Lecture 62: FortiGate Authentication With AD & Lab Setup.
FortiGate authentication with Active Directory. How can we integrate the FortiGate firewall with Active Directory? Active Directory, we know, is LDAP; in every organization you will find this integration. This is a common method, not only in FortiGate but in other firewalls as well. You have to integrate Active Directory with your firewall so that it can get the user details, because we say this is a next-generation firewall, and a next-generation firewall does policy based on user, which we call user ID. So definitely, if we want to achieve user ID, which is one of the best features of a next-generation firewall, we have to integrate with it. We already did the local user: if you remember, we created one local user and then we authenticated them. But this time we want to do it through Active Directory, a centralized location.
The firewall will send the details to Active Directory, which will authenticate the user. There are two different methods we can use, which we will discuss. So this is called Active Directory authentication. Two methods we can use to integrate the FortiGate firewall with Active Directory. One is active authentication. Active authentication means the user will be prompted to put in the username and password credentials, like this one. Whenever they plug the system into your organization's LAN and try to access any service, they will be prompted like this: please input your details. You can change the prompt, your logo, your details, but anyway that is not a difficult task. The task is that nobody is to be allowed without user authentication. They will be asked to put in their username and password; if they put in the username and password and click the Continue button, then they can access the resources. In our case we will access the internet, but it can be any resource: DMZ resources, servers, whatever. For active authentication we can use LDAP, RADIUS, local and TACACS+. We already did the local one, which asks them for the username and password, you remember. This time we will do LDAP, and the same method can be applied to use RADIUS as well. RADIUS and TACACS+ are two more methods: one is the Cisco one and the other one is the open standard, RADIUS.
And this is called active authentication. Why is it active? Because it prompts you every time. The other method is passive authentication. It will never ask you to put in a username and password, nor will it prompt you for them. But whenever your system is already integrated with Active Directory, like in a normal organization (same as mine), in every organization your PC joins the domain like this one; every PC has already joined the domain. So active authentication is basically for those which are not joining the domain. But if all your PCs and systems have already joined the organization's Active Directory domain, then there is no need: whenever you plug them in, they will take your login details, the Windows login details, and they will allow you; they will send the same Windows login details to the system, to Active Directory. The firewall will send them and ask it to check if this guy is the correct one. It will say yes, because this PC is under the domain and they are using the same credentials, it's okay. So this is called passive authentication, and mostly you will see this type of authentication in the real world. This type of authentication we call Fortinet Single Sign-On, FSSO. Single sign-on means you have to log in one time and you will be logged in forever. But for active authentication, every time you have to log in again. Okay, the two methods are done. This is Active Directory integration.
We will use this type of topology; we will create our own. We have Active Directory; we will use Windows. You can use Windows Server 2003, Windows Server 2008, Server 2012, Server 2016 and Server 2019; it's up to you which one you want to use for Active Directory. Either you can use Linux LDAP as well. And then we need, for test purposes, a few users. We will use Windows XP or whatever, Windows 10, it's up to you: Windows XP, Windows 8, Windows 10. So we will create two zones: one is the DMZ zone, where we will put two users, and we will create one LAN zone, and in the LAN we will put the Active Directory as well. Normally you will see Active Directory in a separate zone, maybe in the DMZ, but we are just testing; it can be put here either way. It's the same thing, either you can put them separately, like inside; normally the Active Directory is inside, so LAN is nothing but inside. So inside we will use subnet 1 and outside, sorry, in the DMZ we will use subnet 2. And then the first port, which we will use for management as well, and also for internet purposes. So this interface will work for two things for us in the lab. So this is the topology which we will use. We will enable DHCP so that all these systems get all the details automatically through DHCP, because we already covered DHCP, so why not utilize it. But the Active Directory we will assign a static IP.
As you know, for a server, normally we assign a static IP. This is our topology. So for the initial configuration we will assign interface IP .100 on this side and .200 on this side. Whatever our WAN range is, we will assign .100, and we will enable DHCP here and here, and we will take two systems and a switch. This is the simple topology to create. And then we will configure one Active Directory. A lot of stuff to do. By the way, in the real world you don't need to configure Active Directory; this is the system side's job. But in this lab we will configure Active Directory as well. So let's do the basic configuration of this lab. Here you can use GNS3, you can use PNETLab, you can use Cloud and you can use EVE; it's up to you which simulator you want to use. At the end of the day, the configuration is almost similar. So I need one Windows Server. Okay, so let me type Windows Server. I put only one server. By the way, I have other images for 2016 and 2019 as well; if you need them I can share, but anyway I'm using Windows Server 2008 R2. And here I will choose RDP. RDP is better to use; VNC is also okay. And this is my server. Okay, so this is my AD. If you want to change the name, it's better, so let me name it AD. This is the Active Directory. Now we need, for test purposes, a few systems. So let me go to Windows, and what do we have? Windows 7 we have, so let me take three Windows 7 and put them as RDP. Okay, so these are the Windows. Two should come here and one has to be in the LAN. Okay, so this is done. Now I need two switches to connect these. So let me go to IOL and from here let's take this one. I need two switches. Let me give them the name SW and change the icon to switch. Okay, and no need to do anything more. Okay, they created only one. Let me put another one as well, another switch, and change the icon to switch, layer 2 or layer 3, it's up to you. So this is the inside switch, and let me select them and put them here, so there is more space.
Now I need one firewall.
So let me take a firewall: FortiGate. Type FortiGate here; they gave them the name, so we have so many firewalls. Anyway, let's take any of these versions; all of them are similar and there is no need to do anything. So this is a firewall. Now I need an internet cloud. So choose Network and let me type internet. In your case most probably you will use Management for internet, but in my case it's Cloud1. So this is our internet and also for management as well. Now let's do basic connectivity. So this is connected to any port; we don't care which port has to be connected. And also connect this Windows and this one. And let me connect the first port, port1, which is DHCP enabled and which is the management port as well. And now connect port2 here, inside the LAN, and this port goes to the DMZ. So my topology is ready now. Okay, there is a way to make them at least in line. Okay, let me turn them on. What we will do: only one is enough right now. Until then, let me put some text. So 192.168.1.0/24, and let me change the color, because you are waiting for the firewall and the other stuff to boot, so it's better to do something here on this side. So this is this subnet, and let me create another subnet on this side and make it 2. Done. And let me duplicate this one: Active Directory. We will assign a static IP; it's up to you which IP you want to assign. 192.168., suppose .10. So this is the IP address of the Active Directory, and the rest of everything will get IPs through DHCP. Either you can make this Active Directory the DHCP server, which we did before, but in this case we will make these interfaces the DHCP servers. And let me type .100 with some other color, like blue or something. Anyway, they didn't do it, so it's okay. So this interface IP will be .100, the same for this interface and the above interface; it's up to you. Okay, and now let me make them smaller. Okay, this is the basic configuration. First let's go to the firewall. Can we access it?
Double click and open SecureCRT and let's check the IP address. Did it get the IP address or not? There is this issue as well, because I'm using a server, not my own system, so sometimes, like last time, we get an issue, but hopefully... So admin, there is no password. Enter new password: 123123. Ctrl+Q, show system interface ?. So it got it. Luckily we got the same .100, otherwise I was about to change it.
So let me access the firewall. This is the same issue, I believe. Now we are getting it, okay. Now it has to be HTTP because this is without a license. So I hope, if this one is accessible, then our issue will be easy now. Okay? So admin and 123. So this is my management as well and WAN as well. What is the WAN IP? Because I'm using the actual interface. So the IP of this place is .1. Let me type 192.168.1.: this is the gateway. Okay, and basically this one, so let me put this as the gateway, and .100 is management. Okay, so what to do first? Let's configure the firewall first, basic stuff. I don't need this one now, let me close this one. So I need to configure these two interfaces, .100 and .200. If you want to give them a name, let me give them the name DMZ; this is like our DMZ, okay? And let me make the other one Inside. Okay, let me give them Inside, so this is the inside and this is the DMZ, or LAN, it's up to you whatever name you want to give them. So let's do the basic configuration of this place. Begin and change the name; it's better to change the name of the FortiGate, otherwise it will ask every time to change it. Okay, so now let's see the interfaces: port2 is the LAN, port3 is the DMZ and port1 is the WAN. First thing first, which we always do: go to Network, go to Interfaces. Okay, first interface, this one, just give it the name WAN, even though it is also management as well; that's why management is on. Okay, now go to port2. Port2 is our LAN. So let me give it the name LAN and allow ping so that we can test it.
And which IP did we decide? 192.168.1.100/24 is the subnet mask. Ping is allowed. But we want to enable DHCP as well, as we decided. No need for a second range, because we have only one system. So this is enough. The default gateway will be the interface, DNS will be the same, and no need to do anything else. And that's done. So my LAN is enabled now, and also I put the IP and I enabled DHCP. Port3: port3 is basically this one, which is the DMZ. Okay, so let me give it the name DMZ, and the IP should be .200, which we decided; ping will be allowed, and we enable DHCP on this one. No need for a second range, and the same DNS and the same everything. Okay, so these two PCs can get IPs automatically through DHCP, and also this side, but we will assign static from this range: .10. Okay, so this is also done. Port4 we are not using, so leave it. So our interfaces are done. Next step, which we always do: configure DNS. To go out we need 8.8.8.8 as DNS, and second, my 192.168.1.1 interface; 192.168.1.1 is my WiFi router. It's done. It's also, by the way, mentioned here as well. It's okay. So I will use these two DNS servers. Another thing I need is a static route so that all my traffic can go. So all this traffic and this traffic has to go out on this interface; the next hop is 192.168.1.1, which is my router. So create new, and here, anything, I would say give it to 192.168.1.1, that's the next hop I told you, and for the interface choose WAN; the administrative distance is 10. We already discussed this, so this is also done. These are the basic requirements, done from the firewall side; DHCP is configured, everything. If I go to XP it has to get an IP automatically, I believe. So let me go to XP, not XP but the client, so I believe it will get it automatically through DHCP from here. Let's see, test them: one PC, then we will go. So by default the name is, I think, test and test123, or user and 123? I think user and test123 is the username by default in EVE?
Yeah, it's "welcome". So let me just use the correct one: user, and the password is Test123 with a capital T. If you want to use the same image in your EVE, by the way, all of them are like this. So this is my DMZ client; I just want to test whether it is getting an IP automatically or not.
So let's go. It should be .1 or .2, because .100 we assigned to the interface and the DHCP range is from .1 to .99. So this is my LAN interface, and it got 2.1; it's correct, it got the gateway, it got the DNS and the other DNS. So it means our DHCP is working. So let me minimize this one. Okay? And hopefully this PC will also get it automatically; if this one got it, it means it's correct. Now coming to the difficult part, which is out of scope, but we are doing it, and that is to configure Active Directory. So click on Active Directory. Okay. And we will do it remotely: start the Active Directory, Server 2008. Why is it not going? Let me remove this PC right now; no need right now. So let me do what else there is to do, at least something. Let me test this one. Let me refresh. Okay, I'm blocked here. Sorry. So allow, and done. Let me allow forever. Why is the browser blocking this? Okay, now let's see whether we can do it right now or not. This time it opened. So now I want to go to Active Directory to make the basic configuration. Okay? By default, the username is Administrator and the password is Test123. This one is user and Test123. And this one, let me show you, is Test123. In case you want to use this in your EVE, these are the default credentials. I will share all the EVE usernames and passwords, whatever image you want to use.
There is a list also available on the internet. So now I'm in Active Directory. So let's go and assign it a static IP first. We can assign it from many places: from here, from Control Panel, from here. Anyway, let's check here first to assign it. This is the first step, to create it. So why is it not showing me here? So it's better to go to Control Panel, go to Network and Sharing Center and Change adapter settings. Maybe it got one automatically. So let's give it the same one, by the way, or another, it's up to you. No need for IPv6; disable this one. And 192.168.1., suppose let me give it .200, and 192.168.1.100 is the gateway, you remember, here is the firewall IP. 8.8.8.8 is DNS and 192.168.1.1 is another DNS, but I think instead of 8.8.8.8 we will use this server as DNS as well: 192.168.1.200. And okay, so I changed my mind and I assigned the .200 IP to the server. And a static IP is required. This is the first tip: the static IP is configured. Now go, you can click from here either, from here. So this is 1.200. Okay. By the way, IPv6 hasn't to be enabled. If you refresh it will go anyway. If I close, you can click from here. Okay. So SRV is the name, and Remote Desktop is enabled.
We don't need this; Do not show this again. Now what you need to do: I just need one role to install before Active Directory. Click on Add Roles. Okay, click Next, and there is Active Directory Domain Services. This Active Directory Domain Services has to be installed before configuring Active Directory. Install. So until then, let me change this IP so we are not confused. I changed my mind, because .10 comes under the DHCP pool. So rather than make some issue, it's better to assign an IP which is outside the scope of DHCP. So I assign it .200. Okay. And now this service is required for Active Directory, to configure Active Directory. Also we will need the DNS role. So let's wait for this one. Active Directory Domain Services: Active Directory is basically a centralized location where we create users, groups and so many other things, systems and all, and from there we can authenticate against the centralized location. Most organizations are using Microsoft, and nowadays you will see Server 2016 in most of them, and maybe some organizations switched over to Server 2019 as well. But at the end of the day the concepts are almost similar.
Only the graphics will be different, like Windows XP and 7 and 8; there it is a bit different. Yeah, the same is in Server: in 2019 they give it a Windows 10 type of display. So we need this one first. Okay, let's go and do what? Okay, so this is my DMZ. It got an IP, and they will also get an IP, which we can verify from the firewall as well. By the way, admin and 123, which we've done. And DHCP: if we go to the firewall and go to Monitor, there is a DHCP monitor; it will show you the IP in the LAN, they assigned one IP, and in the DMZ they assigned one IP. So it's true and it's correct. Okay, now let's go back to this. Install: Windows Automatic Update is not enabled; it's okay if they have some error. Now they say if you want to launch Active Directory, either type dcpromo or click here. So why not click here, it's better; otherwise you can type dcpromo here. So this prompt will come; click Next. Next, we are using Create a new domain. This is the first time we are creating it, and let me give it the name test.local. Any name you can give it, test.local, or test.lab, it's up to you. Let me make it more simple: test.lab. This is my domain name, the fully qualified domain name, test.lab. Okay, they will check whether this name is maybe already there or not.
So let's see that. Okay, so what did we do? We gave it the name, the alias name of the WAN interface; we configured the WAN, we configured the LAN interface, we enabled DHCP, we configured DNS and then we configured the default route to push all the traffic there. And we enabled the DHCP server on the DMZ as well and on the LAN as well. Okay, now this part we will do after this Active Directory. So they ask which one? So I say Windows Server 2008 R2, or 2008, it's up to you, whatever you want to choose: the domain functional level. Okay, now we did not install DNS. It requires DNS. By the way, Active Directory has some prerequisites: one of them, the server has to have a static IP; second, there should be a DNS. Okay, so maybe they will install it automatically. Active Directory requires DNS, which we discussed, I believe you remember. So yes, we say install DNS, because it's required. So Next, and yes, they will install DNS; either you can install DNS from a role in advance, okay, it's up to you, but it is required, so it will do it. Now they are installing. Do you want to continue? Yes. So they will store their database, this is NTDS, okay, in here, and SYSVOL; all the policies will be stored here in this location. Now we need a complicated password: Abc@12345, Abc@12345, and confirm it.
If you want to export all your details, you can export; anyway, we don't need it, and we just want to install Active Directory. Okay, so they are writing all the details, whatever we have, the Active Directory and DNS configuration. After a while they will complete the configuration. Then in the next step we will configure DNS, which we studied, by the way. Now we will see how we configure DNS, which is a must and required for Active Directory. It has to be properly configured, and by default it is not configured. We will see how we can configure it and how we can test it, whether the DNS is properly working or not. So let's see, they are still working on it. It will take a bit, maybe one or two more minutes, and then we will configure DNS properly. So our Active Directory will be ready. After this one is ready we will create users inside Active Directory, which are required for user authentication. So we will create some groups, then we will put some users in, and then we will authenticate those users through the PCs which we have, the Windows ones, and also we will call that group inside our policies. But before that, we will integrate our Active Directory with the FortiGate firewall. These are the steps which we want to achieve. Okay, so still, maybe they require a reboot as well; sometimes when you install Active Directory and do everything they will ask you to reboot the system. Before, the name was SRV; now it will be test.local.
You remember it was only showing... we go to Properties. So SRV, still it is not yet; it will show the full name here. Okay, the domain is here now, but it should be server.test.local after a while. Okay, so while it's done, let me increase the time. It's always disconnecting. Yeah, so let me go to System, Settings, session timeout. I need to increase the session timeout. This session timeout, the idle timeout: whenever I'm coming, the idle timeout is five minutes. So the last one is 480. So now it will not be logged out again and again. Okay, let's go back. Okay, it's done. And Finish. Unfortunately, you have to restart for the Active Directory to work. So Restart Now, and our Active Directory will be ready after rebooting this server. Okay, so we need to wait for a while. Okay. And it's better to stop here. So our basic configuration is done up to this point: our DHCP is working, the systems are getting IPs, our interfaces are configured, per interface DHCP is enabled, and we have one Active Directory which we configured. But by the way, there is DNS as well. So let me wait; I thought let me close the video, but we need to configure DNS as well, then everything will be ready. So let me try again, if we can access it. So let me do RDP again, because it's rebooting. So until then it will not take RDP; we have to wait. So maybe it will disconnect, then we will try again, because still we are not sure whether it has rebooted yet or not. Okay, so let me type here. The username is Administrator and the password is Test123. This is Active Directory, one server, to any server which you are using. So this is the username. Okay. And the system username and password is... okay, let me change this one to user. This is the default username and password.
So it's not working because the system was not on, so my session was disconnected. Let me do it again, and hopefully this time it will be okay. So it came up. Administrator, not this one; use a different one, not the Hakkum, I think. So ours is administrator@test.lab, and the password is Test123. Okay, so it's showing us that they are going to apply all the settings which we configured. Active Directory will take some time to apply the policy. Then we will configure DNS. Okay, now they say change the password, it's required. So what was the old password? Test123. And let me put Abc@12345 and change it. That's not... sorry. The password there is Test123; the new password is Abc@12345, and repeat Abc@12345, and now change it. So the password is changed. Now we can log in. The last thing which we need here is to configure DNS and to create some users. Okay, so it came up. Now click on this one. Okay, so it came up; we have some roles installed now. Okay, but if we go to Roles and click on DNS, or you can go from here as well, okay, it will show here as well: Administrative Tools, and there should be DNS. When you click on DNS, either from here, it brings me here. So this SRV is my system name. Forward lookup, you know, which I told you about in DNS: so test.local, SRV and 1.200 are there, but the reverse lookup zone is not there. So it's not configured. How do I know? If you click on SRV and click Launch nslookup, there will be an error.
We need to remove this error; then DNS will be configured. This is the shortcut way. So first thing first: our forward lookup is there. DNS is translating domain names to IPs and IPs to domain names, remember. Right click Reverse Lookup Zones, Next, Primary zone, Next, IPv4. So what is our network ID? 192.168.1. Next and Finish. So my reverse lookup zone is there. But again there will be an error if I click Launch nslookup; still there is some error. Why? I don't have an entry for the reverse. So create a pointer: .200 is the SRV server. Click on SRV, forward test server, and okay, and now let's try again for the last time. Okay, so it's still giving me an error. Why? I told you we need to disable IPv6. So let's go to what is creating the issue. Go to Control Panel, go to Network and Sharing Center, Change adapter settings. So I think I removed it from this one but not from the other one. So IPv6 is disabled here, so maybe this one is creating the issue. There is another one; disable this one. By default IPv6 is enabled. Let's get that one. So now let's go to our DNS. Okay, it's just stuck for a while. So let's see: Ctrl+Alt+Delete. So we are back now; let me cancel and let's go to DNS again. Administrative Tools, go to DNS, and let's see, the same error either way? Because we disabled IPv6 now. And click on the server, right click, Launch nslookup. So now it's okay. The default server is srv.test.lab, and this is our domain. And if you type srv it will show you the IP, and if you type the IP 1.200 it will show you the host name. That's what we do; yeah, this is what DNS does. Because in DNS we have only one entry, we don't have any users; otherwise if you type PC1 it will give you PC1's IP, but we don't have any. Anyway, my DNS is okay. And how can you verify? Right click, Launch nslookup; it will show you the server name and IP address. So the forward lookup zone was already there; I created the reverse lookup zone and I put the PTR entry, which we discussed. Now DNS is ready.
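The server-side steps above, from the static IP through the reverse lookup zone and the nslookup check, collected as one PowerShell script. This is an added example, not the lecture's own commands: the lecture does these in the Server 2008 R2 GUI (Network and Sharing Center, Add Roles, dcpromo, the DNS console), while this script assumes Windows Server 2012 R2 or later, where the NetTCPIP, ADDSDeployment and DnsServer cmdlets exist. It also assumes the computer is already named SRV, that the adapter alias is Ethernet, and that you supply the DSRM password at the prompt; the addresses, gateway and domain name are the lecture's.

```powershell
# Added example (not the lecture's commands). Assumes Windows Server 2012 R2 or
# later; the lecture's Server 2008 R2 uses dcpromo and the GUI instead. Values
# from the lecture: server 192.168.1.200/24, gateway 192.168.1.100 (the
# FortiGate LAN interface), domain test.lab, host name SRV.
# The adapter alias "Ethernet" is an assumption; check it with Get-NetAdapter.

$Adapter   = 'Ethernet'
$ServerIp  = '192.168.1.200'
$Gateway   = '192.168.1.100'
$Domain    = 'test.lab'
$NetbiosNm = 'TEST'

# 1. Static IP: a domain controller must not be a DHCP client. Drop any
#    DHCP-assigned address and route first, then set the lab address.
Remove-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
Remove-NetRoute     -InterfaceAlias $Adapter -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $ServerIp -PrefixLength 24 -DefaultGateway $Gateway
# The DC resolves through itself; 8.8.8.8 is only the secondary, as in the lecture.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $ServerIp, '8.8.8.8'

# 2. Unbind IPv6 on the adapter, which the lecture does to clear the
#    nslookup error caused by an unconfigured IPv6 listener.
Disable-NetAdapterBinding -Name $Adapter -ComponentID 'ms_tcpip6'

# 3. The "Add Roles" step: AD DS plus DNS, with the management consoles.
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

# 4. Promote to the first DC of a new forest (replaces the dcpromo wizard).
#    The DSRM password is entered at the prompt, not stored in the script.
#    The server reboots automatically when this completes.
$DsrmPwd = Read-Host -AsSecureString 'DSRM (safe mode) password'
Install-ADDSForest -DomainName $Domain -DomainNetbiosName $NetbiosNm `
    -InstallDns -SafeModeAdministratorPassword $DsrmPwd -Force

# ---- Run the rest after the reboot, logged in as TEST\Administrator ----

# 5. Reverse lookup zone for 192.168.1.0/24 and the PTR record for the server,
#    the two things the lecture adds by hand in the DNS console.
Add-DnsServerPrimaryZone -NetworkId '192.168.1.0/24' -ReplicationScope 'Domain'
Add-DnsServerResourceRecordPtr -ZoneName '1.168.192.in-addr.arpa' -Name '200' -PtrDomainName "srv.$Domain"

# 6. The check the lecture does with "Launch nslookup": name to IP and IP to name
#    must both answer from this server.
Resolve-DnsName -Name "srv.$Domain" -Server $ServerIp -Type A
Resolve-DnsName -Name $ServerIp    -Server $ServerIp -Type PTR
```

Run it from an elevated PowerShell session. Steps 1 to 4 end in a reboot, so steps 5 and 6 are run afterwards; if step 6 returns an A record and a PTR record for srv.test.lab, DNS is in the state the lecture reaches before creating users.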
The last thing before this basic setup is done is to create a user in Active Directory. So go to Active Directory; there is Active Directory Users and Computers. We will need some test users. So this test.lab is my domain.
There is Users. Why not create a separate OU? Create a new organizational unit; we call it an OU, and call it, suppose, Firewall. So I create a separate OU for my own lab purposes. And here I need to create users now. So create a user: suppose User1, or suppose we have IT and Sales. Okay? Or HR1 is the username, and it requires a complicated password. So let me remove the complicated password setting. If I go to Administrative Tools there is Group Policy Management, so that I can give them a simple password; otherwise I will need to set a complicated password. So Group Policy, Next? No. There is one way: Administrative Tools. I need to remove the... there is Group Policy. I think it's Group Policy Management. Yes, it should be here. It's not. I cannot create. Maybe I'm in the wrong place. Your domain, sorry, Domain test, and there is the Default Domain Policy. Okay, and let me edit it. I just want to put a simple username and password. So for that purpose I am here to create a new user base, I think, or the system base; I can't remember, sbinage is what I use, but anyway, let me come to Administrative and there is some security, I think, when Windows... yeah, I remember something. Okay, so let me go to Windows, okay, and there is Security, and in Security there is Local Policies and Account Policies. There is the Password Policy. They say it has to be at least seven characters.
So I say leave it; set it to one character. One character. And they say it should be a complicated password; I say disable the complicated password, and that's it. Okay, but for this one to work, I need to apply the policy, so there is a command, gpupdate /force, something; I hope it will work. Let's see. Now I want to create some users. So User: let me create HR1; the username is HR1. Next, I want to put 123123, user cannot change password and password never expires, and Finish. So HR1 is created. Let me make a copy of this one. Sorry, I disabled it; enable the account. There is Copy. Copy, and HR2, HR2, Next, 123 and 123, and Finish. Two users are enough. And let me create two more users in another one. Maybe IT1, or Sale1: Sale1, 123 and 123, user cannot change the password, password never expires, and let me copy it. Next, 123123, and Finish. Now I need to create two groups to put them in. This is the beauty of Active Directory, so that we can apply the rules group-based. So one group is HR, okay, Next. And another group is... let me go back to New, and where is Group? Here: Sale, and okay. Now go to the HR group.
Let me make them bigger. From where can we make them... there is an option, I forgot; there is something, yeah, this one, something to show them bigger. You know there are two: this is a group, and this one where one person is showing is a user. Okay. So in HR no one is there. So let me add those two users here. So remember, I will say add HR1, Check Names, and add, Apply, and HR2, HR2, Check Names, and okay, so two users have been added. Either you can select Sale1 and Add to a group; which group? The Sale group, Check Names, and okay. And now Sale2, right click, Add to a group, Sale, Check Names, and okay. So if I come to Sale, the two users will already be there: yes, Sale1, Sale2. Okay, and if I go to HR, so two members are there, HR1 and HR2. That's it; this is what we need to create for test purposes, and our Active Directory is now ready; everything is done and the basic configuration is done. Now we will move on to our main topic. So let me stop this.
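The user and group part of the lecture, from relaxing the password policy to checking the group members, as a PowerShell script. This is an added example, not the lecture's own commands: the lecture does it in Group Policy Management and Active Directory Users and Computers. It assumes the ActiveDirectory module (available on a domain controller from Server 2008 R2 onward) and the lecture's domain test.lab; the OU name Firewall, the user names HR1, HR2, Sale1, Sale2, the groups HR and Sale, and the lab password 123123 are the lecture's values. One difference from the GUI route is stated in the code: Set-ADDefaultDomainPasswordPolicy writes the policy attributes on the domain object directly, whereas the lecture edits the Default Domain Policy GPO, and whatever that GPO still defines is re-applied at its next refresh.

```powershell
# Added example (not the lecture's commands). Assumes the ActiveDirectory module
# on a DC of the lecture's domain test.lab. Reproduces the lecture's lab-only
# settings: a 1-character, non-complex password policy and the password 123123.
Import-Module ActiveDirectory

$Domain   = 'test.lab'
$DomainDn = 'DC=test,DC=lab'
$OuName   = 'Firewall'
$OuDn     = "OU=$OuName,$DomainDn"
$LabPwd   = ConvertTo-SecureString '123123' -AsPlainText -Force   # lecture's lab password

# 1. Password policy. The lecture edits the Default Domain Policy GPO (minimum
#    length 1, complexity disabled) and runs gpupdate /force. This cmdlet sets
#    the same attributes on the domain object directly; if the GPO still defines
#    them, the GPO's next refresh re-applies the GPO values, so for a lasting
#    change edit the GPO as the lecture does.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain -ComplexityEnabled $false -MinPasswordLength 1
gpupdate /force | Out-Null

# 2. A separate OU for the lab objects, created only if it is missing.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDn)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDn
}

# 3. Groups and their members, as in the lecture (group name -> user names).
$Layout = @{ HR = @('HR1', 'HR2'); Sale = @('Sale1', 'Sale2') }

foreach ($Group in $Layout.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$Group'" -SearchBase $OuDn)) {
        New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security -Path $OuDn
    }
    $Existing = @(Get-ADGroupMember -Identity $Group | Select-Object -ExpandProperty SamAccountName)

    foreach ($User in $Layout[$Group]) {
        if (-not (Get-ADUser -Filter "SamAccountName -eq '$User'")) {
            # Same options the lecture ticks: user cannot change password,
            # password never expires, account enabled.
            New-ADUser -Name $User -SamAccountName $User -UserPrincipalName "$User@$Domain" `
                -Path $OuDn -AccountPassword $LabPwd -Enabled $true `
                -CannotChangePassword $true -PasswordNeverExpires $true
        }
        # Add-ADGroupMember errors on an existing member, so check first.
        if ($Existing -notcontains $User) {
            Add-ADGroupMember -Identity $Group -Members $User
        }
    }
}

# 4. The check the lecture does on each group's Members tab.
foreach ($Group in $Layout.Keys) {
    $Members = (Get-ADGroupMember -Identity $Group | Select-Object -ExpandProperty SamAccountName) -join ', '
    '{0}: {1}' -f $Group, $Members
}
```

Run it as a domain administrator on the DC; the last loop prints one line per group listing its members, which should match what the lecture sees in the HR and Sale groups. The script can be re-run safely, since every object is created only when it does not already exist.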