Posts

Showing posts from August, 2021

GetVPN

1. Topology

2. Overview
GETVPN runs over a private IP transport. It is tunnel-less: IPsec tunnel mode with header preservation copies the original IP header onto the encrypted packet, so the transport network routes it exactly as it routed the cleartext.

3. Basic architecture
Step 1: Group Members (GMs) register with the Key Server (KS) via GDOI.
   - The KS authenticates and authorizes each GM.
   - The KS pushes down the set of IPsec SAs (group keys and policy) the GM will use.
Step 2: Data plane encryption
   - GMs exchange encrypted traffic using the shared group keys; because every GM holds the same keys, any GM can decrypt any other GM's traffic without a pairwise SA.
   - Traffic is forwarded in IPsec tunnel mode with header preservation.
Step 3: Periodic rekey
   - The KS pushes out replacement IPsec keys before the current keys expire; this is called a rekey.

4. GETVPN deployment
4.1 On the KS, generate RSA keys; they are required for rekey authentication.
   - RSA public key distribution from KS to GM:
     - The public key is sent to the GM at GDOI registration.
     - Rekeys are signed with the private key of the KS, and the GM verifies the signature on each rekey with the public key of the KS.
   - Exporting the RSA key between KSs:
     - One of the KSs in the redundancy group should generate the ex

Fortigate Proxy

Explicit proxy
1. Enable the explicit web proxy and select the interface it listens on.
2. Create an authentication scheme: form-based, FSSO, RSSO, NTLM, etc.
3. Create an authentication rule: specify the source IP and link the scheme to it.
4. Create proxy policies: Type: Explicit Web, Server: webproxy.
5. Configure the client's browser to use the proxy.

Transparent proxy
1. Create regular firewall policies and enable http-policy-redirect on them (CLI only).
2. Create an authentication scheme and rule.
3. Create proxy policies: Type: Transparent Web, Server: webproxy.

Fortigate SDWAN

1. Configure the WAN interface IP addresses and remove every other configuration that references those interfaces; the Ref. count of each interface must show 0 before it can be added as an SD-WAN member.
2. There is a default SD-WAN zone called "virtual-wan-link" (older versions called it the SD-WAN interface). Navigate to Network > SD-WAN Zones, then Create New > SD-WAN Member.
   Verification: Network > SD-WAN Zones
   Verification: Network > Interfaces
3. (optional) Set the SD-WAN load balancing mode (SD-WAN Implicit Rules).
4. Set the default route using the SD-WAN interface.
5. Add a firewall policy.
6. Verify routing:
   Local-FortiGate # get router info routing-table all
   ...
   Routing table for VRF=0
   S*      0.0.0.0/0 [1/0] via 10.200.1.254, port1
                     [1/0] via 10.200.2.254, port2
   C       10.0.1.0/24 is directly connected, port3
   Dashboard > Network > Routing
7. Create SD-WAN rules. Strategies:
   Manual: manually assign the outgoing interfaces.
   Best Quality: the interface with the best measured performance is selected.
   Lowest Cost (SLA): the interface that meets SLA targets

Fortigate link monitor (CLI only)

Link monitor removes only static and policy routes through a failed gateway, not the directly connected route. One monitor per WAN link, using the same gateways as in the SD-WAN post above (the second entry originally had srcintf port1 with the port2 gateway; corrected to port2 here):

FortiGate # config system link-monitor
FortiGate (link-monitor) # edit 1
new entry '1' added
FortiGate (1) # set srcintf port1
FortiGate (1) # set gateway-ip 10.200.1.254
FortiGate (1) # set server 4.2.2.1
FortiGate (1) # set protocol ping
FortiGate (1) # set update-static-route enable
FortiGate (1) # end

FortiGate # config system link-monitor
FortiGate (link-monitor) # edit 2
new entry '2' added
FortiGate (2) # set srcintf port2
FortiGate (2) # set gateway-ip 10.200.2.254
FortiGate (2) # set server 4.2.2.2
FortiGate (2) # set protocol ping
FortiGate (2) # set update-static-route enable
FortiGate (2) # end

Each monitor pings its server through the named gateway; when the probe fails, update-static-route withdraws the static route via that gateway so traffic fails over to the other route.

FortiGate # show system link-monitor
config system link-monitor
    edit "1"
        set srcin

Switch SSH using ISE TACACS

! define the ISE server
tacacs server ISE
 address ipv4 x.x.x.x
 key *******
!
! If you don't define an AAA server group for ISE, the server defined above is added
! automatically to the default TACACS+ group, called tacacs+. The default keyword in the
! AAA commands below refers to that group.
aaa new-model
aaa authentication login default group tacacs+ local
! NOAUTH is a method list with no authentication at all; apply it only to a line where
! that is intended, never to the VTY lines.
aaa authentication login NOAUTH none
!
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa authorization config-commands
!
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! When the default keyword is used in the AAA commands above, you don't need to specify AAA in the line VTY configurat

802.1x - EAP-FAST

EAP-FAST is a Cisco-proprietary EAP authentication method. It is a flexible method that allows mutual authentication of a supplicant and a server. It is similar to EAP-PEAP, but typically does not require client or even server certificates.
One advantage of EAP-FAST is the ability to chain multiple authentications (using multiple inner methods) and bind them together cryptographically (EAP chaining). Cisco implementations use this for combined user and machine authentication.
EAP-FAST supports PAC-less and PAC-based conversations. A PAC-based conversation consists of PAC provisioning followed by PAC-based authentication. PAC provisioning can take place over an anonymous or an authenticated TLS session.
- The outer identity can be faked: it is typically "anonymous" and is never authenticated.
- The PAC (Protected Access Credential) is used to establish the protected tunnel in which the real credential is authenticated.
- The PAC is a shared secret between the supplicant and the authentication server.
- The authentication server creates a PAC for each supplicant, using the username and a server-private secure key.
- The PAC uses symmetric encryption.
- PAC is basic

Fortigate NAT and session

1. Firewall policy SNAT
   Only available in NGFW profile-based mode; for simple NAT deployments.
2. Central SNAT
   Can be enabled in NGFW profile-based mode; NGFW policy-based mode supports only central SNAT.
   Used in complex NAT deployments; gives more granular control over NAT.
3. Virtual IP (DNAT), from the Internet to an internal server
   When central SNAT is disabled, the firewall policy references the VIP object as its destination.
   When central SNAT is enabled, the firewall policy references the server's real IP as its destination.
   When a VIP is created for a server, outbound traffic initiated by that server is translated as follows:
   - If the VIP has no port forwarding, an inbound firewall policy referencing the VIP exists, and the outbound policy's NAT uses the outgoing interface address as SNAT, the VIP address is used as the translated source IP; if the outbound policy's NAT uses an IP pool instead, the pool address is used.
   - If the VIP has port forwarding, the outgoing interface address is used as the translated source IP.
   A virtual IP is not an address object. To enable central NAT, references to VIPs and IP pools in firewall policies must first be removed. Without removin

Fortigate Certificate and SSL Decryption

SSL certificate inspection:
   Uses the SNI, the certificate subject (CN) or the SAN; it can only do web filtering (URL category), not content inspection.
   With SSL certificate inspection the TLS handshake is not interrupted. The FortiGate reads the server name from the ClientHello SNI, or the CN/SAN of the server certificate. That gives it a hostname (not a full URL) to check against its category database, but the encrypted application data is never read. In TLS 1.3 the server certificate is itself encrypted, so the SNI is the only plaintext name available.
   Two local CA certificates are used for SSL inspection:
   Fortinet_CA_SSL (re-signs certificates of servers whose certificate chain is trusted)
   Fortinet_CA_Untrusted (re-signs untrusted server certificates, so the browser still warns)
   List all local certificates:
   show vpn certificate local
   There is a preconfigured SSL certificate inspection profile (certificate-inspection).
   SSL exemptions can be added by reputation, category or address.
SSL decryption for outbound traffic
   Two default SSL/SSH inspection profiles:
   -- read-only "deep-inspection"
   -- "custom-deep-inspection"
SSL decryption for inbound traffic

Palo Alto Security Policy and NAT Policy

1. Security policy: match on the pre-NAT (original) destination IP and the post-NAT destination zone.
   Example: allowing access from the Internet to the DMZ server 10.10.10.10 (public, NATed IP 203.0.22.10)
   Security policy:
     source zone: Untrust
     destination zone: DMZ
     source IP: any
     destination IP: 203.0.22.10
2. Destination NAT: the destination zone is the zone of the public IP, i.e. where the original destination is routed before translation.
   Example: access to public IP 203.0.22.10 on port 80 is translated to DMZ IP 10.10.10.10 on port 80
   DNAT policy:
     source zone: Untrust
     destination zone: Untrust
     original destination address: 203.0.22.10
     translated destination address: 10.10.10.10
3. Security policy for connections that terminate on the firewall itself: use the untrusted zone as the destination zone.
   Security policy:
     source zone: Untrust
     destination zone: Untrust
     source IP: any
     destination IP: firewall public IP
Destination NAT does not apply to traffic initiated from the server.
Source NAT with bi-directional enabled means an implicit (invisible) destination NAT rule is created for the reverse direction.
DIPP NAT oversubscription
Dynamic IP address support for destination NAT (session distribution / load balancing? to verify)
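The evaluation order behind points 1 to 3 above, as an added Python model that is not Palo Alto code and not part of the original post: NAT rules match on the original addresses and the pre-NAT zones, the destination is then translated, and the security policy is matched on the original (pre-NAT) destination address but the post-NAT destination zone derived from a route lookup. The routing table, the firewall's own address 203.0.22.1, the rule names and the port numbers are assumptions for the example; it also encodes the bi-directional source NAT rule as an implicit reverse DNAT, which is how the post describes it.

```python
"""Model of PAN-OS policy evaluation order (added example, not Palo Alto code): NAT rules match on
the ORIGINAL (pre-NAT) addresses and pre-NAT zones; the security policy then matches on the pre-NAT
addresses but the POST-NAT zones. Topology, zones, IPs and rule names are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed routing table used to derive a zone from an IP (zone = zone of the egress interface).
ROUTES = [("10.10.10.0/24", "DMZ"), ("203.0.22.0/24", "Untrust"), ("0.0.0.0/0", "Untrust")]
FW_PUBLIC_IP = "203.0.22.1"  # assumed address of the firewall's own Untrust interface


def zone_for(ip: str) -> str:
    """Longest-prefix match over ROUTES; this is what turns an IP into a zone."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, zone in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1]


@dataclass
class NatRule:
    name: str
    src_zone: str            # "any" or a zone
    dst_zone: str            # zone of the ORIGINAL destination (pre-NAT)
    orig_dst: str
    translated_dst: str
    dport: Optional[int] = None


@dataclass
class SecRule:
    name: str
    src_zone: str
    dst_zone: str            # POST-NAT zone
    dst_ip: str              # "any" or the PRE-NAT destination address
    action: str


def implicit_dnat_from_bidirectional_snat(name, src_zone, dst_zone, orig_src, translated_src):
    """A static source NAT with bi-directional enabled behaves as if a reverse DNAT rule existed.
    Modelled here as: any source zone, the SNAT rule's destination zone, translated_src -> orig_src."""
    return NatRule(name + "-implicit-dnat", "any", dst_zone, translated_src, orig_src)


def match_nat(pkt, nat_rules):
    for r in nat_rules:
        if (r.src_zone in ("any", pkt["src_zone"])
                and r.dst_zone == zone_for(pkt["dst_ip"])       # pre-NAT zone of the original destination
                and r.orig_dst == pkt["dst_ip"]
                and (r.dport is None or r.dport == pkt["dport"])):
            return r
    return None


def evaluate(pkt, nat_rules, sec_rules):
    """Returns (action, matched security rule, matched NAT rule, post-NAT destination)."""
    nat = match_nat(pkt, nat_rules)
    post_nat_dst = nat.translated_dst if nat else pkt["dst_ip"]
    post_nat_zone = zone_for(post_nat_dst)                       # security policy sees the POST-NAT zone
    for s in sec_rules:
        if (s.src_zone == pkt["src_zone"] and s.dst_zone == post_nat_zone
                and s.dst_ip in ("any", pkt["dst_ip"])):         # ...but the PRE-NAT address
            return s.action, s.name, nat.name if nat else None, post_nat_dst
    return "deny", "interzone-default", nat.name if nat else None, post_nat_dst


# Rules as written in the post: port 80 to the DMZ server, and traffic that terminates on the firewall.
NAT_RULES = [NatRule("dnat-web", "Untrust", "Untrust", "203.0.22.10", "10.10.10.10", 80)]
SEC_RULES = [
    SecRule("allow-web-to-dmz", "Untrust", "DMZ", "203.0.22.10", "allow"),   # pre-NAT IP, post-NAT zone
    SecRule("allow-to-firewall", "Untrust", "Untrust", FW_PUBLIC_IP, "allow"),
]
WRONG_RULE = SecRule("wrong-uses-real-ip", "Untrust", "DMZ", "10.10.10.10", "allow")  # never matches


def web_from_internet():
    return evaluate({"src_zone": "Untrust", "dst_ip": "203.0.22.10", "dport": 80}, NAT_RULES, SEC_RULES)


def ssh_from_internet():
    # the DNAT rule is port-80 only, so nothing is translated and the post-NAT zone stays Untrust
    return evaluate({"src_zone": "Untrust", "dst_ip": "203.0.22.10", "dport": 22}, NAT_RULES, SEC_RULES)


def ike_to_firewall():
    return evaluate({"src_zone": "Untrust", "dst_ip": FW_PUBLIC_IP, "dport": 500}, NAT_RULES, SEC_RULES)


def web_with_wrong_rule():
    return evaluate({"src_zone": "Untrust", "dst_ip": "203.0.22.10", "dport": 80}, NAT_RULES, [WRONG_RULE])


def inbound_via_bidirectional_snat():
    # static SNAT DMZ->Untrust 10.10.10.10 -> 203.0.22.10 with bi-directional: inbound hits the implicit DNAT
    dnat = implicit_dnat_from_bidirectional_snat("snat-dmz-server", "DMZ", "Untrust", "10.10.10.10", "203.0.22.10")
    return evaluate({"src_zone": "Untrust", "dst_ip": "203.0.22.10", "dport": 443}, [dnat], SEC_RULES)


if __name__ == "__main__":
    for fn in (web_from_internet, ssh_from_internet, ike_to_firewall, web_with_wrong_rule,
               inbound_via_bidirectional_snat):
        print(f"{fn.__name__:32} -> {fn()}")
```

The `WRONG_RULE` case is the mistake the post warns against: a security rule written with the server's real address 10.10.10.10 never matches, because the packet the policy engine evaluates still carries the original destination 203.0.22.10. The port-22 case shows the other half of the trap: with no matching NAT rule the destination zone is still Untrust, so a DMZ-zone rule cannot match either.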

Fortigate CLI

show is about configuration; get is about status.
Filter output with grep. grep -f greps per configuration section (it prints the whole enclosing section as context) and marks the matched word with an arrow "<----".
   show full-configuration system interface <port>
   show system interface <port>
Ping options:
   execute ping-options ?
   execute ping-options adaptive-ping <enable|disable>
   execute ping-options data-size <bytes>
   execute ping-options df-bit {yes | no}
   execute ping-options pattern <2-byte_hex>
   execute ping-options interface <auto | interface_name>
   execute ping-options interval <seconds>
   execute ping-options repeat-count <repeats>
   execute ping-options source {auto | <source-intf_ip>}
   execute ping-options timeout <seconds>
   execute ping-options tos <service_type>
   execute ping-options ttl <hops>
   execute ping-options validate-reply {yes | no}
   execute ping-options view-settings
   execute ping-options use-sdwan <yes | no>
   execute ping-options reset
1. get r