NSE4_FGT-6.4 Fortinet NSE 4 – FortiOS 6.4 – FortiGate Firewall V6.4 Part 10

47. Lecture-47:Configure and Verify IPv4 DoS Policy.

Topic is IPV four Dos policy the same. We have IPV six Dos policy as well. We know dos policy. I believe you already know Dos Denial of services. And I show you a lab as well. If you want to bring down any services, anything, any network, any something. So for this purpose we are using Dos Attack denial of services and it can be any. It can be sink. Flooding attack. It can be sweeping attack. It can be. ICMP flooding attack. It can be ping of depth attack. It can be so many attack to use CDP Flooding Attack. If you want to down the switch. Make flooding attack. You want to down the switch. CDP flooding attack to down the router. Just for the example. So does to bring something down the same thing we can bring down the router other the services as well. So if somebody is going to attack on your devices on your server from outside to bring down the devices you can control them.

To use IP four Dos policy and 40 gate firewall they will check for everything flooding Attack scanning as well there is a text, we call them Reconnaissance Attack. Reconnaissance Attack means to search for open port. We call them Scanning like in map we are using because army like army means they want to attack some place first we call them reconnaissance. They also call them an army terminology. They search the place, they investigate the place, they get the information, then they attack. The same is reconnaissance attack. First the attacker will collect the data port scan and port detail, IPS detail everything. So they are using so many tools, we call them Reconnaissance Attack.

So IP four policy not only protect you from Dos Attack but from scanning attack either sweeping a tag we call them Dos Policy will protect from any such type of things. It can be sweeping, it can be scanning, it can be flooding, it can be anything. So this way you can mitigate your inside server in DMZ and inside from any sort of attack. To use IP four Dos policy in 40 Gate firewall we will use a small topology. I’m connected through net outside and I’m connected to lane segment inside. In real world it will be opposite, this will be here. Internet will be also here. Here you will be a so many server and DMZ and inside land and DMC server. So somebody will try to attack from outside to down your server to do attack.

But because for lay purpose I will use Kali Linux for inside and will do or take outside on my server which is outside XP but it will be opposite in real world, test will be outside and your server will be inside. Anyway, it’s okay, we adjust the test purpose just to create the policy opposite lead. So let me show you my topology which is mentioned here. So I have XP outside. So outside we are using this subnet IEP config this is my net subnet 1114 150 is my server and let me enable the server as well zem Server you can use any Zem server, VM server, whatever you want to use. Also there is a small utility to open so many port icecast. org start this one what this small tool will do, it will open so many port in this XP for a take purpose. So I enable this one as well. So my ad port is enabled my 80 80 let me stop them. Normally they checking for default port so it’s better to make them default for last lab. We change them here, you remember? So let me change them to 80 save and let me start again now.

So 84 four three is enable my SQL port is enable 113-43-3006 file zero if you want to enable file zero, a port is enabled mercury and Tom kit is also let enable those port as well. So many port will enable and also I use a small utility to start so many services. So many port has been enabled for a take purpose. Suppose you have a server, you don’t know which port is enabled so many things is enabled on your DMC server either inside Kali Linux in real world it will be from outside but in our cases in inside so I enable Kali Linux if I go there, it is in lane segment, okay? So I put them in a lane segment because this interface is in lane segment this one so I will assign from same range any IP and Xpout service from Lens net subnet I already show you by the way that you know so let me login root and toad is the password. Okay? So I need to assign IP address to Kali Linux first from the same range. So let me go to Kali Linux interface. Okay? You can use a terminal to assign IP address either.

