Static Route
New Zealand
Joined 15 Nov 2021
Welcome to Static Route!
This channel is dedicated to learning about networking, from switching, routing and firewalls to a range of cybersecurity topics, with a strong focus on Fortinet, Cisco and Palo Alto.
You found this channel because we share this passion in common!
The BEST Way to Set Up an IPSec VPN With Loopback Interface
Learn how to set up a site-to-site IPSec VPN with a loopback interface in this tutorial. Follow along for step-by-step instructions on creating a secure connection between two sites using this advanced networking technique.
Song: Inspiring by Wavecont
Music provided by [protunes.net](https://protunes.net/)
Video Link: [bit.ly/3S0MVYB](https://bit.ly/3S0MVYB)
Views: 187
Videos
Configuring IP SLA in Fortinet is EASY! // Discover Link Monitor on Fortigate!
205 views · 14 days ago
Learn how to easily configure IP SLA in Fortinet firewalls with this step-by-step guide. Fortinet's implementation of IP SLA is known as Link Monitor, a powerful tool for monitoring network performance and ensuring optimal operation: it allows your network to automatically fail over to a secondary ISP link and dynamically removes a route via a failed link from the route table.
Boost IPSec VPN Security with Signature Authentication!
214 views · 21 days ago
How to set up an IPSec VPN with certificate authentication on a Fortigate firewall in this step-by-step tutorial. We cover topics from generating a Certificate Signing Request (CSR) to defining a Public Key Infrastructure (PKI) user for successful certificate authentication.
How to setup BGP on Fortigate over Dial-up VPN Connections with Mode-config
284 views · 28 days ago
In this step-by-step tutorial, learn how to set up BGP on Fortigate over Dial-up VPN connections. We use Mode-config for dynamic IP address allocation as well as iBGP to advertise networks between sites!
Sub-interfaces and Inter-VLAN Routing on Fortigate Firewall / Router on a stick configuration Guide
401 views · a month ago
In this comprehensive guide, we will walk you through the ultimate Router on a Stick setup on Fortigate firewall. Learn how to configure your firewall to enable communication between different VLANs on your network, securing data flow and enhancing network security.
Dial-Up VPN Setup WITHOUT Static IP! | FortiGate Configuration Guide
1.1K views · a month ago
In this video, we will walk you through the step-by-step process of setting up a Dial-Up VPN on FortiGate Firewall without the need for a static IP address on remote sites. If you're looking to establish a secure VPN connection behind a PPPoE or DHCP service, this configuration guide is perfect for you. Follow along to learn how to configure your FortiGate device for a Dial-Up VPN with ease. Do...
Fixing IPSec VPN NAT Issue Once and For All
545 views · a month ago
In this comprehensive guide, we'll walk you through the challenges and solutions for setting up an IPSec VPN when it's located behind a Network Address Translation (NAT) device. We start by explaining why IPSec VPNs face issues when behind NAT, including the intricacies of IP address translation and how it affects VPN tunnels. Discover the concept of NAT Traversal and how it helps IPSec VPNs to ...
3 Simple Steps to Configure IPSec VPN on Fortigate
566 views · a month ago
In this video tutorial, we will guide you through the process of configuring an IPSec VPN on a Fortigate firewall in just 3 easy steps. Whether you're a beginner or an experienced network administrator, you'll find this guide straightforward and helpful. Stay tuned and learn how to set up your VPN quickly and efficiently on Fortigate.
Understanding the Fortigate Route Database (2024)
181 views · 2 months ago
In this hands-on lab we take a closer look at the route database on Fortigate firewalls and the differences between the route table and the route database. Fortigate firewalls maintain routes in 2 tables, the RIB & the FIB.
Timeline:
0:00 - Intro
0:04 - Describing the Route Database
1:00 - Route table commands
1:23 - Understanding the route database
BGP Protocol: Prefix-lists and Route-maps
562 views · 2 months ago
This is a walkthrough on prefix-lists and route-maps on Fortigate firewalls. Prefix-lists and route-maps are powerful features of BGP that enable administrators to implement fine-grained control over routing decisions, ensuring optimal traffic flow and network performance.
Fortigate BGP Soft-Reconfiguration Explained!
