NSE4_FGT-6.4 Fortinet NSE 4 – FortiOS 6.4 – FortiGate Firewall V6.4 Part 2

January 25, 2023

32. Lecture-32: FortiGate Firewall as DHCP Relay Lab.

I need to go to Node; I need Windows and XP lite. By the way, mute this one. Okay, so this is my one client, and let me go to Nodes and go to the end. These are virtual PCs. I need only three, save. So two here and two here. Now what I need is a Windows Server. Go to Windows Server, change it from Console to RDP, and that's my server. Now I need two switches. So I will go to IOL and take two switches, change the name to SW and change the icon.

Okay, so these are the two switches, and the last thing I need is a FortiGate firewall, and it's okay, it's done. Now connect them, and yes, I need one. So this should be management and this should be Internet. Okay, this is the topology we will use now to do connectivity. So this is the server, this is the client, another client, and it should be with port number two, because port number one we will use for management and also for Internet. Port number one here and this one. Okay, and here. Okay, let me start. I don't need this one right now; start, start, and this one, start and start. Okay, so when it starts, let me go to the tab 192.168.20, which we decided to use for this site, duplicate, and let me create a new one and use them here, one, and let me duplicate. Okay, and here we have 114; the default route IP should be 114.2. That's it. And let me type until it starts. So this is DMZ, this one is the IN side; either IN is enough, just so you know that. Yeah. Okay, now what I need to do, I need to configure the first two. So double-click on this one.

Go to SecureCRT, admin, Enter, 123, 123. System interface, question mark: it lists the IP address of management; type it in your browser. Okay. And go to admin, one, two, three. Okay, later; we don't need to change the name, so whatever we studied in the first lecture. So what we need to do first: go to Network, go to Interfaces; this is the basic configuration. We already know this one, port number one. So what is port number one? This one, this is our management and also WAN. So it's better, let me give it WAN and make the IP manual. So keep the same IP, it's okay, everything is allowed. Okay. Because we want to use this one. So if I make it DHCP, this FortiGate is working like a DHCP client. Now it's getting an IP from someone else. You can renew the IP as well, and these are the expiry, and acquire DNS as well. So it means one thing is proven: we can use the FortiGate firewall as a DHCP client. This one is a DHCP client. And port number one is getting an IP automatically from the ISP, either from any of your servers or whatever, but I want to make it manual. You know, a DHCP client is so easy in FortiGate: just make it DHCP and it will get an IP automatically.

Okay? So I just changed the name to WAN, just an alias name, so that we know port number two. In our topology port number two is our inside, so let me give it LAN, and what IP? I will assign 192.168.100 with a /24 subnet mask and just allow ping. Let me copy this one. Okay, we already did one-arm sniffer, and another one is DHCP, and this one is manual. So there are three methods we can use to apply an IP address to the interface. So LAN, okay. Now this one, port number three, will be DMZ, so go to port number three. I'm doing it quickly because we know this one, we've done it. DMZ, and put the IP 200, okay, and ping is allowed, and okay. This was the first thing to configure. The second thing we need to configure is DNS, so specify; we already did DNS, so let me do it quickly. This one is 1.1.1.1, which is faster, and this is the Google one, and apply. Okay, so DNS is done. Next we need to configure a static route: where will the traffic go? 192-1681, 114; we already did static routes as well. So let me do it quickly.

This one as well, 114.2, WAN interface, administrative distance; we already did everything. That said, this was the basic thing to configure. Now I don't have any IP address on my systems, like on XP, neither on this one, okay? Neither on this side. So if I click on XP, open it. By the way, I need to lock the lab now, so go to Lock the Lab, so if anything moves it will not. So if I come here, there is no IP address. This is my interface; it will get an APIPA. We know APIPA: if there is no IP, it will get Automatic Private IP Addressing. If I go to Run, okay? And if I check here, ipconfig, so it gets an APIPA address, 169.254; we call it APIPA, meaning Automatic Private IP Addressing. So if a Windows system didn't get anything, it will assign this IP automatically to the interface, which we call APIPA, but it will not do any communication until analyst. On the other side we are using the same subnet, so I don't have an IP. So what I can do: either we can assign statically, or we can configure the FortiGate firewall on each interface as a DHCP server. So let me go to port three first. So where is my port three?

Let me go to Interfaces, and this is my port three, DMZ. Click on this interface; we already discussed this. This is the name, this is the alias; you can assign a specific role. You can assign a manual IP to this interface. You can do it through DHCP, and one-arm sniffer we only did to capture the packets and forward them to IDS/IPS, which we did in the lab, see country ID. If you want to configure more IPs on the interface, it's also possible; you can configure more than one. And I showed you some time as well. In my lupic I assigned two, three IPs on the same interface, and I can use all the IPs at the same time. So the same concept is here. Administrative access we already did step by step. What is this part? Okay? And this one is the DHCP server, which is disabled by default. So let me enable this DHCP server. This is the range which we can assign; when I click, I can assign a third range as well, so at maximum I can create three ranges, but I don't need that; one range is enough. But it automatically removed the interface IP, 100, and it created from 1 to 99. It's enough. And if you want to change the pool, if you say no, start from 200 and give the IPs up to 250, you can. Change it, and you can create two more as well from the same range, meaning the same subnet. This one is done; this is the range to assign, which we call a pool as well.

So this is my pool to be assigned to the clients which are connected to this interface. Subnet mask, or netmask: this subnet mask will be assigned to the client; this is my client, and this subnet mask it will assign. Now default gateway: when you go to your system, there are so many things which are assigned by DHCP; one of them is the gateway. If I go to my... this one is through DHCP, so IP address, subnet mask, lease obtained, lease expires, default gateway, and this is my DHCP server as well. So the same thing I can do here, so it will be the default gateway; it says same as interface IP, this interface IP, and it's true? Yeah, either I can specify it; take the same one. If you want to assign differently, you can put it here. Then DNS server: same as system, which I just configured here. So yes, it's true; either same as interface IP means this IP will be like a DNS, or you can specify, you can specify here. Let me use same as system DNS, which is configured here, 8.8.8.8 and 1.1.1.1. Lease time, which I showed you here. Normally the wired one is a different one and wireless is a different one.

Okay, for how long do you want to assign this IP to the host, in seconds? So you can change it, but no need for anything. Click on Advanced. So are you going to configure a server or relay? We will do that later, so forget about this one. Type is regular or IPsec, so the default is regular; I'm not using any dial-up VPN client to make it IPsec. NTP: do you want to assign any NTP server? So I say local, whatever I have, either my system NTP if I configured it. Wireless controller: I don't have any, so I will say same as interface IP. Time zone: same as system, whatever is configured on this system, or you can assign the time like any country, any zone. Next bootstrap: suppose this is not reachable, so you can assign any other DHCP server. These are the additional DHCP options; create. Okay, so you can assign in hex or decimal, and fully qualified, or in string; so many values you can assign, and a few of them are mentioned here. I removed that one. There is a full list of things, so you can assign them through DHCP. Those options are extra options to assign to the host. And IP Address Assignment Rules: these are some extra assignment rules if you want, like Create New. So suppose a specific MAC address is XP in my case; what is the MAC address of this XP? getmac.

Okay, so what is the MAC address? Okay, there are three MAC addresses, so I need to go there; those are disabled. Okay, so this is the MAC address. Let me double verify, so Details. The MAC address is the correct one. So let me copy this MAC address. Okay, I cannot copy this because it's through VNC, so I need to type it here. Okay, so suppose you want this description, suppose XP, and let me type the MAC address. So the MAC address is 500-0100 of XP. Suppose I want to do some extra thing, like Assign IP, which means the normal activities; list the criteria by MAC address. If I say Assign IP, it means deal with it normally, whatever you do, normal behaviour. If I say Block, it means never assign an IP to this MAC address. And if I say Reserve IP, I say always give IP address two... suppose 240, which is far away in our range. So I said reserve this IP, always give this IP to this MAC address. And this one will be discussed: relay agent. So you can do three things with this assignment rule. Okay, so my rule has been created. You can create so many rules. If you want to edit the same rule, click on Edit and you can edit the rule. If you want to delete the rule, you can delete the rule. And if you have so many rules, you can search here. This one is added from the DHCP client list. So if the DHCP server assigns an IP address, it will be shown here. Nothing is there because we still did not do it yet. Okay, so basically it will show you the bindings, what is being assigned to the client. So you can see that list here, even though you can see it from here as well. But anyhow, they have an option here. So IP Address Assignment Rules: you can create so many rules, which I told you, and the rest of the things are not related to DHCP; up to this one. This is related to DHCP: range, subnet mask, default gateway, DNS, which mode we want. So right now we need it as a server; wireless, NTP, bootstrap and IP address assignment, and okay, that's it.

So DHCP is configured; it's so easy to configure DHCP on a FortiGate firewall, under Interface. Everything is available under Interface. So if I go back to the client, okay, so what I need to do: either I need to disable and enable this interface, or what can I do? Before doing that, let me see if I can capture; there is a capture here on port number three. I don't know if capture is working here or not. I'm using so stone key and Keshe. Yes. So it's okay, at least asceniable; it's been ages. I never use EVE; I'm using GNS3, which is difficult, to be honest, but I'm used to that one. Anyway, let me start so that I can show you the DORA process as well. So just wait a minute. Okay, so at least it's showing traffic; remind me later. And now let's go to XP, and here I will say ipconfig /release. Okay, it will request now, and renew. So let's see if everything is okay. So it gets 240. Why did it get 240? Our range is starting from 200, but it's because I reserved this IP, you remember, an option. So that's why it gives this IP, and this is the gateway. These are the details, and let me show you here the DORA process.

So type here DHCP and filter them. So the first packet is DHCP Discover, then Offer, then Request and then Acknowledgement. But it's been done from another system as well. So Release, Discover, Offer, Request and Acknowledgement. So the packet size is this, 1342. I told you the normal packet size is 342, the length of the Discover, which we call DORA. And this packet is broadcast. If you see, the packet is broadcast; then Offer again is a broadcast packet, then DHCP Request is also a broadcast, and then Acknowledgement is also broadcast. So it means DHCP is sending all the messages in broadcast. So that's the issue, because I'm showing you this for later. And this is the MAC address which I showed you, that broadcast always uses this MAC address, FF, and why? If you convert this, it will give you this, FF. And DHCP is User Datagram Protocol, so that's why User Datagram Protocol, and the source port is 68 and the destination is 67. So they have their own source port and destination port; very few protocols have their own. Every application has their own; they have their own source port and destination, most of the time.

You will see here a random port from 1023 onwards, and definitely a destination; every application has their own port number. But in this case they have their source port and destination. And this is the Discover packet which I showed you here. And these are more details if you want to go into more detail, and packet size and zero, the client IP, and every detail. But anyhow, my main purpose was Discover, Offer, Request and Acknowledgement. So this PC got that. What about this one? So let me double-click on this one. Okay. And here, because this is a VPC, just type ip dhcp, so it will show you DORA. If it is showing DORA it means it's working. If it is not, so it started your DORA. DORA means Discover, Offer, Request and Acknowledgement, and it gets the first IP which we configured, but in XP, because we reserved that IP. Okay, so it gets the IP, and how can we check? show ip. So it gets this IP, this gateway. Look at the DNS, 8.8.8.8 and 1.1.1.1, which we configured, system one. This is the DHCP server IP. DHCP list, which we configured in the second; this MAC address of this one and port. So I hope it will be reachable to the Internet without any issue. Yeah, one thing we didn't do, it will not be reachable: policy. We forgot to configure a policy. So go to Policy & Objects and configure a policy. I just realized we forgot the policy. So DMZ to WAN? Now we have two things. Okay? So DMZ to WAN: the packet will come from DMZ, port three, and it will go to WAN; source. We already discussed these things, so let me do it quickly. I believe yesterday we did it, and services can be anything, and all sessions, and okay. So let's go to VPC, ping. So I hope it will work. So DNS is working, and even if I ping Yahoo, it has to work. So it's resolving and pinging yahoo.com, and if I go to XP and browse anything, it will also work straight away. So let me go to XP. Okay, let me type, and till that time, what can I do? I need to show you the logs. So let's go to FortiView and Sources.

Only one PC went out, so it will show that IP, 200, and 240 will go now. Yeah. So let's see, the browser is enabled, so it's sending something. So if I go to google.com, yeah, so it's working; it's getting everything automatically through DHCP and it's going outside. So we can see, and also we can see from our sessions, these are 240, which is our XP, and the other system. And if we go to Monitor, there is a DHCP Monitor; it will show you the IP details: that on interface port number three, DMZ, two PCs are connected, VPCS one and client one, which is XP. These are the MAC addresses, and look, it says Reserved. Somebody reserved this MAC address to give it this IP all the time. It's very easy from here as well. If you click, there is Reserve. By the way, it should be Create DHCP Reservation, and it will be done in 1 second rather than typing the MAC address all the time; either here, or from here, Create, and it will reserve this IP and this MAC address. So the green one means reserved, and the other is not reserved. This is the IP address, this is the host information, expiry and lease status.

Okay? And you can refresh, and you can revoke as well. And the same thing can be done from there as well. So if I go to Network, Interfaces, so DMZ, DHCP; if I click on DHCP, and where is the option here, Advanced, I told you you can verify from here. So click on here; it will show you two systems, sorry, one, because the other one is reserved, so that's why it will not show here. So it's showing here that there's the device, there's the MAC address, IP address and expiry. So you can reserve an IP from here as well. Again, very easy. You can search here if you have so many systems connected, so you can search as well. Okay. And the other thing was, suppose I click Edit, so Assign IP means normal; make them like normal, so you will say, why do you want to type here? Sometimes some systems are still not reaching the DHCP server for some reason, MAC address issues. So you can type the MAC address here, and then you can say either Reserve, or deal with them normally, whatever, like a normal system, and definitely if I say Block, this MAC address will be blocked and DHCP will not assign any IP address. You can test it yourself. If any issue, let me know. Okay, so this is DHCP.

Now let's go to the other side. Can we configure DHCP on this side as well, the same way? Yes. Click, go to Interfaces, and this time go to the LAN interface and click on DHCP server. Let me use this range, which starts from 101; I don't care, it could be from anywhere. I already told you: DHCP, DNS, lease time, advanced settings, is it a server, what? It will be everything, DHCP options, and done. So now DHCP is enabled on this port also. On this port, if you have so many zones, you can do it on each and every interface, even if you configure VLANs, which we did in the third class, so again it will assign differently to this interface. Okay, so now let's check: click on this VPC inside, type ip dhcp, so if it's showing DORA then it's working; otherwise we need to test it again. So I start here, DORA, and it will get from one range, keep in mind. So let's get 101; how do we know? So we have two ways. Either go to Monitor, DHCP Monitor, and this is the VPC on the other side, LAN. This is the LAN one. So let's get one range, and the other two are the two range. Okay. And let me quickly do it, this one, to show you quickly. Then we will finish this one here. So let's see if it is getting DORA or not. So it's also working. Okay, it's good: 102. And let's verify. Just refresh: 101, 102. And these two are from the 200s. Okay. And definitely Internet and everything will work because we already configured the default and everything. So if I say yahoo.com, it has to go straight away to the DNS which we are using. The system is disconnected. So let me go to yahoo.com. Okay, what the hell is this one? ping www.google.com. So it's working, by the way; it says it just has to work on the LAN side. Okay. Yeah, the LAN side is not working because we don't have a policy here. They will get an IP, but they will not work, you remember? So let me go to Policy & Objects and create a new policy. This time LAN to WAN, another policy, because it's a different one.

So LAN to WAN, and go to source all, destination all, and this one is all, and allow all sessions so that we can see the traffic, and okay. And now let's go back to any of these PCs. So let me go to VPC three. So it's not going to connect. So let me stop it and start again. Okay. And let me turn it on first. ip dhcp; it will get an IP from one range. So it's done, it's showing DORA; you can capture the packets as well. And if I ping google.com, it has to work here. So it's working now due to that policy; for some reason it was not showing up. Okay, so we will reply. Let me see if I missed something, maybe some show command or something. Normally basic configuration, we did, and default route, we did. Definitely it is required, and then we configured the client, because I've done it, and there's one, verification. So we verify from here, DHCP Monitor, and top LAN, and definitely you can verify from there as well.
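As an added illustration that is not part of the lecture or of FortiGate's own code, the Python below models the two things the lab demonstrates: the DORA messages seen in the capture (a client Discover on UDP 68 to 67, 300-byte BOOTP payload, hence the 342-byte frame) and the per-interface DHCP server's IP Address Assignment Rules (assign, block, reserve by MAC). The subnet 192.168.200.0/24, interface IP .100, pool .200 to .250, the reserved .240 and all MAC addresses are constructed sample values, and the server logic is a model of the GUI behaviour described, not FortiOS's implementation.

```python
"""Added example modelling the DHCP behaviour in the lab; not FortiGate code.
Builds a DHCP Discover as seen in the lecture's capture (236-byte BOOTP header,
magic cookie, options, padded to the 300-byte minimum so the frame is
14 + 20 + 8 + 300 = 342 bytes), parses it back, and applies FortiGate-style
IP Address Assignment Rules (assign / block / reserve by MAC) to a pool.
Subnet, pool and MAC addresses used with it are constructed sample values."""
import struct
from typing import Optional

DHCP_CLIENT_PORT, DHCP_SERVER_PORT = 68, 67   # the fixed ports seen in the capture
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"           # destination of every DORA frame in the lab
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_MIN_LEN = 300                           # + 42 bytes of Ethernet/IP/UDP headers = 342
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 7: "RELEASE"}


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def build_dhcp(msg_type: int, client_mac: str, yiaddr: str = "0.0.0.0",
               xid: int = 0x3903F326) -> bytes:
    """Build a minimal DHCP message with the broadcast flag (bit 15 of flags) set."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1 if msg_type in (1, 3, 7) else 2,          # op: BOOTREQUEST (client) / BOOTREPLY
        1, 6, 0,                                    # htype Ethernet, hlen 6, hops 0
        xid, 0, 0x8000,                             # xid, secs, flags: broadcast
        b"\0" * 4,                                  # ciaddr
        bytes(int(o) for o in yiaddr.split(".")),   # yiaddr: "your" IP in Offer/ACK
        b"\0" * 4, b"\0" * 4,                       # siaddr, giaddr (a relay agent fills giaddr)
        mac_to_bytes(client_mac).ljust(16, b"\0"),  # chaddr: the MAC the assignment rules match
        b"\0" * 64, b"\0" * 128,                    # sname, file
    )
    options = MAGIC_COOKIE + bytes([53, 1, msg_type]) + b"\xff"  # option 53 + End
    return (header + options).ljust(BOOTP_MIN_LEN, b"\0")         # pad to BOOTP minimum


def parse_dhcp(payload: bytes) -> dict:
    """Return op, xid, broadcast flag, client MAC, offered IP and message type."""
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    msg_type, opts, i = None, payload[240:], 0
    while i < len(opts) and opts[i] != 255:          # walk TLV options up to End (255)
        if opts[i] == 0:                              # Pad option has no length byte
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == 53:
            msg_type = opts[i + 2]
        i += 2 + length
    return {"op": op, "xid": xid, "broadcast": bool(flags & 0x8000),
            "mac": ":".join(f"{b:02x}" for b in payload[28:28 + hlen]),
            "yiaddr": ".".join(str(b) for b in payload[16:20]),
            "type": MSG_TYPES.get(msg_type, "UNKNOWN")}


class DhcpServer:
    """Per-interface DHCP server modelled on the GUI settings used in the lab."""
    def __init__(self, interface_ip: str, pool_start: int, pool_end: int):
        net = interface_ip.rsplit(".", 1)[0]
        # The range lives in the interface subnet and never includes the interface IP itself
        self.pool = [f"{net}.{h}" for h in range(pool_start, pool_end + 1)
                     if f"{net}.{h}" != interface_ip]
        self.rules: dict = {}    # mac -> (action, ip): the IP Address Assignment Rules
        self.leases: dict = {}   # mac -> ip: what DHCP Monitor / the client list shows

    def add_rule(self, mac: str, action: str, ip: Optional[str] = None) -> None:
        self.rules[mac.lower()] = (action, ip)       # action: "assign" | "block" | "reserve"

    def allocate(self, mac: str) -> Optional[str]:
        """IP for this MAC, or None when the MAC is blocked or the pool is exhausted."""
        mac = mac.lower()
        action, ip = self.rules.get(mac, ("assign", None))
        if action == "block":
            return None                           # never hand an address to this MAC
        if action == "reserve":
            self.leases[mac] = ip                 # always the same address for this MAC
            return ip
        if mac in self.leases:                    # renew: keep the existing binding
            return self.leases[mac]
        reserved = {r[1] for r in self.rules.values() if r[0] == "reserve"}
        for candidate in self.pool:               # lowest free, non-reserved address first
            if candidate not in reserved and candidate not in self.leases.values():
                self.leases[mac] = candidate
                return candidate
        return None

    def handle(self, request: bytes) -> Optional[bytes]:
        """Answer a Discover with an Offer, a Request with an ACK; None if blocked."""
        req = parse_dhcp(request)
        ip = self.allocate(req["mac"])
        if ip is None:
            return None
        return build_dhcp(2 if req["type"] == "DISCOVER" else 5, req["mac"],
                          yiaddr=ip, xid=req["xid"])
```

Feeding a blocked MAC through `handle` returns nothing, which is what the lecture's Block rule produces on the wire: the client keeps broadcasting Discovers and falls back to APIPA.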

33. Lecture-33: FortiGate Firewall License Activation.

Before doing security profiles, let me show you how we can license our FortiGate firewall. So admin, and my password is one, two, three; it's a fresh firewall. Okay, and what is the IP? show system interface ?. So 114.133. So let me go to the browser. I just configured basic stuff; nothing is configured in this FortiGate. One, so 192.168.114.133 it was. Yeah. So, you know, I'm using HTTP; after applying the license, I can do it by HTTPS as well. So admin, one, two, three is the password, which I said, okay. Even though with the 14-day license you can do so many things, the one which you got, this one. So we have the VM evaluation license, which is for 14 days, but so many things are missing, like WAN IP is not showing me, okay. And this FortiGate server is not reachable, FortiGuard; I will show you what FortiGuard is. And also so many things are disabled, if you can see, okay. And also when we do security profiles, like web filtering, some of them require a license to work properly; even though you can still, it still says the device is not licensed for FortiGuard web filtering.

So this thing will not work. Also DNS and application and so many things in security profiles will not work properly because of the license. Okay? So as I told you, I got a 60-day license. You can apply that license, 60 days. So you can apply it from so many places here; just click on here. Either go to System and click there, or click here, so it will take you to the same place. Okay. It's asking me that you can only use one CPU and 2 GB only, because of the license. And also my management is through HTTP; the connection is not secure because of the license. After that I can log in through HTTPS as well. And so many things are missing, by the way. But anyhow, still there are so many things you can do without a license. So don't worry if you don't have a license; don't say that I cannot do it now. You can still do all your labs; maybe two or three labs are not possible without a license. So click on Upload. Okay, and I have a license file, I think, so I downloaded it. Yeah, this one. So I upload that license. Okay, let me show you. If I go to support, I told you, you can send them the email. Not support, not support; Palo Alto. Okay, let me go there. By the way, gateway downloads; it will take me to the website. Okay, this is the customer support, fortinet.com; log in with your username. Okay, when you apply for a license, the email you mentioned there, you have to log in with that email. I used my local email this time. Last time I used the company one, but I log in through this email. So click on Login. I already saved my username and password. Okay, and if you go to Assets, I think so; as a first-time user I already did some basics. They will send you in the email the steps to follow. Okay, so let me go to Download VM; not download, I need to see my assets, so it's not showing me, by the way; maybe I did not register it. Yes, only the registration step, so it will not show me. So what you need to do first, you have to log in there. I have the document which they sent me, and you have to follow these steps. If I go to the document? Yeah, this one.

So this is the documentation they sent me, 48, okay. So I used my company details, as mentioned here, and this is the license, two in quantity you can use, and also they give the other two licenses for FortiAnalyzer as well, and you can use them virtually. They have another document, step by step, how to log in and how to do it the first time. So I already did those steps. Okay, I think it should be somewhere, so I got the license. Then you have to download your license. Maybe it's mentioned somewhere; for some reason I cannot see Register and Activate, Manage Products. Okay, this one, maybe I will see here. Yeah, this one; so this is the one which I registered, and you can download this license. Okay, so I already downloaded this one license; download, download this license, and then, which I am here, I upload the license and okay, so it will reboot the system, and let me show you. I just click on this file; there is a small file to download, the license. Yeah, this is the type I already have, so it will do it as a two-year one, a .lic license. Okay, so the first time you have to register it. They will send you step by step: log in to your device, do those steps and generate a license. Download the license and then you can go to the place which I went to and upload the license. Okay, then it will reboot the device and it will register. So it's rebooting; just to show you how we can do it.

The same process is for the original license, the one which we normally use the first time when you deploy your device; how you can license it, so that's the way. Similarly, a request from my Gmail ID will work. Yeah, you can request it, but actually they will ask you why you need it. You have to provide them a justification; that's the only thing in the deal with them. If you satisfy them, they will call you. In my last batch they called two students and they said, why do you need this? They gave them a good justification: that I want to test, I am in the company and then I will recommend it, and this blah blah blah, and they said okay. So they give them, normally; by the way, it's totally the communication when you are doing it with them. They are giving a free 60-day license, so why not, they will give you; try them. There is no such thing; try, and if they do not give it, it's okay otherwise. But yes, in the last batch they gave it to them using their personal email. Use the personal email. I will share their details, by the way. Okay, so it will reboot after a while; it's taking some time. I believe it's done. I think so. admin, one, two, three; show system interface; same IP, but this time I can use HTTPS.

So let me make it HTTPS. Yeah, now I can; you know, in the first lecture Nabil, I believe, asked me. So now we can do it through HTTPS login, because now it's a licensed one. So look at it now, it's HTTPS. And now you will see so many things are enabled. There is no warning, no more warning about the license. And you see this, my public IP is now showing, my Sonia, WAN, all these things have been enabled now with the license. And now it's showing me my license. Now I can increase my CPUs. In the document for the evaluation license they say you can increase them up to four, sorry, eight CPUs. So if you want to test more, you can increase to eight CPUs. But anyway it can work on two and one as well. Next time I will increase my CPUs to work faster. So this one CPU can be increased. The license thing is available. WAN IP is available; this thing will work, which we will discuss later in the course. And those things which were not working before. Okay, so let me close here.