It’s better to do it graphically. Here you will find a setting somewhere setting and the interface to configure them. So go to wire and setting and let me go to Ethernet and IP four setting manual. So we have already by the way one five IP and 100 is our gateway. So it’s good. We already have so no need to assign. Let me check them if we have this IP or not. So the command is Fconfic in linux. So one five and let me ping our gateway 192168 100 this is my gateway firewall IP. So yes, reachable so it’s done. My topology is ready and outside we have one one 4150 IP sorry, this one 1114 now if you configure IP four dash policy, anybody can down this services this server web server which we have here, we already enable Web server by sync flooding or take in two minutes I can down this server how? You already know? I show you as well? I think so if I open a browser and go to any browser and open this server and then I will attack to make them down by sync floating attack and so many other attack you can use. So let me type 109 216-811-4158 the Xpip where server is enabled. I think the rule is there or not. I think so I remove the services that we are reachable there or not.

So let me change the rule rather than import at because we allowed only 80 80 so this way it’s not going so allow all and make them all remove everything so all and done. Okay and let’s try again now it will be accessible. So this is a web server and let me enable and down them in two minutes so if we have already the command otherwise I need to apply the command. 150 is our server hping is a utility and Linux it will generate sync flooding a take. If I go to web server this server will be not reachable. After a while it will down because I’m doing a Dos attack this server will become down. Look at the connection is time out. If I stop the attack sync flooding attack it will be accessible stop and refresh it will be accessible now after a while because so many sync they are receiving so many files they are receiving so they are not responding every they cannot respond to every packet. So it has become down. After a while the server will be up again because there is no more request again did I stop the server? Yeah so it has to be baked now? Yeah okay so let’s refresh it will come after a while because it receives so many sync yes available now if I generate again sync letting a take again this server will be down. After a while it will be not reachable again.

So it means we don’t have any protection. If somebody from outside attack on our web server which is in our side is again down let me stop the attack. This is one of type of Dos attack. There are so many attacks of death attack as well ICMP flooding attack as well. But in this case we have a web server so we make them down. So now what I can do as a security engineer I need to configure Dos policy that nobody can do such type of attack on our inside server. So let’s protect that server which is in our infra what we can do? So there is go to policy and object down you will see IP four dots policy click on that one. It’s a separate policy, nothing is configured that’s why they attack on us. Click on create new and give them any name. Suppose dust protection whatever you give them a name ncoming I told you in real world it will be from Wayne to lane but here I will say it’s coming from lane and source can be anything. Destination can be anything. Services can be anything.

Now it’s starting the policy. They say L three means layer three. These two are related to layer three. Like a source station and destination station. And then layer four. Anomalies. Anomalies is nothing but a sensor. Just like a sensor, it sends something. The sensor name IP source session and IP destination. So these are sensor when they sense IP related source session. How many different thresholds? Suppose ten I say and ten I say if you sense that somebody from source IP generating more than ten packets per second, what action you need? First we need to enable logs so that we can see what happened so I enable logs which we can see logs from here test the logs so this one is related to logs logs means it is logs which alert generate and you will see the message and sock and also, you know, the monitoring. This part is action which action to take disable, which we don’t need now. It’s disabled the policy. Block. Yes, we want this one. Either. To monitor.

Monitor means it will monitor. It will generate logs, but it will not take any action to stop the attack. So it’s not a good thing. So it’s better. For lay purpose, I will say block, and that’s my threshold. Threshold means how many packets per second? So I say ten because I want to see the traffic quickly otherwise in real world they have a specific scenario. If I mentioned something, the default here is the default one 2000 picket per second normally for TCP Sync Flooding Attack you can use 2000 threshold Normalists again depend on organization, how many packets they want to see and to consider them as an attack but here I said ten. So source session if a source IP is generating, they’d much traffic per second block it IP destination session. If a source is generating, they’d much pick it to hit a specific destination. Ten packet per second. Consider them and block them is or take silver two anomalies as a sensor is a layer four session. Again, I want to block all the thing. I want to enable log like layer three TCP sync floating attack. I just done sync flooding attack. Let me show you.

