Category Network Training

1. Download pfSense:
   • Go to the pfSense website (https://www.pfsense.org/download/) and download the appropriate installation image for your hardware. Choose between the Community Edition (CE) or pfSense Plus.
2. Create Installation Media:
   • Burn the downloaded image to a CD/DVD or create a bootable USB drive using software like Rufus (for Windows) or dd (for Linux).
3. Boot from Installation Media:
   • Insert the installation media into the computer where you want to install pfSense and boot from it. You may need to change the boot order in the BIOS settings.
4. Install pfSense:
   • Follow the on-screen instructions to install pfSense. You’ll be asked to select the installation mode (e.g., Quick/Easy Install, Custom Install), configure network interfaces, set up disk partitions, and create an admin password.
5. Reboot:
   • Once the installation is complete, remove the installation media and reboot the computer.

Configuration:

1. Initial Setup:
   • After rebooting, pfSense will start up and present you with a console menu.
   • Use the keyboard to select ‘1’ to boot pfSense in multi-user mode.
2. Access the Web Interface:
   • Open a web browser on a computer connected to the same network as pfSense.
   • Enter the IP address of the pfSense firewall in the address bar (default is 192.168.1.1).
   • Log in with the username ‘admin’ and the password you set during installation.
3. Initial Configuration Wizard:
   • The first time you access the web interface, you’ll be guided through the initial configuration wizard.
   • Set the WAN and LAN interfaces, configure the LAN IP address, set the time zone, and configure the admin password.
4. Configure Interfaces:
   • Navigate to ‘Interfaces’ in the web interface to configure additional interfaces if needed (e.g., DMZ, OPT interfaces). Assign interfaces and configure IP addresses.
5. Firewall Rules:
   • Set up firewall rules under ‘Firewall’ > ‘Rules’ to allow or block traffic between interfaces. Configure rules for the WAN, LAN, and any additional interfaces.
6. NAT (Network Address Translation):
   • Configure NAT rules under ‘Firewall’ > ‘NAT’ to translate private IP addresses to public IP addresses. Set up Port Forwarding, 1:1 NAT, or Outbound NAT rules as needed.
7. DHCP Server:
   • If you want pfSense to act as a DHCP server, configure DHCP settings under ‘Services’ > ‘DHCP Server’. Set up the range of IP addresses to lease, DNS servers, and other DHCP options.
8. VPN:
   • Set up VPN connections (e.g., OpenVPN, IPsec) under ‘VPN’ > ‘IPsec’ or ‘OpenVPN’. Configure VPN settings, certificates, and user authentication.
9. Packages:
   • Install additional packages for extra functionality under ‘System’ > ‘Package Manager’. Popular packages include Snort (for Intrusion Detection/Prevention), Squid (for web caching), and HAProxy (for load balancing).
10. Save Configuration:
    • Click on ‘Apply Changes’ to save your configuration.
11. Final Steps:
    • Test your configuration to ensure everything is working as expected.
    • Consider setting up backups of your pfSense configuration under ‘Diagnostics’ > ‘Backup & Restore’.

Unboxing:

1. Inspect the Package:
   • Open the shipping box and check for the following components:
     • FortiGate 80F unit
     • Power adapter
     • Ethernet cables
     • Mounting hardware (if applicable)
     • Documentation and setup guide
2. Connectivity:
   • Identify the WAN (Wide Area Network), LAN (Local Area Network), and DMZ (Demilitarized Zone) ports on the FortiGate 80F.
   • Connect the appropriate network cables to these ports based on your network architecture.
3. Power On:
   • Connect the power adapter to the FortiGate 80F and plug it into a power source.
   • Power on the device and wait for it to complete the boot-up process. You can monitor the status using the indicator lights on the unit.

