NSE4_FGT-6.4 Fortinet NSE 4 – FortiOS 6.4 – FortiGate Firewall V6.4 Part 9

45. Lecture-45:Policy-Based Mode for Default Services.

Policy based mode deferred services. You know, there is default services as well. If I click on this one, we already changed the mode. By the way, this one services I told you I need to show you what it means by F deferred nspecify we know this incoming interface means from where the traffic will come. It will come from LAN where the traffic will go. So let’s say when source, what is the source IP I will do a bit later destination where they want to go. In both cases I say all means zero zero and destination all means zero zero. And she told me you can put the timetable as well. Right now I say anytime, any day and anywhere service is now just the question.

So the service is let’s say that F deferred and specify what is F deferred means. So in policy based mode, F deferred means that every service has to use their deferred port number. And we know port number 6556. What is the port number? I show you last time as well. There are so many port number, virtual port number, port number, I show you so many times 026-5535. Every application is using their own port number and there is a full list. And I told you 1023 is registered for and so many things I told you. So every application like Http is using 84, four, three, telnet is using 23, SSH is using 22, DNS is using 53, DHCP is using 66, 67 and 68 and so on. So I can put restriction through policy that if some like a port hoping that Ingmar is somebody can do so, you can restrict those application. So, how can I show you?

So, I have an XP for outside. Okay, so outside, this is my outside XP which is using 100 and 921-681-1415. How I know this is outside? So I have two interfaces. Basically outside subnet, I have one four, my one is one three. And XP is using 1114 150 and they were defaulted out one three, which is our outside interface, this one. So how I make them? So basically in FortiGate you have two interfaces. Okay, if I go to interface so the first one is native which is outside. Second one is our lane which is in lane segment. So I put one XP in native mode the outside one. So automatically it’s commander native one. This is a netted one. And I put the other XP as a land segment. So it’s become under lane. Now this one and land segment. So one XP is inside which IP is one range one into 168 one which is this range. And the other one is 114113. So for outside XP gateway is one three. For inside XP gateway is 100. This is net interface, this is lane segment. So this is the basic connectivity outside XP. What I will do, I will run Zam server on a normal port on NTP httpd.

So if I check from inside, it will work because I’m using default port. So let me remove the policy, all the policies and let’s create a new one. So let me delete them, allow everything. Anyway, let’s do it. This one, modify this one. So from land to when all application default, even I can put the specific URL as well. And also I can put the specific protocol as well, like Https. This one, if you want to make them more space, https means the four four three and also 80. Pot has to be sorry, Https as well. Http, there is Http as well. Http browser says to be this one above one, this one port 80. Even this one is enough. It will work for both. So I say I want to create a policy for Http traffic for four four three TCP 80 port and four four three. But this has to be on the default port and default port. We know 84, four three and let’s create this policy. So my only single policy, I restrict them so that I can show you allow everything for specific only Http, which is port 84 four three.

So if I from here, access my outside XP IP, which is I think so 150 in the browser. 192, 168, sorry, from inside 192, 168, 1114. So web server will be accessible, yeah. So this is a server file, this is hosting NXP, this one. And I have a page here, by the way. So this why is showing me in Zim server. You can go to HD docs. This is my page. Let me edit them and put something. This is web server control is save and save. Let me show you again. It will say this is server. This is web server. So it’s accessible because we are using default port. And also the policy allowed only default port. So we are using 83. I can access by Https as well, because both are available https, it will give me a warning. But it will be accessible by both Https four four three and 80 port, because it’s allowed, okay? For some reason it has to be by the way, allowed. So let’s see, it has to be accessible by the way and both. Now, suppose if I have an application which is running not at a standard port.

So let me change this one. Let me show you why it’s not reachable. It has to work by the way, maybe it’s not enabled for some reason it’s stopping and starting. Let me start again. Yes, now it’s okay and let’s do it by the way, it will work on both http is your Https. Anyway, let me keep this simple on Http. So this is a web service, okay? If I change my port eighty s to nonstandard port, let me go to Apache and change the port to suppose 80, 80. Normally you will see this type of thing and save and let me stop and start again. Now I’m listening on at 80 even though I have Http. Do you think I will be able to access this again? Let me try them. No, because I’m using 88. Okay, let me put 88. It will give me application. Look at 40 gate application ABC application is being blocked because application Http browser and we are using this rule. You remember I told them Http browser because I’m calling the application inside but I say services has to be deferred one. So they block them that no application is being blocked even if nothing is there, just I change the port how I can see.