By the way, I didn’t capture the packet. Let me show you why you will see it. So if I earn the wireshake basically TCP is using three way handshake sync, sync, acknowledgement and acknowledgement three thing so I kept your item. So I’ll show you this some other lecture. So if I visit this one so it will be three way handshake. You will see this one sync, sync, acknowledgment and acknowledgement.

If you want to see more magnum, TCP so sync, sync, acknowledgement and acknowledgement. Three things three way handshake. Sync, sync, acknowledgment and acknowledgment. But in the case of attack, it will be sync all the time. Only this was the attack. Where is the attack? This one, where is it? Let me go back to typed. Come on. This one. But let me make my IP now. You will see so many sync picket. Look at Sync. So this is called sync flooding attack. Let me stop it. It’s enough to show you where is control C. So that’s why I’m telling them that if somebody is sending as a source sync Flooding Attack how many packets? I will make them ten. By the way, ten is not normal. 2000 3000 is a normal it’s. Okay, so if somebody has a source IP is sending ten sync flooding like this one. I don’t know. And once you can understand how many sync look at I enable in so many packets. Stop input. Okay, so consider a Blocket same as TCP port scale. You know, we can use a port scan in map. There is a Zen map as well as a graphical Zen map, I think.

Zen map? Yeah, graphically. We call them Zen map. And normally as a command based, we call them Nmap. And let me scan the one. One 4150, which is our outside server. Intensive scan means in detail. So it will scan and whatever port they find out, they will tell you. Look at the scanning. They say port number 80 is open. Look at port three 30. What is three 30? I just told you there. I deliberately open. This is 33006. It’s open. They say my SQL port is open. 21 is open. 1114. They will show you all these port here in this attack. So you are collecting the data through scan. Look at one three nine is open. 80 port is open. Four four three is open. 3389 is open. 5060 is open. The other port I enable this application to open more port. This application so that I can give you a better idea. So all these port, this is called scaling a tape. Reconnect is a tape basically. So it means you are discovering so many ports. Now you can use this port to attach. Let me cancel this can. And I’m doing this. Can by the way, I am passing the firewall and scanning and getting the details from home.

So what the hell is this firewall? Why I’m using them this? So that’s why I told them TCP port scan. If somebody is doing ten picket per second, port scanning from the source Blocket same as TCP source session from the same source. Let me make them ten TCP destination hitting a destination IP. UDP flooding. There is UDP Flooding attack. The same is like a TCP attack. We have a UDP based attack. Let me make them ten UDP scan. You can do UDP scanning as well. UDP source, any value already? We already discusses the source. We change in UDP. Only ten. ICMP flooding attack. You can use a script. ICMP means Internet Control Message Protocol. Like a ping of death attack. We call them as well. If you sending huge packet and I already told you by the way, in so many forces, like if I ping. com, so it will ping. But if I increase the packet length, suppose 1024 again it will ping. But if I increase them to 5000 or 7000 packet, it will not start sorry, more it will not ping. By the way. Yeah, who is pinging? That means they don’t have protection. So let’s make them Google.

They have a protection and length of the file is supposed 20,000. It will stop working, it will not. This is called Ping of death attack. They say you want to test something. Either you want to bring me down to sending me a huge packet to test me why you are sending me a huge packet? So this is called Ping up there. And again you can use so many utility Linux. So this is called ICMP flooding attack. So I say if somebody is using sending, I make them ten either sweep. If somebody wants to try to make them ten source from one source, suppose ten and also is the one destination somebody is hitting. These four are related to the voice related. So we don’t have wise. So let me ignore this one SCTP, which is something I forgot the abbreviation for this one. If I mentioned here no, I did not mention here. Sctpie. Something protocol. Anyway, this is our related one. So my Dos policy is ready. You want to put any commands and you want to enable definitely we want to enable this policy. And okay, now my policy is ready, which will protect me from lane interface to going to all for all services and where we can verify, go to logs and report and go to anomalies should be here somewhere.

