NSE4_FGT-6.4 Fortinet NSE 4 – FortiOS 6.4 – FortiGate Firewall V6.4

January 25, 2023

30. Lecture-30:FortiGate Firewall DHCP Server Theory.

Today our topic is DHCP: how we can configure DHCP on a FortiGate firewall. DHCP means Dynamic Host Configuration Protocol. The name suggests it: dynamic means dynamically, host means the device which is connected to the network, configuration means it will configure something, and protocol means a set of rules and regulations. So it means this protocol will dynamically configure the host automatically, and the configuration it delivers can be the IP address, subnet mask, default gateway, DNS and so many other details which we call options. These are the DHCP options, like 2, 3, 4, 5, 6, 7 and so on; for example, if you want to configure NTP you can use option number 41. Okay, I told you this in CCNP as well, for the students who were there. So basically DHCP not only provides the IP details, but it can provide the gateway, DNS, extra DNS and so many other details like a TFTP server, a wireless LAN controller and so many things you can use DHCP to provide to the host. And a host is nothing but the device which is connected to your network. Okay? So this is DHCP. Now, you will find DHCP everywhere, starting from your home.

You know your WiFi: when you go home you directly connect your device without typing any IP or anything. So how are you connected? Basically the device is using DHCP. So from home to the enterprise network you will find a DHCP server everywhere, okay? Normally, in the enterprise you will see DHCP on Windows Server, which I will show in the lab, because in the real world nobody is using a FortiGate firewall, or a Palo Alto firewall, or a Juniper or any other router, as a DHCP server. But you can: if you have a small organization, then you can use it, I'm not saying that you cannot, but in a big organization you will normally find a dedicated DHCP server, either a Linux one or, most of the time, 80% of the time, you will find Windows Server.

Even so, you can make a router a DHCP server, you can make a switch a DHCP server, you can make any firewall a DHCP server, okay? And you can make Linux a DHCP server. So this is Dynamic Host Configuration Protocol. Now, DHCP is UDP based. We know UDP, User Datagram Protocol; normally there are two categories, one is UDP and the other is TCP. DHCP is using two ports, which I will show you in Wireshark if I remember: port number 67 and port number 68. The client is using 68 and the server is using 67. Normally our applications are using only one port, and the source port is always random, but in this case they have two fixed port numbers. Compare this with accessing HTTP: your source port will be random and your destination port will be 80, 443 and so on. Okay? Now with DHCP, basically we create a pool in the DHCP server.

This is my pool. Apply this pool to whichever hosts are connecting, and when they request, provide them all these details. So we call it a pool, which is nothing but a range. Okay, DHCP is working on the application layer of the OSI model, which we call layer seven. Okay, so a FortiGate can be configured as a DHCP server, a FortiGate firewall can be configured as a DHCP client, and a FortiGate firewall can be configured as a DHCP relay agent; we will see all three. Okay, so you will see DHCP everywhere from your home to a big organization, and not only the domain name, gateway, subnet mask, WINS server, DNS, TFTP, wireless LAN controller; so many things you can apply through DHCP. Okay, so this is DHCP. Now why do we need DHCP? This is the thing. Definitely your management will be easy. All the IPs will be managed by DHCP, rather than going to every system and typing the IP address in every host, in every device, in every server; it is a difficult task to maintain, and as a human you can make a mistake, there can be errors, and then there will be conflicts between IP addresses. It's better to use DHCP to do everything for you dynamically. And this is a centralized system where you can configure everything, and you can even see who is connected to your network: what is the MAC address, what IP address has been assigned to them. You can reserve IPs as well. You can renew IPs as well. You can remove IPs as well. You can block an IP address, you can block based on MAC address, you can block by hostname; so many things you can do with DHCP which are very difficult to do manually, going to every system to reuse an IP address. You will see which IP has been used and since when it is used, you can renew the IP, you can release the IP and so many things. So that's why we need a DHCP server, to make things easy for us. Okay, now coming to, as I told you, the FortiGate firewall can be configured three different ways, the first as a DHCP server.

Then what is a server? A DHCP server means the one which is giving IP addresses and all the details which I mentioned above; so many details you can give through the DHCP server to the client, so the host will receive those details. So it means the FortiGate firewall is playing the role of DHCP server. We will configure DHCP on the FortiGate and whenever somebody connects to any zone, they will get their IP automatically from the range under that interface. Okay, so this we call the DHCP server. Another thing is the DHCP client. So we can make the FortiGate firewall a client as well, to retrieve and obtain the information from another DHCP server. So it means the FortiGate can be configured as a server, and client means it will retrieve the information from another DHCP server to configure its own interfaces, so it will play the role of a client. And the client is using port number 61. Okay? Then the third one is DHCP relay.

What is DHCP relay? It's like an agent, needed whenever there is a layer three device in between. A layer three device always divides the network and will not forward broadcast packets; every layer three device, it can be a router, it can be a firewall, it can be a layer three switch as well. So whenever a layer three device is sitting between the DHCP server and the host, your DHCP packets will never reach the client. Why? Because layer three devices do not forward broadcast packets. Now where do broadcast packets come into the story? All the packets of the DORA process, which is done between the DHCP server and the client, DORA: Discover, Offer, Request and Acknowledgement, which we will see in Wireshark, all four of these packets are always broadcast. The client's request is a broadcast and the server also gives the IP details in a broadcast. A switch can forward broadcast packets, a hub can forward broadcast packets, any other such device can forward broadcast packets. But when there is a layer three device like a FortiGate, like a Palo Alto, like a Juniper, like any other firewall or a router, it will terminate the broadcast there. So in that case we need to configure that device as a DHCP relay agent, so it will convert the broadcast into unicast and forward it between the host and the server.

Then it will take the broadcast, make it unicast and give it to the server, which we will see again in Wireshark. I showed you this on the Cisco ASA firewall as well, and I showed you on the Palo Alto firewall as well, so those students who are my old students already know. But anyway, I will show you here as well. So this we call DHCP relaying. Now coming to those four packets which I was talking about. When a client is requesting, when you connect a client configured as a DHCP client, what does it do? It will send and receive packets, and they will exchange some information and messages. Those four messages we call DORA. D, discover, means the client will discover: it will send a broadcast packet asking, is there anyone to give me an IP and the details like DNS, domain, WINS server or any of that stuff, is anybody there to give me all these details? So this packet will be broadcast. This is the MAC address; a broadcast packet always has this one. I will show you as well.

If we go here and say broadcast, this is broadcast. So you can see the MAC address of a broadcast packet is always ff:ff:ff:ff:ff:ff; if you convert this from hexadecimal to decimal it becomes 255.255.255.255, and if you convert that from decimal back to hexadecimal you get this. So that's why the broadcast MAC address (MAC means Media Access Control, the physical address, okay?) looks like this. And the packet size is normally this one. Again, we will see it in Wireshark: the source has nothing, the system has no IP, so it will broadcast using an all-zero source IP. If anybody is there to give me the IP and the details, then the server will reply. We call that the offer message. Again, this packet is normally 342 bytes with broadcast MAC address and broadcast IP. The server will say, yes, I can offer you the IP address. So this is called the offer. Okay? Then the client will send a request: yes, I agree. Again, the client doesn't have the IP yet; the server only offered it, it didn't give it yet, they are just negotiating, and again it will be a broadcast and the MAC address will be broadcast. Why am I showing you this? Because of the relay agent. When we do the relay agent, you will see these packets will not pass the firewall. So after the request, the server will send the acknowledgement. It will say, yes, let me give you the IP and the details. So this is called the acknowledgement message, so altogether we call it DORA: Discover, Offer, Request and Acknowledgement. And this way, after four messages, the client will receive the IP address and the details.

Okay, so how can we configure them? Under the interface there is a DHCP server section where we assign a range. Which range can we assign? You can create three ranges, differently: when you click on the plus button it can come two more times, so you can create three different ranges. Netmask is definitely the subnet mask. Which gateway do you want to assign? It can be the interface IP, whatever interface IP you configured, or you can specify one. Which DNS server do you want to assign? Same as the system DNS, or the interface IP as DNS, or specify; it's up to you. Lease time is for how long, in seconds, this IP will stay with the host; when these seconds are completed it will be renewed automatically. Okay, and if the system is not there any more, the lease will be washed out and the IP will be given to someone else. So this we call the DHCP lease time. Okay, then there are some extra settings as well: which mode do you want to use? This mode can be server or relay, which we will do both, but right now I'm using the FortiGate firewall as a DHCP server. Okay, so there are two modes, relay, which I told you about, and server, and the type is regular or IPsec. Normally you will see regular; IPsec is normally for dial-up VPN.

This IPsec type is not for the IPsec VPN itself; there is a dial-up VPN which we will cover when we go to VPN, so I will show you there. That one is for IPsec dial-up clients. NTP, Network Time Protocol: if you want to give the time as well through DHCP, which I told you, so many things you can configure. Wireless LAN controller: again, you can specify either the interface IP as the wireless LAN controller or specify one. Time zone: which time zone you want to give. And next bootstrap server means any backup DHCP server.

So you can put that as a backup DHCP server in case this DHCP server is down. And then there are the additional DHCP options, which is a huge list. Suppose you want to give a TFTP server so the IP phones can get their details, the ringtone and everything; then you have to configure, what is it, FTP, TFTP? Yeah, this one, 66. You have to type option 66. So DHCP has so many options; it gives you more variety to configure and give to the client. So you can configure from Additional DHCP Options, Create New, and put in the details, which we will see later. Besides this, DHCP has other settings: maybe you want to filter by MAC address, reserve an address, block someone and such things, so you can do extra stuff. By the way, that is done from here, not from here; it is under the options command. Okay, so you can do it from here, the IP address assignment rules. You can do so many things from here. So I already told you all these things; you can see them from here. So let's do it in the lab now.

31. Lecture-31:FortiGate Firewall as DHCP Server Lab.

Let's do DHCP relay: how we can configure the FortiGate firewall as a DHCP relay. What is DHCP relay? It is for when your DHCP server is available in one subnet and your host is available in another subnet. So what will happen? The DHCP server and client are sending all the packets as broadcast, which we saw; by the way, it's still there. All the packets are in broadcast, and none of the layer three devices will pass these DHCP messages to the host, because all of them are broadcast. So they will be destroyed here. So what we need to do is configure this FortiGate firewall as an agent: look, when you are the agent between the host and this DHCP server, okay, you cannot pass the broadcast, but you can convert it to unicast and give it to the host, and take the details and give them to me, like a broker. So we call it a DHCP relay agent. This is the job it will do. So, if you have a scenario where your DHCP server is available in another subnet, like in this topology: my DHCP server is in the LAN, the inside, which is connected to the 192.168.1.x range, but my client is available in the DMZ. I want to configure this DHCP server to give IPs to all these zones, like DMZ one, maybe DMZ two, DMZ three, maybe some other zone. So yes, it's possible: configure scopes in this DHCP server for every subnet differently, one for this subnet, two for the other subnet, three, four, five. And what is the real-world scenario?

Okay, here I'm giving you one example, but in reality there will be many: there are many zones and the DHCP server is one. So what we will do, we will configure this FortiGate firewall as a relay agent; it will take the DHCP packets and distribute them to the proper zone by using the IP address to distinguish them, because we will put that IP here as the gateway. So keep that in mind. So let's do it; we'll follow the same topology on which we configured DHCP, but this time we will remove the DHCP server. DHCP is enabled on port three and port one. This time I want my DHCP server to be Windows Server; it can be Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows Server 2016 or Windows Server 2019, which is the latest one, and it can be Linux and it can be a router, it can be a layer three switch and it can be anything. But most of the time you will find it as a Windows server. So before configuring this one, let me remove the DHCP which we configured in the last lecture. Login admin, 123, okay? On two interfaces we enabled DHCP; we will keep the rest of every detail the same. So let me go to DMZ and remove the DHCP, okay? And let me go to LAN and uncheck this one. That's it. Now I don't have any IP on the client side if I go to XP, okay? Go to CMD, where everything was working before, and if I say ipconfig /release and then ipconfig /renew, nothing will be assigned, only an APIPA address.

This is what we expect, because there is no DHCP to give the IP. After a while it will show an APIPA IP, 169.254.x.x; this is the APIPA range. So let's wait for a while and let me close this one, okay? And if I go here as well, while it takes time, we can check from here as well, the interface; the IP is still 0.0.0.0, it means it is releasing; it will show APIPA after a while. Anyway, when it shows, nothing will be assigned, and also if you check the other host, there will be no IP. Suppose this one as well: if I go there and do the same thing which I did before with DHCP, it's showing me DORA. Yeah, if I do it again, it will not show DORA, just discover, discover, discover. It says nobody is there to give me an IP; it's discovering, but nobody is there, so rather than the DORA process it's working differently: it cannot find any DHCP server, and definitely there is no DHCP server. Let's configure the DHCP server inside, in the inside subnet. We have a DHCP server. Let me click on DHCP server. Okay. And what is the password for this one? I think test123, because it's been ages, I never use them, but it's okay. test123, by default. Okay, so now I'm here on the DHCP server. First of all, I need to assign an IP.

So what I need to do: I need to go to Control Panel, this is the DHCP server, okay? Network and Sharing Center, and then go to Change adapter settings, this interface, the first one. It already has some IP; anyway, we will assign our own IP, so let me assign 192.168.1.10, suppose, because we are using this as our inside server and I always give it a static IP, okay? So the IP is .10 and the gateway will be the firewall IP, .100, and DNS will be 8.8.8.8 and also its own DNS if needed; either leave it at 8.8.8.8, it is enough, or the other one, 1.1.1.1. Why a static IP? Because I own the DHCP server, you know, I own this server. And DHCP was enabled before, that's why it already took an IP; so don't worry if you are wondering where it got that IP from: I just removed the DHCP, but I had enabled it on this server before, so don't mind if you are thinking where the IP came from. I don't need IPv6, so I disable IPv6 and then assign the static IP to this server, the .10 IP. That's the first step. So let me write it down: this is my DHCP server IP. Why? Because later on we will type this IP here, okay, in the lab again. It's this IP.

I assigned the IP to this DHCP server. Now, the second thing: it's better to check communication with the firewall IP, 192.168.1.100. Can I ping? Yes, I can ping. So it's okay, communication is okay. Now click on Server Manager. What I need to do is add the server role. Which role do I need? Click on Add Roles, click Next; I need DHCP. There are so many things: Active Directory, Fax Server, DNS, File Server, Hyper-V, Web Server; anyway, right now I just need DHCP Server. So I tick the DHCP Server role, Next. Next is my default IP, the one I just assigned, and the domain should be, let me type test.local, suppose; DNS is the alternate DNS which we just assigned; WINS server I don't need, okay. I don't need to create a scope here; I will create it later on. Click Next. Do you want to enable DHCP for IPv6? I don't need it. And install. The way to configure is almost similar in 2019 as well, and also 2016; just the path is different, but the installation in every version is almost similar. So don't worry that I am doing it in 2008; you can do it in 2012, 2016 and 2019 as well. So I install; the feature is installed, and close. Now my DHCP server is installed. Go to Start, Administrative Tools, and here is DHCP.

Click on DHCP. So this is my DHCP. Click on IPv4; I don't need IPv6. They say create a scope. A scope is nothing but the range you need to assign. So right-click on IPv4 and here is New Scope. Click Next. DMZ scope: this range will be assigned to the DMZ side. What will be the start IP? Now this is the question; you have to be careful which range I assign to the DMZ. So what is the start IP? 192.168.2.200, suppose, and what will be the end IP? 192.168.2.250, suppose. Keep in mind I'm creating this scope for the DMZ. Next. Now it says, do you want to exclude any IP? Suppose you don't want to give some addresses to anyone. I say no, I don't want to exclude any IP. If you want, you can. Next, they say, for how long do you want to lease this IP? Eight days. If you want to minimize it, you can. Do you want to configure options now? I say yes. This scope, that's another thing to remember; keep in mind some students ask me how the server recognizes that it should give this range to this side, another range to that side, a third range to another zone and a fourth range to yet another zone. I'm repeating, it is due to this IP; this is very important: you have to type 192.168.2.200. What is .200? .200 is the DMZ interface IP, the DMZ gateway interface IP. This will be the recognition, so keep this in mind, and Add. Now Next: which DNS? Definitely 8.8.8.8; one is enough for me. Any WINS server? I don't want to assign any WINS server.

Do you want to activate this scope? Yes, I want to activate, and Finish. This scope is ready for the DMZ side, this one. But I want to configure one for my own inside as well. So create a new scope; let me quickly create a new scope. Right-click on IPv4, click New Scope, Next, and this time I say LAN scope. What is the description, if you want. Start IP 192.168.1.240, suppose, whatever; then this is the subnet mask, in the two formats, CIDR notation and the proper dotted notation. I don't want to exclude anything; the lease time duration; I want to activate it; and this is the gateway, the important point: this time I will say .100, which is my inside firewall interface IP, port number two, I believe. And Next, DNS the same. I don't need a WINS server; activate, Next and Finish. Two scopes have been created, one and two. Right now my target is the other side, the DMZ. Is there any leased IP? Not yet; there will be no IP. Should I try from here? There is a DHCP server now; do you think it will get an IP? No; it says discover, discover, discover, it is sending. Do you think if I capture packets here there will be DHCP packets? The packet is reaching here, the discover is reaching here, but the firewall will destroy it: look, you are sending a broadcast packet, and I cannot pass a broadcast packet to anyone else. That's why it is still not reachable. And look at so many discovers, and it is still sending discovers if I do it again; packet number 3659, let me do it again, look, discover, discover from my side, and 12344, discover, but nothing is there even though DHCP is configured. Now let me capture on the other side and show you.

I am now on port number two. There will be no DHCP packet, that's for sure, because that packet is not reaching this side; it's been destroyed by this firewall because it is a layer three device. Now I want to make this firewall a relay agent; then it will work. So on this side there is nothing, no DHCP. Nothing is here on this side. So the packet is here, let me send it; maybe you say this time no packet is being sent; nothing is coming here on this side, but on this side, look, I'm here, it will increase if I do it again. Okay, still running. Now it's clear to you that the packet is not reaching here for some reason, and the reason is nothing but the broadcast packet. So how can I configure it? I will go to the DMZ port where it's hitting. Where is it hitting? Port number three. I will go to port number three, which is DMZ. Click on DHCP server and click on Advanced. This time I will say no, your mode is not server; you are playing the role of agent. Click Relay. And who is the DHCP server IP? That's why I wrote it down here. This is the IP. So I will type 192.168.1.10, the DHCP server, so the firewall can reach it. That's it.

And now it has become a DHCP relay. That's the only thing you need. Now you will see, if I capture on this side, you will see packets, but not in broadcast. The packet was broadcast; now it will be unicast. So let's do it again. DHCP: is it broadcast? No. And it got the IP, with .200 as the gateway. Everything is okay; the internet will work, everything will work, yahoo.com opens. The rest of everything is the same. But these are unicast packets on this side, and on this side it sent the first packet in broadcast, but when it's receiving, it's receiving as unicast. The discover was in broadcast; it sent the packet, it hit this firewall. Which firewall? This one. So when it received it, it said okay, I am an agent, I will pass your message to this guy but I will convert the message. A normal agent does the same thing. They will say okay, I will buy this house for you, suppose for £2000, and when they're passing this message to the seller they will say no, I am selling this one for you for maybe £15,000. And this is what they do here: they receive the packet as a broadcast, make it unicast and send it to the DHCP server, and then make the reply unicast and give it to that guy. That's the job of the agent.

And now if I go back to the XP, it gets .240 automatically this time, okay. And everything will be working. And if you check the internet, definitely, because we allowed everything, all the stuff will work. And again you can verify from the server; not from the DHCP monitor on the firewall this time, because the DHCP server is now the Windows server. Okay. Now let's see this side: on their side no issue, but the gateway is this one. So you can configure LAN as the agent as well if you want; otherwise it is directly connected. But anyhow, let's do it quickly, no need, but just in case for some reason. So what I need to do: change the role to relay, and 192.168.1.10 is our DHCP server IP. That's it. And if I go back here and click on this one, it will also get an IP, but from range one, the IP from DHCP, so it will go through the DORA process, okay. And definitely it will get it from range one and also it will be able to reach yahoo, gmail, facebook and whatever, because everything is ready for them. And the same thing can be done for so many zones; again no issue, the only thing is you need to go here now. Okay? Let me show you the IPs. It will release, okay? It has to show me here; I need to refresh, okay? Just give me one minute, for some reason it's stuck, so here it will show you. Release IP. Okay, just give me a minute. For some reason it's stuck, so okay, still stuck. So let's wait, because we need to verify from here, and also the IPs which are reserved there; you can reserve here as well. Yeah, it's okay now. So these are the reservations if you want to reserve. And these are the extra scope options if you want to configure them to give to the client. And you can assign filters to allow and deny, the same thing which was here. Okay? Now leases: these are the two IPs.

It's giving IPs to two clients, and also for scope one, the LAN scope, I believe one IP has been given. So let me give one to this client as well, so it will become two. Okay? This PC has got some issue; I need to stop and start it. So stop and start. And if I come back again here and now the IP address is from DHCP, it will get it through the DORA process. And if I come back and refresh, it will show two IPs now. Okay, it's stuck again anyway for some reason. So that's the way to verify, and you can filter, you can reserve and you can assign so many things. Normally in many organizations you will see this type of thing, but the only change is this one: you remember the second class, which we did? That is a trunk and there are so many VLANs configured inside; I showed you that one. So take that topology as an example: every VLAN has a different IP, remember? So DHCP will recognize by this interface IP. I'm repeating again, so many students are asking how it knows to give range two to this range and range one to this one. How does it know? It just knows by this port's default IP.

So if you configure this as a trunk, which we've done in the second or third class, I can't remember, and we created so many inside VLANs, every VLAN will get a different range, and every VLAN has a default gateway, so that gateway will be set here, and then you can create so many scopes here. I created only two scopes, but you can create as many as you want. Okay, so this is DHCP relay, which we have done. Let me go quickly in case I missed something. This is the thing: the firewall policies which we did in the last lecture, and just the verification we can see from here, and also definitely you will see the traffic from here. So no need to verify, because we are not going to verify; I just need to see whether it is working or not. So if I go to FortiView, All Sessions, the users which visited are showing here with all the details. And also you can verify from Dashboard, Top Usage, LAN and DMZ. So we have both LAN as well as DMZ. Okay. And also you can see from Log & Report, Forward Traffic. So these are the forward traffic logs. And also you can see so many things from verification. That's it.
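As an added example (not code from the lecture or from Fortinet), here is the DORA exchange through a relay agent in Python: the client's broadcast DISCOVER, the relay stamping its own interface IP into giaddr and unicasting the packet to UDP 67 on the server, and the server choosing the scope by that gateway IP, which is exactly the point the lab repeats about how one DHCP server tells the zones apart. All MAC addresses, IPs, pools, the TFTP option value and the lease values are constructed assumptions that only mirror the lab topology.

```python
import ipaddress
import socket
import struct

# RFC 2132 option codes the lecture mentions: subnet mask, gateway, DNS, lease time, TFTP (66)
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_LEASE = 1, 3, 6, 51
OPT_MSGTYPE, OPT_SERVER_ID, OPT_TFTP, OPT_END = 53, 54, 66, 255
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
BOOTREQUEST, BOOTREPLY, SERVER_PORT = 1, 2, 67
BROADCAST_FLAG = 0x8000             # client asks for the reply to be broadcast (it has no IP yet)
MAGIC = b"\x63\x82\x53\x63"         # magic cookie that follows the 236-byte BOOTP header
HDR = "!BBBBIHH4s4s4s4s16s64s128s"  # op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
ip4 = socket.inet_aton

def build(op, xid, chaddr, options, yiaddr="0.0.0.0", giaddr="0.0.0.0", flags=0, hops=0):
    """Encode a DHCP message: fixed header, magic cookie, then (code, length, value) options."""
    hdr = struct.pack(HDR, op, 1, 6, hops, xid, 0, flags, ip4("0.0.0.0"), ip4(yiaddr),
                      ip4("0.0.0.0"), ip4(giaddr), chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + b"".join(bytes([c, len(v)]) + v for c, v in options) + bytes([OPT_END])

def parse(pkt):
    """Decode the fields a server or relay looks at; options come back as {code: raw bytes}."""
    f = struct.unpack(HDR, pkt[:236])
    assert pkt[236:240] == MAGIC, "not a DHCP packet"
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        code, ln = pkt[i], pkt[i + 1]
        opts[code], i = pkt[i + 2:i + 2 + ln], i + 2 + ln
    return {"hops": f[3], "xid": f[4], "flags": f[6], "yiaddr": socket.inet_ntoa(f[8]),
            "giaddr": socket.inet_ntoa(f[10]), "chaddr": bytes(f[11][:f[2]]), "options": opts}

def relay_to_server(pkt, relay_if_ip, server_ip):
    """Relay-agent job: the host's broadcast stops at the layer-3 interface, so the relay writes
    its own interface IP into giaddr, bumps hops and unicasts the packet to the DHCP server."""
    b = bytearray(pkt)
    if b[24:28] == b"\0" * 4:          # only the first relay fills giaddr (RFC 1542)
        b[24:28] = ip4(relay_if_ip)
    b[3] += 1
    return (server_ip, SERVER_PORT), bytes(b)

class DhcpServer:
    """One scope per gateway IP, chosen by giaddr: that is how the server tells the zones apart."""
    def __init__(self, server_ip, scopes):
        self.ip, self.scopes, self.leases = server_ip, scopes, {}   # leases: mac -> ip

    def allocate(self, scope, mac):
        if mac in self.leases:                                      # same MAC gets its IP back
            return self.leases[mac]
        first, last = (ipaddress.ip_address(x) for x in scope["pool"])
        taken = set(self.leases.values())
        ip = next((str(first + k) for k in range(int(last) - int(first) + 1)
                   if str(first + k) not in taken), None)
        if ip:
            self.leases[mac] = ip
        return ip

    def handle(self, pkt):
        """DISCOVER -> OFFER, REQUEST -> ACK; None when no scope matches giaddr or the pool is empty."""
        m = parse(pkt)
        scope, mtype = self.scopes.get(m["giaddr"]), m["options"].get(OPT_MSGTYPE, b"")
        if scope is None or mtype not in (bytes([DISCOVER]), bytes([REQUEST])):
            return None
        ip = self.allocate(scope, m["chaddr"])
        if ip is None:
            return None
        opts = [(OPT_MSGTYPE, bytes([OFFER if mtype == bytes([DISCOVER]) else ACK])),
                (OPT_SERVER_ID, ip4(self.ip)), (OPT_SUBNET, ip4(scope["netmask"])),
                (OPT_ROUTER, ip4(scope["router"])), (OPT_DNS, ip4(scope["dns"])),
                (OPT_LEASE, struct.pack("!I", scope["lease"]))]
        if "tftp" in scope:                # option 66, the IP-phone example from the lecture
            opts.append((OPT_TFTP, scope["tftp"].encode()))
        return build(BOOTREPLY, m["xid"], m["chaddr"], opts, yiaddr=ip, giaddr=m["giaddr"],
                     flags=m["flags"], hops=m["hops"])

# Constructed scopes mirroring the lab: server 192.168.1.10 on the LAN (gateway 192.168.1.100),
# DMZ hosts behind port3 (gateway 192.168.2.200). Every address and value here is an assumption.
LAB_SCOPES = {
    "192.168.1.100": {"pool": ("192.168.1.240", "192.168.1.250"), "router": "192.168.1.100",
                      "netmask": "255.255.255.0", "dns": "8.8.8.8", "lease": 8 * 86400},
    "192.168.2.200": {"pool": ("192.168.2.201", "192.168.2.250"), "router": "192.168.2.200",
                      "netmask": "255.255.255.0", "dns": "8.8.8.8", "lease": 8 * 86400,
                      "tftp": "192.168.1.50"}}

def dora_via_relay(mac, relay_if_ip, server):
    """Full DORA for one host behind a relay: returns (leased ip, ACK options) or (None, None)."""
    xid = 0x3903F326
    disc = build(BOOTREQUEST, xid, mac, [(OPT_MSGTYPE, bytes([DISCOVER]))], flags=BROADCAST_FLAG)
    offer = server.handle(relay_to_server(disc, relay_if_ip, server.ip)[1])
    if offer is None:                      # no scope for this gateway: the host keeps discovering
        return None, None
    req = build(BOOTREQUEST, xid, mac, [(OPT_MSGTYPE, bytes([REQUEST])),
                                        (OPT_SERVER_ID, ip4(server.ip))], flags=BROADCAST_FLAG)
    ack = server.handle(relay_to_server(req, relay_if_ip, server.ip)[1])
    return parse(offer)["yiaddr"], parse(ack)["options"]
```

A host behind a gateway the server has no scope for never gets an OFFER, which is the endless discover, discover, discover seen in the lab before the relay was configured.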
