Fortigate Firewall Packet Flow -Detailed -2020

Captions
Hi, I'm Santosh Emma. I welcome you to my YouTube channel and also my website; thank you for coming. So today I'm going to make the video on FortiGate packet flow, and if you search for it, it is also called "life of a packet," okay. In that I will explain to you that when the packet is received on the ingress interface and it is delivered to the egress interface, between that there are a lot of processes that happen in the firewall, like the firewall has to check routing, policy, UTM profile, so how the firewall takes decisions on these things, okay.

Another thing that I would like to discuss with you is: when you search, it is "life of a packet," but as per my thinking it's not life of a packet, it's like life of four packets, or you can say life of a session. Why is that so? Because when the firewall receives the SYN packet, the firewall performs actions which are different from when the firewall receives the SYN-ACK; on the SYN-ACK the firewall performs different actions, which are fewer than what was performed on the SYN packet, okay. Sorry, and then after the SYN-ACK it further performs actions in that direction, and then your HTTP GET request comes, the response comes, and in that also different actions are performed, because now it becomes application-layer packets. If you have applied the UTM feature, that will be applied, and if it is HTTPS traffic then SSL makes it secure, makes it encrypted, and then obviously the firewall needs to decrypt if you have applied the decryption, so in that it will apply different actions, okay. So I think it's not life of a packet, it's life of four packets, or in one line we can say life of a session: how a session is handled, meaning in that session how different packets are handled by the firewall, okay.

So let's move to my screen. I would like to request you, if you like this video please press the like button; if you dislike it, please dislike the video, and also give a comment on why you don't like it, so I can improve on that, okay. And I also have my website, if you would like to join the paid course, and you can see what content we are covering, and that's really very detailed; on YouTube you will always get the high-level picture, but if you want to do a deep dive on every topic (policy, NAT, UTM) then you can enroll in the course, okay.

Let's continue. So this is what we need to discuss today, FortiGate packet flow, and FortiGate packet flow consists of four stages: one is the ingress stage and the last one is the egress stage, so these are easy to remember, and in between you have stateful inspection and then you have UTM inspection, okay. So it might look very easy; it is very easy, we can remember that, but there are further sub-steps within these main steps, okay, so let's check what they are. So in the ingress stage these are the steps; in all four stages I will explain them to you one by one. This packet flow I have taken directly from the FortiGate site, and as per this packet flow this is how the packet comes inside to one of the interfaces, which is called the ingress interface. If your packet is received from the LAN then that is called the ingress interface; if your packet is received from the WAN then that is called the ingress interface. It means wherever the first packet is received, that is called the ingress interface, okay. So the packet is received on the interface, then it does further processing, okay.

And this might look like more detail. What I have done: I have taken reference from this and I have made a packet flow myself for FortiGate, and this is how it looks. What I have done is I have taken the packet flow of Palo Alto and I tried their way of explaining the packet flow, and accordingly I have put the things in that, so it will become very easy for you; if you already know the packet flow of Palo Alto then it will be very easy for you to understand, okay. So let's understand from this.

Ingress process: when the packet comes to any of your interfaces, maybe it's a LAN interface, then what happens is it will extract some information, that is layer 2, layer 3 and layer 4 information, okay, and it also has the information on which interface that packet has been received, okay. So when you check in the CLI, this is how it will look: it will give an ID to that, and this is the ID number, okay. So print_pkt_detail, vd-LAN, so this is the virtual domain LAN, and it received the packet, so it is saying it has received a packet, proto 6, it's TCP, okay. So this is the source, this is the source port, this is the destination, this is the destination port, from VLAN 1001, and the packet is a SYN packet, okay. So it also has a sequence number; it doesn't have an acknowledgement because the acknowledgement has not come back yet, if you already know the three-way handshake, okay. So it has the window size, so all this information is received on the ingress interface, okay. Other things, like it checks the TCP/IP stack; if you have configured a DoS policy then it will check the DoS policy; it will also check the IP integrity, and if IP integrity is not good it will discard the packet, okay. If your packet is an IPsec VPN packet then obviously, if it is encrypted, it needs to decrypt the packet, so it will again go back here. Why will it again go back here? Because it needs the original IP addresses; your policies are made for the original IP addresses, okay, not for the public IP, that's why it needs to decrypt and see what is inside, what the actual IP addresses are, okay. So it will again come back this way, okay.

When your packet reaches here it will check the session table, okay, and it will try to find an existing session. How will it come to know if there is an existing session or not? For this it should be matched against the session table, okay. So when it checked in the session table and it said okay, I already have a session, "I found an existing session" and this is the original direction, then it will send the packet to the fast path. Now here we have two paths, slow path and fast path, okay. So in FortiGate when we talk about fast path, there are two fast paths in FortiGate; FortiGate has mentioned only one, but I will explain the second one to you also, okay.

So when it is checked, let's consider there is no existing session; it's the first packet, okay, it's not an existing packet, so the session will not be found and it will go here and say okay, I don't find the session, please allocate a new session. So this is how you will see it in the CLI: it will assign some ID number, a trace ID number, and in init_ip_session_common, this is okay, so what is the message: "allocate a new session" and this is the session ID, okay. So now your packet will enter the slow path. Why do we say slow path? Because these are the things that need to be checked: it checks destination NAT, whether there is a DNAT or not, whether there is routing or not, whether there is a policy, whether there is a source NAT, so all these things need to be checked, okay. So this uses some of the time of the firewall because it's the first packet, so it's mandatory, but once all these things are checked and the session is installed in the session table, these checks do not need to be checked again. So that is the benefit of the session table, and that's why this is called the slow path and this is called the fast path, because the remaining packets will be checked on the basis of the session table, okay. If we discuss more about the slow path, the definition is that it is not mandatory that destination NAT should be there; maybe destination NAT is not configured and it is not required. Like if your traffic is going from LAN to DMZ, in that case destination NAT is not required; you can configure it but it is not mandatory, okay. From LAN to WAN destination NAT is not required, okay, but from WAN to DMZ destination NAT is required, okay. So this is how it will check the DNAT, okay.

So let me also take you here, so where are we right now: we have discussed session tracking, okay, and we have discussed session tracking before destination NAT and before routing. But if you see the packet flow which has been given by FortiGate, they are saying destination NAT will happen, routing will happen, then stateful inspection will start, like policy lookup will happen, and after policy lookup session tracking will happen. This really doesn't make any sense to me; this is illogical. If it will again and again check destination NAT, routing, policy and then it will check the session tracking, then what is the benefit of the session table? It's just wasting time. Then I also captured packets in the CLI and I came to know okay, this is really wrong; that's not defined properly, okay. There is another thing which is not defined by FortiGate, before I forget to explain it to you: they have not defined anywhere where SSL decryption is happening, okay. So I will explain that later in this video, okay.

So this is the packet flow: destination NAT; if destination NAT is not available then it will go to the next step. So let me show you another slide for the CLI, how it looks; I think this one, okay. Here you see, I was just maximizing it, okay. This is the first SYN packet. How did I come to know it's the SYN packet? I have taken a packet capture and this is the flag shown here, [S], so this flag [S] means a SYN packet, okay, and the acknowledgement is zero, so it means it's the first packet, okay. This is the same information: the packet is received and it is proto 6, meaning it is a TCP packet, this is the source, this is the destination, okay. So as per our packet flow, what happens if it is not part of an existing session: it will allocate a new session. So this new session is allocated; after allocating a new session the first thing is destination NAT. It will check the destination NAT and see incoming port to outgoing port; there is nothing outgoing, and there is another message. What does this message say? "no-match": if you see it reads no-match, no match is found for the destination NAT, this is iprope_dnat_check, so this complete line is for DNAT and it says that no match is found, but act is equal to accept, action is accept, so it has passed to the next step, okay.

So the next step as per our packet flow (maybe you need to remember it because I will keep on shifting the screen), the next step is routing, okay. So what happens in the routing, let's go back here. In the routing you will see this kind of message: this one went to the function vf_ip_route_input_common, and the message is "find a route," so FortiGate is commanding: find a route for this destination. Routing is always found for the destination, because you have static routing or dynamic routing; if you have policy-based routing then that is a different concept, that's a separate space, policy-based is source routing, okay. So it will find a route, and it is found, okay, the gateway should be this one. This is like I have done it in my lab, so this is my WAN IP address, and it said okay, it is going from port number five, outside, okay. So it has found the routing.

Now let's go back here; there is one question: why is routing before policy? Routing is before policy because it saves CPU. Firewall policies can be five thousand, ten thousand in a big environment, and routes can be maybe fifty, okay, maybe twenty, fifty or a hundred, meaning routes will always be fewer, okay, but policies will always be more. So the firewall has to check policies from top to bottom, so it will utilize a lot of processing, and if after checking the policy there is no route it has to drop the packet, because a route is required, okay. So it's good to check the route first, okay; it will check the route and it will drop it right there, it will not process further, so it will save the utilization of the firewall. So this is by design; that is why it is before the policy, okay.

Now what is the next message: it has found the routing, port 2 is incoming and port 5 is outgoing, it's here, out, okay. So now let's go to the next message: iprope_in_check, okay, the message says check the policy, and the policy is policy 3, okay, it matched, action is accept. If it were drop it would drop the packet right here, okay. So now let's go here, so we have seen that after routing it has commanded to check the policy, and the policy message says "Allowed by Policy," whatever policy is allowing it, and after that, if you don't have a policy it will drop, if you don't have routing it will drop, but in the case of destination NAT, if it is not available it will go to the next step; that's why I have not dropped it. So source NAT is also not mandatory: if your traffic is going from LAN to DMZ, in that case obviously you don't need SNATting, okay; you can configure it, but it's not mandatory, so your packet should not be dropped if there is no source NAT, okay. So now it will check the source NAT, and this is how it checks; you will see this thing in the CLI: "find SNAT: IP", so this is the IP from my IP pool, okay, and it assigns one port number to it. So this is the IP of my outgoing interface, because I have selected SNAT to be from the outgoing interface, so it has checked okay, finding SNAT, and it has already found it from the IP pool, okay.

So now there are two things here: FortiGate has allocated a new session, but when a session is allocated it doesn't mean it will show in the session table. The session table will have sessions after crossing all these, and after that sessions will be installed in the session table, okay. So it's not like if a session is created you can find it in the session table, okay. If the session is dropped it will not be in the session table, but there is a command where you can configure that your dropped packets should also be in the session table. What is the benefit of that? The benefit is that if your dropped packet is also in the session table then your firewall doesn't need to do the checking again for subsequent packets; it will match from the session table and it will say okay, it is dropped, right here it will just discard the packet, so it will not go here if you add dropped sessions also into the session table, okay. So you need to mention that command, and that is a one-line command you can mention, okay. Okay, now this thing is done, and let me check if I missed something, okay.

So then your session is installed. How does your session look in the session table? So this is how your session looks in the session table: this is proto 6 and proto_state 01. There are a lot of proto_states; for troubleshooting you have no need to remember these states, okay, because SYN, SYN-ACK, ACK is a very quick process and you will always see 01, which is when your connection is established, okay. Then there is may_dirty. The may_dirty flag is when the firewall has allowed it, like there is already a policy, a layer 2 to layer 4 policy is already there, then the state is mentioned as may_dirty, okay. There is another state, dirty. When will that dirty state come? Like if you have done any changes in the firewall policy or routing and the ongoing sessions are part of that existing policy, okay. I will explain it again: suppose I have configured an end-to-end policy and one user is using something, okay, so his session is already in the session table, but I have done some changes in the policy, maybe I applied a UTM profile, something I have done, so the may_dirty flag will change to dirty. So what does it tell? It tells the firewall that now you need to do the inspection again, check if there is a policy, check all those things, okay. So that is the purpose; the dirty flag is for re-evaluation, okay, and after dirty, if there is a policy then it will again put the state as may_dirty, okay. So these are the may_dirty and dirty states.

After may_dirty there is NPU, network processing unit. The network processing unit will handle the packet, and that is also called the fast path; you can say it is the second fast path in FortiGate. The first fast path is the one which avoids DNAT, your source NAT, okay, DNAT, routing, policy, source NAT, okay, so it avoids that, okay, and that one is the second fast path which allows you to use the network processing unit. What NPU is, I will explain to you, okay. What else do you see in the session table? You see pre and post hook, okay, so this one is a pre hook and this one is a post hook, okay. What else do you see here? You also see the routing, okay, so this orgin, this is for routing, okay, gateway, this one, okay, it says okay this is the routing, this is the initial packet and this is the second packet, okay. There's a lot of information in this session also, like when you see SNAT, if SNAT is enabled how the packet will look, if DNAT is enabled how the packet will look in the session table, okay, but that's not today's discussion. I want to tell you that in the session table you have this information: you have the route and you have the NATting and DNATting information, you have the policy ID, so in the session you have all the information of the slow path. All the information of the slow path is in the session table; that is the reason session tracking should not be after policy, which is what is mentioned in the packet flow of FortiGate, okay.

So let's be here, okay. So now the session is installed in the session table; now your session looks like this, okay. When the next packet comes it will check in the session table, and you will see this message: "Find an existing session, original direction," okay. So I want to show you this one, okay. As I told you initially, it's not a life of a packet, it's life of packets or it's life of a session, okay, the session which has been assigned, because the SYN packet is treated differently; the SYN-ACK has a different packet flow. Now, what will happen with the SYN-ACK? The SYN-ACK will not go through all the other things, okay. So this is your second message, what you see here; this was part of the first SYN request, okay. How did I come to know about that? You see here trace_id 112, and it's also here, 112, so this is the first packet, and in that first packet I forgot to show you how it finds the SNAT: it just comes and finds SNAT, so this is it, found from the IP pool, and at the last it just mapped, okay, this IP will be SNATted to this IP, okay.

All right, so this is your SYN-ACK, okay. Did you see that packet, and how did I come to know this is a SYN-ACK? You see your flag is [S.], and if the flag is [S.] then it is SYN-ACK. Second thing, it was 112 and now it became 113, okay, the trace ID became 113. If you see, this ID will remain the same, 20085; I think this is model-specific or OS-specific, because I have seen in many models this ID remains the same, okay. So "received a packet": now the packet is received, like the initial packet went from LAN to WAN, okay, and now the packet is coming back from the WAN. So this is the beauty of a stateful firewall: it already has a state, it already has a session, okay. "Received a packet," this is the packet from port number five, SYN-ACK, sequence, acknowledgement, this one, okay. The message: "Find an existing session," okay, so it has tried to find an existing session and you will see here the same session ID, 0410087b, here and here, so it has found an existing session, okay. So this is DNAT, this one, this one. So this DNAT is part of the session which was created earlier; if you see the session table, in that session table when the SYN packet goes it automatically creates the DNAT, even though DNAT is not required for LAN to WAN, but it's the reply direction, that's why it's called a DNAT: when the reply comes back, to whom should that reply go, so that is already in the session table, okay. So from the session table these things are checked, okay, "find a route," okay, see, all these things are checked and the packet is delivered outside, okay. I hope this thing is clear.

So let's go here; one question for you before we proceed. You can pause the video, you can tell me what are the steps in the slow path; just stop the video and type your answer in the comments, okay, and also comment on why routing is before policy, okay.

Okay, so now your packet comes into the fast path. Before explaining this packet flow I will take you to FortiGate's packet flow. In FortiGate's packet flow, so we have passed this thing, okay, all these things have been passed, and now you are in the UTM, okay. So we are in the UTM, so session tracking, traffic shaping, user authentication, SSL VPN, management traffic, session helper; nowhere is it mentioned as decryption, okay. Like, if you have enabled the decryption, then when will it happen? So this should be mentioned somewhere. I have also not mentioned it here; I need to modify this, but I will explain it to you now, okay. Let me take a pen. So now a question to you: when will the FortiGate firewall identify the application, when will the FortiGate firewall identify the web stream, meaning perform the web filtering, okay, so only based upon these things, and then when will SSL handshake, sorry, SSL decryption happen, okay. So I already answered: when the SSL handshake starts, during that time your decryption should happen, because it will just encrypt the packet and the firewall would not be able to see the packet. So what happens: this is your client and this is your server in the cloud, and your client is sending packets here; you have enabled the decryption, okay, so you have installed a self-signed certificate here or you have taken a certificate from a CA, okay. So your communication is from here to here; this one is thinking that he is going to Google, but actually he is not going to Google. What is happening: your client is sending this SYN packet to the firewall, the firewall is sending a SYN packet to this server, Google maybe, okay, and the firewall is getting the reply back and the firewall is sending the final acknowledgement. So the firewall is initiating the connection on behalf of the client and then the firewall is replying back to the client also, okay. So what is happening: when the packet is coming here the firewall is just opening the packet, okay, because the firewall has the certificate. The certificate is a different thing; maybe you may get confused in that, so to avoid that just try to understand what I am saying, okay. So the firewall will again encrypt the packet with its own certificate and send it to the client. So this is how it works.

So if I talk about when the firewall finds the application and when the firewall does the web filtering, okay, let's talk about web filtering first. When is web filtering applied? When your HTTP GET request goes and your response comes back, on the response your web filtering is applied, okay. But if you have not enabled the SSL deep inspection, in that case will your web filtering not be applied? No, your web filtering will be applied, because you have the client hello; in the client hello you have the SNI, and in the SNI value goes a domain name, okay, the domain name goes in that, okay. So there is an alternative for that, but other things don't work properly if you have not applied decryption, okay. So suppose we have applied the decryption and we know that the HTTP GET request will go and the response will come back, okay. So the response came back, and when the response came back the firewall also got the rating (rating is live queries); the firewall got the rating for that URL, under which category it is, the informational category or the malicious category, and then it will check your URL filtering profile, whether informational is allowed or blocked, and from there it will apply the action, okay. So for this, for the reply packet, your decryption should happen before, so your decryption will happen first. I will remove all this; so here, when the packet is sent here, for the first part your SSL decryption will happen first, okay. SSL decryption happens, and now the question is when application control happens, okay. So application control is where your application is identified, whether it is youtube.com or it is facebook.com, okay, or inside Facebook it is FB chat; I think that's a better example. If these are also in a URL, so URLs will be identified by the web filtering, and the web filtering will obviously check what is inside that; then after checking the website, why will it check the application control? Okay, so application control is always checked first.

There is another explanation for that: application control is, I think, just a name, but it is handled by the IPS engine. When any packet is received, maybe your HTTP GET request, to see it your three-way handshake needs to be processed for application control to come into the picture, okay. So the three-way handshake happened, and now your HTTP GET request came to the firewall, so there is an amount of data, almost 2,000 bytes of data, that has already been exchanged, and now the packet came to the firewall. In application control, what happens is it gives the packet to the IPS engine, and the IPS engine will check in its database, okay, because your application can work on different protocols, different port numbers, okay. So IPS is the only signature which can identify the application when it is working on a different port number, like your peer-to-peer application works on a different port number, so that is the reason: IPS, then application, because application is dependent on IPS, and IPS is the only UTM feature which gets triggered on the SYN packet, okay. For your other UTM features to get triggered it needs to complete the three-way handshake. Now you understand that your packet flow for every packet is different, okay. Now you have the HTTP GET request; your IPS was already triggered because it also comes first into the picture, and the second thing is your IPS is always flow-based; even if you configure your firewall to be proxy-based your IPS is always working flow-based, okay. So your IPS has checked which application it is and then it has forwarded it to the web filtering, and then the web filtering will check your URL, your domain name, and it will do some of the checks in that also. There is a static URL flow of the web filtering: static URLs will be checked first, then it will check the category, okay, in the web filtering. So it has checked all these, and if it is allowed it will send it further.

If we talk about DLP, if we talk about antivirus, let's talk about antivirus. So why is antivirus after web filtering? Because first you need to open any website and then you will download something from there, and in that file there will be something malicious, and that malicious packet, however it is configured, will be blocked. There is also a limit, like maybe 10 MB is the default limit, and if your file size exceeds 10 MB then it will not be checked by the firewall. If I have to give you an example of that: if you have ever downloaded anything from Chrome and if it exceeds a certain size it will say okay, cannot scan it; you will get some notification, whether you want to keep it or you want to discard it, okay. So this is how it happens, okay.

Second thing, when I say IPS gets triggered on the SYN packet, what does it mean? Like if you know DDoS, how DDoS is handled; your IPS handles DDoS. So DDoS works on the basis of the SYN packet only: the attacker is sending a lot of SYN packets, okay, and the firewall is sending back SYN-ACK, obviously, the client is also sending to the firewall, and this attacker will never reply with the final acknowledgement. So what happens: the firewall will have a lot of open connections, okay, so this is a DDoS attack. What does the firewall do? I will take you to the slide; I will just give you the highlights, okay. So this is SYN DDoS handling, not SSL DDoS handling, okay. This happens in the three-way handshake: SYN packet comes, a spoofed SYN-ACK and ACK; what happens is the firewall does a SYN proxy, and the firewall will not create a session until the complete reply comes back, okay. Like here the ACK came, it is sending the packet to the client, but in this case the firewall will not send the packet to the server until the client completes the three-way handshake, okay. "No SYN segment ever seen by listener": the packet will be dropped by the firewall. So all these things are handled by the IPS engine, okay. So this is here, SYN proxy, and IPS subtype anomaly, okay, so IPS is here, so this is for your SYN attack. This information is taken from there; if you're interested you can study that, but my purpose in saying this was that IPS gets triggered first, okay, even if it is a SYN packet, okay.

So let's go back again here. Another thing, if we talk about the fast path: I told you that before. The FortiGate firewall supports ASIC, and that's a really very beautiful thing. ASIC is hardware acceleration; it increases the speed of your firewall, okay. How does it increase the speed of your firewall? Let's again go back to the presentation, and here, okay. When we talk about ASIC we have three different kinds of processor: one is CP, one is SP, one is NP. NP is the network processor, which deals with network-related tasks: routing, switching, all these things are handled by the NP. This is connected to the interface. SP is also connected to the interface, but what does SP do? SP does the IPS scan. Now you understand: the SYN packet is received on the interface, and at the interface level there should be some kind of engine which can check the packets, so the IPS scan is done by the SP. There is another processor which is CP, the content processor. The task of the content processor is that it checks antivirus, attack detection, encryption, decryption, so all these things are done by the content processor. When we say content, our content goes in the application layer, because when you download a file that should be checked by antivirus, when you do encryption/decryption that should be checked, okay, so all these things are checked by the CP, okay.

So this is FortiGate's architecture, from when I was telling you about the different processors; this is how they are connected, okay. So these are your interfaces; all the interfaces are connected to the integrated switch fabric, this is very fast, so they can communicate with each other, okay, and this is the flow, just try to see this flow: all the CPs and the processors are connected to the CPU, okay, NP6, CP8 and CP9, okay. So what happens here, I will explain it to you: the first packet is always handled by the CPU, and if the CPU checks that okay, there is a policy, what will the CPU do? The CPU will just copy the session key to the NPU, any of the NPUs, NP6_0 or NP6_1, wherever your interfaces are, okay. So it says check the policy, okay, offload the session; now your session is offloaded and the keys are copied to the NP6. Now your packet will go to the server; the subsequent packets are handled by NP6, they will never go to the CPU, so this will make the processing very fast, so that's why it is called the fast path, okay. For best practice, I always put your ingress and egress interfaces on the same NP6, okay. So this example, I think it is also a packet flow for that: NP6 has done its thing and keys are copied, okay, the three-way handshake happened, now your encryption and decryption, or all your content pieces, your content processor, so content-type things happen, antivirus will happen, obviously encryption/decryption is also part of that, so it will happen, and that will be handled by your CP8. So the CPU will give the packet to CP8, but the packet has to go through the CPU, this way, as I have explained. So this is how internally they are connected: even if the CPU has to handle the first packet, NP6 will give that packet to the CPU. Like what happens when you have a manager and some new task came, okay, so what will you do? You will give that task to your manager, you will tell the manager, okay sir, I got this new task, what should be done; your manager will check, okay, this is how he will do the interpretation, he will check the policies and then he will say okay, this task can be handled by you, okay, so you can keep on handling the stuff. So this is how it works: the CPU will do the initial checks and then it will say okay, you can handle it, and then the rest of the packets will be handled by NP6. For CP8 obviously the packet has to come through the CPU; encryption/decryption, antivirus, all the content-related tasks will be handled by CP. There is another processor, SP, the security processor, that does IPS, but I have not mentioned it here, so it should be here; it is also connected to your interface, okay.

One more thing in the session, like in this session if you see "post," one minute, I think I'm not able to show it here, okay. "post": if you see post in SNAT, it means something happened after, okay, so that's why it is post here, okay. So post means that the source now will become this one, okay, that's why post is here. If it is LAN to DMZ traffic and you have not done any source NAT or DNAT then it will be pre here, okay, pre here, pre here, okay. So that was one point, okay.

So the packet flow is done, and at the last the packet is delivered to the egress interface, where, if it has done decryption in the beginning for IPsec VPN, it will do the encryption, it will apply the traffic shaping, then WAN optimization and all those things will happen, and the packet will be delivered to the outside interface. So this thing was important; for troubleshooting these things are really very important, okay. There is one scenario-based example I will tell you: I got an issue, and that issue was related to one of the sites being blocked by our antivirus but not being blocked by our web filtering, okay. So for this you should be aware of how the flow works, okay. If you know, okay, the three-way handshake will happen first, and then the HTTP GET request will come, and the reply to the GET request will come; when the reply comes, at that time your web filtering will work, so you should be aware of that. But if you want to block the three-way handshake also, then you need to apply DNS filtering, okay. So maybe there are malicious sites and you want your FortiGate to not process even the three-way handshake, so you can do that, okay. So if you know the packet flow then troubleshooting becomes very easy for you, okay.

So before closing I would like to ask you a question: what is the difference between allocating a new session and installing a new session, okay? The second question is: when does decryption happen in FortiGate, okay? So answer that in the comments. I hope you liked my video; if you did not like it please do dislike and also do comment on why you don't like it, I would like to improve on that and maybe I will try to make another video for that, okay. Thank you, bye.
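The walk-through above reads `diagnose debug flow` output by eye to tell the slow path (allocate a new session, then DNAT check, route lookup, policy lookup, SNAT) from the fast path (find an existing session, then only the NAT and route actions stored in the session). The following script is an added example, not code from the video or from Fortinet: it parses debug-flow records of the `id=... trace_id=... func=... msg="..."` shape the video shows, groups them by trace_id, and summarises which path each packet took, in what order the slow-path steps ran, and whether the policy check allowed or denied it. The sample records, addresses, session ids and the function/message strings they carry are constructed for this example and modelled on what the video describes, not captured from a real device.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of `diagnose debug flow` output (not captured from a real device).
# The id=/trace_id=/func=/msg= layout and function names follow what the video walks
# through; addresses use RFC 5737 documentation ranges, other values are made up.
SAMPLE_FLOW = """\
id=20085 trace_id=112 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=6, 192.0.2.10:51000->198.51.100.20:443) from port2. flag [S], seq 1000, ack 0, win 64240"
id=20085 trace_id=112 func=init_ip_session_common line=5682 msg="allocate a new session-0410087b"
id=20085 trace_id=112 func=iprope_dnat_check line=4989 msg="in-[port2], out-[]"
id=20085 trace_id=112 func=iprope_dnat_check line=5002 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=112 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-203.0.113.1 via port5"
id=20085 trace_id=112 func=iprope_in_check line=407 msg="in-[port2], out-[port5], sport=51000, dport=443"
id=20085 trace_id=112 func=fw_forward_handler line=759 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=112 func=__ip_session_run_tuple line=3337 msg="SNAT 192.0.2.10->203.0.113.5:51000"
id=20085 trace_id=113 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=6, 198.51.100.20:443->203.0.113.5:51000) from port5. flag [S.], seq 5000, ack 1001, win 65535"
id=20085 trace_id=113 func=resolve_ip_tuple_fast line=5597 msg="Find an existing session, id-0410087b, reply direction"
id=20085 trace_id=113 func=__ip_session_run_tuple line=3351 msg="DNAT 203.0.113.5:51000->192.0.2.10:51000"
id=20085 trace_id=113 func=vf_ip_route_input_common line=2581 msg="find a route: flag=00000000 gw-192.0.2.10 via port2"
id=20085 trace_id=114 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=6, 192.0.2.33:40000->198.51.100.7:23) from port2. flag [S], seq 7, ack 0, win 64240"
id=20085 trace_id=114 func=init_ip_session_common line=5682 msg="allocate a new session-0410088c"
id=20085 trace_id=114 func=iprope_dnat_check line=4989 msg="in-[port2], out-[]"
id=20085 trace_id=114 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-203.0.113.1 via port5"
id=20085 trace_id=114 func=iprope_in_check line=407 msg="in-[port2], out-[port5], sport=40000, dport=23"
id=20085 trace_id=114 func=fw_forward_handler line=786 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(r'^id=(\d+) trace_id=(\d+) func=(\S+) line=(\d+) msg="(.*)"$')

# Function name -> the slow-path step the video walks through (DNAT, route, policy, NAT).
STEP_OF_FUNC = {
    "iprope_dnat_check": "dnat",
    "vf_ip_route_input_common": "route",
    "iprope_in_check": "policy",
    "__ip_session_run_tuple": "nat",
}


@dataclass
class PacketTrace:
    trace_id: int
    path: str = "unknown"            # "slow" (new session) or "fast" (existing session)
    session_id: Optional[str] = None
    direction: Optional[str] = None  # "original" / "reply" when an existing session matched
    steps: List[str] = field(default_factory=list)
    allowed: Optional[bool] = None
    policy_id: Optional[int] = None


def parse_debug_flow(text: str) -> List[PacketTrace]:
    """Group debug-flow records by trace_id and summarise the path each packet took."""
    traces: Dict[int, PacketTrace] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore console noise that is not a flow record
        trace_id, func, msg = int(m.group(2)), m.group(3), m.group(5)
        t = traces.setdefault(trace_id, PacketTrace(trace_id))
        if msg.startswith("allocate a new session-"):
            t.path, t.session_id = "slow", msg.rsplit("-", 1)[1]
        elif msg.startswith("Find an existing session"):
            t.path = "fast"
            hit = re.search(r"id-([0-9a-f]+), (original|reply) direction", msg)
            if hit:
                t.session_id, t.direction = hit.group(1), hit.group(2)
        elif (verdict := re.match(r"Allowed by Policy-(\d+)", msg)):
            t.allowed, t.policy_id = True, int(verdict.group(1))
        elif (verdict := re.search(r"Denied by forward policy check \(policy (\d+)\)", msg)):
            t.allowed, t.policy_id = False, int(verdict.group(1))
        step = STEP_OF_FUNC.get(func)
        if step and (not t.steps or t.steps[-1] != step):
            t.steps.append(step)  # the two iprope_dnat_check lines collapse into one step
    return [traces[k] for k in sorted(traces)]


def slow_path_order_ok(t: PacketTrace) -> bool:
    """The video's point: on the slow path the route lookup precedes the policy lookup."""
    if t.path != "slow" or "route" not in t.steps or "policy" not in t.steps:
        return False
    return t.steps.index("route") < t.steps.index("policy")


if __name__ == "__main__":
    for t in parse_debug_flow(SAMPLE_FLOW):
        print(f"trace {t.trace_id}: {t.path} path, session {t.session_id}, "
              f"steps {t.steps}, allowed={t.allowed}, policy={t.policy_id}")
```

Running it prints one line per trace: 112 is the SYN on the slow path (DNAT, route, policy, SNAT, allowed by policy 3), 113 is the SYN-ACK matching the same session in the reply direction and only applying the stored DNAT and route, and 114 is a SYN that reached the policy check and was denied, so no SNAT step follows. The same grouping is what you do by hand when a user reports a site that "sometimes" works: a trace whose `steps` stop at `policy` with `allowed=False` is a policy problem, one that never reaches `route` points at the DoS policy or IP integrity checks earlier in the ingress stage.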
Info
Channel: Technical_Scoop
Views: 14,629
Keywords: fortigate packet flow, packet flow fortigate, packet flow
Id: vJjVQdwruG0
Length: 44min 37sec (2677 seconds)
Published: Fri May 22 2020