This one anomaly. So nothing is there right now. Because nobody does a take. Now we will do a take and let’s go to Kali Linux. And whatever we done before, what was this one attack and let’s do it now. You will see here some traffic. Look at it says severity is high. Somebody from one five, which is our Kali Linux protocol number six, which is TCP action is clear session. And the attack was TCP Sync Flooding attack. And yes, we were doing sync flooding attack. For scanning we use Zem server. Let me start scanning here again this IP. And let me this one. Now this time they say that somebody is doing TCP Sync Flooding IP is a one source. Somebody is trying from one source to so much count this we increase the count as this one and it will be Scan Israel. After a while the scan will also come here. TCP port scania has come up. Now somebody is trying to scan the port. And yes, we are trying to scan the port there’s. TCP Sync Flooding. TCP Port Scanning and TCP Sync Flooding.

Attack. And this way you can try so many attack which I mentioned here. Because I need to copy the code of Kalynnix. I don’t know this one like Zen map either. This one is the same thing, but this is command based and the other one is graphical. So it’s up to you. You want to use graphical. Either you want to use this one. So nmap o capital 150, which is our XP server. Again it will show you here this IP Source agent now so you can try this one as well. And you can verify from here. This one is to select the other UDP base as well. Just put SNP with NME. So if I put SNP sorry. S is not capital. So again you will see a new here. The last one is IP source session. You will see a new attack here. It’s not started yet. Okay, it started, but the reason is stopping by this attack the same thing because it’s interrelated. So they count them. This increase this one, look at this 461 it will be increased 969 now and four, so it’s interrelated to the other attack.

That’s why they stopped them. Otherwise they have one by one. You want to try? So I gave them here as an example. Just change like a far, UDP Sync Flooding Attack and so many you can use this command. And also I have a file as well. Because we use this in 40 gate as well by Pole also as well. I remember the same Dos policy if I go there to 40 gate and we have somewhere this Dosake. Yeah, because we test one by one in Paul Alto as well. So this is for TCP. Sync, flooding or take. Using HP for ICMP Flooding or Take, you have to use this command. So if I copy this one and go to Kali Linux Control L and paste them. But in our case, our IEP is one one 4150 and the source can be anything. It’s okay. So in this way we will see some other attack. Now look at ICMP Flooding Attack now. We can see now Control c the same is this is ICMP Flooding Attack. For UDP base you have to use this command either this to change the source. So anyway, let me do it. This one CTRL C and paste here and 1114 is this time go over this one. Okay, now you will see UDP based attack here.

This is UDP Flooding Control C and so on for each and everything. For port scanning you have to use this command. For how sweep. You have to use this command for TCP flooding. Again, you can use this command and so on. Anyway, I will share this file. Just copy and paste and change the IP, whatever your IP is. And you can test all the thing which we configure. UDP Flooding IP Source Session ICMP Flooding TCP Flooding TCP Sync Flooding TCP Source Session all has been verified here has been blocking by Dos policy which we configure dos policy here to protect our services from outside this one. So we tested one by one all these IP sources. Their destination is there sink, flooding, port scanning and all those stuff. If it is increasing the threshold ten again, threshold depend on your organization requirement, how much they want to say. And there is a default issue, which I told you is mentioned here. Normal environment, thousand picket per second. 2000 you can increase, you can decrease per your requirement. So this is IP four Dos Policy to protect such type of attack. And we see it scanning has been stopped by this way. Port scanning and all those stuff can be stopped using Dos Policy. Not only the name is Dos Policy, but everything coming under this Dos Policy.

48. Lecture-48:Network Address Translation Theory.

Topic is net. What is Net and 40 gate Firewall and how we can figure Net and FortiGate firewall. So net means network address translation. Network address translation means a translating network address. And network address is nothing but the IP address. OK, class ABC so when we translating from translating one IP to another IP, we call this mechanism Net. When we translate private IPS to public IP, we call this technique Network address Translation. So it can be from one private to another private, either from one public to another public, either from private to public. Most of the time you will see this type of thing from private to public to this concept. We call them network address translation. In all houses, whatever you have, you are using WiFi.