So let’s go to user sorry, log and report. And also we can verify forwarding traffic as well. Here it says that one dot two, which is our inside XP going to 1114 150 outside XP for Http browser we deny them and why they deny them. So let’s take what is the issue? Policy violation. But to be mentioned simply are the policy violation method. So let’s verify from other places. Well, application control, maybe they can give us some more detail. So now I came to application control one two Is or XP inside one, one 4150 is outside, it’s been blocked and go to detail. So they say non default port use 80 80 so we can control port hopping attack on nonstandard port by policy as well. Now you may be thinking, and maybe Chandran is thinking most of our application are using nonstandard port as in our infrastructure, we have most of the application we are using nonstandard. So what we can do then you have to specify and also in parallel to such type of things are there.

So if you want to allow and you know that no the port they are using nonstandard port, then you have to go back to policy and object to go to security policy and the policy which you create for default port. Okay, this one, what you need to say if default instead of F default, change them to specify. So now you got the idea. What does it mean by F? Deferred means every application is using their default port. Specify means I will specify my own which is not here. So. Which I can do. I will create a new one with services that will open services. I will tell you services. Maybe if you find the time today, suppose TCP 80 80 normally when you create an object, it is better to give them TCP or UDP, better to give comments if you want to give them any color color and show in the service list. So when you click on this policy, it will show you DN the service list. If you say unchecked, it will not show there. But we need to see their category. You can put them in any category.

Suppose network services and this is a TCP or UDP. So if you have more you can click more and we will discuss new services in detail. But I just created okay source code always random, as we know, so no need to put the source code. So now it’s showing me here and choose this one rather than I told them that whenever somebody is going to here so we have a specific service in destination you will put the IP let me put them normally we do like this. What is my Server IP? You can type like a web server if you want to give them any color subnet and let me type 100 and 921-681-1415 is my server IP with 24 and any interface in OK, normally like this one and let me put this to destination always. You can put restrict the time as well source. You can put your lens of net rather into all we will do in slowly when we reach the array anyway. Right now I say allowed and okay.

Before it was not accessible. Let’s try again now this time and refresh. Look at now it’s coming. And it will not generate any logs because now we’ll tell them that we are using nonstandard port. So that’s why we use a specify rather than FD for if we make them like this, it will not work we specify then the port which they are using you have to specify and also we bring some more restrictions put a specific IP of the server and also you can put single IP as well, subnet as well. It’s up to you to make the policy more control means to bring more control. So let me go there this. Was our Insider PC going to Web Server, which they are using 83. So we use default one and we check outside XP and when we change the port number, okay, so it’s deny us from Application control and also we verify from some other places as well. And then we create our own port and we test them. And now it’s working.

46. Lecture-46:FortiGate Firewall Modes (Transparent).

40 gate firewall mode. The other was inspection mode. Then we done next generation firewall mode. This is 40 gate firewall mode. It means you can deploy 40 gate firewall into mode, native mode, which we call them route mode as well. And transparent mode. Transparent mode like like a transparent, like a bridge, like a switch. In Cisco we also call them transparent mode. In Palo Alto to farwell. We call them V Wire. Here we call them transparent mode. So you can deploy, but most of the time 99%, you will see native and routed mode, which is the default mode. But if for some reason some organization needs transparent mode, then you can change the mode. Netted mode or routed mode means that you are in the middle between two different subnet. You’re taking the traffic from lane and forwarding to Wayne. You are checking the policy. You are the gateway for every lane and you are in the middle between two zone, either more than two zone and you are working as a broker between the different subnet. You are providing the internet.

You can provide redundant internet link. It’s also possible through native and routed mode. You are also in routed in native mode, you can do policy based routing, you can do routing, you can do VPN, you can do side to side VPN everything. And that’s why this is the preferred one. And most of the time you will see them. If you want to fully utilize your 40 gate firewall, then you have to deploy them and route your mode and every Firewall by default coming in this mode. But for some reason, if some organization needs NS for their requirement, then you can change them to transparent mode. In transparent mode you will lose so many capability. You will work like a layer to bridge, you will work like a bridge, you will work like a transparent. You cannot configure SSL, VPN, DHCP, server and so many things you will lose. But still you can apply the policy. You can protect your two zone using transparent mode. The only advantages of transparent mode, there is no need to change anything in your network. It’s just like a plug in play. Suppose organization need that.

