NSE4_FGT-6.4 Fortinet NSE 4 – FortiOS 6.4 – FortiGate Firewall V6.4 Part 15

January 25, 2023

57. Lecture-57: Address Objects in FortiGate Firewall.

Address objects. What is an address object? Every time we are creating any policy, okay, any policy we are creating, you have to be more specific. Suppose somebody is going from LAN to WAN; for source we always use all. What is all? All is nothing but anything: any interface and any IP, which is not a good practice. You will allow everyone. You have to be more specific when creating a policy and allow a specific subnet, a specific IP, for more control, more refined policies, so that you can allow the specific thing which we want, for more control. But here, all the time I use all, and all is nothing.

But there is 0.0.0.0/0. And this is showing me addresses; in the same case, destination addresses. And this is what I want to show you: address objects, so I can create my own addresses, which I can reutilize again and again. It can be a single IP, it can be a range of IPs, it can be a subnet, and it can be a fully qualified domain name. So whenever I need it, I will reutilize this object. That's why it's called an Address Object. In programming we also have objects to call them again and again, just like a container which, whenever we need, we can reutilize every time, rather than typing the IP address, range of IPs, subnet and fully qualified domain name again and again.

Why not create them once and call them again whenever we need? Like all; and these are some defaults. From here it's coming; only nine addresses are showing me, and some groups. Basically it's here: if we go to Policy & Objects, here is Addresses. It's coming from here. So these are the addresses. All, which we use here, has been used four times, as the references show here. But here it was showing me nine, and it's showing here eleven. Why? Because some of them are hidden. I say, don't show me the hidden ones. So when you choose hidden, it will not be showing in the policy.

Let me open this policy in a new window to show you. So when we are creating a policy, some objects will not be showing here if I say source. Like, let me create here; suppose I want to create an address group, but before that, let me explain this one to you. So these are the names of the addresses. This is the type, which I showed you. There are many types: single IP, range, subnet and fully qualified domain name. These are the types.

These are the details which you put inside, and for which interface visibility to show; here, whether to show or not, and how many times it has been used. You can view them another way, too. And these are the default ones; we cannot delete them, but you can clone the same policy to create the same policy like this one. Suppose clone, and clone for all; give it any name, suppose "clone for all end". So this is my new one, which I created with the same clone. This one I can delete, because I created it; the default one I cannot delete. And such few have so many, and you can create your own: click Create New, Addresses, and give it a name. Suppose my LAN subnet. What subnet am I using? My LAN, 192.168, is my LAN subnet. So whenever I need the LAN subnet, I will use LAN subnet here. You can give them a color which will be shown here. These are colors; they all have a black color. So let me change the color, suppose to orange. So I said subnet. These are the types which it supports: subnet, IP range, fully qualified domain name, geography, dynamic and device. I will show you all. So I say subnet, and this is my subnet. For which interface? Normally I will say from LAN, but anyway you can say any; you can use them anywhere. Show in address list, that's the question, and static route configuration: if you want to put them in static route configuration, the same subnet, I will show that one as well. And comments. Suppose I say this is my LAN subnet.

Just a comment, anything, and OK. So my LAN segment object is created. If I go here, and now this time refresh, and source, you will see that one. Okay, I need to refresh to show LAN segment. If I say source now, okay, I need to give it LAN to WAN, and now source. So LAN segment is here, because I said show only for LAN; so that's why. So it's LAN segment. Okay, and here is my LAN segment, 192.168.1.0. Whenever I need my LAN segment I can call this object anywhere. That's the beauty of addresses. And it's the color, so now the color is clear to you. And LAN segment is showing me here. If I say LAN segment and I say show in address list, no, don't show this one in the address list. So if I refresh this one, it will not be showing here. Now if I choose anything from LAN to LAN, and if I say source, it's not showing here. Why? Because I said hidden; visibility is hidden.

We are in the policy, and everywhere, in the address list. Now if I say okay, and if I say refresh, so I need to refresh here as well, now it will be showing here again. Give it any name, and from LAN to LAN, if I say source it will be visible. Now it's visible, and you can edit on this pencil as well; it will go there, the same way where we created them. And you can edit here as well; it will go to the same place which we just created, both ways. So now let's go back here. So this is my LAN subnet, and let me create, sorry, not edit, let me create a new address, this time a single IP. Suppose my inside IP, which is my PC IP, PC1 IP. Give it any color you want; subnet, but there is no single IP type; this subnet type can be used for both things. Type here 192.168.1.4/32. I'm using this for R1, suppose. So let me make it R1, suppose, and it will be from any interface, suppose, and show here; I told you about this one. Okay, now if I refresh here, I need to refresh, will it show or not? So I need to refresh in all ways. And if I click here, you will see the single IP as well. This is R1.

One single IP. But this time it is showing me, and LAN is not showing. LAN will be shown because I told it to show only for the LAN port, when somebody chooses the LAN port. So if I say outgoing interface WAN and source LAN, then the other one, LAN, will be visible. But if I remove this one, it will not be showing. Now R1 is showing because I said any interface. Okay, so these two things are clear: subnet can be used for a single IP and it can be used for the whole subnet. Let me create a new thing. So subnet; you can give a range as well. Suppose you say 192.168.1.1 to 192.168.1.254, the whole range I think. So I give them. And if I say range, and in interface, I'll show you what the difference is between that, and okay. So this is the range one, and let me create a new thing. Another thing is fully qualified domain name. Suppose I want to create one for Facebook; fully qualified domain, write down here facebook.com, for any interface, and okay. So your fully qualified domain name is also unresolved, but it will resolve after a while if you want.

So a fully qualified domain name address is created, which you can call here as well. Again, if you refresh, in your source or destination, is that Facebook there? So you can call them as well. Where is the Facebook? It should be this one; it's the one which I created now. It resolved to the IP address automatically, a subnet. Now there is geography, which means the countries. These are the countries. Suppose I say Pakistan; just type the country and create Pakistan or whatever, and okay. And the same thing when you refresh: so country-wise, if you want to allow the policy to create anything, it will be available here. There is Pakistan now as an address object. And the other thing which we have is dynamic. Dynamic, when we do Security Fabric later on, can also be single sign-on, like Active Directory. So it will be used to show you those details. Right now we haven't done all these, so forget about this one. We can call Active Directory users, everything, here as well. We haven't configured it yet; so that's why it's not showing. And the other thing is device MAC address. You know, when we create one policy as a MAC address, suppose you want to allow this: what is the MAC address of this device? Suppose R1 MAC address: show interface e0/0. This is the MAC address of this device. Let me copy this one, if I want to allow this one. But here the policy is: after two there is a colon, in every device. It will be different; the digits are twelve. We know this, twelve digits. So now I make them like this. And it can come from anywhere. So I will say R1 MAC address, and if you want to give it any color, okay. And if you refresh here.

So by MAC address, if you want to allow it and create any policy, it will be visible here: R1 MAC address. There is a MAC address object; whenever you need it you can call it. So these are the addresses. Yeah. This show I cleared already. Static route configuration: if you want to configure a static route directly from this object, suppose R1, and configure static route as well. Okay. If you go to static route, where we created last time, Network, Static Route, okay, the object will be available here. So if you need them here for static route purposes; so we just allowed only one, which is visible here. So you can do it this way as well. Let me go to policy and update addresses again. So these are the addresses. But there are some address groups, like for Microsoft Office and G Suite, something they have by default. And this Microsoft is showing here as well. This one, address group: G Suite and Microsoft. If I need one as a group as well, so you can create an address group as well. Click on this one, and suppose web group, anything, I don't know what to give it.

And again change the color, whatever you want, and make a member. Like I select LAN range, LAN subnet, Facebook; this is a different one, that's why. So let me make them this one. Because some of them we use for different things; it will be the same range. So suppose I list my web group; it will be web group. You have to create a service like that one again, the same story: show in address group, static route and comments. So I have created my own group. So whenever I need these two things, I can call this web group rather than calling two things. And if I go back here, so whenever I need these two things in a policy, okay, and source, you will see here is web group; two things are inside, and call them. So rather than putting them one by one, I will make them a group, and I call the group here. So it's reutilization of things. So with an IP subnet we can create a whole subnet; we can create a range, which I showed you, the range; we can create a fully qualified domain name.

We can create any country, and dynamic, which we don't have right now, but you can create it with ClearPass; it is also a dynamic feature. When we're done I will show you single sign-on. And address group: I created an address group for anything. You can create one for anything, and you can exclude as well, because in address group there was exclude as well. So if I click on this one there is, okay, the exclude one is removed from the new version; in the old version it was there, so it's not there anymore. And we can call them here from address group, not anywhere; it can be called anywhere, but normally we use them in security policy to call these things. So this was address group, a small thing, but reutilization; and it will clean up your policy and it will be easy to troubleshoot. So that's why it's very important, otherwise it's a small thing.
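The same address objects and group walked through in this lecture, written as FortiOS 6.4 CLI. This is an added example, not the lecture's own configuration: "port2" (LAN) and "port1" (WAN) are assumed interface names, the object names are my own, and the MAC value is a placeholder.

```fortios
# Added example, not the lecture's own configuration: the address objects
# built in the GUI above, expressed as FortiOS 6.4 CLI. "port2" (LAN) and
# "port1" (WAN) are assumed interface names; the MAC value is a placeholder.
config firewall address
    edit "LAN_Subnet"
        set type ipmask
        set subnet 192.168.1.0 255.255.255.0
        # "Interface": the object is only offered when port2 is the policy's source interface
        set associated-interface "port2"
        # "Static route configuration": lets the object be picked as a static route destination
        set allow-routing enable
        set color 6
        set comment "my LAN subnet"
    next
    edit "R1_IP"
        # a single host is just a /32 subnet
        set type ipmask
        set subnet 192.168.1.4 255.255.255.255
    next
    edit "LAN_Range"
        set type iprange
        set start-ip 192.168.1.1
        set end-ip 192.168.1.254
    next
    edit "Facebook_FQDN"
        # resolved by the FortiGate's DNS; shows as unresolved until the first lookup
        set type fqdn
        set fqdn "facebook.com"
    next
    edit "Pakistan_Geo"
        # geography object, ISO country code
        set type geography
        set country "PK"
    next
    edit "R1_MAC"
        # device MAC address object; placeholder value, not a real device
        set type mac
        set macaddr "00:00:5e:00:53:01"
    next
end
config firewall addrgrp
    edit "Web_Group"
        set member "LAN_Range" "Facebook_FQDN"
    next
end
# The point of the lecture: a policy that names objects instead of "all"
config firewall policy
    edit 0
        set name "LAN_to_WAN_Facebook"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_Subnet"
        set dstaddr "Facebook_FQDN"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
    next
end
```

Paste it into the CLI (or `execute batch`) and the objects appear in the GUI address list exactly as if created there; the FQDN object stays unresolved until the unit's DNS lookup completes.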

58. Lecture-58: Service Objects in FortiGate Firewall.

Service means any TCP and UDP port number, and we always call services in a policy as well, whenever we are in a policy and we are creating any. So here we have our services. You know, normally we use this and we always say all, which means anything. And there are 67 ports we can use, like Telnet, HTTP, HTTPS, SSH, RDP and RTSP; all those things we call services, and we always call them here. But if you want more control, you can put which services you specifically want to allow. So for that purpose we can create a service object for TCP and UDP, and you can create a category, you can create a service group, and you can create services separately. Three things you can do. But there are some default categories when we go to Policy & Objects, and here is Services. Look at General, Web Access, Email and so on. Like in General they have put all these things; in Web Access, web-related, HTTP and HTTPS; File Access, file-related services; Email, email services like IMAP, POP3, SMTP; Network Services, network-service-related things; and authentication-related things like LDAP, all those are Authentication; Remote Access: RDP, SSH, Telnet, all these are remote services.

So they have their own default categories. Some of them they have already done for us, which is a good thing and a good sign. But if you want, you can create your own. You can view by category setting; it will show you in another way, in the simplest way. Click again; it will show you in the detailed way, like this one. So these are the service names; these are the details, IP and fully qualified; it shows which service list, and where it is used. Again you can search, you can clone, you can delete and you can edit. And you can create three things: your own service for a specific port, your own group, and you can create a new category like this one. This is the General category, the Network category, another thing.

So how can we do it? First let's create a service. So click on Service. Suppose Telnet; I want to create a Telnet service. SRV, suppose I say SRV, whatever you give it. Comment again, if you want to give a color, in which category you want to put it, again this one: show in service list here. So when you click on Service, it will show here. So I say just show them there. In which category you want to put it: these are the default categories; we will create our own as well. So I say Telnet, let me put it in Network Services. By the way, it has to come under Remote, but let me put it in Network; it's my way. Protocol type: it is coming under which protocol? Telnet is coming under TCP. IP range, if you want to allow it for a specific IP. And the destination port is definitely 23, and low is 23, because Telnet is using this port. And you can add more as well, if you want to put more ports.

The source port is always random, we know, so no need to specify a source port, except maybe for something like DNS, sorry, DHCP; then you can put a source port. But in this case I say telnet server and OK. So my service is ready, but I don't know where I put it, so let me search for telnet. So there are two Telnets: one was already there, and the one which I created, Telnet SRV. So mine I put in Network Services, and the one which was already created is in Remote Access. So mine is in Network Services, and I can call it here as well, if I refresh; so in the Service tab now I have an object.

So whenever I need a Telnet, I will type here telnet service and two are there, but the one which I have, this one, is used; but it is a similar thing, if you see, similar. So this is the service to create. And you can create so many services, and you can put them in your specific category. It can be TCP, it can be ICMP, but ICMP is using a type and code. They have a specific code for ICMP, for echo and echo return, and echo they have. So then you have to put their type. And for IP you can put any protocol number from 1 to 255; like 6 means TCP, like 17 means UDP. We know; I showed you this. And you can use TCP, UDP and SCTP, and then you can put the port number. So services are so easy to create. Now another thing is service group, because there are some service groups as well. Where is the service group? Let me go to Firewall. So inside Firewall group they have some service groups, not a category; the category is Firewall group, but they have Email, so Email is different; Web Access, they have DNS, HTTP. Let's create our own Web Access, so I can create a group of services as well. So click Service Group and name it, suppose web SRV, and whatever color you want to give, and member: I say HTTP, HTTPS. That's two only; that's what I need as a group. So there will be another group, which is web SRV.

So whenever I need HTTP and HTTPS services, I can click on here and I can call the service group. The service group will be here. The one which I created is not showing, so just refresh. So rather than calling them individually, now you can call them in a group; so it's better to search for them. So this is my one, web SRV, where two things are; one is the default one, in which DNS is also included. So whenever I need specifically only HTTP and HTTPS, I can give this one. So this is a group of services. And the last thing which you can do here is create your own category, like this category. Click on Category and give it, suppose, my category, and comments, anything, and okay. And this way, if you go back, my category will be there, which is not here. Why? It will not show either; change it here.

It will show here, my category. But when you go the other way it's not showing, because you need to put something in my category; then it will show. So let's go to the Telnet which I use; let me put that one. So let me click on my category: my Telnet, and put it in my category. Because now my category is showing here, and okay; now you will see my category there; before it was not showing here. It has one service. So you can create your own different category as well, for it maybe, for HR or someone else, maybe some other protocol, maybe a mix of these protocols.

So you can create your own category and put them in, and you can create your service group to call them at once, and it will work straight away rather than calling many services one by one. So this is called: they have some defaults which we checked, Uncategorized. There was General, there was Web Access, Email, Authentication, for voice and web proxy, and so on, in every category. We can create our own category and we can give it a color; services and everything we can put in them. And we can create a protocol type: we can create TCP, UDP, which I showed you, and IP we can put, and we can create a service group and we can call them and verify as well.
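The service objects, custom category and service group from this lecture as FortiOS 6.4 CLI, extended with the ICMP and raw-IP-protocol cases the lecture mentions. This is an added example, not the lecture's own configuration; the object names are assumed.

```fortios
# Added example, not the lecture's own configuration: the service objects
# from the walkthrough above as FortiOS 6.4 CLI. Object names are assumed;
# port ranges use dst[-dst]:src[-src] syntax.
config firewall service category
    edit "My Category"
        set comment "my own category for custom services"
    next
end
config firewall service custom
    edit "Telnet_SRV"
        # TCP destination port 23 only; source port left random, as in the lecture
        set category "My Category"
        set protocol TCP/UDP/SCTP
        set tcp-portrange 23
        set comment "telnet server"
    next
    edit "DHCP_Client_SRV"
        # the DHCP case the lecture mentions: destination 67 with a fixed source port 68
        set category "Network Services"
        set protocol TCP/UDP/SCTP
        set udp-portrange 67:68
    next
    edit "Ping_Echo_SRV"
        # ICMP services are matched by type and code, not port: type 8 is echo request
        set category "Network Services"
        set protocol ICMP
        set icmptype 8
        set icmpcode 0
    next
    edit "GRE_SRV"
        # a raw IP protocol: number from 1 to 255 (6 would be TCP, 17 UDP, 47 is GRE)
        set category "Network Services"
        set protocol IP
        set protocol-number 47
    next
end
config firewall service group
    edit "Web_SRV"
        # HTTP and HTTPS only; the built-in "Web Access" group also carries DNS
        set member "HTTP" "HTTPS"
    next
end
```

The custom category must exist before a service references it, which is why it is created first; an empty category does not appear in the GUI's category view until at least one service is placed in it.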
