Fortigate Firewall - Route and IPv4 Policy Configuration

hello guys welcome to this tech session during these videos as I won't be showing you how to configure routing and visit IPv4 policy on FortiGate firewall rattle configure out in I'll go to network and under network you can see the routing options static policy here it will SP every IP multicast but for this video got one because of him OSPF and they will look at our topology we are building OSPF process between the DMZ interface on the firewall and the DMZ router so the DMZ segment we are building our OSPF routing process so if I do that let me come here show ip interface brief router ospf 1 network time not 10 not 20 notes 0 wildcard mask wildcard mask should be 2 should be T because his last 30 network so I gotta meet Lee does to find 5 minus 2 5 2 and it's gonna be night 0 oh they should I'm not creating loopback interface I will do that that we slashed 32 here are 0 in topless loopback 1 IP address 1 1 1 1 255.255.255.0 5k down we are typing toughest breaker on section of OSPF so I'll go back to my history about time I wrapped ID on Hugh still to that little tree my dad is gonna be zero Y zero is gonna be for Ted's okay I already have India he okay Aradia a bit here but Josie she art critic aunt Anita configure if you want there was a loser loser so now just click on okay so that's all and now for the network you need to occur to advertise will be in ela 0 also and our betaine detained or 22 0 / TT does my name's interface and I also like to advertise my inside network i we also like to advertise my outside network the 16th at the end of the row / 24 and now the interface that the process will be running on the RV denier interface doesn't interfere ally myself with us will be running on and now click OK and now apply show ip ospf neighbor what's happening okay let me routing monitor the NEBOSH appeared - events yet k/d book me what could the problem be okay keep a copy SPF the ball up us we have pockets our debug IP we have this one
more down to a treat I just say appears we have evolved to nothing now let me show log she can receive that load is my FortiGate sigh route I define the FortiGate interface was with interface we smash and Oprah meter from 1021 say the dead time is 40 in the end we stain go back from there click on edit yeah I know it ain't dead is 40 okay okay there's something two five two five two five two received it received subnet of these edges is 40 copy 40 okay but this is working receive subnet of 255.255.255.0 interface key to oh that's it's the interface is slash 24 but what is receiving from the adjacent interface with his opposite in the same subnet is slash 30 so there's a mistake this supposed to be /30 I did it because I thought I have configured on my FortiGate also interface key to IP address then the 10.20 go to - 500 - 500 - 5.25 - so everything should be fine now show log excellent that's it the boss he has reformed I wanted working all show ip ospf neighbor excellent show IP route I'll receive route 2 into the inside Network I received route to the outside router so that is fine so yeah I'll go to log reports let me see router Vince okay now so this is the network this is network at the DMZ router is advertising to me so I have route to the loopback interface one one one two it aims the router there's something definitely to shot that time okay what actually want to check his teeth there are events most without Ivan still have these routes their shoe repair out get up I'll be post on my router that's fine okay it's been 40 also that's fine think I suppose whoever events let me do those shots looking back to monitor okay that's okay we'll see about events if I can see my right ear okay let me go back I supposed to say that I've and we've gotten that out I just said she has been established fine there's something locked I went up to see veins he think let me see check okay fine exhaling this what I'm looking for cuz I know supposed to see art
events NEBOSH absorbed neighbor she pees down whatever yes even the other time why we have an issue this should have been a point I also just like we can see on the route I went around show log when I did walk a narrow shallow like we see what is happening also for me also AB deluxe II received aloof from one one one one dollar a tidy for the games errata fear ports DMZ ports and the IP address of the DMZ ports network much network mask meet mismatch so it received 24 while supposed to be touched at his coffee got here it's received 24 even this would have been a good pointer for us for then I have it on disk so it also meant inside to play it on memory so anything lock words on the memory so now I can see so this would have you know pointed also the issue on time so but well I'm glad we able to make that work and we can see it now the error generated even with I know on this Cisco router I have to run debug if I could see the error but ei although actually even with our own in debug single seat on Cisco router or it's just because I'm not looking to money does I have to go to show log to see because I believe I'm looking to monitor I would have seen the error look on this Cisco router also just like we can see from me so now we've configured our OSPF routes in everything is fine so on what they want to do to test our OSPF routing we are going ping now to be able to ping from here to here my PC digit of my pcs here and the firewall now knows about 1.1.1.1 so out of ping one dot one dot one dot one let me ping make it refers that's mine nothing okay the ping is not going why is a ping not going now if we click on policy objects IPv4 policy by default we have implicit deny configured by default and you can see my ICMP is hitting this policy this YT e value by T value fresh now it keeps increasing if you click on it they are going to see the hit counts you can see it's not nice with hit count is also increasing and now in order for me to be able to see
