FortiEMS | FortiGate | Security Fabric Integration | FortiClient Host Compliance | Zero Tagging

Captions
Good morning, welcome to the Network 360 channel. In this video we are going to cover Security Fabric integration between FortiClient and FortiGate. Our main agenda is to restrict network access based on AD domain membership using FortiClient: based on the domain membership, we want to restrict the user traffic in the policies using FortiClient and FortiEMS. This feature we can utilize not only for domain membership, we have a lot of options, I'll go through that, and we can restrict on-premises clients as well as VPN clients. If you want to restrict VPN clients to only those connected using domain membership, or only the specified domain laptops, we can create the rules based on that. Okay, we will go through the detailed steps.

Infrastructure devices: we are going to use a perimeter firewall on premises, we are using old FortiGate 5.2 firmware, and in Azure cloud we will use the firewall with 6.4.6. FortiEMS 6.4.2 is in the on-premises infrastructure, one FortiClient is on premises, and the FortiClient is version 6.4. All the configuration on premises and in the cloud we will do, but we will mainly focus on the integration part. Between the on-premises FortiGate and the Azure cloud FortiGate we already built an IPsec tunnel, and from local to cloud and cloud to local all traffic is allowed.

The video is covered mainly in six steps. For the integration between FortiClient and FortiGate we are using the host tagging feature, or zero trust feature, to get IP addresses dynamically from FortiEMS to FortiGate, and that dynamic IP address we will utilize in the firewall policy. We divided the whole process into six steps. The first step is certificates: we have to establish secure connectivity between the FortiGate and FortiEMS. We have the options: we can use Microsoft Certificate Server, it's freely available, you can download the services in the Microsoft server and utilize it, or we can use OpenSSL. Sorry, Microsoft Certificate Server is not free, but most infrastructures have a Microsoft environment, you can activate that service and utilize it. In this video I'm going to use OpenSSL. OpenSSL is the same software, same function: we can create, delete and manage all the certificates, and OpenSSL is built in with FortiEMS. I already created the server and CA certificates: the server certificate for the EMS, and the CA certificate for the EMS server as well as the FortiGate. If you want to know more about how to create certificates using OpenSSL and how to get the certificate into the FortiGate, please do comment, I'm happy to do the same in another video. Okay. This certificate we can use for SSL deep inspection, or SSH deep inspection, or our VPN termination (SSL VPN); the client certificate also we can use, but for that we have to create the client certificate. Okay, we will go to the video and do the walkthrough step by step.

In my infrastructure I am using Hyper-V and on premises. Okay, this is my cloud firewall, this is my FortiEMS. The first step: we have to use our created certificates on both the FortiGate and the FortiEMS. The certificate location in the EMS server is the install folder, Program Files\Fortinet\FortiClient EMS\Apache; it's an Apache server actually, FortiClient EMS is Apache inside. Inside the bin folder you can see the OpenSSL software. Using OpenSSL we created the certificates, we created a CA certificate and the server certificate, we already created them. So this is the location: Program Files\Fortinet\FortiClient EMS\Apache\bin.

In the EMS, go to System Settings and EMS Settings. Normally we will create the server certificate based on the custom hostname. In my case I am not using the hostname, I am using the IP address as the custom hostname, and based on the custom hostname I created the SSL server certificate. In the production environment, normally here it will be the custom hostname from the DNS server, like ems.lab.local or whatever; it's a public DNS server or an internal DNS server, and based on whichever is used you can set a custom hostname, and the subject name of the certificate should be this one, the fully qualified hostname. Okay, we will go to the SSL certificate. The certificate is not imported here; we have to use a PFX certificate, so C:\Program Files\Fortinet\FortiClient EMS\Apache24\bin, this is the file. So this is the PFX, you can see the information. Once we created the PFX we should have the password; test, okay, so the certificate is okay, save. "The server will need to restart for changes to the following", okay, yes. Meanwhile, what we are going to do: we have the CA certificate, and we have to import it into the EMS server. The steps are here: go to Computer account, Finish, open the certificate store because it's a Windows machine, Third-Party Root Certification Authorities, Certificates; here we are going to import from the same bin folder. Okay, we're going to select all files, and I created it as a PEM file, the lab CA root PEM file. Then we can see lab CA, we can see the details, lab CA and labca.local, this is the subject. Okay, done, so the CA is imported and the PFX is imported into our EMS server. Once you go back we can see the PFX is updated, and the expiry; it's a one-year certificate.

Once this part is done, the next step is we have to import the CA certificate in the FortiGate: file upload, we can use the same file, csr lab.local, okay, this is the one. So now the first part is done: we imported the certificate in the FortiGate as well as in the FortiClient EMS Apache server and in the EMS server, sorry, as a trusted root certificate, the lab root certificate, that particular root certificate in the FortiGate, and the server certificate inside the FortiClient EMS server.

Next step: we will create the Security Fabric on the FortiGate firewall. Fabric Connectors, Create New, EMS; my local IP, lab.local, normally this field will be the name, in my case I am using the IP, 191681 dot 2; 10.0.1.4 is our Azure firewall. From the Azure firewall to the on-premises FortiEMS we are doing the fabric integration. We have to do one more step here, because we have to go to the CLI and specify the source IP, 10.0.1.4, because I am using the FortiGate firewall in the cloud, so the source IP we have to specify. If in your premises the server and the FortiGate are on the same premises then I don't think it's required. So we got it; it will be red because I know it will fail. In order to do that, we have to go to the CLI: config endpoint-control fctems, edit the EMS; we can see this is our Security Fabric connection, and I'm going to specify 10.0.1.4. Okay, we will see. So we specified the source IP; double click, so the connection should be, yeah, once the connection is okay, "FortiGate is not authorized", so we have to authorize it in the FortiClient EMS. From here also the certificate is not accepted yet, okay, we will see. We are getting some certificate error, we will see, authorization is required. So in order to get the authorization we have to go and log in to the FortiEMS. Okay, this is the serial number of our FortiGate and the IP; the rest we will check here. Okay, we got the certificate; this is the one, the server certificate which we imported in the EMS, lab.local, these are the details, and we already uploaded the CA in our FortiGate. Accept, okay, done, the certificate is authorized. Now it's the communication part; that's also done. Okay, done, so the Security Fabric integration is done, we should see the green sign. Okay, we are good to go.

Now on the FortiClient EMS, the second part is also done. Now we can verify the zero trust; before it was host tags, now it is zero trust tags. If you go to, oh my god, you can see, okay, Zero Trust Monitor, nothing is here. Okay, we will do it one more time, sign out and sign in. We have only one client, which is AD based. Okay, so we'll go to 6.4.

The next step, step number three, is compliance verification. We will go to Zero Trust Tags, Zero Trust Tag Rules; here we will create the tag rules, and based on the tag rules the dynamic object will be updated in the FortiGate, and that dynamic object we can utilize in the firewall policy. There are a lot of options available; we will walk through. First, the rule applies only to FortiClient version 6.2.1 and above, so the FortiClient version should be 6.2 and above. Name: domain lab.local, okay, I created lab.local, and here are the rules. Here we have a lot of options: Windows, Mac, Linux, iOS, Android. In Windows, because we have the Windows client, I am going to do "Logged in domain" lab.local; save. We created the rule. If we want, AD group based we can use; mainly AD group based we will use for the users, you know, they're using the SSL VPNs and we want to control the devices, the laptop or desktop which is provided by the organization, and that we can do from here itself. There are a lot of options, same steps. Okay, so lab.local we created. Now we will go to the monitor; we can see or not, okay, no, not yet tagged, we don't have it. So what we will do, we will go to that machine and do it one more time, because lab.local is in my Hyper-V. After the Security Fabric integration we have to wait for some time, because in my setup it is a lab setup. So it's one virtual machine, a Windows 10 endpoint, and Administrator, and the details, everything we got, and we did the tagging of lab.local.

The same tagging information and dynamic object we will get here in the addresses: dynamic addresses Critical, High, Low, Medium and the lab.local we created; all the others are created too, and we can see the resolved IP address. Normally we will get the resolved IP address here; in my case I am using the lab setup which has some limitations, so that's why we are not getting the IP address; in the real world you will get the IP address properly. We can verify using the diagnose command in the firewall, diagnose firewall dynamic list; we can see the list, so lab.local is already there. Now we can see how we are getting the FortiCloud, the same way we can see it here, our lab.local address. So once we got it we can create the policies with lab.local. The same way you can do it for the SSL VPN also; for SSL VPN you have to create one for the user group and one for the address list. So the address list you can call, you know, if you are creating your AD group based tagging then you can call it in the policy, you can create the group based source; then when the user is connecting from home or from outside using his assigned laptop, then only he will get access, because we are controlling the AD membership of the device, not the user. Normally SSL VPN is based on the user; if you want to do the restriction at the device level, we can utilize the tag feature of the EMS and create the policies. It's the same like all the policies. In production you can see here the IPs; in my lab setup I have some limitations, so that's why we are not able to see them.

So we are concluding: we did the Security Fabric integration between FortiClient and FortiGate, and dynamically we will get the details of the endpoints in the FortiGate; based on those details, that is the tag feature, we are creating the policy. The same feature we can utilize for FortiNAC also; for FortiNAC we will do the same tagging, instead of FortiClient, because that is a different part; for the NAC also it is the same way, dynamic tagging and the tag rules we can create. So we are concluding, thank you for watching. If you want more videos about the mentioned features or FortiNAC, you can do comments, I will create the video. Thank you for watching, thank you for your time, bye.
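An added FortiOS CLI example, not from the video, of the FortiGate side of the steps above: the EMS fabric connector with the source-ip override the speaker sets for the Azure FortiGate, the diagnose check for the learned dynamic address, and a LAN policy plus an SSL VPN policy that use the EMS tag address as the source instead of a static subnet. The connector name "ems-lab", the interface names, the user group "vpn-users" and the placeholder EMS address are assumptions; 10.0.1.4 and the lab.local tag come from the video, and the dynamic address object should be referenced by the exact name your FortiGate shows under Policy & Objects > Addresses.

```fortios
# Added example (not the video's own config). Quoted names are assumptions;
# EMS_IP_PLACEHOLDER must be replaced with the on-premises EMS address.

# Step 2: EMS fabric connector. set source-ip is the CLI-only step the video
# adds because this FortiGate sits in Azure (10.0.1.4) and reaches the
# on-premises EMS across the IPsec tunnel; omit it when both are on one LAN.
config endpoint-control fctems
    edit "ems-lab"
        set server "EMS_IP_PLACEHOLDER"
        set source-ip 10.0.1.4
    next
end

# Step 4: once EMS authorizes the FortiGate and the "Logged in domain" tag rule
# exists, the FortiGate learns a dynamic address for the tag. Confirm that it
# resolves to endpoint IPs before relying on it in policy:
#   diagnose firewall dynamic list

# Step 5: LAN policy that only admits endpoints currently tagged lab.local.
# A host that is not domain-joined, or not running FortiClient registered to
# EMS, never appears in the dynamic address and so never matches this policy.
config firewall policy
    edit 0
        set name "lab-domain-members-out"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "lab.local"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # SSL VPN variant: the user group and the device tag must both match, so a
    # valid user logging in from an unmanaged laptop still gets no access.
    edit 0
        set name "sslvpn-domain-laptops"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "lab.local"
        set dstaddr "all"
        set groups "vpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The policy source is the tag address rather than an IP range, so the allowed set changes whenever EMS re-evaluates the tag rule; if the diagnose output shows an empty list, the policy silently matches nothing, which is the symptom the video's lab shows and the first thing to check in production.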
Info
Channel: Network 360
Views: 723
Id: E7wvvI7WRNI
Length: 25min 32sec (1532 seconds)
Published: Fri Jul 23 2021