Chat Log C:\Users\REP\Documents\ChatLog Lab Demo FortiGate Security 6_2 Self_Paced _ May

18_19 2020 GMT_2 2020_05_18 17_51.rtf

Aguinaldo Pedro (to Everyone): 14:16: Hello

Ahmed Abdelsalam (to Everyone): 14:16: Hello Aguinaldo :-)

Wiktor Sedkowski (to Everyone): 14:28: How is the config encrypted? Using a hardcoded key, or can
you provide your own?
Ahmed Abdelsalam (to Everyone): 14:29: @ Wiktor: Hassan will show now :-)

Wiktor Sedkowski (to Everyone): 14:29: thx!

Bruno Fernandez (to Everyone): 14:30: by using vdoms you have the option to select global or vdom. is
the vdom configuration included when you select global?
Ahmed Abdelsalam (to Everyone): 14:32: @Bruno: When you enable vdoms and if you have an admin
account with super admin profile, you can back up the configuration either globally or for each vdom
separately
Ahmed Abdelsalam (to Everyone): 14:33: So yes global backup will back up everything on the
FortiGate :-)
Camille Madioko (to Everyone): 14:40: Are you going to cover FortiManager config also
Camille Madioko (to Everyone): 14:41: ok - thanks
Bruno Fernandez (to Everyone): 14:47: @Ahmed: thx!
Dimitrios Giannoulakis (to Everyone): 14:48: how can I exclude a few IP addresses from being hangout,
from the DHCP scope
Dimitrios Giannoulakis (to Everyone): 14:48: ?
Ahmed Abdelsalam (to Everyone): 14:48: @ Dimitrios: you can select the range of IPs for the DHCP pool
Ahmed Abdelsalam (to Everyone): 14:49: From CLI you can configure the exclude range
Dimitrios Giannoulakis (to Everyone): 14:50: thanks
Ahmed Abdelsalam (to Everyone): 14:50: using command: config exclude-range
Ahmed Abdelsalam (to Everyone): 14:50: You are most welcome :-)
Alexander Röttger (to Everyone): 15:05: is it right, that i can't choose the same name of a policy?
Hassan Amedioune (to Everyone): 15:07: Why it is not possible sometimes to choose the same Internet
service Inbound? As an Example: Microsoft Dynamics IPs can be only choosed in outbound policies but
not in Inbound ones?
Ahmed Abdelsalam (to Everyone): 15:07: Yes, it also not recommended that you give two policies the
same name. usually name isn't required in CLI
Ahmed Abdelsalam (to Everyone): 15:07: Name is only a GUI requirement that you can relax that from
System>Feature Visability
Mick Mortensen (to Everyone): 15:08: You can allow unamed policy under system -> feature visability
Ahmed Abdelsalam (to Everyone): 15:09: @ Hassan: It depend on the Internet service configuration as
received from FortiGuard Server. Certain internet services can be used only as source and others only as
destination and others as both
Hassan Amedioune (to Everyone): 15:10: Thanks. Is it Possible to contact fortinet to allow that if that
necessary for a company in prod environemnt?
Ahmed Abdelsalam (to Everyone): 15:10: @ Hassan: When you check the internet Service Database you
will see next to each internet service which direction it can be used for
Ahmed Abdelsalam (to Everyone): 15:11: @ Hassan: Send to me privately the internet service you mean
and which direction it is required :-)
Hassan Amedioune (to Everyone): 15:12: ok thank you. I will do that
Kaleab Kassahun (to Everyone): 15:20: please consider explaing or showing how to configure Twice NAT
on fortigate?
Camille Madioko (to Everyone): 15:23: sorry - hoow were you able to browse the Internet without NAT?
Camille Madioko (to Everyone): 15:24: because we re only going to confiure NAT Now
Ahmed Abdelsalam (to Everyone): 15:25: @ Camille: The NAT was part of the Firewall policy configured
Ahmed Abdelsalam (to Everyone): 15:25: Hassan will discuss how we can configure Firewall NAT. which
is a part of the Firewall Policy configurations :-)
Camille Madioko (to Everyone): 15:26: thanks
Ahmed Abdelsalam (to Everyone): 15:27: @ Camille: You are most welcome :-)
Hassan Amedioune (to Everyone): 15:28: yes
Alexander März (to Everyone): 15:28: yes
Rodrigue Agrah Agaki (to Everyone): 15:35: What happens if u still allow firewall nat ?