this log yeah I should be able to see it from EA forward traffic as you be able to see it from here whenever for me to see it I have to log by default the implicit deny policy is not logging Sun logging so I will click on log fairly short language any block varnish on traffic and now click on ok that should do it audience when we go logging reports forward traffic I'm still not seeing the log my ping is still running so good log settings log denied unicast traffic let me just use other test I'll go back to forward traffic still not logging oh memory excellent so that seats you can see the traffic coming from 10.0 1002 on Dredd that's my PC my LAN PC dizzy device because it is my PC name so FortiGate it also gets that information and this destination you can see denied policy violation I'll do something let me go back to my log settings I'm not logging deny unicast traffic just want to prove something to us I'll go to forward traffic and I love to clearly okay okay this is recent log dating 31 15 circles second 15 does recent log let me refresh 55 okay so when I think the last log is on ten thirty to twenty ten thirty to twenty so I will start pinging again can see it's increasing again so it's logging even without this so those also show you that you don't need is to log you deny traffic so it's logging it by default so now I'll go to policy so here I'm gonna show you how to configure simple IPv4 policy click on create new search with DMZ it's going to be coming from inside interface and it's gonna be going through going it will be gracing to the DMZ interface and the source I'm going to create a dress just like we have it asked objecting LC inside network when you subnet attendant in obtain the 0/24 and can recolor them for something fancy that's one in address list and our view interface any if I select interface inside I can use it any way I want to I can use that address or the object anywhere else differ from the inside interface so she knows that so my source
is going to be this inside you talk on the destination I'm going to create another IP address I would say web server Java is gonna be one dot 100 101 so I study - and that's is the dead only DMZ toughest our body tonight office lobby okay and the service for now is gonna be ICMP just work for our test and I'm are setting I'm not doing that and I will click OK I'm not signed I apply any security profile for now yeah I'm going to log all session and the policy Senegal that seats you can see Nadia Metacritic policy my ping is now responding because I've created the policy that allows the ping so let me refresh you can see traffic is now hitting the policy I'll go to FortiView ourselves you can see this area of FortiView 1000 1000 1000 200 from the inside is the source objects in the society either the source objects this is a device visit destination the destination object the application which is ICMP source port destination ports right so hundra's you can also click on policy with these you can see even the bandwidth at each of your policies are consuming we can see the bandwidth for me so library sources destination unless like a so FortiView is just for you to check just from watching purpose to see your logs and rest like that that's all FortiView means for his work on memory as indeed the forward traffic if you see is only showing the deny policy but here FortiView I can see my sessions here although these are FortiView you are not going to see deny policy unequal see establish session I mean on also shows are only going to see you establish on e that's what I go see from here or from here I can always see whatever traffic that has been that is been denied so now our Latino lady shows quickly is now to the outside interface we've established routes between the inside and the outside what on the thought of outside what of DMZ to outside or inside to outside so what I'm going to do I'll go back to network and I'll click on my OSPF known at least amount on routes
we'll see yeah how greedy for tryouts I can basically I can I can just create route to once okay for tastes i'll kriti loopback interface yeah which represents maybe the internet or whatever interface loopback rewards you back one IP address 2.2.2.2 to 505 other two four five so that's gonna be that and now see we are going to one I mean - - - - / 32 she routed to the truth outside interface and the gauge is gonna be all sound 0 16 dot 10.2 Osman outta McDonough City distance 1 it's a new boot we also have a massive shop I'm living that Nam just gonna click okay now the firewall knows how to get this loopback IP address but mind you in the inside you will be able to get it hasn't even coming from inside follows my gt500 knows how to get it let's try that with my PC I will finish it ping - 22 - to see first thing we need to know to do have policy that permitted so how to create an IPv4 policy for it creates new go see inside to outside it's coming from inside into a sign source side network yes initial you'll see all she'd do that live on the policy to only be RT within certain time certain period of time that's why we click on share do so Leo for 4440 good policies I prefer policy you can she deletes they'll can you only positive active during this time of what is world of time on just like that force a visa Massey Hall whatever the services I'm not doing that for now I'm going to logo session module security Vince and I think they'll be home I will click on ok critter to policy to allow that so I love my ping from inside to outside you can see there's an increment but the ping I've seen are receiving echo reply echo request is going I'm not even a echo reply and the reason should be because the outside layer is not having any doubts IP routes debug IP ICMP show log we're gonna see that okay don't let me waste time with nights on debug all should I peel out so I'm show ip route who want to do it for well if you point it to the firewall or the normally in real
