FORTIGATE SYSTEM AND DIAGNOSTICS Mix

Captions
On our last part of knowing your processes, we will see how we can, in one CLI command, see the top most CPU-demanding processes. To get more easy setup tips for your FortiGate firewall, subscribe now and don't forget to click on the bell notification, and you won't miss anything.

One of the features that we saw using the diag sys top command is that we can list the most demanding processes, either CPU or memory, using the m and the p character when it is pressed. Now there is another command, which is the get system performance top, which lists only the most demanding CPU processes. Let's see it in action. So we use the get sys, sorry for that, get system performance top. Now you will see the most demanding processes, the most CPU-demanding processes, at the second most right column, that's the CPU column; the most right column is, as we know, the memory column. Now you will see different processes such as the IPS engine, or the antivirus scanner, newcli, or even sshd, the SSH daemon. Now whenever a process is too demanding in terms of CPU you may need to kill that process, and we saw how to do it using the diag sys kill with a signal level and the process ID.

All right, so here we are, the top five diagnostics commands for your FortiGate, and we start with the first command, which may look a bit simple, which is the get system status. Now this command is very basic but it gives you a lot of information: it gives you the virus and the IPS database version, it gives you the serial number of your FortiGate, you can tell if you have a hard disk or are using only flash memory, it also tells you whether you are participating in an HA cluster or not, it gives you information on the operation mode, are you working in NAT mode or maybe transparent mode, are you using another virtual domain or are you using only one virtual domain. So, a lot of information in that simple command.

The second command is the get hardware nic and the interface name. In our case let's look at our WAN interface, sorry, it's wan1, and that tells you, for each interface, its MAC address, does it support any hardware acceleration (in our case we support NP4lite), do you have any dropped packets in your interface, is the status up or down, are you working in full duplex or maybe half duplex, and what is the speed of your interface, in our case it's one gig.

Our third command is the get system performance status. Now personally I love that command since it tells you a lot about your FortiGate. Now at the top of the output you will see how many CPUs your FortiGate model supports, the following thing is the RAM usage, and at the bottom the output shows your network traffic, the amount of average sessions per minute and so on. So you have your CPU usage, you have your RAM usage and your network usage.

Next up is probably one of the most known when you deal with the Fortinet firewall, and that is the diagnose debug flow, which actually shows you the flow of your traffic from the CPU perspective. So you have to enable it, let's enable it, and then you use the diagnose debug flow. You usually use filters, since if you're not filtering your traffic there could be tons of traffic that will be shown on your command line and it won't be so easy to analyze. So let's filter a specific address, which is 10.0.3.16, and now the next thing to do is diagnose debug flow trace, and let's use a count of 10, 10 packets to show. And it shows us tons of information from the specific source host that we have chosen to just about anywhere that the traffic flows: it shows us the source NAT and the destination NAT, and it shows us the policy that is being used. A great tool for debugging and troubleshooting.

All right, now the next command is the diag sys session list, which shows you the sessions that are being handled on your FortiGate, and that also shows us tons of information. You can see the different protocols that are being used; you can also use it with specific filters or grepping a different source address, and that will show you a limited portion of the information that is relevant to a specific host only.

And our last command is the diag sys top, which is similar to the top command in Linux, and that shows you each and every process in your FortiGate. It shows you the process name, the process ID, it shows you its state, is it sleeping or maybe it is running, it shows you how much memory is being consumed and how much CPU is being consumed. Whenever you have issues with one of the processes in your FortiGate, that is probably one of the first places to check. And before we end this video, please don't forget to subscribe.

Let's create a denial of service policy and see how that looks in Wireshark. In the following scenario we will use a denial of service policy: we will try to create a denial of service attack towards our gateway interface and we will capture it using Wireshark. So we have one of our interfaces, which is the marketing interface at the 10.0.4.0 subnet; the gateway interface itself is 10.0.4.1 and our DHCP client, which is the Ubuntu device, is at 10.0.4.1. So let's move to our Ubuntu device. All right, let's just clear that. Let's try to ping our gateway, 10.0.4.1. Everything goes well; the rate is very slow using the casual ping command. So let's stop that, and now let's create our denial of service policy, and then we will use the -f, using our sudo credentials, to create a flood of ICMPs.

All right, so Policy & Objects, Denial of Service Policy, Create New Policy. We are protecting our marketing subnet. For source we can use specific devices, but let's use all for source and destination, service all, and now let's move over to L4 anomalies, ICMP flood, there it is, enable it, block it, and let's set the threshold to 20 ICMP packets per second. So what we will see once we do it and try to ping the gateway interface is that only 20 packets will get a response back, and the other ones not. So let's move to our Ubuntu device. Before that, let's just start capturing, sorry for that, capture using Wireshark. All right, let's move now, using the sudo credentials, with the ping command and the -f, which is flood; we are sending hundreds of ICMP packets towards our destination. So let's just ping it. As you can see it runs very fast. Let's wait a while and let's stop it. Now you can see that only 20 packets, that's the threshold, only 20 packets were received; the other 96
packets were lost due to our denial of service policy. Now let's move to Wireshark, let's stop the capture, now let's apply the filter ip.addr == 10.0.4 and icmp. We can see that we have a request and a reply for the first 20 packets; following that we only have echo requests that were sent from our Ubuntu device, but they are not acknowledged and we don't have a response. Moving back to our FortiGate, we can head to Log & Report and look for anomaly, and there we can see the record for our ICMP flood attack, for our denial of service attack, and we can see that we have an anomaly which is an ICMP flood with a threshold of 20 packets only.

Clients in your LAN are opening hundreds of sessions every day using different applications. Now there are times when you need to limit the maximum concurrent sessions per IP address, that is, per host. How do you do it using traffic shaper? Coming up.

When we think of traffic shaping we usually think of limiting bandwidth to a specific IP or to an entire local area network, but we can also limit the maximum concurrent sessions per IP in a traffic shaper policy. So let's do it. Let's assume that we have our LAN that is at 10.0.4.1 and we have our Ubuntu device, which will be at 10.0.4.9. So let's create a firewall address object for that specific IP address; let's just name it ubuntu and let's make it 10.0.4.9/32, and interface will stay any. Okay, so we have our new ubuntu address object, and now let's move to our traffic shapers, Create New Shaper. Now we can create a shared shaper and we can create a per-IP shaper, and that's the one that we will use. Let's name it max concurrent and let's limit the maximum concurrent connections to only 100, that is, it will not be able to create more than 100 sessions. All right, now once we configure the per-IP shaper, let's just configure the traffic shaping policy. All right, let's name it max concurrent, and now the source is our Ubuntu device, destination all, service will also be all. Now we can apply that policy, that traffic shaping policy, only to a specific application, which may come in handy, but in our case we will not limit it to a specific application. Now outgoing interface, let's just apply any, and let's use the per-IP shaper that we have configured before, max concurrent.

We've mentioned that our IPS engine actually
tracks the ID of a specific application, and if we head over to FortiGuard Labs application control we can see the specific unique ID that each application has. So in our case Netflix has a unique ID which is 18155. So let's block Netflix in our FortiGate and let's see the session and the application ID after it is recognized by our IPS. So we move over to Application Control, let's create a new security profile, block streaming, or block Netflix in our case; let's block the entire category, which is Video/Audio, and let's apply that security profile to our policy. All right, now the last thing to do is to open our command line and use the diag sys session list, which will allow us to see the different sessions that are running on our network, and let's move over to our Ubuntu host. Let's look for the Netflix web application and see what happens when we try to launch it: it belongs to a blocked category. Now let's move back to our FortiGate and let's see if we can find that specific session where our IPS engine actually recognized Netflix as part of our traffic. For that we will use the same command, but this time we will also use the grep command to find that specific ID, 18155. Let me just check again, that's it, 18155, and yes, we can see that our IPS engine actually recognized that specific application from the list.

One of the coolest features of your FortiGate is its ability to packet capture just about any traffic that flows from different sources towards different destinations. Now you can capture packets in two ways. The first one is using the GUI itself, in Network, Packet Capture, and you can enable different filters, but the way that I like is the tcpdump way, that is, doing it in the command line interface, and I didn't mention tcpdump for nothing: the syntax is very similar. Now if you use the GUI option you can import the results into a pcap file and then open it in Wireshark, but we will use the CLI way as I find it much
quicker to analyze. So the basic syntax for capturing packets is the diagnose command, and then we use the sniffer and packet, and now we will choose which interface to do the sniffing on. Now we will not choose a specific interface, so we'll use the any interface. We will not use any filter right now; we will use it very soon. The amount of verbosity, the amount of detail, which we will use is 4, packet count will be 10, and we'll also use a timestamp using the a option. Now let's open it so we can see it much clearer, and we can see that we have action on our wan1 interface with a source of 10.0.3.130 towards the FortiGate appliance itself, which is at 10.0.3.16. We have different TCP packets using different flags, and we will use a specific filter that will define whether we can see any action that is being done using the ICMP protocol. If we use the same command without the a at the end we will get the same results but without the timestamp, so use it when troubleshooting packets. Now if we want to use, let's add the a, if we want to use a specific filter, as in the ICMP protocol, so we will see that once we enter the name of the protocol, and take good notice, we have only 10 packets that are being shown. We can also use 20 packets and we will have 20 packets. We can use many filters in our command; now you can look at the Fortinet documentation to see which filters are available when doing packet capture, but the most used are source and destination. We can determine specific hosts and specific protocols, so if we use the diagnose sniffer packet any, we can use host 10.0.3.139, which is my Mac, and icmp as the protocol that I'm looking for, and we will use the verbosity, the level 4 verbosity, which is the default verbosity.

Whenever a ping, an ICMP request, is being sent from one of your FortiGate interfaces or sources, the defaults are five times, that is, the packet is being sent five times, it has a data size of 56 bytes, it is being sent in a one second interval and you have a two
second timeout. Let's see how we can unleash your ping settings.

Using ping, an ICMP request, is probably one of the most used yet simple network troubleshooting tools, so let's unleash our ping settings and see what can be done. We will start with the execute ping, and then we will use the view-settings so we can see what our default ping settings are. So we can see that we have a repeat count of five times, we have a data size of 56 bytes, we have a timeout of two seconds, currently the interface is auto, which means that it actually goes to our routing table and this is the best route out, we have an interval of one second, that is, your ping will be sent one second after the echo response is received. You can use an adaptive setting, which we will do very soon, to see that you can actually send the second or the third ICMP request immediately as the ping response comes back. The time to live is 64 hops. Let's see if we have any more interesting stuff here, no. The second thing that we can do is to set the ping options and see what the ping options are, and we can see that we can set an adaptive ping, we can set a different data size, we can set the DF bit, which is a parameter in the IP header, we will look at it, we can set the interface that the ping will be sent from, we will use our marketing interface and send ping from there, we can set the hex format of the ping, we actually can add different characters to the empty hex space in our ping, we will look at it also, and yes, we can set the source, the timeout, time to live and more. So let's start with a simple ping towards Google. Okay, that's google.com, that works. Now we'll use the same thing towards Google's DNS server and see if we have a DNS resolve; that also works, great. Now let's close that for a minute, let's move to my Ubuntu device. All right, now my
Ubuntu device sits on, actually it sits on, the marketing interface. Let's just get back, let's log in. All right, so let's start by pinging my Ubuntu device, which is at 10.0.4.9. Everything goes well; you can see that I have a very big ICMP packet. Let's see what the reason is, execute ping-options. You know what, let's do another thing: once you have settings that are not your default settings (remember the default setting is 56 bytes), you can reset them using the execute ping-options reset. Now let's send the same ping again and let's see what the size is: that's 64 bytes. Remember that your data size, your ICMP size, is 56 bytes; you have an 8 byte header for the ICMP packet. What you see here is actually the payload itself plus the header, that is 56 plus the 8 byte header. Let's see again how we change the data size; that's the way that we change the data size, let's set it to 128 bytes. And let's now change another setting, which is the adaptive ping. Your ICMP request is being sent in an interval of one second; now you can change it so that it will be sent immediately as soon as the ICMP response gets back. To do so you have to choose enable. Another setup is the DF bit. What is the DF bit? DF stands for don't fragment, that is, don't fragment the packet even if it's bigger than the interface that is supposed to accept it. So if you have on the other side an interface with an MTU of X value and your ICMP packet is bigger than that, your ICMP packet can actually be dropped, so be careful how you use the DF bit. Let's keep it at no. Now let's see what the effect of adaptive ping is versus the regular settings. So let's just execute ping, let's use a repeat count of 20 packets and let's execute our ping towards Google, sorry, google.com. All right, so you can see that we have an interval of one second. Now if we use the adaptive ping option, let's just enable it, let's send the same ping, and you can see that you're actually
having a sort of an ICMP flood. It's not hundreds of packets a second, but it is still much faster than the usual interval.

We can use the command line to diagnose and learn more about our SD-WAN member interfaces. Coming up. We can use our command line while configuring SD-WAN for different tasks. One of them is to use different protocols that will be used towards the server that was chosen in the health check. So if we look at the performance SLA, let's choose one, and we can see that on the graphical user interface we only have two options to actually ping our server, that is, using ping and HTTP. Now if we use the command line, config system virtual-wan-link, config health-check, now let's edit the performance SLA that we have chosen, that is SIP, let's see what is chosen, show full-configuration, and we can see that the protocol that was chosen is ping, that's set protocol, and now you can see that we have the ping option, the tcp-echo option, the udp-echo option, http and twamp. So that is something that is available on the command line and not on the GUI interface. Another thing that we can do, or actually see, using our command line: let's use the diag sys virtual-wan-link, let's choose again, let's choose the SIP, I can't see that way, let's choose the SIP health check. Now we can see the status of each member in our SD-WAN, in our virtual SD-WAN interface, in terms of packet loss. We can also see it on the graphical user interface, but there is also one way to look at the different members: we can see that it is alive, we can see that we have no issues currently with packet loss, and we can see the statistics for latency and jitter. Currently the other members are not alive since I have not enabled them on my FortiGate. Now whenever we use performance SLA we are actually telling our FortiGate to probe different
services. We can configure up to two servers that will be used as beacons; we are doing that to check the status, the health, of the different members of the SD-WAN interface. Now whenever our FortiGate probes that server it is actually using a route entry that is created. Let's see that route entry, so we will use the get router info kernel, and those entries are actually flagged; they are created in the kernel, they are called FIB entries, and they are flagged as proto 17. So to see them we will use the grep command and we will use proto=17, and we can see, let's make that a bit bigger, we can see the different routes; they are being sent from the different interface gateways towards the different servers that we have chosen. The first one was actually the Google DNS server, which is 8.8.8.8, and the second one is 1.1.1.1.

One of the major keys to understanding how your FortiGate works is to understand how it handles sessions, how it handles the dialogue between clients and servers. Now FortiGate is a session-aware firewall. We all know the get system session list, which gives us an overview of the sessions that are currently running on your FortiGate between different clients towards different destinations; we can also see the source NAT, we can see which protocol is being used. Another well-known command is the session list, which we can also filter based on the host IP or destination IP. But I would like to show you another command which I'm not sure is that popular, which is the get system session info full-stat. Now let's make this screen a bit bigger. Now what we can see in that command is the session table size, that is, the current session table size, the number of entries that is possible in the session table. Another thing we can see is how many sessions are being used right now; in our case we have 64 sessions that are being used right now. The session count is the number of sessions in the kernel. Now we can also see several more things: we
can see the memory tension drop, that is, the number of dropped sessions due to the system running out of memory. Another very interesting piece of information that we can find is the ephemeral, which is actually a buffer that protects our table, our session table, from getting overloaded, that is, if a denial of service attack is happening. Now the first number is the amount of sessions that are in use, the second number is the maximum number that is allowed. Now if we see that both numbers are very close then there is a good indication that a denial of service is actually happening in your organization. The other thing that we can see is the TCP sessions. Now looking at the TCP sessions we can see their state; each session has a different state, so we can see that we have 11 sessions in established state, that is, they have finished the three-way handshake, the connection now is established and they can transfer data. We can also see that we have one session that is in a TIME_WAIT state. Now the TIME_WAIT state is a special state that happens when a connection termination request is sent, and our FortiGate actually reserves some time to ensure that the remote side received the termination request.

When a user doesn't perform any action throughout a session, this session will time out. Now each session and its protocol has a different interval. On your FortiGate firewall a TCP session by default will time out after 3600 seconds, but there are cases, such as in the medical world, where you need your services, your sessions, not to time out. How do you do it using a policy and how do you do it using a custom service? Coming up.

All right, so before we configure the session timeout, we will configure it on port 443. Let's take a look at our Ubuntu device, let's just resume it and let's refresh the page, we're at YouTube. All right, let's go back and let's just use the diag sys session list. All right, and if we use the diag sys session list we can take a look at sessions
on that, our TCP sessions; we can see that we have an expiration time of 3600 seconds. Now let's configure a custom service, that's just config firewall service custom, let's edit 443, let's set tcp-portrange to be 443, only 443, and let's set the session-ttl, the session time to live, to never. Now let's end it, and you can also see the new, yeah that's right, we can also see the new service under the Services tab, Uncategorized services, that we have just created. Let's move back again to our Ubuntu device, let's resume and let's just play some video. Okay, now let's get back to our FortiGate, let's use the diag sys session list again, and let's just look at the session itself: protocol 6 is TCP, and here you can see that the expiration is set to never, the timeout is set to never. So that is one way that you can actually configure a session time to live of never on a specific service that you might need.

Welcome to our FortiGate top 5 tips, and this time we are dealing with the ping command. Tip number one: when we use the ping command we use the execute command, so we'll use the execute ping and we'll choose our destination as 8.8.8.8, which is Google's DNS server. Now we can see that our ping size is 56 bytes and the FortiGate sends five packets at a time. Now we can change the size of our ping. How do we do it? We use the execute ping-options; let's view the settings. All right, and now if we use the execute ping-options data-size we can choose ICMP packets to be of a different size; let's choose 90.
So now our ping size is 90 bytes. Let's choose the same target, execute ping towards 8.8.8.8, and you can see that our ping size is 90 bytes.

And on to our second tip. Now if you do networking for a long time, you probably send continuous ping packets towards different destinations, different interfaces, so you have to change the amount of packets to be continuous, or to be at a different size than the five packets that are sent by default. How do we do it? We use the execute ping-options and we use a different repeat-count. Currently the repeat count is 5; now let's change it to 15, and now let's ping again, and let's ping the Google DNS server and let's see how many packets are being sent, and we can see that we have 15 packets that are sent.

And now for our third tip. Let's clear that out. Now we have different interfaces in a FortiGate, and sometimes we wish to send ping packets from different interfaces. So how do we do it? I currently have an interface at 10.0.4.1, so let's use the same execute ping-options, and now let's choose a different source, in my case it's 10.0.4.1, and now if I use the same ping command the packets will be sent from 10.0.4.1.

Moving on to tip number four. Usually a ping command is discarded after 64 hops. Now we can choose a different integer, we can choose an integer between 1 and 255 hops. How do we do it? We use the same, sorry for that, we use the same execute ping-options ttl, and let's choose 220 hops, 220 hops, and now our ping packet will be discarded only after 220 hops.

All right, and now let's move over to our fifth tip. Sometimes as an administrator you use different settings. Let's change the settings of our ping command: let's use a repeat count of 8, let's use a different data size, let's make our ping size 80 bytes, and let's use a different source, all right, let's use 10.0.4.1 as the source. Now if we use the view-settings we will see that our repeat count is 8, our data size is 80 and our source address is 10.0.4.1. Now you want
to reset those settings. What do you do? You use the reset command, and now if we take a look at the view-settings we will see that it all came back to the default settings, which are five packets, 56 bytes, and the source is according to the interface that you work within. Now if you like our channel, please subscribe.

When you start to diagnose processes that are happening on your FortiGate you can use two commands. The first one is diag sys top, let's just start it, all right, let's stop it, and there's the diag sys top-summary. What is the difference between the two, which one is better, and how can you sort processes by CPU or memory? Coming up.

Before we begin, let's just try to understand what a process is. Well, you have your app, it sits on the hard drive, on the storage itself, and when it loads into memory it actually uses different processes to accomplish its task. Now a process is key to understanding what is happening on your computer, what is happening on your FortiGate in our case. Now each process consumes CPU, it consumes CPU and it consumes memory resources. Every operating system has what is known as a user process and a system process: a user process is when a user actually initiates an app or a service, and system processes are actually processes that are done in the background. Now let's look at the diag sys top. The diag sys top will actually list processes individually; it will list all processes, it will show the process ID, the memory that is being consumed, the CPU. The diag sys top-summary actually aggregates all the processes; as you can see here, to the right of each process you can actually see the amount of processes that the operating system actually divided the process itself into, several processes, and that is the case where your operating system makes multiple copies of a process in order to subdivide the load itself or to handle similar tasks. All right, so now let's try to sort our processes in descending order and see who is consuming more
memory. So let's stop it and use diag sys top-summary; let's show only five lines and use the sort option, sort=mem, that is memory. Now we can see processes in descending order, showing only the most consuming processes in terms of memory. Here you can see the process that is currently running; here you can see how many processes, user processes and system processes, are running; and here, to the right, you can see the number of sub-processes, that is the same process as a parent process and the child processes that are running. So here we can see that we actually have 11 HTTPS processes running.

So, to compare and recap: diag sys top-summary is different since it aggregates just about every child process and parent process into one process and shows you the total CPU and memory consumption. diag sys top shows each process, so it is better for examining memory utilization or CPU utilization, but diag sys top-summary is better, in my opinion, if you need to adjust specific processes or specific applications, when you see that one process is consuming your memory or your CPU.

A good FortiGate admin must know their way around Wireshark. Here's how.

Wireshark gives you a broader view of your network. This video is not going to teach you how to use Wireshark (we will maybe do that in another video), but it will give you the fundamentals to understand how sessions start through your FortiGate and how to see different elements of your network in a bit more detail. So we have an interface that is connected to my Ubuntu device. Let's move over to it and do a denial of service attack: let's send hundreds of ICMP messages, ping messages, toward my interface gateway and see how that looks in Wireshark.

So let's move over to Wireshark and start capturing the traffic. Let's get back, use my root credentials, use the -f switch (that is the flood switch) and the IP address 10.0.3.44, and now it starts pinging; it actually sends hundreds of ICMP messages toward my gateway. Let's stop it, move back to Wireshark and stop the capture. We are looking for two main things: the first one is the ICMP message, which we will write down, and the destination, which is 10.0.3.44. Now if we click on it we can see the ICMP messages being sent, and you can see that I have a special column here; it is the delta time displayed, which shows the interval between each message. You can add it too: go into Preferences, Columns, and add a column with the delta time displayed.

Another one of my favorite Wireshark filters is tcp contains and udp contains. Whenever a user browses to a specific URL you can see the TCP SYN session established towards that URL, and you can also see the DNS queries. So let's move to Android Central. All right, yep, it's capturing data, so let's move to Android Central. Now let's go back to Wireshark and stop the capture. If I use udp contains android we can see the DNS queries that were sent: my browser asked for androidcentral.com and got back an A record with the IP address. Let's see if we can also see the TCP SYN session: tcp contains android, and yes, we can see that it's an HTTPS site, so we can see the handshake itself. Now, I could have used dns as the protocol filter and then filtered out the specific host that was making the DNS request, but a simpler way was to use udp contains, since DNS uses UDP port 53.

The last thing that we will look into today is the TCP session itself. Remember, your FortiGate is a session-aware
firewall. So let's start by capturing the traffic, open up Firefox and move over to YouTube. All right, now let's go back and stop the capture. We want to see the TCP session from its very beginning, and there are different ways to do so. We can use tcp.flags.syn: if we enter tcp.flags.syn == 1 we will see the different SYN sessions. Now let's go to our host, which is 192.168.6.3, click on it and then Follow TCP Stream. Let's close that, and we can see the initial handshake, which starts with the SYN, the SYN-ACK that the server responds with, and the TCP segment with the ACK flag set. We can also see the following HTTP GET by using http.request.method and ip.addr == 192.168.6.3, which is our host, and there we can see the HTTP GET request that was sent from our host.

Auditing your firewall is a major task that you need to do from time to time. There are companies that release tools that will allow you to audit your firewall, but here are the 10 best practices that you can start with. The following best practices are not in a specific order, so use them as you wish. Another thing: I'm showing it on a FortiGate firewall, but you can also do it on a Check Point firewall, on a Palo Alto firewall, on any next-generation firewall.

Quite obvious, but we do it on any device and any server that we have in our organization: be sure that your firmware is up to date. Always use the latest firmware; usually the latest firmware is much more secure, and your firewall vendor will always make sure that you have the latest patches in the latest firmware. So back up your configuration, look at the release path and update your firmware.

Encryption, and high encryption, is fundamental in your firewall, so be sure that you always use the strongest algorithms. It's not always possible, but assuming that the other side also supports the strongest algorithms, just find out the appropriate CLI command on your firewall and enable it. On a FortiGate firewall it is config system global (it may change from firmware to firmware) and set strong-crypto, and just be sure to enable it.

Always make sure that your administrator is connecting to your FortiGate through a trusted host, that is a trusted IP address, such as the IP address at their home or in the office. You can do it using the graphical user interface or using the CLI; let's do it using the CLI: config system admin, edit the admin, and from there set trusthost and write down the trusted IP address.

If possible, on your WAN interface, your external-facing interface, don't allow any administrative management. So let's use config system interface, edit port1, which is my internet-facing interface, and unset allowaccess. On your LAN interface, for administrative access, try to always use HTTPS and SSH, that is HTTPS to the graphical user interface and SSH to the command line. Try to avoid ping and avoid other protocols unless needed.

The following is probably one of the first audits that you need to do: look for unused rules, rules that were requested some time ago and configured on your firewall. Look for them, and if they are not relevant anymore, just delete them. A side note: document any rule that is requested, who asked for the specific rule, and the time that it was configured.

Your administrator should always log into your FortiGate, or any other firewall, using HTTPS, so be sure that even if they try to do it over HTTP your firewall will redirect the request to HTTPS. Let's do it here: config system global, set admin-https-redirect.

Another setting that you should be aware of is the admin lockout duration and the admin lockout threshold, which should comply with your organization's policy. config system global, and now let's set the admin lockout duration: the default is 60 seconds, but you can set it to 5 minutes or more; that should comply with your organization's policy. The other setting is the threshold itself, the lockout threshold, which is the number of failed attempts when your admin tries to log into the system. The default is three, and it is a best practice to keep it at three.

Logs should be part of your auditing; that is, when you audit a firewall, be sure that logs are kept for at least seven days. Look at the proper documentation of your firewall; let's just do it here: config log disk setting, set maximum-log-age. You can set it to seven days, or to 30 days; it depends a lot on where you save the logs, either on your hard disk or towards a syslog server or any other device that has proper storage.

At last, let's look at some more best practices to harden the firewall. One of them: when you have unused interfaces, disable them, and if you have interfaces on which you want to disable a specific protocol, disable it, using config system interface, edit the interface you want to change, and there you can unset the DHCP relay service, the PPTP client and so on.

Another thing that is quite common to any FortiGate out there, and something that I'm not familiar with in other firewalls, which may or may not have the same functionality, is what is known as the maintainer account. The maintainer account is actually a backdoor to your FortiGate: if your admin has lost their password, it allows you to get into your FortiGate using what is known as the maintainer account, which is actually the serial number of your FortiGate, with the maintainer user. You can disable it; in most FortiGates, I believe, it is enabled by default: set admin-maintainer disable.

Rebooting our devices, our appliances, is a maintenance step that we do from time to time, either daily or weekly. It helps with memory leaks, it helps with buffering issues. So what do you do? You schedule a reboot, either daily or weekly, on your FortiGate. How do you do it? Coming up.

To schedule a daily reboot we will use
the command line, and to schedule a weekly reboot we will use the automation. So let's start with a daily reboot. We'll head over to our command line: config system global, and now set daily-restart; you set it to enable, and then set the restart-time to whatever time you want to reboot your FortiGate daily.

The second way to do so is to move to your dashboard: Security Fabric, Automation. Using an automation stitch you can create new stitches, either scheduling a weekly reboot, as we just aim to, with execute reboot, or you can trigger a reboot after an event, such as your FortiGate entering conserve mode. You do that by choosing a trigger of type Event Log, and the event will be conserve mode: when your FortiGate actually enters conserve mode you can trigger different actions, such as execute reboot, sending an email and others.

So you browse the internet and everything seems just okay. Let's head over to cnn.com and see what's new; it loads well. Let's go to bbc.com, and yep, everything seems okay. But now you decide that you want to ping somewhere just to check that there are no connectivity issues, and it seems that you do not get a DNS result. So let's stop that and try to ping Google's DNS server directly, and yet again you have an issue with ICMP. So how do you get around that, and how do you diagnose the issue behind it?

So let's get back to our FortiGate and log in. Probably one of the first things that I would have done is diag sniffer packet any host, followed by the IP address of our host, and see what happens. All right, let's make that bigger... let's stop that. It seems that I have echo requests but I'm not getting any echo response back, only echo requests. So that's not enough; packet capturing my traffic doesn't give me the solution to my problem. The next thing to do is to work at the kernel level, and that is using diag debug flow.

So let's get back to our main command line and clear the screen: diag debug enable, then diag debug flow filter for our source, which is 10.0.4.9, and then diag debug flow trace start. What I'm actually doing here is debugging the source address 10.0.4.9, tracing only the first 10 packets. So let's see what happens now. Let's stop that and see if I have any clue that will resolve my issue, and yes, there it is: denied by forward policy check, policy number two. So I actually have a policy that denies ICMP. Let's get back to my FortiGate and look at my policies, and that's right, I have a policy that stops ICMP from my DMZ, where my Ubuntu device sits, towards my WAN interface. This exercise is good since sometimes we have dozens of policies that we do not have time to check; maybe there are unused policies from some time ago. So diag debug flow works at the kernel level and allows you to debug issues just like the one I showed you.

Now, two-minute CLI commands, and this time diag sniffer. Coming up.

diag sniffer packet is one of my favorite commands. Why? Because it allows you to capture packets, to sniff the traffic, just as tcpdump or Wireshark does. The syntax goes like this: diag sniffer packet, and then you need to include the interface, so we will use any, but you can choose port1 or port2.
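The verdict the trace ended with above ("denied by forward policy check, policy 2") is the line you hunt for in debug flow output, and on a box with dozens of policies it is worth pulling it out automatically rather than reading the whole trace. Here is a small Python parser for that, added as an example; it is not code from the video. The sample lines are constructed to resemble FortiOS debug flow output (key=value fields with a quoted msg) and are not captured from the video, so the field names and message wording it keys on are assumptions to check against a real trace.

```python
import re
from collections import Counter

# Constructed sample resembling `diag debug flow trace start` output for the
# scenario in the video: ICMP from 10.0.4.9 denied by policy 2, plus one TCP
# packet allowed by another policy. Not real captured output.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=1, 10.0.4.9:1->8.8.8.8:2048) from port2. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5682 msg="allocate a new session-00001234"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-10.0.3.1 via port1"
id=20085 trace_id=1 func=fw_forward_handler line=586 msg="Denied by forward policy check (policy 2)"
id=20085 trace_id=2 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=6, 10.0.4.9:51234->151.101.1.67:443) from port2. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5682 msg="allocate a new session-00001235"
id=20085 trace_id=2 func=fw_forward_handler line=794 msg="Allowed by Policy-3: SNAT"
"""

# key=value pairs; the msg value is double-quoted and may contain spaces and '='
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# packet summary line: protocol number, src:port -> dst:port, ingress interface
PKT_RE = re.compile(
    r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\.')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_fields(line):
    """Split one debug-flow line into a dict of its key=value fields."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def parse_trace(text):
    """Group records by trace_id: one trace per packet the kernel processed."""
    traces = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = parse_fields(line)
        if "trace_id" not in rec:
            continue  # not a debug-flow record (banner, prompt, noise)
        traces.setdefault(rec["trace_id"], []).append(rec)
    return traces


def summarize(text):
    """One row per traced packet: what it was and which policy decided its fate."""
    rows = []
    for trace_id, recs in parse_trace(text).items():
        row = {"trace_id": trace_id, "proto": None, "src": None, "dst": None,
               "in_intf": None, "verdict": "no verdict", "policy": None}
        for rec in recs:
            msg = rec.get("msg", "")
            pkt = PKT_RE.search(msg)
            if pkt:
                proto = int(pkt.group(1))
                row["proto"] = PROTO_NAMES.get(proto, str(proto))
                row["src"], row["dst"] = pkt.group(2), pkt.group(4)
                row["in_intf"] = pkt.group(6)
            deny = DENY_RE.search(msg)
            if deny:
                row["verdict"], row["policy"] = "denied", int(deny.group(1))
            allow = ALLOW_RE.search(msg)
            if allow:
                row["verdict"], row["policy"] = "allowed", int(allow.group(1))
        rows.append(row)
    return rows


def denying_policies(text):
    """Count denies per policy ID: the policies to review first."""
    return Counter(r["policy"] for r in summarize(text) if r["verdict"] == "denied")


if __name__ == "__main__":
    for r in summarize(SAMPLE_TRACE):
        tail = f" by policy {r['policy']}" if r["policy"] is not None else ""
        print(f"trace {r['trace_id']}: {r['proto']} {r['src']} -> {r['dst']} "
              f"in {r['in_intf']}: {r['verdict']}{tail}")
    print("denies per policy:", dict(denying_policies(SAMPLE_TRACE)))
```

Feed it the text you copied from the console after `diag debug flow trace start`; a trace that ends with "no verdict" (the packet never reached a policy decision, for example a routing failure) is just as informative as an explicit deny.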
After that you filter the traffic. You can filter it using the source, destination or protocol; we will use the host, so host 10.0.3.1, which is my gateway. Next comes the verbosity, that is the amount of data that you want to include; I will choose 4. We can also add the count, that is the packet count, so let's add 10 packets, and if you want a timestamp you can add the letter a. So let's start, and there we have it. Now you can play around with the different filters and the different verbosity levels. If you want a packet capture not using diag sniffer but using the graphical user interface, you can do it in Network, Packet Capture, and in Packet Capture you will find that you can choose the interface and use the different filters.

We have already learned how we can list system processes and show their output on the command line. In this video we will look at how we can kill processes that consume too much memory or too much CPU power, and how we can list the most demanding processes on our FortiGate.

So you're using high-level encryption in your VPN, you're using IPS to scan for different patterns and anomalies, you're using antivirus, and you log just about everything. Well, all of that consumes lots and lots of CPU resources and memory. Let's take a look at the diag sys top command; let's use an interval of 20 with 10 processes. All right, now using the m character (you just need to type the m character) we can sort the processes that consume the most memory, and in our case it is the DNS proxy. If we press the p character (p is for CPU) we will see the processes that consume the most CPU resources, and in our case it is the HTTPS daemon.

Now the next step is to kill the process that causes you lots of issues; that is the last step before you reboot your FortiGate. Let's do a Ctrl-C. To kill a process you use diag sys kill. Now you enter what is called a signal, a term that comes from Linux and Unix, which is a light way to ask your system to stop the process, and it can be a more aggressive way to tell your system to kill the process; it depends on the number. We can use different signal numbers; we will use 15, which is an aggressive way to tell your system to kill that process, and then we give the process ID. The process ID, as we know, is the second column, so let's use the DNS proxy process, which is 94. All right, now we have just killed that process, and here we can see that the DNS proxy process has actually been terminated. We saw that we can list processes, sort them and even terminate them whenever they demand too many resources.

All right, so here we are: the top five diagnostics commands for your FortiGate. We start with the first command, which may look a bit simple: get system status. This command is very basic but it gives you a lot of information: it gives you the virus and IPS database versions, it gives you the serial number of your FortiGate, you can tell if you have a hard disk or are using only flash memory, it tells you whether you are participating in an HA cluster or not, it gives you information on the operation mode (are you working in NAT mode or maybe transparent mode), and whether you are using another virtual domain or only one virtual domain. So, a lot of information in that simple command.

The second command is get hardware nic followed by the interface name; in our case let's look at the wan1 interface. That tells you, for each interface, its MAC address, whether it supports any hardware acceleration (in our case we support NP4Lite), whether you have any dropped packets on your interface, whether the status is up or down, whether you are working in full duplex or maybe half duplex, and what the speed of your interface is; in our case it's one gig.

Our third command is get system performance status. Personally I love that command since it tells you a lot about your FortiGate. At the top of the output you will see how many CPUs your FortiGate model supports, the next thing is the RAM usage, and at the bottom the output shows your network traffic, the average sessions per minute and so on. So you have your CPU usage, your RAM usage and your network usage.

Next up is probably one of the most well-known commands when you deal with a Fortinet firewall, and that is diagnose debug flow, which actually shows you the flow of your traffic from the CPU's perspective. You have to enable it, so let's enable it, and then you use diagnose debug flow. You usually use filters, since if you do not filter your traffic there could be tons of traffic shown on your command line and it won't be so easy to analyze. So let's filter a specific address, which is 10.0.3.16, and now the next thing to do is diagnose debug flow trace, and let's use a count of 10, that is 10 packets to show. It shows us tons of information about the specific source host that we have chosen, to just about anywhere the traffic flows: it shows us the source NAT and the destination NAT, and it shows us the policy that is being used. A great tool for debugging and troubleshooting.

All right, now the next command is diag sys session list, which shows you the sessions that are being handled on your FortiGate, and that also shows us tons of information. You can see the different protocols that are being used; you can also use it with specific filters or by grepping a specific source address, and that will show you a limited portion of the information that is relevant to a specific host only.

And our last command is diag sys top, which is similar to the top command in Linux and shows you each and every process on your FortiGate: the process name, the process ID, its state (is it sleeping or maybe running), how much memory is being consumed and how much CPU is being consumed. Whenever you have issues with one of the processes on your FortiGate, that is probably one of the first places to check. And before we end this video, please don't forget to subscribe.

Let's create a denial of service policy and see how that looks in Wireshark. In the following scenario we will use a denial of service policy: we will try to create a denial of service attack towards our gateway interface and we will capture it using Wireshark. So we have one of our interfaces, which is the marketing interface, on the 10.0.4.0 subnet; the gateway interface itself is 10.0.4.1, and our DHCP client, which is the Ubuntu device, is 10.0.4.9. So let's move to our Ubuntu device. All right, let's just clear that and try to ping our gateway, 10.0.4.1. Everything goes well; the rate is very slow using the casual ping command. So let's stop that, and now let's create our denial of service policy, and then we will use the -f switch with our sudo credentials to create a flood of ICMPs.

All right, so Policy & Objects, Denial of Service Policy, Create New. We are protecting our marketing subnet. For source we can use specific devices, but let's
use source all, destination all and service all. Now let's move over to Layer 4 Anomalies: ICMP flood, there it is; enable it, block it, and let's set the threshold to 20 ICMP packets per second. What we will see once we do it and try to ping the gateway interface is that only 20 packets will get a response back and the others will not. So let's move to our Ubuntu device, but before that let's start capturing using Wireshark. All right, now let's use the ping command with sudo and the -f switch, which is a flood; we are sending hundreds of ICMP packets towards our destination. So let's just ping it; as you can see it runs very fast. Let's wait a while and stop it. Now you can see that only 20 packets, that's the threshold, only 20 packets were received; the other 96 packets were lost due to our denial of service policy. Now let's move to Wireshark and stop the capture, and apply the filter ip.addr == 10.0.4.9 && icmp. We can see that we have a request and a reply for the first 20 packets; following that we only have echo requests that were sent from our Ubuntu device, but they are not acknowledged and we don't have a response. Moving back to our FortiGate, we can head to Log & Report and look for Anomaly, and there we can see the record for our ICMP flood attack, for our denial of service attack, and we can see that we have an anomaly, which is an ICMP flood with a threshold of only 20 packets.

Clients in your LAN are opening hundreds of sessions every day using different applications. There are times when you need to limit the maximum concurrent sessions per IP address, that is per host. How do you do it? Using a traffic shaper. Coming up.

When we think of traffic shaping we usually think of limiting bandwidth to a specific IP or to an entire local area network, but we can also limit the maximum concurrent sessions per IP in a traffic shaper policy. So let's do it. Let's assume that we have our LAN at 10.0.4.1 and we have our Ubuntu device, which will be at 10.0.4.9. So let's create a firewall address object for that specific IP address; let's just name it ubuntu and make it 10.0.4.9/32, and the interface will stay any. Okay, so we have our new ubuntu address object. Now let's move to our traffic shapers and create a new shaper. We can create a shared shaper and we can create a per-IP shaper, and that's the one that we will use. Let's name it "max concurrent" and limit the maximum concurrent connections to only 100, that is, it will not be able to create more than 100 sessions. All right, now that we have configured the per-IP shaper, let's configure the traffic shaping policy. Let's name it "max concurrent"; the source is our Ubuntu device, destination all, and service will also be all. We can apply that traffic shaping policy only to a specific application, which may come in handy, but in our case we will not limit it to a specific application. For outgoing interface let's apply any, and let's use the per-IP shaper that we configured before, "max concurrent".

We've mentioned that our IPS engine actually tracks the ID of a specific application, and if we head over to FortiGuard Labs application control we can see the unique ID that each application has. So in our case Netflix has a unique ID, which is 18155. So let's block Netflix on our FortiGate and look at the session and the application ID after it is recognized by our IPS. We move over to Application Control and create a new security profile, "block streaming", or "block netflix" in our case; let's block the entire category, which is Video/Audio, and apply that security profile to our policy. All right, now the last thing to do is to open our command line and use the session diagnostic, which will allow us to see the different sessions running on our network. Let's move over to our Ubuntu host, look for the Netflix web application and see what happens when we try to launch it: it belongs to a blocked category. Now let's move back to our FortiGate and see if we can find that specific session where our IPS engine actually recognized Netflix as part of our traffic. For that we will use the same command, but this time we will also use the grep command to find
that specific ID, 18155 (let me just check again; that's it, 18155), and yes, we can see that our IPS engine actually recognized that specific application from the list.

One of the coolest features of your FortiGate is its ability to capture just about any traffic that flows from different sources towards different destinations. You can capture packets in two ways. The first one is using the GUI itself, in Network, Packet Capture, where you can enable different filters, but the way that I like is the tcpdump way, that is doing it in the command line interface, and I didn't mention tcpdump for nothing: the syntax is very similar. If you use the GUI option you can export the results into a pcap file and then open it in Wireshark, but we will use the CLI way, as I find it much quicker to analyze.

So the basic syntax for capturing packets is the diagnose command, then sniffer and packet, and now we choose which interface to sniff on. We will not choose a specific interface, so we'll use the any interface. We will not use any filter right now; we will use one very soon. The verbosity, the amount of detail, that we will use is 4, the packet count will be 10, and we'll also use a timestamp using the a option. Now let's open it so we can see it much more clearly. We can see that we have action on our wan1 interface with a source of 10.0.3.139 towards the FortiGate appliance itself, which is at 10.0.3.16; we have different TCP packets using different flags. We will use a specific filter to see whether we have any action using the ICMP protocol. If we use the same command without the a at the end we will get the same results but without the timestamp, so use it when troubleshooting packets. Now let's add the a back and use a specific filter, the icmp protocol, so we will see only that once we enter the name of the protocol; and take good notice, we have only 10 packets shown. We can also use 20 packets, and we will have 20 packets. We can use many filters in our command; you can look at the Fortinet documentation to see which filters are available when doing packet capture, but the most used are source and destination: we can specify a specific host and specific protocols. So if we use diagnose sniffer packet any, we can use host 10.0.3.139, which is my Mac, and icmp as the protocol that I'm looking for, and we will use verbosity level 4, which is the default verbosity.

Whenever a ping, an ICMP request, is sent from one of your FortiGate interfaces or sources, the defaults are five times (that is, the packet is sent five times), a data size of 56 bytes, a one-second interval and a two-second timeout. Let's see how we can unleash your ping settings.

Using ping, an ICMP request, is probably one of the most used yet simplest network troubleshooting tools, so let's unleash our ping settings and see what can be done. We will start with execute ping-options and then view-settings so we can see our default ping settings. We can see that we have a repeat count of five times, a data size of 56 bytes and a timeout of two seconds; currently the interface is auto, which means that it goes to our routing table and picks the best route out. We have an interval of one second, that is, your ping will be sent one second after the echo response is received. You can use the adaptive setting, which we will do very soon, to see that you can actually send the second or third ICMP request immediately as the ping response comes back. The time to live is 64 hops. Let's see if we have anything more interesting here... no. The second thing that we can do is to set the
ping options and see what the ping options are. And we can see that we can set an adaptive ping, we can set a different data size, we can set the DF bit, which is a parameter in the IP header, we will look at it; we can set the interface that the ping will be sent from, we will use our marketing interface and send ping from there; we can set the hex format of the ping, we actually can add different characters to our empty hex space in our ping, we will look at it also; and yes, we can set the source, the timeout, time to live and more. So let's start with a simple ping towards Google. Okay, that's google.com, works. Now we'll use the same thing towards Google's DNS server and see if we have a DNS resolve; that also works, great. Now let's close that for a minute, let's move to my Ubuntu device. All right, now my Ubuntu device actually sits on the marketing interface; let's just get back, let's log in. All right, so let's start by pinging my Ubuntu device, which is at 10.0.4.9; everything goes well. You can see that I have a very big ICMP packet; let's see what the reason is: execute ping options... you know what, let's do another thing. Once you have settings that are not your default settings, remember the default setting is 56 bytes, you can reset them using execute ping options reset. Now let's send the same ping again and let's see what this size is: that's 64 bytes. Remember that your data size, your ICMP size, is 56 bytes; you have an 8-byte header for the ICMP packet; what you see here is actually the payload itself plus the header, that is, 56 plus the 8-byte header. Let's see again how we change the data size: that's the way that we change the data size, let's set it to 128 bytes. And let's now change another setting, which is the adaptive ping. Your ICMP request is being sent in an interval of one second; now you can change it so that it will be sent immediately as soon as the ICMP response gets back. To do so you have to choose enable. Another setting is the DF bit. What is the DF bit? DF stands for Don't Fragment, that is, don't fragment the packet even if it's bigger than the interface that is supposed to accept it. So if you have on the other side an interface with an MTU of X and your ICMP packet is bigger than that, your ICMP packet can actually be dropped, so be careful how you use the DF bit; let's keep it at no. Now let's see what the effect of adaptive ping is versus the regular settings. So let's just execute ping, let's use a repeat count of 20 packets, and let's execute our ping towards Google, sorry, google.com. All right, so you can see that we have an interval of one second. Now if we use the adaptive ping option, let's just enable it, let's send the same ping, and you can see that you're actually having a sort of an ICMP flood; it's not hundreds of packets a second, but it is still much faster than the usual interval.

We can use the command line to diagnose and learn more about our SD-WAN member interfaces, coming up. To get more easy setup tips for your FortiGate firewall, subscribe now and don't forget to click on the bell notification and you won't miss anything. We can use our command line while configuring SD-WAN for different tasks; one of them is to use different protocols that will be used towards the server that was chosen in the health check. So we will look at the performance SLA, let's choose one, and we can see that on the graphical user interface we only have two options to actually ping our server, that is, using ping and HTTP. Now if we use the command line: config system virtual-wan-link, config health-check, now let's edit the performance SLA that we have chosen, that is SIP; let's see what is chosen, show full-configuration, and we can see that the protocol that was chosen is ping. Let's set protocol, and now you can see that we have the ping option, the TCP echo option, the UDP echo option, HTTP and TWAMP. So that is something that is available on the
command line and not on the GUI. Another thing that we can do, or actually see, using our command line: let's use diag sys virtual-wan link, let's choose again, I can't see that way, let's choose the SIP health check. Now we can see the status of each member in our SD-WAN, in our virtual SD-WAN interface, in terms of packet loss; we can also see it on the graphical user interface, but there is also a way to look at the different members. We can see that it is alive, we can see that we have no issues currently with packet loss, and we can see the statistics for latency and jitter; currently the other members are not alive since I have not enabled them on my FortiGate. Now whenever we use performance SLA we are actually telling our FortiGate to probe different services; we can configure up to two servers that will be used as beacons; we are doing that to check the status, the health, of the different members of the SD-WAN interface. Now whenever our FortiGate probes that server it is actually using a route entry that is created. Let's see that route entry: so we will use get router info kernel, and those entries are actually flagged; they are created in the kernel, they are called FIB entries, and they are flagged as proto 17. So to see them we will use the grep command and we will use proto=17, and we can see, let's make that a bit bigger, we can see the different routes; they are being sent from the different interface gateways towards the different servers that we have chosen; the first one was actually the Google DNS server, which is 8.8.8.8, and the second one is 1.1.1.1.

One of the major keys to understanding how your FortiGate works is to understand how it handles sessions, how it handles the dialogue between clients and servers. Now FortiGate is a session-aware firewall. We all know get system session list, which gives us an overview of the sessions that are currently running on your FortiGate between different clients towards different destinations; we can also see the source NAT, we can see which protocol is being used. Another well-known command is diagnose sys session list, which we can also filter based on the host's IP or destination IP. But I would like to show you another command, which I'm not sure is that popular, which is get system session-info full-stat. Now let's make this screen a bit bigger. Now what we can see in that command is the session table size, that is, the current session table size, the number of entries that is possible in the session table. Another thing we can see is how many sessions are being used right now; in our case we have 64 sessions that are being used right now; the session count is the number of sessions in the kernel. Now we can also see several more things: we can see the memory tension drop, that is, the number of dropped sessions due to the system running out of memory. Another very interesting piece of information that we can find is the ephemeral buffer, which is actually a buffer that protects our table, our session table, from getting overloaded, that is, if a denial-of-service attack is happening. Now the first number is the amount of sessions that are in use, the second number is the maximum number that is allowed; now if we see that both numbers are very close then there is a good indication that a denial of service is actually happening in your organization. The other thing that we can see is the TCP sessions. Now looking at the TCP sessions we can see their state; each session has a different state, so we can see that we have 11 sessions in ESTABLISHED state, that is, they have finished the three-way handshake, the connection now is established and they can transfer data. We can also see that we have one session that is in a TIME_WAIT state; now the TIME_WAIT state is a special state that happens when a connection termination request is sent and our FortiGate actually reserves some time to ensure that the remote side received the termination request.

When a user doesn't perform any action throughout a session, this session will time out. Now each session and its protocol has a different interval; on your FortiGate firewall a TCP session by default will time out after 3,600 seconds, but there are cases, such as in the medical world, where you need your services, your sessions, not to time out. How do you do it using a policy and how do you do it using a custom service? Coming up. All right, so before we configure the session timeout, we will configure it on port 443; let's take a look at our Ubuntu device, let's just resume it and let's refresh the page, we're at YouTube. All right, let's go back and let's just use diagnose sys session list, and if we use diagnose sys session list we can take a look at sessions that are TCP sessions; we can see that we have an expiration time of 3600 seconds. Now let's configure a custom service: config firewall service custom, let's edit 443, set tcp-portrange to be 443, only 443, and let's set the session TTL to never. Now let's end it, and you can also see the new service under the Services tab, under Uncategorized services, that we have just created. Let's move back again to our Ubuntu device, let's resume and let's just play something. Okay, now let's get back to our FortiGate, let's use diagnose sys session list again and let's just look at the session itself: protocol 6 is TCP, and here you can see that the expiration is set to never, the timeout is set to never. So that is one way that you can actually configure a session time to live of never on a specific service that you might need.

Welcome to our FortiGate top 5 tips, and this time we are dealing with the ping command. Tip number one: when we use the ping command we use the execute command, so we'll use execute ping and we'll choose our destination as 8.8.8.8, which is Google's DNS server. Now we can see that our ping size is 56 bytes and the FortiGate sends five
packets at a time. Now we can change the size of our ping; how do we do it? We use execute ping options; let's view the settings. All right, and now if we use execute ping options data-size we can choose ICMP packets to be a different size; let's choose 90, so now our ping size is 90 bytes. Let's choose the same target, execute ping towards 8.8.8.8, and you can see that our ping size is 90 bytes. And to our second tip: now if you do networking for a long time you probably send continuous ping packets towards different destinations, different interfaces, so you have to change the amount of packets to be continuous or to be a different number than the five packets that are sent by default. How do we do it? We use execute ping options and we use a different repeat count; currently the repeat count is five, now let's change it to 15. And now let's ping again, let's ping the Google DNS server and let's see how many packets are being sent, and we can see that we have 15 packets that are sent. And now for our third tip, let's clear that out. Now we have different interfaces in a FortiGate and sometimes we wish to send ping packets from different interfaces, so how do we do it? I currently have an interface at 10.0.4.1, so let's use the same execute ping options and now let's choose a different source, in my case it's 10.0.4.1, and now if I use the same ping command the packets will be sent from 10.0.4.1. Moving on to tip number four: usually a ping command is discarded after 64 hops; now we can choose a different integer, we can choose an integer between 1 and 255 hops. How do we do it? We use the same, sorry for that, we use the same execute ping options ttl and let's choose 220 hops, 220 hops, and now our ping packet will be discarded only after 220 hops. All right, and now let's move over to our fifth tip. Sometimes as an administrator you use different settings; let's change the settings of our ping command: let's use a repeat count of 8, let's use a different data size, let's make our ping size 80 bytes, and let's use a different source, all right, let's use 10.0.4.1 as our source. Now if we use view-settings we will see that our repeat count is 8, our data size is 80 and our source address is 10.0.4.1. Now you want to reset those settings; what do you do? You use the reset command, and now if we take a look at view-settings we will see that it all came back to the default settings, which are five packets, 56 bytes, and the source is according to the interface that you work within. Now if you like our channel, please subscribe.

When you start to diagnose processes that are happening on your FortiGate you can use two commands; the first one is diag sys top, let's just start it, all right, let's stop it, and there's diag sys top-summary. What is the difference between the two, which one is better, and how can you sort processes by CPU or memory? Coming up. Before we begin let's just try to understand what a process is. Well, you have your app; it sits on the hard drive, on the storage itself, and when it loads into memory it actually uses different processes to accomplish its task. Now a process is key to understanding what is happening on your computer, what is happening on your FortiGate in our case. Now each process consumes CPU and it consumes memory resources. Every operating system has what is known as a user process and a system process: a user process is when a user actually initiates an app or a service, and the system processes are actually processes that are done in the background. Now let's look at diag sys top. diag sys top will actually list processes individually; it will list all processes, it will show the process ID, the memory that is being consumed, the CPU. diag sys top-summary actually aggregates all the processes; as you can see here, to the right of each process you can actually see the number of processes that the operating system actually divided the process itself into, several processes, and that is the case where your operating system makes multiple copies of a process in order to subdivide the load itself or to handle similar tasks. All right, so now let's try to sort our processes in descending order and see who is consuming more memory. So let's just stop it, let's use diag sys top-summary; all right, let's show only five lines, use the sort option, sort=mem, that is memory, and now we can actually see processes in descending order, which only shows the most consuming processes in terms of memory. Now here you can see that this is the process that is currently running, here you can actually see how many processes, that is user processes and system processes, are actually running, and here you can see to the right the amount of sub-processes, that is the same process, but this could be the parent process and the child processes that are actually running. So here we can see that we actually have 11 httpsd processes that are running. All right, so to compare and recap: diag sys top-summary is different since it aggregates just about every child process and parent process into one process and shows you the total CPU and memory consumption; diag sys top actually shows each process, so it is better to examine the memory utilization or the CPU utilization, but diag sys top-summary is better, in my opinion, if you need to adjust specific processes, specific applications, if you see that there is one process that is actually consuming your memory or your CPU utilization.

A good FortiGate admin must know their way around Wireshark; here's how. To get more easy setup tips for your FortiGate firewall, subscribe now and don't forget to click on the bell notification and you won't miss anything. Wireshark actually gives you a broader view of your network. Now this following video is not going to teach you how to use Wireshark, we will maybe do it in another video, but it will give you the fundamentals to understand how sessions are starting
within your FortiGate and how to see different elements of your network in a bit more detailed view. So we have an interface that is connected to my Ubuntu device; let's move over to it and now let's do a denial-of-service attack: let's send hundreds of ICMP messages, ping messages, toward my interface gateway and let's see how that looks in Wireshark. So let's move over to Wireshark, let's start capturing the traffic, let's get back, and we'll use my root credentials, we'll use -f, that is the flood switch, and the IP address is 10.0.3.44, and now it starts pinging; it actually sends hundreds of ICMP messages toward my gateway. Let's stop it, let's move back over to Wireshark and stop the capture. Now we are actually looking for two main things: the first one is the ICMP message, we will write it down, and the destination, which is 10.0.3.44, and now if we click on it we can see the ICMP messages being sent, and you can see that I have a special column here; it is actually the delta time displayed, which shows the interval between each message. You can also use it by going to Preferences > Columns, add a column with the delta time displayed. All right, another one of my favorite Wireshark filters is tcp contains and udp contains. Whenever a user browses to a specific URL you can see the TCP SYN session established towards that specific URL, and you can also see the DNS queries. So let's move over to, let's move to Android Central. All right, yep, it's capturing data, so let's move to Android Central. All right, so let's go back to Wireshark and let's stop the capture. Now if I use udp contains "android" we can see the DNS queries that are actually being sent back once my browser asked for androidcentral.com and got back an A record with the IP address. Let's see if we can also see the TCP SYN session: so tcp contains "android", and yes, we can see that; that's an HTTPS site, so we can actually see the handshake itself. Now I could have used DNS as the protocol and then filtered out the specific host that was requesting a DNS request, but a simple way was to use udp contains; DNS is using UDP port 53. The last thing that we will look into today is the TCP session itself. Now remember, your FortiGate is a session-aware firewall, so let's start by capturing the traffic, let's connect, open up Firefox and let's move over to YouTube. All right, now let's go back, stop the capture itself. Now we want to see the TCP session in its initial beginning, so there are different methods to do so: we can use tcp.flags.syn. Now if we use tcp.flags.syn == 1 we will see different SYN sessions; now let's go to our host, which is 192.168.6.3, click on it and then Follow TCP Stream, let's close that, and we can actually see the initial handshake, which starts with the SYN, the SYN-ACK with which the server responds, and the TCP with the ACK flag set. We can also see the following HTTP GET by using http.request.method, sorry for that, and ip.addr == our host, 192.
168.6.3, and there we can see the HTTP GET request that was sent from our host.

Auditing your firewall is a major task that you need to do from time to time. Now there are companies that release tools that will allow you to audit your firewall, but here are the 10 best practices that you can start with. The following best practices are not in a specific order, so just use them as you wish. Now another thing: I'm showing it on a FortiGate firewall, but you can also do it on a Check Point firewall, on a Palo Alto firewall, or any next-generation firewall. Quite obvious, but we do it on any device, any server that we have in our organization: be sure that your firmware is up to date. Always use the latest firmware; usually the latest firmwares are much more secure, your firewall vendor will always make sure that you have the latest patches in the latest firmware, so back up your configuration, look at the release path and update your firmware. Encryption, and high encryption, is fundamental in your firewall, so be sure that you always use the strongest algorithms. Now it's not always possible, but assuming that the other side also supports the strongest algorithms, just find out the appropriate CLI command on your firewall and enable it; so in a FortiGate firewall it is config system global, now it may change from firmware to firmware, set crypto strong, and just be sure to enable it. Always make sure that your administrator is connecting to your FortiGate through a trusted host, that is, a trusted IP address, such as the IP address at their home or in the office. Now you can do it using the graphical user interface, you can do it using the CLI; let's do it using the CLI: config system admin, let's edit the admin, and from here set trusthost and just write down the trusted IP address. If possible, on your WAN interface, your external-facing interface, don't allow any administrative management; so let's just use config system interface, edit port1, which is my internet-facing interface, and unset allowaccess. On your LAN interface, administrative access: try always to use HTTPS and SSH, that is, HTTPS to the graphical user interface and SSH to the command line; now try to avoid ping and try to avoid other protocols unless needed. The following is probably one of the first audits that you need to do: look for unused rules, rules that were asked for some time ago and configured on your firewall; look for them and if they're not relevant anymore just delete them. Now a side note: document any rule that is asked for, document who asked for the specific rule and the time that it was configured. Your administrator should always log into your FortiGate, or any other firewall, using HTTPS, so be sure that even if they try to do it over HTTP your firewall will redirect the request over HTTPS. So let's do it here: config system global, set admin-https-redirect. Another setting that you should be aware of is the admin lockout and the admin lockout duration; now that should comply with your organization's policy: config system global, and now let's set the admin... you can set the admin-lockout-duration; the default is 60 seconds, but you can set it to 5 minutes or more, that should comply with your organization's policy. Now another setting is the threshold itself, that is, the lockout threshold, which is actually the number of failed attempts when your admin tries to log into the system; the default is three and it is a best practice to keep it at three. Logs should be part of your auditing, that is, when you audit a firewall be sure that logs are there for at least seven days; now look at the proper documentation of your firewall, let's just do it here: config log disk setting, set maximum-log-age; now you can set it to seven days, you can also set it to 30 days, it depends a lot on where you save the logs, either on your hard disk or towards a syslog or any other device that has proper storage. At last, let's look at some more best practices to harden your firewall. One of them is, when you have unused interfaces, disable them; disable them if you have interfaces that you want to disable different protocols on, so just disable them using config system interface, edit the interface that you want to disable, and there you can unset dhcp-relay-service, you can unset pptp-client, ARP forwarding and so on. Another thing that is quite common to any FortiGate out there, and that is something that I'm not familiar with on other firewalls, which may or may not have the same functionality, is what is known as the maintainer account. The maintainer account is actually a backdoor to your FortiGate: if your admin has lost their password then it allows you to actually get into your FortiGate using what is known as the maintainer account, which is actually the serial number of your FortiGate with the maintainer user. So you can actually disable it; in most FortiGates I believe it is enabled by default: set admin-maintainer disable.

Rebooting our devices, our appliances, is a maintenance step that we do from time to time, either daily or weekly; it helps with memory leaks, it helps with buffering issues. So what do you do? You schedule a reboot, either daily or weekly, on your FortiGate. How do you do it? Coming up. To schedule a daily reboot we will use the command line; to schedule a weekly reboot we will use the automation. So let's start with a daily reboot: we'll head over to our command line, config system global, and now set daily-restart; once you do so you set it to enable, and then set restart-time to whatever time you want to daily reboot your FortiGate. The second way to do so is to move to your dashboard, Security Fabric > Automation; now using the automation stitch you can create new stitches, either scheduling a weekly reboot as we just aim to, let's just execute reboot, or you can actually trigger a reboot after an event such as your FortiGate entering conserve mode. So you'll do that by going to a trigger of type event log, and the event will be conserve mode; your FortiGate actually enters conserve mode and by that you can trigger different events such as
execute reboot or sending an email and other events.

So you browse the internet and everything seems just okay; let's just go over to cnn.com and see what's new, it loads well; let's go to bbc.com and yep, everything seems okay. But now you decide that you want to ping somewhere just to check that there are no connectivity issues, and it seems that you do not have a DNS result. So let's stop that and let's try to ping directly to Google's DNS server, and yet again you have an issue with ICMP. So how do you get around that and how do you diagnose the issue behind it? So let's get back to our FortiGate, let's log in, and probably one of the first things that I would have done is diagnose sniffer packet any host, let's just write down the IP address of our host, and let's just see what happens. All right, let's just make that bigger, and let's stop that, and it seems that I have an echo request but I'm not getting any echo response back, only echo requests. So that's not enough, and it seems that packet capturing my traffic doesn't give me the solution to my problem. So the next thing to do is to work at the kernel level, and that is using diag debug flow. So let's just get back to our main command line, let's clear this space here, and let's diag debug enable, diag debug flow filter, now let's filter our source, which is 10.0.4.9, and let's diag debug flow trace start. So what I'm actually doing here is that I'm debugging the source address 10.0.4.9, I'm doing a trace only on the first 10 packets. So let's see now what happens, and let's just stop that and see if I have any clue that will resolve my issue, and yes, there it is: denied by forward policy check, policy number two. So I actually have a policy that denies ICMP. Let's get back to my FortiGate, let's look at my policies, and that's right, I have a policy which stops ICMP from my DMZ, where my Ubuntu device sits, towards my WAN interface. Now this exercise is good since sometimes we have dozens of policies that we do not have time to check, maybe there are unused policies from some time ago, so diag debug flow will work on the kernel level and will allow you to debug issues just like this one that I showed you.

Now two-minute CLI commands, and this time diag sniffer, coming up. diag sniffer packet is one of my favorite commands; why? Because it actually allows you to packet capture the traffic, sniff the traffic, just as tcpdump or Wireshark does. So the syntax goes like that: diag sniffer packet, and then you need to include the interface, so we will do any, but you can choose port1 or port2; after that you actually filter the traffic, you can filter it using the source, destination, protocol; we'll use the host, so we'll use host 10.0.3.1, which is my gateway; next comes the verbosity, that is the amount of data that you want to include, I will choose 4; and we can also add the count, that is the packet count, so let's add 10 packets; and if you want a timestamp you can add the letter a. So let's start, and there we have it. Now you can play around with the different filters and the different verbosity levels; do that if you want a packet capture. Not using diag sniffer but using the graphical user interface, you can do it in Network > Packet Capture, and in Packet Capture you will find that you can choose the interface and use the different filters.

We have already learned how we can list system processes and show their output on the command line; now in this video we will look at how we can kill different processes that consume too much memory or too much CPU power, and how we can list the highest demanding processes on our FortiGate. To get more easy setup tips for your FortiGate firewall, subscribe now and don't forget to click on the bell notification and you won't miss anything. So you're using high-level encryption in your VPN, you're using IPS to scan different patterns and anomalies, you're using antivirus, and you keep logging of just about anything; well, all of that consumes lots and lots of CPU resources and memory. Let's take a look at the diag sys top command; let's make an interval of 20 and with 10 processes. All right, now using the m character, you just need to type the m character, we can sort the processes that consume the highest memory, and in our case it is dnsproxy; if we press the p character, p is for CPU, we will see the different processes that consume the highest CPU resources, and in our case it is httpsd. Now the next step is to kill the process that causes you lots of issues; that is the last step before you reboot your FortiGate. Let's do a Ctrl-C. To kill a process you use diag sys kill; now you enter what is called a signal, that is a term that comes from Linux and Unix, which is actually a lightweight way you ask your system to stop the process, and it can be a more aggressive way to tell your system, it depends on the number, to tell your system to kill the process. Now we can use different signal numbers; we will use 15, which is an aggressive way to tell your system to kill that process, and we will list the process ID. Now the process ID, as we know, is the second column, so let's use the dnsproxy process, which is 94. All right, now we have just killed that process, and here we can see that the dnsproxy process has actually been terminated. We saw that we can list processes, sort them out and even terminate them whenever they demand too much resources.
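The firewall-audit segment above walks through the hardening settings one CLI command at a time. As an added example (my own code, not from the Forti Tip video and not a Fortinet tool), here is a small Python script that parses a FortiOS configuration dump and reports the items the video lists: HTTP-to-HTTPS admin redirect, strong-crypto, the maintainer account, the admin lockout threshold, trusted hosts per administrator, management access on the WAN interface and cleartext management on other interfaces, and log retention. The configuration text is constructed for the example; the setting names (admin-https-redirect, strong-crypto, admin-maintainer, admin-lockout-threshold, trusthostN, allowaccess, maximum-log-age) are the real FortiOS CLI keywords, while which interface counts as WAN is an assumption passed in as a parameter.

```python
"""Audit a FortiOS config dump for the hardening items discussed on the page.

Added example: not code from the video or from Fortinet.  SAMPLE_CONFIG is a
constructed config in FortiOS CLI syntax; the keys it uses are real FortiOS
setting names, the IP addresses and interface names are made up.
"""
import shlex

SAMPLE_CONFIG = """\
config system global
    set admin-https-redirect disable
    set admin-lockout-threshold 3
    set admin-lockout-duration 60
    set admin-maintainer enable
    set strong-crypto disable
    set daily-restart enable
    set restart-time 03:00
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "noc"
        set trusthost1 10.0.3.0 255.255.255.0
        set accprofile "super_admin"
    next
end
config system interface
    edit "port1"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https ssh http
    next
    edit "port2"
        set ip 10.0.3.1 255.255.255.0
        set allowaccess ping https ssh
    next
end
config log disk setting
    set maximum-log-age 3
end
"""


def parse_config(text):
    """Return {path_tuple: {setting: [values]}} for a FortiOS CLI dump.

    The path is the stack of 'config ...' section names and 'edit' entry
    names, so 'config system interface / edit "port1"' becomes
    ("system interface", "port1").  Nested sub-configs just extend the tuple.
    """
    tree = {}
    path = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and #config-version
            continue
        tokens = shlex.split(line)  # honours the quotes FortiOS puts around names
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            path.append(" ".join(args))
        elif cmd == "edit":
            path.append(args[0])
        elif cmd in ("next", "end"):
            path.pop()
        elif cmd == "set":
            tree.setdefault(tuple(path), {})[args[0]] = args[1:]
        # 'unset' lines carry no value; leaving the key absent models them
    return tree


def _first(settings, key, default=None):
    vals = settings.get(key)
    return vals[0] if vals else default


def audit(cfg, wan_interfaces=("port1",)):
    """Return a list of human-readable findings; an empty list means clean.

    Defaults assumed when a key is absent follow FortiOS factory defaults as
    described on the page: maintainer account enabled, lockout threshold 3,
    logs kept 7 days.  wan_interfaces is an assumption supplied by the caller.
    """
    findings = []
    g = cfg.get(("system global",), {})
    if _first(g, "admin-https-redirect") != "enable":
        findings.append("system global: admin-https-redirect is not enabled")
    if _first(g, "strong-crypto") != "enable":
        findings.append("system global: strong-crypto is not enabled")
    if _first(g, "admin-maintainer", "enable") != "disable":
        findings.append("system global: maintainer (serial-number) account is enabled")
    if int(_first(g, "admin-lockout-threshold", "3")) > 3:
        findings.append("system global: admin-lockout-threshold is above 3 failed attempts")
    for path, settings in cfg.items():
        if len(path) != 2:
            continue
        section, name = path
        if section == "system admin" and not any(k.startswith("trusthost") for k in settings):
            findings.append(f"system admin {name}: no trusthost, logins accepted from any source")
        elif section == "system interface":
            access = set(settings.get("allowaccess", []))
            cleartext = sorted(access & {"http", "telnet"})
            if name in wan_interfaces and access:
                findings.append(f"system interface {name} (WAN): allowaccess {' '.join(sorted(access))} exposed")
            elif cleartext:
                findings.append(f"system interface {name}: cleartext management {' '.join(cleartext)} enabled")
    age = int(_first(cfg.get(("log disk setting",), {}), "maximum-log-age", "7"))
    if age < 7:
        findings.append(f"log disk setting: maximum-log-age {age} days is below the 7-day minimum")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("FAIL", finding)
```

Feed it the output of `show full-configuration` (or a backed-up `.conf`) instead of SAMPLE_CONFIG; `show full-configuration` is the one to use, since a plain `show` omits settings that are at their default value and the audit would then see them as absent.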
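The session segment above says that when the two numbers of the ephemeral buffer in `get system session-info full-stat` get close to each other, a denial of service is likely under way. As an added example (my own code, not from the video or from Fortinet), the following Python parses that output and turns the rule of thumb into a check, also reporting session-table utilization, memory-tension drops and the share of half-open TCP sessions. The two outputs are constructed to resemble what the command prints, with made-up numbers; exact spacing and field order on a real unit may differ, which is why the parsing is regex-based on `key=value` and `N in STATE state` tokens rather than positional. The thresholds are assumptions, not Fortinet guidance.

```python
"""Parse FortiOS `get system session-info full-stat` output and flag DoS signs.

Added example, not code from the video or from Fortinet.  QUIET and
UNDER_FLOOD are constructed approximations of the command's output.
"""
import re

QUIET = """\
session table:  table_size=65536 max_depth=1 used=64
misc info:      session_count=64 setup_rate=0 exp_count=0 clash=0
        memory_tension_drop=0 ephe=0/32768 removeable=0 extreme_low_mem=0
delete=0, flush=0, dev_down=0/0 ses_flush_filters=0
TCP sessions:
         11 in ESTABLISHED state
          1 in TIME_WAIT state
"""

UNDER_FLOOD = """\
session table:  table_size=65536 max_depth=1 used=41200
misc info:      session_count=41200 setup_rate=3900 exp_count=0 clash=0
        memory_tension_drop=12 ephe=31500/32768 removeable=0 extreme_low_mem=0
delete=0, flush=0, dev_down=0/0 ses_flush_filters=0
TCP sessions:
        120 in ESTABLISHED state
      40900 in SYN_SENT state
         30 in TIME_WAIT state
"""

# key=current or key=current/limit tokens, e.g. session_count=64, ephe=0/32768
KV_RE = re.compile(r"([a-z_]+)=(\d+)(?:/(\d+))?")
# per-state TCP counters, e.g. "11 in ESTABLISHED state"
STATE_RE = re.compile(r"^\s*(\d+)\s+in\s+([A-Z_]+)\s+state", re.M)


def parse_full_stat(text):
    """Return counters as ints, 'cur/max' pairs as (cur, max) tuples, plus
    a 'tcp_states' dict of state name -> session count."""
    stats = {}
    for key, cur, limit in KV_RE.findall(text):
        stats[key] = (int(cur), int(limit)) if limit else int(cur)
    stats["tcp_states"] = {state: int(n) for n, state in STATE_RE.findall(text)}
    return stats


def assess(stats, ephe_ratio=0.8, half_open_ratio=0.5):
    """Apply the page's rule (ephemeral buffer nearly full => DoS likely) and
    two supporting ratios.  Thresholds are assumptions for this example."""
    ephe_used, ephe_max = stats.get("ephe", (0, 1))
    states = stats["tcp_states"]
    total_tcp = sum(states.values()) or 1
    half_open = states.get("SYN_SENT", 0) + states.get("SYN_RECV", 0)
    report = {
        "table_utilization": stats.get("session_count", 0) / max(stats.get("table_size", 1), 1),
        "ephe_utilization": ephe_used / ephe_max if ephe_max else 0.0,
        "half_open_share": half_open / total_tcp,
        "memory_tension_drop": stats.get("memory_tension_drop", 0),
    }
    report["dos_suspected"] = (
        report["ephe_utilization"] >= ephe_ratio or report["half_open_share"] >= half_open_ratio
    )
    return report


if __name__ == "__main__":
    for label, text in (("quiet", QUIET), ("under flood", UNDER_FLOOD)):
        print(label, assess(parse_full_stat(text)))
```

Run it against the real command output captured over SSH, and poll it: a single snapshot shows the buffer level, but the setup_rate and the growth of the half-open share over a few samples are what distinguish a flood from a busy-but-healthy box.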
Info
Channel: Forti Tip
Views: 206
Keywords: forti tip, fortigate basic configuration, fortigate, fortinet, training, fortinet firewall, fortigate firewall training, fortinet firewall tutorial, fortigate installation, fortinet firewall videos, fortigate firewall configuration step by step, fortigate cookbook, basic setup, fortigate cli commands, top 5, basic fortigate configuration, basic fortigate setup, firewall policy, firewall rules, fortigate how to, configuration how to, 2019, Beginners tutorial, checkpoint, palo alto
Id: 2pS_aPwGLKM
Length: 197min 23sec (11843 seconds)
Published: Wed Dec 02 2020