Figure out what Applications are going across your network and GET CONTROL of your security!
Subtitles xD.
I am about to start a new job as a Cybersecurity Analyst and now I know I will be managing many FortiGates. I have never touched one before, but viewing your videos has given me relief. Thank you Mike.
Seeing System -> Settings -> NGFW mode was very helpful. Thanks!
Thank you for making the first completely understandable tutorial I've seen about the fortigate. Cheers.
Just watched once.. getting addicted..and subscribed... You deserve it...
You are a great teacher. Thank you.
Mike, you've been helping me a lot! Thanks.
Now I'm putting an 80F 6.4.10 into service. The idea is to use Policy-Based and to do fairly heavy Application-Based blocking. A couple of issues for me:
- I don't know what applications are in use so I have to figure that out by capturing them.
- As you've suggested, I have logging set up but don't know what to look for to see just application accesses. Then, I'd pick the commonly-used production apps to Allow.
That's sort of a "white list" approach and I'm a bit leery of doing that as there will no doubt be a long learning curve.
Thank you for your very instructive videos.
Hi Mike. Appreciate your tutorial. Well, do you have a tutorial on configuring a bridged LAN as a domestic link? Thank you.
Thanks for sharing this content. I'm subscribed and hit the notification button. Good stuff man, keep it up. I'm 100% focused on Fortinet and Palo for now; I think they are super good.
Awesome and straight-to-the-point video! Keep those coming, Mike! :)
Great video man. I want to know if we can do the same block with profile-based and policy-based, so executives can have access to YouTube and the rest don't.
Thanks for your demo. May I know how to set up the executive YouTube access on a FortiGate 101F?
Thank you for another good production.
Thank you!
Good demo, thanks.
Hi Mike. Really appreciate your work (and your wit). Would you consider making A to Z Fortinet courses on a platform such as Udemy ? Don't get me wrong, free stuff for the community is so valuable, but I know I would definitely subscribe to a complete and organized course (sections, labs, etc.).
The thought has crossed my mind
@@FortinetGuru you should Mike, you are great!
Great video! Which is better to use in an environment, UTM profile-driven or policy-driven policy? Thank you Mike for great content.
Great video Mike, very useful
Hi Mike, thanks for sharing your knowledge. Do you have any videos on how to block Skype, WhatsApp or any other video calling applications but allow only the messaging of those apps?
Hi there, nice tutorial. After I added the firewall I couldn't download any applications. Can you please tell me how to do that? I'm new to the FortiGate environment. Please let me know, thank you.
You're the man!
Hi Mike, I have a question about the user. Is the user "mike" configured in the Active Directory server? For example: I have a domain user "max". Can the FG identify "max" as a domain user? In other words, can the FG identify the user logged in on a domain PC?
Nice Video,
Have you observed that when selecting flow mode or proxy mode in the firewall policy (a new feature from 6.2) the UTM doesn't change? Flow mode supports fewer UTM features; for example, it doesn't support VoIP.
Also, when you click on creating a web filter for flow-based from the policy, it shows you the proxy web filter.
Great video. Google Chrome is allowing YouTube traffic even if it is blocked. How to fix that?
Are you allowing QUIC? It will bypass some threat protections if you are.
Please, in the app category can I find STBemu for IPTV to allow on FortiGate?
Hi Mike, thanks for your video.
I have a question regarding the "Allow and Log DNS Traffic" application control profile option. The only info I managed to find regarding this option is that we should only enable it during investigation.
1/ When the option is enabled, which DNS requests will be logged? All DNS requests?
2/ Where can I find the logged DNS requests?
3/ Is disabling this option supposed to block DNS traffic?
I set up a small lab, and disabling the option didn't lead to blocked DNS requests.
I wasn't able to find the documentation regarding what this option does exactly...
Any help would be appreciated :)
Many thanks,
Nice, just came across your channel while I was looking for info about having both tunnel and bridge mode for FortiAP. My WiFi throughput is slow (currently in tunnel mode), so I'm considering switching over to bridge mode. I have several SSIDs and would like to keep them if possible. Glad I stopped to listen, will definitely watch all your other videos...
I'm one of those that have spent hours trying to figure things out, as frustrating as it is at times it is a good learning experience. I have a 60F I use for home and work.
I do have one question regarding the CATCH-ALL to allow all other traffic out. Wouldn't one want it to deny all other traffic because the other policies are taking care of what you allow out? This is probably a silly question... Thanks for doing the videos. The answer I'm looking for is probably in one of your other videos. Take care and thanks!!!
Is it better to use DNS filter to block a website? What is the advantage of using layer 7 inspection?
Hi Mike, under Application Control we have two options, "Network Service" and "General Internet". Could you please tell me which of them should be allowed and which need to be blocked? Please share guidelines for the same.
Hi Mike, I'm trying to figure out how to let the kids get on YouTube for 30 minutes a day. I can't seem to get it working. Have you done timers with it yet?
You could do quotas but that is more on bandwidth. Time wise I suppose you could do a policy with a 30 minute schedule assigned to it and let them know they can only get to YouTube from 11-11:30 etc? 😂
@@FortinetGuru I was trying to use the time based quotas that are in 6.4. The problem is these stinking chromebooks the kids have from school. I may have to open a ticket with Fortinet and try and get it working.
How do you apply application and web filters to mobile phones? These filters are only working on computers.
Question: FortiGate has been blocking my Spotify. How do I resolve it?
Awesome video.... I'm not able to find the link you mentioned to work on the tweak of the app control BASE.
It is in this video, about half way through ua-cam.com/video/mC3xvZWFMtY/v-deo.html
Thank you for this very informative video.
Question - for a security policy, if I don't have any app control profile applied to it, does it still identify application traffic? Or does it just show up in the logs as standard firewall port-based traffic?
I guess what I am asking is, if I want the app to be identified (whether I want it blocked or not), do I always need an app control profile?
Thank you in advance.
You need an application sensor applied to the policy passing traffic in order to view the app data. Fortinet does not auto ID like Palo Alto does.
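The two threads above (figuring out which applications are in use from the logs, and the fact that app data only appears when an application sensor is applied to the policy) plus the QUIC question further up all come down to reading FortiGate's key=value logs. The script below is an added example and is not part of the original thread or of Fortinet's tooling. It parses constructed sample log lines in the FortiOS syslog layout (the `logid` values and all addresses, users and counts are placeholders, not captured data), builds a per-user application inventory from `app-ctrl` events, flags accepted UDP/443 flows as likely QUIC, and lists policy IDs that pass traffic but never produced an `app-ctrl` event (a heuristic for "no sensor on this policy", since an application that simply was not matched looks the same in the logs):

```python
import re
from collections import Counter, defaultdict

# Constructed sample FortiGate log lines (not captured from a real device).
# Field names follow the FortiOS key=value syslog layout; logid values,
# addresses, users and byte counts are placeholders.
SAMPLE_LOGS = """\
date=2023-05-01 time=09:12:01 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" vd="root" srcip=10.0.0.21 dstip=142.250.74.78 user="max" proto=6 service="HTTPS" policyid=5 action="pass" app="YouTube" appcat="Video/Audio" apprisk="elevated"
date=2023-05-01 time=09:12:07 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" vd="root" srcip=10.0.0.22 dstip=52.113.194.132 user="anna" proto=6 service="HTTPS" policyid=5 action="pass" app="MS.Teams" appcat="Collaboration" apprisk="low"
date=2023-05-01 time=09:12:09 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" vd="root" srcip=10.0.0.21 dstip=142.250.74.78 user="max" proto=6 service="HTTPS" policyid=5 action="block" app="YouTube" appcat="Video/Audio" apprisk="elevated"
date=2023-05-01 time=09:12:15 logid="0000000013" type="traffic" subtype="forward" vd="root" srcip=10.0.0.21 srcport=51322 dstip=142.250.74.78 dstport=443 proto=17 user="max" service="udp/443" policyid=5 action="accept" sentbyte=48200 rcvdbyte=912000
date=2023-05-01 time=09:12:20 logid="0000000013" type="traffic" subtype="forward" vd="root" srcip=10.0.0.22 srcport=51900 dstip=52.113.194.132 dstport=443 proto=6 user="anna" service="HTTPS" policyid=5 action="accept" sentbyte=3000 rcvdbyte=12000
date=2023-05-01 time=09:12:31 logid="0000000013" type="traffic" subtype="forward" vd="root" srcip=10.0.0.30 srcport=40010 dstip=203.0.113.9 dstport=22 proto=6 service="SSH" policyid=7 action="accept" sentbyte=900 rcvdbyte=4100
"""

# One key=value pair: the value is either double-quoted (may contain spaces)
# or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line: str) -> dict:
    """Turn one FortiOS syslog line into a dict of field name -> string value."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in FIELD_RE.finditer(line)}


def parse_logs(text: str) -> list:
    """Parse every non-empty line of a log export."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def app_inventory(records: list) -> dict:
    """Applications seen per user, from app-ctrl events only.

    Returns {user: {app: Counter({action: count})}}. Traffic-log records are
    ignored: without an application sensor on the policy there is no app-ctrl
    event, so nothing is identified.
    """
    inv = defaultdict(lambda: defaultdict(Counter))
    for r in records:
        if r.get("type") == "utm" and r.get("subtype") == "app-ctrl":
            inv[r.get("user", "unknown")][r["app"]][r.get("action", "?")] += 1
    return inv


def quic_candidates(records: list) -> list:
    """Accepted UDP/443 flows: the shape of QUIC slipping past HTTPS inspection."""
    return [r for r in records
            if r.get("type") == "traffic" and r.get("proto") == "17"
            and r.get("dstport") == "443" and r.get("action") == "accept"]


def policies_without_app_visibility(records: list) -> list:
    """Policy IDs that passed traffic but never produced an app-ctrl event."""
    traffic_pols = {r["policyid"] for r in records if r.get("type") == "traffic"}
    appctrl_pols = {r["policyid"] for r in records if r.get("subtype") == "app-ctrl"}
    return sorted(traffic_pols - appctrl_pols)


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for user, apps in app_inventory(recs).items():
        for app, actions in apps.items():
            print(f"{user:8} {app:12} {dict(actions)}")
    for r in quic_candidates(recs):
        print(f"QUIC? {r['srcip']} -> {r['dstip']}:{r['dstport']} via policy {r['policyid']}")
    print("policies with traffic but no app-ctrl events:",
          policies_without_app_visibility(recs))
```

Feed it a real export (FortiAnalyzer or syslog) in place of `SAMPLE_LOGS` and the inventory gives the allow-list starting point asked about above; the UDP/443 report shows where a browser is using QUIC around an HTTPS-only web or app filter, and the last function points at policies worth putting a sensor on before trusting the "what is in use" picture.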
Can we block 3DES in application control? Thanks.
Difference with "Internet Services" as destination?
For FortiGate, I think this is a must-have feature to make your traffic readable in FortiView; otherwise it is very hard to know what traffic is going in and out and what application is in use.
From FortiView you can clearly see what application is in use, and some vendors like AWS and TeamViewer have a lot of IPs, so this feature filters all of them.
And recently I found that the services function can also be based on vendor services; this is awesome and I hope more vendors will be covered by FortiGate, for example some cloud-based antivirus like Cybereason, CrowdStrike etc.
Great video.
Hello, I have a prepped configuration file to upload to a FortiGate 61F firewall, but I don't know how. Can you provide me some information please?
Amazing stuff as always!
Quick question: does NGFW/policy mode also require SSL with deep packet inspection?
Thinking of shifting gears over to that style (been in legacy profile-based since forever)
Hi Mike. I'm struggling a bit with my Infrastructure Specialist role because our consultant IT Manager is also a kind of technician in his company and he's very intrusive with the work I do. Nowadays he's insisting on putting in place super LAN2WAN restrictions, going back to L3-4 traditional firewall rules and throwing away all the troubleshooting work I've done to fine-tune application control and web filter based firewall policies. For example, he's applying L4 service filters on policies to which application control is already applied. Doing so, if the policy is matched when the outgoing service is HTTPS, when the firewall sees, let's say, a Microsoft Teams call which is a non-HTTPS connection, it shouldn't match the rule and should go forward until it matches the implicit deny all, right?
App control gives you the ability to limit based on applications. Using straight layer 3-4 traditional firewall rules is rudimentary for the use case you are mentioning. Not sure how we can tweak that to meet your manager's needs without giving him a lesson or two on NGFWs. Are you running UTM mode or NGFW mode? If NGFW mode, there is no reason to limit by layer 3/4 because applications will be taken into consideration anyway. Also, most services run on CDNs now, so locking stuff down by IP is a crazy ask.
Hey Fortinet Guru,
Do a video on restricted SaaS access; it would be very helpful to all.
Thank you!
Nice video man, best regards from Mexico. I didn't know about the second way you block YouTube. Have a nice day.
Which mode do most enterprises prefer, policy-based or profile-based?
Most are running profile mode. Most don't run policy-based on Fortinet devices yet. I'm going to start trying though :P
@@FortinetGuru This is a very good point. From my experience the profile mode is much more stable and evolved than policy mode. Visibility seems to be much better in profile mode as well. There are so many small issues, tweaks and bugs when using policy mode in production.
Policy mode may be the future but man, Forti Q&A department needs to hire!
Sir, please upload all videos of the FortiGate firewall.
How to block RDP in the Fortinet firewall, sir?
Thx
Can you make a video tutorial where we control or allow all WhatsApp call traffic to go out the other branch's Fortinet ISP in a site-to-site Fortinet scenario, and all other internet traffic stays and goes out the HQ Fortinet ISP?
Great! Thanks.
As per the information available in FortiOS-6.2.4-Cookbook.pdf, page 276, all cloud applications require SSL inspection set to deep-inspection on the firewall policy. For example, Facebook_File.Download can monitor Facebook download behavior, which requires SSL deep-inspection to parse the deep information in the network packets.
For cloud apps, this requirement of having SSL inspection set to deep-inspection in the firewall policy is NOT specified in FortiOS-6.0-Handbook.pdf.
Q1: Does cloud application control work in v6.0.X with the default SSL inspection profile, without doing SSL full inspection (as this requirement isn't specified in Fortinet's official documentation)?
Q2: For cloud apps and the default SSL inspection profile, can the main app be controlled in the security policies (e.g. Facebook) but any dependent app (e.g. Facebook chat) cannot be controlled (allowed/blocked/etc.)?
Q3: Why do cloud apps have this requirement for SSL deep-inspection, but other apps do not need SSL deep-inspection enabled?
How to block Psiphon proxy software with the Fortinet firewall?
Bro, can you help me on how to block a portion of YouTube and limit it to education only?
What happened to your hair?
? It changes wildly due to making videos so far apart lol