Ahmed Abdelsalam (to Everyone): 15:36: @ Rodrigue: We have two types of NAT: Firewall Policy NAT
and Central NAT
Ahmed Abdelsalam (to Everyone): 15:37: you can't enable both of them at the same time
Rodrigue Agrah Agaki (to Everyone): 15:37: When creating policy for someone to access the dmz from
the internet then u allow the firwall nat dispite configuring CNAT?
Rodrigue Agrah Agaki (to Everyone): 15:37: Alll okay.. thanks
Ahmed Abdelsalam (to Everyone): 15:37: So as Hassan mentioned the last example was using Firewall
Policy NAT
Ahmed Abdelsalam (to Everyone): 15:38: You are most welcome :-)
Hassan Amedioune (to Everyone): 15:39: That remember me on ASA Firewall :)
Camille Madioko (to Everyone): 15:40: which form of NAT will be used most often ?
Camille Madioko (to Everyone): 15:40: I assume the Firewall NAT because it allows exemption? Right?
Alexander Röttger (to Everyone): 15:40: are there some issues with the sound/voice?
Ahmed Abdelsalam (to Everyone): 15:40: @ Camillie: It depends on your implementation scanrio and
the number of FW Policy you have
Hassan Amedioune (to Everyone): 15:41: yes there are some issue with voice I confirm
Ahmed Abdelsalam (to Everyone): 15:41: In case of MSSP and you have 20+ policies then using CNAT
will be better
Camille Madioko (to Everyone): 15:42: ooh I see
Ahmed Abdelsalam (to Everyone): 15:42: because you can create 3 or 4 CNAT rules that can match the
20 policies
Camille Madioko (to Everyone): 15:42: thanks
Ahmed Abdelsalam (to Everyone): 15:42: no need to configure NAT per each policy
Ahmed Abdelsalam (to Everyone): 15:42: you are most welcome :-)
Saujanya Bohara Bohara (to Everyone): 15:43: anone else experiencing cconnectivity issues
Bruno Fernandez (to Everyone): 15:43: yes
Saujanya Bohara Bohara (to Everyone): 15:43: *anyone
Shamsudeen E.P (to Everyone): 15:43: yes
Laut, Lars (to Everyone): 15:43: Yes
benjamin quidor dit pasquet (to Everyone): 15:43: yes
Hassan Amedioune (to Everyone): 15:43: There are some issues with voice
Camille Madioko (to Everyone): 15:43: Looking at the diagram, are you doing double NAT?
Alexander Röttger (to Everyone): 15:43: yes
Colin McRae (to Everyone): 15:43: Audio connection is getting worse
Shamsudeen E.P (to Everyone): 15:43: im anot able to hear
Saujanya Bohara Bohara (to Everyone): 15:43: yeah there is a lag no voice now
Stefan Agh (to Everyone): 15:43: mee too
Anil Kumar Saidugari (to Everyone): 15:43: yes
Ahmed Abdelsalam (to Everyone): 15:43: Hi Everyone, I will update Hassan. Just a minute
Hassan Amedioune (to Everyone): 15:43: no voice
Wiktor Sedkowski (to Everyone): 15:43: same
Alexander März (to Everyone): 15:43: same here - no audio
Camille Madioko (to Everyone): 15:43: because the public interfaces on the firewalls are also using
private IP addreses
benjamin quidor dit pasquet (to Everyone): 15:43: yes
Ayat Ali (to Everyone): 15:43: yes
Stefan Agh (to Everyone): 15:43: yes
Wiktor Sedkowski (to Everyone): 15:43: yes
Colin McRae (to Everyone): 15:43: yes
Hassan Amedioune (to Everyone): 15:43: yes
Dimitrios Giannoulakis (to Everyone): 15:43: yes
Alexander März (to Everyone): 15:43: yes
Alexander Röttger (to Everyone): 15:43: yes
Mick Mortensen (to Everyone): 15:43: yes
Saujanya Bohara Bohara (to Everyone): 15:44: yeah can we go back to end of nat
Saujanya Bohara Bohara (to Everyone): 15:44: please
David Tyler (to Everyone): 15:44: Yes I have same issue
Wiktor Sedkowski (to Everyone): 15:44: again voice gone
Saujanya Bohara Bohara (to Everyone): 15:44: yeah audio gone again
Alexander Röttger (to Everyone): 15:44: ...???
Shamsudeen E.P (to Everyone): 15:44: no voice
Ayat Ali (to Everyone): 15:44: no voice
David Tyler (to Everyone): 15:44: audio gone
Hassan Zarhoun (to Everyone): 15:44: one moment
Shamsudeen E.P (to Everyone): 15:44: pls check your internet connection
Camille Madioko (to Everyone): 15:45: Looking at the diagram, are you doing double NAT? because the
public interfaces on the firewalls are also using private IP addreses