469 views · 2 months ago
In this video we look into BGP soft reconfiguration, how to use it and a typical use scenario. It allows network operators to apply configuration changes to BGP routing policies without disrupting the flow of routing updates. Unlike a hard reset, which clears BGP sessions and requires renegotiation of routes, soft reconfiguration allows changes to be applied in a non-disruptive manner.
Deploying Fortigate Firewall in AWS Like a Pro
1.4K views · 2 months ago
In this video, we will walk you through the best practices for deploying Fortigate in AWS to ensure that you are setting up your Fortigate in AWS the right way. By following our step-by-step process, you can ensure that your Fortigate is properly integrated into your AWS environment, providing you with the best protection possible. #Fortigate #AWS #Cybersecurity #CloudComputing #BestPractices
BGP on Fortigate - In depth Guide plus important topical exam concepts!
3.1K views · 2 months ago
In this comprehensive video we explore BGP on Fortigate in depth! We cover all the important exam concepts related to the BGP topic, from really basic to advanced configuration, troubleshooting, and traffic engineering topics. Whether you're studying for an exam or looking to expand your networking knowledge, this video is full of valuable information to help you master BGP on Fortigate.
What is a session table and how does it work on Fortigate Firewall..
525 views · 3 months ago
For every active connection to the Fortigate firewall and through the firewall, the Fortigate keeps a record of all active sessions. In this video we use the session table to explore firewall policies and Fortigate local-in policies.
Fortigate IP Routing Features - What You Need To Know!
2.9K views · 3 months ago
This video demonstrates the basics of IP routing on the Fortigate firewall. We will configure static routes, OSPF as well as BGP in both iBGP and eBGP configurations, validate that networks are being advertised as expected and confirm reachability.
Troubleshooting site-to-site VPN // Diagnose Debug Flow
999 views · 4 months ago
Disable auto-save on Fortigate // Auto-Restore after a failed Firewall Change
204 views · 5 months ago
Mastering Site-to-Site IPSec Tunnel & SD-WAN Setup on Fortigate
15K views · 2 years ago
Will use it in our production environment soon
This is the greatest tutorial for the BGP configuration in TH-cam. Sound and Clear. Thanks for your time and effort.. Cheers!!!!
Superb.
Thank you
Sorry to bother you, but I can't understand in the beginning the way the loopback interface flows data, how was it possible?
I think of the loopback interface the same as a VLAN interface, they’re both logical interfaces
Hey Thiago, were you satisfied with the answer?
Thanks man. Appreciate all your work, find the background music distracting though.
Hey, just curious and looking to improve things always, do you mean the background music volume is too high or you’d prefer no background music altogether?
@@staticroute seems particularly high in this video but I'd prefer none at all.
Better pls proceed without background music
IPSec VPN over loopback interface is an increasingly popular deployment because of its many benefits, including ability to control preferred primary and secondary paths leveraging the link monitor config for dynamic failover...this improves the reliability and stability of VPN tunnels significantly!!
Please lower the background music
Thank you very much, noted, yours is one of 2 comments about the background music, I appreciate it 👍🏼
Apologies, I should have started with how good your tutorials are, very easy to understand and quite professionally edited. I'd appreciate if you do a video on advanced BGP scenarios with route tags, route target, and how to use communities to accept routes and based on community route to specific peer.
@ Thanks for the video. I have one doubt here. What's the difference between Link Monitor and SD-WAN? I hope SD-WAN also does the link failure based on jitter and packet loss. I am not much aware; if you clear it up it will be good for my understanding.
You're 100% right, SDWAN does its own link monitoring and I hope to cover that in a later video
@@staticroute Thank you
please create one sir @@staticroute
Fortinet's implementation of IP SLA is really awesome, I'm interested to know how popular this is in your deployments, please put a comment and let us know if you are keen to use it if you aren't already...
Thanks. You have explained so simple
I really like how you teach. The content is hard but you make it look easier, and your accent is clear and easy to understand for Asian people like me who do not know so much vocabulary. Thank you❤
Thank you very much 😀🤟
Is that id with strange no. from the local-in policy ?
Yes it is, it turns out that’s how it works and I suppose it does make sense
Can you use this as a backup to a static IPSec VPN ?
Yes absolutely..
Thanks very much for the video. Very useful as I'm starting working on the Fortigate. What's the next video, please?
Please do a video about packet flow on fortigate
I’m probably doing that one next..