Initial Configuration:

1. Access Web Interface:
   • Open a web browser and enter the default IP address of the FortiGate 80F (e.g., https://192.168.1.99).
   • Log in using the default credentials (usually “admin” for both username and password).
2. Initial Setup Wizard:
   • Follow the prompts of the setup wizard to configure basic settings:
     • Set the system name and administrator password.
     • Configure the time zone and date/time settings.
3. Network Configuration:
   • Set up the WAN and LAN interfaces:
     • Assign IP addresses to the interfaces.
     • Define DHCP settings if applicable.
     • Configure any additional interfaces based on your network design.
4. Security Policies:
   • Define security policies to control traffic flow. This includes inbound and outbound rules based on source, destination, and services.
   • Implement firewall rules, NAT (Network Address Translation), and security profiles (antivirus, intrusion prevention, etc.).
5. Update Firmware:
   • Check for firmware updates in the web interface.
   • Download and apply the latest firmware to ensure security patches and feature enhancements.
6. VPN Configuration (Optional):
   • If your organization requires VPN connectivity, configure VPN settings:
     • Set up IPsec or SSL VPN tunnels.
     • Define VPN users and access policies.
7. Monitoring and Logging:
   • Configure logging settings to capture events and monitor network activity.
   • Set up alerts for critical events.
8. User Authentication (Optional):
   • If applicable, configure user authentication:
     • Integrate with LDAP or RADIUS for centralized user management.
     • Implement two-factor authentication for additional security.
9. Wireless Configuration (Optional):
   • If the FortiGate 80F has wireless capabilities, configure wireless settings, including SSID, security protocols, and access controls.
10. Testing:
    • Perform thorough testing to ensure that the firewall is functioning as expected.
    • Test internet access, VPN connections, and the enforcement of security policies.

Link Aggregation Control Protocol (LACP) is a standard that allows you to bundle multiple physical links together to increase bandwidth and provide redundancy. This is often used to improve network performance and ensure high availability. Below are the general steps to configure LACP on network devices such as switches:

1. Ensure LACP Support:

• Make sure that the network devices (usually switches) you are using support LACP.

2. Identify the Ports:

• Identify the physical ports on the devices that you want to aggregate. For example, if you have two switches, identify the ports on each switch that will be part of the aggregated link.

3. Access the Device Configuration:

• Access the command-line interface (CLI) or web-based management interface of your network device. This is typically done through a console cable, SSH, or a web browser.

4. Navigate to Port Configuration:

• In the device configuration interface, navigate to the port configuration section.

5. Configure LACP:

• Enable LACP on the ports that you want to aggregate. This is usually done by setting the aggregation mode to “Active” or “Passive” depending on your specific requirements.
• Active mode means that the port actively initiates the LACP negotiation.
• Passive mode means that the port responds to LACP negotiation but doesn’t actively initiate it.

Example (Cisco Switch CLI):

interface range GigabitEthernet0/1 - 2

channel-group 1 mode active

In this example, GigabitEthernet0/1 and GigabitEthernet0/2 are part of a channel group with mode set to active.

6. Configure the Same LACP Settings on the Other End:

• If you are aggregating links between two devices (like two switches), ensure that you configure the same LACP settings on the corresponding ports of the other device.

Example (Cisco Switch CLI – Other End):

interface range GigabitEthernet0/1 - 2

channel-group 1 mode active

7. Verify the Configuration:

• After configuring LACP on both ends, verify the status of the aggregated link to ensure that the LACP negotiation is successful and that the link is up.

Example (Cisco Switch CLI):

show lacp neighbor

show interfaces port-channel 1

These commands will show the LACP neighbors and the status of the aggregated link.

Keep in mind that specific commands and procedures may vary depending on the vendor and model of your network devices. Always refer to the documentation provided by your device’s manufacturer for accurate and device-specific information.

Remove the maintainer account (which allowed users to log in through the console after a hard reboot). Users who lose their password must have physical access to the FortiGate and perform a TFTP restore of the firmware in order to regain access to the FortiGate.

Setting up a VoIP (Voice over Internet Protocol) phone system at home or in an office with FreePBX involves several steps. FreePBX is an open-source PBX (Private Branch Exchange) software that can be used to manage and control VoIP phone calls. Here is a basic guide to help you set up a VoIP phone system using FreePBX:

1. Requirements:

• A computer or server to host FreePBX (can be a physical machine or a virtual server).
• A reliable internet connection with sufficient bandwidth for VoIP calls.
• IP phones or softphones for users to make and receive calls.
• VoIP service provider for external call routing.