David Tyler (to Everyone): 15:45: yes

Wiktor Sedkowski (to Everyone): 15:45: yes
Hassan Amedioune (to Everyone): 15:45: yes
Shamsudeen E.P (to Everyone): 15:45: yes
Dimitrios Giannoulakis (to Everyone): 15:45: yes
Saujanya Bohara Bohara (to Everyone): 15:45: yeah
Hassan Amedioune (to Everyone): 15:45: yes
Wiktor Sedkowski (to Everyone): 15:45: oh gone again
Wiktor Sedkowski (to Everyone): 15:45: its connectivity issue
Shamsudeen E.P (to Everyone): 15:45: gone again
Hassan Amedioune (to Everyone): 15:45: we hav enot hair any thing with AuThC
Saujanya Bohara Bohara (to Everyone): 15:45: yeah if we can start again with FW auth
Colin McRae (to Everyone): 15:46: the voice connection is very flaky, comes and goes mid sentance
Wiktor Sedkowski (to Everyone): 15:47: multiple devices...
Bruno Fernandez (to Everyone): 15:47: voice is still laggy
Shamsudeen E.P (to Everyone): 15:47: no voice
Wiktor Sedkowski (to Everyone): 15:47: and gone
Shamsudeen E.P (to Everyone): 15:47: its breaking
Wiktor Sedkowski (to Everyone): 15:47: sorry but you need to fix it
Colin McRae (to Everyone): 15:47: yea
Dimitrios Giannoulakis (to Everyone): 15:47: yes
Sebastian Szmytka (to Everyone): 15:47: yes
Saujanya Bohara Bohara (to Everyone): 15:47: the voice seems to break again and again
Shamsudeen E.P (to Everyone): 15:47: some thing has to be corrected
Shamsudeen E.P (to Everyone): 15:47: yes pls
Wiktor Sedkowski (to Everyone): 15:47: its really hard to follow the session with those breaks
Saujanya Bohara Bohara (to Everyone): 15:47: please
Wiktor Sedkowski (to Everyone): 15:48: yeah, everone is working remotly now
Wiktor Sedkowski (to Everyone): 15:48: so thats the new normal ;-)
Hassan Amedioune (to Everyone): 15:49: This is one of Corona results :=
Saujanya Bohara Bohara (to Everyone): 15:49: better
Ahmed Abdelsalam (to Everyone): 15:50: Let's enjoy the Firewall Authentication lab :-)
Ahmed Abdelsalam (to Everyone): 15:55: Hassan is answering. Thanks Hassan :-)
Ahmed Abdelsalam (to Everyone): 15:57: @ Maarten, 2FA can be used forr SSLVPN
Ahmed Abdelsalam (to Everyone): 15:59: @ Maarten: I have answered directly :-)
Ahmed Abdelsalam (to Everyone): 16:00: @ Maarten: You are most welcome :-)
Ahmed Abdelsalam (to Everyone): 16:09: We will have a break for 5 minutes. Thanks!!
Ahmed Abdelsalam (to Everyone): 16:12: Hi Zubairu, The recordings needs to be edited and will be
avaliable later on the demo page on our NSEI
Ahmed Abdelsalam (to Everyone): 16:15: You are most welcome :-)
Hassan Amedioune (to Everyone): 16:19: and local logging ?
Ahmed Abdelsalam (to Everyone): 16:20: @ Hassan: Local logging is avaliable only if your FortiGate has
internal hard-disk and usually kept only for 7 days
Hassan Amedioune (to Everyone): 16:20: that means for a Test VM I can't logg locally?
