How to use Fortinet Zero Trust Network Access (ZTNA Demo)

Captions
Hey guys, so today I'm a bad actor, and I don't mean that in the way that you might think. So I recently got hired at this company and I'm pretty sure the network is vulnerable, and I'm going to try and infiltrate it, and I'm going to bring you guys along to show you how I do that. Let's go. So as you can see, I think through this door I can actually get into the network, and I'm not entirely sure how I'm going to do that, but I think I can figure it out. So let's try and get in. Yeah, the door seems to be locked. Let's try something else. Yeah, I don't think this is my door, sorry. Okay guys, so we're gonna try this again, but this time I've taken off my mask and I've got this white little tag on me. I think I'll be able to get in this time. Let's try. [Music] Yeah, this is definitely my door. [Music]

So hopefully you guys enjoyed that little dorky intro. I know I'm not the best actor, and I decided to have a little bit of fun with a green screen, and hopefully you guys can kind of summarize what this video is going to be about. Today's video is going to be about ZTNA for Fortinet. Now if you've watched my channel long enough, you know that I love Cisco, pfSense, etc., but in a corporate environment that we have that I manage, I use Fortinet devices along with Cisco. Fortinet has something that's really unique with their ZTNA. It's actually really easy to set up, and I haven't seen a lot of videos on this, so I decided to make one to kind of demo it, and hopefully I can do it a little bit of justice and show how you can use Fortinet's ZTNA. Let's get started.

So the first thing I'm going to do is head over to my FortiGate just to show you guys how I have that set up. Now this is one of the branches' edge firewalls, and we're going to head over to Interfaces just to show I have a LAN interface and I have an EP LAN interface. So I'm inside of my firewall policy, and my firewall policy out of the box is very simple: I just have an inside-to-outside policy that allows traffic to pass from my inside LAN interface to my outside LAN interface. Now this is not a WAN interface; this leads to our co-location, so I just want to make that very clear. That's why I'm not doing any NAT or any security profiles; I do all that on the co-location edge.

Let's head over to FortiClient now. For the clients, EMS is really cool because it lets us set up profiles, it lets us set up rules, and essentially, think of it as an orchestration for our client agents that we install on the computer, where we can then specify rules. So what we're going to do is come over here and create a new tag. We're going to go to Zero Trust Tagging Rules and we're going to click Add, and once I get these here I'm going to create a tag and I'm going to name it "youtube". And then from here this is where we actually create that tag, and I already have one created, which is "youtube", and I'm going to specify an optional comment, and I do recommend this for administrative purposes. We're going to say "allow youtube", and we're going to create a new rule. Now from here we can specify the OS type; in my case it's going to be Windows. We can specify a bunch of different options here, but in our case we're going to do an IP range, and I'm going to put in the IP address of the particular user that I'm going to allow to watch YouTube. So we're going to hit Save, but I do want to remind you here you can add more options, so you can specify multiple rules to tag your endpoints. So let me fix this right quick and we're going to hit Save, and so that's going to create a new tag of "youtube". And if we head over to Zero Trust Tag Monitor, this is going to take just a second, but it should populate here in a moment with that new tag once it detects that that user matches that tag. So let's give it just a moment. Let's go ahead and refresh, and sure enough, it's detected that we have one user that matches that rule that we set up, and now it's tagging them with a tag of "youtube". Now you can have multiple tagging rules; again, you can have multiple tags assigned to a user. So if this user worked in the IT department we could also tag them there, or if this user should have access to a web server we can tag them there.

So let's head over to the firewall. We're going to go ahead and log in here, and I've gone ahead and created a policy on this firewall to block YouTube, so let me show you what we have. So at the beginning of the video you saw I had the inside-outside, I had the outside-inside, and now I have a new rule that is the ZTNA block. So let me show you what that looks like. So all I did was I just created a block-all policy for a wildcard of youtube.com. So all I did was I went over here and hit Create, and I created a new FQDN wildcard of youtube.com, which is pulling all those addresses. So I just hit Deny, click OK, and I can see I've already got some traffic generated here. Let's head over, and on this user's PC, when I try pinging YouTube it doesn't work; as you can see, the request times out. If I come over here and try watching a video (dismiss that), you can see that the video is not loading. We'll try going back to YouTube here, and you can see nothing's really working.

So I'm going to allow this user based on that new ZTNA tag that I set. So you're going to want to make sure under Fabric Connectors that you have your FortiClient EMS Cloud synced up and with the latest information, and then from there we're going to head over to Policy & Objects > ZTNA > ZTNA Tags, and under here you should see that new tag that we just created. Now in my case it's not showing up, so it's likely not synced up with FortiClient EMS, so I'll be right back as soon as that pops up, and we'll continue going.

Okay, and we are back. So that took a little bit. I wanted to quickly go over the issue that I had with my tag syncing, because maybe someone else will run into this. What I did was I came to the administration guide for 7.0.1 and I made sure everything was connected up, but oddly enough for me everything was correct. So what I ended up doing was I deleted the Fortinet device, the FortiGate, out of the fabric devices and reauthorized it, and everything seems to be working; I have that tag showing up on the root firewall. So let's go into one of our branches and see if the tag is showing up under here, because I deleted this one, so let's see what happens. Yes, so I don't have any ZTNA tags showing up. So briefly let's go over how to do that. We're going to go to Security Fabric > Fabric Connectors, and here we should see FortiClient EMS, and it's not showing that it's working. So we're going to go back to our devices over here and refresh, and I see that the device is waiting to be approved. We're going to authorize it, and now when I go back over here and refresh, it should start working. So initially my issue was I had each one of my devices synced up to the root fabric device, which is this device here, and this device wasn't able to communicate, and because of that I wasn't able to pull those tags in. So I should be able to now. So let's go up to Policy & Objects > ZTNA > ZTNA Tags, and here in a moment this should refresh and I should have all those tags back. Let me go back and make sure that we are synced and ready to go. It's loading, and this message was really helpful because it's telling me that it's pulling my settings from the root FortiGate device, and when I saw that one wasn't connected, that was when I knew what my issue was. And we are set up. So let's go see if those tags have filtered through. ZTNA Tags: still, so far we're not seeing anything. Let's give it a little bit, and there we go. So it took a little bit to load those tags in, but we do have those now. So you can see we have that "youtube" tag.

And so now what we're going to do is create a policy to allow that tag. So we're going to call it "ZTNA allow", and we're going to tick ZTNA, and we're going to do IP/MAC filtering, and here we're going to specify that tag with IP. And we're going to say the incoming interface is once again our LAN, and the outgoing interface is our outside EP LAN. For the source, we could do a user group or an address; in this case we're just going to hit "all", because what we're doing is matching on that tag, so the source could be coming from anywhere, going to the destination of "all". Here we're going to specify the service that we are going to allow, which would be YouTube, and here for the service we could say "all" or we could be specific; in this case I'm just going to say... oh, we're going to take NAT off, and we're going to enable the policy. So now what's going to happen is we're going to drag this up above, so we should have an allow policy that's going to filter for the tag, and it's going to allow access to YouTube, and if the endpoint doesn't have that tag it's going to hit the next policy, which blocks altogether.

So we're going to head back over to our endpoint, and we should be able to watch YouTube now. So there we go. Let's go ahead and search for my channel, see if I can find myself, if I can spell my name. And I'm the first thing that pops up, but again you can see that it is now allowing us to watch YouTube. And just to prove that that policy is working, I'm going to pause that, we're going to go back over here to the allow, we're going to edit, and we're going to scroll down and disable the policy, click OK, and now we're going to go back and try watching this video. So let's refresh the page, and you can see it's just going to sit here and spin. But as soon as I go back over here and allow the policy again (so we're going to go back and hit Edit and we're going to enable the policy), this video should now load and start playing. So as you can see, that's pretty simple. I'm a really big fan of this. I can also come back under here and update the statistics, and once the firewall starts realizing that that policy is being hit and the user is watching, these statistics should start updating. So it's very simple to set up.

I'm going to put several of these articles in the description box, because it's really easy to set this up, and if you guys want to get this going in, let's say, a lab environment, it's really easy to do. So what you can do is you can head over to Fortinet's website, so we'll go to fortinet.com, and once we get here you will see a bunch of different things, but go to Zero Trust Access and then ZTNA. So this does require a license, but it's really, really cost-effective depending on the amount of users that you're going to have, and because it works really well, it's really easy to understand how it works, and you can even get further in depth than what I did here using proxies and whatnot. So this again is just a quick and dirty example, but if you guys want to get some hands-on experience learning this, what you can do is you can head up to their website at fortinet.com, and once you get under here you can take a look at the ZTNA. This will explain a little bit about how it works, and you can see here through this documentation you can learn a little bit more about it. But what's really nice is FortiClient EMS comes with a 30-day free trial. So let's search FortiClient EMS, and here we should find it, so you can sign up for the FortiClient EMS free trial. I think you get 30 days, or actually, I stand corrected: here it says the trial version is not time-limited and you can let it manage up to three clients. So I'm guessing if you have, you know, less than three clients, you could probably use this long term instead of even buying a license, which is pretty neat. I may be wrong there; I would recommend contacting the Fortinet reps and finding that out. But again, you do get an untimed license for up to three clients, and this is some of the stuff you can do, and one of those is endpoint integration with the Security Fabric, which will allow you to do the ZTNA like I just did. The only difference is this would be installed on a Windows server. I think they have a minimum OS requirement of at least Windows 2012 Server or, I think, Windows 7. I may be wrong there, but I think I tried setting up the on-prem version on a Windows server that was older than Windows 2012 and I couldn't get it to work, so make sure you check out what the requirements are for the OS to get this set up. But anyways, you would set that up, and then you would set up your fabric connector to point to the FortiClient EMS that is on-prem, instead of, as in my case, pointing to my cloud instance.

So that's going to wrap it up for this video. I know this was a quick and easy video; I didn't get too in depth on how the protocols work or how any of it works, and I do apologize about that, but I did want to make a short demo video of ZTNA from Fortinet, because I think it is a powerful solution to specify policies based on tagging rules that you specify, so that you can allow certain users to access certain server groups, you can block certain users from accessing certain websites, or you can do a quick and easy policy like I did if you just want to play around in a lab environment. That's going to do it for this video, guys. I greatly appreciate each and every one of you watching, everyone who comments and reaches out to me daily. I really appreciate that. If you're new to the channel, please consider subscribing or leaving a comment down below with any questions, and I'll try and get with you as soon as possible. Thank you.
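The FortiGate side of the demo (the wildcard FQDN object, the deny policy, and the tag-based ZTNA allow policy placed above it) written out as FortiOS CLI, as an added example that is not from the video or from Fortinet's documentation. The object and policy names, policy IDs, interface names "lan" and "outside", and the EMS-prefixed tag name are assumptions; the keywords follow the FortiOS 7.0 IP/MAC-filtering policy syntax and should be checked against the CLI reference for your firmware.

```fortios
# Added example, not from the video. Interface names, policy IDs and the
# tag name are assumptions; EMS tags appear on the FortiGate as
# "<EMS serial>_<tag name>", and the serial below is a placeholder.
config firewall wildcard-fqdn custom
    edit "youtube-wildcard"
        set wildcard-fqdn "*.youtube.com"
    next
end

config firewall policy
    # The "ZTNA block" rule from the demo: deny YouTube for every source.
    edit 3
        set name "ZTNA block"
        set srcintf "lan"
        set dstintf "outside"
        set srcaddr "all"
        set dstaddr "youtube-wildcard"
        set action deny
        set schedule "always"
        set service "ALL"
    next
    # The "ZTNA allow" rule: IP/MAC filtering, matching only endpoints that
    # EMS has tagged "youtube"; NAT off because the next hop is the
    # co-location link, not a WAN.
    edit 4
        set name "ZTNA allow"
        set srcintf "lan"
        set dstintf "outside"
        set srcaddr "all"
        set dstaddr "youtube-wildcard"
        set action accept
        set ztna-status enable
        set ztna-ems-tag "FCTEMS0000000000_youtube"
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    # Policies match top-down, so the allow must sit above the deny,
    # as in the drag-and-drop step in the demo. Untagged endpoints fall
    # through to policy 3 and are blocked.
    move 4 before 3
end
```

After the EMS connector is authorized, `diagnose firewall dynamic list` on the FortiGate is one place to confirm the tag and its member IPs arrived before expecting the allow policy to match.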
Info
Channel: Chad Emery
Views: 1,451
Id: qWD3P22soF4
Length: 16min 11sec (971 seconds)
Published: Sat Oct 02 2021