Maybe you are using WiFi as their cable, you are using Net. We call them modem. Those modem or router or switches, you can call them anything which is at home, deploy in your home, broadband, all of them, they are using Net to translate your private IPS to public. So in this way we can save the IP and we can hide our private IP and we can protect the inside devices due to Net. Like in my case, if I go there, I’m using cable, but I’m connected to my mode M. So inside of using private IPS, 192 168 whenever you see 192 168s private range is Vlog ten n class A private 192 168 n, class C private and 172 something 232. This is called class B private addresses. In most company you will see such type of setup. In every home you will see such type of IPS. So I’m using 87 IP. I have some server, iPhone, kids, iPad, my mobile phone, my wife mobile phone, all of them, they have a private IP, but all of them convert them to one IP. This is what our public IP is outside.

So in most cases, Net we are using to convert private IPS to public IPS. So inside I have 109 216878 IP, but this is not my actual IP when I go outside to the internet. So this is my IP. What is my IP address? It will show me my public IP. It’s better to use chicken. There is one website they will show you directly IP chicken or something, because I’m using IP addresses. So this is my public IP. So inside I have 18 system connected phone and laptop, server systems, desktop and outside I’m using one IP to reach all the world. Who the hell is doing this for me? This Net. Also, nobody can directly hit me because my inside IP is 192 one 6878, but they will hit my modem. So I’m protected due to net. So basically Net saving the IP, they’re translating one IP to another IP. In most cases they’re translating private IPS to public IPS and they protect your devices from directly hitting because we have limited IP, IP four and IP four we can only use class A, B and C we cannot use DDI’s multicast, we cannot use E dies for research purpose. Then in class A we cannot use 172 IP. Then we cannot use ten range, which is private range. Then in class B we cannot use 172 range.

Then in class C we cannot use 192 168 range. Then in class A we cannot use 169 range, which is a piper. And the whole world is connected to the Internet, so how they will get the IP? We don’t have that much IP. Billion and billion people are connected. So we are using the techniques to save the IP network address Translation and they have so many advantages. Yeah, it’s slow down the connection because it will be translated. It will take some time, but it’s okay. So when we are talking about network address translation so basically it translating one IP to another IP. So it means it’s working on layer three, because IP work on layer three. But there is another concept. We call them port address translation. And normally you will see both word net paid. They will say I configure NETpad support address translation paid a different thing and net is different thing. Here you have to modify layer three and layer four. Both means the port number will also work and port number is working on layer four. So you are jumping to two layer. So in port address translation we translate port as well. IP is already translated, but we convert port as well. So then we call them portrait translation. Then there is two main category of net source net and destination net.

If your sources change, so we call them source net. If the net change your source IP. So this type of net, we call them source net. If the net change your destination IP, so we call them destination net. Then if we come to FortiGate for one so there are two method to configure two method, two way, two techniques to configure net. I’m not talking about type of net. Two method to configure net. One is curl for wall policy net, which is in every policy you will find a net. We know this. And another one is central net. Normally we call them central SNET. So we can configure two way, the net and 48 firewall insert the policy and centralizedly, which we call them central net. And last time when we were doing Lab, we enable central net in one mode, do you remember? And policy and every policy I told you that we will discuss net. Now this is the day to discuss net and every policy there was a net concept and definitely then we will see two type of net.

So two type of net and firewall policy net and two type of net and central net. So it’s better to draw you the basic concept. So we have net. Forget about Palo Alto Farwell. Forget about Cisco SA firewall. Most of the student I have from two, three firewall like 10th and one of them here the far wall is totally different. Cisco SA I don’t know how many method I teach you in net, maybe twelve and 13 method was netted. They have different approach of net. Then we configure source and destination net and parallel to firewall. Now today we will discuss net and different way in FortiGate Firewall. So net is categorized in two main categories, source net and destination net. We know if the source has changed to source net. If the destination port and destination IP has changed to destination net, then source net can be configured in inside firewall policy.