world life scenario you me between that before the sake of this lab so I configure a default route on the outside light other points back to the inside I mean to the firewall so those for these sake of this lab one six dots 10.2 lovely families one so I should get my cordon line now can see it's now responding out of the policy coffee God I have Nereids configured that's fine but now for the DMZ for the DMZ router show ip route aye-aye route to it and I don't want to create static routes on my DMZ router so what I'm going to do is this I'll go to Network OSPF and I will redistribute static so let me redistribute static into my OSPF process so now let's see what we got you can see now I have right now I'm redistributing static routes that are configured on this device and redistributing them into my OSPF process so now DMZ knows how to get to the outside network through the redistribution can see energy the know-how so my DMZ now has a path to get to the outside world so what I'll do now I'm pinging 2.2.2.2 see camping don't forget we don't have policy for it yet so I'll click on policy on object IPv4 policy and after great policy for it also and that's going to be coming from DMZ I'm going to outside my source address let me see source of World War one only want affirmative observer and he's going to all and I don't want you to go to hall nothing go to 2.2.2.2 address we just see I lost name it is easy to its new to to 2/32 I'm not going to bind it to any particular interface I'm gonna leave at any so should I be my destination so that means the traffic should be social one I want one I'm - - - - and the service is UV ICMP am i setting log you know and I'm thinking okay I'm not doing not for now I will talk about NAT later the name is going to be DMZ house click ok so I have now I have every segments taking care of basically inside to outside inside to DMZ have DMZ to outside but I don't have them sitting inside like me about the only that I just
wanna show you how to create basic IPv4 policy and I've been able to show you how to do that something yeah it's only logging for security event sounds low for session another security events fine so now I should be able to ping now I need to saw the ping from one one one one before he could work because as a source IP which is permitted ping 2.2.2.2 source one one one one can see it's now working throughout the beach and yeah so if I go to FortiView all sessions able to see on my sessions I can see the one from inside that of the web server will click on policies you can see two policies that are active inside Josiah policy and mg2si policy consider bandwidth the consumption under a select add sources destinations and boundary to each of the destination counselor do we are going to same destination so that way I'm gonna stop this video I have sure knows how to configure OSPF how to configure static route and how to configure basic IPv4 policies and there's one thing I also like to quickly show you before I wrap up this video something I'd like to do I was topped the distribution of static routes I will stop that I will apply Pingree stopping time I'll go to static routes also I did this to any any so whatever that is if you are going to any whatever the father whatever subnet or network if our world is not aware of let's push it outside the cab default routes hey if I one knows how to get in actually but for the DMZ rtems even no longer because I'm no longer redistributing its static routes I can't be gone if I walk to the OSPF process who the DMZ no longer droughts 2008 or two three two two dot two dot two dot two so what the file ad inside also we see be able to get in because if our us see lousy routes so when I'm changing into default route C okay so anything any way you are going any unknown just point you to this guy I will now go back to my OSPF process click on advanced injects default routes I'll click always or you can see
regular areas and if I have any passive interface so for now even for example passive in tough is my inside I'm Nora Nene voiceover man inside his passive I'm nine years we have on the outs yeah oh yeah boot passive interfaces so I'll click on apply so I'm injecting the default route now so my DMZ should get the routes back to two dot two dot two dot two swing go to whatever outside world so let's wait awhile for that you can see so my DMZ now gets the route back so I'll stop the ping I'll show IP route and you can see now default route has been injected by the FortiGate into the DMZ router that's it so during this video I've shown you how to configure OSPF passive interface how to redistribute static into OSPF process how to inject the default route from the FortiGate into your OSPF process how to configure basic IPv4 policies are to configure default routes out of configure static routes thank you very much for watching this video
Info
Channel: Ayo Kush
Views: 3,694
Id: DellzWyXihE
Length: 38min 26sec (2306 seconds)
Published: Wed Apr 24 2019