NSE4_FGT-6.4 Fortinet NSE 4 – FortiOS 6.4 – FortiGate Firewall V6.4 Part 7

41. Lecture-41:Security Profile File Filter.

Security profile is file filter is the name suggest to filter the file. Okay. There is no by default you can create your own. You can edit, clone and delete and search the same name. Commence and reference. So click on create give them suppose file filter. Okay. And this is scanned account five contents. You know the zip file, it will scan those as well. Features that we may want to discuss. This one. So leave it. This one. These are the rule to create, create new. And I told you, this is the common internet file systems and Fathom F 43 SMTP. I told you already in web filter. So just give them any name. Suppose MBC and traffic either incoming or outgoing or both.

So I say both traffic. Okay. Password protective, file type. These are the file type to stop them. Like a seven zip archive. Suppose you say that XD file is there or not. So let’s choose like jpg I want to stop this. BMP is also the picture one. Okay. Just need to see any exe file here. Zip tar file is also zip file. Suppose PDF as well. So these are the different dissonancy file type to block them. Action. These file type will be blocked. I don’t think so. We can enable from there. We have to go there somewhere to enable it. Let me see if it is here or not. Otherwise for this one we have to allow. Yes, here. So let me remove IPS and choose our file. This one. Because we want to test separately. This one. Okay, so now I say block those file which was the file name.

So let’s go back to security profile. Just 1 minute. This one I need to test the file which we block. Exe PDF is also there. Okay. So now let’s go to any PDF file, sample PDF, anything sample PDF. Let me search any PDF file to test them. Okay. And advance. My goodness. Let’s go back to this one, the other browser. And let me go to Google. com. Okay. And let me search any PDF either image even we block the images as well. Okay. So let’s try sample PDF. I just need any PDF file either image, either exe. I can download any link by the way. Okay, so yes, this is PDF. Let’s see, they can stop me or not. By the way, it is to stop me from downloading. Because I told them that these files are not allowed to download PDF, XZ images, BMP images, jpg, JP, GIF so many thing I give them.

So you can control the file as well through security profile. The file which you don’t need either you want to stop them. Okay. And even if you say exe file, it will be stopped. And how to check them if we go to logs and there is file filter. So look at it, say PDF it has been blocked because I was accessing this PDF. You know adu image default sample PDF so sample PDF is blocked because fault type was this one. And action is being blocked in such way you can block any images in everything whatever we mentioned here. So you can control everything. So let me go to security profile file filter and these are our file filter six things we deny exe, g, zip, PDF, tar and zip. So if you try to download this file, it will block you and you can see the result from here if you go to file filter and it will show you the result. So this PDF has been blocked. Okay, that said.

42. Lecture-42:FortiGate Firewall Inspection Mode.

First we will do inspection mode. What is inspection mode? Inspection means checking, examining something. We call them inspection. Normally we say inspect this thing is okay or not. So when we examine something, are we checking verify something. We call them inspection and 40 gate firewall. We have also inspection mode. Two type of mode we have and you know I told you I will show you later. If we go to policy and object firewall policy and old firewall. You will say I to a four policy. It’s here I say firewall policy. If I say create new, there is I left this one. I told you I will show you inspection mode. So when we configuring any policy suppose lane to when incoming interface is the lane my inside. It will go to when suppose and source is anything. Destination is anything. Schedule is all the time service is anything action. I want to allow this policy rather than deny. So after that you will find out. Inspection mode is it flow based either proxy based. So to examine something. Because this policy will examine and test something when coming from lane to win and going to win. So there are two possibilities. Flow based which is by default normally you will find out this one, flow base. So what is flow based? Flow base is basically taking a snapshot of the content.

So whatever is coming in this case from lane to when it will check them fast, it means faster response. It will give. If you are using flow based it requires low resources and check each packet which is send and receive. It means it will not wait for the whole packet to examine. But whatever is coming it will check in forward. Check in forward anything coming in small chunk. So it means it’s not waiting for the whole packet to come and examine and then forward. No. So we call them flow based. It means packet. By packet checking you can say so definite will be faster as compared to the other one. It’s required less CPU and Ram. Definitely if it is like anything coming it will check and process. Or definite rates require less CPU and Ram and definite rate will be faster as compared to the proxy one. But there is a chances that it will not check each and everything means false positive and false negative chances. Why? If somebody send a packet with viruses and any spyware and packet means separately. So it will not understand them. Because you divide them and send the viruses. So it will check the first packet. It will say the virus is a small divided them.

So it will say it’s okay this packet because the whole virus. Then they can understand that yeah this is a virus. So there is a chances of error which we call them false positive either false negative. So this is flow based but it depends on your environment, which environment you are using and which you want to utilize, in which you want to choose from these two. How you want to examine the packet which is coming from one zone and going to another zone from one interface and going to another zone. Which technique you want to use? You need a flow base either you need a proxy base. If you have an environment like this. Suppose you have an application server in DMZ, but you need a faster response to the user. Just given one example, there can be so many example. So if you are using flow based so the response will be faster. Because the first picket commit will check and forward to application server and return will go forward quickly rather than the user wait for a packet to examine the whole thing and then forward to the application server that yes we check everything is clear and take it. So picket by picket, it will check and forward them.

