NSE4_FGT-6.4 Fortinet NSE 4 – FortiOS 6.4 – FortiGate Firewall V6.4 Part 13

53. Lecture-53:Policy,Source, Port Block Allowcation NAT Lab.

In sourcenet and policy inside the policy is in dynamic basically export block allocation. It’s the same concept like a fixed port but this is a block of allocation. We create block size and per user. And I told you how they identify this one here formula. Suppose we have external IP range from one to suppose one IP it can be range as well. And block size is 128. So per IP how many we have? Because we are using one IP so divide 128 block size by that 60 4116 so total possible block will be four, seven, two because one IP and one IP we have 604-1641 IP.

If it is two IP, then you have to multiply and then one divided by 128. So how many we have a block size four, seven, two and block per user. And suppose we have eight user, so 128 multiply by eight so we almost one zero twenty four per user, maximum port number you can understand? Yeah this is a difficult one, it’s like a fixed port but this one this time is per user and block size they allocate them. So then how you can find out that maximum number of internal IP can be handled. So divide this one IP, one IP, how many port they can afford to 60416 divide it by per user.

So the user is 100:24, so 59, so 59 IP can be handled by this block size and block per user. Anyway, you will not understand this one. I don’t know how to do it. So this is the dynamic one. The last way to configure it, you can use single IP and you can use range of IP. How we can configure them? Again you have to come to IP pool, create IP pool, create new and the last one is this one port block a location click on this one, give them suppose 100 and 921-681-1415 and 109, 21681, 114, 1114 is my external IP. Okay? And I will use one IP. You can increase and decrease this one per your requirement and per your IP range and okay and go to policy again we are using inside the policy net and choose dynamic remove this one. By the way you can choose multiple as well. It’s not only so it will apply one then will the other. So it can be one only and dynamic.

Anyway port, block education and okay and there will be no such difference. Everything will be accessible and only one IP will be used. But they have located them a block of IPS to use. So everything is accessible amazon, Wikipedia, everything and even if you try from server, server is pinging and even from R one it will work okay and if you check from here admin one, two, three get system session list. So you are using only 150 IP which we assign them and again we are using source net destination there is nothing and these are the IP one this is two IP and there should be three Ipswell and four Ipswin. It should be at the end somewhere. This is two, this is Port and this is three. All of them are using one, but Port is located per block size and also you can verify graphically if you come to 40 view. All session is the best place to check them. 151 and it’s better to change the source. So check by one by one IP, so one is using 150 and if I change to two so two is also using this IP and I have PC three is also and I have PC Four as well. So they are also using the same source IP.

54. Lecture-54:Source NAT, Central Secure NAT (SNAT).

Last time we were doing source net, okay? So in sourcenet we done static net, okay, which we call them pay it as well. Either to use only one IPO interface, then we done dynamic net and dynamic we done overload. Then one to one fixed portrait and then port plot allocation. So related to source net we have a new another concept which is central net. S means secure net. By the way, it has to be used for source net, but the name is Snead. Either secure net network Address translation so rather than to apply everything inside the policy, we can create a central net. The name also suggests central net, but this central net, we will use them to translate source and source net is those things with the header source IP either the source code change, we call them source net. So let’s go to SNET.

The same policy which we create last time, we will use their policy update Topology inside we have 192, 168. 100 is assigned to my inside interface which is port number two and port number one which is external. And I am also using the same for management as well. One one 1400 is external magnet cloud range. In your case it can be different, but you can keep this one and you are left the same, it’s okay. But you cannot keep the same until and unless by chance both range are same. Either you can change your range to my one. Suppose if you really want to follow my topology. So what you can do, you can change your net. This one, my one is four four one you can change setting, okay? And here you can when you click on net here’s the range, in your case it will be 192, 168, here it will be something else. Just put 1114 and apply, okay? After that your range will be the same like my one. So in case you want otherwise, you know, it’s not important. And that’s the gateway which I am using. So it will be changed automatically to that one, the gateway as well. So this is the range.

Outside I keep one server which is ten range, it means 1114. And this I just show you this my next hob. And 20 is another system. When you click on it edit configuration you can find S 20 and I’m willing this one. And inside I have PC one with one, IP 192 and 60 at one, PC two with two and server one with three. And I have a router today we will use them, okay? And we will assign them and we will make them as a telnet server. I have FTP and Http server which is this one. And outside we have also FTP and Http server which is this one and PC one. PC two is using as a client which is web term. You can use web term here it’s the Websterm and toolbox is this one. This toolbox and this is the toolbox which uses as a server and we have a client as well outside so let’s go. We already assign IP address so if I go to console so there’s the outside IP which I’m using for management as well. So let me go to any browser and access this firewall type the IP and username is admin by default. One, two, three I put the password so because I reboot so remind me later when you shut down the system not properly so then it will show you this message but it’s okay so let me go to quickly to revise.

