Course 301 – Secured Network Deployment and IPSec VPN


Presentation on theme: "Course 301 – Secured Network Deployment and IPSec VPN"— Presentation transcript:

1 Course 301 – Secured Network Deployment and IPSec VPN
Transparent Mode
RTOL

2 Module Objectives
By the end of this module participants will be able to:
- Describe FortiGate unit operating modes
- Describe how VLANs are used on a FortiGate unit operating in Transparent Mode
- Configure a VDOM in Transparent Mode

3 Operating Modes
The operating mode of the FortiGate unit defines how traffic is forwarded by the device. The FortiGate unit can operate in one of two modes:
- NAT/Route Mode: the FortiGate unit processes and routes traffic using layer-3 IP headers. The destination IP address is used to forward the packet.
- Transparent Mode: the FortiGate unit acts as a transparent bridge and forwards traffic using layer-2 forwarding. Ethernet frames are forwarded based on destination MAC addresses. The device is transparent to network hosts, which permits inline traffic inspection and firewalling without changing the IP scheme of the network.

In NAT/Route Mode the FortiGate unit is visible to the network it is connected to. NAT/Route Mode is typically used when the FortiGate is deployed as a gateway between private and public networks, for example a company that uses a FortiGate unit as its interface to the Internet; the FortiGate unit also acts as a router to multiple sub-networks within the company. In its default NAT mode configuration the FortiGate unit functions as a firewall and performs network address translation before IP packets are sent to the destination.

In Transparent Mode the FortiGate unit is invisible to the network and acts as an IP forwarding bridge. All of its interfaces are on the same subnet and share the same IP address. Only the management IP address needs to be configured so that configuration changes can be made. Transparent Mode also supports all firewall functions supported in NAT/Route mode; for example, firewall policies are used to control all communications through the FortiGate unit to the Internet and the internal network. The IP addressing of traffic passing through the FortiGate from the router to the internal network does not change.

The FortiGate unit operates in NAT/Route mode by default when shipped. To use the FortiGate unit in Transparent Mode, its operating mode needs to be switched; the unit does not need to be restarted when the mode is changed. To enable Transparent Mode in Web Config go to System > Config > Operation. To enable Transparent Mode through the CLI, the commands are as follows:

    config system settings
        set opmode transparent
        set manageip <IP> <subnet>
        set gateway <IP>
    end

A FortiGate unit running in either NAT/Route or Transparent Mode has essentially the same feature set. Due to the differences between the modes, however, some features are not available in Transparent Mode, including:
- Network > DNS Databases
- DHCP
- Router (only basic routing is available through Network > Routing Table)
- Virtual IP
- Load Balance
- IPSec Concentrator (Transparent Mode supports policy-based configurations)
- SSL VPN
- WCCP cache engine

4 Operating Modes – NAT/Route
[Diagram: a FortiGate unit in NAT/Route mode with internal, dmz and wan1 interfaces, wan1 leading to the Internet. Routing policies control traffic between the internal networks; NAT mode policies control traffic between the internal and external networks.]

5 Operating Modes – Transparent
[Diagram: a FortiGate unit in Transparent Mode between the internal interface and wan1, with wan1 leading to the gateway to the public network and the Internet.]

6 Ethernet Frame
The Ethernet frame is used to deliver data between computers. The original Ethernet standards defined the minimum frame size as 64 bytes and the maximum as 1518 bytes, including all bytes from the Destination MAC Address field through the Frame Check Sequence field. Some standards may include a Preamble and Start Frame Delimiter field, which are not usually included when quoting the size of the frame. The IEEE 802.3ac standard released in 1998 extended the maximum allowable frame size to 1522 bytes to allow a VLAN tag to be inserted into the Ethernet frame format.

The frame consists of a set of bits organized into several fields, including:

Source and Destination MAC Address: The first two 6-byte fields in the Ethernet frame carry the destination and source addresses of the frame. The IEEE controls the assignment of these addresses by administering a portion of the address field: it assigns a unique 24-bit identifier, called an Organizationally Unique Identifier (OUI), to each organization that wishes to build Ethernet interfaces. The organization then creates 6-byte addresses using the assigned OUI as the first 24 bits of the address. This 6-byte address is also known as the MAC address, physical address or hardware address. The Fortinet OUI is 00:09:0f. As each Ethernet frame is sent onto the shared signal channel, all Ethernet interfaces look at the first 6-byte field of the frame (the destination address) and compare it with their own address. The Ethernet interface with the same address as the destination address in the frame reads the entire frame and delivers it to the networking software running on that computer. All other network interfaces stop reading the Ethernet frame when they discover that the destination address does not match their own address.

Length/Type: If the value of this field is less than or equal to 1500, the Length/Type field indicates the number of bytes in the subsequent Data field. If the value is greater than or equal to 1536, the Length/Type field indicates the nature of the MAC client protocol (protocol type).

Data: This field contains the data being transferred from the source to the destination. The maximum size of this field is 1500 bytes. If the size of this field is less than 46 bytes, extra pad bytes are appended to bring the frame length up to its minimum size.

Frame Check Sequence: This field contains a 4-byte Cyclic Redundancy Check (CRC) value used for error checking. When the source host assembles a MAC frame it performs a CRC calculation on all the bits in the frame from the Destination MAC Address through the pad field, stores the value in the Frame Check Sequence field and transmits it as part of the frame. When the frame is received, the destination host performs an identical CRC calculation; if the result does not match the value in this field, the destination system assumes an error occurred during transmission and the frame is discarded.

The content of an Ethernet header can be displayed from the CLI using the following command:

    diagnose sniffer packet

The port from which the frames are examined can be given in the command, as in the following example, where "" is an empty filter (capture all traffic) and 6 is the verbosity level that prints the Ethernet header together with the interface name:

    diagnose sniffer packet port5 "" 6

7 VLAN Tags
The VLAN protocol permits insertion of an identifier, or tag, into the Ethernet frame format to identify the VLAN to which the frame belongs. If present, the 4-byte VLAN tag is inserted into the Ethernet frame between the Source MAC Address field and the Length/Type field.
- The first 2 bytes of the VLAN tag consist of the 802.1Q Tag Type and are always set to a value of 0x8100. The 0x8100 value is a reserved Length/Type assignment that indicates the presence of the VLAN tag and signals that the traditional Length/Type field can be found at an offset of 4 bytes further into the frame.
- The last 2 bytes of the VLAN tag carry the following information:
  - The first 3 bits are a User Priority field used to assign a priority level to the Ethernet frame
  - The next bit is the Canonical Format Indicator (CFI), used to indicate the presence of a Routing Information Field (RIF)
  - The last 12 bits are the VLAN identifier (VID), which uniquely identifies the VLAN to which the Ethernet frame belongs

8 Interpreting Ethernet Headers

9 Interpreting Ethernet Headers
[Diagram: a tagged Ethernet header annotated with its fields in order: Destination MAC address, Source MAC address, 802.1Q Tag Type, Tag Control Information, Type, IP Data.]
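As an added worked example (not part of the course material), this Python script assembles and decodes an Ethernet frame as described on the Ethernet Frame, VLAN Tags and Interpreting Ethernet Headers slides: it applies the 46-byte pad, computes the FCS, detects the 0x8100 tag, splits the Tag Control Information into priority, CFI and VID, and applies the 1500/1536 Length/Type rule. The sample addresses use the Fortinet OUI from the slide with constructed device bytes.

```python
import struct
import zlib

VLAN_TPID = 0x8100          # 802.1Q Tag Type: reserved Length/Type value signalling a tag
FORTINET_OUI = "00:09:0f"   # OUI quoted on the slide
MIN_FRAME = 64              # Destination MAC through FCS, untagged
MIN_DATA = 46               # Data field is padded up to this size


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fcs(frame_without_fcs):
    """Ethernet FCS: CRC-32 over Destination MAC through pad, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_frame(dst, src, length_type, data, vid=None, priority=0):
    """Assemble a frame the way the source host does: header, padded Data, then FCS."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        # 4-byte tag = 2-byte TPID 0x8100 + 2-byte TCI (3-bit priority, 1-bit CFI, 12-bit VID)
        hdr += struct.pack("!HH", VLAN_TPID, (priority << 13) | (vid & 0x0FFF))
    hdr += struct.pack("!H", length_type)
    body = data + b"\x00" * max(0, MIN_DATA - len(data))   # pad short Data fields
    return hdr + body + fcs(hdr + body)


def parse_frame(frame):
    """Decode Destination MAC, Source MAC, optional 802.1Q tag, Length/Type, Data; verify the FCS."""
    if len(frame) < MIN_FRAME:
        raise ValueError("frame shorter than the 64-byte minimum")
    info = {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]), "vlan": None}
    offset = 12
    (length_type,) = struct.unpack("!H", frame[offset:offset + 2])
    if length_type == VLAN_TPID:
        # Tag present: the real Length/Type field sits 4 bytes further into the frame
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        info["vlan"] = {"priority": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset += 4
        (length_type,) = struct.unpack("!H", frame[offset:offset + 2])
    offset += 2
    info["length_type"] = length_type
    if length_type <= 1500:
        info["kind"] = "length"               # value is the byte count of the Data field
        data_len = length_type
    elif length_type >= 1536:
        info["kind"] = "type"                 # value identifies the MAC client protocol
        data_len = len(frame) - offset - 4    # everything up to the FCS (pad included)
    else:
        raise ValueError("Length/Type values 1501-1535 are undefined")
    info["data"] = frame[offset:offset + data_len]
    # Receiver recomputes the CRC; on a mismatch the frame would be discarded
    info["fcs_ok"] = fcs(frame[:-4]) == frame[-4:]
    return info
```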

10 VLANs on a FortiGate Unit in Transparent Mode
- FortiGate units can act as a layer-2 switch when in Transparent Mode
- The device can tag and forward VLAN traffic, or can receive tagged traffic and remove the tag
- Provides antivirus, web filtering, spam filtering and IPS services on an IEEE 802.1Q VLAN trunk
- A FortiGate unit in Transparent Mode can be inserted into the trunk without making any changes to the network

The FortiGate unit can be configured to apply different policies to traffic on each VLAN in the trunk. Usually, in Transparent Mode, packets are not permitted to move between different VLANs. When the FortiGate unit receives a VLAN-tagged packet at a physical interface, the packet is directed to the VLAN subinterface with the matching VLAN ID. The VLAN tag is removed from the packet and the FortiGate unit then applies firewall policies in the same way as it does for non-VLAN packets. If the packet exits the FortiGate unit through a VLAN subinterface, the VLAN ID for that subinterface is added to the packet and the packet is sent to the corresponding physical interface.

11 VLANs on a FortiGate Unit in Transparent Mode
[Diagram: Switch A (branch office, Subnet 1) and Switch B (headquarters, Subnet 2), each with ports assigned to VLAN 100 and VLAN 200 (labelled Port 1-4, Port 5-7, Port 6 and Port 4-5), connected by an 802.1Q trunk link with a FortiGate unit operating in Transparent Mode inline; the frames on the trunk carry the tag VLAN 100.]
1. Computer sends data frame over the network
2. Switch A tags data frame
3. Switch A forwards tagged data frame to other VLAN 100 ports
4. Switch A forwards data frame to 802.1Q trunk link
5. Switch B removes VLAN 100 tag
6. Switch B forwards data frame to VLAN 100
7. Data frame received by destination computer on VLAN 100

12 Port Pairing
- Binds two ports together when the FortiGate unit is operating in Transparent Mode
- Firewall policies can be created that regulate traffic only between two specific ports, VLANs or VDOMs
- Traffic is captured between these ports; no other traffic can enter or leave a port pairing

For example, a FortiGate unit has three ports, and port 1 and port 2 are paired together because the two networks attached to them only need to communicate with each other. Without port pairing, when a packet arrives on port 1 the FortiGate unit needs to work out whether the packet goes to port 2 or port 3. With port pairing configured this is simpler: a packet arriving on port 1 is automatically directed to port 2, and the same applies in the other direction. This is ideal when two groups only need to exchange data with each other.

13 Port Pairing
[Diagram: a FortiGate unit operating in Transparent Mode with Port1 and Port2 configured as a port pair (Port Pair → Exclusive Traffic); Port3 and Wan1, which leads to the Internet, remain outside the pair.]

14 Transparent Bridge
- Transparent bridging allows a switch to learn about the location of nodes on the network
- The presence and operation of the bridge are transparent to network hosts
- Builds a table for traffic forwarding by analyzing the source addresses of incoming frames from attached networks
- Intra-segment traffic is isolated, which reduces traffic seen on individual segments and can improve network response time

Transparent Bridging has been standardized as IEEE 802.1D. When transparent bridges are powered on, they learn workstation locations by analyzing the source address of incoming frames from all attached networks; through this process, called learning, the bridge builds the table that is the basis for traffic forwarding. When a frame is received on one of the bridge's interfaces, the bridge looks up the frame's destination address in the table; if the address is associated with a port other than the one on which the frame was received, the frame is forwarded out through that port. If no association is found, the frame is flooded to all ports except the inbound port.

Bridging functions are confined to the network bridges that interconnect the network segments. The active parts of the network must be physically built as a tree structure, or the bridges must use the Spanning Tree Protocol to build a loop-free topology by selectively disabling network segments. This allows broadcasting to occur simply by copying packets; the tree structure ensures that loops do not occur and that broadcast packets are therefore not copied indefinitely.

15 Broadcast Domain
A broadcast domain is a network segment in which any network equipment can transmit data directly to another device without going through a routing device.
- Every device on the segment can be reached by sending a single frame to the broadcast address, a special address consisting of all 1s
- All devices share the same subnet, use the same gateway and must be in the same VLAN
- All devices detect the frame transmission, but only the device to which the frame is addressed actually receives it
- Layer-2 (switched) domains are isolated by layer-3 (router) devices

16 Broadcast Domain
[Diagram: an ARP broadcast on VLAN101_wan1 of a FortiGate unit operating in Transparent Mode, with interfaces VLAN101_wan1, VLAN101_internal, VLAN102_dmz, VLAN103_dmz, VLAN104_dmz and Port 1.]

17 Forwarding Domain
- Forwarding domains allow separate broadcast domains to be maintained per VLAN
- Packets are contained and only broadcast between interfaces in the same VLAN

With regard to VLANs the FortiGate unit is an endpoint: tags are removed and applied on these interfaces, but the tag information is not forwarded through the FortiGate device in Transparent Mode. To maintain a separate broadcast domain per VLAN, a forwarding domain needs to be configured per VLAN.

18 Forwarding Domain

    config sys interface
        edit VLAN101_wan1
            set forward-domain 101
        end

    config sys interface
        edit VLAN101_internal
            set forward-domain 101
        end

[Diagram: with forwarding domain 101 configured, the ARP broadcast on VLAN101_wan1 of the FortiGate unit operating in Transparent Mode is confined to VLAN101_wan1 and VLAN101_internal; VLAN102_dmz, VLAN103_dmz, VLAN104_dmz and Port 1 are outside the forwarding domain.]
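As an added example (not Fortinet code), this Python model of a learning bridge shows the Transparent Bridge, Broadcast Domain and Forwarding Domain slides in action: it reads forward-domain assignments from a constructed configuration snippet in the form shown above and confines learning, flooding and broadcasts to interfaces in the same domain. The interface names match the diagram's VLAN subinterfaces; the MAC addresses and the rule that unconfigured interfaces share domain 0 are constructed assumptions.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"   # all-1s address: delivered to every device in the domain

# Constructed snippet in the form shown on the slide; the dmz VLANs are left without
# a forward-domain, so in this model they stay in the default shared domain 0.
FORWARD_DOMAIN_CONFIG = """
config sys interface
    edit VLAN101_wan1
        set forward-domain 101
    end
config sys interface
    edit VLAN101_internal
        set forward-domain 101
    end
"""


def parse_forward_domains(config, interfaces):
    """Return {interface: forward-domain}; interfaces not mentioned keep domain 0."""
    domains = {name: 0 for name in interfaces}
    current = None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["edit"]:
            current = words[1]
        elif words[:2] == ["set", "forward-domain"] and current is not None:
            domains[current] = int(words[2])
    return domains


class TransparentBridge:
    """Learning bridge (IEEE 802.1D style) whose flooding is confined to one forward-domain."""

    def __init__(self, domains):
        self.domains = domains    # {interface: forward-domain}
        self.table = {}           # (domain, mac) -> interface the mac was learned on

    def forward(self, in_if, src, dst):
        """Return the egress interfaces for a frame from src to dst arriving on in_if."""
        domain = self.domains[in_if]
        self.table[(domain, src)] = in_if                        # learning step
        same_domain = [i for i, d in self.domains.items() if d == domain and i != in_if]
        if dst == BROADCAST:
            return same_domain                                   # broadcast stays in its domain
        learned = self.table.get((domain, dst))
        if learned is None:
            return same_domain                                   # unknown unicast: flood
        if learned == in_if:
            return []                                            # intra-segment traffic filtered
        return [learned]                                         # known station: single port
```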

19 Spanning Tree Protocol
- Spanning Tree Protocol is a link management protocol that provides path redundancy and ensures a loop-free topology
- Allows a network design to include redundant links in a tree-like structure that spans all switches
- If one network segment in the tree becomes unreachable, the algorithm reconfigures the spanning-tree topology
- All switches gather information on other switches through an exchange of Bridge Protocol Data Unit (BPDU) messages
- The FortiGate unit will forward or block (the default setting) BPDUs

Spanning Tree Protocol allows a network design to include redundant links in a tree-like structure that spans all switches in an extended network. If one network segment in the tree becomes unreachable or an active link fails, the algorithm reconfigures the spanning-tree topology and reestablishes connectivity by activating a standby path. All switches participating in Spanning Tree gather information on the other switches in the network through an exchange of data messages known as Bridge Protocol Data Units (BPDUs). The FortiGate unit does not participate in Spanning Tree; it either forwards or blocks BPDUs, controlled by the interface CLI setting stpforward, and blocks them by default. In most cases it is best to forward BPDUs (except with HA clusters).

20 Link Aggregation
- Link aggregation describes the use of Ethernet network cables and ports in parallel to increase the link speed beyond the limits of a single cable or port
- Increases redundancy for higher availability
- Bundles several physical ports to form a single logical channel
- A FortiGate unit operating in Transparent Mode can be inserted into an aggregate link

When a FortiGate unit operating in Transparent Mode is inserted into an aggregate link, two aggregate links are created. The FortiGate unit participates in the management of both links using the Link Aggregation Control Protocol (LACP). LACP controls the bundling of several physical ports together to form a single logical channel, and allows a network device to negotiate automatic bundling of links by sending LACP packets to any directly connected peers that also implement LACP.

21 Link Aggregation
[Diagram: gateway router ports GE1/1 and GE2/1 connected to FortiGate Port1 and Port2 as an aggregate link.]

Gateway router:

    interface GigabitEthernet1/1
     no ip address
     switchport
     channel-group 1 mode active
    !
    interface GigabitEthernet2/1

FortiGate unit:

    config sys interface
        edit "link_agg"
            set vdom "root"
            set ip
            set type aggregate
            set member "port1" "port2"
        end

22 Student Resources

