Bro! You just saved me a good deal of time as I've been pondering why my custom signatures were not working like how so many people described on the web. Well with your indepth explanation, you made it so clear and gave me a vision and long story short, because the IPS doesn't kick in until after the session is added to the session table, other things could be blocking my packet before it hit the IPS. Which was the case. As soon as I create a policy and put it above all the others and pretty much made it wide open to test, bingo! I can't thank you enough for the work you did, this was wonderful.
Great video. The main reason, why routing has to be done before the FW policy is, that the routing determines the involved interfaces, especially the egress interface which is key to determine the matching policy as we have the incoming (ingress) and outgoing (egress) interfaces, which are mandatory elements for a FW policy. This shows, that routing is key, also in terms of firewall policies. It's a good rule of thumb: "Always check the routing first" when dealing with weird firewall behaviors.
I do agree. Destination interface is part of the tuple verification that firewall policy performs to find the firewall policy that matches the traffic. Regards!
Sir it's my feedback Really cool and crystal clear session for upcoming TAC engineer of fortigate also information that your gathered show the effort of you thanks a lot sir........
Thanks sir, i was trying to understand fortigate packet flow from fortigate page itself but did'nt understand. Your way of explanation is easy to understand, super explanation. Again thanks sir!
Slow path process :- 1>DNAT , 2> Routing , 3> Policy , 4>SNAT .... 2nd Question answers :- if there will be no routing in that case.. no use of policy lookup .. so by doing routing lookup we are not much consuming CPU Utilization of firewall ... Thank u so much for explaining it :)
Awesome brother, great explanation, can you make another showing differences between application,dns and web filter. Explaining in detail when to use which filter. Can you explain how SDWAN rules can impact the SNAT selection in policy
From Fortinet documentation. Security Processing Units (SPUs) includes NPUs and CPs. That means there are two types of SPUs, which are NPUs and CPs. Not sure if that is correct
diag debug flow show iprope enable diagnose debug flow show function-name enable diag debug flow trace start 1000 diag debug enable You can also filter for specific IP address Flow by using - diag debug flow filter
Your Explanation was very deep, awezome video. I have a question for you, if i have an specific Firewalls rule at the end, saying ¨Deny any any", and prior that rules execute i have some other App rule (let say office365 for example) the Application control Will not be able to detect the Application because of the "deny" rule it Will not be able to complete the 3way handshake therefore there is no flow to catch? im Right?
Cristian Silva u r right so its always recommend that deny deny at last and then all permit on above and if u creat rule for app with allow like allow youtube then it will do 3 way from that rule
Just a Question. You said that every packet gets handeld first by the CPU. But not in the Case of DDos right? Then de SP would block it before passing the traffic to the CPU? Or other related IPS things?
Hey, great video. It's possible to share the powerpoint or the images of this presentation. If i try to reach the source image, i got http 404. Thanks in advance.
If Destination NAT is verified before security policy check then why in WAN to LAN security policy, under Destination Address Public IP is given. why cant we directly give Private IP address. My doubt is not only for Fortigate but also for other firewalls like Sonicwall & Paloalto also.
Destination IP In fortigate is VIP. virtual IP. so in Fortigate its very easy. no confusion at all. packet flow helps you to tell which is happening when.
25:11 Question Why routing before policy ? Ans Because in an Firewall it has lot of policies it means utilize cpu n latency so it will check first routing its ec and also it's crct path
On the basis of routing firewall determine the egress interface and then the policy lookup is done for that flow. Without the egress information policy check won't take place
What a great explanation of Packet Flow. Loved it.
Thank you.
Bro! You just saved me a good deal of time as I've been pondering why my custom signatures were not working like how so many people described on the web. Well with your indepth explanation, you made it so clear and gave me a vision and long story short, because the IPS doesn't kick in until after the session is added to the session table, other things could be blocking my packet before it hit the IPS. Which was the case. As soon as I create a policy and put it above all the others and pretty much made it wide open to test, bingo! I can't thank you enough for the work you did, this was wonderful.
spread the words🤗
Great video.
The main reason, why routing has to be done before the FW policy is, that the routing determines the involved interfaces, especially the egress interface which is key to determine the matching policy as we have the incoming (ingress) and outgoing (egress) interfaces, which are mandatory elements for a FW policy.
This shows, that routing is key, also in terms of firewall policies.
It's a good rule of thumb: "Always check the routing first" when dealing with weird firewall behaviors.
perfect
subscribe and share to support this channel
I do agree. Destination interface is part of the tuple verification that firewall policy performs to find the firewall policy that matches the traffic.
Regards!
Very nice explanation sir, sharing good knowledge
Brother, I always like your Video.No one should dislike it as far as Networking is concerned.
Sir it's my feedback
Really cool and crystal clear session for upcoming TAC engineer of fortigate also information that your gathered show the effort of you thanks a lot sir........
I could not have said it any better myself.
Thanks sir, i was trying to understand fortigate packet flow from fortigate page itself but did'nt understand. Your way of explanation is easy to understand, super explanation. Again thanks sir!