2. Install FreePBX:

• Download the FreePBX ISO from the official website: https://www.freepbx.org/downloads/
• Install FreePBX on your chosen hardware or virtual machine following the installation instructions provided on the website.

3. Access FreePBX Web Interface:

• Once the installation is complete, access the FreePBX web interface using a web browser. The default login credentials are usually:
  • Username: admin
  • Password: admin

4. Configure System Admin Module:

• In the FreePBX web interface, go to the “Admin” menu and select “System Admin.”
• Set the time zone, hostname, and other necessary system settings.

5. Configure Extensions:

• Extensions represent individual phone lines or users in the FreePBX system.
• Navigate to the “Applications” menu and select “Extensions.” Add extensions for each user or device, specifying the type of device (SIP phone, softphone, etc.).

6. Set Up Trunks:

• Trunks are used to connect FreePBX to external VoIP providers for making and receiving calls.
• In the FreePBX web interface, go to the “Connectivity” menu and select “Trunks.” Configure trunks with the details provided by your VoIP service provider.

7. Create Inbound and Outbound Routes:

• Inbound routes determine how incoming calls are handled, and outbound routes determine the path for outgoing calls.
• Navigate to the “Connectivity” menu and select “Inbound Routes” and “Outbound Routes.” Configure routes based on your requirements.

8. Set Up IVR (Interactive Voice Response):

• If needed, create an IVR to provide callers with menu options for call routing.
• In the FreePBX web interface, go to the “Applications” menu and select “IVR.”

9. Configure Voicemail:

• Set up voicemail boxes for users who need voicemail services.
• In the FreePBX web interface, go to the “Applications” menu and select “Voicemail.”

10. Test the System:

• Once everything is configured, test the system by making internal and external calls to ensure that the setup is working as expected.

11. Security Considerations:

• Implement security measures such as firewall rules, strong passwords, and regular system updates to protect your VoIP system.

Remember to consult the documentation provided by FreePBX and your VoIP service provider for specific configuration details and troubleshooting tips. Additionally, configuring a VoIP system may require a good understanding of networking concepts and VoIP protocols, so be prepared to address any technical challenges that may arise.

Hello everyone , in this video I am going to integrate fortigate firewall with radius server , after that fortigate administrators can login and manage fortigate by using their active directory username and password.

Step 1: Log into FortiGate

Access your FortiGate device through a web browser or SSH client.

Step 2: Navigate to System Settings

1. Go to System > Settings in the FortiGate web interface.

Step 3: Configure RADIUS Server

2. Under Authentication Settings, click Create New to add a RADIUS server.
3. Fill in the following details:
   • Name: A descriptive name for the RADIUS server.
   • Server: Enter the IP address or hostname of your RADIUS server.
   • Secret: This is a shared secret key that must match the one configured on the RADIUS server for authentication. It ensures secure communication between FortiGate and the RADIUS server.
   • Authentication Port: Usually set to 1812 for RADIUS authentication.
   • Accounting Port: Typically set to 1813 for RADIUS accounting, if needed.
4. Click OK to save the RADIUS server configuration.

Step 4: Define a RADIUS Server Group

5. Under Authentication Settings, click Create New to add a RADIUS server group.
6. Give the group a descriptive name to identify it later.
7. Add the previously configured RADIUS server(s) to the group. You can use multiple RADIUS servers for redundancy and load balancing.
   • Select the RADIUS servers from the list and use the right arrow button to move them to the “Selected” column.
8. Click OK to save the RADIUS server group.

Step 5: Configure User Groups for RADIUS Authentication

9. If you want to use RADIUS for user authentication, navigate to User & Device > User Groups.
10. Edit an existing user group or create a new one based on your needs.
11. In the user group settings, go to the Remote Groups section and select the RADIUS server group you created in Step 4.

• This configuration ensures that users in this group will be authenticated against the RADIUS server.

Step 6: Testing

12. It’s essential to test your RADIUS configuration to verify that it’s functioning correctly. You can do this by attempting to log in using user accounts associated with the RADIUS server.

