Introducing FortiGate Firewall

Ahyal Husna

Academic year: 2024
FortiGate FIREWALL

LAB in VMware ESXi

ESXi is installed on the hardware, and on ESXi we configure multiple VMs. Before installing ESXi on the server, make sure the ESXi version is compatible with the server hardware: search for “vmware esxi compatibility”.

This is our game plan for this series.

We have 4 FWs in our scenario. FW1, FW2, and FW3 are in the same subnet, connected through a switch; the subnet used for this connection is 10.123.0.0/24. FW1 will have IP 10.123.0.71/24 on interface 2, FW2 will have IP 10.123.0.72/24 on interface 4, and FW3 will have IP 10.123.0.73/24 on interface 4.

For the public-facing interface 4 on FW1 and FW4, we are going to use the 23.1.2.0/24 subnet: 23.1.2.71/24 will be on FW1 and 23.1.2.74 on FW4. For the MGMT subnet, we will use 192.168.1.0/24, and interface 1 of every FW in our scenario will be used for management. The 172.16.1.0/24 subnet will be used for DMZ nodes.

When we boot up the FW, the username is admin with no password.

• get system interface physical

This command shows the IP addresses configured on each port of the FW. We can see that DHCP is configured on port 1 of the FW.

• config system interface

• edit port1

• set mode static

• set ip 192.168.1.71 255.255.255.0

• show >> this shows the details of port 1

• By default, with an evaluation license the FW doesn't support HTTPS, so we must also enable HTTP.

• set allowaccess ping http https ssh fgfm

• end

After logging in to the FW, we can see the IP address on port1.

After selecting the interface, click on Edit. We selected port 4, configured the alias, set the addressing mode to manual, set the IP address, and configured the administrative access as ping.

We have configured a default route towards 23.1.2.1, which is the next hop (the external router).

Now we can ping Google's DNS with the command execute ping 8.8.8.8.

We have configured the IP address on port 2 and a DHCP server configuration as well.

We have also configured a policy that allows traffic from port 2 to port 4 with all services, and NAT is enabled on it.

Network Fundamentals

We can operate our FW in two modes.

• Transparent – acts as a sort of bridge, but we can still apply a lot of policies

• NAT mode – Layer 3 interfaces

Factory reset

• execute factoryreset-shutdown

By clicking on Static & Dynamic Routing, we can see the complete routing table.

To enable IPv6, click on Feature Visibility under System.

We have configured the four interfaces of FW1, as can be seen in the snapshot above.

In the routing table we can now see 4 directly connected routes. We will add the default route to reach any network that is not directly connected to the FW.

To add the default route in the FW, go to Network > Static Route.

If we have multiple default routes in our FW, the FW will choose the route based on the administrative distance (AD), preferring the lower value.

• get router info routing-table all

Using this command, we can fetch the complete routing table from the CLI.

• execute traceroute 8.8.8.8

From here, we can configure the DNS addresses.

While configuring the policy, make sure Log Allowed Traffic is set to All Sessions.

This will help us troubleshoot in case of any issue.

After this, configure FW2 and FW3 in the same way as we did FW1, and set their default route towards the FW1 port 2 IP address (10.123.0.71).

Also configure FW4 with basic L3 connectivity and add a default route towards 23.1.2.1.

Check the connectivity with the command execute ping X.X.X.X.

FortiGate IP Routing

The firewall uses three methods to learn routes and forward traffic:

• Directly connected

• Static routing

• Dynamic routing protocols

To see the routing table in the FG FW, go to Dashboard > Network and click on the routing widget.

Here, we can adjust the default timeout of the telnet session.

• get router info routing-table all

• get router info routing-table database

• get router info routing-table details X.X.X.X
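The AD rule for competing default routes and the three route sources listed above can be worked through in a small model. The following Python is an added example written for this page, not FortiOS code or anything from the page's author: it builds a constructed routing table for FW1 from the lab's addresses, keeps only the lowest-AD route per prefix (what `get router info routing-table all` shows, as opposed to `routing-table database`), and does the longest-prefix lookup that `get router info routing-table details X.X.X.X` reports. The AD defaults used (connected 0, static 10, eBGP 20, OSPF 110, RIP 120), port3 as the DMZ interface, the backup static default route and the OSPF-learned routes are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Default administrative distances assumed for this example (connected 0, static 10,
# eBGP 20, OSPF 110, RIP 120); a lower AD wins when several sources offer the same prefix.
DEFAULT_AD = {"connected": 0, "static": 10, "bgp": 20, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: str        # destination network, e.g. "0.0.0.0/0"
    source: str        # "connected", "static", "ospf", "bgp" or "rip"
    distance: int      # administrative distance
    metric: int        # protocol metric, used only to break ties within one source
    next_hop: str      # "" for directly connected routes
    interface: str


def route(prefix, source, interface, next_hop="", metric=0, distance=None):
    """Build a Route, applying the default AD unless one is set explicitly (as on a static route)."""
    ad = DEFAULT_AD[source] if distance is None else distance
    return Route(prefix, source, ad, metric, next_hop, interface)


# Constructed RIB for FW1 with the lab's addressing. port3 as the DMZ interface is an assumption
# (the page only names ports 1, 2 and 4). The three default routes show the AD selection.
FW1_RIB = [
    route("192.168.1.0/24", "connected", "port1"),
    route("10.123.0.0/24", "connected", "port2"),
    route("172.16.1.0/24", "connected", "port3"),
    route("23.1.2.0/24", "connected", "port4"),
    route("0.0.0.0/0", "static", "port4", next_hop="23.1.2.1"),                  # primary, AD 10
    route("0.0.0.0/0", "static", "port2", next_hop="10.123.0.73", distance=20),   # backup, AD 20
    route("0.0.0.0/0", "ospf", "port2", next_hop="10.123.0.72", metric=10),       # learned, AD 110
    route("172.16.2.0/24", "ospf", "port2", next_hop="10.123.0.72", metric=20),
]


def active_routes(rib):
    """Routes actually installed for forwarding (what `get router info routing-table all` lists).

    For every prefix only the routes with the lowest (distance, metric) survive; several with the
    same values are kept together as ECMP. `routing-table database` would show the full RIB."""
    best = {}
    for r in rib:
        cur = best.get(r.prefix)
        if cur is None or (r.distance, r.metric) < (cur[0].distance, cur[0].metric):
            best[r.prefix] = [r]
        elif (r.distance, r.metric) == (cur[0].distance, cur[0].metric):
            best[r.prefix].append(r)
    return [r for routes in best.values() for r in routes]


def lookup(rib, dst):
    """Longest-prefix match over the active routes, like `get router info routing-table details X.X.X.X`.

    Returns the list of equal-cost routes for dst (usually one), or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in active_routes(rib) if addr in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in candidates)
    return [r for r in candidates if ipaddress.ip_network(r.prefix).prefixlen == longest]


def without_route(rib, prefix, next_hop):
    """Drop one route, simulating the primary default route being withdrawn (link down)."""
    return [r for r in rib if not (r.prefix == prefix and r.next_hop == next_hop)]


def format_table(rib):
    """Render the active routes in the style of the CLI routing table: source letter, prefix, [AD/metric]."""
    letter = {"connected": "C", "static": "S", "ospf": "O", "bgp": "B", "rip": "R"}
    lines = []
    for r in sorted(active_routes(rib), key=lambda r: ipaddress.ip_network(r.prefix)):
        via = f"via {r.next_hop}, " if r.next_hop else "is directly connected, "
        lines.append(f"{letter[r.source]} {r.prefix} [{r.distance}/{r.metric}] {via}{r.interface}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_table(FW1_RIB)))
    print("8.8.8.8 ->", lookup(FW1_RIB, "8.8.8.8")[0].next_hop)
    print("after losing the primary default route ->",
          lookup(without_route(FW1_RIB, "0.0.0.0/0", "23.1.2.1"), "8.8.8.8")[0].next_hop)
```

Running the script prints the six installed routes (only one of the three default routes survives) and shows that once the AD-10 static default route disappears, the AD-20 static backup takes over rather than the OSPF-learned default, which is exactly the behaviour the AD comparison is meant to give.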

All we need to configure RIP on this FW is to define the subnets we want to advertise; the FW will advertise on all interfaces if we don't configure any specific interface.

OSPF in FG FW

We will configure OSPF area 0 on these FWs, and the interfaces included in this area will advertise their subnets.

Configure the router ID and area 0.

Again, there is no need to configure the interfaces; the FW will automatically advertise the subnets towards the directly connected FWs.

• get router ospf

BGP in FG FW

We have configured AS 123 on FW1 and AS 456 on FW2. We will form an eBGP neighborship between FW1 and FW4.

While configuring the neighbors, always check the Graceful Restart box for updates.

• get router info bgp network

DHCP

The DORA process (Discover, Offer, Request, Acknowledge) is how a client gets an IP address from a DHCP server.

Here is the widget where we can see the assigned IPs and clients.

We can also create a reservation in DHCP: we bind an IP to the client's MAC address, and the client gets the same IP address every time.

FW as a DHCP client: #get system interface physical.

DHCP Relay

When we have a dedicated DHCP server in our network, the FW can work as a DHCP relay. It forwards the DHCP discover request from one interface to the interface where the server is located.
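The DORA exchange, the MAC-based reservation and the relay described in the DHCP and DHCP Relay sections above can be seen together in one model. The Python below is an added example written for this page, not the FortiGate's DHCP implementation: a small server with two pools, a relay that stamps its own interface address into giaddr so the server knows which pool to use, and a client-side helper that runs Discover/Offer/Request/Ack. The DMZ server placement, the VLAN 10 client segment 192.168.10.0/24, the pool ranges, the reserved MAC and the deliberately tiny two-address range (to show pool exhaustion) are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Pool:
    subnet: str                                   # clients served by this pool
    start: str                                    # first address handed out
    end: str                                      # last address handed out
    gateway: str
    dns: str
    reservations: dict = field(default_factory=dict)   # MAC -> fixed IP (reservation)
    leases: dict = field(default_factory=dict)         # MAC -> IP currently leased


class DhcpServer:
    """Minimal DORA server: messages are dicts with a 'type' and the DHCP fields used here."""

    def __init__(self, pools):
        self.pools = pools

    def _pool_for(self, msg):
        # A relayed message carries giaddr = the relay interface's IP, so the server picks the pool
        # containing it; a directly attached client (giaddr 0.0.0.0) is matched by the receiving
        # interface's own address instead.
        anchor = msg["giaddr"] if msg["giaddr"] != "0.0.0.0" else msg["rx_iface_ip"]
        for pool in self.pools:
            if ipaddress.ip_address(anchor) in ipaddress.ip_network(pool.subnet):
                return pool
        return None

    def _pick(self, pool, mac):
        # Reservation first, then an existing lease, then the lowest free address in the range.
        if mac in pool.reservations:
            return pool.reservations[mac]
        if mac in pool.leases:
            return pool.leases[mac]
        used = set(pool.leases.values()) | set(pool.reservations.values())
        lo, hi = int(ipaddress.ip_address(pool.start)), int(ipaddress.ip_address(pool.end))
        for n in range(lo, hi + 1):
            ip = str(ipaddress.ip_address(n))
            if ip not in used:
                return ip
        return None                                # pool exhausted

    def handle(self, msg):
        pool = self._pool_for(msg)
        if pool is None:
            return None                            # no pool for this segment: ignored
        mac = msg["chaddr"]
        reply = {"chaddr": mac, "giaddr": msg["giaddr"], "router": pool.gateway, "dns": pool.dns}
        if msg["type"] == "DISCOVER":
            ip = self._pick(pool, mac)
            return None if ip is None else {**reply, "type": "OFFER", "yiaddr": ip}
        if msg["type"] == "REQUEST":
            ip = self._pick(pool, mac)
            if ip != msg["requested_ip"]:
                return {**reply, "type": "NAK"}    # asked for an address it may not have
            pool.leases[mac] = ip
            return {**reply, "type": "ACK", "yiaddr": ip}
        return None


class DhcpRelay:
    """FW interface facing the clients: forwards each message to the server with giaddr set to
    its own IP, which is how the server learns which subnet to allocate from."""

    def __init__(self, iface_ip, server):
        self.iface_ip, self.server = iface_ip, server

    def forward(self, msg):
        return self.server.handle({**msg, "giaddr": self.iface_ip})


def dora(mac, send, rx_iface_ip="0.0.0.0"):
    """Run Discover -> Offer -> Request -> Ack through `send` and return the leased IP (or None)."""
    base = {"chaddr": mac, "giaddr": "0.0.0.0", "rx_iface_ip": rx_iface_ip}
    offer = send({**base, "type": "DISCOVER"})
    if offer is None:
        return None
    ack = send({**base, "type": "REQUEST", "requested_ip": offer["yiaddr"]})
    return ack["yiaddr"] if ack and ack["type"] == "ACK" else None


def build_lab_server():
    """Constructed setup: a dedicated server on the DMZ serving its own segment directly and an
    assumed VLAN 10 client segment (192.168.10.0/24) through a relay on the FW. The two-address
    range on the VLAN pool makes the exhaustion case easy to see."""
    dmz = Pool("172.16.1.0/24", "172.16.1.100", "172.16.1.150", "172.16.1.1", "8.8.8.8")
    vlan10 = Pool("192.168.10.0/24", "192.168.10.100", "192.168.10.101", "192.168.10.1", "8.8.8.8",
                  reservations={"00:11:22:33:44:55": "192.168.10.50"})
    return DhcpServer([dmz, vlan10])


if __name__ == "__main__":
    server = build_lab_server()
    relay = DhcpRelay("192.168.10.1", server)
    for mac in ("aa:bb:cc:00:00:01", "00:11:22:33:44:55", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"):
        print(mac, "->", dora(mac, relay.forward))
```

The reserved MAC always ends up on 192.168.10.50 no matter how many other clients came first, a client that renews keeps its lease, and the third ordinary client on the two-address pool gets nothing at all; that last case is worth watching for on a real network, because a silent pool exhaustion looks exactly like a connectivity fault.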

FG NAT/PAT

The above picture represents the concept of source NAT.

For destination NAT, when a public user wants to access a server behind our FW that has a private IP address, we perform DNAT, where we swap the public address for the private address.

Another concept is static NAT, or a 1-to-1 mapping. Dynamic NAT is where we have a pool of public addresses and the FW assigns these IPs dynamically to the clients. PAT is another concept, where we translate many IP addresses to a single IP address, distinguished by port numbers.

We also have the option of centralized NAT instead of specifying the NAT configuration in every single rule, the same as in Palo Alto FWs.

There are two methods for the configuration of NAT.

• Rule by rule in security policy

• Centralized NAT

We have specified the incoming and outgoing interfaces, the source IP address (10.0.0.0/8), and for the destination we have selected any IP address with any service; the action is permit/accept.

For the NAT configuration, we will use the dynamic IP pool (23.1.2.208-23.1.2.209). We can also enable Preserve Source Port, so the translated traffic keeps the same source port the inside client is using.

• get system session list

This gives the list of all sessions running on the firewall.

We need to enable Central SNAT under System > Settings.

• diagnose system session clear

This clears all the sessions running on the FW.

From here, we can configure the central SNAT.

The session for a static one-to-one NAT policy is shown in the picture above.

For one-to-one NAT configuration, we will configure a new IP pool with an IP range and select the type One-to-One.

Destination NAT

We need a virtual IP (VIP) to configure DNAT; in our scenario it will be a public address. Secondly, we need the actual IP address of the physical server.

We also need a policy to allow traffic from outside to the DMZ zone.

A policy has been configured to allow the traffic from outside to the DMZ:

• Incoming Interface > Outside

• Outgoing Interface > DMZ

• Source > All

• Destination > here we will call the virtual IP

• Services > All

• Action > Permit

This was the example of a rule-by-rule DNAT policy; now we will look at central DNAT.

Most importantly, if we're using rule-by-rule SNAT or DNAT, we must disable it first and only then move to central SNAT; otherwise, it will not work.

A policy is defined here to allow the traffic from outside to the DMZ (the DMZ server's actual IP, which is 172.16.1.100).
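The NAT concepts from the FG NAT/PAT section (dynamic pool with PAT, preserve source port, one-to-one NAT) and the VIP-based DNAT policy above can be exercised in one small session model. The Python below is an added example written for this page, not FortiOS code or the page author's configuration: it applies the VIP translation before the policy lookup, matches rule-by-rule policies on interface pair and addresses, performs SNAT from an IP pool, and records each session in the spirit of `get system session list`. The lab's dynamic pool (23.1.2.208-23.1.2.209) and DMZ server (172.16.1.100) are taken from the page; the interface names, the one-to-one pool address 23.1.2.210, the public VIP address 23.1.2.100 and the outside client address are assumptions. Pool addresses are tried in order and the PAT port range starts at 1024, which is this model's choice, not a statement about how the appliance picks ports.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src sport dst dport")    # one direction of a session
Vip = namedtuple("Vip", "name extip mappedip")      # DNAT object: public extip -> real server mappedip
# kind: "overload" = hosts share the pool address(es) and are told apart by port (PAT);
#       "one-to-one" = every inside host gets its own pool address and keeps its ports
IpPool = namedtuple("IpPool", "name start end kind")
# srcaddr is a CIDR or "all"; dstaddr is a CIDR, "all" or a VIP name; preserve_port keeps the
# client's source port when it is still free on the pool address
Policy = namedtuple("Policy", "pid srcintf dstintf srcaddr dstaddr nat ippool preserve_port",
                    defaults=(False, None, True))


def addresses(pool):
    lo, hi = int(ipaddress.ip_address(pool.start)), int(ipaddress.ip_address(pool.end))
    return [str(ipaddress.ip_address(n)) for n in range(lo, hi + 1)]


def _in(addr, spec):
    return spec == "all" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


class Firewall:
    def __init__(self, routes, policies, vips):
        self.routes = routes          # (CIDR, interface) pairs; longest prefix decides the egress
        self.policies = policies      # evaluated top-down, first match wins
        self.vips = {v.name: v for v in vips}
        self.sessions = []            # text lines, in the spirit of `get system session list`
        self.one_to_one = {}          # inside IP -> pool IP for one-to-one pools
        self.pat_ports = {}           # pool IP -> source ports already in use

    def out_intf(self, dst):
        a = ipaddress.ip_address(dst)
        hits = [(ipaddress.ip_network(p).prefixlen, i) for p, i in self.routes if a in ipaddress.ip_network(p)]
        return max(hits)[1] if hits else None

    def _snat(self, flow, pol):
        pool = pol.ippool
        if pool.kind == "one-to-one":
            if flow.src not in self.one_to_one:
                free = [ip for ip in addresses(pool) if ip not in self.one_to_one.values()]
                if not free:
                    return None       # pool exhausted: the session cannot be built
                self.one_to_one[flow.src] = free[0]
            return flow._replace(src=self.one_to_one[flow.src])
        for ip in addresses(pool):    # overload: first pool address with a usable source port
            used = self.pat_ports.setdefault(ip, set())
            keep = pol.preserve_port and flow.sport not in used
            port = flow.sport if keep else next((p for p in range(1024, 65536) if p not in used), None)
            if port is not None:
                used.add(port)
                return flow._replace(src=ip, sport=port)
        return None

    def forward(self, flow, in_intf):
        """DNAT by VIP, then policy lookup (a VIP policy matches on the VIP name), then SNAT.
        Returns the translated flow, or None when the implicit deny or an empty pool drops it."""
        vip = next((v for v in self.vips.values() if v.extip == flow.dst), None)
        after_dnat = flow._replace(dst=vip.mappedip) if vip else flow
        dst_intf = self.out_intf(after_dnat.dst)
        for pol in self.policies:
            if pol.srcintf != in_intf or pol.dstintf != dst_intf or not _in(flow.src, pol.srcaddr):
                continue
            if pol.dstaddr in self.vips:
                if vip is None or vip.name != pol.dstaddr:
                    continue
            elif not _in(after_dnat.dst, pol.dstaddr):
                continue
            out = self._snat(after_dnat, pol) if pol.nat else after_dnat
            if out is not None:
                self.sessions.append(f"policy {pol.pid}: {flow.src}:{flow.sport}->{flow.dst}:{flow.dport}"
                                     f" => {out.src}:{out.sport}->{out.dst}:{out.dport}")
            return out
        return None                   # implicit deny


def build_fw1():
    """Constructed FW1: the lab's dynamic pool (23.1.2.208-209) and DMZ server (172.16.1.100), plus
    an assumed one-to-one pool address (23.1.2.210) and an assumed public VIP address (23.1.2.100)."""
    dyn_pool = IpPool("DynPool", "23.1.2.208", "23.1.2.209", "overload")
    one_pool = IpPool("OneToOne", "23.1.2.210", "23.1.2.210", "one-to-one")
    web_vip = Vip("DMZ-Web", "23.1.2.100", "172.16.1.100")
    routes = [("0.0.0.0/0", "outside"), ("10.0.0.0/8", "inside"), ("172.16.1.0/24", "dmz")]
    policies = [
        Policy(1, "inside", "outside", "10.0.0.0/8", "all", nat=True, ippool=dyn_pool),
        Policy(2, "dmz", "outside", "172.16.1.0/24", "all", nat=True, ippool=one_pool),
        Policy(3, "outside", "dmz", "all", "DMZ-Web"),
    ]
    return Firewall(routes, policies, [web_vip])
```

Two behaviours are worth noticing when you run it. An outside host that addresses the DMZ server by its real 172.16.1.100 address (instead of the VIP) is dropped, because the only outside-to-DMZ policy references the VIP, so the server is reachable only through the published address. And a second host behind a one-address one-to-one pool gets no session at all, while with an overload pool it simply receives a different source port: the exhaustion case is the operational difference between the two pool types.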

Virtual Networking and Trunking

We will configure port 5 as a trunk and create sub-interfaces for VLAN 10, 20, and 30.

We will connect FW1 to a switch; all the SVIs will be configured on the FW for VLANs 23, 123, and 172. Further connectivity will then be established through this switch towards the external router, FW2, FW3 and the DMZ server.

To create a VLAN interface, go to Network > Interface, click Create New and then Interface.

We have also configured a DHCP server on this VLAN. Using the same method, we will configure all the SVIs on the FW.

After creating these VLANs, make sure all the routes, policies and NAT rules reference the correct interfaces along with the IP addresses. By migrating from L3 interfaces to SVIs, we can easily migrate our services from the VM FW to the actual hardware appliance.
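What a trunk port with VLAN sub-interfaces actually does to each frame can be shown with a short parser. The Python below is an added example for this page, not FortiOS code: it reads the 802.1Q tag of a frame arriving on the trunk and decides which logical interface (and therefore which routes and policies) the frame belongs to. The sub-interface names vlan10/vlan20/vlan30 and the sample MAC addresses are assumptions; the VLAN IDs 10, 20 and 30 on port 5 come from the page.

```python
import struct

TPID_8021Q = 0x8100            # EtherType that announces an 802.1Q tag

# Assumed VLAN interfaces created on the trunk port, keyed by VLAN ID (the page creates
# sub-interfaces for VLAN 10, 20 and 30 on port 5; the interface names are made up here).
SUBINTERFACES = {10: "vlan10", 20: "vlan20", 30: "vlan30"}


def build_frame(dst_mac, src_mac, payload, vid=None, pcp=0, ethertype=0x0800):
    """Constructed test input: an Ethernet frame, 802.1Q-tagged when vid is given."""
    header = dst_mac + src_mac
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)
        header += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        header += struct.pack("!H", ethertype)
    return header + payload


def classify(frame, trunk="port5", subifs=SUBINTERFACES):
    """Decide which logical interface a frame received on the trunk belongs to.

    Returns (interface, ethertype, payload). Untagged and priority-tagged (VID 0) frames belong
    to the parent port; tagged frames go to their VLAN sub-interface; a tag for a VLAN that has
    no sub-interface yields interface None, i.e. the frame is dropped instead of being handled
    under the parent port's routes and policies."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return trunk, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    if vid == 0:
        return trunk, inner_type, frame[18:]
    return subifs.get(vid), inner_type, frame[18:]


if __name__ == "__main__":
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")   # constructed MACs
    for vid in (None, 10, 20, 30, 99):
        print(vid, "->", classify(build_frame(dst, src, b"payload", vid=vid))[0])
```

The point for the migration step above is visible in the last line of output: a frame tagged with a VLAN that has no sub-interface lands nowhere, so a policy or route still written against the old physical interface never sees it.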

Physical HW appliance of FG: the default IP on FW port 1 is 192.168.1.99.

To reset the HW appliance: execute factoryreset. The username is admin with no password.

We have configured the MGMT IP on FW1. A built-in switch is already present in the FW; it only has one port at this time, but by default we can see all ports in this switch.

We're configuring the VLAN interface on the FW. Select the interface; we have specified the alias Trunk on port 5.

Also configure the default route towards the next hop (the outside router). A policy and a central SNAT rule should also be configured to allow the inside traffic to reach the outside world.

Make sure we have enabled Log Traffic on the implicit deny rule so we can have a hit count for this rule.