Bro! You just saved me a good deal of time, as I've been pondering why my custom signatures were not working like so many people described on the web. Well, with your in-depth explanation you made it so clear and gave me a vision, and long story short, because the IPS doesn't kick in until after the session is added to the session table, other things could be blocking my packet before it hit the IPS. Which was the case. As soon as I created a policy, put it above all the others and pretty much made it wide open to test, bingo! I can't thank you enough for the work you did, this was wonderful.
Great video. The main reason why routing has to be done before the FW policy is that the routing determines the involved interfaces, especially the egress interface, which is key to determining the matching policy, as we have the incoming (ingress) and outgoing (egress) interfaces, which are mandatory elements for a FW policy. This shows that routing is key, also in terms of firewall policies. It's a good rule of thumb: "Always check the routing first" when dealing with weird firewall behaviors.
Sir, it's my feedback: really cool and crystal clear session for upcoming TAC engineers of FortiGate. Also, the information that you gathered shows your effort. Thanks a lot, sir.
Thanks sir, I was trying to understand FortiGate packet flow from the FortiGate page itself but didn't understand. Your way of explanation is easy to understand, super explanation. Again, thanks sir!
Slow path process: 1) DNAT, 2) Routing, 3) Policy, 4) SNAT. 2nd question answer: if there is no routing, in that case there is no use of a policy lookup, so by doing the routing lookup first we are not consuming much CPU utilization of the firewall. Thank you so much for explaining it :)
Awesome brother, great explanation. Can you make another one showing the differences between application, DNS and web filter, explaining in detail when to use which filter? Can you explain how SD-WAN rules can impact the SNAT selection in policy?
Your explanation was very deep, awesome video. I have a question for you: if I have a specific firewall rule at the end saying "Deny any any", and prior to that rule executing I have some other app rule (let's say Office 365 for example), the Application Control will not be able to detect the application because of the "deny" rule, since it will not be able to complete the 3-way handshake and therefore there is no flow to catch? Am I right?
Cristian Silva, you are right, so it's always recommended that the deny-deny is at the last and all the permits are above, and if you create a rule for an app with allow, like allow YouTube, then it will do the 3-way handshake from that rule.
Just a question. You said that every packet gets handled first by the CPU. But not in the case of DDoS, right? Then the SP would block it before passing the traffic to the CPU? Or other related IPS things?
diag debug flow show iprope enable
diagnose debug flow show function-name enable
diag debug flow trace start 1000
diag debug enable
You can also filter for a specific IP address flow by using: diag debug flow filter
Hey, great video. Is it possible to share the PowerPoint or the images of this presentation? If I try to reach the source image, I get HTTP 404. Thanks in advance.
If Destination NAT is verified before the security policy check, then why, in the WAN to LAN security policy, is the public IP given under Destination Address? Why can't we directly give the private IP address? My doubt is not only for FortiGate but also for other firewalls like SonicWall and Palo Alto.
Destination IP in FortiGate is the VIP, virtual IP, so in FortiGate it's very easy, no confusion at all. Packet flow helps you to tell which is happening when.
25:11 Question: Why routing before policy? Ans: Because a firewall has a lot of policies, which means CPU utilization and latency, so it will check routing first; it's ec and also it's the correct path.
On the basis of routing, the firewall determines the egress interface, and then the policy lookup is done for that flow. Without the egress information the policy check won't take place.
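The slow-path order several commenters describe (DNAT, then routing, then policy, then SNAT), and the point that no egress interface means no policy lookup, as a toy model. This is an added illustration, not FortiGate code or anything from the video; the interface names, addresses, VIP and policies are constructed lab values.

```python
"""Toy model of the FortiGate slow-path order: DNAT -> routing -> policy -> SNAT.
Added illustration only; all addresses, interfaces and policies are constructed."""
import ipaddress

# Constructed sample configuration (hypothetical lab values).
VIPS = {"203.0.113.10": "10.0.0.10"}                 # external IP -> mapped IP (DNAT)
ROUTES = [("10.0.0.0/24", "lan"), ("198.51.100.0/24", "wan")]  # no default route on purpose
POLICIES = [  # (id, src_intf, dst_intf, dst_net, action, snat)
    (1, "wan", "lan", "10.0.0.10/32", "accept", False),
    (2, "lan", "wan", "0.0.0.0/0", "accept", True),
    (3, "any", "any", "0.0.0.0/0", "deny", False),   # explicit "deny any any" at the end
]
SNAT_IP = {"wan": "203.0.113.1"}                     # source NAT address per egress interface

def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns the egress interface or None."""
    best = None
    for net, intf in ROUTES:
        n = ipaddress.ip_network(net)
        if ipaddress.ip_address(dst) in n and (best is None or n.prefixlen > best[0]):
            best = (n.prefixlen, intf)
    return best[1] if best else None

def process(src_intf, src, dst):
    """Walk one packet through the slow path and return the list of steps taken."""
    trail = []
    dst = VIPS.get(dst, dst)                         # 1. DNAT: VIP is resolved first
    trail.append(("dnat", dst))
    egress = route_lookup(dst)                       # 2. routing decides the egress interface
    if egress is None:
        trail.append(("drop", "no route"))          # no egress -> policy lookup never runs
        return trail
    trail.append(("route", egress))
    for pid, si, di, net, action, snat in POLICIES:  # 3. first policy matching ingress/egress/dst
        if si in (src_intf, "any") and di in (egress, "any") \
                and ipaddress.ip_address(dst) in ipaddress.ip_network(net):
            trail.append(("policy", pid, action))
            if action == "accept":
                trail.append(("inspect", "security profiles"))  # IPS etc. only on accepted sessions
                if snat:
                    trail.append(("snat", SNAT_IP[egress]))     # 4. SNAT is applied last
            return trail
    trail.append(("drop", "implicit deny"))
    return trail
```

Run `process("lan", "10.0.0.5", "192.0.2.9")` to see the no-route case end before any policy is consulted, and `process("wan", "198.51.100.7", "10.0.0.20")` to see the trailing deny stop the packet before inspection.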