These are my two interfaces which we are using. So LAN is using 100 only ping is allowed and LAN is one 1400 which allowed for management access as well. That’s it. We already configure DNS, which is so easy. Eight eight and one. One we have a DNS, and also we have a strategic route which every traffic will go to 1114 two, which is our next hub. This one. And definitely we have a policy to go to policy and object IP four policy. So here we have allowed policy and we left last time with this one port block allocation. Okay we done with inside everything with every combination of net now we will do central net so I cannot see central net from anywhere. If I go to network there is no central net I can see and if I go to system I cannot see central net and if I go to here security profile so nothing, there is no central net. So basically by default central net is not enabled. So what I need to do I need to go to system and there is setting OK go to setting and you will find when you go down last time we discussed next generation firewall mode so I already told you about a little bit there as well. About central net. So Central Snat is here. Click OK and apply. And now you will see central network, which is we cannot see again. Why? So even though I enable from here, if I go to system again setting and let’s see central net is disable again. Okay, so it means there is something wrong.

So it means let’s say your changes is being saved but when I come here and see it disabled so it will never give you graphically any error. What is the error? The central link is not going to enable so the best approach is go to here either here is up to you, it’s give you a CLI extra see here as well CLI console and also I can go here. So this one is white, it’s better so admin and one, two, three because everything we can do through command as well. So let me go to config and system setting. System setting and enter. Here I will say I want to enable set central net. Sorry. Central net. I want to enable this. Just like I click here and enter. Now it’s better approach now they give me that okay cannot enable central net with firewall policy using IP pool so they never give me this error here otherwise I will remove that thing so far something you have to go to CLI like this one is clearly said because you are using IP pool what is IP pool? You remember last time we done maybe you forgot but when we were doing net where is net? Yeah so last time which we were doing net so we use this IP pool you remember? We create fix port. We create overload. We create one to one. We create port, block location. So they said it no until in Ayze you cannot enable central net when you disable your IP pool, which is used in the policy because Central Net will be not used in policy right now. Everything we done inside the policy. You remember when we go to various security rule and policy, this IP Four policy. So Net was inside the rule. It’s here and even though it’s showing here, we are using this one.

So they say if you are using IP pool either from there either you can find from here fixed port is not used. Reference means we are at used overload is not used one to one but this one is used port block education it’s mentioned here one how we can find click on this reference so when I click on reference they say you are using this rule. We can use the property where it’s used it’s in allow our policy. You are using this one here. So either from here delete don’t use and okay now it’s zero. So it’s okay now this will not give me an error. Either you have to go to policy and remove from there, which will be removed now because I removed them. There is no policy now, so it’s not used there now anymore. So IP pool is used for the inside the policy or so far outside as well. But anyway, we use them in inside policy. Now I can enable so up arrow enter now. This time is not given error and end means save this. Command and get out from here. That’s it. Now, I will see central net. If I go to network okay, refresh. And if I click on sorry, it will be in policy, in object. So if I click on policy and object central Snat is available now. But you know one thing more.

Change destination net with virtual IP. They see destination net and virtual IP if I disable if I go to system setting and disable central net the destination net with what was the destination net and virtual IP. It will become only virtual IP. So let me go to central net and disable it. You will see the difference now. Because you will be confused sometime. There to look at now is only virtual IP. But if I enable central net apply so virtual IP will become destination net and virtual IP where is policy and object locate. So keep in mind, things are changing when you do enable something most of the time. Okay, so now destination net and virtual IP available. But we will go to that one later. Now right now my target is a central Snat. Click on Central Snat. But what is the difference? If I create a policy, it will be a net there. Let’s see, look at there is no net command anymore. It says central net is enabled. So net sitting from matching central net policy will be applied. So it means no need a net inside the policy. Last time, whatever we done, we done inside the policy. Now let’s say this is outside the policy rule for net, no more inside in every policy net rule. Now let’s go to a centralized location which is called central SNET secure net and central means centralized. So no need to create a net, it’s not available.

