FortiGate firewall training for beginners

Mar 21, 2024
To harden your firewall, one of the first things is unused interfaces: disable them. If you have interfaces that you want to disable for a particular protocol, just disable them using config system interface, edit the interface that you want to disable, and there you can disable DHCP relay services, you can disable the PPTP client, ARP forwarding, etc. Another thing that's pretty common for any FortiGate, and something I'm not familiar with on other firewalls that may or may not have the same functionality, is known as the maintainer account. The maintainer account is actually a backdoor into your FortiGate.
If your administrator has lost their password, it allows you to log into your FortiGate using what is known as the maintainer account, which is actually the serial number of your FortiGate with the maintainer user, so you can disable it. On most FortiGates I think it is enabled by default. Set the maintainer admin account to disabled. So you have your new FortiGate; how is it configured? Coming soon, for more easy setup tips for your FortiGate firewall, subscribe now and don't forget to click the bell notification and you won't miss a thing. So you've got your new FortiGate firewall, what do you need to do?

You have probably connected your FortiGate to your computer using a network cable and configured it. FortiGate devices come with at least one of the ports, which is usually port 1, already configured with the IP address 192.168.1.99. You need to configure your PC to be on the same subnet as the interface IP address of port 1, and from there you start configuring your FortiGate. Now, you can configure a FortiGate using the GUI, which has many features; it even has a feature visibility setting in the system settings so you can disable or enable features that are not shown here.
Now, you can configure your FortiGate using the GUI and you can configure it using the command line. FortiGate experts use the command line almost all the time. We'll look at the command line, but we'll work our way through using the graphical user interface. To get to the command line you click here; it's actually a JavaScript application that runs on top of the admin web application. Probably the first thing you'll want to do is note down the system status, so you can see your FortiGate's serial number, what assets it has, what hardware acceleration it supports, whether it is using a hard drive or a flash drive, the current security profile database, etc. Now go into the interfaces. You probably have an interface that you are connected to, which will be the management interface.
Now you need to connect one of your interfaces to your Internet Service Provider, either through a modem router, or you can use your FortiGate as the router itself. Each interface has a physical port that you can connect to different subnets in your network. Now let's edit an interface and see what's inside. You can name your interface according to the subnet in your local area network; suppose we have a management subnet. Now you can define it with a specific role: it can be DMZ, an undefined role, LAN or WAN, so let's use LAN. So now we know that we have a management LAN connected to port 8 on our FortiGate. The addressing mode can be manual or it can be DHCP; let's use the manual option and set it to 192.168.2.1/24, since we are using a /24 subnet. Now this address is the address of the gateway interface, so any computer that connects to port 8 will get an IP address on that subnet, which is 192.168.2.0, but its gateway address will be 192.168.2.1. Now we will also enable the DHCP server, so whoever connects there is a pool of IP addresses it will take from.
We will look at the DHCP server very soon, but first we need to configure administrative access: which protocols to support for administrative access. We will only use HTTPS and HTTP for now; we can also use SSH, and we can also configure it to support pings from hosts on that subnet, or FortiManager access, but we won't do that now. LLDP is a protocol that allows discovery between devices on the network; it doesn't really matter, you can disable it or keep it for now. Now we have a DHCP server; as I said, any client that connects to that port will receive one of the IP addresses from the pool.
You don't have to use the entire range; you can use only 20 IP addresses. You can keep the DNS server the same as the system DNS configured here, or you can specify your own DNS server; let's specify the Google DNS server. You can control the lease time and, if you click into the advanced settings, if you have a DHCP server that is part of your domain, one that is not your FortiGate interface, you can configure its IP address here, and then whenever a DHCP packet arrives on that interface it will be relayed to that DHCP server. But for now we are using the gateway interface as the DHCP server. You can configure an NTP server, and this option, for more advanced users, is DHCP options, and you can assign different IPs to different devices depending on their MAC address.
Another option is device detection. Device detection allows your FortiGate to detect which devices and operating systems are on the network. This is one of the things you should keep enabled. Don't bother with the explicit web proxy. You can enable a captive portal, so if you have outsourced employees and want them to land on a page that asks for user credentials, you can do that too, but we'll skip that for now. So this is the basic setup of the interface. Okay, now we have a management interface. We have another interface, which is the interface that you connect to your ISP router; we will call it wan1. The role is WAN. We can use DHCP, and if we want to make it more reliable we will use a static IP address. So my gateway interface is 10.0.3 and my router is actually 10.0.3.1.
I have enabled HTTP and HTTPS, and as you can see you don't have a DHCP server as long as your interface role is WAN; that is one of the best practices of using the WAN role for an interface. Okay, so we have a management interface and we have a WAN interface. Now we want our administrators, who are connected to that port, port 8, to go out to the Internet, so the next thing you need to do is configure a policy. Now we will configure a very basic policy, which is a full access policy.
Let's call it Managers One. The incoming interface is management, which is our managers' LAN interface. The outgoing interface is wan1; that's the interface that's connected to our ISP router, that's the interface that takes them off the LAN and into the Internet. Now, as far as the source goes, for this video let's make it very generic: anyone can go. We can set up user groups and different users, and we can also configure sets of parameters that control different users, but for now, as for the source, anyone can leave. For the destination, they can go almost anywhere; we can also create specific objects that will allow them to go to specific places, but for now they can go almost anywhere. As far as scheduling, we are not limiting them to specific times or days, so for scheduling again they can access the Internet at any time of the day. As far as service, we can deny them exit on specific services like FTP, but for now, for our specific policy, we will allow them to use almost any service.
Now the action is accept; we can also create a policy that will deny specific services or specific users from exiting or doing specific things. Now the action is accept. The inspection mode is another topic that we will look at: the inspection that is carried out on our networks when we use security profiles such as antivirus or IPS. For now we will keep it in flow-based mode. Now we will use NAT. NAT is network address translation: our private IP address, which can be 192.168.2.6, will be translated to your FortiGate's or your ISP's public Internet address.
Now we won't use security profiles... you know, let's use antivirus. Use the default antivirus profile. We will use certificate inspection; when we use certificate inspection your FortiGate checks the different fields that come in the servers' certificates to see if they are valid, if they have no discrepancies, etc. The last thing is our logging options: we can log only security events, but we will log all sessions so that we can later look at the log report and see what our users or our hosts did. Right, so we have an administrator policy and two interfaces, the one that connects us to the outside and the management interface to which the managers of our company can connect and obtain their IP addresses. That was the second step. Now the third step is to configure a static route; the static route, for our use, will be a default route. I already set one up, so let's look at it; if you want to create a new one, just create a new one. The default route will actually tell your FortiGate that every time it sees a packet, whatever packet it is, intended for anywhere that doesn't have a route in the routing table, it will route it to the WAN interface, and the WAN gateway address is 10.0.3.1; remember my ISP router has that address. Now you can use specific parameters like distance, you can use a priority. It just tells me that I already have that static route, which I do. Once we have a static route, a policy and interfaces configured correctly, we can connect our hosts to the management interface and those hosts can now go online. Let's go to our CLI and see how we configure the interfaces using the CLI.
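The three steps walked through above in the GUI (management interface with its DHCP pool, the full-access policy, and the default route), as one FortiGate CLI build. This is an added example, not the video's own output; port8, wan1 and the 192.168.2.0/24 and 10.0.3.1 addresses follow the video's lab, while the wan1 address 10.0.3.2, the pool range, the policy ID and the policy name are assumptions.

```fortios
# Added example (not from the video). Interface names and the LAN/ISP
# addresses follow the lab; the wan1 address, pool range, policy ID and
# policy name are placeholders chosen for illustration.

# Step 1: management LAN on port8 and the WAN interface toward the ISP.
config system interface
    edit "port8"
        set alias "management"
        set role lan
        set mode static
        set ip 192.168.2.1 255.255.255.0
        set allowaccess https http ping
        set device-identification enable
    next
    edit "wan1"
        set role wan
        set mode static
        set ip 10.0.3.2 255.255.255.0
        set allowaccess https http
    next
end

# DHCP pool for the management LAN: 20 addresses, Google DNS, gateway = port8.
config system dhcp server
    edit 1
        set interface "port8"
        set default-gateway 192.168.2.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 192.168.2.10
                set end-ip 192.168.2.29
            next
        end
        set dns-service specify
        set dns-server1 8.8.8.8
    next
end

# Step 2: full-access policy "Managers One": any source, any destination,
# always, all services, accept, flow-based inspection, NAT, default
# antivirus profile, certificate inspection, log all sessions.
config firewall policy
    edit 1
        set name "Managers_One"
        set srcintf "port8"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set action accept
        set inspection-mode flow
        set nat enable
        set utm-status enable
        set av-profile "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
end

# Step 3: default route through the ISP router on wan1.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 10.0.3.1
        set device "wan1"
    next
end
```

A host on port8 then gets a 192.168.2.x lease, matches policy 1 on its way to wan1, and is NATed out through 10.0.3.1; tightening srcaddr, dstaddr and service from "all" is the next step once the basic path works.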
For the sake of our purpose, let's configure port 7. So using the CLI we will use config system interface; now let's edit port7. As we said, let's configure its IP to 192.168.4.1 with a subnet of /24. Let's configure management, the management protocols, on HTTP and HTTPS, and what else can we use? Many more, if you look. Let's finish. Now I want to show something. When you configure the system interface, let's go out here to config system interface, and if we look at the ports, port1 for example, we can use show full-configuration and as you can see there are dozens of settings and features you can add. For our sake we have only enabled the IP address on that interface, and let's see it: let's refresh our page, port 7, and there it is. Now we can also configure the DHCP server and so on; we haven't done that in our CLI. The last thing I want to show you once you get into your FortiGate is actually the FortiGate administrators. Now you have two types of administrators; you actually have more than two types, but the two most common types are the super administrators, who have privileges for almost anything, you can read and write, and you can create another type of administrator, which is the prof_admin administrator, where you can enable different read and write privileges in the different places of your FortiGate. If you go to the CLI and use config system admin, you can edit the administrator name.
I have two administrators. I have one that is the super administrator and the second one, which is "offer test", which is my second administrator. So now let's look at the different settings that you can add to your admin; again, a lot of settings. That's not the only place where you can configure different things; you can also configure it globally, which is config system global. But one of the things I wanted to show you is that you can strengthen your administrator account using a trusted host, so you can also see it here. Sorry, here you can configure a trusted host, which is a trusted IP address from which only your administrator can get in, so you can configure the IP address of your office at your work and you can configure another trusted host which is your home IP address; only from those two IP addresses can your administrator log into the FortiGate.
You can also set up two-factor authentication, which is also a very common security procedure that you can use: FortiToken, and you can also use your email as two-factor authentication. We'll just show you how to do it. Let's clear that, so we can use config system admin. Now let's edit the profile from before and configure the two-factor email: set two-factor email, and let's set it up on one of my Gmail accounts. Let's finish, and now if we go back to our administrator profile, look at it again, and you can see that now you can use email-based two-factor authentication. So let's create a system interface and a DHCP server using the command line. The following is part of the basic firewall training. We will configure an interface and a DHCP server; let's do it on port 4. We will do it using the command line, so let's just use config system interface. All right, let's edit port4, let's set the IP to 10.0.7.1/24 and let's set allowaccess, the management protocol access, to ping http https. We can also set the weight for that interface; let's just give it a weight of 250. We can set different settings for that interface, but we'll end with that one, which will be our local area network interface for our finance department.
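The hardening settings this training covers in two places, the maintainer account and unused interfaces at the start, and the trusted-host and email two-factor settings for the admin account just above, collected into one FortiGate CLI fragment. This is an added example, not the video's own output; port9 as the unused interface, the admin name, the two trusted addresses and the email address are assumptions.

```fortios
# Added example (not from the video): hardening settings from this
# training as entered on the FortiGate CLI. port9, the trusted-host
# addresses and the email address are placeholders.

# 1. Disable the maintainer account (serial-number login on the console).
config system global
    set admin-maintainer disable
end

# 2. Shut down an unused interface and strip the services it does not need
#    (assumes port9 is unused).
config system interface
    edit "port9"
        set status down
        set dhcp-relay-service disable
        set pptp-client disable
        set arpforward disable
    next
end

# 3. Restrict the admin account to two trusted hosts (office and home
#    addresses are placeholders) and require email two-factor
#    authentication. Email 2FA needs a working system email server
#    (config system email-server).
config system admin
    edit "admin"
        set trusthost1 203.0.113.10 255.255.255.255
        set trusthost2 198.51.100.25 255.255.255.255
        set two-factor email
        set email-to "admin@example.com"
    next
end

# 4. Verify the result.
show system global | grep admin-maintainer
show system admin admin | grep trusthost
show system admin admin | grep two-factor
```

With trusthost1 and trusthost2 set, login attempts for "admin" from any other address are rejected before the password is checked, and every successful password check is followed by the emailed token prompt.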
Now, the second thing we can do on port 4 is configure the DHCP server on that interface: config system dhcp server. Let's edit that server, create a new entry, and let's set the default gateway for that DHCP server to 10.0.7.1 and also set the interface we are creating to port4. Now let's set the IP range, the set of IP addresses that will be leased to clients connecting through that interface, and for that we will use config ip-range and edit 1, and we will set the start IP to 10.0.7.2 and the end IP to 10.0.7.11. All good. Next, let's set the netmask 255.255.255.0, that's /24, and let's set the DNS service to default. Now let's finish and refresh our page; remember port 4, let's refresh, there it is, and here we can see we have our LAN on port 4, that is our finance LAN, that is the IP of the LAN gateway, that is the administrative access, and here is our DHCP server that starts at 10.0.7.2 and goes up to 10.0.7.11, and the DNS server is the same as the system DNS. Two-minute CLI commands: this time, diagnose sniffer packet. Diagnose sniffer packet is one of my favorite commands, because it actually allows you to capture the traffic, sniff the traffic just like tcpdump or Wireshark. The syntax is like this: diagnose sniffer packet, and then you need to include the interface, so we'll use any, but you can choose port1 or port2. After that you actually filter the traffic; you can filter it using source, destination and protocol. We will use host, so we will use host 10.0.3.1, which is my gateway. Then comes the verbosity level, which is how much data you want to include.
I'll choose 4, and we can also add the count, which is the packet count, so let's add ten packets, and if you want a timestamp you can add the letter a. So let's get started, and there we have it. Now you can play with the different filters and the different verbosity levels. If you want a packet capture without using the diagnose sniffer but instead using the GUI, you can do it in Network, Packet Capture, and in packet capture you will find that you can choose the interface and use the different filters. We have already learned how we can list system processes and display their output on the command line.
Now in this video we will see how you can kill different processes that consume too much memory or too much CPU power, and how we can list the most demanding processes in our FortiGate. For more easy configuration tips for your FortiGate firewall, subscribe now and don't forget to click the bell notification and you won't miss a thing. So you're using high-level encryption on your VPN, you are using IPS to scan for different patterns and anomalies, you are using antivirus and it keeps logging almost everything. All of this consumes a lot of CPU and memory resources, so let's take a look at the diagnose sys top command.
Let's use a refresh interval of 20 and 10 processes. Now, using the character m, you just need to type the character m, we can sort by the processes that consume the most memory, and in our case it is the DNS proxy. If we press the character p, p is for CPU, we will see the different processes that consume the greatest amount of CPU resources, and in our case it is the HTTPS daemon. Now the next step is to kill the process that causes you many problems; that's the last step before restarting your FortiGate. To kill a process, you use diagnose sys kill. Now you enter what's called a signal, which is a term that comes from Linux and Unix, which is actually a lightweight way of asking your system to stop the process, or it can be a more aggressive way of telling your system to end the process, depending on the number. Now we can use different signal numbers; we will use 15, which is an aggressive way of telling your system to kill that process, and then we will list the process ID. The process ID, as we know, is the second column, so let's use the dnsproxy process, which is 94.
Very good, now we have just killed that process, and here we can see that the DNS proxy process has actually ended. We saw that we can list processes, sort them and even terminate them whenever they demand too many resources. In our last part of knowing your processes, we will see how, with one CLI command, we can see the most CPU-demanding processes. For more easy configuration tips for your FortiGate firewall, subscribe now and don't forget to click the bell notification and you won't miss a thing. One of the features we saw using the diagnose sys top command is that we can list the most demanding processes, whether CPU or memory, by pressing the m and p characters.
Now there is another command, which is get system performance top, which lists only the most demanding CPU processes. Let's see it in action, so we use get sys... sorry about that, get system performance top. Now you will see the most demanding processes, the processes that require the most CPU in the second column from the right, which is the CPU column; the column farthest to the right is, as we now know, the memory column. You will see different processes such as ipsengine, the antivirus scanner, newcli or even sshd, the SSH daemon. Now when a process is too demanding in terms of CPU you may need to kill that process, and we saw how to do it using diagnose sys kill with a signal level and a process ID. Firewall rules are basically the bread and butter of all the firewalls out there; it doesn't really matter if your firewall is a next-generation firewall, every time you access the Internet and you are using a firewall then you are required to follow the firewall rules. What are firewall rules and how are they created?
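The capture and process commands from the two short CLI sections above (diagnose sniffer packet, diagnose sys top, get system performance top and diagnose sys kill), as typed on the FortiGate CLI. This is an added example, not the video's own output; 10.0.3.1 is the video's ISP gateway, while the port 53 filter and the PID 94 are placeholders.

```fortios
# Added example (not from the video). 10.0.3.1 is the lab's ISP gateway;
# the DNS filter and the PID are placeholders.

# Capture 10 packets to or from the gateway on any interface, verbosity 4
# (packet headers plus the interface name), with absolute timestamps (a).
diagnose sniffer packet any 'host 10.0.3.1' 4 10 a

# Same capture narrowed to one interface and one service (DNS to the
# gateway); the filter uses tcpdump-style syntax.
diagnose sniffer packet port1 'host 10.0.3.1 and port 53' 4 10 a

# Live process view: refresh every 20 seconds, show 10 processes.
# Press m to sort by memory, p to sort by CPU, q to quit.
diagnose sys top 20 10

# One-shot listing of the busiest processes (CPU column second from the
# right, memory column farthest right).
get system performance top

# Terminate a runaway process by PID (second column of diagnose sys top).
# Signal 15 (SIGTERM) asks the process to exit; signal 9 (SIGKILL) forces
# it if it ignores 15. FortiOS restarts its own daemons afterwards.
diagnose sys kill 15 94
```

Run the sniffer with a small count first: without the count argument the capture keeps going until you press Ctrl+C, and verbosity 6 on a busy interface is itself a CPU load.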
Coming soon, for more easy setup tips for your FortiGate firewall, subscribe now and don't forget to click the bell notification and you won't miss a thing. A firewall rule is nothing more than a set of criteria that your traffic must meet. Every time an IP session occurs on your network, a set of rules is compared against that traffic; if your firewall does not find a match on the first rule then it moves on to the next rule. The rules are handled from top to bottom. Now let's see how a policy rule is configured and what objects are used to create that match. In each rule set there is always the implicit deny rule that sits below all the other rules, i.e.
if your firewall does not find any match for the traffic, then the traffic goes to the implicit deny rule and is dropped. So when we start configuring our firewall rule we have, as we said, an implicit deny rule at the bottom, and from there we start setting up the different criteria that will be compared against your traffic. Now we start with the name of the rule itself; as for naming conventions, don't use too many characters, don't use spaces between words, try to use underscores. The second thing is the incoming interface. What is the incoming interface?
Well, that's the interface your local area network is connected to, your DMZ is connected to, whatever interface the traffic is coming from. The next criterion is the outgoing interface. Usually there is a full access rule in the access policy whose outgoing interface is your WAN interface: you configure your rule to allow traffic from the LAN to the WAN and the Internet, but it can also be another segment of your enterprise, another LAN, it can be the DMZ. The incoming interface is known as the input interface; the outgoing interface is known as the output interface, so we have two interfaces, input interface and output interface, and from there we move to the source, which is the source that generates the traffic. It can be your clients; it can be "all", which is any IP address; or you can use what are known as firewall objects, a specific IP address within your local area network. It can also be a user or a group of users that is stored in the internal database of your firewall or on a remote authentication server such as LDAP or a RADIUS server. Another criterion is the destination: what is the destination to which your traffic is directed?
It can be any destination, i.e. any IP address; it can be a specific IP that you can configure; or it can be a domain or maybe an Amazon Internet service. So make sure you are granular, don't just use any or all, be specific. If you are setting up a full access policy that will allow anyone to access the Internet then it will probably be all. If you are configuring a specific destination, make sure you configure the objects in advance and use them in your rule. Next is scheduling: do you want your policy to work 24/7 or do you want it to work at specific hours, specific days, recurring days? There are probably cases where you will be asked to open a firewall rule for specific devices on your local area network.
It could be a backup device. It could be network-attached storage. Make sure you know what times those devices need that firewall rule. Next is the service, that is, what protocols are used in your firewall rule. Are you using only HTTP, HTTPS and DNS, i.e. port 80, port 443, port 53, or are you allowing your employees to access almost anywhere using any protocol available, including FTP, SSH, etc.? Again, be careful with the services you allow. And the last thing is the action: are you denying or allowing traffic based on that match? Now, actually, this was just the first part of the policy or rule-making.
The next thing, once you have a match, is going through the security profiles: going through the antivirus, application control, IPS, etc. The other thing you will need to consider is whether you are using network address translation, and whether you are logging all sessions or just security events. If you watch my channel, you will find dozens of videos related to security profiles and other features of your firewall, so subscribe and see you soon. There are times when we need to customize our own IPS and application signatures. A quick guide to creating your own signatures will be published soon. Don't go anywhere. For more easy configuration tips for your FortiGate firewall,
subscribe now and don't forget to click the bell notification and you won't miss a thing. When we talk about intrusion prevention systems we talk about an engine that compares traffic with known threat signatures and anomalies. Now every time the IPS engine alerts us it is our responsibility to block, monitor or allow the traffic. Signatures allow us to identify malicious attacks, and the question that arises is why do we need to create our own custom signatures? Fortinet has already provided us with thousands of signatures. There are two main reasons: first, sometimes we use a specific application, we use our own toolset or our own custom topology for our needs, and we need to create custom signatures that match; and the second reason is for attacks that somehow don't have a signature yet. So how do we create one?
Let's go to the signature view of our IPS sensor page and create the following. This signature is probably the most basic; if you want more advanced signatures, please leave a comment in the comments section. Our first signature will allow us to block the cnn.com website. There are dozens of ways to do this using a web filter or application control, but we're here to learn how to customize our own signature, and that's a good start. Now, each signature starts with a header. The header of each signature starts with F-SBID; that's the header text, and then we open parentheses, and inside the parentheses we enter the signature matching criteria. The criteria of those signatures are described using a keyword and a value. You can use just one keyword and a value, or different keywords, separating the different keywords with a semicolon. The first keyword is usually the name of the signature; we have to give our signature a clear description of the attack, and then we define what triggers the signature: what is active in the attack, what type of protocols we are analyzing, the flow of packets, the number of packets we are looking for, matches in the traffic itself. We match based on specific headers, specific patterns, thresholds like in rate-based engines, and for that we use keywords. Two types of keywords, for example, are service and protocol. Now in the service we determine, as in our case, that the service is HTTP, since we want to block a website. For protocols, we can specify whether we will use TCP, as most websites use, or perhaps we plan to block our site not only for users who use TCP in their browser but also for users who connect to that website using different protocols like FTP. Each keyword should start with a couple of dashes. Another keyword is flow, which is the flow of traffic: is it coming from the server towards a client or from the clients towards a server, or it may be bidirectional. In our case we want to block any user, our clients, from going to a web server, which is the cnn.com web server. There are many more parameters and patterns that we can add, but this is the basic syntax that we use to customize our signature. So let's try one right now: let's name our signature and add some comments, so we'll start with F-SBID and open the parenthesis.
Now let's choose a name for the custom signature, and our name will be block cnn.com. The next thing we need to do is add a pattern; we will use a regular expression pattern, which is cnn.com, and now our FortiGate will detect the URL. As we add the service, which is HTTP, it will know to only look for that specific signature in the HTTP protocol. Note that we divide the different keywords with a semicolon. Now we will configure the protocol, which is actually the traffic type: the FortiGate will only detect this signature in TCP traffic, that is, if we send mail to that URL via SMTP or if we connect to that URL via FTP it will not do anything; it will just block the website over HTTP traffic. By default the patterns are case sensitive, so if we want the FortiGate to block any attempt to reach that URL using upper or lower case, we will use the --no_case keyword, and now let's limit the scan to only traffic that is sent from the client.
We can also use bidirectional, but in our case we will use --flow from_client, and the last thing you need to do is add the --context host keyword, which matches the domain name in the Host field as it is resolved by DNS. So that was our basic signature. Now if you want us to create more detailed, more complicated signatures, just leave a comment in the comments section and I will do it. In this video we will show you the top 5 IPS commands for your FortiGate, and we are starting right now.
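The custom signature built above, written out in F-SBID syntax and stored on the FortiGate CLI under config ips custom, together with the config ips global settings (database, engine count, acceleration) and the ipsmonitor test menu that the next section goes through. This is an added example, not the video's own output; the signature name, the sensor-independent action/log settings and the comment text are assumptions.

```fortios
# Added example (not from the video). The signature name and the
# action/log/comment values are placeholders.

# Custom signature: keywords are separated by semicolons and each starts
# with "--". The pattern is matched case-insensitively (--no_case) against
# the HTTP Host field (--context host) in client-to-server (--flow
# from_client) TCP traffic of the HTTP service only, so SMTP or FTP to the
# same name is not touched. Inner quotes are escaped with a backslash.
config ips custom
    edit "Block.cnn.com"
        set signature "F-SBID( --name \"Block.cnn.com\"; --pattern \"cnn.com\"; --no_case; --service HTTP; --protocol TCP; --flow from_client; --context host; )"
        set action block
        set log enable
        set comment "training example: block cnn.com over HTTP"
    next
end

# Global IPS settings covered in the next section: extended signature
# database (on models that support it), let the FortiGate pick how many
# IPS engines to run (engine-count 0), and CP ASIC acceleration.
config ips global
    set database extended
    set engine-count 0
    set cp-accel-mode advanced
end

# Interactive IPS engine test menu (bypass, disable, restart, statistics).
diagnose test application ipsmonitor
```

The custom signature only takes effect once it is added to an IPS sensor that a firewall policy applies; the Log Details of the resulting IPS log show "Block.cnn.com" as the attack name, which is the quickest way to confirm the match is on the Host field rather than elsewhere in the request.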
The inclusion of IPS in your FortiGate is one of those things that makes your FortiGate a next-generation firewall: it deals with exploits, it deals with anomalies. The IPS engine is almost everywhere, so let's start with our first command, which is config ips global. There are FortiGate models that also support the extended database, which includes many more signatures, so to check it, set database, and you can use the regular database and you can also use the extended one; so if you have the extended one, feel free to use it. When we create or configure IPS sensors, we must plan them carefully, because they consume a lot of resources on your FortiGate in terms of CPU and memory. Now, every time you go to your IPS signatures page and add signatures,
think about two main things. First, operating systems: if you are using a Windows-based network, don't choose any Mac OS or Linux-related signature. The second thing is the direction of the traffic: if you are protecting clients, use only signatures intended to protect clients; if you are protecting servers, do the same. The following command is for those running a FortiGate with multiple processors: you can actually run multiple IPS engines simultaneously, so how do you do it? You go to your CLI, config ips global, then set engine-count. Now if you set the integer to 0 then the FortiGate will choose how many engines will be used simultaneously, but you can also change it according to your needs. Your IPS engine needs as much power as you can get. There are many FortiGate models that support hardware acceleration, either using the NP ASIC or the CP ASIC.
Mine uses the CP ASIC, so why not give it to it? Use config ips global and then configure, in my case, set cp-accel-mode. For those that support NP, just use set np-accel-mode and set it to basic or none, or in this case an advanced mode that supports more IPS patterns. Your IPS engine consumes a lot of memory and CPU cycles. Now, if you see spikes on your FortiGate due to high CPU usage etc., you can run diagnose test application ipsmonitor, and there you will see different tests that you can do on your IPS engine. You can disable it completely using option 2, or you can toggle the bypass state, which actually means the IPS engine is working but not scanning the traffic. So try those options whenever you have problems with your IPS engine, and before you finish, subscribe for more videos like that. So you have decided to take the NSE 4 exam. Now what do you do? How do you practice? What do you need to know? Well, in the next video we will see the best tips so that you are prepared. The first tip is to be practical: leave aside the dumps, leave aside the study guides, go to the Fortinet support site, download one of the VM images from the latest builds, open it in the browser of your choice and start playing: create new interfaces, configure the different services on those interfaces, create new policies. Even if you don't have any other machines to play with, think or dream about different use cases, like anyone on your LAN is prohibited from using FTP traffic except a specific device; how do you configure that policy?
How do you create a firewall object for that device? So think, explore and play with different use cases. The third thing: play with security profiles, configure new profiles, understand how they work and apply them to your policies, and understand how they actually work, whether in flow-based inspection or in proxy mode; the theory behind those two is crucial to understanding how security profiles work. The second tip is to understand the terms. Go to diagnose sys session list on your command line. Once you do this, you will see so many terms in the result that may seem scary the first time: what is proto number 6, what is state number 6, what does source modeler mean, what is the serial of that session, what is an NPU? Understand the terms, understand how sessions work on your FortiGate. Your FortiGate is a session-based firewall, so just understand the different numbering for different protocols: the TCP protocol is protocol number 6, the UDP protocol is protocol number 17, ICMP is protocol number 1, and each has different states. Understand the numbering, and you will see more terms like fail-to-open or dirty, many terms that you need to consult the Fortinet documentation to understand, as in the exam itself you will probably see output with those terms.
Understanding the basics means that you need to know how the different components of your FortiGate actually work. If you play with antivirus, you have different databases: clear the screen, go into the antivirus settings, and you can configure the different databases from the command line. Are those databases downloaded locally to your FortiGate, or do they use a cloud lookup? The same applies to the web filter: when you create a new profile you have the FortiGuard category-based filter; is that a database being downloaded or a cloud lookup? Another example is the routing table. If you look at it from the CLI with get router info routing-table all, does it take precedence over a policy route, or does the policy route take precedence over the normal routing table?
These are the basics; understand them, as you will probably get some questions on those topics in your exam. You will also face network troubleshooting questions, so look very closely at the topology and at the output of tools such as diagnose debug flow or diagnose sniffer packet, and work out the reason: it may be a network problem, it may be a policy issue, it may simply be that there is no static route to the destination. Look closely and understand the topology before answering. We tend to forget it, but your FortiGate can work in transparent mode and act as a switch.
It then becomes a device with a single broadcast domain and a management IP. You can set the operation mode to NAT, which makes it a layer 3 device, or transparent, which makes it a layer 2 device. You will be asked questions about VLANs, about the virtual wire pair, and about your FortiGate as a device that sits between two network segments and does no routing, only scanning the traffic that passes through it, so know your way around your FortiGate when it works in transparent mode as a layer 2 device only. Your FortiGate is part of a Security Fabric with multiple components on the network itself.
You won't have to answer questions about FortiAnalyzer or FortiManager; those are different components with their own certifications. But you will need to understand how load balancing works in SD-WAN (software-defined WAN): how to prioritize traffic based on load-balancing algorithms or on the different service level agreements (SLAs) that you create. You will also need to know what HA is. High availability is how you create a redundant FortiGate alongside your main FortiGate; you can build it in active-active mode or active-passive mode. Understand the priority that decides which unit becomes the primary and which the secondary FortiGate.
Understand how sessions are distributed among those components. Remember that your FortiGate is a network device and, as such, it implements redundancy and load-balancing algorithms that you need to master. One of the main jobs your FortiGate does is to authenticate users as they enter the network. You need to understand how a user is created, how to connect to remote authentication servers such as LDAP or RADIUS, what single sign-on is, how to create a proxy, what an explicit proxy and a transparent proxy are, how to push proxy settings using a PAC file, and what an authentication rule is. Understand the purpose of authentication and what it takes to authenticate different users using passive or active authentication; you will probably be asked about it throughout the exam.
Make sure you fully understand the whole nature of authentication. Every time you send a ping, an ICMP echo request, from one of your FortiGate interfaces or source addresses, the defaults are: the packet is sent five times, with a data size of 56 bytes, at an interval of one second, and with a timeout of two seconds. Let's see how we can tune your ping settings. For easier configuration tips for your FortiGate firewall, subscribe now and don't forget to click the bell notification so you won't miss a thing.

Ping, an ICMP echo request, is probably one of the most used and simplest network troubleshooting tools, so let's open up our ping settings and see what can be done. We start with execute ping-options view-settings to see our default ping settings: we have a repeat count of 5.
We have a data size of 56 bytes, a two-second timeout, and the interface is auto, which means the ping consults our routing table and uses the best outbound route. We have a one-second interval, meaning the next ping is sent one second after the previous one; adaptive ping, which we will try very soon, instead sends the second or third ICMP request immediately when the echo reply comes back. The time to live is 64 hops. Anything else interesting here? No. The next thing is to run execute ping-options and see what the options are: we can set adaptive ping, different data sizes, the DF bit, which is a flag in the IP header (we will look at that), the interface the ping is sent from (we will use our marketing interface and send the ping from there), and the pattern option, which lets us fill the otherwise empty ICMP payload with our own hex bytes.
We'll look at that as well, and yes, we can configure the source, the timeout and more. So let's start with a simple ping to google.com. That works. Now the same to Google's DNS server, to check that we also have DNS resolution; that works too. Let's close that for a minute and move on to my Ubuntu device, which sits on the marketing interface. Let's log back in and start by pinging my Ubuntu device at 10.0.4.9. Everything looks good.
You can see I have a very large ICMP packet; let's see why by running execute ping-options view-settings. Actually, let's do something else first: once your settings differ from the defaults (remember the default data size is 56 bytes), you can reset them with execute ping-options reset. Now send the same ping again and look at the size: 64 bytes. Your ICMP data size is 56 bytes and the ICMP header is 8 bytes, so what you see here is the payload plus the header, 56 plus the 8-byte header. Let's see again how we change the data size: execute ping-options data-size 128 sets it to 128 bytes. Now another setting, adaptive ping: your ICMP requests are sent at a one-second interval, and you can change that so the next request goes out as soon as the reply comes back. Another setting we can enable is the DF bit. What does DF mean?
Don't fragment: do not fragment the packet even if it is bigger than the link that is supposed to carry it. So if an interface on the path has an MTU of some value and your ICMP packet is bigger than that, your ICMP packet can be dropped, so be careful how you use the DF bit; we keep it set to no. Now let's see the effect of adaptive ping versus the normal setting. Run a ping with a repeat count of 20 to google.com: you can see the one-second interval. Now enable adaptive ping and send the same ping, and you get a kind of fluid stream of ICMP; it is not hundreds of packets per second, but it is still a lot faster than the usual interval.

So you have your new FortiGate and you need to configure it; here is a quick setup guide. Your new FortiGate comes with a preconfigured port at IP address 192.168.1.99, so you can manage it using the command line or the graphical user interface.
We will do this using the web-based GUI. Take your client, your PC or Mac, change its address to something on the 192.168.1.0 subnet, for example 192.168.1.10 or .11, connect it to port1 on your FortiGate and open your web browser to 192.168.1.99. Let's go ahead and see what happens: type the IP address of port1 into your browser and enter your admin credentials. On older firmware you log in as admin with no password; on newer firmware you need to set a password, and I have already set one. Once you are in, move to System Settings. The first thing to do is change your hostname. It may not seem important, but if you have multiple FortiGates, one protecting your data center and another protecting users in another department, you need to know which FortiGate did what, so let's name ours Marketing so we know it protects our marketing division.
The second thing is system time. Best practice is to use FortiGuard NTP so that all devices stay synchronized. You can also set the administration ports, HTTP, which you will probably keep on port 80, and HTTPS on 443. You can customize the language (English, French, Spanish and so on) and change the theme of your FortiGate; the theme changes right away, and I use this one because it looks much more modern in my opinion. We won't go into NGFW mode, profile-based versus policy-based; that has to wait for another video. Moving on to the email service: you can use the default, which is FortiGuard's SMTP server, or your own SMTP server, whichever you prefer, and you will find that you use the SMTP email server more and more as you practice with your FortiGate.
Next, go to FortiGuard and, under antivirus and IPS updates, enable accepting push updates so you don't miss any signature sent by the FortiGuard servers. You can also set the server location to use lower-latency locations, which is good practice if you are not in the US. Those are the default settings. Now move to Administrators. Remember that you are the admin of your FortiGate, so edit your administrator profile: add your email, add two-factor authentication, and add what is known as a trusted host, meaning only administrators connecting to the FortiGate management interface from one of the IP addresses you configure there will be able to log in. For example, configure your trusted hosts as your IP address at work and your IP address at home.
You can also create a new administrator, for example a profile administrator who takes care of specific areas of your FortiGate. Once you have your settings and your admin profile done, you can add more interfaces, the ones connected to your WAN and to your other LANs; I have a bunch of videos that show you how. The other thing you will need is a static route, a default route that sends packets that have to go out to your gateway via the interface connected to your WAN. That was a quick configuration guide. From there you will probably move on to policies and objects, create your own policies, customize your interfaces, your settings, your logs and reports, create security profiles and so on. This video is about setup tips for your FortiGate, and we are starting right now. For easier setup tips for your FortiGate firewall, subscribe now and don't forget to click the bell notification so you won't miss a thing.
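The administrator and management-access settings in this quick setup guide (trusted hosts, two-factor authentication, which protocols an interface accepts, the maintainer account) are also easy to verify after the fact against a configuration backup. The following script is an added example, not code from the video or from Fortinet: it parses the config/edit/set/next/end syntax of a FortiOS CLI backup and flags the weak spots. SAMPLE_CONFIG is a constructed excerpt, the 15-minute idle-timeout limit is an assumption you can change, and treating an interface with no IP address as unused is a heuristic.

```python
import shlex

# Constructed excerpt in FortiOS CLI backup syntax with the settings from the
# guide plus a few deliberately weak ones. Not a real device's configuration.
SAMPLE_CONFIG = """\
config system global
    set admin-maintainer enable
    set admintimeout 480
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH2example==
    next
    edit "netops"
        set accprofile "prof_admin"
        set trusthost1 10.0.4.0 255.255.255.0
        set trusthost2 198.51.100.23 255.255.255.255
        set two-factor fortitoken
        set vdom "root"
    next
end
config system interface
    edit "port1"
        set ip 10.0.3.2 255.255.255.0
        set allowaccess ping https ssh http telnet
        set alias "wan"
        set role wan
    next
    edit "port2"
        set ip 10.0.4.1 255.255.255.0
        set allowaccess ping https ssh
        set alias "lan"
        set role lan
    next
    edit "port9"
        set allowaccess ping https
        set status up
    next
end
"""

def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into
    {"system interface": {"port1": {"allowaccess": ["ping", ...], ...}, ...}, ...}.
    Sections without edit entries (system global) are stored under the "" entry."""
    tree, path, entry = {}, [], []
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            path.append(" ".join(args))
            entry.append("")
            tree.setdefault(path[-1], {}).setdefault("", {})
        elif cmd == "edit":
            entry[-1] = args[0]
            tree[path[-1]].setdefault(args[0], {})
        elif cmd == "set":
            tree[path[-1]][entry[-1]][args[0]] = args[1:]
        elif cmd == "next":
            entry[-1] = ""
        elif cmd == "end":
            path.pop()
            entry.pop()
    return tree

CLEARTEXT_OR_NOISY = {"http", "telnet", "ping"}

def audit(config_text, max_idle_minutes=15):
    cfg = parse_fortios(config_text)
    findings = []
    glob = cfg.get("system global", {}).get("", {})
    # The maintainer account is enabled unless it has been explicitly disabled.
    if glob.get("admin-maintainer", ["enable"])[0] == "enable":
        findings.append("system global: admin-maintainer is enabled; set admin-maintainer disable")
    if int(glob.get("admintimeout", ["5"])[0]) > max_idle_minutes:   # assumption: 15 min is generous enough
        findings.append(f"system global: admintimeout {glob['admintimeout'][0]} min exceeds {max_idle_minutes}")
    for name, a in cfg.get("system admin", {}).items():
        if not name:
            continue
        if not any(k.startswith("trusthost") for k in a):
            findings.append(f"system admin {name}: no trusthost, login accepted from any source address")
        if a.get("two-factor", ["disable"])[0] == "disable":
            findings.append(f"system admin {name}: two-factor authentication is disabled")
    for name, i in cfg.get("system interface", {}).items():
        if not name:
            continue
        access = set(i.get("allowaccess", []))
        weak = sorted(access & CLEARTEXT_OR_NOISY)
        if i.get("role", [""])[0] == "wan" and weak:
            findings.append(f"system interface {name}: WAN allowaccess includes {' '.join(weak)}; keep https/ssh only")
        if "ip" not in i and i.get("status", ["up"])[0] == "up":   # heuristic: no address means unused
            findings.append(f"system interface {name}: no address but still up with allowaccess {' '.join(sorted(access)) or 'none'}; set status down")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Run it against the output of a real backup (or show full-configuration from the CLI) and extend the checks with whatever your own baseline demands.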
One of the most common questions I get is: how do I configure my FortiGate when I am not interested in any intrusion prevention sensor or IPsec VPN? I just have several interfaces connected to different VLANs and I need the FortiGate to do really basic work. So in this video we look at the most basic configuration; as you know, my channel has tons of videos covering the other aspects of your FortiGate.

The first thing is to configure your administrator profile. You are probably the top administrator on your FortiGate, so make sure you connect through a trusted host. If you need to set up a new administrator, perhaps a profile administrator responsible for another virtual domain or for different aspects of your FortiGate, do that here.

The next thing is the network interfaces. You probably have different VLANs connected to interfaces on your FortiGate. On each interface, don't forget to write an alias; it helps identify which LAN belongs to which interface. Use specific rules for specific interfaces. Use the administrative access protocols carefully: don't allow anyone to ping that interface if there is no need. Use the DHCP server, and use DHCP scopes so you can create different DHCP options for that local area network.
You can block specific MAC addresses from receiving IP addresses, and use device detection and active scanning if you want to know which devices initiate traffic on that interface. The next thing is to create or configure a static route that leads to your ISP. This is usually the default route, which means any packet destined anywhere that has no entry in the routing table is sent to the specified gateway, which is usually your only gateway. Next are policies and objects, the bread and butter of your FortiGate firewall.
This is where you create rules that match any traffic coming in or going out of your FortiGate. Once traffic matches, there are two decisions: accept or deny. You can create different policies for different topologies; the most basic one is a full-access policy that lets the local area network out to the Internet through the WAN interface. The incoming interface can be almost any LAN on your network and the outgoing interface is the WAN. The source can be specific user devices, but let's assume we allow almost any source; the destination can also be specific, but let's assume any destination is allowed.
You can configure different schedules and services. Again, you can deny specific protocols, but for our case we allow any service. The learn action is another topic I have made a specific video about, but that's not the problem right now. Once the FortiGate matches the traffic, the next decisions are whether we block it and, if we allow it, which security profiles we apply, which can be antivirus, web filtering, IPS and so on; I would say that is not difficult, but it is a harder topic to understand. The last piece is to go to Log & Report and see what happens on your FortiGate.
Lots of things happen: every time traffic comes in, every time an administrator logs into one of the interfaces, every time a VPN tunnel comes up or goes down. You need to maximize your understanding of what is happening on your network, and the best thing you can do is look at the logs and understand your network baseline.

Your connection starts with a DNS request and a DNS response, then the TCP three-way handshake, and when that finishes the client sends an HTTP GET request. The basic denial-of-service attack works on the TCP three-way handshake, which starts when the client sends a TCP SYN, the server answers with a SYN-ACK, and the client then sends a TCP packet with the ACK flag set. In a denial of service, the attacker sends a TCP SYN, the server returns a SYN-ACK, and the attacker never returns the TCP ACK.
That connection is known as a half-open connection. The server has limits in terms of time and in terms of buffer space, and when this happens fast enough the server will no longer accept new connections. So what do you do, and how do you protect your servers from a SYN flood attack? Connections that stay half-open can also happen because of network congestion, poor connectivity, or applications that behave that way, but you can limit the timers that control how long your FortiGate waits for the TCP handshake to complete. Let's see how. Go to the CLI, config system global, and you can set the TCP half-close timer and the half-open timer. The half-close timer tells the FortiGate
that it can terminate sessions that are waiting for the closing TCP packets with the FIN flag set. The half-open timer is what we just saw: the FortiGate waits for the TCP ACK from the client, the last step of the three-way handshake, so you can set different timers according to your network's behavior. Another thing you can do is go to Policy & Objects, IPv4 DoS Policy, choose your interface, probably the WAN interface, and there you can set the tcp_syn_flood rate, the maximum number of SYN packets per second. The default threshold is 2000; you can set it to 1000 packets, to 500, or to more. It all depends on the behavior of your network and of your server, which you know better than anyone.
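To show what those two knobs actually count, here is an added example (not from the video or Fortinet) that replays a constructed packet sequence: a legitimate handshake, an attacker who sends eight SYNs in one second and never ACKs, and another legitimate handshake 12 seconds later. It tracks half-open connections the way a half-open timer would (10 seconds, the FortiOS default for tcp-halfopen-timer) and counts SYNs per destination per second against a threshold. The SYN limit of 5 used for the sample is deliberately tiny so the flood shows in a handful of packets; the real DoS-policy default is 2000.

```python
from collections import defaultdict

# FortiOS default for `set tcp-halfopen-timer` under config system global.
DEFAULT_HALFOPEN_TIMER = 10.0
# FortiOS default threshold of the tcp_syn_flood anomaly in a DoS policy.
DEFAULT_SYN_LIMIT = 2000

def analyze_handshakes(packets, halfopen_timer=DEFAULT_HALFOPEN_TIMER,
                       syn_per_second_limit=DEFAULT_SYN_LIMIT):
    """packets: (time, src, sport, dst, dport, flags) tuples sorted by time, flags being
    "S" (SYN), "SA" (SYN-ACK) or "A" (ACK). Returns completed handshakes, half-open
    entries that aged out as the half-open timer would drop them, half-open entries
    still waiting, and the (dst, dport, second) buckets whose SYN rate exceeded the limit."""
    pending = {}                  # (client, cport, server, sport) -> time the SYN was seen
    established = expired = 0
    syn_count = defaultdict(int)  # (server, sport, whole second) -> number of SYNs
    last_time = 0.0
    for t, src, sport, dst, dport, flags in packets:
        last_time = t
        # Age out half-open entries before handling the new packet.
        for key in [k for k, t0 in pending.items() if t - t0 > halfopen_timer]:
            del pending[key]
            expired += 1
        if flags == "S":
            pending[(src, sport, dst, dport)] = t
            syn_count[(dst, dport, int(t))] += 1
        elif flags == "A":
            # The client's ACK completes the handshake; the entry is no longer half-open.
            key = (src, sport, dst, dport)
            if key in pending:
                del pending[key]
                established += 1
        # "SA" (the server's SYN-ACK) changes nothing: the connection stays
        # half-open until the client's ACK arrives.
    stale = [k for k, t0 in pending.items() if last_time - t0 > halfopen_timer]
    expired += len(stale)
    flood = sorted(bucket for bucket, n in syn_count.items() if n > syn_per_second_limit)
    return {"established": established, "half_open_expired": expired,
            "half_open_live": len(pending) - len(stale), "flood_buckets": flood}

def handshake(t, client, cport, server, sport):
    """A complete three-way handshake starting at time t."""
    return [(t, client, cport, server, sport, "S"),
            (t + 0.01, server, sport, client, cport, "SA"),
            (t + 0.02, client, cport, server, sport, "A")]

# Constructed traffic: one good client, eight unanswered SYNs from an attacker, one more good client.
SERVER = ("10.0.5.4", 80)
SAMPLE_PACKETS = (
    handshake(0.0, "10.0.4.20", 50514, *SERVER)
    + [(1.0 + i / 10, "203.0.113.7", 40000 + i, *SERVER, "S") for i in range(8)]
    + handshake(12.0, "10.0.4.21", 50600, *SERVER)
)

def analyze_sample():
    return analyze_handshakes(SAMPLE_PACKETS, syn_per_second_limit=5)

if __name__ == "__main__":
    print(analyze_sample())
```

Lower the half-open timer and the attacker's entries are released sooner; raise the SYN limit and the burst no longer registers as a flood. That is exactly the trade-off the two settings in the text let you tune per server.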
Two minutes, and this time: how to configure your interface using the command line. This is probably one of the most used commands, certainly my most used one: config system interface. It configures the physical or virtual interfaces on your FortiGate. You can do it in the GUI and you can do it on the command line, and that's exactly what we do now. Enter config system interface, then select the interface, the port you want to configure; my virtual machine only has 10 ports, so let's edit port3.
From here you can configure the different parameters of the interface. Start with the mode: will it get its IP address from a DHCP server, or do we set it statically? We use static. Once it is static we can set the IP itself: 10.0.5.6/24. Next is allowaccess, the protocols you will use to manage the interface: we use http and https. You can also allow ping, which is not good practice unless you need it for some purpose, but the most used are https and ssh: ssh to manage the interface from the command line, https to manage it from the graphical user interface. Next you can set the MAC address of that interface.
You can actually configure the MAC address of that interface yourself. You can also use MTU override; the MTU is 1500 bytes by default, which is the standard, so don't change it unless you really need to, but if you do, enable mtu-override and set the new MTU. You can also set a weight from 0 to 255, which is used in scenarios such as load balancing and preferring one path over another, and you can assign the interface to a specific VDOM; currently ours is the root VDOM. Finish with end, refresh the page, and there we have port3 with the new configuration.

One of the techniques to block applications like TikTok is to get the IP addresses or the list of domains related to TikTok and block them in your DNS filter. How do you do it?
TikTok has gained a lot of attention recently because it probably takes your private and sensitive data. I'm not taking any position on whether you should block it, but if you want to, one technique you can try to block any domain or IP related to TikTok is the following. Start with a text file containing all the IPs related to TikTok; search the web for TikTok domains and IPs to block and you will find lists. Save the text file, place it on a web server somewhere reachable, and go back to your FortiGate. In the FortiGate dashboard, under Fabric Connectors, create a new threat feed connector of type IP address. Name the connector (I name mine tiktok) and enter the URL of that text file; I use an address that does not actually exist, but it serves our purpose. If you need to authenticate, enter your credentials in the following fields; if not, just disable it.
Once you have a new threat feed with a list of TikTok-related IPs, move to Security Profiles, DNS Filter, and create a new DNS filter; I name mine dns_block. Enable the external IP block list and add the external threat feed as a source. Now move to Policy & Objects and in your policy enable the DNS filter security profile that blocks TikTok. This is not bulletproof and the IPs change frequently, but it is a method that can help when you need to block TikTok connections from clients connected to your network and monitored by your FortiGate firewall.
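The weak point of this method is the text file itself: a pasted-together list usually contains duplicates, comments and malformed lines, and one bad line can make the FortiGate reject the whole feed. The following script is an added example, not code from the video or from Fortinet: it normalizes a raw list into the one-entry-per-line IP/CIDR format the IP address threat feed connector fetches, drops entries already covered by a wider prefix, reports what it rejected, and then applies the same check the DNS filter's external IP block list performs on a resolved address. RAW_LIST is constructed from documentation address ranges, not real TikTok infrastructure.

```python
import ipaddress

# Constructed raw list, as pasted together from a "TikTok IPs" search: comments,
# blank lines, single addresses, CIDRs, a duplicate and two malformed entries.
# The addresses are documentation ranges, not real TikTok infrastructure.
RAW_LIST = """\
# tiktok related ranges (constructed sample)
203.0.113.10
203.0.113.10
203.0.113.0/28

198.51.100.77/32
not-an-ip
2001:db8:ab::/48
192.0.2.300
"""

def build_ip_feed(raw_text):
    """Return (entries, rejected). entries is the deduplicated, one-per-line list of
    IP/CIDR strings to publish for the FortiGate 'IP Address' threat feed connector;
    rejected holds lines that are not valid addresses or networks and would
    otherwise break the feed."""
    networks, rejected = set(), []
    for raw in raw_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # allow trailing comments
        if not line:
            continue
        try:
            networks.add(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(line)
    # Widest prefixes first, then drop anything already covered by a kept prefix.
    entries = []
    for net in sorted(networks, key=lambda n: (n.version, n.prefixlen, int(n.network_address))):
        if not any(net.version == kept.version and net.subnet_of(kept) for kept in entries):
            entries.append(net)
    return [str(n) for n in entries], rejected

def dns_answer_blocked(entries, resolved_ip):
    """The check the DNS filter's external IP block list applies to a DNS answer:
    the reply is blocked when the resolved address falls inside any feed entry."""
    addr = ipaddress.ip_address(resolved_ip)
    return any(addr in net for net in map(ipaddress.ip_network, entries)
               if net.version == addr.version)

if __name__ == "__main__":
    feed, bad = build_ip_feed(RAW_LIST)
    print("\n".join(feed))          # this is the file you host for the connector
    print("rejected:", bad)
```

Write the returned entries to the file you host, and keep the rejected list in your logs: if it grows between refreshes, the upstream list changed shape and your feed may be silently missing entries.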
Welcome to our FortiGate top five tips, and this time we deal with the ping command. Tip number one: to ping we use the execute command, execute ping 8.8.8.8, which is Google's DNS server. We can see that our ping size is 56 bytes and the FortiGate sends five packets at a time. We can change the size of our ping. How? With execute ping-options. Let's view the settings, and then use execute ping-options data-size.
We can give the ICMP packets different sizes; let's choose 90. Now ping the same destination, 8.8.8.8, and you can see our ping size is 90 bytes. Tip number two: if you have been networking for a long time you probably send continuous pings to different destinations and different interfaces, so you need to change the number of packets to be continuous or different from the five sent by default. We use execute ping-options repeat-count; the default is 5, let's change it to 15, ping Google's DNS server again, and see how many packets are sent.
We can see 15 packets being sent. Tip number three: the FortiGate has different interfaces and sometimes we want to send pings from a specific one. I currently have an interface at 10.0.4.1, so with execute ping-options source 10.0.4.1 the packets of the same ping command are sent from 10.0.4.1. Tip number four: a ping packet is normally discarded after 64 hops. We can choose a different integer between 1 and 255 hops with execute ping-options ttl; let's choose 220, and now our ping packet is dropped only after 220 hops.
Tip number five: as an administrator you use different settings. Let's change the configuration of our ping command: a repeat count of 8, a data size of 80 bytes, and 10.0.4.1 as our source. If we view the settings we see that our repeat count is 8, our data size is 80 and our source address is 10.0.4.1. Now you want to reset these settings; what do you do? Use the reset command, and if we view the settings again, everything is back to the defaults: five 56-byte packets with the source based on the interface you are working on.
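The sizes in these ping tips, and the DF-bit warning earlier in the page, follow from two header constants, and it helps to have them in code. Here is an added example (not from the video or Fortinet) that computes the sizes the FortiGate prints (56 bytes of data, 64 with the 8-byte ICMP header, 84 on the wire with the 20-byte IPv4 header), the largest data-size that fits a given MTU, what a hop does with an oversized echo request depending on the DF bit, and a binary search that uses those rules the way a manual DF-bit ping probe discovers the path MTU. The hop MTUs in the usage are assumptions.

```python
IPV4_HEADER = 20   # bytes, IPv4 header without options
ICMP_HEADER = 8    # type, code, checksum, identifier, sequence number

def icmp_sizes(data_size=56):
    """Sizes of one echo request: the payload you set with `execute ping-options
    data-size`, the ICMP message (payload + 8-byte header, the 64 bytes the
    FortiGate prints for the default 56), and the whole IPv4 datagram that has
    to fit the link MTU."""
    icmp = data_size + ICMP_HEADER
    return {"data": data_size, "icmp": icmp, "ipv4": icmp + IPV4_HEADER}

def max_data_size(mtu=1500):
    """Largest data-size that still fits one IPv4 frame on a link with this MTU."""
    return mtu - IPV4_HEADER - ICMP_HEADER

def df_verdict(data_size, link_mtu, df_bit):
    """What a hop with link_mtu does with the echo request: 'passes' if it fits,
    'fragmented' if it is too big and DF is clear, 'dropped' if it is too big
    and DF is set (the hop must discard it instead of fragmenting)."""
    if icmp_sizes(data_size)["ipv4"] <= link_mtu:
        return "passes"
    return "dropped" if df_bit else "fragmented"

def find_path_mtu(hop_mtus, lo=0, hi=65507):
    """Binary search for the largest DF-set echo request that every hop passes
    and convert it back to an MTU: the manual ping-with-DF-bit path MTU probe."""
    def passes(size):
        return all(df_verdict(size, mtu, True) == "passes" for mtu in hop_mtus)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if passes(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo + ICMP_HEADER + IPV4_HEADER

if __name__ == "__main__":
    print(icmp_sizes())                        # default ping: 56 data, 64 ICMP, 84 on the wire
    print(df_verdict(1473, 1500, True))        # one byte too many with DF set
    print(find_path_mtu([1500, 1400, 1500]))   # assumed path with a 1400-byte tunnel hop
```

The same arithmetic explains why a DF-set ping with data-size 1472 succeeds on a plain Ethernet path and data-size 1473 does not, and why a tunnel hop with a smaller MTU silently drops DF-set probes sized for 1500.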
If you like our channel, please subscribe. The following video is dedicated to beginners who are just starting to manage their FortiGate. This is a free 15-minute masterclass, so let's get started. Here we have the FortiGate administrator page. You can configure the different settings either by using the GUI or by using the command line, and we will combine the two; I can tell you that the command line gives you access to far more advanced settings. As for methodology, we start with the administrator account, then move on to creating new interfaces, creating a static route, and creating a policy that matches traffic and either denies or allows it. Then we move on to our security profiles, where we see how to configure antivirus, web filter, application control and so on, and from there to the different settings that make the configuration stricter for our purposes. The first thing to remember is that you are the administrator and you have many responsibilities, from backing up the configuration to creating interfaces, policies, different settings and authentication rules for your users. Going to System Administrators, the first thing to do is harden your account to be much stricter, using either a FortiToken or a trusted host, so that you can log in only from specific IP addresses.
You can do this using the GUI or from the command line. Here we use config system admin and edit the relevant profile, which is admin. Here we can set the different settings for our admin profile; show full-configuration displays the full settings, whether you are configuring a trusted host or even two-factor authentication using an email account, which is only possible from the command line. So now we have our administrator account. Let's move on to the network interfaces, and this is the topology we need to configure.
This is a very basic SMB topology. You have your LAN connected to one interface of your FortiGate, your DMZ with its server switch connected to another interface, and your ISP router connected to the WAN interface of your FortiGate. Let's start by configuring the LAN and DMZ interfaces. Choose the interface you prefer and edit its name; I name it lan, and choose its role. Different roles mean different settings, and this one is LAN. Configure the gateway IP address, 10.0.4.1/24.
Another thing we need to configure is administrative access: we use HTTPS to connect to that interface and also allow ping. We need a DHCP service running on the interface so that hosts connecting to it can request IP addresses; the pool currently goes up to .254, and we set it to just 50 addresses. You can go into the advanced DHCP server settings, assign scopes and reserve specific IPs by matching a host's MAC address, but we won't. Device detection lets your FortiGate detect the type of devices on your network, whether an Android device, a Windows PC, a Mac and so on, by looking at the MAC address, user agent, TCP fingerprint and other methods.
You can also enable a captive portal on the interface, which we won't. That's it for our LAN interface; now let's configure our DMZ interface. Edit it, name it dmz, and set the role to DMZ. Once you do that you will see there is no DHCP server option on that interface, since as a best practice you don't run a DHCP service in your DMZ. Set the IP address to 10.0.5.1/24, use only HTTPS for administrative access, and that's it. Now we have two interfaces, one dedicated to our LAN and the other dedicated to our DMZ.
Let's also edit our WAN interface and name it wan, so it is easier when we configure our policy later. Now that our interfaces are configured, the next thing is to manually configure a route entry that lets all packets flow to the gateway interface, which is our WAN interface, and from there to the Internet. Go to Network, Static Routes, and configure a new default route: our gateway sits on the WAN interface and its IP address is 10.0.3.1. We can set the priority and administrative distance of our static route using the following settings, but we won't go into it.
I have dozens of videos dedicated to the different routing attributes of your FortiGate. Now we have a static route that tells packets: if you want to go to almost any destination that has no routing entry of its own in the routing table, move to the gateway at 10.0.3.1 via the WAN interface. Let's look at the new route entry we just configured. We do it from the command line, although you can also do it in the GUI: get router info routing-table all shows a new static default route pointing via 10.0.3.1. So we have our interfaces and a static route, and the next thing is to create the policy itself, the policy that allows packets to flow from one interface to another by matching the traffic and deciding whether it is denied or allowed. Go to Policy & Objects, IPv4 Policy, and create a new policy. What we want is a policy that allows everyone on our LAN to access the Internet using any service at any time, so let's name it full_access.
The incoming interface is our LAN interface and the outgoing interface is our WAN interface. For the source we won't throttle users; we allow anyone out. Of course, if you need more granular control over your policy, you create firewall address objects and define who can go out and who can't, and you can also use user groups. For the destination we are not limiting traffic to a specific location; anyone can go anywhere. The schedule is always, and the service again could be limited to specific protocols, but we keep it at ALL. The action is ACCEPT.
Another thing to take into account is the inspection mode, which we will look at when we create security profiles. We want NAT: our traffic currently uses private IP addresses, but when we go out to the public Internet we need to translate them to the public-facing interface of our FortiGate, so we enable it. We can also attach the different security profiles, which we will do very soon. For logging we don't want only security events logged, we want all sessions logged, so we enable all sessions.
Now we have our first policy, full_access. Let's create the second policy, for the DMZ. From the DMZ point of view we simply allow traffic arriving from the Internet to the DMZ; for our purposes we allow it from anyone, but in your environment configure it based on your needs. For the destination we create an address object for our server: suppose we have a web server that anyone can reach using HTTP and HTTPS, so let's call it web_server with address 10.0.5.4/32, pointing exclusively to that web server. The service is only HTTP and HTTPS, we apply the different security profiles and log all sessions. So we have a second policy towards our DMZ, where the traffic comes from outside to a specific web server and only HTTP and HTTPS are allowed. Once you are done with your different policies you need to apply the security profiles. Go to Security Profiles and choose the ones that suit your security needs, probably antivirus and web filter, and maybe application control if you want to control which applications your users use. Once you create a security profile and give it a name, enable it in your policy by going to the policy page and selecting the profile you need.
The last thing you need to do is go to your system settings and choose the appropriate settings that will make you feel comfortable while managing your FortiGate, whether in terms of how long you want your idle timeout to last, how you want to customize the appearance of your FortiGate, and whether you want to use some other email service rather than the FortiGuard email service; you can do all that there. Now we've looked at the basics of placing your FortiGate in a typical scenario. If you want to learn more, subscribe to my channel; I regularly upload two or three videos every week. 6.4 is one of the latest releases from Fortinet and they are doing a great job from release to release adding new features, and so far there are dozens of videos everywhere describing the new features of 6.4.
I have decided to create one that will focus on the friendlier features of 6.4, so let's get started. The first friendly feature is running a speed test, which you can do on your WAN interface. To do it, you will need to have the SD-WAN network monitor license. Once you have one, you can jump to your WAN interface and run a speed test. When you do, the results will be added to your estimated bandwidth, but you will have to be connected to FortiGuard and, I think, Google or AWS speed test servers.
The second friendly feature is fantastic. I've always been asked, when it comes to security profiles, which are supported in flow-based inspection mode and which in proxy-based inspection mode, and it seems that until version 6.4 you had to remember which feature is supported where. From now on you can create a new security profile and, if you want to see what feature or capability is supported in proxy inspection mode, all you have to do is click on proxy-based, and there you will see that you can only use content disarm and reconstruction in proxy-based mode. The same goes for the web filter: just click on proxy-based and you will see the features that are only supported in proxy-based inspection mode. The following friendly feature is actually not a feature, it is a way to describe things much more clearly. When you go to Network, SD-WAN, and add new interfaces to be part of the SD-WAN interface, the next thing is to create an SLA, a performance SLA, where you configure the SLA server and the SLA destination, and the next thing is to go to the SD-WAN rules. In the SD-WAN rules you really create your SD-WAN strategy. The SD-WAN strategy can be manual, best quality, maximize bandwidth or lowest cost. I can tell you that every student asked me what it means: what is best quality, what is maximize bandwidth. So finally Fortinet describes each strategy and what it does. The following friendly feature is a cool feature, the IP address tooltip: every time you hover the cursor with your mouse over an IP address, it will show more information about that IP address. So let's go to Log & Report, Application Control, and see what happens when we hover over that IP address.
Well, we can see that the owner is Google, we can see its location, which is England, and we can also see the latitude, longitude and the services running. Let's go to another IP address; that IP address is also owned by Google. Let's find an IP address that may not be owned by Google: so we have an IP address owned by Amazon and it appears to be the local CDN here in Israel, Tel Aviv. Another friendly feature is the add widget, which is now much more organized than before. There are dozens of widgets, some of them new.
I think the IPsec and SSL VPN widgets are new, and you have a bunch of Wi-Fi widgets that show you the clients, channel utilization on a per access point basis, interfering access points and so on. The last friendly feature is the fact that now you don't have an IPv4 policy and an IPv6 policy, you only have a firewall policy; you can add an IPv6 or IPv4 address object to the source and destination fields in your single policy.

A small business, a very small one: six employees, six computers, a switch, an access point, an ISP router, one subnet and a network attached storage that serves as a file server, that is, no domain controller servers, no clustering, everything is flat and simple. But you still want to protect your network assets, you still want to be able to connect to your file servers remotely, you grant permissions for specific domain management, and you decided to buy a firewall, a small firewall, not too sophisticated. So here are the seven things you need to do to get started and working with your firewall. The following are the basic steps that you as a small business will need to follow once you get your FortiGate, or any other firewall, into your company.
Now, the first thing to remember once you configure your firewall: you are the administrator of that firewall, you are the super administrator, so you will need to harden your administrator account. You can use two-factor authentication; you can also use an email-based method to get a token in your email. I made a video about that before and you can just click the link above and go straight to it. Another thing is the trusted host. You will need to configure one, two or three IP addresses from which the administrator can connect to the management interface of your FortiGate, so configure your office address, configure your home address, and do not allow anyone to enter your FortiGate from outside. The second thing you can do is segment your network. Now even if you only have six or ten employees, and three of them are in the marketing department and four of them are doing sales, create a new interface. You have a lot of switch ports on your FortiGate, and even if you don't, you can create VLANs. So let's create an interface; let's just name our interface sales. The role of that interface is LAN, and just assign a specific subnet to that interface.
This is a private IP address used for HTTPS and SSH management: HTTPS to access that interface through the GUI and SSH through the command line. And just set up a DHCP server. Now you probably only have five to six employees, so don't use the full pool; you can use it, but in our case it's 10.0.9.2, so let's use it up to .10. Now you can do a lot of other things, we won't go into that right now, but these are the basics of just creating a new interface and making sure you connect those employees, through their computers, to that specific switch port on your FortiGate, whether using a switch or directly. Now, once you have created the interfaces you can actually start configuring some rules; let's use basic rules for now.
We go to Policy & Objects, create a new IPv4 policy, and let's create a sales policy. Now we're not limiting anyone in our sales department, so the incoming interface is sales. The outgoing interface is our WAN interface, the interface that is connected to our ISP router. As a source we will currently use all, but we will create a firewall address object very soon and we will be able to use it in our firewall policies. In terms of service, we will allow any service, any protocol, to go through this firewall policy. We will enable NAT. We will not currently use our security profiles, we will do that soon, and we will log all sessions, not just security event sessions. Okay, so that is our sales policy. Let's create a new policy; let's call it marketing: the incoming interface is marketing, our outgoing interface is WAN, source and destination are all, all services, and let's just enable logging for all sessions. Okay, the next thing we need to do is create a virtual LAN for our endpoint access.
There are times when you need to create another broadcast domain on top of the physical ports, so if your FortiGate has eight ports you can create on top of each port a VLAN that you can connect to a switch and connect outsourced employees from there, or other employees. So let's use the sales port to create another interface, which is our VLAN interface; let's call it outsource and we will use a VLAN tag of 300. Let's use it here as well, and the interface, as we said, is now the sales interface. We're going to set up an IP address like we do on almost every subnet, on every LAN that we have, so we're going to use 192.168.2.1/24, we're going to use HTTPS and SSH administrative access, and we're actually going to use the entire pool in our DHCP server; we will not limit it to a specific number of IP addresses.
Well, once we have that VLAN on our sales interface, which is VLAN 300, we need to create a policy that allows any traffic coming from that VLAN to go through to the Internet. So we will create a new policy again; let's call it outsource. The incoming interface is our VLAN, which is outsource, and the outgoing one is our WAN interface. Now anyone can connect to that VLAN, anyone can go anywhere, except in terms of service: we will not allow any service, we will use HTTPS, HTTP, okay, and DNS. Now let's just apply that, and now we have a new policy that allows anyone who connects to access the Internet only using HTTP, HTTPS and DNS.
Okay, now let's create a firewall address object. Why do we need a firewall address object? Well, sometimes we have different computers on our subnet and we want to limit or grant access to specific services, and that's a good way to create a policy that's more granular. So to create a firewall address object we'll go to Policy & Objects, Addresses. Now let's decide that our firewall address object will be for the marketing division, which is on the 10.0.5.0 subnet, and we know we have a user who has an IP address on 10.0.5.x and we want to limit it from sending pings, the ICMP protocol. So we go to Policy & Objects, Addresses.
Create a new address. Now let's call our computer icmp limited, that's a nice name. Let's use IP range and use 10.0.5.2 up to 10.0.5.2, or no, we said it will be .3, and the interface is the marketing interface. Okay, we can also use the static route configuration if we want to use it in a specific static route, but we don't need it for now. Let's just apply it and now create a new policy. Our new policy we will call no icmp for that specific device, so the incoming interface is marketing and the outgoing interface is the WAN interface, the source is the new ICMP limited source we just created, the destination is all, and for services we want to limit sending ICMP pings, so we will choose all ICMP and PING, and as the action we will choose deny. Okay, now we have a policy that denies ICMP or pings from that specific user.
Now, for that policy to work, we need to move that policy before the marketing policy, so that our firewall parses that policy and understands that that specific device, which belongs to the marketing division, does not have full access like the other users: it is limited from sending ICMP. Now the next thing you'll need to do is create a static route so that all packets from the different interfaces know where to go to exit to the Internet. To do this, go to Network, Static Routes, and create a new static route. Now I have already created one here; that is my static route. The destination is all zeros, that is, every packet that is destined to anywhere and does not have a route in the routing table will go through that static route. You will need to choose the interface, in our case the interface that is connected to our ISP router.
We won't look at the administrative distance or priority of that route, but know that you can actually prioritize different static routes on your FortiGate firewall. So we come to our last configuration step, which is to apply security profiles to your policies. You can find Security Profiles just below Policy & Objects, and you have different security profiles. Each security profile has its own knowledge base, and you can find dozens of videos on my channel explaining how to work with antivirus, web filter and DNS filter. The idea is that you actually create a security profile and then apply it in your policy, so let's just open a policy, let's edit it, and here you can find the different security profiles. Once you enable one, it actually scans the traffic and looks for viruses, malware, spam, domains that are not allowed and other things.
Auditing your firewall is an important task that you should perform from time to time. There are now companies releasing tools that will allow you to audit your firewall, but here are the 10 best practices you can get started with. The following best practices are not in any specific order, so use them as you wish. Something else: I'm showing it on a FortiGate firewall, but you can also do it on a Check Point firewall, a Palo Alto firewall or any next generation firewall. It's pretty obvious, but we do it on any device and on any server we have in our organization: make sure your firmware is up to date, always use the latest firmware; usually newer firmware is much more secure, and your firewall vendor will always make sure you have the latest patches in the latest firmware. So back up your configuration, check the release path and update your firmware. Encryption, and strong encryption, is critical in your firewall, so make sure you always use the most powerful algorithms.
Now it's not always possible, but assuming the other side also supports the more powerful algorithms, just look for the appropriate CLI command on your firewall and enable it. On a FortiGate it is config system global, where you set strong-crypto to enable; just make sure to enable it. Always make sure your administrator is connecting to your FortiGate through a trusted host, that is, a trusted IP address like the IP address in your home or office. You can do it using the GUI, you can do it using the CLI; let's do it using the CLI: config system admin, let's edit the admin, and from here let's configure the trusted host and just type the trusted IP address. If possible, on your WAN interface, your external interface, do not allow any administrative management, so let's use config system interface, edit port1, which is my Internet-facing interface, and let's disable allowaccess.
On your administrative LAN interface, try to always use HTTPS and SSH, that is, HTTPS for the GUI and SSH for the command line. Try to avoid ping and other protocols unless necessary. The following is probably one of the first audits you should perform: look for unused rules, rules that were requested a while ago and configured in your firewall; find them and, if they are no longer relevant, just delete them. Now, a side note: document any requested rules, document who requested the specific rule and the time it was set. Your admin should always log in to your FortiGate, or any other firewall, using HTTPS, so make sure that even if they try to do it over HTTP, your firewall will redirect the request to HTTPS. So let's do it here: config system global, set admin-https-redirect to enable. Another setting you need to keep in mind is the admin lockout and the duration of the admin lockout.
Now you need to comply with your organization's policy: config system global, and now let's configure the admin lockout. You can configure the admin lockout duration; the default value is 60 seconds, but you can configure it to five minutes or more, whatever meets your organization's policy. Another setting is the threshold itself, the lockout threshold, which is actually the number of failed attempts when your administrator tries to log in to the system; the default value is three and it is good practice to keep it at three. Logs should be part of your audit.
That is, when you audit a firewall, make sure the logs are there for at least seven days. Consult the appropriate documentation for your firewall; let's do it here: config log disk setting, set maximum-log-age. You can set it to seven days, you can also set it to 30 days; it depends a lot on where you save the logs, whether on your hard drive, on FortiAnalyzer, or on any other device where you have adequate storage. Finally, let's look at some best practices for hardening your firewall. One of them is when you have unused interfaces: disable them. If you have interfaces on which you want to disable a particular protocol, just disable it using config system interface, edit the interface you want, and there you can disable the DHCP relay services, you can disable the PPTP client, ARP forwarding, etc. Another thing that is pretty common for any FortiGate, and something I'm not familiar with on other firewalls, which may or may not have the same functionality, is what is known as the maintainer account.
The maintainer account is actually a backdoor to your FortiGate. If your administrator has lost their password, it allows you to log into your FortiGate using what is known as the maintainer account, which is actually the serial number of your FortiGate with the maintainer user, so you can disable it. On most FortiGates I think it is enabled by default. Set the maintainer administrator account to disabled. So you have your new FortiGate, how do you configure it? For more easy setup tips for your FortiGate firewall, subscribe now and don't forget to click the bell notification and you won't miss a thing. So you have your new FortiGate, your new FortiGate firewall, what do you need to do?
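As an added example (not from the video or from Fortinet), here is a small Python audit that runs the hardening checks from the best practices above against a FortiGate configuration backup. It assumes the plain-text backup format (config / edit / set / next / end) and the CLI key names admin-https-redirect, strong-crypto, admin-lockout-threshold, admin-lockout-duration, admin-maintainer, trusthostN, allowaccess and maximum-log-age; the sample backup and its weaknesses are constructed.

```python
# Added example: audit a FortiGate backup against the hardening checks above.
# Assumes the plain-text backup format and the CLI key names in the lead-in;
# SAMPLE_CONFIG is a constructed backup with a few deliberate weaknesses.
SAMPLE_CONFIG = """\
config system global
    set admin-https-redirect enable
    set strong-crypto disable
    set admin-lockout-threshold 3
    set admin-lockout-duration 60
    set admin-maintainer enable
end
config system admin
    edit "admin"
        set trusthost1 10.0.9.0 255.255.255.0
    next
    edit "backup-admin"
    next
end
config system interface
    edit "port1"
        set role wan
        set allowaccess ping https ssh http
    next
    edit "port8"
        set role lan
        set allowaccess https ssh
    next
end
config log disk setting
    set maximum-log-age 3
end
"""


def parse_fortios(text):
    """Return {section: {entry: {key: [values]}}}. Top-level 'set' lines of a
    section go under the entry name '_global'; nested tables inside an entry
    (e.g. config ip-range under a DHCP server) are skipped, not modelled."""
    sections, section, entry, depth = {}, None, "_global", 0
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        word = parts[0]
        if word == "config":
            if section is None:          # start of a top-level section
                section = " ".join(parts[1:])
                sections.setdefault(section, {})
                entry = "_global"
            else:                        # nested table inside an entry
                depth += 1
        elif word == "end":
            if depth:
                depth -= 1
            else:
                section = None
        elif depth or section is None:
            continue
        elif word == "edit":
            entry = " ".join(parts[1:]).strip('"')
            sections[section].setdefault(entry, {})
        elif word == "set":
            values = [v.strip('"') for v in parts[2:]]
            sections[section].setdefault(entry, {})[parts[1]] = values
        elif word == "next":
            entry = "_global"
    return sections


def audit(cfg):
    """Return (check_id, message) pairs for every hardening check that fails."""
    findings = []
    glob = cfg.get("system global", {}).get("_global", {})

    def setting(key, default):
        # A key absent from a backup sits at its FortiOS default; the defaults
        # assumed here follow the transcript (e.g. maintainer account enabled).
        return glob.get(key, [default])[0]

    if setting("admin-https-redirect", "disable") != "enable":
        findings.append(("https-redirect", "HTTP admin logins are not redirected to HTTPS"))
    if setting("strong-crypto", "disable") != "enable":
        findings.append(("strong-crypto", "strong-crypto is disabled, weak ciphers accepted"))
    if int(setting("admin-lockout-threshold", "3")) > 3:
        findings.append(("lockout-threshold", "more than 3 failed logins before lockout"))
    if int(setting("admin-lockout-duration", "60")) < 300:
        findings.append(("lockout-duration", "admin lockout shorter than 5 minutes"))
    if setting("admin-maintainer", "enable") != "disable":
        findings.append(("maintainer", "maintainer (serial-number) account still enabled"))
    for name, admin in cfg.get("system admin", {}).items():
        if name != "_global" and not any(k.startswith("trusthost") for k in admin):
            findings.append(("admin-trusthost", f"admin '{name}' may log in from any address"))
    for name, intf in cfg.get("system interface", {}).items():
        access = sorted(intf.get("allowaccess", []))
        if name != "_global" and intf.get("role", [""])[0] == "wan" and access:
            findings.append(("wan-admin-access", f"WAN interface '{name}' allows {access}"))
    age = cfg.get("log disk setting", {}).get("_global", {}).get("maximum-log-age", ["7"])[0]
    if int(age) < 7:
        findings.append(("log-age", f"local logs kept only {age} days, fewer than 7"))
    return findings


print(*audit(parse_fortios(SAMPLE_CONFIG)), sep="\n")
```

Run against a real backup (`show full-configuration` output or an exported .conf), the six findings on the sample map one-to-one onto the checklist items above; an empty list means every modelled check passed.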
You've probably connected your FortiGate using a network cable to your computer and set it up. FortiGate devices come with at least one of the ports, which is usually port1, already configured with the IP address 192.168.1.99. Configure your PC's subnet to be on the same subnet, access the IP address of the port1 interface, and from there you will start configuring your FortiGate. Now you can configure a FortiGate using the graphical user interface, which has many features. It even has a feature visibility setting in system settings so you can disable or enable features that are not shown here. You can configure your FortiGate using the graphical user interface and you can configure it using the command line; FortiGate experts use the command line almost all the time. We will see the command line, but we will make our way using the graphical user interface.
To get to the command line, you need to click here. It is actually a JavaScript application that runs on top of the admin web application. Probably the first thing you want to do is get the system status, so you can see the serial number of your FortiGate, what hardware acceleration it supports, whether you're using a hard drive or flash storage, the current security profile database versions, etc. Now we get into the interfaces. You probably have one interface that you are connected to, which will be the management interface; now you need to connect one of your interfaces to your ISP, either through a modem router, or you can use your FortiGate as a router.
Each interface has a physical port that you can connect to the different subnets on your network. Now let's edit an interface and see what's inside. You can name your interface according to the subnet in your local area network; suppose we have a management subnet. Now you can define it with a specific role: it can be DMZ, or an undefined role, or WAN, so let's use LAN. We now know that we have a management LAN connected to port 8 on our FortiGate. The addressing mode can be manual, it can be DHCP; let's use the manual option and configure it to be 192.168.2.1/24, since we are using a /24 subnet. This address is the address of the gateway interface, so any computer that connects to port 8 will get an IP address on that subnet, which is the 192.168.2.0 subnet, but its gateway address will be 2.1. Now we will also enable the DHCP server, so whoever is connected there is a pool of IP addresses it will take.
We will see the DHCP server very soon; before that we need to configure administrative access, which protocols to support for administrative access. We will only use HTTPS and HTTP for now; we can also use SSH, we can also configure it to support pings from hosts on that subnet or from a FortiManager, but we will not do it now. LLDP is a protocol that enables discovery between devices on the network; it doesn't really matter, you can disable it or keep it on for now. Now we have a DHCP server: as I said, any client that connects to that port will receive one of the pool IP addresses. You don't have to use the whole pool, you can use only 20 IP addresses. You can keep the DNS server the same as configured here or you can specify your own DNS server; let's specify the Google DNS server.
You can control the lease time, and if you click on advanced, if you have a DHCP server that is part of your domain that is not your FortiGate interface, you can configure its IP address here, and then every time a packet arrives at that interface it will go to that DHCP server; but for now we are using the gateway interface as the DHCP server. You can configure an NTP server, and this option, DHCP options, is for more advanced users. You can also assign different IPs to different devices based on their MAC address. Another option is device detection.
Device detection allows your FortiGate to detect which device and operating system the devices on your networks belong to. This is one of the things you should keep enabled. Don't bother with the explicit web proxy. You can enable a captive portal, so if you have outsourced employees and want them to jump to a home page with user credentials, you can do that too, but we'll skip that for now. So this is the basic setup of the interface. Okay, now we have one management interface and we have another interface, which is the WAN interface that you connect to your ISP router. We will call it wan1, the role is WAN, we can use DHCP, and if we want to make it more reliable we will use a static IP address, so my gateway interface is 10.0.3.75 and my router is actually 10.0.3.1.
I have enabled HTTP and HTTPS, and as you can see you don't have a DHCP server as long as your interface role is WAN. It's one of the best practices when you use an interface as a WAN interface. Okay, so we have a management interface, we have a WAN interface; now we want our administrators, who are connected to that port, port 8, to go out to the Internet, so the next thing you need to do is set up a policy. We will configure a very basic policy, which is a full access policy; let's call it administrators, and the incoming interface is administration, which is the LAN interface of our administrators.
The outgoing interface is wan1, which is the interface that is connected to our ISP router, the interface that takes them out of the LAN and onto the Internet. Now as far as the source goes, for this video let's make it very generic: anyone can go. We can configure groups of users and different users; we can also configure sets of parameters that control different users, but for now, as for the source, anyone can leave, and for the destination they can go almost anywhere. We can also create specific objects that will allow them to go to specific places, but for now they can go almost anywhere. As far as scheduling, we are not limiting them to specific times or days, so for scheduling, again, they can access the Internet at any time of the day. And for service, we can deny them from leaving on specific services like FTP, but for now, for our specific policy, we will allow them to use almost any service.
Now the action is accept. We can also create a policy that will deny specific services or specific users from leaving or doing specific things; for now the action is accept. The inspection mode is another topic that we will analyze; it is the inspection that is carried out on our networks when we use security profiles such as antivirus or IPS. For now we will stay in flow-based mode. Now we will use NAT; NAT is network address translation, where our private IP address, which can be 192.168.2.6, will be translated to your FortiGate's, or your ISP's, public Internet address.
Now we won't use security profiles; you know what, let's use antivirus, let's use the default profile, the default antivirus profile. We will use certificate inspection; when we use certificate inspection, the FortiGate checks the different fields that come in the server certificates to see if they are valid, if they have no discrepancies, etc. The last thing is to use our logging options. We can log only security events, but we will log all sessions. Later we can look at Log & Report and see what our users or our hosts did. So we have an administrator policy, we have two interfaces, the one that connects us to the outside and the administration interface that the managers of our company can connect to and get their IP addresses. That was the second step; now the third step is to configure a static route. A static route, for our use, will actually be a default route. I have already configured one, so let's look at it; if you want to create a new one, just create a new one. The default route will actually tell your FortiGate that every time it sees a packet, any packet that is destined for anywhere that doesn't have a route in the routing table, it will route it to the WAN interface, and the WAN interface gateway address is 10.0.3.1; remember that my ISP router has that address. Now you can use specific parameters like distance, you can use a priority; it just tells me that I already have that static route. Once we have a static route, a policy and interfaces configured correctly, we can now connect our hosts to the management interface and those hosts can access the Internet.
Let's go to the CLI and see how we configure the interfaces using the CLI. For our purpose, let's configure port 7. Using the CLI we will use config system interface. Now let's edit port7, as we said. Let's set its IP to 168.4.1 with a /24 subnet. Let's set the management protocols to HTTP and HTTPS, and what else we can use, many more if you look; let's finish this now. I want to show you something: when you configure the system interface, let's go out here, config system interface, and if we look at port1, for example, we can use show full-configuration and, as you can see, there are dozens of configuration features that you can add. Okay, we've just enabled the IP address on that interface, so let's look at it, let's refresh our page, port 7, and there it is. Now we can also configure the DHCP server, etc.; we haven't done that in our CLI.
The last thing I want to show you, once you get into your FortiGate, are the FortiGate administrators. You have two types of administrators, actually more than two types, but the two most common types are the super administrators, which is you; they have privileges to almost anything, they can read and write, and they can create another type of administrator, which is the prof_admin, where you can actually enable different read and write privileges in the different places in your FortiGate. If you go to the CLI and use config system admin, you can edit the administrator name. I have two administrators: one is the super administrator and the second one is offer test, which is my second administrator. So now let's look at the different settings that you can add to your administrator; again, many settings, and that's not the only place where you can set them up.
You can also configure different things globally, which is config system global, but one of the things I wanted to show you is that you can harden your administrator account using a trusted host. You can also see it here, sorry, here: you can set a trusted host, which is a trusted IP address from which only your administrator can log in, so you can set the IP address of your office at work and you can set another trusted host which is the IP address of your home. Only from those two IP addresses can your administrator log in to the FortiGate.
You can also set up two-factor authentication, which is also a very common security procedure. You can use the FortiToken and you can also use your email as two-factor authentication. Let me show you how to do it. Let's clear that so we can use config system admin. Now let's edit the profile from before and set two-factor to email, let's set the email to one of my Gmail accounts, let's finish, and now we will return to our administrator profile. Let's look at it again and you can see that you can now use email-based two-factor authentication. So let's create a system interface and a DHCP server using the command line.
The following is part of the basic firewall training. We will configure an interface and a DHCP server; let's do it on port 4, and we will do it using the command line. So let's use config system interface; okay, let's edit port4, let's configure the IP to 10.0.7.1/24, and let's configure allowaccess, the management protocol access, to ping, http, https. We can also configure the weight for that interface; let's give it a weight of 250. We can configure different settings for that interface, but let's finish; that will be our local area network interface for our finance department.
Now the second thing we can do is configure the DHCP server on that interface, so config system dhcp server, let's edit that server, create a new entry, and let's set the default gateway for that DHCP server to 10.0.7.1, and let's also set the interface we are creating it on, the port4 interface. Now let's configure the IP range, the pool of IP addresses that it will lease to clients connecting through that interface; for that we will use config ip-range, and we will use edit 1, let's set the start IP to 10.0.7.2 and let's set the end IP to 10.0.7.11, and let's set the netmask to 255.255.255.0, that's /24, and let's set the DNS service as default. Now let's finish and refresh our page; remember port 4, let's refresh, and there it is: here we can see we have our LAN on port 4, that's our finance LAN, that is the IP of the LAN gateway, that is the administrative access, and here is our DHCP server starting with 10.0.7.2 until 10.0.7.11, and the DNS server is the same as the system DNS.

Two minutes CLI command, and this time the diag sniffer. The diag sniffer packet command is one of my favorite commands, because it actually allows you to capture packets, sniff the traffic, just like tcpdump or Wireshark do. So the syntax is diag sniffer packet, and then you need to include the interface, so we'll do any, but you can choose port1 or port2. After that you actually filter the traffic; you can filter it using source, destination and protocol. We'll use host, so we'll use host 10.0.3.1, which is my gateway. Then comes the detail level, which is how much data you want to include.
I'll choose 4, and we can also add the count, which is the packet count, so let's add 10 packets, and if you want a timestamp you can add the letter a. So let's get started, and there we have it. Now you can play with the different filters and the different levels of detail. If you want a packet capture but don't want to use the diagnose sniffer, use the graphical user interface: you can do it in Network, Packet Capture, and in packet capture you will find that you can choose the interface and use the different filters. We have already learned how we can list system processes and display their output on the command line.
Now in this video we will see how we can kill processes that consume too much memory or too much CPU, and how we can list the most demanding processes in our FortiGate. So you're using high-level encryption on your VPN, you're using IPS to scan for different patterns and anomalies, you're using antivirus, and you're still logging almost everything; all of that consumes a lot of CPU and memory resources. Let's take a look at the diagnose sys top command, with an interval of 20 seconds and 10 processes. Right now, using the character m, you only need to type m, we can sort the processes by memory consumption, and in our case the top one is the DNS proxy. If we press the character p, p is for CPU, we will see the processes that consume the most CPU, and in our case it is the HTTPS daemon. Now the next step is to kill the process that causes you so many problems; that is the last step before restarting your FortiGate. Ctrl-C gets you out of the view, and to kill a process you use diagnose sys kill. Now you enter what is called a signal, which is a term that comes from Linux and Unix; depending on the number, it is a simple way to ask your system to stop the process or a more aggressive way to tell your system to kill it.
Now we can use different signal numbers. We'll use 15, which is an aggressive way of telling your system to kill that process, and then we give the process ID. Now the process ID, as we know, is the second column, so let's use the DNS proxy process, which is 94. Okay, now we have just killed that process, and here we can see that the DNS proxy process has actually been terminated. We saw that we can list processes, sort them and even terminate them whenever they demand too many resources. In our last part of knowing your processes, we will see how
we can, in a single CLI command, see the most CPU-demanding processes. One of the features we looked at using the diag sys top command is that we can list the most demanding processes, whether by CPU or by memory, by pressing the m and p characters. Now there is another command, get system performance top, which lists only the most CPU-demanding processes. Let's see it in action, so we use get sys, sorry, get system performance top.
Now you will see the most demanding processes, the processes that require the most CPU, in the second column from the right, that is the CPU column; the rightmost column is, as we know, the memory column. You will see different processes like ipsengine or the antivirus scanner, newcli, or even sshd, the SSH daemon. Now, whenever a process is too demanding in terms of CPU, you may need to kill that process, and we saw how to do it using diag sys kill with a signal level and a process ID.

Firewall rules are basically the bread and butter of every firewall out there.
It doesn't really matter if your firewall is a next-generation firewall: every time you access the Internet through a firewall, you are required to comply with the firewall rules. What are firewall rules and how are they created? A firewall rule is nothing more than a set of criteria that your traffic must meet. Every time an IP session occurs on your network, a set of rules is compared to that traffic; if your firewall does not find a match in the first rule, it moves on to the next rule. Rules are processed from top to bottom. Now let's see how a policy rule is configured and what objects are used to create that match in each rule. There is always the implicit deny rule found below all other rules, that is, if your firewall does not find any match for the traffic, the traffic hits the implicit deny rule and is dropped. So when we start configuring our firewall rule we have, as we said, an implicit deny rule at the bottom, and from there we start setting up the different criteria that will be compared to your traffic.
Now we start with the name of the rule itself. As for naming conventions, don't use too many characters, don't use spaces between words, try to use underscores. The second thing is the incoming interface. What is the incoming interface? Well, that's the interface your local area network is connected to, or your DMZ is connected to, whatever interface the traffic is coming from. The next criterion is the outgoing interface, so typically in a full-access rule that is your WAN interface, when you configure your rule to allow traffic from the LAN to the WAN and the Internet, but it can also be another segment of your company, another LAN, it can be the DMZ. The incoming interface is known as the ingress interface and the outgoing interface is known as the egress interface, so we have two interfaces, the ingress interface and the egress interface. From there we move to the source: what is the source that generates the traffic? Well, it can be almost any source, which is any IP address, or you can use what is known as firewall objects, a specific IP address within your local area network. It can also be a user or a group of users, which is saved in the internal database of your firewall or on a remote authentication server like LDAP or a RADIUS server. Another criterion is the destination: what is the destination your traffic is going to? It can be any destination, i.e.
any available IP address, it can be a specific IP that you configure, or it can be a domain, or maybe an Amazon Internet service. So make sure you are granular, don't just use any or all, be specific. If you are setting up a full access policy that will allow anyone to access the Internet, then it will probably be all; if you are setting up a specific destination, make sure you create those objects ahead of time and use them in your rule. Next is scheduling: do you want your policy to work 24/7, or do you want it to work on specific hours, specific days, recurring days? You will probably have cases where you will be asked to open a firewall rule for specific devices on your local area network.
It could be a backup device, it could be network-attached storage; make sure you know at what time those devices need that firewall rule. Next is the service, that is, what protocols are used in your firewall rule. Are you using only HTTP, HTTPS and DNS, i.e. port 80, port 443, port 53, or are you allowing your employees to access almost anywhere using any protocol out there, including FTP, SSH, etc.? Again, be careful about the services you allow. And the last thing is the action: are you denying or are you allowing traffic based on that match? Now, actually, this was just the first part of the policy or rule.
The next thing, once you have a match, is to go through the security profiles, that is, antivirus, application control, IPS, etc. The other things you'll need to consider are whether you're using network address translation and whether you're logging all sessions or just security events. If you watch my channel you will find dozens of videos related to security profiles and other features of your firewall, so review, subscribe and see you soon.

There are times when we need to customize our own IPS and application signatures. The quick guide to creating your own signatures is coming right up.
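The full-access rule discussed above, assembled from the criteria in the order the text lists them, as an added example rather than the video's own configuration. The interface names port4 and wan1, the address object Finance_LAN, the schedule Business_Hours, the service group Web_and_DNS and the "default" profile names are assumptions for illustration.

```text
# Added example (not from the video); object names are assumptions.

# Source object: one subnet instead of "all", so the rule stays granular.
config firewall address
    edit "Finance_LAN"
        set subnet 10.0.7.0 255.255.255.0
    next
end

# Schedule: only during office hours, Monday to Friday.
config firewall schedule recurring
    edit "Business_Hours"
        set day monday tuesday wednesday thursday friday
        set start 08:00
        set end 18:00
    next
end

# Service group: web and DNS only (ports 80, 443, 53), not ALL.
config firewall service group
    edit "Web_and_DNS"
        set member "HTTP" "HTTPS" "DNS"
    next
end

config firewall policy
    edit 1
        # Short name, no spaces, underscores.
        set name "Finance_to_Internet"
        # Ingress (LAN) and egress (WAN) interfaces.
        set srcintf "port4"
        set dstintf "wan1"
        set srcaddr "Finance_LAN"
        # Internet access: any destination is acceptable here.
        set dstaddr "all"
        set schedule "Business_Hours"
        set service "Web_and_DNS"
        set action accept
        # Second part of the rule: NAT, security profiles and logging.
        set nat enable
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        # Log all sessions, not only security (UTM) events.
        set logtraffic all
    next
end
# Traffic that matches no policy falls through to the implicit deny at
# the bottom of the list and is dropped.
```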
When we talk about an intrusion prevention system, we talk about an engine that compares the traffic with known threat signatures and anomalies. Now, every time the IPS engine alerts us, it is our responsibility to block, monitor or allow the traffic. Signatures allow us to identify malicious attacks, and the question that arises is: why do we need to create our own custom signatures? Fortinet has already provided us with thousands of signatures.
There are two main reasons. First, sometimes we use a specific application, our own toolset or our own custom topology for our needs, and we need to create custom signatures to match it. The second reason is attacks that somehow don't have a signature yet. So how do we create one? Let's go to the IPS sensor page, Signature view, and then create a new one. The following signature is probably the most basic. If you want more advanced signatures, please leave a comment in the comments section. Our first signature will allow us to block the cnn.com website.
There are dozens of ways to use our web filter or application control to do this, but we're here to learn how to customize our own signature, and that's a good start. Now, each signature starts with a header. The header of each signature starts with F-SBID, that's the header text, and then we open parentheses. Inside the parentheses we enter the signature matching criteria. Those criteria are described using a keyword and a value; you can use only one keyword and one value, or, if you are using several keywords, you separate them with a semicolon. The first keyword is usually the name of the signature; we have to give our signature a clear description of the attack. Then we define what triggers the signature in the attack: what type of protocols we are analyzing, the flow of packets, the number of packets we are looking for, matches in the traffic itself; we match based on specific headers, specific patterns, thresholds like in rate-based engines. For that we use keywords, for example two of them, service and protocol. In the service we determine, as in our case, that the service is HTTP, since we want to block a website. In the protocol we can specify whether we use TCP, as most websites do, or maybe we plan to block our site not only for users who use TCP in their browser but also for users who connect to that website using different protocols like FTP. Each keyword should start with a couple of dashes. Another keyword is flow, which is the flow of the traffic: is it coming from the server to a client, or from clients to a server, or maybe it is bidirectional? In our case we want to block any user; our clients cannot go to a web server, which is the cnn.com web server. There are many more parameters and patterns we can add, but this is the basic syntax we use to customize our signature.
So let's try one right now. Let's name our IPS signature, add some comments, and we'll start with F-SBID and open the parenthesis.
Now let's choose a name for the custom signature, and our name will be Block.CNN.com. What we need to do is add a pattern; we will use a regular expression pattern, which is cnn.com, and now our FortiGate will detect the URL, and as we add the service, which is HTTP, it will know to only look for that specific pattern over the HTTP protocol. Note that we separate the different keywords with a semicolon. Now we will configure the protocol, which is actually the traffic type; the FortiGate will only detect this signature in TCP traffic, that is, if we send mail to that URL over SMTP or connect to that URL via FTP it will not do anything, it will just block the website over HTTP traffic. By default the patterns are case sensitive, so if we want the FortiGate to block any attempt to reach that URL using upper or lower case, we will use --no_case. Now let's limit the scanning only to the traffic that is sent from the client; we could also use bidirectional, but in our case we will use --flow from_client. And the last thing you need to do is add --context host, which matches the domain name in the HTTP Host field (the name, not the IP address it resolves to via DNS). So that was our basic signature; now, if you want us to create more detailed, more complicated signatures, just leave a comment in the comments section and I will do it.
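The Block.CNN.com signature built above, entered from the CLI instead of the GUI Signature view, as an added example that is not part of the video. The custom signature name Block_cnn and the --attack_id value 7001 are assumptions (attack_id must be unique per custom signature; pick any unused number).

```text
# Added example (not from the video). "Block_cnn" and attack_id 7001 are
# assumptions. Keywords inside F-SBID( ) are separated by semicolons.
config ips custom
    edit "Block_cnn"
        # --protocol tcp    : only TCP traffic (SMTP/FTP to the name is ignored)
        # --service HTTP    : only the HTTP service decoder
        # --flow from_client: client-to-server direction only
        # --pattern/--no_case: literal match, case-insensitive
        # --context host    : match in the HTTP Host header, not the whole packet
        set signature "F-SBID( --attack_id 7001; --name \"Block.CNN.com\"; --protocol tcp; --service HTTP; --flow from_client; --pattern \"cnn.com\"; --no_case; --context host; )"
        set comment "Client HTTP requests whose Host header contains cnn.com"
        # Default handling; the sensor that uses the signature can override it.
        set status enable
        set log enable
        set action block
    next
end
```

The signature only takes effect once it is added to an IPS sensor, as in the Signature view described above, and that sensor is applied to a policy.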
In this video we will show you the top 5 IPS commands for your FortiGate, and we are starting right now. The inclusion of IPS in your FortiGate is one of those things that makes your FortiGate a next-generation firewall: it deals with exploits, it deals with anomalies, the IPS engine is almost everywhere. So let's start with our first command, which is config ips global. There are FortiGate models that also support the extended database, which includes many more signatures, so check it: set database, and you can use the regular one or the extended one, so if you have the extended one, don't hesitate to use it. When we create or configure IPS sensors we should plan them carefully. Why? Because they consume many resources of your FortiGate in terms of CPU and memory. Now, every time you go to the IPS signatures page and add signatures, think about two main things. The first is operating systems: if you are using a Windows-based network, do not choose any signatures that are related to macOS or Linux. The second thing is the direction of traffic: if you are protecting clients, only use signatures that are intended to protect clients; if you are protecting servers, do the same. The following command is for those running a FortiGate with multiple processors: you can actually run multiple IPS engines simultaneously, so how do you do it?
Go to your CLI, config ips global, and set engine-count. If you set the integer to 0, the FortiGate will choose how many engines should be used simultaneously, but you can also change it according to your needs. Your IPS engine needs as much power as it can get. Many FortiGate models support hardware acceleration, either using the NP ASIC or the CP ASIC. Mine uses the CP ASIC, so why not give it to the IPS? Use config ips global and then configure it; in my case it is the CP, so set cp-accel-mode. For those that support NP, just use np-accel-mode. Set it to basic or none, or, in this case, advanced mode, which supports more IPS patterns. Your IPS engine consumes tons of memory and CPU cycles, so if you see spikes in your FortiGate due to high CPU usage etc., you can run diagnose test application ipsmonitor, and there you will see different tests you can do on your IPS engine: you can disable it completely using option 2, or you can toggle the bypass status, which actually means that the IPS engine runs but does not analyze the traffic. So play with those options whenever you have problems with your IPS engine, and before finishing, subscribe to receive more videos like that.

So you have decided to take the NSE 4 exam. Now what do you do? How do you practice? What do you need to know? Well, in this video we will see the best tips to prepare.
The first tip is to be practical. Leave out exam dumps; apart from the study guides, go to the Fortinet support site, download one of the VM images from the latest builds, open it in the browser of your choice and start playing. Create new interfaces, configure the different services on that interface, create new policies even if you don't have any other machine to play with. Think or dream of different use cases, like: anyone in your company is prohibited from using FTP traffic except for a specific device. How is that policy configured? How do you create a firewall object for that device?
So think carefully and play with different use cases. The third thing: play with security profiles. Configure new profiles, understand how they work, apply them to your policies and understand how they actually work, whether in flow-based or proxy-based inspection mode. The theory behind those two is crucial to understanding how security profiles work. The second tip is to understand the terms. Go to your command line and list the sessions. Once you do, you will see so many terms in the output that can be scary the first time: what is proto number six, what is state number six, what does source shaper mean, what is the serial of that session, what is an NPU. Understand the terms, understand how sessions work on your FortiGate; your FortiGate is a session-aware firewall. Also understand the different numbering for different protocols: TCP is protocol number six, UDP is protocol number 17, ICMP is protocol number one. Each has different states, so understand the numbering, and you will see more terms like fail-open or dirty, many terms that you need to consult the Fortinet documentation to understand, as in the exam itself you will probably see outputs with those terms.
Understanding the basics actually means that you need to know how the different components of your FortiGate actually work. If you play with antivirus, you have different databases; just clear the screen, config antivirus settings, and now you can configure the different databases using the command line. Are those databases downloaded locally to your FortiGate or are they using some cloud repository? The same happens with the web filter: if you are creating a new profile, you have the FortiGuard category-based filter; is it a database being downloaded or is it a cloud repository? Another example is the routing table: if you look at the routing table using the CLI with get router info routing-table, does the routing table take precedence over the policy route, or maybe the policy route has precedence over the normal routing table? So these are the basics; understand them, as you will probably have some questions related to those topics in your exam. You will probably also face some network troubleshooting questions, so look very closely at the topology shown, look at the different IP addresses, look at the subnets, look at the classes, try to understand if that topology makes sense. You will probably also face some outputs like diagnose debug flow or a packet trace; analyze what the reason is. It may be a network problem, it may be a policy problem, it may be that you just don't have any static route to the destination, so look around closely and understand the topology before answering.

We tend to forget, but your FortiGate can actually work in transparent mode and act as a switch, a device with a single broadcast domain and its management IP. So you can set the operating mode to either NAT, which is layer 3, or transparent, which is a layer 2 device. You will be asked questions about VLANs, you will be asked questions about the virtual wire pair, you will be asked questions about your FortiGate as a device that sits between two segments of the network; it does not do any routing but only
scans the traffic that passes through, so know your way around when your FortiGate works in transparent mode as a layer 2 device. Your FortiGate is also part of a security fabric with multiple components on the network itself; you won't have to answer questions regarding FortiAnalyzer or FortiManager, those are different components and have their own certification, but you will need to understand how load balancing works, what SD-WAN is, software-defined WAN, and how to prioritize traffic based on load-balancing algorithms or according to different SLAs, service level agreements.
Whatever you believe, you will also need to know what HA is. High availability is how you actually create a redundant FortiGate alongside your main FortiGate. You can create it in active-active mode or active-passive mode. Understand priority, to create a master FortiGate and a slave FortiGate, and understand how sessions are distributed between those components. Remember that your FortiGate is a network device, and as such it will have its redundancy and load-balancing algorithms in place, which you need to excel in. One of the main roles, or main tasks, that your FortiGate performs is to authenticate users as they enter the network.
Now you will need to understand how a user is created, how to connect to remote authentication servers like LDAP or RADIUS, what single sign-on is and how it is created, what a proxy is, what an explicit proxy is and what a transparent proxy is, how proxy settings are passed using a PAC file, and what an authentication rule is. Understand the purpose of authentication, understand what is needed to authenticate different users using passive authentication or active authentication. You will probably be asked about it throughout the exam, so make sure you fully understand the nature of authentication.

Every time a ping, an ICMP request, is sent from one of your FortiGate interfaces or sources, it uses default settings.
The default is five times, that is, the packet is sent five times, a data size of 56 bytes is sent at an interval of one second, and it has a timeout of two seconds. Let's see how we can tune your ping settings. Ping, an ICMP request, is probably one of the most used but simplest network troubleshooting tools, so let's tune our ping configuration and see what can be done. We'll start with execute ping-options and then we'll use view-settings so we can see what our default ping settings are. We can see we have a repeat count of five, a data size of 56 bytes and a timeout of two seconds; currently the interface is auto, which means it actually consults our routing table and uses the best route.
We have an interval of one second, that is, your next ping will be sent one second after receiving the echo response. You can use the adaptive setting, which we will do very soon, to see that you can actually send the second or third ICMP request immediately when the ping response comes back. The time to live is 64 hops. Let's see if we have more interesting things here; no. The second thing we can do is look at the ping options and see what they are: we can configure adaptive ping, we can configure different data sizes, we can configure the DF bit, which is a parameter in the IP header, we will see that, and we can configure the interface that the ping will be sent from; we will use our marketing interface and send the ping from there.
We can configure the hexadecimal pattern of the ping; in fact, we can add different characters to fill the empty space in our ping payload. We will see that as well, and yes, we can configure the source, the timeout and more. So let's start with a simple ping to Google, okay, that's google.com, and that one works. Now we'll do the same with Google's DNS server and see if we have DNS that resolves it. It also works great. Now, um, let's close that for a minute and move on to my Ubuntu device. Okay, my Ubuntu device is on the marketing interface. Let's go back, let's log in, okay, so let's start by pinging my Ubuntu device, which is at 10.0.4.9. Everything is going fine; you can see I have a very large ICMP packet, let's see what the reason is by running the ping options. You know what, let's do something else: once you have settings that are not your default settings, remember the default is 56 bytes,
you can reset them using execute ping-options reset. Now let's send the same ping again and see why it says 64 bytes here. Remember your data size, your ICMP size, is 56 bytes, and you have an 8-byte header for the ICMP packet. What you see here is actually the payload itself plus the header, which is 56 plus the eight-byte header. Let's look again at how we change the size of the data; this is how we change the data size, let's set it to 128 bytes. And now let's change another setting, which is adaptive ping. Your ICMP request is sent at a one-second interval.
You can now change it to be sent immediately as soon as the ICMP response arrives. To do that you have to choose enable. Another setting is the DF bit. What is the DF bit? DF means don't fragment, that is, do not fragment the packet even if it is larger than what the interface is supposed to accept. So if you have on the other side an interface with an MTU of some value X and your ICMP packet is bigger than that, then your ICMP packet can be dropped, so be careful how you use the DF bit; let's keep it at no. Now let's see what the effect of adaptive ping is compared to the normal settings.
So let's just run the ping, let's use a repeat count of 20 packets and run our ping to Google, sorry, google.com. Okay, so you can see we now have a one-second interval. If we're going to use the adaptive ping option, let's enable it, let's send the same ping, and you can see that you're actually getting kind of an ICMP flood; it's not hundreds of packets per second, but still much faster than the usual interval.

So you've got your new FortiGate and you need to set it up, so here's a quick setup guide. Your new FortiGate comes with a preconfigured port at IP address 192.168.1.99, so you can manage your FortiGate using the command line or using the graphical user interface.
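The ping-options sequence walked through above, in the order the video uses it, as an added example and not a transcript of the author's session. The interface name marketing and the target 10.0.4.9 come from the text; the order of the option lines is my own.

```text
# Added example (not from the video). Interface "marketing" and 10.0.4.9
# are the names used in the text.

# Show the defaults first: repeat 5, data size 56, timeout 2 s, TTL 64,
# interval 1 s, interface auto.
execute ping-options view-settings

# 128 bytes of payload; on the wire you will see 128 + 8 (ICMP header).
execute ping-options data-size 128

# 20 probes instead of 5.
execute ping-options repeat-count 20

# Source the probes from the marketing interface instead of letting the
# routing table pick the egress.
execute ping-options interface marketing

# Keep DF off: with df-bit yes, a payload larger than a downstream MTU is
# dropped instead of fragmented, which looks like packet loss.
execute ping-options df-bit no

# Send the next request as soon as the reply arrives (no 1 s wait).
execute ping-options adaptive-ping enable

execute ping google.com
execute ping 10.0.4.9

# Back to the defaults once the test is done, so later pings are not
# oversized or sourced from the wrong interface by surprise.
execute ping-options reset
```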
We'll do this using the GUI, the web-based manager, so take your client, which is your PC or your Mac, change the subnet to something on the 192.168.1 subnet, it could be 1.10 or 1.11, connect your client to port1 on your FortiGate and just open your web browser to the address 192.168.1.99. When you do, let's go ahead and see what happens. In your browser, type the IP address of port1 and enter your administrator credentials. Now, if you have an older model, you would just use admin as a username without a password; on newer firmware you will need to enter a password, and I already set one, so let's go into our FortiGate and from here move on to System, Settings.
The first thing you need to do is change your hostname. It may not seem important, but if you have multiple FortiGates, one of them protecting your data center and one of them blocking users in another department, you will need to know which FortiGate did what, so let's just name our FortiGate Marketing so we know it protects our marketing division. The second thing we need to do, as a best practice, is to use FortiGuard NTP to make all devices synchronize. Now you can configure different admin settings like the HTTP port, which you will probably keep at port 80, and HTTPS, which is 443.
The other thing you can do is customize and change your language, whether to English, French, Spanish, etc., and you can also change the theme of your FortiGate, and you will see the theme change immediately. Now let me use this one, since it looks much more modern in my opinion. We won't go into NGFW mode, whether profile-based or policy-based; that will have to wait for another video. Um, let's continue with the email service. You can use the custom configuration, which is FortiGuard's SMTP email server, or you can use your own SMTP server, and you will find that you use your SMTP email server more and more as you practice with your FortiGate.
The other thing you can do is head to FortiGuard, and in FortiGuard, under Antivirus and IPS updates, enable the option to accept push updates, so no signature pushed by the FortiGuard servers will be missed. The other thing you can do is server location: use lower-latency locations. It's good practice to do this if you're not in the US. So those are the default settings. Now if you go to Administrators, remember you are the admin of your FortiGate, you can edit your admin profile, add your email, add two-factor authentication, and you can also add what is known as a trusted host, which means that only administrators connecting to the FortiGate management interface from one of the IP addresses you configure will be able to log in, so you can configure your trusted hosts with your IP address at work and your IP address at your home location.
You can also set up a new administrator, and you can add a prof_admin administrator who will take care of different areas of your FortiGate. Once you configure your settings and your administrator profile, you can add more interfaces, the ones that are connected to your WAN and your other LANs. I have a ton of videos that will show you how to do it. And the other thing you'll need to do is create a static route, a default route, that will direct the traffic, the packets that need to go out, to the interface with your gateway.
That's the interface connected to your WAN. Okay, so this was a quick setup guide; from there you'll probably move on to policies and create your own policies, customize your interfaces, customize your settings, your logs and reports, create security profiles, etc.

This video is about setup tips for your FortiGate, and we are starting right now. One of the most common questions I get every time is: how do I set up my FortiGate?
I'm currently not interested in any intrusion prevention system sensors, I'm not interested in IPsec VPNs, I just have several interfaces connected to different VLANs and I need to configure my FortiGate for really basic operation. So in this video we will look at the basic configuration; as you know, my channel has tons of videos that go into different aspects of your FortiGate. So the first thing is to configure your administrative profile. You are probably the super admin of your FortiGate, so be sure to connect through a trusted host. If you need to set up a new administrator, perhaps a prof_admin administrator who will be responsible for another virtual domain or different aspects of your FortiGate, do it. The next thing you need to do is move on to the network interfaces.
You probably have different VLANs connected to different interfaces on your FortiGate. On each interface, don't forget to write an alias; this will help identify which LAN belongs to which interface. Use specific rules for specific interfaces, use administrative protocols carefully, don't let anyone ping that interface if it's not needed. Use the DHCP server and use DHCP server scopes so you can create different DHCP options for that local area network. You can block specific MAC addresses from receiving IP addresses, and use device detection and active scanning; you want to know which devices initiate traffic on that interface. Now the next thing you need to do is create or configure
the static route that will lead to your ISP. This is usually created as the default route, which actually means that any packet destined for anywhere that does not have an entry in the routing table must be directed towards a specific gateway, usually your WAN gateway. The next thing you do is Policy and Objects, which is the bread and butter of your FortiGate firewall; it is where you create rules that match any traffic coming in or out of your FortiGate. Assuming a rule matches the traffic, you have two decisions: the first is to accept, the second is to deny. Now you can create different policies according to different topologies. The basic policy is the full access policy that allows the local area network to access the Internet through the WAN interface, so the incoming interface can be almost any LAN in your network, the outgoing interface is the WAN, the source can be devices or different users, but suppose we deal with almost any source; the destination can also be a specific destination, but suppose we allow any destination.
You can configure different schedules and services; again, you can deny specific protocols, but for our case we will allow any service. Now, the learning policy is another matter; I've made a video specifically about that, but that's not the topic right now. When the FortiGate matches the traffic, the next decisions are: are we going to block the traffic, are we going to capture the traffic? That is also very, I would say it is not difficult, but it is a tricky topic to understand, and then it involves the security profiles, which can be antivirus, web filtering, IPS, etc. And our last configuration is to move to Log and Report and see what happens in your FortiGate.
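The administrator, interface and default-route steps of the basic setup described above, as an added example that is not the video's own configuration. The trusted-host addresses 203.0.113.10 and 198.51.100.0/24, the second account helpdesk, the interface address 10.0.4.1, the interface names port4 and wan1 and the ISP gateway 203.0.113.1 are constructed placeholders.

```text
# Added example (not from the video); all addresses and the account name
# "helpdesk" are constructed placeholders.

config system admin
    edit "admin"
        # Only these sources may reach the management interface as admin:
        # your work address and your home address, as in the text.
        set trusthost1 203.0.113.10 255.255.255.255
        set trusthost2 198.51.100.0 255.255.255.0
    next
    # Second administrator with a narrower profile than super_admin,
    # also pinned to a trusted host.
    edit "helpdesk"
        set accprofile "prof_admin"
        set trusthost1 203.0.113.10 255.255.255.255
        # Placeholder; replace before use.
        set password "REPLACE_WITH_A_STRONG_PASSWORD"
    next
end

config system interface
    edit "port4"
        # Alias so the LAN is recognisable in logs and the interface list.
        set alias "Marketing_LAN"
        set ip 10.0.4.1 255.255.255.0
        # Administrative access limited to HTTPS and SSH; ping is left off
        # on this LAN because it is not needed here.
        set allowaccess https ssh
        # Learn which devices originate traffic on this segment.
        set device-identification enable
        set role lan
    next
end

# Default route: anything without a more specific routing-table entry is
# sent to the ISP gateway on the WAN interface.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
    next
end
```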
Now a lot of things happen: every time traffic comes in and out, every time an administrator logs in to one of the interfaces, whenever a VPN tunnel starts or stops working. You need to maximize your understanding of what is happening on your network, and the best thing you can do is look at Log & Report and understand the baseline of your network. Your connection begins with a DNS request and response, then the TCP three-way handshake comes, and when it finishes it sends an HTTP GET request. The basic denial of service attack works on the TCP three-way handshake, which starts when the client sends a TCP SYN, the server sends a TCP SYN-ACK, and then again the client sends an acknowledgment, a TCP packet with the ACK flag set.
Now, in a denial of service, a hacker sends a TCP SYN. The server returns a TCP SYN-ACK and the hacker does not return the TCP ACK. That connection is known as a half-open connection. Now it has limitations in terms of time, it has limitations in terms of server buffering, but when that happens quite quickly our server will not accept any more connections. So what should you do, and how do you protect your servers from SYN flood attacks? Half-open connections happen all the time. They can occur due to congestion in the network, due to poor connectivity.
It even happens due to different applications behaving like this, but you can limit timers: how long your server will wait for the TCP acknowledgment of its SYN-ACK. So let's see how we do it. We go to the CLI, config system global, and now you can configure the TCP half-close timer and half-open timer. The half-close timer actually tells our FortiGate that it can terminate sessions that are waiting for TCP packets with the FIN flag set. Now the half-open timer just waits for the TCP ACK coming from the client, the last step of the three-way handshake, so you can set different timers depending on your network behavior. Another thing you can do is go to Policy & Objects, IPv4 DoS Policy, just choose your interface, it will probably be the WAN interface, and there you can set tcp_syn_flood, which sets the maximum rate of SYN packets per second. Currently the threshold is 2000; you can set it to 1000 packets, you can set it to 500 packets, you can set it to more, it all depends on the behavior of your network, the behavior of your server. You know it better than anyone: two clicks, a minute, and that's it.
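The two half-open protections from the passage above in CLI form, as an added example rather than the video's own commands. The timer values and the 1000 packets/second threshold are assumed numbers chosen to be tighter than the FortiOS defaults (120 s half-close, 10 s half-open, 2000 for `tcp_syn_flood`); `wan1` is an assumed interface name. The `tcp_syn_flood` anomaly counts SYNs toward a single destination address per second, so the threshold is set from what your busiest server legitimately receives, which is the baseline you get from Log & Report.

```fortios
# Session timers: how long the FortiGate keeps a session that has not completed
# the handshake (half-open) or has not finished closing (half-close)
config system global
    # seconds to wait for the client's final ACK before dropping the session
    set tcp-halfopen-timer 5
    # seconds to wait for the remaining FIN/ACK after one side has sent FIN
    set tcp-halfclose-timer 60
end

# DoS policy on the Internet-facing interface, rate-limiting SYNs per destination
config firewall DoS-policy
    edit 1
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                # log first so the hit count can be compared with the baseline before blocking
                set log enable
                set action block
                # SYN packets per second to one destination; default is 2000
                set threshold 1000
            next
        end
    next
end
```

A sensible rollout is to start with `set action pass` and `set log enable`, watch the anomaly log for a few days, and only switch to `block` once the threshold sits clearly above normal peak SYN rates; a threshold below the baseline turns the protection into a self-inflicted outage.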
Now, how to configure your interface using the command line. This is probably one of the most used commands; it is my most used command. config system interface actually configures the physical interfaces or the virtual interfaces in your FortiGate. You can do it in the graphical user in