In every policy we have net and if it is changed centrally, so we call them central net, then there will be no net inside the policy and the same case be in destination net, two way to configure, destination net inside the Firewall policy and centrally. Then source net can be configured three different way. Static net, dynamic net and central net. In the same case, destination net we configured in three different way, virtual IP, static virtual IP with services and virtual IP with port forwarding. But in sourcenet inside dynamic there are four methods to configure them. That’s the confusion part. Dynamic net can be configured for the source net. I’m talking about source net when we are changing the source IP. So dynamic net can be configured overload one to one fixed port range and port block education. And definitely central net is there, which is the third method to configure source net. And definitely destination net is also three way to configure.

So these are the just overview of net to configure. And we will do all these one by one. We will do central source net inside the policy. Then we will do source net centrally, but we will do source net. How many method? 123456, say one way, indirectly say one way, but it’s basically three way to configure. But in dynamic can be configured in four different method. And then we will do destination net with three different way. That’s the whole story. So this is called net. Most of the time we configure net with our inside user going to the internet most of the time, but it can be revert as well. Maybe you have some server in DMZ, so when the people from outside the user hitting your DMZ to XS, web server, email server, database server, then we need a destination net.

But when you are inside internal network user going to the outside. So this method we call them source net because source will be changed and outside IP will be used. So because source is changed we call them source net. But if the user is coming from outside to access your system, so it means source does not change, your destination will be changed, the Firewall IP will access the inside. So this we call them destination net inside the policy you saw this one here use outgoing interface address and using dynamic IP pool which I will show you. So outgoing interface means to use the public IP of the outside interface. So it’s basically paired, but we call them static net here in 40 gate for one.

And if you want to choose dynamic method, then it will show you four different method or load one to one fixed port and port block allocation inside the policy I’m talking about. But if you enable central net, which we can enable when you change from profile based to policy based, either you can enable directly as well, which we done in next generation firewall mode which we changed. So when you enable central net so in central net again, we have so many method to configure. Now coming to the source network address translation. As I told you, that SNET means source network address translation. When in net your source change either your source port exchange. So this type of net, we call them Source Net. And normally when you are private IP, just like in my case now I’m using Sourcenet inside I have IP this one. But when I want to access Facebook, my IP will be changed. I have 187, but when I access Facebook, facebook will see my public IP, not this IP. So Source is changing. So it means this is called Sourcenet. And if my port is also changed, also call Sourcenet.

It can be anything, it can be changed or IP either, it can be port. So I’m accessing Google. But Google don’t know about my this IP 87, they know only this IP what is my IP address which I show you IP chicken. So Google know this IP. This IP do communication to Google. Google responds to this IP, this IP give it to me. So this method, when we convert one IP to another, we call them net. And when the source is changed, we call them Source Net. But if somebody from outside want to access my inside system, this 87. So they will hit this IP and this IP will change the destination and will access me and will give it traffic to them. Then in that case we call them destination Net. Okay, so this is sourcenet. And normally you will see source Net. We are using destination net as well. But in most cases, in most organization, you will see this type source Net.

Then Source net can be overload. Source Net means to use one IP and everybody will use one IP. Just like in our home, like two IP which I show you my IP. So inside I have 18 system connected. They all are using only one IP to access the whole world. So this type of net, we call them overload, use one IP again and again. But in 40 gate firewall, one IP can support up to this type of number. 604161 IP can translate this much port number. So if you have so many people and they are going outside so if it is reached to 6416 session, I will say section session so that you can understand better. Because every session create a new port as well normally. So it will stop working if you say 60418. Because one IP can handle only this type of port. In most cases they are using outside interface.