Awesome
Hey man, very nice of you to share with us, but I saw you created a user and group for authentication proposal on the Hub, but I can't see you use it for ftg2 and 3. How does it work and why don't you set it on the remote ftg?
@staticroute
Remote firewalls present their "local-id", which we set to ftg02 and ftg03 on each site, plus the PSK. FTG01 will be expecting these specific Peer-IDs, so they have to match. FTG01 is like a domain controller with user accounts, etc., and the local-id is like the username, the PSK being the password. It works in the same way with certificates.
@@staticroute ok buddy, now I got it, it all makes sense right now for me, thank you so much
Nice job, you must have read my mind! .. I was about to ask you about this. I was wondering the dynamic IP addresses used as VTIs for BGP at the spoke will change every time you reload ?
Ah man I’m so happy this has been of value, let’s keep at it…
ok so the VTI's stay the same always when you reload .. Is that correct? ..
That's a critical point you're raising, and the simple way to address that I think would be with the following config update on the DC fortigate:

```
config router bgp
    set as 100
    set router-id 1.1.1.1
    set recursive-next-hop enable
    config neighbor-group
        edit "remote-fw"
            set remote-as 100
        next
    end
    config neighbor-range
        edit 1
            # define the range as the VTI address scope, you can make this smaller if you need to
            set prefix 172.16.100.0 255.255.255.0
            # also this should probably match the number of peers you expect should peer with your DC FW
            set max-neighbor-num 2
            set neighbor-group "remote-fw"
        next
    end
end
```
There's a similar config here: community.fortinet.com/t5/Support-Forum/BGP-Neighbor-Ranges/m-p/290127
Thanks, could you please explain the neighbor-group and neighbor-range configs? So if I defined the phase1 range as

```
set ipv4-start-ip 10.215.1.1
set ipv4-end-ip 10.215.1.250
set ipv4-netmask 255.255.255.0
```

and then defined the prefix as

```
set prefix 10.215.1.0 255.255.255.0
```

does that mean the hub will set up a BGP neighbor for each IP address it's allocated for the spokes? Is there a way to control which IP address is allocated for which spoke and keep it that way? I'm trying to make sense of the below config, I can add the max-neighbor command.

```
config router bgp
    set as 65410
    set router-id 10.20.41.1
    set ibgp-multipath enable
    config neighbor-group
        edit "SPOKE_ISP_1"
            set interface "TUN_INET_ISP1"
            set remote-as 65400
            set update-source "TUN_INET_ISP1"
            set route-reflector-client enable
        next
        edit "SPOKE_ISP_2"
            set interface "TUN_INET_ISP2"
            set remote-as 65410
            set update-source "TUN_INET_ISP2"
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.215.1.0 255.255.255.0
            set neighbor-group "SPOKE_ISP_1"
        next
        edit 2
            set prefix 10.215.1.0 255.255.255.0
            set neighbor-group "SPOKE_ISP_2"
        next
    end
end
```
Could you please share packet flow in fortigate firewall
Yea I’m definitely doing a video on that soon…
This has been a definite learning experience for me making this video....again 😀 I want to thank @oinkersable for spotting an issue with the video...which is now rectified... The video covers:
1. Basic Dialup VPN
2. How to use Mode-config (DHCP for tunnel interfaces)
3. Basic Fortigate tests and verifications
4. BGP!
Enjoy!
Thank you
@@MrSatadal for sure! I'm particularly interested to hear your thoughts about this config 😀
Aws cloud networking
If you'd like to quiz yourself on this topic, check it out here: courses.staticroute.io
Inter-vlan routing lab, this config is useful when you need to aggregate switch ports, which is almost always recommended! Enjoy and as always, I'm happy to hear your thoughts!
In FGT 01 Where to define dialup client Tunnel IP range?
In our example, we don’t require the use of routing protocols, so the tunnel interface doesn’t need an ip address.
@@staticroute can you please make a video of dial UP ipsec with BGP? If already have the video please share link.
I’m publishing that video today, thank you for the suggestion..
Fortigate BGP over a Dialup VPN Site-to-Site Configuration th-cam.com/video/-porUcCZhxE/w-d-xo.html
I hope this is what you were looking for, let me know..
