NSE4_FGT-6.4 Fortinet NSE 4 – FortiOS 6.4 – FortiGate Firewall V6.4 Part 20
April 30, 2023

63. Lecture 63: FortiGate Active Authentication (AD)

The basic setup is done. We created the Active Directory, enabled the domain, configured DNS and enabled DHCP, so everything is ready. First of all we will do active authentication. In active authentication the firewall prompts the user for a username and password whenever the user wants to access a resource or go to the internet. This is called active authentication. So how do we do it? We have the same topology we configured in the last lab. Inside we are using the 1 subnet, the DMZ is the 2 subnet, and outside is the 100 subnet; the Active Directory server is at 192.168.1.200. The PCs get their IP addresses automatically. But before we can use the Active Directory users we created in the last lab (the HR group, the Sales group and four users), we first need to integrate the firewall with this Active Directory at 192.168.1.200. So come to the firewall and let's integrate them. Go to User & Device > LDAP Servers. LDAP here is nothing but Active Directory. Nothing is there yet, so click Create New and give it any name; I will call it AD. The Active Directory IP we know: 192.168.1.200. Then comes the server port.

It is using port 389. Then there is the Common Name Identifier and the Distinguished Name, which we will fill in, and then the Bind Type, which has three options. For the Common Name Identifier, the attribute used for Active Directory is sAMAccountName. Whenever you search for how to integrate Active Directory over LDAP you will find this attribute; it is Microsoft's convention, and it has to be typed exactly like this, with the same lower case and upper case letters, so let me copy it. That is the Common Name Identifier. Now the three bind types. Anonymous can be used if your Active Directory spans different branches and anonymous search is enabled on it. Regular is for the case where you have different branches but anonymous search is not allowed, so the firewall binds with credentials and then searches. The third one, Simple, is a bind without search.

In those two cases you have different branches and are using Active Directory across them: if anonymous search is enabled, use Anonymous; if it is not enabled, use Regular. Simple is for a single branch. In our case Simple is the best one, but we can use Regular as well; it's okay. So first the Common Name Identifier, sAMAccountName. Then the Distinguished Name, which is written with DC entries: our domain name was test.lab, remember, so the Distinguished Name is DC=test,DC=lab. Then the username we log in to the domain controller with, administrator, and its password, which we set as abc@12345. Click the eye icon so you can see the password. Oh, it's typed wrong; it's better to show the password while typing, otherwise you won't notice a typo and it will not work.

It also will not work if you enable Secure Connection here without setting it up, because then a certificate is needed, and different certificates can be used; that is for securing the integration with Active Directory. We are not using a secure connection to authenticate, just simple, unsecured LDAP. Test Connectivity: it says invalid credentials, so something is wrong. Let me check the administrator username and test connectivity again. Now it says LDAP is not reachable. Let me browse for the Distinguished Name; it's not coming, LDAP is not reachable. Let's try Simple and see if we can connect; no, so something is wrong. Let me clear the password and type abc@12345 again; administrator is correct. Try again: invalid credentials. So maybe I typed something wrong. The administrator username is correct and abc@12345 is the password, but it still says invalid credentials for 192.168.1.200. Let me ping from the firewall to see whether it is reachable: execute ping 192.168.1.200. Yes, it's reachable, so reachability is not the issue. What else can it be? Okay, it's better to type the username together with the domain, test.lab; sometimes that is the issue. This time it's successful. Now if you browse for the Distinguished Name it comes up automatically: DC=test,DC=lab. So either type it yourself or pick it from here. I use Regular. Again, there are three methods: Simple if you are using the directory for one branch, Anonymous for many branches when anonymous search is allowed, and Regular for many branches when anonymous search is not allowed. Then there is the Secure Connection option, and here you can test connectivity. So it's okay.

Then you can click OK. You can also test a user. We have the HR user hr1, with password 123; test it. It says successful, but with a user credential error; there shouldn't be an error. Type the user with the domain, test.lab, and now the connection is successful. Successful, but the user credentials are reported wrong? We have hr1, and the other one is sale1 with password 123. Let's test that one. So the connection is okay; maybe the user is not joined yet, that's why. So you can test users as well if you want. Now it's okay, press OK, and the Active Directory is joined. It was so simple. My Active Directory server name is AD, this is the server IP, the port, the Common Name Identifier sAMAccountName and the Distinguished Name, and References shows that nobody is using this Active Directory right now. If you want to delete, clone or edit it, you come back here. So the integration is done. Now, how do we call the users?

We have the users we created on the domain controller. LDAP is done, so now go to User & Device > User Definition. Last time we created a local user here, but this time we don't need a local user. Instead click User Groups: we have groups on the Active Directory, so why call users one by one when we can call the group? Click User Groups and Create New. These names don't have to be the same as on the Active Directory, where we have group HR and group Sales. Suppose I name this one HR group; I can give it any other name. The type should be Firewall (the other type we will do a bit later). Under Remote Groups click Add, choose the remote server AD that we just integrated, and search for the group you want to map here; the group is HR, so right-click HR, Add Selected and OK. So my local user group is displayed as HR group, but behind the scenes it is mapped to the Active Directory group HR, which has two users. Press OK. Now there is the other group we created.

Let me give this one the same name, Sales, to show that the names can be the same or different. The type should be Firewall. Click Add, choose the Active Directory server you just integrated, search for the group you want to map, right-click that group, Add Selected and OK. It shows here; press OK, and two groups are integrated. This way you integrate all of them. If I go to LDAP Servers now it shows four references, because we integrated two groups and every group has two users. Now it's done and I can use the Active Directory groups inside my policies. Go to Policy & Objects > IPv4 Policy. There is only the default rule. Click Create New. This rule is from DMZ to WAN: the traffic comes in on DMZ and goes out on WAN. For the source you can use all, or create your own subnet. Remember, my DMZ zone is 192.168.2.0, so let me create an address DMZ subnet, give it any color, and put the subnet 192.168.2.0/24. I am showing you the real-world way, which is why I want to make it more restrictive: rather than all, it's better to restrict the source to the DMZ subnet. Then the source user: which group, HR group or Sales? It's up to you which group can come from here; I say both. The destination can be anything (all), they can go anywhere on the internet, the schedule is always and the service is ALL. We already discussed the rest: action ACCEPT, flow-based inspection, NAT enabled, and no security profiles, which I don't want to apply here. OK. But this rule was created from DMZ to the internet; what about the LAN? For that I need to create another rule.

Create a new rule, this time LAN to WAN: the users come from LAN and go to WAN. For the source I could put all, but it's better to create an address like the last one; that is the best way to do it. So LAN subnet (you can allow a single IP as well if you want), give it any color, and the subnet 192.168.1.0/24. Yes, this is the LAN subnet. So the source is LAN subnet, the users are HR and Sales, and they can go anywhere. We already discussed restrictions, services, NAT and policies in the other sessions. OK, so now there are two policies with the user groups called; without a user they cannot go, and the users are pulled from Active Directory. The last thing is to test them. In Log & Report you will see the user in the forward traffic logs; anyway, we will see the logs later on. Now let's test from the DMZ PC and generate some traffic to go outside, to see whether I can go or not. Choose the other account: the PC login is user and the password is test123; I told you, the systems use user with password test123. Okay, now I'm logged in.
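The same LDAP server, user group, address and policy configuration in the FortiOS CLI, as an added example rather than the lecture's own commands; the interface names dmz and wan1, the UPN form of the bind username, the CN=Users container in the group DN and the object names are assumptions, and the password is a placeholder. The lines starting with # are comments, as in a FortiOS configuration backup.

```fortios
# LDAP server object (what the GUI creates under User & Device > LDAP Servers)
config user ldap
    edit "AD"
        set server "192.168.1.200"
        set cnid "sAMAccountName"
        set dn "DC=test,DC=lab"
        set type regular
        set username "administrator@test.lab"
        set password "<ADMIN-PASSWORD-PLACEHOLDER>"
        set secure disable
    next
end
# Firewall-type user group mapped to the remote AD group HR; the Sales group
# is defined the same way. The group DN assumes the default Users container.
config user group
    edit "HR-group"
        set member "AD"
        config match
            edit 1
                set server-name "AD"
                set group-name "CN=HR,CN=Users,DC=test,DC=lab"
            next
        end
    next
end
# Address object for the DMZ subnet and the policy that calls both groups;
# the LAN-to-WAN policy is identical with LAN-subnet 192.168.1.0/24 on the LAN interface
config firewall address
    edit "DMZ-subnet"
        set subnet 192.168.2.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "DMZ-to-WAN-auth"
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "DMZ-subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "HR-group" "Sales"
        set nat enable
    next
end
# CLI equivalents of Test User Credentials and the Firewall User Monitor:
# diagnose test authserver ldap AD hr1 123
# diagnose firewall auth list
```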

Let me generate some traffic from here. I already got an IP from DHCP; let me check: I have 192.168.2.1, the default gateway is there, and the DNS is there too. Now look: it says open network login page. I cannot go yet; it asks for user credentials, and only after authentication can I go. We have hr1, because I allowed both groups on this subnet. hr1, password 123, Continue. Then this PC can go to the internet: it is authenticated, and after that it redirects me. Now I am registered and I can go to any website from here, Facebook, Twitter, anything. So I go to facebook.com, or bbc.com, whatever you want. Yes, Facebook is open. But how do I know it's working? We can verify from the firewall, and there are many places to check. There is Log & Report, and there is another way, Monitor, where there is Firewall User Monitor. If I click Firewall User Monitor, hr1 is logged in; yes, only one user, because we tested only one. You can also check the Forward Traffic logs if you want: we visited Facebook, so it will be shown there after a while. And in FortiView > All Sessions it should be shown as well, and it should show the user too.

192.168.2.1 is the PC from the DMZ, but no user is shown yet; I don't know why, it has to show it. Let me check from the other places as well; there are many places where you can verify. It should show the user; anyway, maybe after a while it will show the user here, because now we are using user-based authentication, and this is active authentication. In the same way, if you want to test from the LAN PC, just go to the LAN PC; both are using the same active authentication, with the users pulled from Active Directory, and whenever you access any resource it will ask you for a username and password. The PC login is user with password test123. First let me log in to this PC. Now this is the inside PC. Okay, you can restrict the LAN PC per group as well. Let me try to go somewhere. Which user did we use last time? Let me see the Firewall User Monitor: we used HR. This time I will log in with Sales so that we can test both. So now it says open network authentication.

It redirects me, and this time I say sale1 with password 123, Continue. Okay, now it's authenticated. Let me go to bbc.com; I hope it works now that I've been authenticated. BBC is working. Now let's go to the Firewall User Monitor and refresh. Now sale1 is logged in with the Sales group, with a duration of 17 seconds, IP 192.168.1.2, and the DMZ one is using the other range, 192.168.2.1. The method is Firewall. Firewall means the Active Directory here, because when we created the group we chose this type; the other type we will do a bit later, it's not part of this course but it's also very easy, the same method. Because we integrated the group with type Firewall, the method is shown as Firewall. You can test them from here, and from Log & Report it should be here as well: the policy DMZ to WAN is being hit, and this is the source IP. Okay, what else? We can verify LAN to WAN too, so now there should be two IPs. Also in FortiView, as a source, it will show the users: sale1 and hr1, these are the two users going out. And if you want to see the DNS, application or policy details, you can verify from here where they are going.

So this is called active authentication. What we did: we created local groups and mapped them to the Active Directory groups with Add Selected; this way we created two groups. Before that we integrated the LDAP server. Then we created the policies and called the user groups in them. You can restrict per zone and per group as well, but I called both groups in one zone and both groups in the other zone; you can put that restriction as well. So we called the HR group and the Sales group in the policy. For verification it prompted for credentials like this, and after that we tested from the Firewall User Monitor under Monitor; in All Sessions you can see the users by name, and from Source you can see them by name as well. So this was the method of active authentication.