I need a Firewall, but don’t change anything in my network. Then change the firewall to transparent mode and plug them and it will start work. Then you can deploy 48 Firewall in transparent mode. Okay, this is theoretically there are two difference between routed mode and transparent mode. Routed mode whatever we done up to this point, from the first lecture to till today lecture, the last lecture which we had done, everything was in netted mode. So the only thing left, how we can change the Firewall mode to transparent mode, that’s what we will do. So in transparent mode, you cannot assign IP to the interfaces. Then what the hell is this? Then how we will access the Firewall if there is no interface no interface IP how I will reach to the device? So yes, there is a way management IP we can configure but there will be no IP on a lane interface. There will be no IP and a lane interface. It’s amazing. And then still you can access them through Management IP. Even though there will be no IP on the lane, no IP on the way, no IP on any interface.

So how we can do this? Let’s go to Lamb and do a transparent mode deployment. So I need a 40 gate firewall. This is the one which we have. And what else? Media. That’s it. Another thing I need inside PC so let me take window and let me take Windows Seven and let me change them to RDP so I can access Windows RDP and I need one outside. This is my internet I will use here. Management is the outside my this one. So my outside is port one, my inside is port two. Okay? And we have XP. Let’s say this is the only thing I need. Yeah, start and start normally. What we do in netted mode we assign IP here, we assign IP here, then we assign IP here and we put that one as a gateway and then this lane will reach to the outside because there will be net enable and routing enable DNS enable this the normal procedure we do. But this time I’m doing something else as a transparent first let me access this device is a native mode because by default is coming is a native mode. So how I can access double click and go to 40 gate because on port one it will get IP automatically. As we know by default is getting IP because DCP is enabled and also Management is enabled on port one. So let me access them. It will take some time, so it’s better let me assign IP which range we will use.

So one dot one I will assign to my Windows Seven is the IP and because we cannot assign as a transparent support IP, but I need Management IP so that I can access this device and do changes. So Management IP will be suppose 100 this is my Management IP of this device which will not be assigned to any port. By the way, I will show you. So it’s come up now admin there is no password. Enter new password 123123 and show system interface question mark on first port I get IP through DHCP and also on first port everything is enabled. So let me type this IP here and access this device. What is the IP? Do I type rangi 192 one system. Okay, it should be as http not https is. I told you this not a registered device. Edmund one, two, three it will ask me to change the name. So let’s change them the name, otherwise they will tease us all the time. That’s done. So I access them to this interface. And let me show you on which mode we are. Look at mode is nate. So by default is native mode. Either we call them routed mode, but I don’t need this one. And also in native mode you have to assign IP separately to every interface. And also different subnet.

So this one is 1114. If I click on put two, you will find IP address location here. Look at this here. After transparent, this will be not available. Keep in mind. So it’s not showing here. It’s showing like this. Because it’s a native mode. How I can change them. So it’s impossible through graphically some of the things you have to do at CLI. So unfortunately I will come here command based config interface. Config system interface. Sorry. Go to config system interface and go to port two. Port two and enable the services. I can do this graphically as well. With services set allow access http http ping telnet SSH that’s the first thing. Sorry, end. So same like and this interface which is ping and everything allowed.

I allowed on port two as well. If I refresh, you will see you can do graphically. This part you can do graphically as well. I’m just showing you from the command. Look, it is enabled now. Now the rest of the thing you have to do it from needs to change the mode. How I can change the mode from native to transparent. Keep in mind is showing here what is the mode. Native mode. Let me show you native mode. Now come here and go to config system setting and set operation mode. So operation mode they say native or transparent. Native is already I want transparent because I donate the changes. Now I need how I can access because everything is lost. Now I cannot access them anymore from this IP. It’s lost nothing. It will be not accessible.

Oh, yes. Because I am not out from here. So I need said management IP. This is the command and type 192, 168, 100. This is what we decide for management and set the gateway, which is the gateway. So our next hop is this 1114 dot 219-216-8114 dot to this our gateway. And that’s it. Now it will change the mode. It will show your message changing to TP mode. Now it will be not accessible on this IP anymore, because it’s changed. Now it’s not accessible. That’s it. Even I cannot access them from here. Now I need to go here because I allowed 101 hundred is only on port two. I am connected to this device through port one. So I cannot access from here this device anymore. And let me close this one. I need to go here to access this device, this management IP from my Len.

