ to WAN: the user will come from DMZ and they will go to WAN; source should be the DMZ zone subnet which we created last time, you remember, but the users will also be authenticated, HR and Sales. Destination should be all, service should be all, NAT enabled, and OK. Now let's test. Do you think the user will go through like last time? This is my PC; if I try to go to Facebook, I don't think it will work, and neither will it ask me for the username and password, even though I have the IP and everything set correctly. This is the PC inside the LAN, and there was another PC, this one in the DMZ; try it again. It will not go. Let me close the browser. Maybe you think this is the whole story, but it will not reach the Internet and neither will it access any resources, because now the method is different: passive.
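The same three objects the lecture builds in the GUI (the FSSO fabric connector, the two FSSO user groups and the two identity-based policies) as FortiOS CLI. This is an added example, not configuration from the lecture; the connector name AD-plus, the interface names lan, dmz and wan, the address objects LAN_subnet and DMZ_subnet, the group names and the AD group DNs are assumptions, and the agent password is a placeholder.

```fortios
# Added example, not the lecture's own config: CLI equivalent of the GUI steps above.
# Assumed names: connector AD-plus, DC 192.168.1.200, interfaces lan/dmz/wan,
# address objects LAN_subnet/DMZ_subnet, group DNs taken from the Members picker.

# 1. Fabric connector to the FSSO collector agent running on the domain controller
config user fsso
    edit "AD-plus"
        set server "192.168.1.200"
        set password "<collector-agent-password>"   # the password set in the agent
        set ssl enable                              # the SSL option in the connector
    next
end

# 2. FSSO user groups: members are AD groups learned through the agent, not local users
config user group
    edit "FSSO-HR"
        set group-type fsso-service
        set member "CN=HR,CN=Users,DC=test,DC=lab"      # assumed DN
    next
    edit "FSSO-Sales"
        set group-type fsso-service
        set member "CN=Sales,CN=Users,DC=test,DC=lab"   # assumed DN
    next
end

# 3. Policies: same source subnets as the earlier LDAP version,
#    but the identity now comes from the FSSO groups
config firewall policy
    edit 0
        set name "LAN-to-WAN-FSSO"
        set srcintf "lan"
        set dstintf "wan"
        set srcaddr "LAN_subnet"
        set dstaddr "all"
        set groups "FSSO-HR" "FSSO-Sales"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set name "DMZ-to-WAN-FSSO"
        set srcintf "dmz"
        set dstintf "wan"
        set srcaddr "DMZ_subnet"
        set dstaddr "all"
        set groups "FSSO-HR" "FSSO-Sales"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Because the policies carry FSSO groups rather than firewall-type groups, a source IP the FortiGate has not received a logon for from the agent simply does not match the policy; there is no captive portal and no credential prompt, which is exactly the "it will not go" behaviour described above until the PCs join the domain.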
So, if I try to reach Google or anything, it will not go through and it is not asking for the username and password either, because we are not using that. You know, this PC has to join the domain. How to join the domain?
So, right-click on My Computer and go to Properties.
So, this is the PC where we have to join the domain. Click Change and click here, Domain.
So, the domain name is test.lab, and OK if everything is okay, no issue, and this PC can reach the domain controller.
So, it will then check with Active Directory and join the domain.
So, let's see; it is giving an error. Not reachable. Another PC from the LAN, it is also not reachable here. Let me try again: right-click, Properties, Change settings, Change, and this time I will use the IP 192.168.1.200 to join this domain. Okay. Maybe there will be an issue, but anyway, let's see. This is what I was expecting, so you can type test.lab simply and try. Again an issue. Why? Because this PC can reach the domain controller, but we are using a different DNS server; you have to change the DNS to the one of the domain you want to join.
So, type only the DNS 192.168.1.200. OK and OK, and now let's try test.lab; I hope this time it will work. Again an issue. This time type test.lab. Okay. This is due to DNS, because we are using our Wi-Fi DNS and now we have to reach the one integrated here.
So, in more detail, it is the same thing: I noticed the issue is DNS on the domain controller side. Okay, let me go to the other PC here until this one comes up. No, not this one. Okay, so this one has to get the right DNS.
So, what we need to do is go to the network adapter and change the interface settings; we are using 192.168.1.x, but our DNS is a different one.
So, remove IPv6 and put the DNS entries 192.168.1.200 and the second one. Okay, and now let's see, it is already using that DNS. And now let's try for the last time. OK. And Change, change the domain, test.lab, and OK, so now it is correct. And the username is administrator and the password is abc@12345; these are the administrator credentials of Active Directory. OK, it will prompt you with a welcome message and you need to reboot the system. Now this user PC will change from workgroup to domain, and it is done, okay. And also let me change the PC name as well, because both have the same name. Okay, so no need. Restart now, and now let's go to the other PC and we will do the same for it.
So, this one is not working. Why? Because of the same DNS, so let's go here, Change adapter settings.
So, we are using a different subnet, but the issue is that IPv6 is enabled and also you need to put 192.168.1.200 as the DNS. OK, OK, OK. And now Change and put test.lab. Okay, before that let me change the PC name. Okay, and also check that test.lab is reachable. I need to check if I am reachable or not: ping 192.168.1.200. So I am not reachable. Why? Because I put a restriction here in the firewall policy so far. What you need to do: let me create one quick rule, because it is not reachable.
So, my PC cannot reach the DC. Allow all, just for testing purposes: I will create a policy from DMZ to LAN, because there is no such policy, with source all, destination all, service all, and OK. Now let's try; not this one, where is my second PC; let's try it now. Can I ping? Yes, now I can reach it. Now type test.lab, OK and OK. Hopefully this time it will be reachable, because before there was no policy.
So, the username is administrator and the password is abc@12345, and OK. I hope it will give you a welcome message.
So, I don't want the DMZ PCs to have access to the domain controller after this; I just want it from the LAN. Now I will log in on one PC with an HR user and on one PC with a Sales user; they will be authenticated automatically and nothing will prompt them. Restart. And now maybe the other PC is available. This one.
So, this is my domain controller. Now let's see here.
So, click on this one; the LAN PC has joined.
So, I hope it will be available now, and now I can use my Active Directory; use the groups to join the PCs and log in with them. Okay.
So, this is Active Directory. Let me show you. We created these groups; we will log in with these groups. Keep in mind.
So, let's go back. The PC is asking now, so now we need to type the other username and password. Which one? hr1@test.lab; this is the user, and the password is 123. And OK, you got the idea. Now the PC is under the domain, so we put 123. "The user is not allowed to log on through Terminal Services." Okay, what? Now I need to change this one, because they are not allowed to log in through remote desktop, so change the connection to the console. Okay, and now start it.
So, unfortunately we need to do this on this one as well: stop and start, and now start it. You can see "the user cannot log in through Remote Desktop"; either way the restriction means you need to go to Active Directory and set the permission for every user to log in through remote desktop.
So, it is better to log in to them here through the console.
So, now I will log in one with HR and one with the Sales group and then we will see. Okay, so let's see. And also let me do this on DMZ, because I did not change this one; unfortunately I need to change this one to the console as well. Okay, and start them until the LAN and DMZ machines are available. Yes, now it has come up. But again we will use these users, okay? Keep in mind. Okay, and before logging in, let's see from here: Show Logon Users. Look, it is showing hr1, which I tried earlier.
So, that is why hr1 is already here in the logs.
So, now Ctrl+Alt+Delete and Switch User; Other user, and here type hr1 and the password 123. This is what we do normally in an organization: you have to use your own username and password to log in, and then once you have logged in with your username and password, you do not need to authenticate again to the firewall. It will use the same credentials, and this is called passive authentication. And now if I go there and refresh, it will show hr1 from the user PC with the 192.168.1.x IP; they are using the domain and they logged in, and what the agent will do is send this detail from Active Directory to the firewall: this person is allowed now. And this is what the firewall will say: okay, you are allowed, I already authenticated you, and whatever restrictions you have here, it will follow them. Maybe you put some restriction here; they will follow it, and otherwise they can reach anywhere.
So, now let's see. Until then, let's log in on the other PC. Okay, here we will log in with Sales so that we can test both.
So, let me log in; switch to the other user, and here sales1, and 123 is the password.
So, one from DMZ, another from LAN.
So, we will test both. Let's see which one is coming.
So, this one: now I am logged in under the domain. Okay. That is my user sales1 and my PC is in the domain. Let me remind you again: if I go to My Computer, Properties, it will show me the domain, okay. This is the user PC, test.lab, and this is my domain. Okay, now I can go directly to the Internet without any restriction, because I allowed them everything. Now the rest of the things, besides authentication, you have to set the rules for what they can access and what they cannot access. But regarding authentication, the issue is already solved, because the user is already logged in and it is showing here who logged in now: the user, and hr1 too.
So, they send this information to the agent, because that is its job. And if I go to the Internet, before it was not working; I hope this time it has to work. If it does not come up, it will not reach google.com. It has to work because, yes, DNS was the issue, so I need to change the DNS now. Because for joining the domain I changed the DNS for that purpose; yes, they are still using that DNS.
So, we need the security settings to access it. What? Oh yes, unfortunately one small thing which I forgot to change, so let me log off and log in with the administrator. We are going to change the DNS back to automatic; otherwise it is okay. You know, for joining the domain I changed the DNS.
So, Switch User, and this time we log in with administrator and the password abc@12345, administrator@test.lab, to change the DNS setting again. This one also will not work otherwise.
So, everything is okay, but one small thing: we need to change the DNS, which I forgot to do before, so let me log in with administrator; the password is abc@12345. And now let's go back to the other PC; it is still coming up. Okay, so I am just waiting for this PC to log in as Administrator. Okay, Administrator will not show in the agent, because we removed Administrator; you remember when we were installing the agent we unchecked Administrator. Okay, so administrator is logging in and I will change the setting.
So, let me go and change the properties, change IPv4 and make it automatic. Okay, let's see. And also let's go to this one; obviously this one is coming up. Okay, and I hope it has changed now. Yes, and now let's log off and log in again with the proper user. So log off, and this one has also come up.
So, until that one, let me log in now with the other user, which one, hr1, suppose hr1 and 123. And now let's go to the other system and change the IP, removing the DNS entry which we put just prior to joining. Okay. Obtain automatically. Okay. Now, this time I am logging in with hr1 on this PC. I am changing the DNS entry and logging in with the other user; before it was also done. And now let me log off and log in with the proper user. Okay, and now let's try this: hr1 here, and I will try sales1 with 123. Oh, okay. Now let's wait for the users to log in; there will be no need to put the username and password in a prompt, they will authenticate directly and we can see the authentication here as well. And if we refresh now, hr1 and sales1 are logged in, and also from the firewall: let's go to the firewall and now we can see the monitor, Monitor, Firewall User Monitor. Show all. You can see hr1 is logged in and sales1 is logged in, their user group, the duration, one minute and 36 seconds, the IP 192.168.1.x, and these are the details, and the method is FSSO, Fortinet Single Sign-On. Okay, if you click on one you can deauthenticate them and refresh. You can see them, okay. And if you click here it will show you the other users. If you click, it will show you the normal firewall users; when you click Show all, it will show you all logins.
So, I hope one of them has logged in. Not yet; both are trying to log in and creating their profiles. The first time a user logs in, Windows needs to create the profile.
So, therefore it takes time. The last thing we need to test: when the users log in, they have to access the Internet directly, because in our policy we allowed them everything. If you want to put restrictions per user now, you can put the restriction here and also here; this is the restriction area per user. But anyway, we allowed everything from the DMZ subnet for HR and Sales, and they can go anywhere. Okay, and from here, FortiView, we can see the destinations for these two users. Okay, and also if we go to FortiView for the DMZ, you will see the user, and it will change after a while because they are still logging in, and also from Log & Report, Forward Traffic, you can verify from here.
So, hr1, this time hr1; they are going to DNS right now, they are reaching DNS. I think not yet. Still, this one is preparing the desktop, so let it.
So, let's go there in case I missed something.
So, when integrating, we created the groups, we created the policies similar to the other one, and we joined the domain test.lab, okay. We entered the details and we logged in with HR. And from here, Show Logon Users, we can see the users from the agent, and when you log in it will show you the details, and also when you click here, it shows all logins.
So, it will show from the firewall as well using the monitor, and when you go to Forward Traffic it will show the user, and if you filter by source it will show you the details. And also from the agent side, okay, these are the agent settings: Monitor user logon events, okay; it means monitor the user whenever the user logs in; when you uncheck it, it will not. Support NTLM authentication is the old method of authentication.
So, these are the agent buttons; all the things are mentioned here. They are using these ports, TCP and UDP; this one is for the agent and this one is for SSL, and this is the log level, which logs you want to send and how much space you want to give to the logs. This is the password for this authentication, okay, for the agent authentication. And these are the timer details. And from here you can see Show Service Status, Show Monitored DCs, Show Logon Users, to see more of the details, which I mentioned here one by one; you can go through them if you need more detail. Okay, and that's it for now. Let's see the last thing: it has to access the Internet without any prompt.
So, let's go to google.com and let's see. And also bbc.com.
So, I hope it has to work, because everything is configured properly and they will be authenticated, basically, and they can access Google and everything. Oh yes, and for a better test, we can test here as well: ping a site; it is reachable, it means it is working. Yes, Google is coming now and also BBC will be there after a while. It is slow, but it is okay; that is a different story. Okay, so it is working. Yes. No prompt, nothing, because they have already been authenticated with the domain login, with AD, because this is the passive method. Yes, it has come up, and also BBC will come after a while.
So, we tested to see if it is working.
So, definitely it is working. Okay. And from here now you can see the forward log as well, okay. This is hr1; hr1 is the user, and also we verify from the monitor, and here is the Firewall User Monitor.
So, here it is logged in. And also you can deauthenticate as well; it will re-authenticate in case you want. Okay, so I hope so.
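The two things the lecture checks in the GUI (the connector arrow under Fabric Connectors and the Firewall User Monitor) can also be checked from the FortiGate CLI. This is an added example, not commands from the lecture; the comments describe what to look for based on the symptoms seen above, and the connector name AD-plus is assumed.

```fortios
# Added example (not from the lecture): CLI checks for FSSO status. Run on the FortiGate.

# Is the connection to the collector agent up? Equivalent of the green/red arrow
# on the AD-plus connector. If the DC answers ping but this shows the server down,
# the usual causes are a firewall between FortiGate and DC blocking the agent port
# (the Windows firewall in the lecture) or a password mismatch between the
# connector and the agent.
diagnose debug authd fsso server-status

# Which users the FortiGate currently knows from FSSO, with their IP and groups.
# Equivalent of Monitor > Firewall User Monitor with method FSSO. A domain PC
# whose logon is missing here will neither match the FSSO policies nor be
# prompted, which is the "it will not go" symptom before the domain join.
diagnose debug authd fsso list

# Ask the agent for the current logon list and group membership again instead of
# waiting for the next update, e.g. right after a user logs in or a group changes.
diagnose debug authd fsso refresh-logons
diagnose debug authd fsso refresh-groups
```

Run server-status first: if the connector itself is down, the logon list will be empty no matter how many users are logged in to the domain, and the policies will silently drop their traffic.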
So, enough; no need to show you the same from the other user. It is taking some time to come up. We will try from here as well. This one, the DMZ PC, is the better one to test if it comes up.
So, it is better to test properly, but anyway it will work.
So, this is the story: how to integrate the firewall with the different methods, okay, the active and passive methods, how to authenticate users with Active Directory, and how to join the domain. Okay, so I believe it is taking much time, so don't waste your time. It is okay. You can test on your own, and if there is any issue let me know.