Step 7: Monitoring and Troubleshooting

13. FortiGate provides various monitoring tools under Log & Report where you can review RADIUS authentication and accounting logs. These logs can be instrumental in troubleshooting any issues with the RADIUS configuration.

Step 8: Additional Configuration

14. Depending on your specific requirements, you may need to configure additional options such as RADIUS accounting, timeout settings, and other advanced features. Consult the FortiGate documentation for comprehensive details on these options.

Step 9: Save Configuration

15. Make sure to save your configuration changes to ensure they are preserved across device reboots and updates.

By following these detailed steps, you can set up FortiGate to authenticate and authorize users through a RADIUS server effectively. This configuration enhances network security by centralizing user authentication and access control.

Hello every one , in this video I will introduce how can you integrate your fortigate firewall with Microsoft teams and get notification in case of admin login failed, Also I will describe fortigate automation service to do some actions for triggered events.

1. Configure Microsoft Teams Incoming Webhook:

• Log in to your Microsoft Teams account and navigate to the channel where you want to receive notifications.
• Click on the three dots (…) next to the channel name and select “Connectors.”
• Search for “Incoming Webhook” and click on it to configure.
• Give your webhook a name and customize its settings, such as the icon that will be displayed with messages.
• Once configured, a unique webhook URL will be generated. Copy and save this URL, as you’ll need it to send notifications from FortiGate to Teams.

2. Configure FortiGate Automation:

• Access your FortiGate firewall’s web interface or CLI.

a. Define Triggering Events:

– Depending on your specific use case, you’ll want to define the events or conditions that trigger notifications. For example, you might want to send notifications when: – A critical security event is detected (e.g., intrusion attempts, malware activity). – A specific network condition is met (e.g., bandwidth threshold exceeded). – Configuration changes are made on the firewall.

b. Create a Custom Script or Action:

• FortiGate Automation typically involves creating custom scripts or actions using FortiScript (for CLI-based automation) or FortiManager (for GUI-based automation).
• Here’s an example of a custom FortiScript that sends a notification to Microsoft Teams using the webhook URL:

  # Define the Microsoft Teams webhook URL
  set teams_webhook_url "https://yourteamswebhookurl"

  # Define the message to send
  set message "A critical security event has been detected on FortiGate!"

  # Construct the JSON payload
  set json_payload '{"text": "'$message'"}'

  # Send the HTTP POST request to Microsoft Teams
  execute log "Sending Microsoft Teams notification..."
  execute external "post $teams_webhook_url" $json_payload

c. Customize the Message:

- You can customize the message within the script to include details about the triggered event, such as date, time, event type, and any relevant information.

3. Test the Automation:

• To test the automation, trigger the event or condition that should initiate the notification. Check Microsoft Teams to ensure that the message is sent and received correctly.

4. Enable the Automation:

• Once you have successfully tested the automation and are confident in its functionality, you can enable it in your FortiGate configuration.

5. Monitoring and Fine-Tuning:

• Regularly monitor the automation to ensure that it continues to work as expected. If needed, you can make adjustments to the script or action to meet changing requirements or address any issues that may arise.

By following these detailed steps, you can set up a robust automation system within FortiGate to send Microsoft Teams notifications whenever specific events occur, helping you stay informed about critical network and security events in real-time.

Hello everyone in this video i will configure traffic shaping and session limit for my test web server , By enforcing session limits, you can prevent a single client or a group of clients from establishing an excessive number of connections, thus reducing the impact of DDoS attacks, also Web servers have finite resources, including CPU, memory, and network bandwidth.

Allowing too many concurrent sessions can lead to resource exhaustion, resulting in degraded performance or even server crashes. The FortiGate Traffic Shaper is a feature within the Fortinet FortiGate firewall platform that allows you to control and manage network traffic by applying quality of service (QoS) policies. The Traffic Shaper provides a set of tools to shape, control, and monitor network traffic based on predefined policies and rules.

1. Log into the FortiGate Web Interface:

• Open a web browser and enter the IP address of your FortiGate device.
• Log in with administrator credentials.