So click on this one. And now go to windows seven. And windows seven IP username is I think so user and password is test one, two, three. Testified username and password of EV ng windows seven user and test t capital one, two, three. So first I need to assign this IP which we decide one dot one, then I will be able to manage this device. So I am here. Now I need to go to someone from inside any system, go to properties. Okay, I don’t need IPV six, IP four and type 192-1681 dot one one and gateway 192-1681 dot 100, which is our management IP. And DNS is eight, eight, eight and okay, okay. And now I will be able to access the management IP and ping as well. 190, so 100, so yes, it’s pingable. And now I will open a browser. I will show you. You will not find this IP on any interface because guys become like a transparent, like a bridge between two different network. So the firewall mode is changed now, so 192 I will type here 192, 168, 100. Now we will access the firewall from inside subnet list the IP which is reachable from inside so and type admin.

Okay, so let’s see, the mode is changed to transparent or not. How we can verify? We can verify from our dashboard, so let them come, because it’s very slow from this side, so it will take some time to show you. Here you will find a transparent mode rather than look at mode is transparent. Now I change the mode, so how I can see the difference. Let’s go to network interfaces. Go to interfaces, okay? And you will see there will be no IP addresses and also you cannot assign IP addresses now anymore. So go to physical interfaces. This port one is the outside interface. Let me click on it. Do you have any IP? Here you will see no IP and also there will be no location to type the IP address. Nothing is here. Is there any way to type before it was?

Let me give them at least name when so that we know this is our when interface. In transparent I can assign and I don’t need Http in this one because this is not any more management, only ping has to be okay. It’s just giving me error. They say maybe we are using this interface for management, so it gives me a warning, but it’s okay. And my port two is management as well, and my lane as well. So here I will say lane but no IP. Again there is no IP concept anymore. That’s it. So my lane is okay, my lane is there. Okay. There is no IP addresses because this is in transparent mode again I still need a DNS service so that my lane PC can go to outside. So let me configure DNS just like a normal one. So specify, let me say eight and one one apply. Okay?

And I still need a default out, but which I already done, so no need to type again. You know, when I type default out there, so 1114 two is already configured. The only thing is I need a policy that my inside PC. This is my inside PC as well and also using for management as well. So let me try. Can I go to Internet? Because I’m intransparent, I need to go to internet. So I hope that will be not reachable because we need a policy as well. So go to IP four policy and create a policy. So it means policy is the same like naked mode. Click on this one, okay? And give them any name length concept is the same length but without IP outgoing. So there is no internet. It’s not accessible because there’s no policy.

When source can be anything, destination can be anything, services can be anything and we don’t care about this one, okay? And I hope so after this policy we will be reachable to Facebook. Yeah, now there is internet. I’m in the same PC, okay? I’m using this as a land PC as well and a management as well. So I allowed the policy. Now I’m accessible the internet. How I can verify same procedure. If you check the log forwarding log, you will see the log and forwarding you will see the logs. After a while it will come by the way. And also you can verify from dashboard and 40 view as well as the source. Who is the source IP. So one one is the source IP. It will come after a while. It’s the one one they were going to Facebook. So it will show you eight eight and also Facebook.

So it’s here and also which policy we use. So the island to win, it will show you the policy as well. In our session it will show you the station as well. Okay, this session and everything. And if you go to logs and report now it will show you forwarding traffic. It takes some time to come out anyway. After a while it will show you. And also from lane to DMZ you can see the traffic here as well. So the mode has changed, but still it’s almost the same concept. This is the destination, this is the source. Okay? So now it’s transparent. From here I’m going here. There is no IP and there is no IP, okay? This is my management IP only we need, but we convert them using CLI.

There is no graphical way to change from netted mode to transparent. And we check here is a transparent mode. Basically most of the time you will see native mode for 199% maybe in one case for some reason. So it’s showing me transparent. Let me go if I missed something. So we done this part. We change the mode showing you, then we go to our window and then we type and go there. And mode is transparent. There is no IP assign and any interfaces we configure DNS static route was already there. We create one policy and we check the Internet, BBC or whatever, and we check all the station and everything for TV. And so it’s working normally. Yeah. We cannot configure VPN because they require any IP to reach you. There is no IP on any interfaces. So some of the things which you will miss them in Transparent Mode, one of them is SSL, VPN, DHCP and also side to side VPN and so many other things which you cannot do it using Transparent Mode. Beside everything we’ve done that was in Native and Routine mode up to this point, beside this live. So that’s the only thing.

• Category: Uncategorized