So these are my inside PC 12345, just like my home. So when we are going so we are using two two IP here and they are doing communication and bringing back to give to them. So sources change, we call them Source Net and because we are using only one IP, so we call them overload Source Net they are just changing the port number same IP but changing the IP to distinguish them every packet. Another method for Source Net is Dynamic Source Net Institute suppose you have big organization where so many people so 60416 is not enough. So what you can do, you can use Dynamic Sourcenet instead of using one IP. What you can do in dynamic then you have so many method overload one to one fix port and port block allocation. So the first one is overload overload how many public IP range you want to use. The more you give the range, the more you multiply one IP. Suppose if you use two IP, before it was one IP only the exit interface so only this much was supported 60416. But this time you say no, I want to use two IP in one load you will type range.

Suppose two IPS or two IP means 60416 multiply by two if it is three IPSO three, so you have more choices, more people to connect. So this type we call them Dynamic Sourcenet overload another one is Dynamic Source Net onetoone we are still in the Source Net. Maybe you say no, I have only two people and two people want to go outside. So for that purpose you can use one to one to one net. Suppose if you have two inside internal IP, you need two public IPS. If you have three people and you have two IPS outside, so it will not work, one system will not work. So it’s like a mapping, static mapping and Cisco. So this type of net, we call them one to one mapping. Then there is Source Net fixed port range. You can fix the port number as well for specific IP. Then this IP can allowed up to date much port number. If one IP increase this port number, we will not give them any more connection.

So we can use for that purpose fixed port range. And the last method for the sourcenet we can use port block allocation. You can allocate the port block neuro block that. Suppose you have block size of 128 and eight user multiply them. I multiply somewhere because they have a huge farm on such type of thing, this one suppose total you give them block size 128, so that’s the support here, you know, their support can up to one IP can support 60416. So multiply by 128. So it means block size is four, seven, two and per user you can say that block per user can how much they can support. Suppose you say eight, so multiply by this one and divide this one by 128 by single one IP range which I told you. So 478 came from here and 1024. So this is your maximum size. When we do practical I will show you, but that’s the way it will work. Then we have a new concept which is called central net. Instead inside the policy, all these things we can do inside the policy, you can do it centrally from centralized location instead of going every policy and do net, net, net again and again in every policy. So if you have 100 policy, 100 times you have to repeat the concept. So there is a new way which we call it central SNET.

Central means central and S means secure network address translation. So in central net all the control will be with SNET centrally you can configure the policies there and it will check from top to bottom like a policy rules and just create it once it will be checked from top to bottom like a policy. And with the head is coming, it will check all the netted rule. When it is checked it will go there and this is a good way to do it. But central net is disabled by default, you have to enable it when you go to setting system setting and here you can enable central net which I showed you last time it was not enable. So this is another way to configure net. And the same way we can configure destination net as well. But destination net is different. Now the user will come from outside and will access our inside and from. So this type of thing we call them destination. Now the destination will be changed either the destination port will be changed either in the header destination will be changed. So now from users from the public network they will hit our inside server and DMG or maybe in our inside. So for destination net 40 gate is using the concept of virtual IP. Virtual IP is nothing, just the concept of destination net. So when we come to virtual net, so virtual net is nothing but a virtual addresses. So when the people heading from outside so they will assign IP from this pool, from this virtual IPS and how many we can configure. Okay, I did not mention here one to one and port forwarding which I told you here, this one, this one and destination net we can configure virtual IP with static means one to one. Virtual IP with services means with port number 2322-2225. This port number and port forwarding to forward from one port to another port. So you can configure destination net with three different ways. So if a user came from outside, they will get the same from this Ranger static IP to convert them and they will give the packet and the packet will be translated again and will return. But you can give them by specific source like a ten net and maybe he hit from outside 23, but it will be translated to our port forwarding to 23 23 maybe either they can access your services with 22 22, but inside it will be translated and port forwarding to 22. So this type of thing we call them virtual IP with port forwarding. Okay, so these are the favoritical thing of net.

• Category: Uncategorized