Your video is really helpful. We want more videos on Tshoot, thank you
Sure thing! I have a plan for more videos on the topic
Great videos. Can you please do a "Life of a Packet" video?
hey Anand, yes certainly, that is in fact part of an upcoming "Networking Fundamentals" series, I estimate I will only begin working on it near the end of the year...
From the fortigate packet flow perspective - dnat then to route lookup to snat order and where the session table fits in that. Thank u
@@AnandNarine I’m so glad you’re quite right… about the order and I found this document to support your statement: docs.fortinet.com/document/fortigate/6.4.0/parallel-path-processing-life-of-a-packet/86811/packet-flow-ingress-and-egress-fortigates-without-network-processor-offloading Session table is part of stage 3 - stateful inspection and session management, after traffic is forwarded and a 3-way handshake is complete and session established… Thank you for a great question…I had to double check it before answering 😅
Do u know if a policy lookup needs to be done to allow new traffic Before it gets entered into the session table?
@@AnandNarine yes correct, otherwise you won’t see that traffic in session table
what version fortios here ?
Hi Anand It's Version 7.0.15
Again very helpful. Thanks.
Glad it was helpful!
Dialup VPNs are useful where remote branches have no fixed ip address, such as LTE, etc…I hope you find the video useful and as always, I’m curious to know how many people are using Dialup or intend using dialup VPN
I have a challenge. A tunnel has failed to come up between Fortigate and Linux server running strongSwan. The Fortigate has NAT-T enabled and they are translating their external IP from Private to Public. Can you assist?
Hi @mrmendes4ever, I assume you have NAT-T enabled on the StrongSwan as well? From Fortigate try to run the following and observe output:

1. `get vpn ipsec tunnel summary` (we are interested in status: selectors(total,up))
2. `diagnose sniffer packet any 'host x.x.x.x' 4` (we want to see bidirectional IKE exchange, be sure to use the public address of the StrongSwan)
3. `diagnose vpn ike gateway list name "tunnel-name"`, or simply `diagnose vpn ike gateway list` if there's only 1 tunnel

The idea is to see what status phase 1 tunnel is in: connecting or Established. Then we can take it from there..
Assuming the 2 devices are in fact correctly exchanging IKE, and UDP/500, UDP/4500 and ESP are not blocked anywhere, try this to see what the peers are disagreeing on:

- `diagnose debug application ike -1`

Observe the output and hopefully this leads us to the root cause. Best of luck!
Not many people can explain clearly like this, good job!
Thank you!
You're better than my teachers
Thank you @Rejo-ni3hz, I try to be rooted in theory but apply practical application so that anyone can easily understand, I’m glad the content is achieving that…😀 thank you for being part of this community..
Hey everyone, this has been the second video on the VPN topic, I value your feedback, let me know your thoughts...!
That is a great and simple explanation. Thank you. Can you also create a video on how to set up FortiGate and multiple WAN/ISP links setup for SDwan labs in GNS3?
It’s part of the schedule, will definitely be doing that soon
@@staticroute awesome thanks.
Hi, your video was very much helpful and knowledge gaining session as well. So kindly bring up with many lab sessions with the fortinet it will be more helpful to others. I really enjoyed.
I’m real happy this content is useful, I am working to create more….so more will be coming!
Hello everyone.... this is our first video of the IPSec video series I'm working on. I'll be making several videos focusing on various VPN-specific topics...If there's a specific topic you want me to cover, just leave comment and I'll get to it and make it happen..
please do a full course on udemy
Great content! Thank you for your efforts! For the policy ID in the session list, this is usually one of the local in policies of the fortigate that allowed the traffic. You can view these policies via the following command: #diagnose firewall iprope list
Hi Ahmed, thank you for being part of our community! about this command...I've seen it around but I have no experience personally using it...thanks for this..I'm going to check it out for sure :-D
Hi everyone, thanks for tuning in… Leave your comments below, let me know what I’m doing right, and what needs improvement… most importantly, I’ll do my best to create video content as you request..
I have two IPsec tunnel using two different ISP. I would like to manipulate the outgoing and incoming traffic through specific tunnel using BGP. Can you please provide the configuration ?
@@VishnuK-br7ee Hi Vishnu, This article may be useful: community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-modify-route-preference-using-Local/ta-p/305018 so for inbound traffic, the best way might just be to work with your ISP to edit the attributes on their end being advertised to you. Also keep in mind the default BGP behavior like this: community.fortinet.com/t5/FortiGate/Technical-Tip-BGP-route-selection-process/ta-p/195932
@@staticroute IPsec tunnels between site to site not with ISP.