2. Navigate to Security Policies:

• In the FortiGate web interface, go to “Policy & Objects” or a similar section, depending on your FortiGate’s firmware version.

3. Create or Edit a Security Policy:

• You can either create a new security policy or edit an existing one. A security policy defines the rules for traffic passing through the firewall.

4. Configure the Session Limits:

a. General Settings: – In the security policy configuration, you’ll find an option to set session limits. Look for a section labeled “Session Options” or similar.

b. Select Session Limit Type: – Choose the appropriate session limit type based on your requirements: – Limit: Sets a maximum limit on the total number of concurrent sessions allowed for this policy. – Per-User Limit: Sets a session limit per user, which is useful in user-based authentication scenarios. – Per-IP Limit: Sets a session limit per source IP address.

c. Configure Limit Value: – Specify the numeric value for the session limit. For example, if you chose “Limit” and set the value to 100, this policy would allow a maximum of 100 concurrent sessions.

d. Define Action on Limit: – Choose what should happen when the session limit is reached. Common actions include: – Accept: Continue accepting new sessions, ignoring the limit. – Drop: Reject new sessions once the limit is reached. – Log: Log information about sessions that exceed the limit. – Rate Limit: Throttle the rate of new sessions when the limit is reached.

e. Idle Timeout and Session Timeout: – These settings help manage session duration: – Idle Timeout: Set the maximum time a session can remain idle (no traffic) before it’s terminated. This prevents stale connections from consuming resources. – Session Timeout: Define the maximum duration a session can last before being terminated, regardless of activity.

f. Advanced Session Options (Optional): – Depending on your FortiGate firmware version and specific requirements, you may have additional session-related options to configure. These could include session helpers for specific protocols or advanced settings for more granular control over session behavior.

5. Save and Apply the Configuration:

• Once you’ve configured the session limits according to your requirements, save the changes and apply the updated security policy.

6. Testing and Monitoring:

• Thoroughly test your firewall rules and session limits to ensure they align with your network’s security and performance needs.
• Monitor firewall logs and session statistics to track how the session limits are being enforced and whether any adjustments are needed.

Please note that the exact steps and terminology may vary depending on your FortiGate firmware version. Consult the official Fortinet documentation or seek assistance from Fortinet support for version-specific details or advanced configurations. Additionally, it’s important to regularly review and update your security policies to adapt to changing network requirements and threats.

Hello everyone, today I am going to show you how to automatically back up your FortiGate configuration. As you know, backing up the configuration is crucial for every network engineer. Sometimes, network engineers forget to download backups of their configurations. If you follow along with me in this video, your firewall configuration will be automatically backed up every day. Additionally, every time an admin user logs in to the FortiGate, it will also generate the configuration and upload it to SFTP.

Step 1: Access the FortiGate Web Interface

1. Open a web browser and enter the IP address or hostname of your FortiGate device to access its web interface.

Step 2: Log in 2. Log in to the FortiGate web interface with administrative credentials.

Step 3: Configure the SFTP Server

a. Navigate to System > Config > Features. b. Locate the “Backup” section and ensure that “Enable SFTP” is enabled. This allows the FortiGate device to communicate with the SFTP server for backup purposes.

Step 4: Create a Backup Profile

a. Go to System > Admin > Settings. b. Under Backup, you’ll find the “Backup Profiles” section. Click on the “Create New” button to create a new backup profile.

Step 5: Configure the Backup Profile

a. In the “Create New Backup Profile” window, provide a descriptive name for the profile. This name will help you identify the backup profile later. b. Select the frequency at which you want backups to occur. You can choose from options like daily, weekly, or monthly. c. Specify the time of day when the backup should be initiated. Choose a time that is convenient and doesn’t disrupt your network operations. d. Under the “Backup Location” section, select “SFTP Server” as the backup destination.

Step 6: Configure SFTP Server Settings

a. After selecting “SFTP Server,” you’ll need to enter the following details for your SFTP server: – Server IP Address or Hostname: This is the address of your SFTP server where backups will be sent. – Port: Typically, SFTP uses port 22, but ensure it matches your SFTP server’s configuration. – Username: Provide the SFTP username for authentication. – Password: Enter the password associated with the SFTP username. – Directory: Specify the directory on the SFTP server where you want to store the FortiGate backups.

