NSE4_FGT-6.4 Fortinet NSE 4 – FortiOS 6.4 – FortiGate Firewall V6.4 Part 8

43. Lecture-43:FortiGate Firewall NGFW Modes.

To next generation firewall mode. So 40 gate firewall as a next generation firewall can be deployed in two different mode as a next generation firewall mode, not as an inspection mode. And those two are profile based and policy based. The one which we discussed was flow based and proxy based. That was inspection mode. This is the mode of next generation. How we can deploy them not to check the policy in which mode. So two of them is one is profile based and the other one is policy based.

So what is profile base? If you deploy 40 gate firewall and profile based next generation firewall mode, so you have to attach all the profile here. Security profile has to be attached later. It means you create and here you attach them to locate guide when somebody is coming from, when to land and source is anything. Destination is anything. Always when you check out these things, please also check that file for antivirus, for web filtering, for DNS, for application control, for IPS, per filter and email filter and take deep inspection certificate and check them inside whatever they have and generate logs for meat that I can see.

So it means I have to create a policy. Then I have to let her attach the profile one by one. Why? Because I’m using profile base means profile has to be attached to the policy. Also another thing, in profile base, net is enabled in every policy. This is the one policy I created. Okay, let me go to another one again. There is a netting in this policy net is enabled that if any come from inside to outside, netted them. If I create a third policy again, I have to create enable net again. So in every policy you have to find out netted. Net we will do in next class.

So in every firewall policy you will find net again and again. Netted, netted, netted, netted, netted and every policy you have to attach security profile, security profile, security profile. Suppose this time I’m going from lane to DMZ. So I will say if somebody coming from lane, going to DMZ, source from lane is anything. Suppose and going to destination DMZ, anything all the time for all services except them. Inspection mode, I already told you.

Now we are talking about next generation firewall mode. So net them if you don’t want, disable them and check for antivirus, check for web filter, check for DNS, for IPS, file filter. I don’t have file filter and email filter we have, I think so we’ve done it. Yeah. And apply ulceration and done. So it means in every policy I have to attach all these profiles separately.

Here, then here, then here and also in all these three rules, net is already in every policy, not a centralized net, sir. But what is the use of this net if we are not making any net statement? I suppose like a lane to DMZ, maybe in that case you don’t need we will discuss this in that but I’m just telling you of disadvantages otherwise we will disable this net in real when we go to that part.

So this is called profile based and also the name suggests that in every policy you have to attach your antivirus, your wave filtering, your IPS, your every profile to the policy and also you have to enable source net enabled policy if required just like Chandana. So if required I will say like this and maybe it will give you unexpected result. So this is called profile based. Okay this is done. Now we know profile base, do we have any alternative? So that is called policy based net generation firewall. So what is the advantages? Rather than to attach net and every policy we can create central net either source net with separately rather than to attach in every policy one time creation in a centralized location. This is the first advantages. Second thing, I don’t need to attach all the profile again and again profile can be called inside the policy directly rather than to attach them.

And you can control single application through policy based as well and that 1 may have to create you know here suppose if I want to control any traffic so first I have to create web filter there which I recreated last time then I have to attach here, then it will start work. Do you have anything that I can call directly the application? Yes, then you can use policy based mode. I can control single application, I can control multiple application. I will call the application inside the policy which I will show you right now. Just give me two minutes after theoretically also through policy based we can control port hopping attack either port violation attack, we can control that one as well. This is also an advantage of policy base.

We can control services application URL it means URL will be called inside the policy rather than to attach them here we are teaching you now let’s change them so you will see the difference how we can change the mode? Next generation firewall mode, not inspection mode. I’m repeating again. So go to system, click on setting and go down. You will find here system operation setting say which next generation firewall mode you need profile based on policy based.

So I told you by default this is a profile based. The green one means selected one but no, I say no, I need a policy. But before applying the policy it will delete all the policies and it will bring to the central net. It will enable central Snat as well in real involvement how it operates profile based or policy based? Most of the time we are using policy based because three four guys are working also in a company we can ask them later on which mode they are using. Maybe they will share their experiences with in our infrastructure. We are using policy based. Okay sir but it depends again on requirement of organization.