@@VishnuK-br7ee hey Vishnu, try to please draw it and indicate clearly what you would like us to achieve…share on Google docs or Dropbox, etc. I promise I’ll have a look
Awesome, Do you provide online training classes also?
Hi Muhammad, thank you for tuning in and being part of our little community..to answer your question, I'm not yet ready for that but it is definitely the plan.
This is a remake of an older video, enjoy everyone 🎉🎉...remember to let me know what other videos you'd like to see on the channel..
OMG! A South African!!!! Subscribed the moment I heard "My name is Tegobo" I want to recreate our SD-WAN, hoping to get insight from your channel.
Hi sis, thank you 🤣
This particular video is up for a redo, I definitely plan to go deeper on SDWAN because there’s so much to it
This is extremely helpful. Thank you.
You're very welcome!
Great work sir, Thanks
Thank you for being part of our Static Route community…
I’m preparing more content as part of my re-certification journey and I’m happy it's useful to you as well 🙏🏽
Hi, Will do videos on SDWAN and Security Profile also ?
Hey Kevin, for sure SD-WAN is not too far off..
Thanks for supporting the channel
Hi team, Pls suggest or share fortigate image for lab. My image is only for 15 days key
Hi Selva, my recommendation is to register for free on the Fortinet website www.fortinet.com > Forticloud Login > Register and follow the process, fill out the registration form...it takes less than 2 minutes to complete and your new account is active immediately! Once registered and logged in, go to support.fortinet.com/Download/VMImages.aspx to download any image you want, my suggestion is to download [ FGT_VM64_KVM-v7.4.3-xxxx ] Fortinet now gives you FREE permanent license, check out more information here: docs.fortinet.com/document/fortigate/7.4.3/administration-guide/441460
All lab materials available here: courses.staticroute.io/ enjoy!!
Even if there is no policy, the tunnel will be up. Policy is required only for interesting traffic? Am I right?
Hi Selva, That’s mainly for policy-based VPNs. So far we’re doing route-based VPN. Check out this video, inspired by your question.. IPSec VPN - Firewall Policy or Not? th-cam.com/video/bYljEf3QZ_M/w-d-xo.html
Useful troubleshooting, Thanks for the video.
Greatest video on Fortigate SDWAN with IPSEC. I have to do a similar thing with 2 IPsec VPNs on two WAN links. In our environment all the data goes through these VPNs to the DC and then goes to the internet. I understand the way you do it, but in my case as soon as I plug in the second WAN link the internet stops working for WAN1. Am I missing something? Do I have to create SDWAN first for the WANs, or set priority for the second WAN? Maybe I am missing something. Can you guide me?
Hello @user-sc4gn4uh9h Thank you for supporting the channel, I appreciate your comments. Basically, your Branch wan1 and wan2 interfaces (Underlay) must already be working. If you have 2 tunnel interfaces (which will be your SDWAN underlay), they must also individually be working and capable of handling all branch traffic. That way, when you make them SDWAN members, they continue as normal. I suggest you test it out in GNS3 to see where it could be failing. If you need some help, send me a zoom invite we could look at your GNS3 setup and get that working.
Let me ask: Is it necessary to set IP tunnels for these VPN lines? Thank you very much!
Site-to-site IPsec tunnel interface doesn’t require ip address, remote networks are explicitly reachable over statically defined path that uses tunnel interface as exit interface together with policy to allow it. You don’t need anything more.
thank u@@staticroute
@@staticroute Could you please explain when the IP addresses are required.
@@rjnasr8078 when the tunnel interface has an ip address, typically used with dynamic routing protocols…I’m preparing a video on that very topic…I hope it will help..
@@staticroute Yes, Thank you. I am trying to understand all this as I have a situation where there are a number of VPN site-to-site links and I need to add another backup 4G link for each site. So I am trying to work out how to do this. In fact some sites will have a Starlink connection for wan1 and 4G for Wan2. I can't seem to find any info or topology on this kind of setup. I'm still waiting on a 40F with inbuilt 4G to be delivered but also I am wondering if I can just use a 4G modem connected to the FortiGate. I thought this type of setup will be very popular? If you have any idea how to do this that would be great. Thanks again.