Ahmed Abdelsalam (to Everyone): 16:21: If you allocate a Hard disk space to that VM then you can log
on it :-)
Hassan Amedioune (to Everyone): 16:21: ok Thx
Hassan Amedioune (to Everyone): 16:26: Why when I choose on our Appliance firewall logging locally
some options of the menu left Log& reports disapear totally ( like antivirus, ...)
Ahmed Abdelsalam (to Everyone): 16:27: The options under log & reports are triggered when a match
exist
Ahmed Abdelsalam (to Everyone): 16:28: so next time a virus will be caught by ForitGate the Antivirus
log tab will appear
Hassan Amedioune (to Everyone): 16:28: Ah ok, great to know thx
Ahmed Abdelsalam (to Everyone): 16:28: when you switch to local Hard disk, you still don't have any
logs stored yet :-)
Ahmed Abdelsalam (to Everyone): 16:28: you are most welcome :-)
SAMIR BEN HASSEN (to Everyone): 16:31: Please Will we have a full recording of this presentation
Ahmed Abdelsalam (to Everyone): 16:31: Yes Samir :-)
Ahmed Abdelsalam (to Everyone): 16:31: It will be avaliable in the demo page later on our NSEI webstire
Ahmed Abdelsalam (to Everyone): 16:32: website*
SAMIR BEN HASSEN (to Everyone): 16:34: Thanks
Ahmed Abdelsalam (to Everyone): 16:35: You are most welcome :-)
Dimitrios Giannoulakis (to Everyone): 16:46: full ssl inspection works only on proxy mode, correct ?
Camille Madioko (to Everyone): 16:50: I guess we will need GPO to push it to all users - right
Mohammed Imran (to Everyone): 16:51: yes we can push by GPO also
Ahmed Abdelsalam (to Everyone): 16:51: Yes :-)
Ahmed Abdelsalam (to Everyone): 16:59: We will have 5 minutes break and then show the securtiy
Fabric configurations :-)
Plamenko Hadrovic (to Everyone): 17:00: we can't hear you
Muhammad Rehan (to Everyone): 17:00: Dear Hassan, let me know how long it will take to finish
because estimated time going to be finished.
Ahmed Abdelsalam (to Everyone): 17:05: Hi Muhammad, I think between 15 to 20 minutes once we
start
Muhammad Rehan (to Everyone): 17:08: sure brother
Dimitrios Giannoulakis (to Everyone): 17:16: which protocols is device detation using ?
Dimitrios Giannoulakis (to Everyone): 17:16: *detection
Ahmed Abdelsalam (to Everyone): 17:16: we have two modes: Agent-based and Agentless
Ahmed Abdelsalam (to Everyone): 17:17: for Agent-mode: end-point must have Forticlient downloaded
Ahmed Abdelsalam (to Everyone): 17:17: For Agentless:
Ahmed Abdelsalam (to Everyone): 17:17: Detection methods:
HTTP user agent
TCP fingerprinting
MAC address vendor codes
DHCP
Microsoft Windows browser service (MWBS)
SIP user agent
Link Layer Discovery Protocol (LLDP)
Simple Service Discovery Protocol (SSDP)
QUIC
FortiOS-VM detection
FortiOS-VM vendor ID in IKE messages
FortiOS-VM vendor ID in FortiGuard web filter and spam filter requests