So policy based now I need to convert. But you will know you will lose all the policy. So you can take your breakup. Suppose if you don’t need either for some reason so all these things will be deleted. But before removing let me show you. You see all the profile are here. Keep in mind in net is here inside the policy. So let me take a bitter to take a snapshot. So when it’s changed so that I can show you the difference. So let me go to paint. Okay print screen in here for some reason it’s not working. Let me take a Snipping tool. So let me take this one.

It’s enough for us to now let’s go to system and change the mode setting and go back and change next generation for one to policy base and apply now it’s give you the warning. Whatever I say that we will bring everything to Snat will be enabled and all the policy will be removed. So we know that you will remove them. So whenever you’re converting from one to the other. So keep in mind all the policy will be removed. If you go to policy and security policy again nothing is there as we expected because this is the default one already there but everything is deleted now you will see the difference.

So we have the same name lane to when there is no such difference coming lane and going to when sources we done is in the last board as well. Destination is all. She devil is all. Yes services is here now it’s default either specify and also application it was not here. Okay. I didn’t snapshot of the up one. So application is now here directly in the policy and URL criticism is also here directly rather than as a profile wattage.

So from here they remove something antivirus is there with filter DNS is not there. Application control was before it was shifted here. It’s been here now IPS is here. File filter and email filter is ripped. But this one web is here now URL category. They give them URL category now an application is being changed from here to here now. And also services is called there directly more control. So this is called policy based mode. Next generation we change the mode of 40 gate to work as a policy mode. Now let me all session also. Yes the other thing net isn’t it is there before net was there? No, net is here now in the policy instead of this the same policy I’m creating.

But I cannot see the net now which was before like this one. Because central net is enabled here now look it before it was not here. Now I will create a net separately rather than to call enabled policy one change and yes another thing I left SSL inspection. It was under profile now it’s not more any there, it’s here now SSL inspection and authentication, it’s been separated these two tables being aided now before it was not there, application control was used to be attached. Now it’s directly here inside the policy width filter was used to be attached separately. Now it’s there and we have a control of services. I will give you one layer of services. What does that mean by default and specify and also SSL inspection is here now. What was net was called in every policy now is being separated and came as a central snate.

These are the difference between next generation for wall mode, profile base and policy mode. Now I will say I need to allow Facebook. Type Facebook here. Suppose I choose Facebook application only. So this policy will only allow Facebook either. You can deny it’s up to you URL category. You can type URL category like gaming, dating either we normally know social media, so let me go to social media. We have somewhere either web hosting, social media so it’s better to search it social networking so you can choose that one as well inside the policy now rather than to attach them. Yeah, still we have something to attach but we have controls here.

Now the policy has been different, the mode has been different. How we know now I need to create a central net. I will give you one layer but I’m just showing you so now rather than to insert a net to create there, we have to create separately net here. So this is called policy based mode and policy based mode. Okay, should I then either we need to start the labia slave then so this is the two mode and how we can change again. If you want, go to system setting. Suppose you want for some reason, but you have to take backup, otherwise you will lose everything. You can click on this one profile based and central net will be disabled automatically. When you click central net is enabled. When you profile base it will be disabled. Okay. And when you click so I don’t want to do because I want to give you one lamb and policy base either two three layers that’s exactly theoretical part of the next generation firewall mode.

44. Lecture-44:Policy-Based Mode to Block Facebook App.

So let’s do policy based mode and block a Facebook either any other website is up to you. But using policy based mode can we do such thing that we want to block Facebook only? So in policy based mode is so simple to block them our target is to block a Facebook so that nobody from inside go to Facebook. How we can do it? So let’s go to policy and object security policy. Let me delete this one. So we have only deny which can deny everything implicit deny which we cannot delete neither we can do most of the changes. So first let’s create a policy to deny Facebook deny Facebook. Okay incoming interface the traffic will come from our lane. They want to go to vein source from inside it can be any IP and they want to go we can put a Facebook as well. Anyway, I would say destination is all all the time they will go any application here I will type Facebook and such so choose a Facebook multiple. You can choose Facebook any application I want to deny I think so that’s the only thing we have you can like this is for messenger this one is the button, these are the chat room. There are the things you can allow Facebook and deny the videos and also the workplace and so many things you can do it. But anyway just to show you I want to deny them. This is policy based mode.