If I disable central net, there will be net available in every policy. Keep in mind, which is not anymore. Because I enable central net, it’s okay. So I don’t need to create a net inside in every policy. But we are still doing sourcenet. So SNET can be used for source net as well. To translate my source IP. So what I need to do click on central Snat. There is nothing it say the ID number from to real source address, destination, translated address, original port and translated port. And you can enable many things like a commands, protocol number and status if you want. And you can search, you can delete and you can edit just like any other rule like IP four policy. And you can create many net for different purposes. How to create, click and create new. And here say incoming interface is LAN. They will go to when outside interface. My source can be anything right now I will say anything. They will go to anywhere you can specify as well. And here is the net. Look at just like a policy net. But it’s a centralized location. Everything is similar, like not an inside policy. Keep in mind this is a central net policy, not IP four policy. Here it’s asking IP pool configuration. Yeah, if you don’t need a net, then you can disable them for some reason. Maybe you are going inside your zone. Then you need of net. So use outgoing interfaces, the same concept to use my outside interface IP which is one 1400 and translate everything to that one IP which we’ve done in policy as well. But let’s see here then use dynamic pool and click okay, it’s the same thing is coming but centralized location, not in every policy.

That’s the difference. And in protocol, which type of protocol will go TCP, UDP, SSTP and specify up to two five five. You have a protocol number which I show you many times, like TCPs using six, UDPS using 17, and you can specify like icmps using zero, you can specify your own any, I say any and I want to go use outgoing interface to translate them. And you can explicitly pour map into specifically you can mention as well, but we don’t need that one right now. And if you want to come in and enable this is central net policy, not the policy like which we allowed something. And definitely we want to allow this rule. And okay, so my central first net rule is created, which is just like a policy net which we created inside, but that was in every policy inside. And this one is centralized location. And now let me go to create a rule. This time it will not require a net. So let me give them a name. I want to go from lane to vein because the previous was deleted when I enable central net so nothing is there. Lane to vent and source anybody from my inside when they go to outside all the time for any services. No need of name it will take from there automatically and no need of security profile.

We already done and log allowed all sessions that we can see them. Okay. And enable this rule. So now in every policy I don’t need to create the netted rule, they’ve done. So let’s try can my PC go from inside to outside? So let me console this PC one which is a web term ducker. Okay, for some reason this one is not going. So anyway sometime it will not work. I need to restart the GNS three so it’s better to use server as a console. It’s okay, we just need something to generate a traffic so ping from year eight. So it’s working and it will be named how we know? So if I refresh this rule you will see there is zero byte here. Now you will see some traffic which is hit by this rule. It’s 50 four, it means this policy has been used. Okay, how we can verify the source net? Same like we verify the other. So basically we went to 40 view in all session. This is the best place to verify a source name. So it’s a one three Win 2888 for ICMP internet control message protocol. Okay and destination port is this one and this the byte. But we need something else. So let me source net from here, source net address and let me source net port as well. I need something else so I allowed them here.

So bring this one here, is better to drag them and bring them here after here. So it will be good to see both IP okay, there is more space as well so bring them here is better. So my source is one three, which is this server one three. So when they go outside for eight at eight which is a destination address. So source net has been applied and this IP has been changed to one one 4101 1400 is nothing by but my outside interface IP because this was my central net to use the outside IP. Everybody by the way so let me go from another system from R one as well. So let me take a console to R one and let me maybe I assign the IP or not. Let me check. Yes, it’s already there so no need. And let me ping from here to@yahoo. com okay, it’s better because there is no DNS to use this eight. And now let’s go back here and refresh this one. Now you will see two IP okay? Because our other one is expired. So let me use this one as well. Now you will see two. So one three and one four both has been translated to one IP. That’s what we’ve done. 1114, 101, 114 so source is changed. So that’s why we call them source net because the source was what dot three and the destination was it destination is still the same but source has changed and only one IP is the interface one. So that’s why we call them interface IP is a pay it as well. Either static net as well not in other firewall we never call them a static net. There is a static net concept is different which I told you in last time. Okay, what else we need to do? Yeah, that’s it. So this is a central net which we use for source net. Let’s go back to source net again. Okay, let’s go to system sorry policy and object and go to central Snat again. This time we create this rule to use outgoing interface. Can we do something else with this central nest as a source?

So yes, there is a use dynamic IP pool and create here that’s our dynamic pool we last time created. If it is not there, you can create here either. You can come here IP pool which I done last time, but we use them in inside policy. So let me take which one one to an overload and overload is nothing but a range from 100 to 110. So it will give me more port. Because outgoing interface can only give you last time I mentioned what was this one can give you only these port number. But this time I say no, I need more. So how many IP? 100 to 110. So ten IP multiplied by this one. So that much PC can create a session. So this time central net I use dynamic the same concept like a policy but centrally and okay if you okay, now I have a range of IP. So this time if I check again, it can use the same IP and it can use multiple IP how we can verify 40 view all session and now you will see different IP. Look at 10 three SB news and 10 four SB news before, when we check, only one IP was used 100 because we were using in Central Net outside IP this time, just like think about like this time I gave them a range. A range is starting from 101, 921681, 114, which is a sign that just think about like this interface is now there’s ten IPS. So whenever the traffic is coming, it will pick any IP from this.