Ahmed Abdelsalam (to Everyone): 17:17: All of those can be used :-)
Dimitrios Giannoulakis (to Everyone): 17:18: thanks
Ahmed Abdelsalam (to Everyone): 17:18: You are most welcome :-)
Maarten Sneekes (to Everyone): 17:34: 10.200.1.254?
Stefan Agh (to Everyone): 17:36: bad email address in automation
Mick Mortensen (to Everyone): 17:36: you put traning.com and not training.labs
Hassan Amedioune (to Everyone): 17:40: can I use this automation with one FGT without having security
fabric configured?
Hassan Amedioune (to Everyone): 17:41: thx
Aditya Deshpande (AP) (to Everyone): 17:42: when will we get the demo lab for hands on?
Ahmed Abdelsalam (to Everyone): 17:43: Hi Aditya, I think you mean the Facilitated labs that you can
configure the labs by yourself. That can be purchased through one of our partners
Aditya Deshpande (AP) (to Everyone): 17:43: ok ! Thank you !
Hassan Amedioune (to Everyone): 17:45: thx
Camille Madioko (to Everyone): 17:46: Thanks Guys
Saujanya Bohara Bohara (to Everyone): 17:46: thank you guys for your time
Camille Madioko (to Everyone): 17:46: Much appreciated
Ayyubi Gampal (to Everyone): 17:46: Thank you very much. Jazakallahu Khairan
benjamin quidor dit pasquet (to Everyone): 17:46: thk guys
David Tyler (to Everyone): 17:46: see you tomorrow
Braamhaar, Hans (to Everyone): 17:46: Thanks
Hassan Amedioune (to Everyone): 17:46: can I send you a question with mail, about fgt in Azure
Mick Mortensen (to Everyone): 17:46: Can i send events via webhooks to fx discord? just for test
purposes
Ahmed Abdelsalam (to Everyone): 17:46: Thank you hassan for the great session
Sebastian Szmytka (to Everyone): 17:46: thank you lads
Camille Madioko (to Everyone): 17:46: Hassan, can you send me the link for the FortiManager
registration
Maarten Sneekes (to Everyone): 17:46: Thanks for today.
Thierry Tummers (to Everyone): 17:46: perfect, thanks
Muhammad Rehan (to Everyone): 17:47: Good session, Hassan
Saujanya Bohara Bohara (to Everyone): 17:47: is the security fabric resource extensive for FG device
itself
Mick Mortensen (to Everyone): 17:47: Thx
Ahmed Abdelsalam (to Everyone): 17:48: Hi Camille, please check this link:
https://training.fortinet.com/course/view.php?id=3099
Maarten Sneekes (to Everyone): 17:48: Is Security Fabric usefull when you don't have connectivity
between your Fortigates? For instance when the Fortigates have internet only.
Hassan Amedioune (to Everyone): 17:49: thank you for the great session.
Maarten Sneekes (to Everyone): 17:49: It does not work without the tunnel?
Maarten Sneekes (to Everyone): 17:50: Thanks alot for the answer and the entire sessioin!
Stefan Agh (to Everyone): 17:50: Thank you. See you tomorrow.
Mick Mortensen (to Everyone): 17:50: Thank you see you tomorrow
benjamin quidor dit pasquet (to Everyone): 17:50: thk, see you tomorrow