Fortigate Live Playlist

Captions
...see the other 10 log events. FortiGate also shows you that you have 237 logs that are found and only 10 logs are returned.

6.4 is one of the latest releases of Fortinet, and they're doing a great job from release to release adding new features. Up until now there were dozens of videos all over describing the new features of 6.4. Well, I've decided to create one that will focus on the more friendly features of 6.4, so let's start.

The first friendly feature is the execute speed test that you can do on your WAN interface. To do so you'll have to have the SD-WAN Network Monitor license. Once you have one you can jump up to your WAN interface and execute a speed test. Now, when you do so the results will be added to your estimated bandwidth, the estimated WAN bandwidth, but you will have to be connected to FortiGuard and to, I believe, Google's or AWS speed test servers.

The second friendly feature is a fantastic one. I've always been asked, when dealing with security profiles, which feature is supported either in flow-based inspection mode or in proxy-based inspection mode, and it seems that up until 6.4 you had to remember which feature is supported and where. So from now on you can actually create a new security profile, and if you wish to see which feature or which capability is supported under the proxy inspection mode, the only thing that you need to do is to click on the proxy-based option, and there you will see that you can only use content disarm and reconstruction under the proxy-based mode. The same goes for web filter: just click on the proxy-based option and you will see the features that are supported only in a proxy-based inspection mode.

The next friendly feature is actually not a feature; it is a way of describing things much more clearly. So when you go to Network > SD-WAN and you add new interfaces to be part of the SD-WAN interface, the next thing is to create an SLA, a performance SLA, where you configure the SLA server and the SLA target. The next thing is to go to SD-WAN rules. Now, in SD-WAN rules at the end you actually create your SD-WAN strategy. The SD-WAN strategy can be manual, best quality, maximize bandwidth, or lowest cost. I can tell you that every student asked me what it means: what is best quality, what is maximize bandwidth. So finally Fortinet actually describes each strategy and what it does.

The next friendly feature is a cool feature, which is the IP address tooltip. Whenever you hover with your mouse over an IP address it will show more information on that IP address. So let's go to Log & Report > Application Control and let's see what happens when we hover over that IP address. Well, we can see that the owner is Google, we can see their location, which is England, and we can also see the latitude, longitude, and the running services. Let's go to another IP address, and that IP address is also owned by Google. Let's find an IP address which may not be owned by Google. All right, so we have an IP address whose owner is Amazon, and it seems its location is here in Israel, Tel Aviv.

Another friendly feature is the Add Widget dialog, which is now much more organized than it was before. You have dozens of widgets, some of them new; I believe that the IPsec and the SSL VPN widgets are new, and you have a bunch of Wi-Fi widgets that show you the channel utilization of the access point, clients per access point, interfering access points, and so on. And the last friendly feature is the fact that you now don't have an IPv4 policy and an IPv6 policy; you only have a firewall policy. You can add an IPv6 or an IPv4 address object to the source and destination fields in your one policy.

You're a small business, very small: six employees, six computers, one switch, one access point, an ISP router, one subnet, and a network attached storage that serves as a file server. That's right, no domain controller, no servers, no clustering; everything is flat and simple. But you still want to protect your network assets, you still want to be able to connect to your file servers from remote, give permissions to the management to specific domains, and you decided to buy a firewall, a small firewall, not too fancy. So here are the seven things you must do in order to start and work with your firewall.

All right, so the following are the basic steps that you as a small business will need to do once you get your FortiGate or any other firewall in your business. Now, the very first thing: remember, once you configure your firewall, you're the administrator of that firewall, you're the super admin, so you will need to harden your account. You can use two-factor authentication; you can also use an email-based means to get a token in your email. I have done a video on that before and you can just click the link above and go straight to it. Another thing is trusted hosts. You will need to configure either one, two, or three IP addresses that the admin can actually connect from to the management interface of your FortiGate. So configure your office address, configure your home address, and don't let anyone get into your FortiGate from outside.

The second thing that you can do is to segment your network. Now, even if you have only six or ten employees, and three of them are in the marketing department and four of them are doing sales, create a new interface. You have lots of switch ports on your FortiGate, and even if you don't, you can create virtual LANs. So let's create an interface. Let's just name our interface Sales. The role of that interface is LAN. Just assign a specific subnet to that interface; this is a private IP address. Use for management HTTPS and SSH: HTTPS to get to that interface through the GUI, and SSH is through the command line. And just configure a DHCP server. Now, you probably have only about five to six employees, so don't use the full pool. In our case it starts at 10.0.9.2, so let's use it up until .10. Now, you can do many other things; we will not get into it right now, but this is the basics of just creating a new interface. Be sure to connect those employees through their computers to that specific port on your FortiGate, either using a switch or directly.

All right, now once you've built the interfaces you can actually start to configure some rules. Let's just use basic rules for now. We head over to Policy & Objects > IPv4 Policy, Create New, and let's just create a Sales policy. Now, we're not limiting anyone in our sales department, so the incoming interface is Sales, the outgoing interface is our WAN interface, the interface that is connected to our ISP router. As for source, currently we will use all, but we will create a firewall address object very soon and we can actually use it in our firewall policies. In terms of service, we will allow any service, any protocol, to go through this firewall policy. We will enable NAT. We will not currently use our security profiles; we will do it soon. And we will log just about every session, not only security events, all sessions. All right, so that's our Sales policy. Let's create a new policy, let's name it Marketing, and the incoming interface is Marketing, outgoing is our WAN, source all, destination all, service all. Let's just enable logging for all sessions. All right.

The next thing to do is to actually create a virtual LAN for our access point. Now, there are times when you need to create another broadcast domain which is on top of physical ports, so if your FortiGate has eight ports you can actually create on top of each port VLANs, virtual LANs, that you can connect to that switch and from there to outsourced employees or other employees. So let's just use the Sales port to create another interface, which is our VLAN interface. Let's name it Outsource 2, and we will use a tag of 300; let's also use it here. And the interface, as we said, is the Sales interface. Now let's configure an IP address, as we do in just about every subnet, every LAN that we have, so we'll use 192.168.2.1/24, and we'll use administrative access HTTPS and SSH, and we will actually use the full pool in our DHCP server; we will not limit it to only a specific number of IP addresses. Okay.

Now, once we have that VLAN on our Sales interface, that's VLAN 300, we need to create a policy, a policy that will allow any traffic that is coming from that VLAN to get out to the internet. So we will again create a new policy. Let's name it Outsource 2. The incoming interface is our VLAN, Outsource 2, and the outgoing is our WAN interface. Now, anyone can connect to that VLAN, anyone can go anywhere, but in terms of service we will not allow any service out there; we will use HTTPS, HTTP, all right, and DNS. All right, now let's just apply that, and now we have a new policy that allows anyone that connects to it to get out to the internet only using HTTP, HTTPS, and DNS. All right.

Now let's create a firewall address object. Why do we need a firewall address object? Well, sometimes we have different computers on our subnet that we want to limit or to grant access to specific services, and that's a good way to create a policy that is more granular. So to create a firewall address object we'll go to Policy & Objects > Addresses. Now let's decide that our firewall address object will be for the marketing division, that's the 10.0.5.0 subnet, and we know that we have a user that has the 10.0.5.3 IP address, and we want to limit it from sending pings, sending ICMP protocol pings. So how do we do that? We go to Policy & Objects > Addresses, Create New > Address. Now let's name our computer Limited ICMP, that's a nice name. Let's use the IP range and let's use 10.0.5.2 up to 10.0.5... no, we said that it will be .3. And the interface is the Marketing interface. Okay. We can also use static route configuration if we want to use it in a specific static route, but we don't need it for now. Let's just apply that, and now let's create a new policy. In our new policy we will name it No ICMP for that specific device. So the incoming interface is Marketing, the outgoing is the WAN interface, and the source is the new Limited ICMP address that we have just created, destination all, service ICMP. We want to limit it from sending ICMP ping, so we'll choose ALL_ICMP and PING, and in the action we will choose Deny. Okay, so now we have a policy that denies ICMP, or denies pings, from that specific user. Now, for that policy to work we need to actually move that policy before the Marketing policy, so our firewall will look at that policy and will understand that that specific device, which belongs to the marketing division, doesn't have full access the same as the other users; it limits it from sending ICMP.

Now, the next thing you will need to do is to create a static route so that all packets from different interfaces will know where to go in order to get out to the internet. To do so you go to Network > Static Routes, Create New > Static Route. Now, I have already created one here; that's my static route. The destination is all zeros, that is, every packet that is destined anywhere and doesn't have a route in the routing table will go through that static route. You will need to choose the interface, in our case that's the WAN interface, which is connected to our ISP router. We will not look at the administrative distance or the priority of that route, but know that you can actually prioritize different static routes on your FortiGate firewall. All right.

So we actually reached our final step, the final configuration, which is applying security profiles to your policies. Now, you can find Security Profiles just beneath Policy & Objects, and you have different security profiles. Each security profile has its own knowledge base, and you can find dozens of videos in my channel that explain how to work with antivirus, web filter, DNS filter. The idea is that you actually create a security profile and then you apply it on your policy. So let's just open one policy, let's edit it, and here you can find the different security profiles. Once you enable it, it actually scans the traffic and looks for viruses, malware, spam, domains that are not permitted, and other things.

Application control is probably one of the most used security profiles out there. Now, each application in the application database has its own unique ID; it can be TeamViewer, Netflix, Amazon apps, or any other application. Now, your application sensor actually uses the IPS engine, which looks at the different protocols, looks at the different traffic, decodes the protocol, looks for patterns, and then when it knows that a specific application flows through the different interfaces, it says so in the session list. So let's take a look at how the application unique ID shows up in the session table.

All right, so the very first thing that we need to do is to head over to FortiGuard Labs > Threat Lookups > Application Control. Now here we can look at the different unique IDs that each application has. Let's look at TeamViewer. All right, we have different vulnerabilities, but we will look at the application category, and here we have TeamViewer. Let's just press it, and there it is, that's the unique ID of TeamViewer. The second app that we will look at is Netflix. There we have Netflix, and Netflix has the unique ID of 18155. All right, so let's move to our Ubuntu device and let's just enable TeamViewer. Oh, there it is, all right, and it is working. So let's move back to our FortiGate. Let's just use diagnose sys session list, and we see that we have dozens of sessions; we cannot actually look at the different sessions, so we will use the grep command. And the very first app that we will look at is the Netflix app, 18155. 18155, and there we have it: we have a session, that's the session ID, this serial is actually the session ID, and we have a session that the Netflix app actually uses, so that's the app ID. So let's get back to our Ubuntu and let's look at TeamViewer; it is working, and there we have it, that's the session ID and that's the app, the TeamViewer app, that actually initiated that session.

Asymmetric encryption is being used just about everywhere. Let's look at the following scenario, and then we will dive in and understand how it actually works. So let's assume that Eve wants to send a message to Bob. She writes down the message, she encrypts it using her own symmetric key, and then when it is all encrypted it is sent to Bob. Now, Bob knows the key; he knows the symmetric key that Eve used. He uses it, and by that he actually decrypts the message. Now, if you think about it, we actually achieved only one thing: we encrypted the message. But then again we have other challenges. The first one: how can we deliver the key between Eve and Bob? Let's assume that Eve and Bob don't live close by. The second challenge is how can we tell that the message wasn't modified, how can we tell that no one actually tampered with the bits of the message itself. And the third challenge: how can we tell that the person who claims to be Eve is really Eve? For that we have asymmetric encryption. Coming up.

When Eve encrypted her message she actually used symmetric encryption, and the key that was used by the algorithm was also known to Bob. Let's just take a look at the terminal, let's just make it bigger, and let's generate a random key. We'll use for that openssl rand, which is a command that allows you to generate pseudorandom numbers, integers. Let's use a key in hexadecimal, and let's use an 8-byte key. That is the key that could be used in symmetric key encryption and that both parties should be aware of. So if we get back to Eve and Bob, Eve used this key with her algorithm; it could be AES, it can be DES, it can be 3DES, any symmetric encryption algorithm, and Bob used the same key. So both parties have the same key, they both know that the algorithm is either AES or 3DES, and the message could be decrypted on the other side.

In asymmetric encryption Eve actually generates two keys, a key pair. They may look similar but they are actually different: mathematically related, but different. The first key is the private key. The private key is actually the secret key that Eve needs to keep in a secret place. The second key is the public key, and as the name suggests it is public; everyone can use that key. Now, when Bob gets the key he can use it for asymmetric encryption and actually decrypt messages that were sent by Eve. He can also encrypt his own messages using the public key and from there just send them back towards Eve, and Eve can decrypt them. So if we go back to OpenSSL, let's just write down openssl genrsa. RSA is one of the algorithms of asymmetric encryption, and we'll use a 2048-bit key. And that's our private key. That's our private key; we can actually generate the public key from the private key that we have just generated, but that's the private key that Eve has actually generated, and as we said it should be kept secret. And there we have it: Eve generates a private key and a public key and sends the public key to Bob. Now Bob gets her public key, and from now on he can decrypt Eve's messages. Now think about it: the fact that only her public key can decrypt Eve's messages suggests that the message actually came from Eve. That's one way to authenticate the other side.

Now, in fact, asymmetric encryption is not used to encrypt the session itself, the data, the payload that is being sent from Eve to Bob and vice versa, for many reasons; one of them is the size of the keys. So what is actually being done is that the private and the public keys are used to encrypt the session keys, the symmetric encryption keys. They are much smaller in size, and they are decrypted and encrypted much faster than asymmetric encryption keys. So Eve can actually generate a random key, that is a symmetric key, encrypt it using her own private key; Bob can get the encrypted message, open it with her public key, and now he knows what the symmetric key is that Eve will use to encrypt the whole session.

Auditing your firewall is a major task that you need to do from time to time. Now, there are companies that release tools that will allow you to audit your firewall, but here are the 10 best practices that you can start with. The following best practices are not in a specific order, so just use them as you wish. Now, another thing: I'm showing it on a FortiGate firewall, but you can also do it on a Check Point firewall, on a Palo Alto firewall, or any next generation firewall.

Quite obvious, but we do it on any device, any server that we have in our organization: be sure that your firmware is up to date. Always use the latest firmware; usually the latest firmwares are much more secure. Your firewall vendor will always make sure that you have the latest patches on the latest firmware. So back up your configuration, look at the release path, and update your firmware.

Encryption, and strong encryption, is fundamental in your firewall, so be sure that you always use the strongest algorithms. Now, it's not always possible, but assuming that the other side also supports the strongest algorithms, just find out the appropriate CLI command on your firewall and enable it. So in a FortiGate firewall it is config system global, now it may change from firmware to firmware, set strong-crypto, and just be sure to enable it.

Always make sure that your administrator is connecting to your FortiGate through a trusted host, that is, a trusted IP address, such as the IP address at their home or in the office. Now, you can do it using the graphical user interface, you can do it using the CLI. Let's do it using the CLI: config system admin, let's edit the admin, and from here set trusthost and just write down the trusted IP address.

If possible, on your WAN interface, your external facing interface, don't allow any administrative management. So let's just use config system interface, edit port1, which is my internet facing interface, and unset allowaccess. On your LAN interface administrative access, try always to use HTTPS and SSH, that is HTTPS to the graphical user interface and SSH to the command line. Now try to avoid ping and try to avoid other protocols unless needed.

The following is probably one of the first audits that you need to do: look for unused rules, rules that were requested a long time ago and configured on your firewall. Look for them, and if they're not relevant anymore, just delete them. Now, a side note: document any rule that is requested, document who asked for the specific rule and the time that it was configured.

Your administrator should always log into your FortiGate, or any other firewall, using HTTPS, so be sure that even if they try to do it over HTTP, your firewall will redirect the request over HTTPS. So let's do it here: config system global, set admin-https-redirect.

Another setting that you should be aware of is the admin lockout and the admin lockout duration. Now, that should comply with your organization policy: config system global, and now let's set the admin... you can set the admin-lockout-duration. The default is 60 seconds, but you can set it to 5 minutes or more; that should comply with your organization policy. Now, another setting is the threshold itself, that is the admin-lockout-threshold, which is actually the number of failed attempts when your admin tries to log into the system. The default is three, and it is a best practice to keep it at three.

Logs should be part of your auditing, that is, when you audit a firewall be sure that logs are there for at least seven days. Now, look at the proper documentation of your firewall. Let's just do it here: config log disk setting, set maximum-age. Now you can set it to seven days, you can also set it to 30 days; it depends a lot on where you save the logs, either on your hard disk, or towards a syslog, or any other device that has proper storage.

At last, let's look at some more best practices to harden your firewall. One of them is, when you have unused interfaces, disable them. Disable them; if you have interfaces on which you want to disable different protocols, just disable them using config system interface, edit the interface that you want to disable, and there you can unset DHCP relay service, you can unset PPTP client, ARP forwarding, and so on. Another thing that is quite common to any FortiGate out there, and it is something that I'm not familiar with on other firewalls, which may or may not have the same functionality, is what is known as the maintainer account. The maintainer account is actually a backdoor to your FortiGate: if your admin has lost their password, then it allows you to actually get into your FortiGate using what is known as the maintainer account, which is actually the serial number of your FortiGate with the maintainer user. So you can actually disable it; in most FortiGates I believe that it is enabled by default: set admin-maintainer disable.

So you've got your new FortiGate; how do you configure it? Coming up. To get more easy setup tips for your FortiGate firewall, subscribe now and don't forget to click on the bell notification, and you won't miss anything. So you've got your new FortiGate, your new FortiGate firewall. What do you need to do? You have probably connected your FortiGate using a network cable to your computer and configured it. FortiGate appliances come with at least port1, one of the ports, which is usually port1, that is already configured with the IP address of 192.168.1.99. You need to configure your PC subnet to be on the same subnet, get to the IP address of the port1 interface, and from there you're actually starting to configure your FortiGate. Now, you can configure a FortiGate using the graphical user interface, which has many features; it even has a Feature Visibility feature in the system settings so that you can disable or enable new features which are not available over here. Now, you can configure your FortiGate using the graphical user interface and you can configure it using the command line. FortiGate experts use the command line almost all of the time. We will look at the command line, but we will make our way using the graphical user interface. To get to the command line you need to click here; it is actually a JavaScript app that runs on top of the admin web app. Probably the first thing that you want to do is to write down get system status, so you can see your FortiGate serial number, which ASICs, which accelerated hardware it supports, are you using a hard disk or a flash drive, the current security profile database, and so on.

Now, we went into the interfaces. You probably have one interface that you're connected to, which will be the management interface. Now you need to connect one of your WAN interfaces to your ISP, either through a modem router, or you can use your FortiGate as the router itself. Each interface has a physical switch port that you can connect to different subnets in your network. Now let's just edit one interface, let's see what's inside. You can name your interface according to the subnet in your local area network; let's assume that we have a management subnet. All right, now you can define it a specific role: it can be a LAN, DMZ, an undefined role, or a WAN. So let's use the LAN. So now we know that we have a management LAN connected to port8 on our FortiGate. Now, the addressing mode can be manual, it can be DHCP. Let's use the manual option and let's configure it to be 192.168.2.1/24, since we're using a /24 subnet. Now, this address is the gateway interface address, so any computer that will connect to port8 will get an IP address in that subnet, that is the 192.168.2.0 subnet, but its gateway address will be 2.1. Now we will also enable the DHCP server, so for anyone that is connected there's a pool of IP addresses that it will grab; we'll look at the DHCP server very soon. Before that we need to configure administrative access: which protocol will support administrative access. We'll just use HTTPS and HTTP for now; we can also use SSH; we can also configure it to support pings from hosts in that subnet, or from a FortiManager, but we will not do it right now. LLDP is a protocol that enables discovery between devices in the network; it doesn't really matter, you can disable or keep it for now.

Now we have a DHCP server. As I said, any client that connects to that port will receive one of the IP addresses from the pool. You don't have to use all the pool; you can use only 20 IP addresses. You can keep the DNS server the same as configured here, or you can specify your own DNS server; let's just specify Google's DNS server. You can control the lease time, and if you click on Advanced, if you have a DHCP server that is part of your domain, which is not your FortiGate or your FortiGate interface, you can configure its IP address here, and then whenever a packet arrives on that interface it will head over to the DHCP server. But for now we're using the gateway interface as the DHCP server. You can configure an NTP server; you can configure, and this option is for more advanced users, DHCP scopes or options; and you can assign different IPs to different devices based on their MAC address. Another option is device detection. Device detection allows your FortiGate to detect which device and which operating system devices on the network belong to; this is one of the things that you should keep enabled. Don't bother with the explicit web proxy. You can enable a captive portal, so if you have outsourced employees and you wish to pop up a landing page with user credentials, you can also do that, but we will skip it for now. So this is the basic configuration of the interface. Okay.

So now we have a management interface. We have another interface, which is the WAN interface that you connect to your ISP router; we will call it WAN1. The role is WAN. We can use DHCP, and if we want to make it more reliable we will use a static IP address. So my gateway interface is 10.0.3.75 and my router is actually 10.0.3.1. I've enabled HTTP and HTTPS, and as you can see, you don't have a DHCP server whenever the role of your interface is WAN; that is one of the best practices when using an interface as a WAN interface. Okay.

So we have a management interface, we have a WAN interface. Now we want to make our managers, that are connected to that port, which is port8, get out to the internet. So the next thing to do is to configure a policy. Now, we will configure a very basic policy, which is a full access policy. Let's name it Managers1, and the incoming interface is management, that's the LAN interface of our managers. The outgoing interface is WAN1, that is the interface that is connected to our ISP router, that is the interface that takes them outside of the LAN towards the internet. Now, when it comes to source, for this video let's make it very generic: anyone can go. We can configure user groups and different users, we can also configure sets of parameters that control the different users, but for now, as for source, anyone can get out. As for destination, they can go just about anywhere; we can also create specific objects that will allow them to go to specific places, but for now they can go just about anywhere. As for scheduling, we're not limiting them to specific hours or days, so again they can get out to the internet any time of the day. As for service, we can deny them from getting out on specific services such as FTP, but for now, for our specific policy, we will let them use just about any service. Now, the action is accept. We can also create a policy that will deny specific services or specific users from getting out or from doing specific things; for now the action is accept. Inspection mode is another topic that we will look into; that is the inspection that is done on our networks when we're using security profiles such as antivirus or IPS. For now we will keep it at flow-based mode. Now we will use NAT. NAT is network address translation, that is, our private IP address, which can be 192.168.2.6, will be translated to your FortiGate's or to your ISP public internet address. Now, we will not use security profiles... you know what, let's use antivirus; let's use the default profile, the default antivirus profile. We will use certificate inspection. When we use certificate inspection, your FortiGate checks the different fields that are coming from servers' certificates to see if they're valid, if they don't have any mismatches, and so on. The last thing is to use our logging options. We can log only security events, but we will log all sessions, so later on we can look at Log & Report and see what our users or what our hosts did. Okay.

So we have a Managers1 policy, we have two interfaces: the WAN1, which connects us to the outside, and the management interface, which managers in our company can connect to and get their IP addresses. That was the second step. Now the third step is to configure a static route. A static route, for our usage, will be a default route. I've already configured one, so let's just look at it; if you want to create a new one, you just click Create New. So the default route actually tells your FortiGate that whenever it sees a packet, any packet that is destined to any place which doesn't have a route in the routing table, it will route it towards the WAN interface, and the WAN interface gateway address is 10.0.3.1; remember, my ISP router has that address. Now you can use specific parameters such as distance, you can use a priority. It just tells me that I already have that static route, which I do. And once we have a static route, a policy, and interfaces that are configured correctly, we can now connect our hosts to the management interface and those hosts can now get onto the internet.

Let's just move to the CLI and let's see how we configure interfaces using the CLI. So for the sake of our purpose let's configure port7. Using the CLI we will use config system interface. Now let's edit port7, as we said; let's set its IP to 192.168.4.1 with a subnet of /24; let's set the management protocols to HTTP and HTTPS, and what else... we can use many more if you look at the options. Let's end it. Now I want to show you something. When you config system interface, let's just get out of here, config system interface, and if we look at ports, port1 for example, we can use show full-configuration, and as you can see there are dozens of configuration options that you can add. For our sake we have only enabled the IP address on that interface, and let's look at it; let's just refresh our page, port7, and there it is. Now, we can also configure the DHCP server and so on; we have not done so on our CLI.

The last thing I want to show you: once you get into your FortiGate, you're actually the FortiGate administrator. Now, you have two types of administrators; actually you have more than two types, but the two most common types are a super admin, which is you, where you have privileges to just about anything, you can read and write, and you can create another type of administrator, which is the prof_admin, where you can actually enable different read and write privileges on the different places on your FortiGate. If you head over to the CLI and use config system admin, you can edit the admin name. I have two admins: I have one which is the super admin and the second one, which is offer test, which is my second admin. So now let's look at the different configurations that you can add to your admin. Again, lots of configuration; that's not the only place where you can configure different things, you can also configure it globally, which is config system global. But one of the things that I wanted to show you is that you can strengthen your admin account by using a trusted host. So you can also look at it here, sorry, here: you can configure a trusted host, that is a trusted IP address that only your admin can connect from. So you can configure the IP address of your office at your work, and you can configure another trusted host, which is the IP address at your home; only from those two IP addresses can your admin get into the FortiGate. You can also configure two-factor authentication, which is also a very common security procedure. You can use FortiToken and you can also use your email as a two-factor authentication. Let me just show you how to do so. Let's clear that out, so we can use config system admin; now let's edit the profile from before and set two-factor email, set email-to, and let's set it to one of my Gmail accounts. Let's end it, and now if we go back to our admin profile, let's view it again, and you can see that you can now use an email-based two-factor authentication.

When you configure a captive portal on one of your LAN interfaces, you can change and customize the look and feel of it. Coming up. So we have our LAN interface, which is connected to my Ubuntu device, so let's just open up the interface itself, and in Network > Security Mode let's just choose Captive Portal, and let's choose a group that it is associated with. Now you can choose your guest group, your outsourced employee group, just about any group you choose. All right, now when we head to our device, let's open Firefox, and that's what we get: we got the Fortinet logo and the background is great. Now we want to change it, so let's see how we do it. Let's
just get back to our 48 now to do so you need to go to system replacement messages now you have two views the simple view and the extended view we'll use this simple view authentication login page edit here you will see the image itself and the html part now we will not get into the different text that are in the login page you can change it but let's see how we change the image from fortinet to 40 tip all right so to do so we'll head over to manage images let's create new image let's name it 40 tip and let's upload the image that we have already prepared you need to have an image which is less than 24 kilobytes all right so that's the image that's the name of the image let's name it 40 tip once since i already have a 40 tip image all right so here is 40 tip 1 and 40 tip now let's get back to our login page let's edit let's just scroll the html page and let's find the logo part here's the logo part currently it is uh with a background a gray background so let's change it to all apps that is white in hexadecimal values and let's just change the image to 40 tip one there we have it now let's just save it and now we have a new login page a new html page with our new image so let's get back to our ubuntu device so let's start firefox again and there it is the new logo 40 tip logo and again you can change the background as i did you can change the different text that is within the login page you can do many things with the login page there are times when you need to backup your configuration and send it via email to another compliant photogate now there is one thing that you need to add up to your backup configuration file coming up [Music] so there's our use case we have another 40 gig and we want to send it our primary 48 configuration now the other 48 must be compliant but we will not get into it so let's look at the uh configuration file that's the configuration file let's just open it and there it is now we don't want no one to tamper with our configuration file to 
get into the file itself and change things how do we do it we make a checksum we make a hash value of the configuration file and add up the hash value to our mail so to do so i'm using a mac terminal but you can use powershell you can use just about any tool with the hash commands available so in my case it is sha sum hyphen a now we need to um choose the type of hash function i'm using 256 but you can also use one in our case it doesn't really matter now let's just drag the file to our terminal and there we have it that's the hash value that's the hash value of our configuration file so the next thing to do is to copy it open our email and just be sure to add up the hash value of our configuration file now the other side that gets the configuration file itself just grabs the file makes the same operation which is sha 256 sum and the file path it should get the same hash value if it doesn't get the same hash value then someone tampered with that file there are different ways that you can prioritize your cloud apps over the other apps one way is to use a traffic shaping policy here's how [Music] the following scenario is quite typical for many businesses now if you're using more than one one interface you can use static route create different static route to each one interface and prioritize different internet services you can also prioritize the interfaces you can even use sd-wan rules and performance sla now we will look at a case where we have only one one interface and we will do it using the traffic shaping policy so the very first thing that you will need to do is to move over to your policy and make sure that application control is on the second thing you'll do is to move to security profile application signatures and there we will create an application group for the cloud applications that we used most often so let's just name it cloud apps and from here we can actually use the category which can be cloud id or we can actually select our applications so 
let's use the aws which we used often let's add up salesforce all right and let's add up office 365. there we have it now let's just save our application group we can see that we have a new application group that includes all of our cloud apps that our workers uh use most often the third thing that you will need to do is to create a traffic shaping policy now if you remove the traffic shaping policy under policy and objects you will see that you have two main traffic shapers one is the high priority and the second one is the low priority both are in the shared ip share pair so let's move to traffic shaping policy let's create a new traffic shaping policy let's just name our traffic shaping policy cloud apps the source can be all destination all service all in application now here is the place where we actually use our application group so just look for the cloud apps that we have just created that's our application group and here in the uh shaper we will actually apply let's just add up the one interface and here we will apply the high priority shaper we will apply it in both shared shaper and reverse shaper so that will have also the downlink and the uplink with high priority okay so we have a policy we have a traffic shaping policy for cloud apps so let's create another traffic shaping policy for any other apps all right again source all destination all service all now you you can choose the applications but you don't have to and here in the traffic shaping place let's just use the low priority both in the shared shaper and in the reverse shaper and now we actually have two traffic shaping policy if you enable application control on your policy your application control sensor will actually notice whenever you use uh salesforce or other cloud apps and your traffic shaping policy will actually prioritize it over the other your 48 firewall is a session aware firewall it has its own session table which can be seen using the get system session list and there are cases 
when you need to tear down a specific session or the entire sessions that are on your 48. you do it coming up [Music] your photigate is a session aware firewall it holds information on session table and keeps looking at its session table every time a packet goes out through a different interface or gets in into another interface your session table actually holds much more than this session itself it holds the route that is whenever a packet whenever your photogate does a route lookup it saves the information in the session table now let's look at our session get system session list and we can see that we have dozens of sessions some of them to the same destination i currently have a ubuntu device which is at the 10.0.5.4 and uh let's assume that i need to clear up the whole session so the command for that is taxi session clear don't do that don't do that it's quite dangerous to clear out all sessions that are happening on your fortieth uh instead we will use the filter option now you can use you can filter out different session either by source interface destination interface source and even protocol which is quite interesting now we will use the source so let's use this source which is the 10.0.5.4 and the next thing to do just after that is the diagnosis session clear once you do so just press the enter and specific sessions the sessions that you have filtered will be terminated your 48 uses its memory for the different processes either ips antivirus or general functionality now when it reaches your memory threshold it gets into what is known as a conserve mode how do you control it and how do you decide which operations takes place when you enter conserve mode coming up [Music] getting into a conserve mode is not a desirable thing now there are actually three thresholds that you can actually configure by yourself and those thresholds determine when you enter a conserve mode when you exit from a conserve mode and when the sessions are being dropped as you're 
entering an extreme threshold so let's take a look at it let's just stop our diag system and let's configure system global and in cons in config system global you can actually set the different thresholds now the extreme threshold is actually the threshold or the percentage of total memory when your 48 starts to drop a session you can also set the green thresholds which is the thresholds where your photogate exits from the conserve mode and there's the red threshold that is the thresholds when your 48 enters conserve mode now when your 48 enters conserve mode something happens the first one your photogate doesn't accept any configuration changes the second thing it doesn't execute any quarantines now there are other things that you can configure as sessions on your ips engines and anti-virus so let's just get out of the different thresholds config ips global set fail open now you can decide either to enable fail open or disable if you enable ips fail open packets will still flow will still go through the different interfaces but with no ips inspection if you choose to disable it the packets that require ips inspection will be dropped now if you want to check if you're in the conserve mode or not you can just use the die hardware sysinfo conserve if you do so you can see that you're currently not in a conserved mode if you were in conservation you will see the on instead of the off and you can also see your total ram and the memory that is being used you can also see that the threshold for the red x3 mode is actually 95 of total ram you will enter conserve mode at 88 percent of total memory and you will exit from conserve mode when you get down the threshold of 82 how do you control data consumption and bandwidth when everyone is at home coming up to take control over data in kobe 19 times we can use the traffic shaping policy in our photogate so let's move to policy and objects traffic shaper create new shaper now we can use a shared shaper or we can use pair ip 
shaper so let's use pair ip shaper let's name it kobe 19 streamer so we'll know that it is for our streamer device now the maximum bandwidth we will limit it to 30 megabits and let's save our shaper the second thing to do is traffic shaping policy let's move to traffic shaping policy name our policy covid 19 now the source we will need to create an address object for our streamer so let's just do it let's streamer one since i already have one 10.4.10.0.4.9 32. okay so we have our streamer devices our source destination is all now we can use specific applications such as netflix and so on but we do not want to limit our streamer device only to streaming applications we want to limit the traffic as all so we will not use the application or the url category but we will use an outgoing interface the wen interface and now we'll use the pair ip shaper select your traffic shaper that you have just configured and that's about it crypto mining malware or crypto jacking is a form of a malware that actually uses your own resources to mine cryptocurrencies now the attack vectors the way that the crypto miners gets into your organization can be either from botnets it can be from malwares it can be from javascript that runs on your browsers now as we've seen in the last several years it can run on your routers it can run on your pcs on your android smartphones or on your servers how do you protect your organization from crypto mining malwares coming up [Music] crypto mining software comes in many forms and can actually get into your resources from different locations so how do you block them well there's no one recipe you will need to apply different security profiles the first thing to do is to apply the anti-virus security profiles in your policy why because fortinet has actually included different signatures for crypto mining software so if you're using either the normal database or the extreme database just apply them to your policy the second thing is to block different 
crypto botnets and there are dozens of crypto botnets out there so be sure to block botnets on your botnet package the third thing to do is to block different applications applications that are related to cryptocurrency how do you know which applications to block well you can head over to the fortiguard labs and just look for cryptocurrency there you will find different applications that actually tries to mine different cryptocurrencies so the thing to do is to open your application control and in the application override just find the different signatures and block them the other thing as we said there are different javascripts that run on your browser and you will also need to block them using your ips signature which signature is that so again move to your 40 god labs look for the different cryptocurrencies signatures but if you want to be just a little bit more precise look for javascript dot crypto currency and there you will find different generic javascripts that can run on your browser and you need to block them so just copy this one and block it on your ips engine on the following scenario i will use the the author microcontroller after connecting through it through the pawned ssid and the authenticate send the authenticate and the associate frames towards an access point now do it on your own risk do it only on equipment that you're allowed to do so probably your own equipment this demo is for educational purposes only all right so to connect to the the author page we will head to the pond ssid just type 192 168 4.1 and here we have several sections the first one is the scan section where your
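The admin-hardening part of the captions (trusted hosts and two-factor under config system admin) describes what to set but not how to check that every admin actually has it. The script below is an added example written for this page, not code from the Forti Tip video or from Fortinet: it parses the plain-text config system admin block that a FortiOS backup contains and flags admins that are reachable from any source (no trusthost lines at all, or the 0.0.0.0 0.0.0.0 wildcard) or that have no two-factor method. The sample backup, admin names, addresses and e-mail are constructed for the example.

```python
"""Audit admin accounts in a FortiOS configuration backup (added example).

FortiOS omits default values from a backup, so an admin with no trusthost
lines is reachable from anywhere, exactly like one with the explicit
0.0.0.0 0.0.0.0 wildcard; both are reported, as is a missing two-factor.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample backup; names and addresses are made up for this example.
ADMIN_BACKUP = """\
config system global
    set hostname "FGT-LAB"
    set memory-use-threshold-red 88
end
config system admin
    edit "admin"
        set trusthost1 203.0.113.10 255.255.255.255
        set trusthost2 198.51.100.7 255.255.255.255
        set accprofile "super_admin"
        set two-factor email
        set email-to "admin@example.com"
    next
    edit "offer_test"
        set accprofile "prof_admin"
    next
    edit "backup_ops"
        set trusthost1 0.0.0.0 0.0.0.0
        set accprofile "prof_admin"
        set two-factor fortitoken
    next
end
"""


def parse_admins(backup: str) -> Dict[str, dict]:
    """Return {admin name: {"trusthosts": [(ip, mask), ...], "two_factor": str|None}}."""
    admins: Dict[str, dict] = {}
    in_block = False
    current = None
    for raw in backup.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":          # end of the admin block; other blocks ignored
            break
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = {"trusthosts": [], "two_factor": None}
            admins[m.group(1)] = current
            continue
        if line == "next":
            current = None
            continue
        if current is None:
            continue
        m = re.match(r"set trusthost\d+ (\S+) (\S+)", line)
        if m:
            current["trusthosts"].append((m.group(1), m.group(2)))
            continue
        m = re.match(r"set two-factor (\S+)", line)
        if m:
            current["two_factor"] = m.group(1)
    return admins


def audit_admins(backup: str) -> List[Tuple[str, str]]:
    """Return (admin, finding) pairs for every weakness found."""
    findings: List[Tuple[str, str]] = []
    for name, a in parse_admins(backup).items():
        hosts = a["trusthosts"]
        # A 0.0.0.0 netmask matches every source, so it is the same as no restriction.
        if not hosts or any(mask == "0.0.0.0" for _, mask in hosts):
            findings.append((name, "reachable from any source address"))
        if a["two_factor"] in (None, "disable"):
            findings.append((name, "no two-factor authentication"))
    return findings


if __name__ == "__main__":
    for admin, finding in audit_admins(ADMIN_BACKUP):
        print(f"{admin}: {finding}")
```

Run it against a real backup by reading the .conf file into a string instead of ADMIN_BACKUP; on the sample, "admin" is clean while "offer_test" and "backup_ops" are each reported.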
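The backup-hashing part of the captions computes shasum -a 256 over the configuration file and pastes the digest into the mail. The script below is an added example for this page, not the video's or Fortinet's code: it reproduces that check with hashlib on a constructed stand-in backup, shows the mismatch a tampered file produces, and goes one step beyond the captions with a keyed HMAC-SHA256 tag, because a plain digest sent in the same mail as the attachment can simply be recomputed by whoever edits the attachment. The backup text and the shared secret are constructed; the secret stands in for one the two FortiGate admins would exchange out of band.

```python
"""Verify a configuration backup against a digest sent with it (added example)."""
import hashlib
import hmac

# Constructed stand-in for a FortiOS backup (.conf); real ones are larger.
BACKUP_FILE = b"""config system global
    set hostname "FGT-PRIMARY"
end
config system interface
    edit "port7"
        set ip 192.168.4.1 255.255.255.0
        set allowaccess http https
    next
end
"""

# Assumption: a secret both admins already share through a separate channel.
SHARED_SECRET = b"constructed-demo-secret-rotate-me"


def sha256_hex(data: bytes) -> str:
    """Same digest as `shasum -a 256 <file>` or `sha256sum <file>`."""
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Receiver side: recompute the digest and compare in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def hmac_tag(data: bytes, key: bytes) -> str:
    """Keyed tag: cannot be recomputed by someone who lacks the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(data: bytes, key: bytes, expected_tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(data, key), expected_tag.strip().lower())


def tamper(data: bytes) -> bytes:
    """Simulate an attacker adding SSH to the management access list."""
    return data.replace(b"set allowaccess http https",
                        b"set allowaccess http https ssh")


if __name__ == "__main__":
    sent_digest = sha256_hex(BACKUP_FILE)            # what the sender pastes into the mail
    sent_tag = hmac_tag(BACKUP_FILE, SHARED_SECRET)  # keyed alternative
    altered = tamper(BACKUP_FILE)
    print("sha256:", sent_digest)
    print("intact file verifies:   ", verify_sha256(BACKUP_FILE, sent_digest))
    print("tampered file verifies: ", verify_sha256(altered, sent_digest))
    # The attacker can replace the plain digest in the same mail with one that
    # matches the altered file, but cannot forge the keyed tag without the secret.
    print("forged plain digest ok: ", verify_sha256(altered, sha256_hex(altered)))
    print("keyed tag still valid:  ", verify_hmac(altered, SHARED_SECRET, sent_tag))
```

The last two lines of the demo are the point: the plain digest only proves the file was not corrupted in transit unless the digest travels through a channel the attacker cannot edit, whereas the keyed tag fails on the altered file even if the attacker rewrites the mail body.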
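The conserve-mode part of the captions names three thresholds (enter at red, leave at green, drop sessions at extreme) and the diag hardware sysinfo conserve check. The script below is an added example for this page, not the video's or Fortinet's code. It models the three thresholds as the hysteresis they form, so you can see that a unit sitting at 85% stays in whichever state it was already in; it renders a threshold set as the config system global lines the captions refer to; and it parses the percentages back out of text shaped like the diag output. The diag sample is constructed from the values quoted in the captions and may differ in spacing from a real unit's output.

```python
"""Conserve-mode thresholds as a state machine, plus diag output parsing (added example)."""
import re
from typing import Dict, List

# Defaults quoted in the captions: exit at 82%, enter at 88%, drop sessions at 95%.
DEFAULTS: Dict[str, int] = {"green": 82, "red": 88, "extreme": 95}

# Constructed sample in the shape of `diagnose hardware sysinfo conserve`.
SAMPLE_DIAG = """\
memory conserve mode:   off
total RAM:             3961 MB
memory used:           1643 MB  41% of total RAM
memory freeable:        316 MB   7% of total RAM
memory used + freeable threshold extreme: 3762 MB  95% of total RAM
memory used threshold red:   3485 MB  88% of total RAM
memory used threshold green: 3248 MB  82% of total RAM
"""


def validate(th: Dict[str, int]) -> None:
    """Thresholds only make sense as green < red < extreme, all in percent."""
    if not (0 < th["green"] < th["red"] < th["extreme"] <= 100):
        raise ValueError("need 0 < green < red < extreme <= 100")


def fortios_cli(th: Dict[str, int]) -> str:
    """Render thresholds as the CLI typed under config system global."""
    validate(th)
    return (
        "config system global\n"
        f"    set memory-use-threshold-green {th['green']}\n"
        f"    set memory-use-threshold-red {th['red']}\n"
        f"    set memory-use-threshold-extreme {th['extreme']}\n"
        "end\n"
    )


def conserve_state(readings: List[int], th: Dict[str, int] = DEFAULTS) -> List[str]:
    """State after each memory-usage reading: normal, conserve or extreme."""
    validate(th)
    states: List[str] = []
    in_conserve = False
    for used in readings:
        if used >= th["red"]:
            in_conserve = True           # enter conserve mode at red
        elif used <= th["green"]:
            in_conserve = False          # leave only once back down at green
        # between green and red the previous state is kept (hysteresis)
        if in_conserve and used >= th["extreme"]:
            states.append("extreme")     # conserve mode and new sessions dropped
        elif in_conserve:
            states.append("conserve")
        else:
            states.append("normal")
    return states


def parse_conserve_output(text: str) -> Dict[str, object]:
    """Pull mode, used percent and the three thresholds out of the diag text."""
    info: Dict[str, object] = {}
    m = re.search(r"memory conserve mode:\s*(on|off)", text)
    info["conserve_mode"] = bool(m) and m.group(1) == "on"
    m = re.search(r"memory used:\s*\d+ MB\s+(\d+)% of total RAM", text)
    info["used_pct"] = int(m.group(1)) if m else None
    for key in ("extreme", "red", "green"):
        m = re.search(rf"threshold {key}:\s*\d+ MB\s+(\d+)% of total RAM", text)
        info[key] = int(m.group(1)) if m else None
    return info


if __name__ == "__main__":
    print(fortios_cli(DEFAULTS))
    trace = [70, 85, 89, 84, 96, 90, 81]
    for used, state in zip(trace, conserve_state(trace)):
        print(f"memory {used:3d}% -> {state}")
    print(parse_conserve_output(SAMPLE_DIAG))
```

The trace in the demo shows why exit and entry thresholds differ: usage has to climb to 88 before conserve mode starts, but once in it the unit does not leave at 84, only at 82 or below, which stops it flapping around a single threshold.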
Info
Channel: Forti Tip
Views: 121
Keywords: forti tip, fortigate basic configuration, fortigate, fortinet, training, fortinet firewall, fortigate firewall training, fortinet firewall tutorial, fortigate installation, fortinet firewall videos, fortigate firewall configuration step by step, fortigate cookbook, basic setup, fortigate cli commands, top 5, basic fortigate configuration, basic fortigate setup, firewall policy, firewall rules, fortigate how to, configuration how to, 2019, Beginners tutorial, checkpoint, palo alto
Id: OeXlONip_Rw
Length: 82min 32sec (4952 seconds)
Published: Thu Dec 10 2020