And one IP can support up to 60416 port. So ten IP can support more ranges to allowed outside and create more session. That’s the only thing we need a dynamic range which I show you last time. So can I do something more with the Central Net which we don’t like in policy? Yes, the same concept. This time let me go to Central Net and change the rule. And there is overload as well. Click on here, one to one as well and one to one is support 221, it means and one to one we discussed that it only allowed the range IP. So in this case two to 20 one, only 2% can go outside. You remember this turia because extended IP range is only two. So if I say one to one, so it means two people can go outside at the same time. So definitely we have two systems, so it will go and the system is already going. But if I try a third system, it will never go. But I don’t know, my system is not running if it can run, no. So I need to restart anyway if I try from here, so it will never go.

Okay, but anyway two IP is still going because we have one to one session and only two IP are allowed either I can change the range if I go to IP pool and one to one and make them 200. So it means only one person can go on the same time. So if I try from here, it will not work. This one is working, r one will not work. Look, it is not going now and I told you last time, what is the difference between one to one which we created last time? If it is not created, then you have to create here. You remember this story? This one dynamic has so many range. This three dynamic range overload one to one fetch port. So it means you can use this dynamic range inside Central Net. But last time we done this one in every policy. Now this one is in centralized location, that’s the only difference. Okay, so now only one system can go. Let’s go back to Central Net and can we do something else? Okay, so yes, we can use port block allocation in which we don’t last time we need to repeat everything and you can put restriction to use TCP only. So if you repeat traffic, it will be not native and you can specify your own as well and let me make this one is outside okay? Either. Not outside. Let me make them one thing more to clarify you. One more thing. Now, I’m using one to one. So one to one means to allow. And I put only one IP. So that’s why this system will not go because Server has already reserved that IP. One IP is allowed and one is IP there using this system. This one is blocked this time. This one is using? I think so. Who is using? Let me see traffic is going or not control C who is using? I think so it’s stuck. So I need to refresh. What I need to do, I’ll session and remove it. I need to show you another thing. That’s why so I think so now Server One will start working it. Will go outside control in eight eight eight. None of them is using and it’s not going. So let me see my rule design done something.

Okay, so lend to when one to one use dynamic. Okay, sorry. I say only TCP and this is what is ICMP. So by mistake I put this one so any and now you will see the traffic from server one so they are using and r one cannot use them. So it’s not using. I need to show you one more thing. In Central ledger doesn’t mean that you can create only one policy. Create a new one. And this time again, it’s going from when going to when. And source can be anything. Destination can be anything. And they are using outgoing interface this time. And it can use another thing as well. Okay, so now I have two policy. It will check from top to bottom. So before router was not working. It will start work. It has to start work. By the way, this one is going and where is I close R One. So let me go to R One console. Okay? For this I need to clear the policy first means it will check from top to bottom. Let me put this one on the top, like a policy. Okay. And let’s try now. It’s okay now. Yeah. This is what I need to show you. So both are working. Now, this one, the yellow icon, means that this policy has been hit and which is not working, means the error exhausted legally. So you can create multiple central net.

It’s like a policy. It will be checked. From top to bottom so R one was not working because that time I have only one policy now I have two policy this one allowed many IP so it has been ahead the other one is by head because it’s been already created so if they are using this one and R one is using this policy how we know? So let’s go to 40 view so one will be 200 the other will be 100 IP okay, it’s using by the way both are using same so by the way, the session was already there. I don’t know why. Anyway, whatever, but they are using both the rule. It can be both the rule, but let me do it in one thing more. I need to show you something. But if it is whatever I want to show you, if it is work like that, okay, it’s not hitting this time. So if I put them on the top, then it will not go to the second policy because it’s like a policy. So central net is nothing but like a policy which is from top to bottom. It will be checked.

This might want to show you. Okay, what else in central net let me go if I missed something in central net so this was our topology. We log in. You need to create a DNS default route which was already there. And these are the protocol which you can allow through and you need any policy inside. And then we test them and we can see from all session the traffic and also from the command by the way, which I missed to show you. So admin ten, one, two, three, show. Sorry. There are two things which I will tell you in next class about command, all about the command. So list. So here you will see source net destination is still empty and next class you will see here something, but here is nothing. So they are using 100 and going to eight, okay? And UDP traffic, ICMP traffic, whatever they are using. And it means translated to this IP and going to DNS. Okay? And this one is also translated to one dot, sorry, 100. That’s it. So this is a central net, okay? We call them SNET means secure network address. Translation.

• Category: Uncategorized