Fortinet NSE4_FGT-7.2 — FortiGate Firewall — Section 2: Extra Topics Part 2
87. Lecture-87: Software-Defined Network Lab.
Okay, so now what we'll do is this: we have two WAN links, WAN1 and WAN2. The gateways are 192.168.1.254 and 192.168.2.254, and this is our internal link, 10.0.1.0/24. This is our topology, and we have two links. Let me show you here again.
192.168.1.1 is configured on port1; you can see it from Network > Interfaces as well. Here is 1.1 and 2.1, and the gateways are 1.254 and 2.254.
So we have two WAN links and this is our firewall. We want to combine them to work together as an SD-WAN, and this is our internal zone, 10.0.1.0/24. The IPs 1.254 and 2.254 are the gateways on port1 and port2, which are connected to WAN1 and WAN2. We will use 8.8.8.8 and 1.1.1.1 for our health check, and the protocol will be ping. For the zone name we will give it this name, let me copy it, and the members will be port1 and port2, which are WAN1 and WAN2. And the load balancing decision will be based on source and destination IP.
So for different destinations it will take a different WAN link, and for different sources it will take a different link. You remember this one; we did it here.
So the first thing we need to create is the SD-WAN zone. Let's go to firewall 1, then Network > SD-WAN. SD-WAN has the zones, the rules and the performance SLA. Two zones are already there. Let's create a new one, an SD-WAN zone, give it a name and click OK. Our zone is ready, but as written there, there is no member.
So now let's create the members. A member is nothing but an interface, the WAN interfaces.
Click on this one and choose WAN1; we have two. From here, keep in mind we need to choose our zone, which is the SD-WAN zone, and the gateway. The gateway for WAN1 is this one, 1.254; let me copy it. The cost you can change, and the priority, which we discussed in the routing section. I want to give them the same cost and priority, so click OK.
Now it's green, with only one member, WAN1. Similarly we need to do the same thing for the other member: this time choose WAN2, again choose the SD-WAN zone, and choose the gateway, which is this one. It can be one, two or three, and however many you have, you need to repeat this process.
Cost 1, click OK, and now it's green and two members are there. These are the interfaces we call members, as I told you in the theory, and this is the zone that combines these interfaces. Why? If I go to Static Routes now and create a route, WAN1 will not be visible anymore; it's here, but from now on you will use the zone. That's why, if you go to Policy now, the SD-WAN zone will be visible rather than these interfaces, because it combined them.
So we are done with the zone and we are done with the members. I put this one in, and now it's available like this. The next thing we need to create is a static route.
For the static route we're going to use the SD-WAN zone. SD-WAN is nothing but the combination of those two WAN links, so rather than creating separate static routes, it will decide automatically between WAN1, WAN2 or three, however many you have. Click OK, and now the static route is there.
The static route is configured and available. These are the algorithms; by default the algorithm they use is based on source, so every source will get one WAN link all the time. You remember I showed you this in routing; it's the same approach. So we need to change the algorithm.
I will change the algorithm and say: no, do the load balancing based on source and destination IP. If the traffic is coming from the same source but the destination is different, give it a different link. If they are going to yahoo.com, give them WAN1; if they are going to Facebook, the destination is different, give them WAN2, so it will divide the traffic over the two links.
By default it's source based, as I showed you in the previous lecture, so I need to go there and change it. Otherwise it will not give us the proper result.
Ctrl+L to clear the screen, and type `config system sdwan`, then `set load-balance-mode` and a question mark: these are the modes they have. There are some more modes now; the previous version had only a few. The one I'm choosing is source-ip-based, Enter. So I changed the mode, and let's go back. Now the firewall policy, because we want to allow this traffic to reach here.
So how will the firewall policy be now? Go to Firewall Policy and create a policy, LAN to SD-WAN. The incoming interface is my LAN, and for the outgoing interface, you see WAN1 and WAN2 are not visible, so I choose the SD-WAN zone; both are already in it. Source all, destination all, service all. NAT is enabled, log all sessions, and click OK.
The policy is done. This time we created the policy to send all the traffic to the SD-WAN zone, and inside the zone there are basically two interfaces. Now let's test and verify. This is a simple configuration right now, but we want to test it from an internal PC. I will try to ping 8.8.8.8 and 1.1.1.1 and we'll see the result. We can see the result with diagnose sniffer packet and also from Log & Report.
If they are going to different destinations, since you are going to 8.8.8.8, maybe they will give it WAN1 and give 1.1.1.1 WAN2, because we changed the load balancing method, remember.
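The same zone, members, load-balancing mode, static route and policy that the lecture builds in the GUI, written as FortiOS 7.2 CLI. This is an added example, not the lecture's own commands. It assumes WAN1 is port1 and WAN2 is port2 with the addresses given above; the LAN interface name `port3` and the zone name `SDWAN-Zone` are placeholders, since the transcript does not give them.

```fortios
# Added example (not from the lecture). Placeholders: "port3" = LAN interface,
# "SDWAN-Zone" = zone name. WAN1 = port1 (gw 192.168.1.254),
# WAN2 = port2 (gw 192.168.2.254), as in the lecture topology.
config system sdwan
    set status enable
    # Hash on source AND destination so one client's flows can use both links.
    # The lecture first typed source-ip-based by mistake; that pins every
    # client to a single link regardless of destination.
    set load-balance-mode source-dest-ip-based
    config zone
        edit "SDWAN-Zone"
        next
    end
    config members
        edit 1
            set interface "port1"
            set zone "SDWAN-Zone"
            set gateway 192.168.1.254
            set cost 0
            set priority 1
        next
        edit 2
            set interface "port2"
            set zone "SDWAN-Zone"
            set gateway 192.168.2.254
            set cost 0
            set priority 1
        next
    end
end

# One default route towards the zone instead of one route per WAN interface.
config router static
    edit 1
        set sdwan-zone "SDWAN-Zone"
    next
end

# LAN -> SD-WAN policy: the zone, not port1/port2, is the destination interface.
config firewall policy
    edit 1
        set name "LAN-to-SDWAN"
        set srcintf "port3"
        set dstintf "SDWAN-Zone"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

# Verification used in the lecture: sniff ICMP on every interface; verbosity 4
# prints the interface name, so you see which WAN port each echo leaves on.
diagnose sniffer packet any "icmp" 4
```

With this in place the sniffer output should show pings to different destinations from the same client leaving on different ports; if every flow leaves on the same port, check `get system sdwan` for the load-balance mode before looking anywhere else.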
So let's go to the internal PC and test. Let me log in to any internal PC and try to access external resources.
In the firewall I will go to Log & Report > Forward Traffic. What is the IP of the source? The source IP is 10.0.1.x; let me filter by that so it's easier. This is from two seconds ago anyway. Let me close this one and try to ping; ping will be easier to trace.
Let's open cmd and ping different destinations. Also, let me open the firewall to capture the packets: `diagnose sniffer packet any "icmp" 4`. "any" means any interface, I don't care, and it will be ICMP, verbosity 4. Now it started. Where is PC1? Let's ping 8.8.8.8. Let me open another command prompt and ping another destination, 1.1.1.1. And let's try from here now.
So I tried to access two different places. This is 10.0.1.x, and it's going to 8.8.8.8; it used port2, WAN2.
Let me go to the firewall and look at 1.1.1.1. They used port2 for 8.8.8.8, and for 1.1.1.1 they also used port2.
So how is it possible they gave both port2? We changed the policy and still they give the same one; it should be port1. Let's see here. If I refresh, the one going to 8.8.8.8 gets WAN2, which is correct, and if I look at 1.1.1.1 it also gets WAN2.
So there is something wrong. It should give them different links because we changed the policy. Let's try again; they need to get different links.
Let's see again. There is 10.0.1.x going to 1.1.1.1, and they give it WAN2 again. And let's try 8.8.8.8. Now the destination is different and they need to give it a different link, but there is something wrong; I need to figure out why. Again they give it WAN2. It means the rule is not applied correctly.
So let's see: `config system sdwan`, sorry, and `set load-balance-mode`, source... Yes, I chose source-ip-based. By mistake I typed that one; it should be source-dest-ip-based. Now it's okay. Source-ip-based means wherever they are going, give them one link. Now I changed it so that if the source is the same but the destination is different, give them a different link. Ctrl+L, let's capture the traffic again and try.
If I ping 8.8.8.8, okay, this time they give it port1, which is correct. And if I ping 1.1.1.1 they give it port2; here is port2. Back in the logs, 10.0.1.x going to 8.8.8.8 gets WAN1, and the other one will come now; it gets WAN2. It's still showing the old logs, 48 seconds ago, so WAN2 will show a bit later, but anyhow you can see it coming: port2 here and port1 here.
Port1 is this one and this is port2. Let's go back to the firewall and refresh, because it's the old log; when the new log comes I can show you. Let's do it again. Now it's taking WAN1, and 1.1.1.1 is taking WAN2, so now it's getting different links. This is just the first test, to show you that when we go to different destinations it gives different links. Right now we don't have any rule, we don't have a health monitor, we don't have anything, but it is distributing the traffic on both links, just to show you the basic setup. We captured it with `diagnose sniffer packet any "icmp"`; any means any interface, and only traffic related to ICMP.
That's why it's showing me that; you can use this to verify. And also from Log & Report we see that WAN1 and WAN2 are both being used; both links are utilized. Now coming to the rules.
We discussed the SD-WAN rules theoretically; now we need to create rules, and it's up to you what rule you want. First, we will create a rule that if somebody is going to 1.1.1.1, manually give them WAN1 all the time. Right now, whenever I ping 1.1.1.1 they are giving me WAN2.
I will go step by step so that you can understand. Let me stop the capture, because it gets huge, then ping 1.1.1.1, stop and see. It's giving me port2, and port2 is 2.1, which is WAN2.
So I'm getting WAN2, and now I need to make a rule that always gives WAN1 if somebody is going to 1.1.1.1.
Let's create a rule. Go to Network > SD-WAN > SD-WAN Rules. I'm giving you different scenarios so that you get the idea. Here the implicit rule is at the top; there is no rule by default, only the load-balancing criteria, which we changed from source IP to source and destination IP.
Let's create a new rule and name it DNS-1.1.1.1, like I mentioned. Source: anyone from inside; you can specify a user group as well. Right now we have an HR group, so you could specify HR, IT, Sales or whatever. For the destination address we need to create one: create an address named DNS-1.1.1.1, IP 1.1.1.1, paste it, /32, any interface, click OK. Protocol number can be anything; you can specify TCP or UDP, Internet services, and applications as well. Here are the strategies I told you about: Best Quality, Lowest Cost, Maximize Bandwidth, and Manual. I choose Manual: manually assign the outgoing interface WAN1 all the time. If somebody is going to 1.1.1.1, for anything, from any source, from any of these users, always give them WAN1. The rule is enabled; click OK. So I created this rule and assigned the interface manually. But I need another rule for the rest of the traffic.
Create a new rule: All other traffic. Source can be all, user group I don't care, address all, destination all, Internet services can be anything, and manually assign WAN2. Click OK. Now the order is important: the DNS-1.1.1.1 rule has to be on top, because if the All other traffic rule is above it, 1.1.1.1 is also matched by "all" and the DNS rule is useless. So the order matters; you need to make a proper order.
So I say: if somebody is going to 1.1.1.1 from any group, user or source internally, always give them WAN1, and the rest of the traffic, wherever it goes, give WAN2. Before, when we went to 1.1.1.1 we always got WAN2; now we will get WAN1, because we changed the rule manually.
Let me start the capture, go to PC1, ping 1.1.1.1 and stop. Now let's see. You see, it's getting WAN2 again. Sorry, what did I give them? Yeah, it should be 1.1.1.1. Oh, sorry.
I think I did not assign this one. Let's see; maybe the user group is the issue, even though we are logged in with the HR user, but I'm not sure. Let's delete the group; the source can be anything. That is the only doubt I have.
Let's try again: close this, clear, start the diagnose again and try. Okay, yes, I remember: you need to clear the cache, `ipconfig /flushdns`. And there is also a command on the firewall, diagnose sys session... I forgot the exact command; there was a command. Anyway, it will work, because we cleared it from that side. Let's check again and ping 1.1.1.1, then close.
So it's correct now. You can see it's giving port1, because it's going via 192.168.1.1, whereas above it was going via 2.1. Yes, the command is `diagnose sys session clear`.
Now you can see it's taking WAN1 all the time; whenever I go to 1.1.1.1 it will get WAN1. And besides 1.1.1.1, if I go anywhere else it takes WAN2: you can see port2, WAN2, 2.1, and here 1.1, because this destination is 1.1.1.1 and here the destination is 8.8.8.8. It can be anything; it will go through port2 all the time. Even if I ping yahoo.com it will use port2 again. You can see it's port2 all the time for the rest of the traffic.
So this is hitting the rule. If I refresh you can see the hits here as well: 32 hits, on WAN1, because we pinged 1.1.1.1.
So it's taking WAN1 all the time for that destination. I just gave an example, but in the real world, rather than this DNS address, it can be Internet services, an application, or a source user. If your top management is going out, give them this link all the time; you reserve this link for someone. It's up to you how you use this logic. In the lab I said: if somebody is going to 1.1.1.1, always give them WAN1 manually. That's not a good idea unless you have a good link, because manual means that if this link is down for some reason, or slow, it will still take it, because you made a manual decision. But at least you get the idea of what you can do the manual way. And for the rest of the traffic we say use the other link: here is the All other traffic rule, which takes WAN2, and if traffic matches none of these it hits the default rule; there is an implicit rule as well, which is this one.
So we created a zone, made the interfaces members of it, and then created two rules to distribute the traffic manually. You can verify it from here too, by the way. Let me stop this. If you go to Log & Report > Forward Traffic, you see 1.1.1.1 is taking WAN1 all the time and the rest of the traffic, 8.8.8.8, 172.x and so on, is taking WAN2.
So you can verify from here. Done. Now let's come to the performance SLA, which we discussed: a health monitor that can monitor packet loss, latency, jitter and so on, using many methods.
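The two manual rules from this part of the lab, plus the cache-clearing steps that made them take effect, as FortiOS 7.2 CLI. This is an added example, not the lecture's own commands; it assumes the member IDs 1 (WAN1) and 2 (WAN2) from the zone configuration earlier in the lab, and the rule names are the ones the lecture uses.

```fortios
# Added example (not from the lecture). Assumes SD-WAN members 1 = WAN1 and
# 2 = WAN2 already exist in "config system sdwan".
config firewall address
    edit "DNS-1.1.1.1"
        set subnet 1.1.1.1 255.255.255.255
    next
end

config system sdwan
    config service
        # Rules are evaluated top-down: the specific /32 rule must sit above
        # the catch-all, or "all" swallows 1.1.1.1 and this rule never hits.
        edit 1
            set name "DNS-1.1.1.1"
            set mode manual
            set src "all"
            set dst "DNS-1.1.1.1"
            set priority-members 1
        next
        edit 2
            set name "All-other-traffic"
            set mode manual
            set src "all"
            set dst "all"
            set priority-members 2
        next
    end
end

# Existing sessions keep the interface they were first assigned, which is why
# the lecture kept seeing WAN2 after adding the rule. Clear the client's DNS
# cache (Windows: ipconfig /flushdns) and the FortiGate session table:
diagnose sys session clear

# Show each rule and the member it currently selects
diagnose sys sdwan service
```

Manual mode ignores link health entirely, so pair a manual rule with a good link or accept that a dead WAN1 still receives the 1.1.1.1 traffic; the SLA-based rules later in the lecture are the fix for that.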
We will create one SLA, and the protocol we will use is ping. I told you that you can use other protocols as well, through the CLI; here it shows only HTTP and DNS. We will ping the target continuously. We discussed latency, jitter and packet loss, so we will set some values, and if the threshold is crossed, this one is in milliseconds and this one is in percentage. And here we give it both links; I did not mention that. First we need to create this SLA.
Go to Network > SD-WAN, and there is Performance SLA, the third tab. Expected loss, latency and jitter, which we discussed; some are already created by default and you can create your own.
Let's create a new one and give it a name, say SD-WAN SLA, whatever the name; we will use the ping protocol. Let me just call it SLA. The target is 8.8.8.8, and always remember the participants: we have WAN1 and WAN2. You can use one, two, or if you have more, all of them; I choose both. This is my target. Latency threshold: let's set 50. Jitter threshold: let me make it 20, no, let's put 30. Packet loss 1 percent. What else? Check interval, which is 500 milliseconds, and failures before inactive, which is 5, as we discussed, and restore link after 5 checks: if the link is available five times they restore it. And update static route: it has to be enabled, so that if for some reason the target is not reachable they remove that link's route from the routing table.
So these are the settings and our SLA is configured.
This is our SLA; right now it's not showing anything, it will show a bit later. Now we need to go to the SD-WAN rules again and create our own rule. The previous ones you can disable, or delete, because otherwise traffic will hit them. Let me disable this one; we don't need it. Now create a new one.
Let me name it SD-WAN rule. The source can be anything, user group we don't care, and for the destination I give all; we don't care about the destination either. Protocol any. Strategy: Best Quality or Maximize Bandwidth, whichever you choose; we choose Maximize Bandwidth. Interface preference: first choose WAN1 and then WAN2. Required SLA: the one we just created, named SLA. Status enabled, and click OK. It should be on the top; the other one is disabled anyway, but better on top.
So the rule is: if the source is anything and the destination is anything, use the criteria, choose WAN1 first and then WAN2, and what is the SLA? It will check 8.8.8.8 continuously from one WAN and from the other. You can also view these two like this, so it is more visible.
So I say: continuously ping 8.8.8.8 from WAN1 and from WAN2, decide the best link based on latency, with the thresholds we gave, 30 milliseconds jitter and 50 milliseconds latency, and based on packet loss, and send the traffic on the best one. That's the only thing. This is called a health monitor. We are using ping to decide which of these two links is the best one. Click OK.
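The performance SLA and the SLA-based rule the lecture configures here, as FortiOS 7.2 CLI, with the diagnose command that shows the per-link measurements the GUI graphs. This is an added example, not the lecture's own commands; it assumes members 1 (WAN1) and 2 (WAN2) already exist, and the health-check and rule names are the ones used in the lecture.

```fortios
# Added example (not from the lecture). Assumes SD-WAN members 1 = WAN1 and
# 2 = WAN2 already exist. Thresholds are the lecture's: 50 ms latency,
# 30 ms jitter, 1 % packet loss; probe every 500 ms, 5 failures to mark a
# link down, 5 successes to restore it.
config system sdwan
    config health-check
        edit "SLA"
            set server "8.8.8.8"
            set protocol ping
            set interval 500
            set failtime 5
            set recoverytime 5
            # Pull the route via a dead member out of the routing table
            set update-static-route enable
            set members 1 2
            config sla
                edit 1
                    set link-cost-factor latency jitter packet-loss
                    set latency-threshold 50
                    set jitter-threshold 30
                    set packetloss-threshold 1
                next
            end
        next
    end
    config service
        edit 3
            set name "SDWAN-rule"
            # GUI "Maximize Bandwidth (SLA)" is mode load-balance in the CLI;
            # "Best Quality" would be mode priority.
            set mode load-balance
            set src "all"
            set dst "all"
            # Preference order when both members meet the SLA
            set priority-members 1 2
            config sla
                edit "SLA"
                    set id 1
                next
            end
        next
    end
end

# Per-member latency, jitter and packet loss as measured by the probes;
# this is what the Performance SLA graphs in the GUI are drawn from.
diagnose sys sdwan health-check

# Which members currently satisfy the SLA for each rule, in preference order
diagnose sys sdwan service
```

With Maximize Bandwidth, both members carry traffic while both meet the SLA, which is why the lecture sees pings to 8.8.8.8 on both ports until one link is suspended or impaired; once a member breaks a threshold it drops out of the rule's member list, and `diagnose sys sdwan service` is the quickest place to confirm that.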
If I go back, here you can see it's almost 65 and 65; one is a bit slow, 33, and this one is 1.524 milliseconds and this one 1.64. So you can see the latency, and you will see the report here as well; they are continuously pinging, so you see the latency. That's the latency, and this is port1 and port2, and you can see the detail if I drag this. Sorry, I thought it would make it bigger; it doesn't. Click here. It's almost the same, not a big difference, but anyway we can create a difference: 2.6 and 1.7. They will choose based on these criteria, packet loss, latency and jitter. This is the dynamic way and the best way to choose; they decide which one is the best based on packet loss, latency and jitter. How do we check this? First, from any PC, ping 8.8.8.8 and 1.1.1.1 or whatever and see which link they send the traffic on. Then we will make a change.
Let's go to our internal system. Now the situation is different, because now we have an SLA, so it may take only one link. Let's ping 8.8.8.8, Ctrl+L, and see which link it takes. For 8.8.8.8 they choose both; they are using both links at the same time. That means both are the same. Let me go to Log & Report > Forward Traffic and look at the 8.8.8.8 pings; they are not yet available. Let me ping 8.8.8.8 again and go back and see. I just want to show you once, then I will explain.
Still we cannot see the logs; this is from a minute ago. Let's see what we can do. Stop this, even though it's using both links, and `ipconfig /flushdns`, because if the entry is in the DNS cache it will use that first. Here it's clear: 8.8.8.8 is using both links, as you can see. I just want to show you graphically as well. Still I cannot see it; 8.8.8.8 on WAN2 is just the old one. Let them come up; let me ping continuously. It's very hard, the log is not showing quickly. Let me filter by 8.8.8.8 as well.
So you can see it's using both links, even though it says ten minutes, the duration will come. It's using both links right now because both links are almost similar. For some reason I cannot see the traffic here as clearly as in the diagnose output, where it's clear it's using port1, 1.1, and port2, 2.1; this is just to show you graphically. Now it's come up: 12 seconds ago, going to 8.8.8.8, using WAN1, and I need the other one too. Anyway, it's using both links because both are similar right now. If I go to Performance SLA, both are almost similar: 3.0 and 3.466, and packet loss 0 and 0 if I click on packet loss. Almost similar: no packet loss, latency almost the same on both links, and jitter, one link is a bit higher. This one is port1 and the green one is port2.
So there is a slight difference, but anyway we can create a difference now. You get the idea. Traceroute will be better.
Let's do tracert 8.8.8.8 and see how the traffic is going; it may show us either 1.254 or 2.254. It shows 192.168.1.254, so it's using link one; link one is considered the best one. Let me stop and do it again to see which link they use this time: 192.168.1.254 again, and again 192.168.1.254. It means WAN1 is better this time. And if you look, it's almost the same, 10.0 here and 10.4, and 66.48 here, but anyway this is the good one.
So at the end of the day WAN1 is good, and that's why they chose WAN1. I tried three times and they chose WAN1, saying WAN1 is better. Let me do it again; why? Because now I will change the jitter and those values. Again they chose 1.254. Now let's do the test. What I can do from WAN1 is increase the jitter, or let me suspend it first.
So which link are they using? WAN1, here. I need to show you two things. Ping 8.8.8.8 continuously; we know it's using WAN1. Let's go to WAN1, the link here, right-click and suspend, and go back to PC1. I suspended that link, so it is not available. There is a slight drop, one or two packets, which in the real world would not happen like this, and now it starts again; it means it switched. How do I know? If I trace it again it will be 2.254 this time. Yes, you can see 192.168.2.254. If you cannot see it, let me bring it closer.
So it is 2.254. Let me stop and show you the previous ones: if we go up, it was 1.254, and when I checked again it was 1.254, three times I showed you. And now when I start pinging and disable the interface, meaning WAN1 is not available, there are a few drops, which in the real world there would not be, this is a simulation, and it switches: the SLA told the firewall there is a problem, so it changed the path.
So it changed the path. This is the first way: if one WAN link's interface is down, it will automatically switch over to the other one. Let me bring it back. And if you go to SD-WAN it will show you the details here as well, the jitter and all those. There was a huge difference because one link was down; in latency and jitter you can see a huge difference, 91 versus 0 and 0, and here 67 and 68. But I brought the interface back and now it's similar again. Now I need to change these three values, packet loss, latency and jitter, and then I will know whether SD-WAN is working based on these criteria or not. That is the better option to show it.
So what I can do: let's see which path they are using again. Clear and run traceroute, and see which path it uses. Now it's using WAN2; okay, no issue. Let me stop and try again, three or four times, to make sure which link they are using. WAN2 again. Stop and do it again. Three times; I need to make sure which path it takes. Again it's using 2.254, WAN2. Okay, great.
So if I ping from here it will use WAN2. Let's change the values of the WAN2 link, the one they are using: right-click and edit the link quality. Here we have delay. Which delay did we set? In Performance SLA I gave latency 50 and jitter 30, so if they cross 30. Let's go to jitter and cross the 30: give it 50. And packet loss, I gave 1%; if the packet loss is more than 1%, so give it 2. What else?
This is one side of the link; I changed this side, so I need to change the other side as well, just to make sure. Either way it's not an issue. So jitter 50, packet loss 2, and delay 60, and delay 60 again. Why twice? Because this port and this port are the two ends of the link, so I configure both. Even if you configure only one side it's also okay.
So it crosses the thresholds here; let's apply and save.
So now I changed the values. Let's go back to PC1 and see what they will do this time, whether it switches to WAN1 or not, because now we have latency, jitter and packet loss beyond the thresholds. Will SD-WAN switch over automatically, as we discussed theoretically, that it does all this automatically based on jitter, delay and so on? We can also come to SD-WAN > Performance SLA and see it here. Packet loss on port2, by the way, we changed WAN2; you can see it's here. Latency is now 174 here and 66 here, and jitter 53 here and 3 here.
So based on these criteria they now need to choose WAN1. Let's go back, stop, and clear the session, and now you can see they choose WAN1 automatically. If I do it again, it should switch automatically to WAN1. Yes.
So it switched to WAN1 automatically, and not only for this PC: if you try from the other PC, based on the criteria, SD-WAN tells it to use WAN1, because WAN2 has more jitter and delay. Let me check from there as well and see which path they take: tracert 8.8.8.8, and you can see it's also using WAN1. It's proof. And from here you can see the jitter, the latency and the packet loss values, and the thresholds as well; based on these criteria they are switching over to WAN1 automatically.
So it's proof that if the values change, they automatically change the path; now they switched over to WAN1 based on packet loss, latency and jitter. Now let me bring the values back and remove the impairment.
Definitely it will become the same again. Edit the link quality: zero, zero and zero, as it was before, and click save and apply. I hope it becomes the same after a while, because it takes time. Still there is an issue, so let's wait and see. Yeah, it's almost similar now. Let me refresh the Performance SLA. Now it's okay.
So now they will decide again, even though WAN2 still has some leftover values because we changed them. You can verify from here, and here is the rule we created: WAN1 is the most used; the hits are coming on WAN1, because it is the one with low latency, as it shows here. They use this link most of the time. That's it.
So this was SD-WAN: if you have multiple links you can combine them, create a health monitor, and create a policy and rules, and based on that rule, if one link is bad it will switch over to the other one automatically. You can also do it manually, or based on Best Quality, or based on Lowest Cost; it's up to you. This time I used Maximize Bandwidth. It can be Best Quality as well, the one with the best performance; it will give almost the same result, choosing the one with the best performance based on low latency and all those things.
So this was SD-WAN, which you can configure on the FortiGate firewall.