Step 7: Schedule the Backup

a. After configuring the SFTP server settings, go to System > Config > Backup. b. Click on “Create New” to create a new backup schedule. c. In the “Create New Backup Schedule” window: – Select the backup profile you created in the previous step from the dropdown menu. – Choose the days of the week for backups (for weekly backups) or the day of the month (for monthly backups).

Step 8: Review and Apply Configuration

a. Review your backup configuration to ensure that all settings are accurate and complete. b. Click “Apply” or “OK” to save and apply the changes.

With these detailed steps, your FortiGate device is now configured to automatically back up its configuration to the specified SFTP server at the scheduled time and frequency you defined. Regularly verify the backups to ensure they are functioning correctly and provide a reliable safeguard for your firewall’s settings.

Hello everyone , in this video I will describe and configure vlan on hp switch and assign vlans to ports as access and trunk. In HP (Hewlett-Packard) networking switches, “tagged” and “untagged” are terms commonly used to describe how VLANs (Virtual LANs) are handled on switch ports. Tagged ports are used to carry traffic for multiple VLANs simultaneously. These ports are typically used to interconnect switches or to connect devices that need to communicate with multiple VLANs. Tagged ports are also known as “trunk” ports in Cisco networking terminology. Untagged ports are used to connect end-user devices, such as computers, printers, or IP phones, to the network. Each untagged port is associated with a specific VLAN. Untagged ports are also known as “access” ports in cisco networking terminology.

Tagged Ports (Trunk Ports): Tagged ports are used to interconnect switches, routers, or other networking devices and carry traffic for multiple VLANs. They are configured with additional information called VLAN tags, which helps identify which VLAN each Ethernet frame belongs to. Here are the key details:

• Port Configuration: To configure a port as tagged (trunk), you typically need to access the switch’s command-line interface or web-based management interface.

In Cisco devices, you might use commands like:

interface GigabitEthernet0/1

switchport mode trunk

switchport trunk allowed vlan 10,20,30

switchport trunk native vlan 10

In HP/Aruba switches, you might use commands like:

vlan 10

tagged 1-48

• VLAN Membership: You specify which VLANs can traverse the tagged port using the “switchport trunk allowed vlan” (Cisco) or “tagged” (HP/Aruba) command. In the example above, VLANs 10, 20, and 30 are allowed to traverse the trunk port.
• Native VLAN: The native VLAN is used for untagged frames on a tagged port. In the Cisco example, VLAN 10 is the native VLAN. Any untagged traffic entering the port is treated as part of this VLAN.

Untagged Ports (Access Ports): Untagged ports are used to connect end-user devices, such as computers, phones, or printers, to the network. They are associated with a single VLAN, and traffic on these ports is not tagged with VLAN information. Here are the key details:

• Port Configuration: To configure a port as untagged (access), you typically follow a similar process as configuring tagged ports through the switch’s management interface or CLI.

In Cisco devices, you might use commands like:

interface FastEthernet0/1

switchport mode access

switchport access vlan 10

In HP/Aruba switches, you might use commands like:

• VLAN Assignment: You specify which VLAN the port is associated with using the “switchport access vlan” (Cisco) or “untagged” (HP/Aruba) command. In the examples above, the port is assigned to VLAN 10.

Use Cases:

• Tagged Ports: Tagged ports are used for scenarios where you need to carry traffic for multiple VLANs between network devices. Common use cases include connecting switches together, connecting to routers that perform inter-VLAN routing, and connecting to virtualization hosts where multiple virtual networks exist.
• Untagged Ports: Untagged ports are used to connect end devices to the network. For example, a computer in a specific department would connect to an untagged port in that department’s VLAN, ensuring that all its traffic is part of that VLAN.

In summary, configuring tagged and untagged ports correctly is crucial for effective VLAN management. Tagged ports allow traffic from multiple VLANs to traverse a single physical link, while untagged ports connect end devices to a specific VLAN. This segmentation helps in maintaining network security, optimizing traffic flow, and organizing network resources.