If it is the old method then I have to create a profile first. Then I have to come here and attach here. Now I’m cutting directly this the beauty a policy mode. So Lane, Wayne and Rather in action to accept I want to deny end log violation. Log violation traffic. If somebody violated this rule, generate a log so that we can see logs means this is logs and enable this policy and don’t need up comments if you want to put up comments and okay, so my rule is ready, which will deny any Facebook related application. This application and this the action is denied. But what about the other traffic? So let’s create a new policy and allow everything traffic will come from land, they will go to land. Source can be anything, destination can be anything. It will go always application will be anything. So let’s just leave it and URL will be anything in action will accept and we don’t want to attach any profile. We will do protocol option later. So forget about this one in logs we want to generate our session that we can see comments and we want to enable this policy and okay so we created two policy.

Now the question is deny has to be on the top because I told you in policy it’s checking from top to bottom. So first it will check anybody going anywhere. If the application is Facebook, deny if it is not Facebook, it will jump to the last one it will accept. So beside Facebook everything will be accessible. So our policy is ready. Do you think it’s enough? No, because we need to create a central net. Before it was used to be called inside. Now I need something. So I will. Come here. So forget about net. We will do and detail the net. So I will create a central net and I will say if any traffic coming from lane and they are going to win. And source is anything destination is anything netted them. Use the outside interface. What is our outside interface?

I need to go to network and the exit interface. Just use network. We will do net in detail like what is any, what is TCP UDP and use dynamic. But right now I say use the outside interface and netted them port mapping. We will do again and netting in more detail. Commits and enable. So my net policy is created. No need to create again and again in every policy. One time is NFRS if anything coming from lane and going to lane let me check our DNS as well. Just for the safe side, we configure them before what has to be verified. It’s okay. And check the static route.

So we have a route to go outside. And let me show you my interface. The netted interface. I told them anything coming from 192, 116, 100, translate them to 11413. So we created net. Now let’s test them. So from inside I have an XP. So this is the NSI XP system IP config which is 1921-6812 and 100 is my inside. This 1100 is my inside. So this become like a gateway for me. How we can test them? So open any browser and let’s browse the Facebook first and then any other website. So if we go to Facebook and the other way, let’s go to LinkedIn. So LinkedIn we did not block it will follow the second rule and it will open. So LinkedIn is open if I go to Instagram, so it has to be open and if I go to Twitter it will work. So Twitter is working, LinkedIn is working, instagram will work but if I click on a Facebook so it’s not working. It has to show me the banner but unfortunately it will not reachable. But anyway we can verify, don’t worry. So I say the site cannot be reached. It’s okay but LinkedIn is reachable. This one Instagram will be reachable and Twitter is reachable. How we can verify? So go to Logs and report. Go to Vlog application inside the policy.

So click on application control. Look at it, say that these two has been passed. What is the Facebook? So Twitter has passed this. The Facebook today is 29 is the time. This one 1 minute before they blocked Facebook. And we click on detail. Okay. So it will say social media Facebook and we have a policy inside. So they block them because we call them inside their policy. So everything is passed, but Facebook is blog. Twitter is passed this one and also we can see from forwarding traffic as well. Forwarding traffic LinkedIn should be Facebook somewhere. Okay, so here it’s not coming up here by the way, it will show you deny here and forwarding traffic as well for some reason it still may be some take some time either. But you can verify. Yes, come up now just have to refresh. So it’s a Facebook deny policy violation if you want to check the policy violation.

Okay, so you can see more detail. Here is the more detail. So that’s being denied from forwarding traffic and also from top there is so many other options to verify and if you say that it is blocked by that policy, you can verify from here if you are not sure. So let’s go to dashboard and there is a policy which policy deny them. So we have only two policies allow everything. Okay? And the other one is block Facebook. So you can see the station is for all traffic, Facebook station and everything station. This first session not related to that by the way, just to show you.

Okay, so let me see if I missed something. So what we’ve done basically we create and we deny Facebook and we create a net policy because we need net from land to land and we verify go to BBC and a website, it will be accessible. But when you go to Facebook it will be blog and the traffic can be seen from logs and report application control either web filter, you can see from there as well. Okay, that’s it. So we created this policy using policy based mode and if you go to security policy, see, so now we are using OSC based mode. It’s different. Everything is changed now. Before it was made here and everything now application is here, services is here, URL category is inside rather than to attach nothing is there. Okay, that’s done.

• Category: Uncategorized