InterVlan routing on Fortigate Firewall | Lecture#5

Captions
Okay, today we're going to be looking at inter-VLAN routing in terms of the FortiGate firewall. You may have heard about router on a stick, right? So now we're going to do firewall on a stick in terms of the FortiGate firewall. Just a basic review of what we have done up until now: we have configured the WAN interfaces. I have my primary ISP, and I have set the administrative distance for this ISP's default route to be 4; if I were to show you, as of right now the distance is 4. I also have the secondary ISP up and running, and it's at its default distance of 5, so this guy actually gets up in the routing table. We have that enabled over here, and you can see the distance is 4. This is in terms of our WAN side. We haven't actually tested the failover as of right now in terms of the ISPs, but we will do that in the next video. For this video we are going to be super focused on inter-VLAN routing.

Now, in terms of inter-VLAN routing, you would remember that we configured two SVIs on this FortiGate firewall, which were the VLAN 25 SVI and the VLAN 35 SVI. If I were to show you, these were the SVIs that were created, with IP addresses of 192.168.25.1 and 192.168.35.1. The third octet which I'm using is the VLAN number, which is a best practice; you don't have to really do that, but we are doing that in terms of best practices. Now the two VLANs, even if they have IP addresses configured on them (as you can see over here we have 35.1 and 25.1, both of the IP addresses have been configured), still cannot communicate with each other.

Here is a diagram specifying the inter-VLAN routing in terms of the FortiGate firewall. We have three VLANs at our disposal which we will use in this lab: VLAN 25, 35 and 199. 25 is where I am at right now; my computer on which I'm recording all of this resides on VLAN 25, and my subnet is 192.168.25.0/24. My exact IP address ends in .5. I have a Windows Server 2012 server residing on VLAN 35 and its IP address is 35.200, and I also have an ESXi server which resides on 199.100; specifically, its management resides on that. As you know, in 192.168.x.0 the x is the VLAN number, so this is how it's all going. This is the core switch and the FortiGate firewall, and in between them, as you have seen in the last video, it's a trunk link.

Okay, so if I were to jump on my computer and do a ping to my gateway, which is 192.168.25.1, I can sure enough do that, but I cannot actually ping 35.200, which is my Windows Server 2012 server. Everything is up in terms of the layer 1 and layer 2 connectivity, but there is some policy that is stopping that on the FortiGate firewall. If you were to jump on Policy & Objects, Firewall Policy, you can see there's only one policy created that is set to allow, and that is going from the SVI for VLAN 25 towards WAN1; this is only hit when traffic is going towards the WAN1 interface. Apart from that, everything is an implicit deny, so everything is falling into this bucket as of right now in terms of communication. That is why VLAN 25 cannot communicate with 35 as of right now.

Okay, so now let's create a policy that will allow VLAN 25 users to communicate with VLAN 35 users. I hit Create New and I could specify a policy named SVI25_to_SVI35; you should name this policy in terms of what the policy will do. The incoming interface will be SVI25, right, and the outgoing interface will be SVI35. After that we need to specify what the source IP address or the source subnets will be and what the destination subnets will be. These are mandatory, so you have to go in, and it will pop up this Select Entries tab in which you have all of these objects that are already created. There are some addresses that you created when you were assigning IP addresses to the SVIs, remember that; if you don't remember that, I will show you just in a minute. But you could also create objects if you want to create new ones; they could also specify the same subnets if you want, just the name should be different.

So I'll just create an object for my subnet, which is 192.168.25.0 on VLAN 25. What I would like to do, what I always like to do, is to change the color so that I know this is the one I created when I'm looking at those objects. The type will be subnet; you can specify a range, a domain name (FQDN), a MAC address and so on, but we will only specify the subnet. The subnet is 192.168.25.0/24. If you tie this to an interface, for example if I tie this to only VLAN 25, what will happen is, hang on, let me show you: if I were to go to the destination IP addresses, the destination objects, you see that object is not showing up anymore, because that is not exactly correlating with the outgoing interface, right? But it will show up for the source interface, because that is correlating with the incoming interface. You get it. Apart from that, we had a static route configuration; actually you can use this object once you're creating static routes. Normally, whenever you're creating static routes, you have to define an IP address and a subnet. If you don't want to do that, you could click this option and you can use this object; this object name will pop up in the static routes configuration and you can specify based on that. So it's your call if you want to do that. Let's do that, and we'll see in the static route section soon that this entry will pop up. Clicking on OK, and I just click one time and the object comes in in the source field. Now you can have multiple objects here; it kind of acts like an OR statement if you have multiple objects, but for us there's only one subnet residing on this interface.

The outgoing object will be the 192.168.35.0/24 subnet. We don't have that created as of right now, so let's create that object, OBJ 192.168.35.0/24: change the color so that I know that I created this one, and the subnet is 192.168.35.0/24. You could be really specific if you want to and specify only IP addresses, but I'm not going to do that in this lab. I'm going to make it kind of like a router scenario where everything is allowed between the subnets. In your organization it may be a little different, because this is a home network that I'm deploying this on, so I don't have any problems doing this; so do make sure to check the compliance of your organization and then apply these policies accordingly. Clicking on OK, and as you can see I've got the object created now; just click it and there it is, we've got that destination object inside of the policy.

Then there's a schedule, as we discussed in the previous lecture, if you want the policy to be in place at specific times, which I will do, because my kids actually use YouTube a lot, so I need to block them from using YouTube for a specific amount of time; we'll do that later. Then we have Service: these are the TCP/IP and IP protocols, the full IP stack, in which you have IP protocol numbers (like OSPF uses 89) and port numbers; if you want to be specific for HTTP or anything you can do that. For this instance I'm going to allow the full IP stack, so I'm going to be clicking ALL. Action is set to accept or deny: if these policies match in one way or the other, what will be the action? If you want to accept the packet, obviously you will hit Accept, and if you want to deny them you can hit Deny, and everything else is grayed out, as you can see. So we'll just accept that. Inspection mode we will check out later, because it correlates with the security profiles; as you can see we have some other filters coming up, like the video filter, and we will look at that later.

Okay, the other thing is NAT. NAT should be disabled at all costs... well, not at all costs, it actually depends on your scenario, because I want this PC to communicate to my server with its original IP address of 192.168.25.5. There could be a case where you don't want that to happen; you could enable that, so the packet will go from my PC towards the gateway and VLAN 35 will NAT it, as in the server will see an IP address of 192.168.35.1, which is the SVI interface over here on VLAN 35. That could be a case; if you want to do that you can enable that on it, but usually you don't do that when you're doing inter-VLAN routing on a router or on a layer 3 switch. Apart from that, everything we will leave as default; we will check out all these options, don't worry, a lot of good stuff is coming your way in this series and we're going to test each of them out. Hitting OK, and as you can see the policy has been created.

Now let's see if I can now ping this guy. Sure enough, I can ping this guy. Let's do an RDP session to it; let's do Remote Desktop to 192.168.35.200, and we're inside the server now, so communication is happening. Now let's try to actually ping the host, which is me on VLAN 25, from the VLAN 35 server. It's going to be 25.5, which is my IP address, and as you can see I'm getting blocked; I cannot access the 25 subnet. Now why is that? Well, for that I made a slide; let me just minimize this. How this works with a firewall in between is that VLAN 25 hosts can talk to VLAN 35 hosts because the firewall actually creates a session table, in which it knows, okay, 192.168.25.5 was talking to 192.168.35.200, so it will create a session table entry for the return traffic. In no way will the firewall allow the initial packet coming from 192.168.35.200, in this case, to be routed towards 192.168.25.5, because it violates the rule, and there is no rule over here specifying, if the source interface and subnet is 35, what will be the case. There is no rule, so it's hitting the implicit deny rule over here.

So if we want to allow VLAN 35 to actually access the hosts on VLAN 25, what we can do over here is we have an option: we just right-click over here and Clone Reverse. It will create a reverse entry like that in a disabled state, so you can actually go ahead and edit whatever you want to edit. Let's go into that entry. As you can see, everything is kind of reversed now: the incoming interface has been changed from 25 to 35, the source has been changed from 25 to 35, and vice versa for the outgoing interface and the destination IP addresses. We will just name that SVI35_to_SVI25, hit OK, and the rule is disabled by default. Now if I were to go to the Remote Desktop over here, let's do a ping to 25.5 with a continuous ping, minimize that for a minute, and let's just enable this policy: set status to Enable. Now let's go back, and as you can see, the pings have started to work. Now we have full two-way traffic back and forth. If you have only one policy it will only facilitate one side of the session; it won't facilitate the other side. It's normal, actually; firewalls have been doing that for a long time. So this is how you create an inter-VLAN, firewall-on-a-stick style approach if you have this kind of a design.
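The behaviour the lecture demonstrates at the end (one policy carries a session's return traffic but never a new session in the other direction, until a cloned-reverse policy is enabled) is easy to lose among the GUI clicks. The following Python simulation is an added illustration, not FortiGate code and not from the Doctor Networks channel: it models a policy with the same fields the GUI shows (incoming/outgoing interface, source/destination address object, action, NAT, enabled), a route table that picks the outgoing interface, and a 5-tuple session table. The interface names SVI25 and SVI35, the route table and the sample packets are constructed for this example.

```python
# Added illustration, not FortiGate code: interface names, the route table and
# the 5-tuple session table are constructed for this example.
from dataclasses import dataclass, replace as dc_replace
from ipaddress import ip_address, ip_network

ROUTES = {"192.168.25.0/24": "SVI25", "192.168.35.0/24": "SVI35"}  # dst subnet -> egress


@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrived on
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Policy:
    """Same fields as the GUI policy: interfaces, address objects, action, NAT."""
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str  # address object as CIDR
    dstaddr: str
    action: str = "accept"
    nat: bool = False  # left disabled, as in the lecture
    enabled: bool = True

    def matches(self, pkt: Packet, egress: str) -> bool:
        return (self.enabled and self.srcintf == pkt.ingress and self.dstintf == egress
                and ip_address(pkt.src) in ip_network(self.srcaddr)
                and ip_address(pkt.dst) in ip_network(self.dstaddr))


def clone_reverse(policy: Policy) -> Policy:
    """What Clone Reverse does: swap interfaces and addresses, start disabled."""
    return dc_replace(policy, name=f"{policy.dstintf}_to_{policy.srcintf}",
                      srcintf=policy.dstintf, dstintf=policy.srcintf,
                      srcaddr=policy.dstaddr, dstaddr=policy.srcaddr, enabled=False)


class StatefulFirewall:
    def __init__(self, policies):
        self.policies = list(policies)  # evaluated top to bottom
        self.sessions = set()           # forward 5-tuples of accepted flows

    def enable(self, name: str) -> None:
        self.policies = [dc_replace(p, enabled=True) if p.name == name else p
                         for p in self.policies]

    def process(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. Packets of an accepted flow (either direction) need no policy lookup.
        if fwd in self.sessions or rev in self.sessions:
            return "accept (existing session)"
        # 2. Route lookup gives the outgoing interface the policy must name.
        egress = next((i for n, i in ROUTES.items() if ip_address(pkt.dst) in ip_network(n)), None)
        if egress is None:
            return "deny (no route)"
        # 3. First packet of a flow: the first matching policy decides.
        for p in self.policies:
            if p.matches(pkt, egress):
                if p.action == "accept":
                    self.sessions.add(fwd)
                    return f"accept ({p.name})"
                return f"deny ({p.name})"
        # 4. Nothing matched: the implicit deny at the bottom of the list.
        return "deny (implicit deny)"


SVI25_TO_SVI35 = Policy("SVI25_to_SVI35", "SVI25", "SVI35", "192.168.25.0/24", "192.168.35.0/24")


def demo() -> dict:
    """Replays the lecture: RDP from the PC, its reply, then a ping from the server."""
    fw = StatefulFirewall([SVI25_TO_SVI35])
    rdp = Packet("SVI25", "192.168.25.5", "192.168.35.200", "tcp", 51000, 3389)
    rdp_reply = Packet("SVI35", "192.168.35.200", "192.168.25.5", "tcp", 3389, 51000)
    server_ping = Packet("SVI35", "192.168.35.200", "192.168.25.5", "icmp")
    results = {"pc_to_server": fw.process(rdp),
               "server_reply": fw.process(rdp_reply),
               "server_ping_no_policy": fw.process(server_ping)}
    fw.policies.append(clone_reverse(SVI25_TO_SVI35))  # created disabled, like the GUI
    results["server_ping_policy_disabled"] = fw.process(server_ping)
    fw.enable("SVI35_to_SVI25")
    results["server_ping_policy_enabled"] = fw.process(server_ping)
    return results


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:28} -> {verdict}")
```

Running it shows the RDP reply accepted on the session table alone, the server's ping to the PC hitting the implicit deny both before the reverse policy exists and while it is still disabled, and accepted only once that policy is enabled. The point for a defender is that a single accept policy is not "VLAN 25 and 35 can talk"; it is "VLAN 25 may open sessions to VLAN 35", and the reverse policy is a separate, deliberate widening of what the firewall allows.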
Info
Channel: Doctor Networks
Views: 36,533
Keywords: Fortigate InterVlan
Id: LbDfiwbiN6Q
Length: 14min 50sec (890 seconds)
Published: Mon Dec 13 2021