So this mode is called flow based mode which you can find here. Inspection mode. Flow based. Sir, I have one question. Suppose we have applied one policy and we applied the profiles also. Some profile like antivirus and traffic is coming from outside towards our DMG server. So that time inspection will happen for the antivirus profile also. Yes, because it’s checking all the things from here to end. Security profile is different thing which we can attach to this policy. Check the traffic from lane to when. Suppose it can be from when to lane as well as you say. Yes. So from when to lane the traffic is coming, source is anything, destination is maybe in our DMZ we can give them a range which I will show you today. How we can configure time. If you want to put a time interval data, this time only the services will be available. Which services? You can put this specific services as well. Http, https either FTP or email. Whatever you have in action, you want to accept them. But inspection mode you want to allow flow based. So it means, it doesn’t mean that this flow base will check fully that the traffic is from when to let know. Anything you apply is a security profile. It will take like this. So if somebody send the viruses in part, so definitely a device will not recognize them. You are a Ndirus profile here, so it will say okay just part by part it’s checking. So there is a chance that the viruses can come to your infra just like maybe in your DMZ, but it’s faster.

As I say, this is the only thing advantage is a flow based file. No, let me tell you because we have other option as well. Today it will clear to you how it is working because we will discuss so many more. One of them is inspection mode. So now it’s checking every packet by packet, everything, anything and security profile, it will check by step by step. As well. If you are using inspection mode like Flowbase, the only advantage I can see is faster and require less resources and response time will be quicker. And I give an example application server, which is not more danger. And you put the flowbased so a net user can quickly access this one and they can forward the traffic and that’s it. Now coming to the other inspection mode which is a proxy based mode as the name also suggests it’s like a proxy between the two zone or interfaces.

What they will do, they will say no, you cannot go individually, just wait here, let me search you for each and everything I will take time but I want to check you so it’s slower than the other one flow based but when the whole packet reach it will examine the each and everything. When everything is clear as a whole they will process them it’s okay, now you can go. Also in this way, they will know. And you know, last time when we were doing so many profile so normally, sometime I can see the banner and sometime it was not showing me the banner because we were using profile base. Sorry? Flow based. So in flow based sometime the banner was not showing. They consider them a negative. So they say sometimes. We did not get properly, by the way, to summarize them in flow based normally, I did not receive the banner on time because it was checking packet by packet. Sometime they missed them. But in proxy base, if I make them proxy based and test each and everything which we had done last time antivirus. And all those profile test time it will show you the banner each and every time because they are checking and later then they take a decision rather than to come and go basis.

So in proxy based inspection mode they will examine the whole packet and then they will forward them so that’s why it will show the and will generate error page properly which was not showing us last time. Most of the time we did not receive the banner and that’s why I’ve done it again and again I show you the banner also in these two mode some feature is missing in one mode and some feature is missing in the other mode it’s also a possibility so then where we can use a proxy based mode? If data leak prevention either you have sensitive data you don’t care about the speed but you care about the data then use proxy based mode suppose you have internal email server either you have something external either internal and DLC. Whatever. It can be anything.

But you are more worried about your email server that nobody can attach and no virus can come inside by any chance then make your inspection mode to proxy base. Yes user will get some slowness as compared to the flow base, but it will examine each and everything by antivirus email filtering. IPS IDs whatever we study last time, each and everything will be checked one by one. And then they will say, okay, now you are clean. You can go. Also data leak prevention. We have also that one to check for any data not to go outside to your environment sensitive data. So in that case, it’s better to use proxy. Based mode. So this is the only difference between these two. And how we can do it is so simple. Okay? You can create one policy separately and another one like inspection mode, flow based. Another policy proxy base is up to you. Like from when to lane, I make them proxy based. Proxy based? And it’s okay. I’ll session if you want to record an okay. Done. Maybe you are thinking that can I create another policy separately? In. Another yes now I want to create len to suppose because I give them the same name here lend to win sorry lend to when source can be anything destination can be anything just for this purpose it will be and this time I want to say Flow Base.

I want to record all the station whatever is going and okay. Did I leave something? Yes okay, so one policy is flow based and the other is proxy based you can do it in such ways as well, it’s up to you and it depends on your environment and topology and maybe your requirement, company requirement, there is nothing to do more that’s the only thing, flow based and proxy based and you can just enable and disable them and you will feel the difference when you are accessing some services so there is no such protocol that I can show you.

The only thing is flow based will be a bit faster and proxy based will be in this case it will be same because we are using virtual environment if I test something so I cannot feel the changes so that’s why I cannot show you anything but just to tell you so flow base is packet by packet and also is taking a snapshot and when picket is coming, examine and test and forward and proxy base will examine the whole thing then it will forward and it will follow all the things some feature can be disabled, some like some security profile may be available here but it may not be available in flow based although I will share with you this is also another difference between these two, I think. So there is no such thing.

• Category: Uncategorized