NSE4_FGT-6.4 Fortinet NSE 4 – FortiOS 6.4 – FortiGate Firewall V6.4 Part 11

January 25, 2023

49. Lecture-49: Policy, Source, Interface Overload NAT Lab.

So first we will do policy, source, interface overload NAT. That means we will do source NAT inside the firewall policy, and we will use the interface overload method. This is the first one, and FortiGate gives it a name you would not expect: static NAT. It is an awkward name. In Cisco and other firewalls, when we translate one IP to another IP, that is what we call static NAT. Unfortunately the FortiGate firewall calls this method static NAT, while in other terminology we call it overload or PAT. So static NAT here is really source NAT using the interface IP. It is source NAT, but FortiGate gives this method the name static NAT. Let me show you this method; you have already studied NAT on the other firewalls.

Suppose these are my inside PCs. They will all be translated to this one IP. Suppose I have 100 inside hosts and one public IP on my exit interface: all of them will be translated to that one IP. In Cisco ASA we call this PAT, port address translation, because we are using only one IP and changing the port, and Palo Alto firewalls have the same concept. Here I will also call it overload, the other terminology, so that you are not confused. But for interview purposes they will ask you what static NAT is on a FortiGate firewall. So do not confuse the static NAT of Cisco ASA and Palo Alto with the static NAT here: FortiGate calls PAT static NAT, unfortunately. Anyway, it is not a big issue. So these users will be translated to one IP, the IP address of the exit interface, which is a public IP. All the users are translated the same way as in your home network. Let me show you my own case.

Now I have 18 systems connected inside. All 18 are translated to one IP, the public IP I showed you earlier from the IP-check website. So FortiGate calls this overload NAT, or static NAT, unfortunately; I will keep saying static so that you are not confused. They call it interface overload, meaning we are using only one IP, and that is what we use at every home. This is your mobile phone, this is another mobile phone, this is your wife's mobile phone, this is your kid's iPad. All of them go out to the internet, so they are all translated to one IP, the IP on our modem that is connected to the ISP. So we are doing the normal NAT, but we are translating the source: 192.168.x.1 is changed to the public IP, .2 is changed to the same public IP, .3 is changed, .4 is changed. The source is changing, so that is why it is source NAT. So first we will do all the labs related to source NAT, then we will do all the labs for destination NAT, using the same topology. For destination NAT we will use this method to come in from outside to access this server. Right now all the systems are going outside to the internet, so this is called source NAT. But source NAT can be configured in many different ways. The first one is to translate all the inside PCs to one IP; this method we call overload. And we will use the policy for it.

Sorry, this NAT is inside the policy, so we call it policy source NAT. "Policy, source, interface" means we apply this NAT inside the firewall policy, not in central NAT, because there are two ways. Remember this again: where is the basic one? We discussed NAT; now we are doing source NAT, and in source NAT we are using firewall policy NAT. In firewall policy NAT we are doing the first one, static NAT, which we also call overload NAT. Then we will jump to the next one. So we are doing source NAT, static NAT, inside the firewall policy. And this is our topology. We will take a few systems and send them to the internet. How will that work? This is our topology for the day, so let's go to the lab to show you. First I need one firewall; let me take this firewall. Now I need two switches; you can take dummy switches either way. Let's take this one.

So this is S1, and here we have S2. Then I need a few clients to connect inside, so I will take webterm as the client: this is client one, client two, client three. And I will take one router, so that later in the course we can make it a server for the NAT labs; so I take one router as a Telnet and SSH server. Let me take one server as well; we can use Toolbox as the server. Okay, let me take this one. These are on the inside. By the way, whether you take ten or twenty is the same thing. So this is PC1, PC2, server 1, and this one will be our Telnet and SSH server. On the outside, let me take one client and one web server; suppose this is a web server on the internet, and this is a client. And let me take the NAT cloud; this is my internet. Okay, let me power this one on first because it will take time.

Then we will configure the rest. Let me label this one "Internet". And now let's bring them here and put them in line as well. Connect this one to the switch, and disable this port because we don't need it. Any port here; we will use port1, because I will use port1 as the management interface as well. So port1 is the internet and the management, and port2 is my inside. Inside I have PC1, PC2, one server, and one router as a server; later we will use them, right now maybe not, but later they will work for us. Let me power on the switches as well; it takes some time. Now I need to configure the IPs. On this side we will use the NAT cloud's range; we have no choice but to use it, because the NAT cloud uses that range.

So what is my range? Let me show you. I know my range, but in your case it will be different, so whenever you are using the NAT cloud you have to come here and find your range. You can go to the interfaces: the NAT cloud is using 192.168.114.0/24, and the gateway is always .2. So let me type .2 here; this is the next hop, the ISP IP. Now let me type 192.168.114.0/24; this is my outside range. The inside range is my own choice, so I will use one range; it's up to you, you can choose any range. Let me duplicate this one. PC2 will be .2, PC1 will be .1, the server will be .3, and let me duplicate again, this one will be .4. On the outside, let me assign .10 to the server and .20 to the client system, and as we know we will assign .100 to both sides of the firewall, as in the last lab.

So this side will be 192.168.114.100, either static or by DHCP; this will be .100 on port2 and .100 on port1. I am also connected through here, so I can access the firewall graphically as well. I am using this interface for management and for the WAN at the same time. So basically this is the WAN and this is the LAN. Now I need to assign these IPs to the Docker containers. Select all three, right click, Edit configuration, and change this to .1; this is PC1. The gateway will be .100, the firewall, and it is a must. You have to type 8.8.8.8 here for DNS because they will go to the internet. From "auto" remove this line, this one, this one, this one and this one. Keep in mind you should start removing from "auto", not from the first line; copy this text so it will be easy for you, save, and the others will open automatically. Server 1 is open: server 1's IP is .3, so Ctrl+A, Ctrl+V, change the IP to .3 and save.

This time PC2 is open, so Ctrl+A, Ctrl+V, change this to .2 and save. So these IPs are done; power them on. Now come to server 2 on the outside; it's enabled, that's okay, we will restart the server. Go to edit configuration, Ctrl+A, Ctrl+V, but change this to 192.168.114.x and the gateway to 192.168.114.2, and keep the DNS. This IP should be .10 because we have to keep the same schema; Ctrl+C, save. Right click on the client, edit configuration, Ctrl+A, Ctrl+V, and just change the last octet to .20. Because it was already running, the change will not apply, so stop it and start it again. These two have to be stopped because a Docker node must be stopped before you can assign the IP; then you can start it. So the IPs have been assigned; this is our IP schema, everything is ready. Now coming to the firewall: DHCP is enabled on this interface, so it will get an IP automatically from the NAT cloud. Right click here, go to console, and let's check the IP address; then we will use that IP in the browser to access the firewall graphically.

Okay, it's come up now. Log in as admin, there is no password, press Enter, and set the password 123. Ctrl+Q to clear the screen, then `show system interface` to see the IP it got. Go to the browser: because this NAT cloud is on my system's interface, it means I can access the firewall through the NAT cloud. So the WAN and the management are the same; don't be confused by this. Otherwise you can attach another cloud and use that for management, but it's better to use it like this. Let me type the IP and press Enter to access the firewall. Now if I try from this Docker container, it will not reach the internet, because there is no route and nothing is configured yet.

Okay, so let's go here: admin, and the password is 123. It will ask to change the hostname, so we will change the hostname. It will come up after a while, so let's change it now, otherwise it will ask again and again. So we will start from scratch, and we know the routine. What we have to do: configure the basics, interfaces, DNS, route; then we go to the policy, and then we configure NAT, which is our topic today. You should always start this way. Now go to Network, Interfaces. We are using only two interfaces, port1 outside and port2 inside, so it's better to give them proper names. Click on interfaces, click port1, which is our management as well, by the way. Let me disable my antivirus, it takes time for some reason. So I will type WAN here; this is my WAN, and it is getting its IP from DHCP.

If you want to make it manual, it's better to set it to manual. We decided on .100, so let's give it 100. It will warn you that you will be disconnected; I know. Now I need to type .100 in the browser to access it, and I log in again with 123. So the outside interface IP is done, 192.168.114.100, and we also assigned the name WAN. Now coming to port2: we decided this will be the LAN, so name it LAN, static IP 192.168.1.100/24, and enable ping so that we can ping the IP. This one is done. The second thing we need is DNS: click on DNS, use 8.8.8.8 and 1.1.1.1, and apply. After a while it will show 8.8.8.8 and 1.1.1.1 as reachable here. Still not reachable, but it's okay, after a while. The third thing we need is a static route. Click on Static Routes, Create New, destination any, gateway 192.168.114.2 (as I told you, I found it from the NAT cloud), interface WAN, administrative distance as it is; click OK. Now let's check whether DNS is reachable: for some reason it is still saying no, let me refresh again; it's slow, but anyway it will work. So the interfaces are done, DNS is done, the route is done. Now we need a policy.

That's what we normally do. Go to Policy & Objects, IPv4 Policy, because by default everything is denied. Create New, and here we will say allow-all, LAN to WAN: incoming interface LAN, outgoing interface WAN, source anything, destination anything, service anything, action accept, and the inspection mode, which we know is flow-based or proxy-based. And this is our topic, NAT inside the policy. If I leave NAT disabled, it will not work; the PCs will not go outside, because inside we are using private addresses and a private range is not routable on the internet. Don't worry that 192.168.114.0 is itself a private range; consider it public here, because when the traffic goes out, the NAT cloud translates it again to our real public IP, so it's double NAT. So consider 192.168.114.x as public and 192.168.1.x as private, which requires NAT. Now the policy is there, the IPs are there, DNS is there, everything is there. Do I need anything else so that PC2 inside can reach the internet? Let me go to Facebook. It's not working, because NAT is required.

And this is my source, going outside. I need source NAT so that somebody translates these source addresses, which are not allowed to go outside, communicates outside on behalf of these IPs, and brings the packets back to them. Who will do this job? The firewall. We call it source NAT because the source will be changed. So go to the policy and enable NAT. Under Firewall / Network Options you have NAT and the IP pool configuration, and they ask which method you want to use: Use Outgoing Interface Address. What is my outgoing interface? 192.168.114.100; that is what they mean. This is our first source NAT topic. Forget about Use Dynamic IP Pool for now; we will do it a bit later. Then you have many other options, but I say use the outgoing interface. Preserve Source Port means keep the source port the same as whatever the user used; if you say no, it may be changed. This is the NAT option. Now click OK. So this is what we call source NAT inside the policy, overloading one IP address.
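The whole procedure above (interfaces, DNS, default route, then the allow-all policy with NAT on the outgoing interface) as a FortiOS CLI equivalent. This is an added example, not part of the lecture, which is done in the GUI; the addresses are the lab's own, the aliases WAN/LAN and the policy name allow-all follow the lecturer's choices, and the policy ID 1 and route ID 1 are assumptions.

```fortios
# Interfaces: port1 faces the NAT cloud (WAN, also used for management in this
# lab), port2 faces the inside switch (LAN). Both get the .100 address.
config system interface
    edit "port1"
        set alias "WAN"
        set mode static
        set ip 192.168.114.100 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port2"
        set alias "LAN"
        set mode static
        set ip 192.168.1.100 255.255.255.0
        set allowaccess ping
    next
end

# DNS servers used by the FortiGate itself (the lecture uses 8.8.8.8 and 1.1.1.1).
config system dns
    set primary 8.8.8.8
    set secondary 1.1.1.1
end

# Default route towards the NAT cloud gateway, which is always .2 in this setup.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.168.114.2
        set device "port1"
    next
end

# LAN -> WAN policy. "set nat enable" without an IP pool is what FortiGate calls
# static SNAT: every inside host is translated to port1's own address
# 192.168.114.100 and only the source port distinguishes the sessions.
config firewall policy
    edit 1
        set name "allow-all"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode flow
        set nat enable
        set fixedport disable
    next
end
```

`set fixedport disable` is the CLI form of leaving Preserve Source Port unchecked, so the FortiGate is free to pick a different source port when the original one is already in use on 192.168.114.100. `set allowaccess ... https ssh` on port1 is only there because the lecturer manages the firewall through the WAN side of the lab; on a real edge interface you would restrict admin access to a dedicated interface or to trusted hosts rather than the whole WAN.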

Now it's configured. If I check Facebook, which was not loading before, and try again, it works now. If I go to another system at the same time, PC1, it also reaches the internet; let me send this one to twitter.com. And from the server, let me ping another website, yahoo.com; it works. So three systems are working at the same time and we have only one IP. I did not even configure the router; if I configure it, it will also go out. So let me stop; we have some traffic now. Three devices are going outside. When the traffic comes into this policy, it is translated to one IP and goes out; when the replies come back, the firewall hands them back to the original hosts. So outside, the real sources are not used; only this one IP is used. So Twitter knows that 192.168.114.100 hit it, and the other guy went to Facebook.

So Facebook says that the same guy hit it. They do not know the actual source. Because we are using NAT, this is called source NAT, and because we are using only one IP, FortiGate's actual name for it is static NAT. How can we verify? Go to FortiView, All Sessions. Here you will see all three IPs translated to one: the source IPs .1, .2, and .3 as well. First they went out for DNS, so they are using UDP, port 53, and the source port is random; I did not say preserve the source port. The destination port is definitely 53 because DNS uses port 53. But our concern is the NAT, which is not shown here; I need to enable the column. Is there a NAT column? Yes, Source NAT; let me enable it so that I can see it. You can enable many columns here, and it's better to remove the others we don't care about; we only care about the NAT. So I don't need Sources. Keep Device, although the device is not recognized anyway. We don't need Application, Bytes, or Packets.

Destination is fine. These are enough; the table will be more compact. Let me remove Duration as well; where is it? This one. Now it's okay. So this is my source IP, PC1, PC2, going out, and here is the translated source NAT address. Look at this one; let me bring it here. My source .1 is translated to 192.168.114.100; .2 is also translated to .100; .3 is also translated. And PC3? I sent traffic from PC3 as well; it is also translated to .100. Who is .100? This exit interface. So this is called source NAT. Basically PAT is happening here, yes, that's what I'm saying. But unfortunately they call it static NAT; they say that one IP is used, so FortiGate calls this technique static NAT. But this is not the static NAT we discussed in Cisco ASA and Palo Alto; there we call this port address translation. And in a Cisco router, when we configure it, we call it overload.

We put the keyword overload in the command, which means use this IP again and again and just change the port number. So here the source port is 43544 and the source NAT port is also the same. Anyway, they are using only one IP. So this method we call inside-the-policy overload NAT using one IP, and this is the first source NAT method we discussed. But how many sessions can this support? Because we are using only one public IP, it can support at most as many port numbers as one IP has, 60416 (let me copy the number from here, because I can't remember it). So this one IP can support that many ports; that's the only issue. If I have many users doing many communications at once, a time will come when these ports are exhausted. That is the disadvantage: one IP can only support 60416 port numbers. In other words, only that many sessions can be created from one IP.

Let me filter here by source IP to see how many sessions each source IP created. Look: I visited Twitter once, and it opened many ports, 1, 2, 3, 4, 5, 6, 7, 8, 9. So if one user goes to many places, and other users do the same, and we have many users, a time will come when these ports are exhausted. Then you have to clear the sessions: right click and clear all sessions, and it starts again from the beginning. Otherwise they stay exhausted. So we have another method, but anyway, this was the first method. We call it overload source NAT because we change the source IP. The IP is changed at the source: from here they are going to Google, but Google doesn't know that 192.168.1.x is hitting it; it sees 192.168.114.100 hitting it.

You can capture the packets as well and I can show you from there too. Everything was translated to one IP, so the source is changed to the source NAT address and the source port is changed to the source NAT port. And because you are using only one IP, we call it overload. So all together this is overload source NAT, and the last thing is that it used the outgoing interface IP. The disadvantage is that only 60416 ports are available. This is called overload source NAT, and this is done.

50. Lecture-50: Policy, Source, Overload NAT Lab.

If we have many users inside creating many sessions all the time, do you think this method is enough? No, because the 60416 ports will be exhausted. So we have another method for source NAT inside the policy, which we call dynamic source NAT. Where is it? Let me go to the policy, because we are still talking about NAT inside the policy, and this is my policy; NAT is enabled. Here is Use Dynamic IP Pool, but there is nothing listed; a plus icon asks me to create a pool. So I can create a new dynamic IP pool from here, or I can do it from Policy & Objects, IP Pools. Either way. It means that for dynamic NAT I first have to create my pool. There is no pool yet. When I say Create New, there are many other options now. Let me give it the name Overload, with any comment.

Now, dynamic NAT, which I told you about: using the exit interface IP is what FortiGate unfortunately calls static NAT, but here is the actual overload. In dynamic NAT we have four different methods. First we will do the first method, which they call overload. Yes, in a dynamic IP pool we have four methods, and the first one is overload. So now we are in source NAT, inside the policy, doing dynamic NAT with the first method, overload. What is overload? The more public IPs you have, the more ports you get: 60416 per IP. So if I say my external pool is 192.168.114.101 to 192.168.114.110, how many IPs is that? Ten. So I have ten times 60416 ports. Instead of one IP giving me only 60416, a pool of IPs multiplies that by the number of IPs. So this type of dynamic NAT we call source NAT dynamic overload, and we will configure it.

So I gave the pool the name Overload, the same as the method, so that we understand it is overload. My range is public IPs from the exit interface range; suppose I buy more public IPs for this purpose. ARP reply means whether to answer ARP requests for these addresses; enable it, and done. My pool is created. But it will not work like this; you have to go back to the allow-all policy we created for this purpose, and instead of Use Outgoing Interface Address choose Use Dynamic IP Pool, click the plus icon, and it will show you Overload; choose it. This pool is nothing but the public range from .101 to .110. Now we have many more port numbers and we can create many more sessions compared to the one interface IP. Consider it ten interfaces; before it was one interface IP, now I have ten, so ten times 60416. Let me multiply it, rather than saying it again and again: 60416 times ten. Now I have that much, which is more than before. That is the only difference between this method and the previous one. Keep in mind you will not feel the difference, because I don't have that many systems to generate the traffic. Done. Everything works again; if I go to PC1 it works the same way as before.
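The overload IP pool and the change to the policy, as an added CLI example rather than the lecture's GUI steps. The pool name Overload and the range .101 to .110 are the lecturer's values; policy ID 1 is an assumption matching the allow-all policy.

```fortios
# Overload pool: ten public addresses, each with its own port space, handed out
# to inside hosts on a first-come, first-served basis.
config firewall ippool
    edit "Overload"
        set type overload
        set startip 192.168.114.101
        set endip 192.168.114.110
        set arp-reply enable
    next
end

# Switch the allow-all policy from "use outgoing interface address" to the pool.
config firewall policy
    edit 1
        set nat enable
        set ippool enable
        set poolname "Overload"
    next
end

# Check the pool object and the policy's NAT settings.
show firewall ippool Overload
show firewall policy 1
```

`set arp-reply enable` is the CLI form of the ARP Reply switch in the GUI: since .101 to .110 are not configured on any interface, the FortiGate must answer ARP for them on port1, otherwise the NAT cloud gateway cannot return the reply packets. `set type overload` is the first of the four pool types the lecturer mentions; the others are separate pool types and are not configured here.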

But now the IPs will be assigned differently, on a first-come, first-served basis. So I went to Twitter from this one; go to PC2 and visit Facebook, and visit some other place, maybe Amazon. It will work. Go to server 3 and ping yahoo.com; everything will work the same way.

But before it showed me only one IP; now it will be from the range of ten. How can we verify? Go to FortiView, All Sessions. This time you will see a difference: the translated IP changes. Look: .2 has been assigned .102, .3 has been assigned .103, and the third system, .1, has been assigned .101; that is just how it came out. It is first come, first served, so it can be any IP from those ten. Let me do the other one as well. Let me quickly configure R1: configure interface e0/0 with IP address 192.168.1.4, a default route to 192.168.1.100, the firewall IP, and do write. If I ping 8.8.8.8 it pings, and if I refresh it will be here as well: .4 has been assigned .104. It's better to filter by source IP: the source is .4, and .4 has been assigned .104. Let me repeat this ping 100 times, and I have enabled it on the server as well, so the server is also going out. Let me refresh this one and this one. Anyhow, let me look at .3: .3 has been assigned .103. And if I filter .1, .1 has been assigned 192.168.114.101. My main purpose is to show you the difference between the last method and this one. Again, both are source NAT.

The source is changed in both cases, but last time only one IP was used for translation, and now a pool of IPs is used. Ctrl+C, I don't need this. We can see here the source NAT address, and again the destination they are going to. The source port is 51116 and the source NAT port is also 51116; they keep the same port number. If you don't want that, you can turn off preserve source port there; let me check that I didn't miss anything. We don't need destination NAT here for the verification; normally I just want to see source NAT. We can verify from All Sessions, and we can verify from the command line as well. So log in to the FortiGate as admin with 123, in case you don't want to do it graphically. The command is `get system session list`. We have many packets, so this is the one to use. It shows the protocol, UDP, the expiry, and this is the source IP: 192.168.1.2, my inside address, with the source port. And this is the source NAT: 192.168.1.1 is translated to 192.168.114.101. What about .3? And where is .2? I need to look for it; we have three or four systems, so 192.168.1.2 should be at the end somewhere.

Okay, that one has expired, so I need to regenerate some traffic from R1. It will come up now. Let me go back to the FortiGate, Ctrl+C, clear, and you will see .4: 192.168.1.4 is translated to 192.168.114.104 and it's going to 8.8.8.8. The destination is written here as well, and next to source NAT there is destination NAT; destination NAT is empty because we haven't done destination NAT yet, we are doing source NAT. So you can verify from this command as well, `get system session list`, or the best way is to verify from FortiView All Sessions. Are there other places to verify? If you go to Log & Report, Forward Traffic, you will see the logs too; but that one is good for destination NAT, there is no source NAT detail there, so we will come back to it when we do destination NAT. These two places are good to verify. Okay, this was the second method.
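The CLI verification of the translation described above, as an added example; the lecturer shows FortiView and `get system session list`, the filter and clear commands are the CLI counterparts of the FortiView filter and "clear all sessions" steps, and the sample output lines are constructed to match the lab's addresses, not captured from the lecture.

```fortios
# 1. Whole session table. Column order as printed by FortiOS:
#    PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT
#    Constructed sample of what the overload pool lab produces:
#    udp   174   192.168.1.2:51116  192.168.114.102:51116  8.8.8.8:53    -
#    tcp   3599  192.168.1.1:49152  192.168.114.101:49152  104.244.42.1:443  -
#    DESTINATION-NAT stays "-" because no destination NAT is configured yet.
get system session list

# 2. Narrow the view to one inside host (R1 at .4) instead of scrolling, then
#    print the matching sessions in full, NAT fields included.
diagnose sys session filter clear
diagnose sys session filter src 192.168.1.4
diagnose sys session list

# 3. Counters for the session table as a whole; useful when checking whether
#    the single-IP (static SNAT) port space is filling up.
diagnose sys session stat

# 4. The lecturer's "clear all sessions" from the CLI. With the filter from
#    step 2 still set, only sessions from 192.168.1.4 are dropped; run
#    "diagnose sys session filter clear" first to clear the whole table, which
#    interrupts every user's connections.
diagnose sys session clear
diagnose sys session filter clear
```

In the static SNAT lab every SOURCE-NAT entry carries 192.168.114.100 and only the port after the colon differs; in the overload pool lab the address part spreads over .101 to .110, which is the difference the lecturer is pointing at. Because the session table is the only place where the real inside address and the translated address appear side by side, this is also the view to keep when correlating an external abuse report against one public IP back to the internal host that generated it.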
