Posts

Showing posts from March, 2021

Ironport (ESA) interface and listener

The appliance has physical interfaces (Data 1, Data 2 and Management). Some models, such as the C160, have only Data 1 and Data 2. On top of the physical interfaces you create IP interfaces, which are logical interfaces; a single physical interface can carry more than one IP interface. For example:

    esalab.cisco.com> interfaceconfig

    Currently configured interfaces:
    1. InternalNet (10.97.14.35/24 on Data 1: esalab.cisco.com)
    2. Management (192.168.42.42/24 on Data 2: ironport.example.com)
    3. SecondLogicInterface (10.97.14.36/24 on Data 1: esa.cisco.com)

Here the IP interfaces named "InternalNet" and "SecondLogicInterface" are both bound to the Data 1 physical interface. On the single logical interface "InternalNet" I then have two listeners, one for inbound mail and one for outbound mail:

    esalab.cisco.com> listenerconfig

    Currently configured listeners:
    1. IncomingMail (on InternalNet, 10.97.14.35) SMTP TCP Port 25 Public
    2. OutgoingMail (on InternalNet, 10.97.14.35) SMTP TCP Port 2525 Private

Ironport ESA Cluster

1. What is an ESA cluster
A cluster consists of a set of machines with common configuration information. Within each cluster, the appliances can be further divided into machine groups, where a single machine can be a member of only one group at a time. Clusters are implemented in a peer-to-peer architecture, with no primary/secondary relationship. You may log into any machine to control and administer the entire cluster or group. This allows the administrator to configure different elements of the system on a cluster-wide, group-wide, or per-machine basis, based on their own logical groupings.

2. Requirements
2.1 All appliances must run the same AsyncOS version.
2.2 Cluster communication uses either port 22 (SSH) or port 2222 (the Cluster Communication Service, CCS).

3. Create the cluster
3.1 On the first appliance:
    ironport.lab> clusterconfig
Choose "Create a new cluster", give the cluster a name, and choose SSH on the management interface or CCS on port 2222 on another interface.
3.2 On the second appliance:
    ironport.lab> clusterconfig
Choose join an

Fortigate User and Authentication

=======Active Authentication==========
1. Local users and groups
2. Server-based password authentication
   Create a local user account and specify the remote server that verifies the password.
   Create a Firewall-type group and add local users to it, or map it to a remote LDAP group.
3. MFA
   Two free FortiToken Mobile tokens are included.
   User & Authentication > FortiTokens
   For an administrator, assign a token to the administrator account; an email containing a barcode is sent out. Open the FortiToken Mobile app and scan the barcode.

User group types:
   Firewall
   Guest - wireless guest
   FSSO  - AD/LDAP
   RSSO  - RADIUS

Protocols that trigger active authentication: HTTP/HTTPS/FTP/Telnet.
Active authentication is intended to be used as a backup when passive authentication fails.

========Passive Authentication==========
1. FSSO and DC agent
This is used to get the user/IP mapping from AD, so the firewall knows which user owns a session.
   Domain Controller (DC) agent
   Citrix/Terminal Server (TS) agent
   Collector agent (CA)
FSSO modes:
# DC mode: DC Agent is installed on each domai

Fortigate Concept

1. Virtual IP
Mapping a specific IP address to another specific IP address is usually called Destination NAT (DNAT). When the central NAT table is not used, FortiOS calls this a Virtual IP (VIP). A DNAT, or VIP, maps an external IP address to an internal IP address or address range. The mapping can cover all TCP/UDP ports or, if port forwarding is enabled, only the specific configured ports. Because the central NAT table is disabled by default, the term VIP is usually used. VIPs are typically used to NAT external or public IP addresses to internal or private IP addresses.

2. Profile-based NGFW vs policy-based NGFW
Profile-based mode is the traditional mode where you create a profile (antivirus, web filter, and so on) and then apply the profile to a policy. In policy-based NGFW mode, you allow applications and URL categories to be used directly in security policies, without requiring web filter or application control profiles. In policy-based mode: Central NAT is
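As an added example (not from the original post), this is the FortiOS CLI for the port-forwarding VIP described in item 1 together with the firewall policy that references it. The public address 203.0.113.10, the server 10.10.10.20, the interface names wan1/dmz and the object names are assumptions for illustration; the form assumes central NAT is disabled, the default mentioned above.

```text
# Added example: a port-forwarding VIP (DNAT) and the policy that uses it.
# Addresses, interface names and object names are assumed for illustration.
config firewall vip
    edit "vip-web-443"
        # public address on wan1 (assumed)
        set extip 203.0.113.10
        set extintf "wan1"
        # with portforward enabled only extport is mapped; without it
        # every TCP/UDP port on 203.0.113.10 would be forwarded to the server
        set portforward enable
        set protocol tcp
        set extport 443
        # internal web server (assumed), listening on 8443
        set mappedip "10.10.10.20"
        set mappedport 8443
    next
end

config firewall policy
    edit 10
        set name "inbound-web"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        # the destination is the VIP object, not the real server address
        set dstaddr "vip-web-443"
        set action accept
        set schedule "always"
        # the service matches the external port (443), not the mapped port
        set service "HTTPS"
        set logtraffic all
        # DNAT only: do not source-NAT the inbound flow
        set nat disable
    next
end
```

The check a practitioner wants here is the difference between the two VIP forms: with "set portforward enable" the exposed surface on 203.0.113.10 is one TCP port, whereas a plain one-to-one VIP exposes every port the server answers on. Keep the policy's service as narrow as the VIP's extport.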

Fortigate Setup

Entry-level models use port1 as the LAN port; mid-range and high-end models have a dedicated MGMT interface. The default management IP is 192.168.1.99, user admin with a blank password.

Administrator profiles:
   super_admin - full access to the device globally
   prof_admin  - full access to a VDOM but not globally (VDOM admin)

FortiGuard
1. Package updates: antivirus and IPS (update.fortiguard.net)
2. Live queries: web filter, DNS filter, antispam
   service.fortiguard.net  -- proprietary protocol on UDP 53 or 8888
   securewf.fortiguard.net -- HTTPS over 443, 53, or 8888

FortiGate-VM virtual appliance evaluation license
The FortiGate-VM virtual appliance includes a limited 15-day evaluation license. Check it with:
   diag debug vm-print-license
After the license expires:
   exe factoryreset    (full factory reset)
   exe factoryreset2   (keeps VDOM, interface and route settings)
The evaluation license supports:
   1 CPU maximum
   1024 MB memory maximum
   Low encryption only (no HTTPS administrative access; 7.2 allows HTTPS access)
   All features except FortiG

ASA multi-context failover (Active/Active)

1. Change both ASAs to multiple-context mode
    ciscoasa(config)# mode multiple

2. Configure failover
2.1 On the primary unit:
    failover lan unit primary
    failover lan interface FO Ethernet2
    failover link FO Ethernet2
    failover interface ip FO 172.16.1.1 255.255.255.0 standby 172.16.1.2
2.2 On the secondary unit:
    failover lan unit secondary
    failover lan interface FO Ethernet2
    failover link FO Ethernet2
    failover interface ip FO 172.16.1.1 255.255.255.0 standby 172.16.1.2

3. Configure the failover groups on the primary unit
Make group 1 active on the primary unit and group 2 active on the secondary unit, with a preempt delay of 60 seconds (1 minute):
    failover group 1
      primary
      preempt 60
    failover group 2
      secondary
      preempt 60

4. Enable failover on both units
    ciscoasa(config)# failover
From now on failover is up, and configuration continues on the active ASA.

5. Create a resource class:
    class gold
      limit-resource VPN Other 3
      limit-resource ASDM 5
      limit-resource SSH 5
      limit-resource Telnet 5
      limit-resource Mac-
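Added example, not part of the original post: once the failover groups and the resource class exist, contexts are defined in the system execution space and each one joins exactly one failover group. That membership is what makes the pair active/active, because group 1 is active on the primary unit and group 2 on the secondary. The context names, the config-url paths and the interface names Ethernet0, Ethernet1, Ethernet3 and Ethernet4 are assumptions; Ethernet2 stays the failover link from step 2.

```text
! Added example (not from the original post). Context names, config-url
! paths and data interface names are assumed; Ethernet2 remains the
! failover link. Entered in the system execution space on the active unit.
!
! The admin context must be declared before any other context. It is
! always a member of failover group 1 and shares Ethernet0 with ctxA
! (sharing an interface between contexts is allowed in multiple mode).
admin-context admin
context admin
  allocate-interface Ethernet0
  config-url disk0:/admin.cfg
!
! Context A: uses the "gold" class from step 5, active on the primary unit.
context ctxA
  allocate-interface Ethernet0 inside_A
  allocate-interface Ethernet1 outside_A
  config-url disk0:/ctxA.cfg
  member gold
  join-failover-group 1
!
! Context B: same class, active on the secondary unit via group 2.
! A context not explicitly joined to a group belongs to group 1.
context ctxB
  allocate-interface Ethernet3 inside_B
  allocate-interface Ethernet4 outside_B
  config-url disk0:/ctxB.cfg
  member gold
  join-failover-group 2
!
! Verify that each unit shows one group Active and the other Standby Ready:
show failover
```

The caveat to check after this is "show failover": if both groups report Active on the same unit, the secondary has not taken its group yet (the 60-second preempt delay from step 3) or the secondary was never told "failover lan unit secondary".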