Slow path process :- 1>DNAT , 2> Routing , 3> Policy , 4>SNAT .... 2nd Question answers :- if there will be no routing in that case.. no use of policy lookup .. so by doing routing lookup we are not much consuming CPU Utilization of firewall ... Thank u so much for explaining it :)
If there is no route the traffic will be dropped from my understanding
Much appreciated, greetings from Vienna
good bro ! policy will be the first counter for all the traffic before it moves to NAT and Security
Superb bro..well done. much helpful.
Awesome brother, great explanation, can you make another showing differences between application,dns and web filter. Explaining in detail when to use which filter. Can you explain how SDWAN rules can impact the SNAT selection in policy
25:10
What is slow path chkng proccess?
1 DNAT
2. ROUTING
3 POLICY
4 SNAT
Thank you sir, this video is very helpful
Wonderful bro its really very informative need more troubleshooting videos ...
Greeting, Technical_Scoop. extremely picturesque video. thanks. :)
The route is before Policy because after Routing, specify the Policy ,based on the outgoing interface
Very helpful 👍, thank you.
Fantastic explanation. Could you please share the traffic flow diagram which you explain here.
You king sir! Thank you very much for this Video. If you would have had a good Microphone I would rate this Video 11/10!
Sir where in the picture is SD-WAN taking place?
Do you have explaination about NTurbo and IPSA?
I'm struggling trying to understand that feature.
Wonderful Bro !!
Great explanation. Thanks or this knowledge.
From Fortinet documentation.
Security Processing Units (SPUs) includes NPUs and CPs.
That means there are two types of SPUs, which are NPUs and CPs.
Not sure if that is correct
how can i enroll for other videos
Good explaination
Very helpful thanks 👏
In the slow path it checks the DNAT, Routing , Policy Lookup, SNAT
Great content!!
You gained a subsciber thanks for awesome content
Hi, Which command I should ran to check this flow of packets on my device
diag debug
check my another video on this
diag debug flow show iprope enable
diagnose debug flow show function-name enable
diag debug flow trace start 1000
diag debug enable
You can also filter for specific IP address Flow by using - diag debug flow filter
where does urpf happen in packet flow ?
If you mean Reverse Path Forwarding... It takes place just after DoS policy validation.... before the IP header Integrity check, as far as I know
Your Explanation was very deep, awezome video. I have a question for you, if i have an specific Firewalls rule at the end, saying ¨Deny any any", and prior that rules execute i have some other App rule (let say office365 for example) the Application control Will not be able to detect the Application because of the "deny" rule it Will not be able to complete the 3way handshake therefore there is no flow to catch? im Right?
Cristian Silva u r right
so its always recommend that deny deny at last and then all permit on above and if u creat rule for app with allow like allow youtube then it will do 3 way from that rule
sir thanks ...
Awesome
Love the video! Would it be possible to share the flow chart you made? Want to use it as my background, to have a quick peak when needed.
thanks John, i lost it myself. my website was expired and was no plan to extend due to high cost. but renwed website , unfortuantely lost images.
excellent
could you please focus on fast path steps in deep?
Just a Question. You said that every packet gets handeld first by the CPU. But not in the Case of DDos right? Then de SP would block it before passing the traffic to the CPU?
Or other related IPS things?
superb
Really nice
Thanks, spread the words 🙏🏻🤗
Hello Sir. Thank you for the content. But I have one question. Where is the DNAT happening for Fast Path?
slow path
Hello , Do you have full Forti gate videos , if nor here on other platform , Please let me know
Sorry bro, no videos for now. but planning to make in near furure
Hey, great video. It's possible to share the powerpoint or the images of this presentation. If i try to reach the source image, i got http 404.
Thanks in advance.
Thank you
If Destination NAT is verified before security policy check then why in WAN to LAN security policy, under Destination Address Public IP is given. why cant we directly give Private IP address. My doubt is not only for Fortigate but also for other firewalls like Sonicwall & Paloalto also.
Destination IP In fortigate is VIP. virtual IP. so in Fortigate its very easy. no confusion at all. packet flow helps you to tell which is happening when.
@@SantoshSharma Hi thanks for your reply, Can you explain packet flow for Sonicwall.
JAI SHREE RAM🙏
hello, do you share that power point doc?
Go to my websiite to see this packet flow in image
Pls share the flow chart
IPS LOGS, APP LOGS, WEBFILTER Logs are not visible
kindly Share the screenshot.
sir please upload the flow chart in HD Format
Are you teaching over the Skype or zoom
Monu Gothwal What happend? I didn’t understand the question, if u want training , Please contact me on email
info@tekguru4u.com
25:11
Question
Why routing before policy ?
Ans
Because in an Firewall it has lot of policies it means utilize cpu n latency so it will check first routing its ec and also it's crct path
On the basis of routing firewall determine the egress interface and then the policy lookup is done for that flow. Without the egress information policy check won't take place
@@toptalkers7980 i would say awesome answer
@@SantoshSharma thank you sir
one dislike may be a child when his father watching the video the child could have click it.
🤩🤩
pls activate windows