Fortinet NSE4_FGT-7.2 — FortiGate Firewall — Section 1: FortiGate Firewall V6.4 1 Part 58
79. Lecture-79: Remote Access IPsec VPN Theory and Lab.
We can use the same technology to configure SSL VPN, but this time not as a web portal. This time I want to encrypt the entire traffic of my PC, until or unless I configure what is called... I forgot the name... split tunnel. Until you configure split tunneling, it will encrypt the entire PC's traffic. With the SSL VPN web portal we were limited to the web only; this time we want to encrypt everything. For that purpose you need an application installed on the client, FortiClient. So that is the difference between the web portal and FortiClient: the web portal does not require anything to be installed, you just need a web browser, any browser like Google Chrome, Firefox, anything, type the IP, log in to the portal and access the resources. For FortiClient you need to install it, which means you need privileges to install an application on your mobile phone, laptop, desktop or whatever you want to access from. That is the only difference between the two, and also this one encrypts your entire PC, while the web portal is limited to the browser.
So, let's go. Let me show you the same topology. Outside we are using the 192.168.100.0 range as the Internet; one PC is on the Internet side, and we have a web server on the Internet somewhere as well. Inside we have a server which is playing the role of Telnet and web server.
So, these users, vpn1 and vpn2: I need them, in this corona time, to access these resources through VPN and reach their enterprise network in an encrypted way, so that nobody can see it. They just need Internet access and an application installed on their system. Okay, so how can we configure it?
So, let's go to VPN, SSL-VPN Settings. Listen on Interface(s): this is the interface from where the traffic will come, the WAN. Listen on Port: which port they will use; it's just this one. Then the Server Certificate: specify a custom one, or use the one already created for us. Next, the address range the clients will be assigned automatically: one pool is already created for us by default, and if you don't like it you can create your own. Then the DNS servers they will use, the bookmarks, and the Authentication/Portal Mapping, that is, which user will get which portal. And Apply.
So, these are the basic settings. Now let's go to SSL-VPN Portals.
So, there are three predefined portals. web-access only allows web access, with no application to install. tunnel-access means tunnel mode: it requires the application to be installed, but there is no web mode access. And full-access has both.
So, we can create our own as well, by the way; it doesn't mean you have to use these three. Let's use full-access.
So, in full-access there is "Limit Users to One SSL-VPN Connection at a Time". If you want that a user can be logged in through the SSL portal only once, like the one we use right now, you can limit them; otherwise the same user can log in multiple times. Anyway, that is related to SSL in general. Now, tunnel mode. For tunnel mode, when somebody connects through any VPN client, it is the same as with, for example, Palo Alto Networks GlobalProtect: every firewall's client creates a virtual interface, and this virtual interface requires an IP address to connect, so it needs a range.
So, this is the range those virtual interfaces will get their addresses from. It is the default pool; it can be anything, by the way.
So, this enables split tunneling. Suppose this user, my user who is going to log in and access these resources, is working from home in this corona time, covid-19, and accesses these resources. Now suppose I say no split tunnel.
So, suppose this user is accessing these resources, but at the same time wants to watch a video or listen to music.
So, what will they do? They will open the browser and go to youtube.com.
So, if you don't enable split tunneling, that traffic will come through the tunnel up to the FortiGate, then the FortiGate will send it to the Internet, get the reply from the Internet and give it back to the user. Everything from this PC will be encrypted, even if they only want to go to an Internet service, which means a lot of burden on the firewall: if you have a thousand users working from home nowadays because of covid-19...
So, all their traffic will come to the firewall and then go out, and we don't need a tunnel for YouTube videos. We need a tunnel only for our internal resources.
So, what you can do is enable split tunnel: whenever this user is hitting this range, our enterprise network (maybe the enterprise network has many ranges, but I mention those), encrypt it up to this point. If this user is going to YouTube, YouTube is not coming under this category, so just send it directly and unencrypted; don't put extra burden on the firewall. This is called split tunnel.
So, I say Enable Split Tunneling, and Routing Address: which addresses? I set my local subnet, 192.168.1.0, which is my internal range; it can be many, just mention them. And Source IP Pools: as I just showed you, the client will create a virtual interface and the virtual interface needs an address.
So, I assign from this range; you can change it to whatever you want. One is already added; if you don't like it, give them 1.1.1.1 to 1.1.1.100, okay. Now this is the new subnet they will get, 1.1.1.x, which means a hundred users can come. Another option they ask for: "Allow Client to Save Password". If you enable it and I log in, my username and password will be saved in the client and it will connect automatically, but sometimes the user is directly connected in the office and they are just wasting resources.
So, that's why it's better not to allow the client to save the password. "Allow Client to Connect Automatically" is also not a good idea.
So, uncheck. "Allow Client to Keep Connections Alive", so they reconnect automatically: also not good. Then split tunneling: I enabled the routing address, but you can enable split DNS as well, maybe the user has their own DNS server. Host Check: if you enable it, the client will check whether the PC has a firewall running; if the firewall is not enabled on the PC, they will not be able to access our VPN. This is just for extra security, and you can require antivirus as well, either one or both. Anyway, I don't want it here, but in the real world you have to enable this one.
So, if a user has disabled their firewall, the tunnel will simply not open. I leave it unchecked. Then "Restrict to Specific OS Versions": if somebody is trying to connect from a Windows XP system from home, it's not a good idea, because they are using a very weak operating system.
So, you can put a restriction that at least Windows 8 is required, and you can choose many Windows versions, like Windows 10 etc. But I don't want it. Enable Web Mode: now we just check it. This is more related to full-access: full-access can be used for both purposes. If you need bookmarks, and the FortiClient download link, which we already discussed. Okay, so this was already created, I just modified it a little bit. Now let's go to the IPsec Wizard: here it says Remote Access; client-based means a remote user will log in to your firewall and then access the resources, and for the client, FortiClient. Next: Incoming Interface, definitely WAN, from where it will come. Pre-shared Key: we just give them 123456, suppose. Which users will use these resources: the user group we already created, with vpn1 and vpn2, which is local; you can enable Active Directory as well, which we already discussed. Local Interface: my LAN. Local Address: I already created one object, local subnet 192.168.1.0. And Client Address Range.
So, the client range: again from 1.1.1.x, say up to 1.1.1.200, and the subnet mask. Okay.
So, let me give them like this. DNS Server: use the system DNS, as I told you before. Allow Endpoint Registration, if you want to register them. Next: Save Password, I already told you about it; Auto Connect; Always Up (Keep Alive), if you want. Next. So they already created the split tunnel, phase 1, phase 2, the address objects, and also the endpoint registration. Create. Okay, so everything has been done. Let's see whether they created a policy for us; if not, then we have to create a policy as well.
So, let's go. Okay, so they are listed in the policy as well.
So, I believe nothing more is needed for the IPsec VPN, and for the SSL VPN I think so as well; if not, I will check. If we cannot access, then I will check back.
So, this was the firewall side. Let me go to the client, and for the client there are two options. Either log in through the web portal as vpn1 / 123 and download the VPN client from there; you give them the option to download it from your portal. Second, if you don't have that, go to Google and type FortiClient download; it is freely available on their website.
So, go to FortiClient VPN, like GlobalProtect, like Cisco AnyConnect.
So, they have their own, and let's try to download it for Windows.
So, you have two options: either take your PC to IT support to install it and give it back to you ready-made, or click on this one, download it and click through. Okay, it will require some time.
So, this is not a big package. Okay, so you are required to install the client, and when you install the client it will create a new virtual interface; keep in mind every firewall's client does this, the concept is similar. I have only two interfaces installed. Let me give them names: this is my WAN interface, and let me give this other one a name so that I can show you. After a while they will create a new interface, and when connected that interface will successfully get a 1.1.1.x address, which we assigned. Okay, and let's see, it will take some time to download the image and install. Up to that point, let's go to the VPN page.
So, we created the SSL VPN client-based connection, which we gave a name, by the way; our interface binding is the WAN, from where the traffic will come; the status is up; and it is being used in two places, definitely in the policies which we created, this one. And these are the predefined portals. If you want to use those, use them; if you want to create your own, you can, like "my VPN". If you need a tunnel, just choose Tunnel Mode. If you want full access, enable Web Mode as well. If I enable only this one, it will be tunnel mode only: in my VPN this is enabled and web mode is disabled. But if you say no, I need both in one portal, just enable Web Mode and Tunnel Mode together, bookmarks and everything which we discussed; then both are enabled.
So, you can create your own portal and use it, or they already have three for you, you can use those as well. Okay, and for the SSL VPN settings, you have to do some setting basically before using the SSL portal, either the client-based VPN or the clientless VPN, from the wizard or from any other place. First you have to configure the SSL VPN settings: from where the traffic will come, the port and the others like idle timeout etc. All these things need to be configured first.
So, let's go. It is still downloading, because this requires Internet access to download from the Internet, and then you install the application. But if you don't have the right: normally in an organization your PC will be under a domain, so you will require authority to install, and authorization.
So, therefore normally IT support will install this application and give it to you. Okay, so what else do I need to tell you. Okay, let's go there. At least we need to discuss the difference.
So, there are basically two ways to configure remote access. One is IPsec VPN and the other is SSL VPN, which is HTTPS based, which we call SSL. IPsec can be used for FortiClient, the client you need to install, and also for site-to-site between two FortiGates, one on each side. But SSL VPN can only be used for remote access: either web-based, or with FortiClient as well. Last time we did web-based with SSL, and now we are doing FortiClient as well, with SSL and with IPsec.
So, both can provide you remote access configuration, but with SSL you cannot configure site-to-site; it can only give you web-based and client-based remote access. That is the difference between these two. SSL works from layer 4 to layer 7, and IPsec works on layer 3 only. Okay. SSL requires only a web browser if you are using web mode, but if you are using full tunnel with FortiClient, then you need an application installed.
So, these are the two protocols. SSL we normally call tunnel mode as well, and it can be used for web mode or portal mode as well, which we just used in the last lecture. Okay, and SSL can also be used with the client. That's it, that's the difference. Let's go there. It's almost done. Okay, so let's wait for a while; it will download FortiClient to install. Okay, we just need to click next, next, next to install. It's not difficult to install, but it's better to show you. Because this application requires at least Windows 7 and above to work, okay, so if you are trying on an older Windows it will not work, because it's the updated one.
So, the updated one requires a minimum of Windows 7 to work. That's why I use Windows 8 in this lab, so that I do not face any issue, because I checked and it's not working on the old one, while the old client version works anyway. So FortiClient has come up. Okay, accept, next; if you want a different location, just choose a different location, and it's done. Okay, so let's see. It will take not more than two minutes to finalize. This is only a one-time job, to install this application on your system. If you are using Mac, then you require another application, the same FortiClient but for Mac, and also for Linux, and even for mobile phones they have a different version. Okay, but I downloaded the Windows version. Okay, it's almost done. Okay, let's see. After a while it will create an interface here, a virtual interface; maybe they already created it. Let me refresh, it is not there yet. Okay. So my IP address is 192.168.100.200, okay, and I have another interface which I'm not using.
So, it's 169.x. But they will create a third interface, by the way, as well. Let me check if anything changed. Okay, so we already configured this one, and we are done with it, and we already created one VPN tunnel, which is inactive right now because nobody is connected yet. Okay, so let's go. It is still installing. And okay, if you want to see the details, let's see what we can configure.
So, all the details are here; go back and edit. You can edit them if you want to change anything, like the range they will assign, the user group and everything they will use. Okay, so you can change it from here as well. Now, you see before it was only on the LAN, and now they created two more policies. After a while every client can do the same thing with the client-based one. But clientless was so easy: just type in the browser and access the resources. The only thing was that only that browser was encrypted; you were limited to that one. Okay, so just to show you: after a while, when we connect, it will get a 1.1.1.x IP automatically, which I will show you from here anyway; when you type ipconfig /all it will show you here. Now I have four interfaces showing. Okay, it's almost done; by the way, it takes much time. Yeah, so finished. Now there is a particular application, the installed one; when you open it, it will come here automatically. The first time you have to acknowledge and accept, then Configure VPN. Which are we using? We are using SSL VPN, so choose SSL-VPN and give it any name, like "SSL VPN". Give it a name, a description if you want, and the Remote Gateway: my remote gateway is 192.168.100.234, the public IP of our firewall, on which they will access it; customize the port if you use a different port. Anyway, Single Sign-On, we don't need; Client Certificate, we are not using; Prompt on login; and Do not Warn Invalid Server Certificate, if you have an invalid certificate it will warn you.
So, I said no. And so now, this is the first time, to create your profile, and now you can connect: our user was vpn1 and the password was 123, and Connect.
So, there is nothing wrong in the configuration, I believe.
So, it says: credential or SSL VPN configuration is wrong. Okay, so this was vpn1 and 123; these are all the right things, so vpn1. Okay, so they say there is something wrong, so which one did we use?
So, let me see. Did we use SSL VPN, or did we use the other one?
So, let's go to where this one is.
So, let me see which protocol we used. Okay, let me try, maybe we used IPsec, so let's go back there and create a new connection. Let me create IPsec VPN: description nothing, Remote Gateway 192.168.100.234, Pre-shared Key 123456, I think.
So, we did not use the other one. Prompt on login. And so let's try this one.
So, vpn1 and 123. We have two protocols to use, either IPsec or SSL, so I can't remember which one I configured; I configured it as IPsec remote access.
So, I created two different profiles, so I can figure it out: the IPsec one is connected, showing me that I got the same 1.1.1.x range. And if you go to the interfaces, okay, you will see that interface really got an IP. Which one? This one, 1.1.1.1. And now I can access all the resources directly. No need to go to the browser portal: directly type the IP 192.168.1.1, this is the IP of my server. It will open automatically. Log in with admin, 123. And you see what is enabled there, and I can telnet directly to 192.168.1.1; it opens, yes, admin 123. Now you might say, what do you think, I'm using HTTP, will it not be encrypted? No, it will be encrypted. If I go to Wireshark it will be IPsec; look at this, it is encrypted. There is no plaintext traffic before the firewall, but after the firewall there will be plaintext traffic, the Telnet traffic. You know, last time I opened two Wiresharks, one is open from here on the client side, and one is after the firewall.
So, the one on the WAN side is encrypted, and the plain traffic is here on the inside. Now I don't need to go to the browser portal to access this; I can access these resources directly, because my entire PC is encrypted, except what is split.
So, if I go to the Internet, this traffic will not go through the tunnel, it will go directly.
So, that is not encrypted and the other one is encrypted. If I open Wireshark here, I can show you: when I'm sending Google traffic it will be TLS, because that is also HTTPS, but when I'm accessing this one it will be IPsec traffic, because I'm connected through the tunnel. But if I disconnect, then this server will not be accessible anymore, because I cannot reach it; look, "your connection was interrupted", it will not work. But as soon as I connect as user vpn1 again, click okay, now these resources will be accessible after it's connected; if you refresh, it will open, because my PC is now in the tunnel. And if I can see the details: there is one place where we can see which resources, which subnets will be encrypted. Okay, it's not showing there; I thought there was a place in the client to show you which subnet will be encrypted, but it's not showing in this one. Let me see. No. Anyway, this is it: now I can access the resources from my entire system; I don't need the browser, I can access any resource which is allowed by my firewall. It doesn't mean that any user will access everything all the time: you can put a restriction that from VPN, if this user comes, allow them only this IP and not that IP. It's up to you what you want to put in there. In Wireshark you can see the traffic: it will be IPsec traffic, and there is a protocol name it shows; I forgot the protocol name to show you from here.
So, okay, anyway, this was the full tunnel through IPsec, and you can also create a full tunnel through SSL as well. But anyway, it's the same thing, just to show you what the difference is between client-based and clientless VPN.
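Added example, from the editor rather than the lecture: the FortiGate-side checks that show what the client GUI above would not, namely which subnets are being tunnelled for a connected user and that the WAN interface carries only encrypted traffic while the LAN sees the decrypted Telnet and HTTP sessions. It assumes the lab's names (phase1 "RemoteAccess", WAN "wan1", LAN "lan", server 192.168.1.1) and the SSL VPN port 10443 from the configuration example; adjust them to your own.

```fortios
# Added example (editor's, not the lecture's): verify tunnel mode from the FortiGate CLI.
# Assumes phase1 "RemoteAccess", interfaces "wan1"/"lan", server 192.168.1.1, SSL VPN port 10443.

# SSL VPN: who is connected, source IP, assigned tunnel IP and portal.
get vpn ssl monitor

# IPsec: IKE SA state, then the tunnel with the mode-config address handed out
# and the split-include selectors the client was told to route into the tunnel.
diagnose vpn ike gateway list name RemoteAccess
diagnose vpn tunnel list name RemoteAccess

# WAN side: only ESP (IP proto 50), IKE (udp/500), NAT-T (udp/4500) or the SSL VPN
# port should appear; no plaintext tcp/23 or tcp/80 towards 192.168.1.1.
diagnose sniffer packet wan1 'esp or udp port 500 or udp port 4500 or tcp port 10443' 4 20

# LAN side: the same sessions after decryption, as plain Telnet and HTTP.
diagnose sniffer packet lan 'host 192.168.1.1 and (tcp port 23 or tcp port 80)' 4 20

# Which policy a tunnelled session actually matched (per-user restriction check).
diagnose debug flow filter addr 192.168.1.1
diagnose debug flow trace start 10
diagnose debug enable
# ... reproduce the access from the client, then:
diagnose debug disable
diagnose debug flow filter clear
```

On the Windows client the same split-tunnel decision is visible with `route print`: only the split-include subnets are routed via the FortiClient virtual adapter, while the default route stays on the physical interface, which is why the YouTube traffic in the lecture bypasses the tunnel.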