How to Configure FortiGate Firewall NAT / SNAT Policy with Failover (Part 5)

Captions
Hi guys, this is IgoroTech. Today I will show you how to configure the FortiGate firewall SNAT, or source NAT, policy. I will also show you how the failover works. Make sure you check the previous parts of this video to follow along.

SNAT is an abbreviation for Source Network Address Translation. It is typically used when an internal or private host needs to initiate a connection to the internet. It changes the private IP address of the source host to a public IP address.

[Music]

In the previous video I showed you how to configure the LAN, VLANs and WAN interfaces. Now we will focus on the firewall policy. Go to Policy & Objects > Firewall Policy. By default there is a configured firewall policy, which is internal to wan1. What we are going to do is delete this policy, and I will explain and show you how to create a new policy.

Before we proceed, let's do a test first. Since we successfully configured the WAN interfaces, this device should be able to access the internet. We can verify that by opening the CLI console and running the command execute ping 8.8.8.8. You can see this device is connected and can access the internet. However, if we test from the device connected to this FortiGate's LAN, we cannot access or even ping the Google DNS. This is because there is no policy or source network address translation configured.

To create a policy, click on Create New. For this first policy we are going to allow the admin or internal network to access the internet via wan1, which is our primary WAN link. Since this is the admin policy, we are going to give it the name admin to internet, to make it simple. For the incoming interface we will choose admin or internal. You can verify by checking the IP address and also the interface members; you have the option to edit it directly here if you want. Click on it to select it. For the outgoing interface we have three WAN links, which are ISP1, ISP2 and ISP3. We have to choose the primary link, which is wan1 or ISP1. For the source we must choose the network address for this interface. If we check back on the admin or internal interface, a network address object has been automatically created named internal, so we are going to find the internal address and select it as our source. You can also verify it from here by checking the subnet. For the destination, since this is a basic policy, we will choose all; this means anything from the internet. Schedule is set to always; scheduling will be a different topic. Service is set to ALL; this means we are allowing all services for this policy. Action should be ACCEPT; if you choose DENY, it will deny all the traffic from the selected source to the destination.

Next is the NAT. Make sure this option is enabled; if not, you cannot browse the internet. For the IP pool configuration, you only choose this option if you want to NAT the source to a different IP address; this will be a different topic. We will use the outgoing interface address for this demo.

Next is the security profiles. You can find all these options in the Security Profiles category. We will open a new window so that we don't need to redo the policy. Here you can view all the security profiles. For this demo we will use all the default profiles; we will dive deep into this topic in a different video. We need to enable them one by one: tick to enable, expand the down arrow, then choose the profile you want to use. Again, we will use all the default profiles for this demo. To explain these briefly: the antivirus examines network traffic for viruses, worms, Trojans and malware. Web filter is the feature to control the web traffic of firewalls by using a block or allow action; this is where you block or whitelist websites. DNS filter blocks access to resolving known bad sites, so you can't even get to them if they are part of a malicious network. Application control is where you monitor, block or allow applications on the devices connected to this network. IPS, or intrusion prevention system, protects against known threats, including malware and underlying vulnerabilities. File filter provides the email filter profile with the capability to block files passing through a FortiGate based on file type. SSL inspection inspects the traffic for malicious content. Since this is an all-to-all policy, we need to enable all the security profiles available for better security.

For the logging options, it's highly recommended to enable this option for log checking and troubleshooting purposes. We have two options: Security Events records only log messages relating to security events caused by traffic accepted by this policy; the other option, All Sessions, records all log messages relating to all of the traffic accepted by this policy. Comments are optional. Make sure Enable this policy is enabled, then click OK to apply the changes.

We can now see the newly created policy. This is a very basic policy; this means we are allowing all the internal network to access the internet without any scheduling, no restrictions, and allowing all services. Now if you look at the bytes counter, it's zero because there is no traffic running through this policy yet. Let's open the command prompt again, hit the up arrow on your keyboard, then hit Enter. Notice that we can now ping the Google DNS. Since we enabled the NAT, we should be able to browse the internet as well. We can open a new tab and browse any website. We can now browse the internet as well. Let's go back to the firewall policy again. Notice the counter is zero; if we refresh the page, we can see that we now have traffic running through this policy. This is the traffic for accessing the website and also the ping to the Google DNS.

Now if you want to add more columns, click on Configure Table and choose the available options you want to add. For this demo we will add the ID. Now click Apply to save the changes. You can see the ID column has been added. We can rearrange the columns: hover your cursor over it, then click and drag it where you want it to be. Notice the policy ID is 1.

Now, for better security and better management, this all-to-all basic policy must be avoided. It's always best to create a per-service policy instead. First we will create a policy for HTTP and HTTPS traffic. Since we already have the created policy, we can simply clone and modify the policy; it would be very easy and very quick to do this. Right-click on the policy and click Copy. Now right-click again on the policy, and we have the option to paste above or below. If we choose above, it will be on top of the original or source policy. If you notice the policy ID, it's 2, because the policy ID follows the sequence from number 1 going up, so if we create another policy it would be policy ID 3. Now let's edit the cloned policy. Since this policy is for HTTP and HTTPS services, we will give it the name HTTP HTTPS for our reference. Everything will be the same except for the service and security profiles. Let's check the service first. We can use the search bar to search for the service; click on HTTP and HTTPS to add them. Next is the security profiles: we will enable only the needed ones and disable the unneeded profiles. If you cloned a policy, you will see this in the comments; you can modify or remove the comments. Make sure to enable the policy, then click OK to apply the changes.

You can create more policies for each service. We will do one more policy, for DNS. We can clone and modify again any of the created policies. Notice the policy ID is 3, as it follows the number sequence. The policy ID is also useful for troubleshooting. Now we will edit the cloned policy. Since this policy is for DNS, we will give it the name DNS. Again, we will change only the service and security profiles. For the service we will remove HTTP and HTTPS and change it to DNS. Enable again the needed profiles and disable the unneeded ones. Change or remove the comments, then click OK to apply the changes. We can enable the policy from here: right-click on it, hover your cursor over Set Status, then choose Enable. To rearrange the policies, hover your cursor over the eight-dots icon until you see the drag sign; you can now drag and drop it where you want it to be. Since this is for DNS, it should be at the top. The policy rule is that the top comes first; this means the traffic will hit the DNS policy first and then go down to HTTP HTTPS. All the remaining services which we haven't configured or specified will pass through the all-to-all basic policy. You can keep on creating per-service policies and then observe this all-to-all policy; if no traffic hits this policy, then you can delete or disable it. To delete a policy, you can right-click on it and choose Delete, or click on the policy to select it and then click Delete at the top. If you have a bunch of policies, you can use the search bar to find a policy. You can also change the view to By Sequence; the default is Interface Pair View. I prefer this option, since you can see the source and destination interface.

Now, since we allow the admin or internal network to access the internet, we will proceed with the VLANs. We can allow the guest or server VLAN to access the internet via wan1, wan2 or wan3. Since the process is all the same, for this demo we will just allow this server VLAN to access the internet through wan1, which is our primary. We will do the same process again: we will clone and modify any of the running policies. For the server we will just create the basic policy, which is all to all, so we will clone this all-to-all policy. We will give it the name server to internet. For the incoming interface we must change it to the server VLAN interface; you can verify by checking the IP address and also the VLAN ID, which is 100. The outgoing interface is our primary WAN connection, which is wan1. For the source address we must change it to the server's address. If we go check back the server VLAN interface, it automatically created an address object named server address. Now look for the server address and set it as the source address. Remove the internal address, because the source is the server VLAN interface; we must choose only the address which is within the same subnet as the source interface. The rest should be the same, since this is an all-to-all policy. Modify the comments if you want, make sure to enable the policy, then click OK to apply the changes. You can now see the newly created policy, which is server to wan1. You can do the same process for the guest, or if you have different LANs or VLANs configured.

Since we have policies for admin to wan1 and server to wan1, what we are going to do now is also create policies for wan2 to back up wan1 in case it fails or has some issue. We will create only all-to-all policies for this demo, just to show you how the failover works. We will clone again any of the current policies. We can give it the name admin to internet backup for our reference. No need to change the incoming interface, since this policy is for the admin or internal; we will only change the outgoing interface to wan2, which is our backup WAN connection. The rest will be the same. Modify or delete the comments, enable the policy, then click OK to apply the changes. We now have the policy for admin or internal to wan1 and also the policy for admin to wan2. Next is the policy for server to wan2, the same process again. We will give it the name server to wan2. Everything will be the same except for the outgoing interface; we need to change it to wan2, which is the backup connection for wan1. Modify or delete the comments, enable the policy, then click OK to apply the changes. We now have the policy for server to wan1 and server to wan2.

Now we will test the failover. Assuming wan1 has some issue or is down, wan2 should take over all the traffic, since we also created the policy for it. Before we proceed, we will open the command prompt to also monitor the connection to the internet; we will do a continuous ping to the Google DNS. You can see the connection is stable. I already turned off my Wi-Fi so that we use only the LAN, which is connected to the FortiGate admin or internal port. Now let's disable the primary connection, which is wan1. To do this, right-click on it, hover your cursor over Set Status, then choose Disable. Notice that the ping to the Google DNS is still going through. This is because we configured wan2 to be the backup and also created a policy for it. We haven't even encountered any request timeout during the failover. If we go back to the firewall policy, you can see the yellow exclamation mark; if you hover your cursor over it, it says that the policy has some issue, which is that the destination is down. This is because we shut down or disabled the destination interface, which is wan1. If you notice the admin to wan2 policy, it now has some hit count. This is because the traffic is now going through this policy. To verify, you can open a new window and go to whatismyip.com, and you will see the IP address of wan2. Alternatively, we can also clear the counters if we want to monitor the policy: right-click on the bytes and choose Clear Counters. Now it's back to zero; we can do it for all of the policies. Now we can browse the internet just to initiate some traffic; you can go to any websites you want. Let's now go back to the firewall policy again. Notice the bytes are all zeros. Let's refresh the page. You can see that all the policies to wan1 are still zero; we only have traffic for wan2.

What we are going to do now is enable wan1 back. Assuming the connection issue has been restored or recovered, the internet traffic from wan2 should fall back to the primary connection, which is wan1. Let's monitor the connection to the Google DNS as well. Now let's enable the wan1 interface back. In some cases the PPPoE connections take some time to reconnect. Notice that we have one request timeout; this is expected if the traffic is falling back to the primary connection. Let's check back the firewall policy. We're going to clear the counter of admin to wan2, which is the backup policy. We can test browsing the internet again, just for us to monitor which policy is being used. Now let's refresh the page. Notice that all the traffic fell back to wan1, which is our primary connection. You can see the admin to wan2 policy has a zero hit count; this means this policy is not being used currently, because wan1, which is our main connection, has been restored.

For the failover method, we also need to configure the SLA link monitoring. This measures the health of the WAN link, especially the primary connection. That will be a different topic; you can check the link in the description below. Well, that's all for today's demonstration, and I really hope you like this video. If you are new to my channel, please don't forget to like, share, subscribe and click on the notification bell for more amazing tutorials. Thank you, and see you in the next video.
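The GUI steps in the video, expressed as FortiOS CLI, as an added example that is not part of the video or of any Fortinet documentation. It assumes the interface names used in the demo (internal, wan1, wan2), the auto-created address object "internal", the built-in "default" security profiles and the built-in "certificate-inspection" SSL profile; policy IDs in the `move` command are assumed to match the demo (catch-all is ID 1, DNS policy is ID 3). The link-monitor stanza covers the SLA link monitoring the video defers to another part; it is an assumption about how that setup would look, included because without it a WAN link that stays "up" but stops passing traffic will not trigger the failover shown here.

```fortios
# Added example, not from the video. Assumed names: interfaces "internal", "wan1", "wan2";
# address object "internal"; default security profiles; SSL profile "certificate-inspection".
# "edit 0" makes the FortiGate allocate the next free policy ID, as the GUI does.

config firewall policy
    # Per-service policy for DNS. "utm-status enable" is required for the profiles to apply.
    # "logtraffic utm" is the GUI's Security Events; "logtraffic all" is All Sessions.
    edit 0
        set name "DNS"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "internal"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat enable
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set dnsfilter-profile "default"
        set ips-sensor "default"
        set logtraffic utm
        set status enable
    next
    # Per-service policy for web browsing: only the profiles that inspect web traffic.
    edit 0
        set name "HTTP HTTPS"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "internal"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set application-list "default"
        set ips-sensor "default"
        set logtraffic utm
        set status enable
    next
    # Backup path: identical source, outgoing interface wan2. Traffic only reaches it
    # once the routing table no longer sends the destination out of wan1.
    edit 0
        set name "admin to internet backup"
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "internal"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set dnsfilter-profile "default"
        set application-list "default"
        set ips-sensor "default"
        set logtraffic all
        set status enable
    next
end

# Policies match top-down, first match wins, so a per-service policy must sit above
# the catch-all. Assumed IDs: DNS policy 3, catch-all 1.
config firewall policy
    move 3 before 1
end

# Assumed link monitor for wan1: when pings to 8.8.8.8 out of wan1 fail, the static
# default route via wan1 is withdrawn and traffic follows the wan2 route and policy.
config system link-monitor
    edit "wan1-monitor"
        set srcintf "wan1"
        set server "8.8.8.8"
        set protocol ping
        set update-static-route enable
    next
end

# Verification from the CLI console
execute ping 8.8.8.8
get router info routing-table all
diagnose sys link-monitor status
diagnose sys session list
```

The `diagnose sys session list` output carries a `policy_id` field per session, which is the CLI equivalent of watching the byte counters in the GUI: after disabling wan1, new sessions should show the ID of the wan2 backup policy, and after wan1 recovers, new sessions should show the wan1 policies again. Disabling an interface in the GUI, as in the video, removes its route and so forces failover; the link monitor is what produces the same effect when the interface is up but the ISP behind it is not.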
Info
Channel: IgoroTech Official
Views: 15,219
Keywords: how to configure fortigate firewall policy - google.com, how to configure fortigate firewall policy - youtube.com, how to configure fortigate nat poilcy - youtube.com, how to configure fortigate nat policy - google.com, snat policy, source nat, fortigat snat, fortigate nat policy, fortigate snat, fortinet, nat policy, nat policy configuration, snat policy configuration, dnat policy, fortigate dnat policy, port forwarding, fortigate port forwarding, virtual ip, fortigate, interface
Id: WDu1uHnFLio
Length: 17min 12sec (1032 seconds)
Published: Sun Mar 26 2023