Transcripts
1. Welcome: Hi, I want to welcome you to this SonicWall Firewall Administration course. First, I want to thank you for spending your money and your time on my course. That means that you are serious about your career, and I guarantee you that you will learn something from this course. Every lecture in this course is a lab that handles one of the usual administration configurations that you will face when working with a SonicWall firewall. I want you to complete each lab in this course and put your hands on the configuration as soon as you can, for better understanding, because one of the best ways to learn is by doing. In this course, we will start by preparing our lab setup. Then we will dive into our firewall's features and configuration. So, without wasting your time, let me let you start your journey with SonicWall. And remember that I am here to help you, so please, if you have any questions, don't hesitate to ask me. Good luck.
2. LAB PART 1: Before diving into the course content, the first thing we need to do is prepare our lab. Now, if you have access to a real device, that's a good thing. Otherwise, if you don't, that's not a problem. SonicWall has got our backs and provides us with a virtual appliance that we can use to practice.

The first thing you need to think about is having a decent computer to prepare your lab. Your computer needs to have at least eight gigabytes of RAM and a decent CPU. If you can have more than eight gigabytes of RAM, that will be better, because each SonicWall virtual appliance uses six gigabytes and two virtual CPUs. So please take that into consideration.

Now, moving to the software that we will need in our lab: the first software that we will need is VMware Workstation. This is my VMware Workstation. I think that everyone can download it and install it. If you can't get it, I will put in this video's resources a download link for VMware Workstation with the license.

The next thing we need to have is the SonicWall virtual appliance image. To get the image, we need to have an account on MySonicWall. So let's see how to create it. I will open my browser. We need to go to the link sonicwall.com. From here, we need to sign up. Here you need to fill in your information. There is an important note here that I want to make, and it is about the email. You need to put a business email of your company, because what I noticed is that when we put a public email, like Gmail or any other public email that we have, we cannot benefit from the trial licenses that SonicWall gives us to test the security services, and we cannot even download the image. So please put here a business email with your company domain, or any other email that you have with your domain. Otherwise, I found that signing up with an Outlook email can give you the same benefits as a business email. If you don't have a business email, you can create an Outlook email, sign up with it, and you are good to go. You can benefit from the trial licenses and you can download the SonicWall image.

So, perfect. I will let you sign up. I will go and sign in, because I have my account. I already created an account, so I will log in with it. Here I need to enter a verification code. You need to check your email to find it. I enter mine, "I'm not a robot", and perfect. This is the dashboard of my SonicWall account, here it is. First, it may ask you to create a tenant, like I did here. This is my tenant for network products. You will find that when you are signing up to your SonicWall account, it will ask you to create a tenant. The tenant is where you put all your products.

So now, from here, let's see how to get our virtual appliance image. Let's go to Product Management. From here, we need to go to Trial Software. We need to search for the NSv for VMware. Here it is. This is the virtual firewall that we have, so we will use the NSv. Now we need to do "Try Now". Here you need to choose your tenant. I have one tenant here. And here we need to give it a friendly name. I will give it a name. This is my name, and I will do "Try". Perfect, our product is successfully registered. Now it will refer us to the product page. To download the image, we need to go to Resources & Support, then Download Center. Go here. Let's try to find the NSv. We can download the latest release. We need to download the OVA, just the image, the OVA image. It is the one with the big size. Go and download it from here.
3. LAB PART 2: When you have got the image, the next thing we need to do is import it into VMware Workstation. By now, you should have VMware Workstation installed on your machine. Go to the image and right-click on it to open it with VMware Workstation. Perfect. Now, let's accept the terms and do Next. It asks us to give it a name, so you can give it whatever name you want. For me, I will give it this name. Next, Import. Let's wait for it to be imported. Perfect. Our image is now imported. So, like we see here: six gigabytes of RAM and two vCPUs (virtual CPUs). And it comes with eight virtual interfaces.

One thing you need to know about the naming of SonicWall interfaces is that each interface starts with X. We have X0, then X1, X2, X3, X4, X5, X6, X7. Those are eight interfaces. And let me show you an image from SonicWall. This is the SonicWall firewall. Like I said, X0, X1, X2, and so on. So, for the LAN interface, which is X0, it has by default a static IP, which is 192.168.168.168. And for the WAN interface, by default it is given to the X1 and X2 interfaces, and it is on DHCP.

So, perfect. Let me show you what we are going to do in VMware. So let's go to our machine. Let's do Virtual Machine Settings. Like I said before, the first interface here is our LAN interface, which is X0. So what I will do here is go to LAN Segments and add one. I will create a LAN segment. I will name it LAN X0. I will go here in the drop-down menu and you can find it. Perfect. Now for the X1 interface, I will keep it Bridged. You can choose NAT if you want, but I prefer to keep it bridged so you can get internet, and also, if I want, I can manage the firewall from my local machine. I will show you that in a minute.

The next thing we need to do is start the machine. The first boot might take some time, so just wait for it to be initialized. Perfect. Like we see here, our firewall is ready. The IP address is, like I said, 192.168.168.168. This is our LAN. To access the firewall using the LAN IP, we should have an administrator machine in the same subnet. So, to do that, I have a Windows 10 machine. So let's go to it. Here we need to edit the virtual machine's settings, from the network adapter. We need to choose LAN Segment and choose LAN X0. So here it will be in the same subnet. So it's like we have a virtual switch and we are putting devices in the same subnet. Perfect, now let's power on the machine and wait until it starts.

I will show you, if you don't have the resources to install a client like a Windows 10 machine on your PC and you want to access the web portal of your SonicWall firewall from your local machine, how to do it. So, like I said, the X1 interface of the machine here should be bridged. You need to make sure that it's bridged. And we will go to the firewall. Let's log in. It is bridged for us. It is the WAN IP, which is 192.168.0.156. If you didn't bridge it already, you need to log in to the firewall with the login admin user and password as password. And here we will run this command: show interface. The 156 is X1, like I said. And the IP: it prints it as the IP, which is perfect.

Now let's go to our browser and let's go to the IP. Perfect. Continue. Username is admin and the password is password. Perfect. We now have access to our firewall. So I will log out here. I will go back to the Windows 10 machine to show you how to log in from it. Okay, perfect. Let's check our IP interface. Let's check the IP. So let me put it on DHCP so we can get an IP from the firewall. Perfect. We got the IP. Let's check it. Just the IP. It's from our firewall. Okay. Perfect. Now let's open a browser. Let's type the IP. Perfect. This is the default IP of the SonicWall firewall, like I said before. So let's enter it. Let me make it bigger. Admin, and the password: password. Perfect.

By now, we have seen how to import our virtual firewall into VMware Workstation. We have seen how to access it. So the next thing we will see is how to register it and activate its licenses.
4. Registration & Licensing: The first thing we should do after we access our firewall is to register it. So let's click here. And here it shows Login with your MySonicWall account. It is the account that I showed you how to create before. Here it is: Account. Let's put our credentials. Let's do Login. Here it asks us for the serial number and authentication code, and it wants us to put a friendly name. So, to get that information, we should go to our account and go to Product Management and My Products. From here, you should select the serial number of your virtual firewall. Perfect, it's selected here. From the product details, if we scroll down, we can find a to-do list here. It says update data center for Capture Advanced Threat Protection. It's updated. Good, perfect. Now scroll up again. And here we can find our serial number. So let's copy it. Let's go back here and paste it. The authentication code here, here it is. Let's copy it and paste it. Now for the friendly name, it's better to put the exact same name that you gave it here, so you can remember it. Name it SonicWall Firewall. Do Submit. The firewall will reboot. So let's wait for it. And while it reboots, let's go and check our licenses. So let's go here to the Licenses tab, from here. Let's start our trials. Let's start the first trial. On-box. Don't choose Cloud, choose on-box. And confirm. Perfect. Let's scroll down. Here is Deep Packet Inspection. Let's go and enable it. Let's scroll down again. Let's start the trial of Capture Client. Perfect. Now let's scroll down again and see what is left. Okay? Okay. Content Filter also needs to be enabled. Perfect. And we still have WAN Acceleration and the Global VPN Client. Let's do first the WAN Acceleration. Let's check. The Global VPN is already licensed. Okay. Everything seems good for me. We have the trial licenses that we need.

So let's go back and log in to our firewall. It should be up by now. The default username is admin, password is password. Perfect. We can see that our firewall is registered. What we need to do now is go to Manage. And here, in Licenses, we need to synchronize our firewall, so we can synchronize the licenses that we just enabled in the MySonicWall account. Let's do Synchronize so the firewall can be synchronized. Here it is. It says the configuration has been updated, so perfect. You can check a summary of the licenses from here, from Security Services Summary, and that's it.

Now you know how to import your virtual image into a VMware machine, how to access your firewall, how to register it to your MySonicWall account, and how to start your trial licenses. Please, if you have any question, don't hesitate to ask me. And good luck.
5. Password Change: One of the first things that you need to do after you deploy your firewall is to change the default login credentials. Somehow, if anyone can get access to our network and succeeds in getting to the IP of our firewall and logging in to the portal, he can easily type the default login credentials, and he can log in to our firewall and do whatever he wants. So we need to prevent this. Let's log in with the default credentials and see how to change our default password. Log in again: admin, password. From here, we need to go to Manage. And on the left side, under System Setup, we can see Appliance. Here in Base Settings, we can see Administrator Name & Password. From here, we can change the administrator name. For me, I will leave it admin, and I will put the old password. I will put my new password and do Accept. From here we can see that the configuration has been updated. So if we log out and log in again, here we need to type our new credentials. Put your admin and new password. Perfect. So this is it. This is how to change your default password.
6. Default Lan IP Change: After we saw how to change the default login credentials that the SonicWall firewall uses, the next thing that we must change after that is the default IP, which is the IP of the interface X0. Like we know, the default IP is 192.168.168.168, and in my opinion, for better security, we must change it. So, to do so, we need to go to Manage. Here on the left side, under System Setup, we need to go to Network, Interfaces. And from here we can find that our interface X0 is in the LAN zone with the default IP. Here it is. It's a static IP. So, to change it, we need to go to the right and edit the interface. Here we need to change it to your LAN IP. So in my case here, I will put the IP 192.168.1.1. This is the IP that I want my LAN to use, and I will do OK. Perfect. The IP is now changed, and like we know, this interface here provides DHCP. So let's go and check if its DHCP also changed, or we need to change it. Here, under Network, and just under Interfaces or Zones, we need to go to DHCP Server. This is our DHCP server lease scope. Here it is. We can find that it is automatically changed. If we need to put any other settings, we can modify it from here. Otherwise, we can do OK. Don't forget to do Accept. The configuration has been saved. So let's go back and check the interface. Perfect. The IP is changed. And that's it. This is how to change the default IP.
7. Time & Schedule: The next thing that we will see is the system time. Time is important to be configured in our firewall because it will help us when we want to read, for example, our logs. If the time is exact, we can know each event's particular time. If there was an attack happening in our network, or a breach, we can know the time of this breach or attack. The time is also important when we want to schedule a rule, for example. And it's even important when we want to receive updates from MySonicWall. So when our firewall wants to receive updates, for example, licenses or the database of antivirus or content filtering, the time should be configured in our firewall.

So let's see how to configure it. We need to go to Manage. Here on the left side, under System Setup, we need to go to Appliance. And from there we can see System Time. Here we need to go to the time zone. From there, you need to choose your time zone. You need to search for it from here. For me, I will choose Europe. And here we can see that "Set time automatically using NTP" is checked. If we disable it, we can modify the time manually. If I uncheck it, we can see that we can modify the time and the date manually. I want it to be automatic, so I will check it back. Keep "Automatically adjust clock for daylight saving time" checked. Here we can also check "Display UTC in logs (instead of local time)". UTC is the standard time format. If the administrators of your firewall are from all over the world, you can choose this parameter here; you can check it. Otherwise, don't use it. And this is an important thing also: "Display date in international format". With this setting here, the day will be before the month, which will display the day, then the month. And then the last setting here is "Only use custom NTP servers". If we choose it, you need to add an NTP server. You will need to enter the NTP server address, and if you use authentication, you need to choose it here, and you need to type the key number and password. Otherwise, you need to check "No authentication". You need to put here your NTP server address and press OK. I will do Cancel. I will not choose a custom NTP server. So when you finish, please make sure to Accept. From here we can see that the configuration has been updated. We can see that my time has changed there. Perfect.

Now, like I told you before, one of the things that needs the time to be exact is schedules. I will see with you now how to create a schedule. Let's go here to Appliance. And just under System Time, we can find System Schedules. Go to it. From here we can see that we already have some default profiles. So let's go and try to create our own schedule. Press Add. Put a name for your schedule. For example, I will put "custom". Here in the schedule type, we find that we have Once, we have Recurring, and we have Mixed. Mixed is a mix of Recurring and Once. What Once means is that our schedule will run only one time. If we put here, for example, the year 2001, and also 2001; the month is, for example, February, February; the day will be day one of the month of February, and the end will be day two of February. I will choose midnight, and I will choose midnight of the next day. The minute, I will keep it 0. At this particular date here, this schedule will run. And if we come to day two, midnight of February, this schedule will not run again. So if we put this schedule in a policy, this rule or this policy will be valid only during this date. If February 3 comes, this policy will mean nothing; it will not work. So I hope that makes sense for you.

When we choose Recurring, recurring means that this schedule will be repeated. So, for example here, I will choose that my schedule will be on Monday, Tuesday, Wednesday, Thursday and Friday. Now, I will put here 0. Here, I will put 5. Here, I will put 0. Not 5, I will put 17. Please note that the time is in 24-hour format. So make a note of that. For me, I made the mistake at first: I put here 5 because I'm used to the 12-hour format. So please don't make this mistake, and be aware of this thing. Instead of 5, I will do 17, and I want my schedule to run on every Monday, Tuesday, Wednesday, Thursday and Friday at this range of time here. I need to Add, and it will be added here. This schedule will be repeated every week and every month and every year. That's the difference between the Recurring and the Once. Of course, with Mixed we can choose both of them; then we can choose it. So, perfect, I will do Add. I will do OK. I think that the firewall kicked us out because of the idle timeout. So I need to log in back again. Let me see if it will let me in or I need to create the profile again. I will do Add. I will do OK. Perfect. Our schedule is now created. We will see in the coming videos how to use the schedule, especially in the rules. We will see how to schedule a rule. So that's it. If you have any question about what we did, please don't hesitate to ask me. Good luck.
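Editor's added example for the schedule lecture above (this is not the instructor's code and not SonicOS's implementation): a small Python model of how a "once" schedule and a "recurring" schedule decide whether a rule is in force at a given moment, including a check that catches the 12-hour-clock slip the lecture warns about (typing 5 when 17:00 was meant). The class names, fields and evaluation rules are assumptions for illustration; the sample dates are constructed.

```python
"""Schedule evaluation, added as an illustration of the "once" versus
"recurring" distinction described in the lecture. Illustrative code:
not the course's material and not how SonicOS implements schedules;
the class names, fields and rules below are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List

WEEKDAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}


def parse_hhmm(text: str) -> time:
    """Parse a 24-hour 'HH:MM' value, the format the firewall expects."""
    hh, mm = text.split(":")
    hour, minute = int(hh), int(mm)
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError(f"not a 24-hour time: {text!r}")
    return time(hour, minute)


@dataclass(frozen=True)
class OnceWindow:
    """Active a single time, from start (inclusive) to end (exclusive);
    'midnight of the next day' as the end means the whole day is covered."""
    start: datetime
    end: datetime

    def active(self, now: datetime) -> bool:
        return self.start <= now < self.end


@dataclass(frozen=True)
class RecurringWindow:
    """Active every week on the given days between start and end."""
    days: frozenset  # weekday names from WEEKDAYS
    start: time
    end: time

    @classmethod
    def build(cls, days, start_hhmm: str, end_hhmm: str) -> "RecurringWindow":
        start, end = parse_hhmm(start_hhmm), parse_hhmm(end_hhmm)
        # A 12-hour-clock slip (5 instead of 17) makes the window end
        # before it starts; refuse it instead of silently creating a
        # window that never matches business hours.
        if end <= start:
            raise ValueError(f"end {end_hhmm} is not after start {start_hhmm} (use 24-hour format)")
        unknown = set(days) - set(WEEKDAYS)
        if unknown:
            raise ValueError(f"unknown days: {sorted(unknown)}")
        return cls(frozenset(days), start, end)

    def active(self, now: datetime) -> bool:
        if now.weekday() not in {WEEKDAYS[d] for d in self.days}:
            return False
        return self.start <= now.time() < self.end


@dataclass
class Schedule:
    """Once, Recurring, or Mixed (both lists populated); any window
    that matches makes the schedule active."""
    name: str
    once: List[OnceWindow] = field(default_factory=list)
    recurring: List[RecurringWindow] = field(default_factory=list)

    def active(self, now: datetime) -> bool:
        return any(w.active(now) for w in [*self.once, *self.recurring])


def active_rules(rules, now: datetime) -> List[str]:
    """Given (rule_name, schedule) pairs, return the rules in force at `now`."""
    return [name for name, sched in rules if sched.active(now)]


if __name__ == "__main__":
    feb_1 = Schedule("feb-1-2001", once=[OnceWindow(datetime(2001, 2, 1), datetime(2001, 2, 2))])
    work = Schedule("work-hours", recurring=[
        RecurringWindow.build(["mon", "tue", "wed", "thu", "fri"], "08:00", "17:00")])
    print(active_rules([("allow-web", work), ("maintenance", feb_1)], datetime(2001, 2, 1, 20, 0)))
```

The end of a window is exclusive, so a "once" schedule that ends at midnight of February 2 is no longer active at that instant, matching the lecture's "if February 3 comes, this policy will not work". Because the firewall evaluates these windows against its own clock, the NTP configuration from the first half of the lecture decides whether the rule actually switches at 17:00 local time.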
8. Configuration Backup & Restore: Hi. In this video, I will demonstrate how to export and import the settings file to back up and restore our firewall configuration. I will also cover how to configure cloud backups. We will even create a schedule so that the firewall automatically saves a backup, for example, every few days. But please note, the cloud backup feature is available only on SonicOS version 6.5 or later.

Let me log in to the firewall. Perfect. Now let's start to back up our firewall by exporting the settings file. To do so, we need to go to Manage, here on the left side, and under Updates we need to go to Firmware & Backups. We need to go here to Import/Export Configuration, and to Export Configuration. Then Export. And perfect. Now we have a backup file of our configuration settings. It's that simple. I want you to make sure that the backup file that we made is stored in a safe place. So be sure it's in a safe place so we cannot lose it, and we can find it when we need it. Because what is the point of backing up the configuration file and then losing it? So please save your file.

Now, to restore the configuration file, we simply need to go back here to Import/Export Configuration and to Import Configuration. It asks us to do a backup of the settings file before doing the import. We just did it, so we will not be doing "Export local copy". We will go and do "Proceed to import". An important thing to note here is that you cannot import a settings file that is newer than the operating system version. For example, we exported the settings on firmware version 6.5. So if we want to import it again to our firewall, that will be fine. And if we have a settings file that was exported from a firewall that ran firmware 6.2, which is less than 6.5, and we want to import it to our firewall that runs firmware 6.5, that also will be fine. But if we want to import this settings file that we just exported from the firewall that runs the version 6.5 firmware to a firewall that runs the 6.2 firmware, unfortunately, that will not work. So please remember that we cannot import a backup file from a version higher than our current version. Like I said, if we export a settings file from a firewall that runs a version higher than the firewall that we want to import it to, it will not work. I hope that makes sense to you. So, briefly, the settings file should not be exported from a firmware higher than what we use. Perfect. Now to import it, we simply need to choose the file and import it like that. Here it is. I will do Cancel. And like we all know, if you import the configuration file to your firewall, the firewall will need to reboot after the settings file is imported. And it says to us here, "Your SonicWall appliance will reboot automatically once the import has completed". I will do Cancel because I don't want to import it.

Now let's talk about cloud backups. Cloud backup helps us to automate and safely store backups. The backup file will be sent to my MySonicWall account. So this is my SonicWall account. To find your backup that is made by cloud backup, you need to go to Product Management, My Products. You need to select your product. Go to Cloud Backups. You will find them here. It is clear: we have no backup yet because we didn't enable it yet. Let's go and see how to enable it. To enable it, we simply need to check this box here. Perfect. Now, to create a cloud backup, we need to go to Create Backup. From here we can see Cloud Backup and we can see Scheduled Backup. This Cloud Backup here means that we can do a manual cloud backup. And this Schedule means that we can schedule our cloud backups. So let's start with seeing how to schedule our backup. This is our schedule. I showed you before the schedule profile, and I showed you in a video how to create it. I will not explain the schedule again here; you already know it. So from here, we can see that we already have a schedule list. If it suits you, you can keep it. If not, you can press it and do Delete All. Then you can create your own schedule. For example, we need to schedule on Sunday and Saturday, for example, only on weekends. And then we can add Friday also. Perfect. Now we can choose our time and do Add. Perfect. Finish. Scroll down. Here we can see that the configuration has been updated. So after you did the schedule, it will go and do the backup. Don't forget to just wait and go to your MySonicWall account at the time that you set in the schedule and check if it did the backup automatically or not.

Go back to Create Backup. And let's create a manual backup. From here we can see an important option, which is Rotating Cloud Backup, and it says that we are limited to three configuration files that can be rotated per firmware version. For Retain Backup, this configuration file will not be overwritten during auto or manual backups. For example, I will enable it here, and in the comment I will type, for example, "initial config". So, for example, I want my initial configuration file to not be overwritten and to stay in my MySonicWall account. I will do Upload. Perfect. We can see that we did the cloud backup. If we go here we can find the configuration version and the date and the type of backup: it's manual. Here we can find if we want to boot our firewall with my cloud backup configuration, if I want to restore it. Perfect. Now let's check my MySonicWall account to see if the configuration file was added to it. Let me refresh. Let me go to My Products, then Backups. And like you see here, this is our comment and this is our backup. So now we are sure that the cloud backups work. Perfect.

Now let's go back to the firewall. From Create Backup, one important thing that we have is Local Backup. So for local backup, you can see that it is similar to exporting the settings file, but the difference is that the local backup also saves a copy of the current system state firmware. You can consider it as a local snapshot of the firmware. We can use it, for example, if we want to upgrade our firmware; in case something happens with the new firmware, we can easily revert back. Let's do a local backup. You can do a comment, or I will keep the comment as the initial config. I will confirm. This is our local backup, and we can boot from it also, like that. Perfect.

Now, one last thing that I want to see in this video is how to back up and send our settings file to an FTP server. So to do that, we need to go to Settings. We can do it from here. So you need to have a working FTP server. For me, I have a Linux machine here. Let me do it straight from here. We can see that we use ProFTPD, that's running on port 21, which is the FTP port. This is my FTP server. You can set up whatever FTP server. Now let's go back to the firewall. Before that, let me get the IP of my server. Perfect, this is my IP. Now let's go back to the firewall and let's check this box here. And here, the FTP server: we need to put the IP. Perfect. Here, our username and password. This username and password need to be created on the FTP server. It's not the username and password of the firewall. And we need to do Apply. Perfect. Now let's go back to Settings. And there we can set a schedule to back up our configuration file automatically. Let me save it. I will delete this schedule here. I will create a new schedule. I will do Add. I will set the time. We'll do, for example, this. And I will do Add. And OK. Now let's go to our FTP server, and it has it. Perfect. This is the end of our backup lecture. Please, if you have any questions, don't hesitate to ask me, and good luck.
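Editor's added example for the backup lecture above (not the instructor's code and not a SonicOS or MySonicWall API): a Python model of the two rules the lecture states, that a settings file may only be imported onto the same or a newer firmware, and that rotating cloud backups keep a limited number of files per firmware version while a "retain" flag keeps a file out of rotation. It also records a SHA-256 fingerprint of an export so the copy you restore later can be checked against what you saved. The version-string layout, the BackupRecord fields, the assumption that the limit of three applies only to non-retained files, and the sample records are all assumptions made for illustration.

```python
"""Configuration backup checks, added to illustrate the import-compatibility
and cloud-backup rotation rules described in the lecture. Illustrative
code only: not the course's material, not SonicOS or MySonicWall code.
Version-string layout, record fields and the rotation limit of three
(assumed to count only non-retained files) are assumptions."""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Tuple

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract major.minor.patch; any build suffix after that is ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(x) for x in m.groups())


def can_import(exported_from: str, target_firmware: str) -> bool:
    """A settings file may be imported only onto the same or a newer firmware
    than the one it was exported from (the lecture's 6.2 / 6.5 rule)."""
    return parse_version(exported_from) <= parse_version(target_firmware)


def fingerprint(settings_file: bytes) -> str:
    """SHA-256 of the exported file, to be stored next to the backup so the
    copy you restore later can be verified against what you exported."""
    return hashlib.sha256(settings_file).hexdigest()


@dataclass(frozen=True)
class BackupRecord:
    firmware: str          # firmware version the backup was taken on
    sequence: int          # upload order; larger means newer
    comment: str = ""
    retain: bool = False   # "retain backup": never overwritten by rotation


def rotate(existing: List[BackupRecord], new: BackupRecord,
           limit: int = 3) -> List[BackupRecord]:
    """Add `new` and apply rotation for its firmware version: retained files
    are always kept, only the newest `limit` non-retained files for that
    version survive (oldest dropped first), and backups taken on other
    firmware versions are left untouched."""
    same = [b for b in existing if b.firmware == new.firmware] + [new]
    others = [b for b in existing if b.firmware != new.firmware]
    retained = [b for b in same if b.retain]
    rotating = sorted((b for b in same if not b.retain), key=lambda b: b.sequence)
    survivors = rotating[-limit:] if limit > 0 else []
    return sorted(others + retained + survivors, key=lambda b: b.sequence)


def comments(backups: List[BackupRecord]) -> List[str]:
    """Comments in storage order, handy for seeing what rotation kept."""
    return [b.comment for b in backups]


if __name__ == "__main__":
    # Constructed sample: one retained "initial config" plus four automatic backups.
    store = [BackupRecord("6.5.4", 0, "initial config", retain=True)]
    for n in range(1, 5):
        store = rotate(store, BackupRecord("6.5.4", n, f"auto {n}"))
    print(comments(store))            # ['initial config', 'auto 2', 'auto 3', 'auto 4']
    print(can_import("6.5.4", "6.2.9"))  # False: a 6.5 export onto 6.2 firmware
    print(fingerprint(b"constructed settings export"))
```

Run `can_import` with the version shown under Monitor, System Status before clicking "Proceed to import"; the firewall will refuse the newer file anyway, but knowing in advance saves a reboot. The fingerprint is only useful if you write it down somewhere other than the backup file itself.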
9. Firmware Upgrade: Hi. Today we will upgrade our firewall's firmware to take advantage of new features. As a network administrator, you should keep an eye on new firmware releases and read the release notes to know about the new features and also the fixes that come in the new firmware version. Okay, so today we will upgrade our NSv firewall firmware. Let's see how to do it.

I will log in to my firewall: admin, password. To check the version, you need to go to Monitor. And you need to go here on the left side, under Current Status, to System Status. And here in System Information, you can find your current firmware version. Here it is. We have version 6.5.4, and the build is 188. Let's try to upgrade it.

Before we begin, it will be better to take a backup of our firewall settings, in case something happens after the upgrade of the firmware; we can at least be safe. So I prefer to be safe than sorry. So let's see how to do the backup. To do it, we need to go here to Manage, on the left side, under Updates, we need to go to Firmware & Backups. Here, let's go to Import/Export Configuration and choose Export Configuration, and Export. Perfect. Now we are safe and we have our backup.

The next step that we need to do is get the new firmware image. To do that, we need to log in to our MySonicWall account. I already logged in to my account. And from there, you need to go to Product Management and My Products. From there you need to find your device. For me, this is my firewall here, and I will press it. From this window here, we go to Firmware. And like we see here, in Available Downloads, we have a release. Here it is. We can scroll down and press Browse All Firmware to see all the previous firmware that we have. They are all under version 6.5.4 because the NSv ones run on version 6.5.4. But what's different is the build version. This is the build version here; we can see that it's different between each release. So let's download the available download. Here it is, it's the one with the extension .sw. In our case, because we are using the NSv, we are using this extension here. If you are using a device like the TZ or the NSA models, you will find .sig. I already downloaded it.

What I will do now is go to the firewall. From here I will upload the firmware. Go to Choose File. Let me try to find it. There it is. I will do Open and I will Upload. And let's wait for it. Perfect. We now have our new firmware in the firewall. We can see that we are using this version here, this build, but we uploaded this new version here to boot the firewall with the new version. Please make sure that you notify your end users of the downtime, because when we boot the firewall with the new image, there will be a downtime in the network. You can schedule it for a time when there are no workers in the office, and you can do the upgrade. Perfect. Now let's go to this version here. From Boot, here in the boot menu, we can do Boot Uploaded Firmware, and we can see that we have two options. We have the option with current configuration and with factory default configuration. What that means is, with current configuration, it will boot with our settings and all that we changed in the firewall. But with the second option here, if we want to redeploy our firewall with a new configuration, we can select it. But in my case, I prefer to keep my changes and my configuration. I will choose this version here. I will do OK. If we go and check the firewall, we will find that it is rebooting now. We can boot with the new firmware. So let's wait for it to be rebooted. Let's go and log in again to check the version. Our firewall is now up. Let's go and try to log in to it. Admin, and your password. To check the new image, we can even check it from here, from Firmware & Backups. We can see that it booted and it uses the new firmware. Or we can go to Monitor, Current Status, System Status. You can go and find the firmware version here. And we can find that it uses the new build. Here it is. So, perfect. This is how to upgrade your firewall firmware. Please, if you have any question, don't hesitate to ask me. Good luck.
10. Base Settings: In this video we will see the base settings of the SonicWall firewall. Let's go to Manage. On the left side, under System Setup, select Appliance; under Appliance we can see Base Settings. The Base Settings page of SonicOS covers a range of firewall settings.

The first one is the firewall name. It's a unique identifier for each firewall appliance. By default the serial number of the firewall is used as the firewall name. The firewall name is alphanumeric and can be between 8 and 63 characters, so let's change it; I will make it SonicFirewall101. This is the name I want to set, as we see here: the minimum length is eight and the maximum is 63. If we check this box here, the host prefix is taken from the firewall name. The next thing we have is the firewall's domain name. It can be a private domain for internal users or an externally registered domain name. Next we have Enforce HTTP Host Header Check; I will enable it. This option lets us prevent a vulnerability known as host header injection.

The next section is Administrator Name and Password. We saw in the password-changing lecture that this is where we change our administrator name and password. There is one other parameter here, One-Time Passwords. If we check it, we find that we have TOTP. This parameter means that we can use two-factor authentication for our firewall. OTP stands for one-time password and the T stands for time-based, because there are two types of OTP: TOTP, which is time-based, like I said, and HOTP, which is hash-based.

Let's scroll down to see what we have. Here we have Feature Visibility, with Enable IPv6, which is enabled by default. If it is enabled, our firewall can use IPv6. If you have another SonicWall model, like a TZ or an NSa, you will see another option there, Enable Wireless LAN. If you enable it, you can manage access points and wireless from your firewall. But please note that if you enable it, you will need to reboot your firewall to use it.

Now let's move to Login Security. Login security plays a major role in keeping the network safe: it allows us to configure password complexity and constraints to ensure that administrators and users use secure passwords. The first parameter is "Password must be changed every ... days". If we enable it, this value is in days, so every 90 days a user will need to change his password and enter a new one. If the user logs in with an expired password, a popup window shows up so the user can enter a new password. The other setting we have is that the password can only be changed some time after the last change, and this value is in hours. For example, if we enter a new password and want to change it again within one hour, we cannot; we need to wait one hour before we can change the password again. The next parameter is "Bar repeated passwords for this many changes", which prevents the user from reusing old passwords as new passwords. The parameter after it follows this one: if we enable it, we need to enable this parameter too. It's better to enable it, because it says that the new password must contain this many characters that are different from the old password.

Now we can choose the minimum length of our password. By default it's eight; we can change it if we want. Here we have Enforce Password Complexity with a drop-down menu. If we open it, we see two options: one with alphabetic and numeric characters only, and the other with symbolic characters as well. If we choose the symbolic one, the symbolic characters field is enabled; if we choose only alphabetic and numeric, we won't be able to modify the symbolic characters field. From here we define how many characters must be uppercase, how many lowercase, and how many numeric characters the password needs.

The next setting is to whom this password security policy applies. If we enable it, it is applied to administrators, other full administrators, limited administrators, guests and local users, and we can check and uncheck each of them.

Here we find "Log out the administrator after inactivity of ... minutes". So if an admin user logs in to the firewall and stays inactive for five minutes, the firewall logs him out automatically. You can modify it if you want, or leave it as it is.

Now let's scroll down. Here we find the administrator and user lockout. If we enable it, it locks administrators and users out of the appliance after a specified number of incorrect login attempts, so I will enable it. Here we find another parameter, Enable local administrator account lockout, and it says "uncheck for login IP address lockout". With IP address lockout, if an administrator and a user log in from the same source IP, it locks both of them, and that would prevent the administrator from accessing the firewall when he needs to manage it. With the account lockout instead, the lockout is based on the user: it only blocks the user who entered the wrong credentials and still allows the administrator to log in to the firewall. And "Log event only without lockout" only logs the failed attempt and does not lock the user out. Here we find how many attempts we allow a user within how many minutes before we lock him out; we can change both the attempts and the minutes. Here we find the lockout period; it's in minutes, and 0 means locked out forever, so if we put 0 it locks that user forever. Here we find the maximum login attempts from the CLI, which is also five attempts.

Perfect. Now let's move on. The next section we have is Multiple Administrators. The first thing here is "On preemption by another administrator", with two options: drop to non-config mode, and log out. This means that if two administrator users try to log in to the firewall at the same time, the first user is logged in to the firewall, and another administrator who tries to log in during the current administrator's session is either logged out of the firewall or dropped to non-config mode. Non-config mode means that the administrator will not be able to configure the firewall and will be in viewing mode only. So again, if we have an administrator who is already logged in and managing the firewall, and another administrator tries to log in while the current administrator is still managing it, the new administrator is either dropped to non-config mode or logged out of the firewall. You can choose which option you want; I will keep the default and move on.

Next we have "Allow preemption by a lower priority administrator after inactivity of 10 minutes". That means that if our current administrator is inactive for these ten minutes, a lower priority administrator is allowed to preempt him. Then we have Enable inter-administrator messaging. By enabling this parameter we allow an administrator to send text messages through the management interface to other admins who are logged in to the firewall at the same time. Like I said before, if we have two administrators and we chose drop to non-config mode, the other administrator is in viewing mode, so our current administrator can send a message to the other administrator. This is the polling interval for messages, in seconds: it's the time after which the other administrator's browser refreshes to look for new messages. Here we can enable multiple administrative roles to log in to the firewall at the same time. If we go here, we find Administrator, which is the admin user, and Full Administrators and Limited Administrators, and each of them has a different role. So administrators with different roles can log in to our firewall together if we enable this parameter. Next we find Enable enhanced audit logging. This parameter gives us detailed logs: you will be able to see which parameter was changed in the firewall and by which user.

The next thing we have is Web Management Settings. Here we have a checkbox to enable HTTP management. By default, if we try to log in to our firewall over HTTP, it redirects us to HTTPS; if we enable this, we can also log in to our firewall using HTTP only, but that is not recommended. From here we can also change the HTTP and HTTPS ports. We have a Delete Cookies button, which deletes all cookies saved by our SonicWall firewall; but please note that if you delete the cookies before saving your current configuration, you lose it. If you made a configuration change and didn't save it, you lose it. Here we find End Config Mode: if the current administrator wants to give config access to another administrator, he can simply press End Config Mode and he will be in viewing mode, the non-config mode. Here we find the certificate the firewall uses for HTTPS; we can import our own certificate or use the self-signed certificate, and this is the common name of the certificate. Here we find the default table size, in items, and the interval in seconds at which the table is refreshed; I prefer to keep the defaults, but you can change them as you like. The next checkbox is "Use Threat Protection view as starting page". If we enable it, the next time we log in to our firewall the first page we see is the threat protection view.

Scroll down. We have Enable Tooltips; a tooltip is a small popup window that appears when you hover your mouse over a UI element and gives brief information about that element. For example, if we put the mouse here, a popup shows brief information about this setting. Tooltips are available for boxes, buttons and text, and from here we can change the delay before the popup appears for each of them. The next setting we have, of course, is Enforce TLS 1.1 and above, which makes the firewall communicate only with browsers that support TLS 1.1 or later.

Perfect. Let's scroll down. Here we find Client Certificate Check. Enabling the client certificate check is typically used for the Common Access Card (CAC), but it's useful in any scenario that requires a client certificate for HTTPS and SSH connections. If I enable it, a popup window warns me that I might not be able to manage the firewall over HTTPS again without a valid client certificate; click OK. We find Enable client certificate cache, which caches the certificate in the firewall; I will enable it. From here we choose the issuer of the certificate; for example, if we generated the certificate from a Microsoft CA, we choose the Microsoft root certificate authority. For the Common Access Card user, we choose whether it is a local user or an LDAP user. Here we have a box that says Enable OCSP checking. If we enable it, it verifies whether the certificate is still valid, and an OCSP responder URL box appears. That box takes the address of the server that will verify the certificate; it is usually embedded inside the client certificate, where you can find it. Then we have Enable periodic OCSP check, with the interval in hours at which the server checks whether the certificate is still valid.

Perfect. Let's scroll down again. We can also change the SSH port from here if we don't want to use the default port. The next setting is SonicOS API; if you enable it, you see more options here. SonicOS API is an alternative way of configuring various functions; if you want to use it, you can enable it here. Under Advanced Management, if we want to manage our firewall from the GMS, we enable it here. For those who don't know what GMS is, it is the Global Management System, which allows us to manage multiple firewalls from one place. If you enable it, press Configure, type the host name or IP address of the GMS, and choose the management mode: IPsec, HTTPS or an existing tunnel. I will cancel. Let's move on.

The last two settings we have are the language and the UUID settings. We choose our language from here; for now we only have English, and if we modify it, it says that we need to reboot the firewall to apply the setting. The UUID box, "Show UUIDs for all", when enabled shows the UUID for address objects, services, users, schedules and all the other objects. UUID means universally unique identifier; it is used to uniquely identify objects, and each object has a unique ID. This is all we have in the base settings. When you make changes here, don't forget to press Accept to save your changes.
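The password-policy and lockout settings described in this lecture can be expressed as code, which makes their edge cases concrete: the "characters different from the old password" rule, the bar on reusing recent passwords, the per-user versus per-source-IP lockout, and the lockout period of 0 meaning forever. The following Python is an added example written for this page, not SonicWall's implementation; the thresholds, the reading of "different characters" as characters of the new password that do not occur in the old one, and the user names and addresses are constructed assumptions.

```python
"""Login-security checks modelled on the SonicOS Base Settings options.
Added example for this page; not SonicWall code. Thresholds are constructed."""
import string
from collections import deque


class PasswordPolicy:
    """Minimum length, complexity class, per-class minimums, characters that
    must differ from the old password, and a bar on reusing recent passwords."""

    def __init__(self, min_length=8, allow_symbols=True, min_upper=1,
                 min_lower=1, min_digits=1, min_symbols=1,
                 min_different=4, bar_last=3):
        self.min_length = min_length
        self.allow_symbols = allow_symbols      # False = "alphanumeric only" policy
        self.min_upper, self.min_lower = min_upper, min_lower
        self.min_digits, self.min_symbols = min_digits, min_symbols
        self.min_different = min_different      # assumption: chars absent from old password
        self.bar_last = bar_last                # "bar repeated passwords for N changes"

    def violations(self, new, old=None, history=()):
        """Return the list of rules the new password breaks ([] means accepted)."""
        problems = []
        if len(new) < self.min_length:
            problems.append("length below minimum")
        counts = {
            "upper": sum(c.isupper() for c in new),
            "lower": sum(c.islower() for c in new),
            "digit": sum(c.isdigit() for c in new),
            "symbol": sum(c in string.punctuation for c in new),
        }
        for cls, need in (("upper", self.min_upper), ("lower", self.min_lower),
                          ("digit", self.min_digits)):
            if counts[cls] < need:
                problems.append(f"needs {need} {cls} characters")
        if self.allow_symbols:
            if counts["symbol"] < self.min_symbols:
                problems.append(f"needs {self.min_symbols} symbol characters")
        elif counts["symbol"]:
            problems.append("symbols not allowed by alphanumeric policy")
        if old is not None:
            different = sum(1 for c in new if c not in old)
            if different < self.min_different:
                problems.append("too similar to old password")
        recent = list(history)[-self.bar_last:] if self.bar_last else []
        if new == old or new in recent:
            problems.append("recently used password")
        return problems


class LockoutTracker:
    """Counts failed logins per principal. max_attempts failures inside
    window_minutes lock the principal for lockout_minutes (0 = forever).
    per_ip=True locks the source address, so an administrator and a user
    behind the same address are locked together; per_ip=False locks only
    the user name that failed. Timestamps are Unix seconds (time.time())."""

    def __init__(self, max_attempts=5, window_minutes=1,
                 lockout_minutes=5, per_ip=False):
        self.max_attempts = max_attempts
        self.window = window_minutes * 60
        self.lockout = None if lockout_minutes == 0 else lockout_minutes * 60
        self.per_ip = per_ip
        self.failures = {}       # key -> deque of failure timestamps
        self.locked_until = {}   # key -> unlock time, or None for "forever"

    def _key(self, user, source_ip):
        return source_ip if self.per_ip else user

    def is_locked(self, user, source_ip, now):
        key = self._key(user, source_ip)
        if key not in self.locked_until:
            return False
        until = self.locked_until[key]
        if until is not None and now >= until:   # lockout period has elapsed
            del self.locked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def record_failure(self, user, source_ip, now):
        """Register a failed attempt; return True if it triggered a lockout."""
        key = self._key(user, source_ip)
        attempts = self.failures.setdefault(key, deque())
        attempts.append(now)
        while attempts and now - attempts[0] > self.window:
            attempts.popleft()                    # forget failures outside the window
        if len(attempts) >= self.max_attempts:
            self.locked_until[key] = None if self.lockout is None else now + self.lockout
            attempts.clear()
            return True
        return False
```

With `per_ip=False` (the account-lockout setting checked) three bad passwords for user "sonic" leave "admin" usable from the same address; with `per_ip=True` both are locked, which is exactly the situation the lecture warns about.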
11. Administrator User: Like we saw in the Base Settings lecture, our firewall supports multiple concurrent administrators. So in addition to the default admin user, additional administrators can be created, and that's what we will see in this video. Go to Manage; in the left panel, under System Setup, go to Users and then Local Users and Groups. From here choose Local Users, and I will create a user. I will name it sonic and give it a password, then confirm the password. The next thing is to go to the Groups tab, where we assign groups to this user. We have three administrative groups: Limited Administrators, SonicWall Administrators and Read-Only Administrators. The Limited Administrators group has limited configuration privileges; the admin will be limited to some configurations only. The SonicWall Administrators group has full access to the firewall configuration. Read-Only Administrators, as the name says, only have read access to the firewall and cannot configure or change anything on it. Select the group and press this arrow here. Perfect, our user is now added to this group. The next thing is to press OK. Perfect, our user is created, and in the Admin column we can see that it says Full, which means that we have a full administrative user.

Now I will not modify anything else, to show you some mistakes that people usually make when creating administrator users. I will log out of the firewall and try to log in with this user, with the username sonic. The first error we see is "User login not allowed from here". So let's see what we need to do to resolve it. Let me log in again with the admin account, the default account. To resolve this problem we need to go to Network, and under Interfaces, since we are connecting through the WAN interface (this is our IP address and this is our WAN interface), you can see that we are trying to log in using the WAN IP address. So we go to the WAN interface, where we find a parameter called User Login; we need to check HTTPS, since we are using HTTPS, and click OK. I don't recommend enabling this parameter on the WAN interface, or even enabling management on the WAN interface. I prefer to keep management on the LAN, but I am controlling my firewall from my local machine and I don't want to use a virtual machine to manage it; that's why I chose the WAN interface. Perfect. Now press Accept to save the changes, log out, and try to log in again with the user sonic and its password.

Now it says "Failed to open SonicWall user status". I click OK, then press this popup icon and choose to always allow popups and redirects from this IP address, the IP of our firewall, and it goes away. Now let me refresh. Perfect, we can see the status window. When we log in to the firewall as a user with administrator rights, this popup window appears: the user status window. From it we can see the session lifetime we have to log in to the firewall, we can change our password, and we can choose to manage the firewall. We see this popup window, like I said, because we are not connecting with the default username, which is admin. So now I will show you how to remove it and log in with the new user sonic just like you log in with the default user admin. Let me log out and log in with the account admin. Perfect. Now go back to Users, Local Users and Groups, and from there go to Local Groups. We need to find SonicWall Administrators, because our user sonic belongs to the group SonicWall Administrators, and edit it. In the Administration tab we find a parameter that says "Members go straight to the management UI on web login"; check it and click OK. Perfect. Now let's log out and log in again with the user sonic. Perfect, we now log in to the firewall directly without any popup or anything. So please remember the mistakes I showed you that people normally make when creating administrator users. This is how to create an admin user.

The next thing I want to show you is inter-administrator messaging, which we talked about in the Base Settings lecture. Go to Manage, under System Setup go to Appliance and Base Settings, and scroll down. Under Multiple Administrators we find Enable inter-administrator messaging; I will enable it and press Accept. Perfect. I will also show you this parameter, "drop to non-config mode" and "log out", which we also talked about in the Base Settings lecture; let's see how it looks. Now I will log in with the user admin from a different machine, so let me go to VMware and use my Windows machine. Let me make it bigger and log in using the LAN IP address with the user admin. The popup shows up; this is what I told you about. It asks us to connect either in config mode or non-config mode, because we are connected with the user admin, which is the default admin, so it gives us this option. Otherwise, if we were connected with the user admin and then connected with another user like sonic, it would not show this option; it would only show non-config mode. I will choose non-config. Perfect. Now we are accessing our firewall; we can go to Manage and see all the configuration we have in the firewall, but like I said, we are in non-config mode, so we cannot modify anything.

The next thing I want to show you is inter-administrator messaging. To send a message from the admin user to the sonic user, go to Monitor, from Monitor go to Current Status, and under User Sessions select Active Users. From here we can see our users admin and sonic. Press the message icon, type a message and send it; I will send it and click OK. Now let's go to the session of the user sonic. In that browser we can see that our message reached sonic. That's it. Please, if you have any questions, don't hesitate to ask me, and good luck.
12. Admin TOTP: Still with users, in this video we will see two-factor authentication. Two-factor authentication is an extra layer of security that helps us protect access to our firewall. The classic method of accessing the firewall is a username and password, but with two-factor authentication we also need an extra code to log in to our firewall. To do that, go to Manage; under System Setup, Appliance, go to Base Settings. This is the parameter we need to enable; we talked about it in the Base Settings lecture, and now we will enable it. So from here I enable TOTP, which means time-based one-time password. I enable it. Perfect. Now what we need to install is Google Authenticator, on our mobile device. But first let me press Accept to save the configuration. The next thing to do, like I said, is install Google Authenticator; it generates the OTP codes for logging in to our firewall. So please go and install it on your mobile device. For me, it's already installed. So what I do now is simply log out and try to log in with the user admin. Perfect. What we see here is a barcode (a QR code); we need to scan it with Google Authenticator. The other important information on this page is the emergency scratch codes. Please keep these scratch codes in a safe place, because they are the only way to log in to the firewall if the mobile device we use to log in is lost. So now let me scan the code. Perfect, now I have the code; I type it here and click OK. Now I press Continue, and perfect: we are logged in to the firewall using two-factor authentication. One important thing I need to mention here: like I told you before, it's a time-based password, so please make sure that your firewall time is correct. If you want to change your firewall time, please check my lecture where I talked about changing the firewall time. If you have any other questions, please don't hesitate to ask me, and good luck.
13. Zones: Hi. In this video we will see zones. A zone is a logical grouping of one or more interfaces with a friendly name. It's a flexible method of managing both internal and external networks, allowing us to separate and protect critical internal network resources from unapproved access or attack. Using zones, we can group similar interfaces and apply the same policies to them, instead of having to write the same policy for each interface. In SonicWall there are seven predefined zones that cannot be modified. On some models we don't find all seven zones; in our case, using the NSv appliance, we only have six. If we navigate to Manage, then Network, then Zones, we can see that we only have six zones; the seventh zone we don't have is the WLAN zone, because the NSv appliance doesn't support WLAN.

The first zone we have is the LAN zone. The LAN zone can consist of multiple LAN interfaces depending on your network design, and each interface in the LAN zone has a different network subnet attached to it. The next zone is the WAN zone. It can also consist of multiple interfaces, and each interface in this zone needs to be in a different network subnet. If you are using WAN failover, you need to add a second interface to the WAN zone, of course. Now for the DMZ zone: it's normally used for publicly accessible servers and can consist of one to four interfaces. If, for example, you have a web server in your network and you want it to be accessible from outside, you should put it in the DMZ zone. That doesn't mean you can't put it in the LAN zone or any other zone, but for security reasons the best practice is to put it in the DMZ, separated from the other networks. Moving to the VPN zone: it's a virtual zone for simplifying and securing remote connectivity. When we create an IPsec VPN, our tunnel interface is automatically assigned to this zone, and it's the only zone that has no physical interface assigned to it. Like the VPN zone, the SSL VPN zone is only used for secure remote access, with SSL encryption. The last zone we have is the Multicast zone. It provides support for IP multicasting, which is a method of sending packets from a single source simultaneously to multiple hosts. For example, if you have an IPTV server, you need to put it in this zone. Now for the WLAN zone that we don't have here: it provides support for SonicPoints and SonicWaves, which are SonicWall's access points. Any packets coming into this zone from an unknown SonicWall access point are dropped.

We can see that each zone has a security type assigned to it. It is used to define the level of trust given to that zone. The LAN zone is always Trusted. It provides the highest level of trust, meaning that the least amount of scrutiny is applied to traffic coming from the interfaces of trusted zones. Interfaces in the WAN zone are always Untrusted, which represents the lowest level of trust, and we can see that the Multicast zone is untrusted too. Untrusted zones cover the unprotected side of the firewall: by default, traffic from an untrusted zone is not permitted to enter any other zone type without explicit rules, but traffic from any other zone is permitted to an untrusted zone. For example, traffic from the LAN zone is always permitted to the WAN zone. Now for the Public type: it offers a higher level of security than untrusted, but a lower level of trust than trusted. It's assigned to the DMZ because, like I told you, the DMZ is where we put the servers that we want to be publicly accessible. And Encrypted is the security type used by the VPN zones; it means that traffic to and from those zones is encrypted.

Now let's go and try to create a zone. Press Add New Zone Object. In Name, I give it a friendly name; for example, I will name it Udemy. This is just an example; you could name it Sales if it's for the sales department in your company, or Engineering, or any friendly name you want. In Security Type we can see that we have Trusted, Public and SSL VPN; I will choose Trusted. The first setting we have is Allow Interface Trust, and this setting automates the creation of access rules to allow traffic to flow between the interfaces of this zone. For example, if you assign two interfaces, say X3 and X4, to this zone, the hosts on these interfaces will be able to communicate with each other, if the box is checked, like in our case here. For me, I will uncheck it; if you want interfaces in the same zone to communicate, you can keep it checked. Then we have "Auto-generate access rules to allow traffic between zones of the same trust level", which means that all zones with the security type Trusted can communicate among themselves. So, for example, our LAN zone is also Trusted, so the interfaces in our LAN zone could communicate with the interfaces in the Udemy zone. I don't want that, so I will uncheck it. The next parameter is "Allow traffic to zones with lower trust level", for example traffic from our LAN zone to the WAN zone. If you want Udemy members to have Internet access, you can keep this parameter checked; or you can uncheck it and create the policy manually. I prefer to do that manually, because if the firewall generates the policy, it allows any to any, and I don't want that, so I will uncheck it. The same goes for the options that allow traffic from zones with higher trust level and deny traffic from zones with lower trust level; like I said, I prefer to create the rules manually rather than have them generated automatically. As we see here, we can also enable security services on traffic from this zone, but I will not discuss that now; I'll keep it until we see SonicWall's security services. For now, I click OK. This is our zone.

Now let's go to Interfaces, go to the X3 interface and assign our zone to it. In Zone, we can find our zone here; let's select it. We can set a static IP on the interface; for example, I will set this IP and keep the mask as it is. I click OK, and I will not enable any management services on this interface. Press Accept. That's it for this video. Please, if you have any other questions, don't hesitate to ask me, and good luck.
14. WAN Interface: Hi. In this video we will see how to set a static IP address for our WAN interface and how to configure it. We need to configure our WAN interface so our firewall can connect to the Internet to get updates, and also so the end users can get out to the Internet. By default, the X1 interface is the WAN interface, and by default it is on DHCP. Let's go to VMware, to my firewall. If I right-click my firewall and go to Settings, network adapter 2, which is bridged, is my WAN interface; so this is the X1 interface. You can set this interface to Bridged or NAT to have Internet access. Perfect. Now I close the window and go back to the firewall.

Now to check the WAN interface we need to go to Manage, then Network, then Interfaces. There we can find our WAN interface; let's click Edit. As we see, the IP assignment is DHCP, and we also have Static and Wire Mode. As we see, our X1 interface is the WAN interface. If you want to use another interface as a WAN interface as well, for example X2, you need to edit it and in Zone choose WAN. Perfect. Now let me cancel and go back to our WAN interface. In IP Assignment, like I said, we have three options: Static, DHCP and Wire Mode. By default the interface is on DHCP. If you are using another model rather than the NSv appliance we are using right now, for example the TZ series or an NSa, you will see more options, like Tap Mode or PPPoE; but for us, we only have those three options. We want to set a static IP, so I choose Static. Static means that you assign a fixed IP address to the interface. At this point you should have the public IP, the mask and the gateway from your ISP. For me, I will enter a private IP, but let's pretend that it's a public IP, because this is just my lab. So I put the IP 192.168.0.20, I leave the mask at 24, the gateway is 192.168.0.1, and for DNS I put Google DNS.

Perfect. Now in Management I select HTTPS. That means I can manage my firewall over HTTPS through the WAN interface. I'm doing it because I am managing the firewall from my host machine, so my host machine can reach the firewall and manage it; but I don't recommend that you do that. There are more secure ways to manage the firewall remotely, like using a VPN. If you are forced to enable management on the WAN interface, at least go to the rules and change the source to the known source from which you will manage the firewall. Under User Login, we can see that HTTP and HTTPS are disabled; we enable them when we want remote users to authenticate to our firewall through the WAN interface. And here we can see that "Add rule to enable redirect from HTTP to HTTPS" is checked, so if we open the firewall over HTTP, it redirects us automatically to HTTPS. Perfect. If we go to Advanced, we can change the link speed of the interface, override the default MAC address, and configure other options, like bandwidth management: if it's enabled, we set how much bandwidth we want to use for download and upload, in kilobits per second. I will leave it disabled, since I don't want to configure it. Perfect. Now I click OK. The X1 IP has changed, so we connect to the new IP; it asks me to enter my password again. Perfect. If we go back to Interfaces, we see it is on static now, with our IP.

Like I told you before, if you are forced to enable management on the WAN interface, you need to go to the policy and set the source to a known source. So I will show you how to do it. We navigate to Policies, then Rules, then Access Rules. We choose the zone pair from our WAN zone to our WAN zone. The first rule is for ping, so I leave it. The second and third rules are for HTTP and HTTPS management, so those are the rules I need to modify. As we see here, Source is set to Any. What we need to do is create a new address object; I name it "Known source", with zone assignment WAN and type Host, and for the address, for example, my IP (let me check it; this is my IP, and you need to do the same). I add the "Known source" address object and click OK. Perfect. Go back and select it for the HTTPS rule as well. Perfect. Now I can only access the firewall if my IP is 192.168.0.240; if I try to connect from another machine that uses a different IP, it will not be able to manage the firewall.

Now what we need to do is test the Internet connection after configuring our WAN interface, to see if our firewall can successfully reach the Internet. Go to Investigate, then System Diagnostics, choose the Ping diagnostic tool, ping Google DNS for example, choose our X1 interface, and go. Perfect, it says the host is alive, which means that we can reach the Internet. So that's it for this video. Please, if you have any other questions, don't hesitate to ask me, and good luck.
15. VLANs: In this video, we will see how to create VLANs in our SonicWall firewall. But before that, let's scroll and see our topology. This is the topology, and we are here in our SonicWall firewall. We will create VLANs on our firewall. So our firewall needs to be linked to our switch, and those VLANs need to be created in the switch also. The switch port connected to our firewall needs to be in trunk mode, and this is a configuration example of a Cisco switch. So we need to put this switch port here in trunk mode and allow our VLANs. Perfect. Now let's go back to our firewall.

Now before creating the VLANs, the best practice is to create a separate zone for each VLAN to prevent VLANs from talking to each other. So let's go and navigate to Manage, then Network, and here in Zones. To create custom zones, we will do Add. Here in Name, we put the name, for example Sales, and in Security Type, make it Trusted. And of course, I will uncheck those settings to prevent the Sales zone from talking to all other zones, and I will do OK. I will create another zone. For example, I will name it Management, check this, and I will do OK.

Now I will go to Interfaces here, and in the Interface Settings we can find here that we can add an interface. If we pull down the drop-down menu, we can see Virtual Interface. So here we can create our VLAN. Here in Zone, it's unassigned, and we'll assign it to Sales. Here in VLAN Tag, I want it to be VLAN 10. So this is the ID of the VLAN. If we come back to the topology, we have VLAN 10 and VLAN 20 here. I will put the VLAN ID 10. This is the ID of the VLAN. Here in the Parent Interface, the interface is X2; I will choose X2. Here we'll put an IP ending in .1. And I can enable management if I want. Only enable ping, and I will do OK. Then I will go and create another VLAN. I will assign it to Management and give it the ID 20. I will also select the parent interface X2, and I will give it an IP address. Only ping, and I will do OK. Yes.

Now if we go here to the X2 interface, we can find that we have our VLANs under it, VLAN 10 and VLAN 20. And if you want to know, they are sub-interfaces; like we said, it's a VLAN sub-interface. Now we created VLAN 10 and VLAN 20 under the X2 interface. In our switch, if you configure it, you put this interface here in trunk mode, and you have those VLANs created in the switch, the connectivity should pass between the SonicWall and the switch. That's it for the VLANs. Please, if you have any other questions, don't hesitate to ask me. And good luck.
16. DHCP Server: In this video, we will see how to configure the DHCP server in SonicWall. The SonicWall firewall can also serve as a DHCP server and provide our end users with IP addresses, gateway and DNS. So if we go to Manage, then under System Setup, Network, and go to DHCP Server, from here we can configure our DHCP server. So if you notice here in Enable, the DHCP server is checked by default. I want you to be aware of that: by default, the DHCP server in our firewall is enabled. If you have another DHCP server in the network, that might cause a conflict. So please be aware of that. By default, we have a dynamic scope with our X0 interface, which is our LAN interface. So from here we can add our dynamic or static scope. And here in Current DHCP Leases, from here we can find our DHCP leases. So for example, this machine here, which is a new virtual machine with this MAC address here, has this IP here allocated from our DHCP server, which is our firewall. Go to VMware, and this is my virtual machine. And if we go to the firewall and you go to Settings, the first adapter, which is our X0 interface, is LAN Segment, and the LAN segment is LAN Zone X0. So if I go to my virtual machine settings, here in the network adapter, I will find that it is also in the same LAN segment. If I try to find the IP address of my machine, it says 192.2184168, and it's the same IP as in our firewall.

Now what I will show you is how to create a dynamic scope. First, we'll go to our interfaces and I will enable the X3 interface. Assign it to a zone; here, put it in the LAN zone. I will fix the IP address, 172.16.1.1. I will enable ping and I will do OK. OK, perfect. Now I will go back to the DHCP server, and we'll try to make a DHCP scope for this interface. Let's go here. In Scopes, I will press Add Dynamic. Perfect. Now we can find here a parameter that is checked, which is "Enable this DHCP scope". We can create a scope, but we can choose to either enable or disable it, so take that into consideration. The first setting we have is the Range Start and the Range End, where we put the range that we want our end users to get. We have two options here. We can either fill those settings here manually, or we can use this cool feature that SonicWall provides us with, which is Interface Pre-Populate. If we check it, it will ask us to select an interface, and I will select my X3 interface, and it fills the configuration for us automatically. After that, we can either modify the range start, or modify the gateway or the mask. So perfect. Now we can choose DNS. From here, we can either inherit it from SonicWall's DNS settings or specify it manually. And here in Advanced, if we have a call manager, we can put its IP address, if we have VoIP servers and phones. We also have DHCP Generic Options; we will see that later. For now I will do OK. Perfect. And this is our scope here. It says it's created on Interface X3.

Now what I will do is go to the firewall in VMware and create another LAN segment. This is my X0 interface, this is my X1, X2, and this is my X3 interface. Here in LAN Segment, I will add a LAN segment. I will rename it X3. I will do OK, then I will choose it. I will go to my machine and I will do the same thing: LAN segment, I will choose X3, and OK. Now I need to renew my IP. So I will do dhclient; I will add -v to be verbose. Like we see here, we get our new IP. So if I do ifconfig and the name of the interface, this is my new IP, 172.16.1.250. If I do ip route, I can find that my gateway is the IP of the X3 interface in my firewall, which is 172.16.1.1. So let's go to the firewall and check that. If I refresh here in the leases, we can find that our Ubuntu virtual machine took the new IP here. Perfect.

Now let's go and see how to set a static IP. For example, I will set a static IP for my Ubuntu machine. So what I need to do is copy the MAC address. I need to go here and Add Static. Then I will make sure that "Enable this DHCP scope" is enabled. I will put, for example, a friendly name, let's say Server. Static IP: I want it to be 172.16.1.100. This is the MAC address. The gateway is 172.16.1.1. Subnet is 24. And don't forget DNS; it's inherit from SonicWall's DNS settings, so I will keep it. I will do OK. We got an error that says that 172.16.1.100 overlaps with the entry, and this entry is our range from our dynamic scope. What we need to do is make the entry out of the range. I will go to the range and I will put 99, and I will do OK. Then I will go back and Add Static. I will name it Server. Then I will put again the IP 100, the MAC address, gateway, subnet. I will do OK. Perfect, configuration has been updated. Please be aware of that: if you want to add a static scope, it needs to be out of the range of our dynamic scope.

If we go to our Ubuntu, if I do dhclient again to get a new IP, this is it, I got it. If I do ifconfig and the name of the interface, it keeps showing this. But here in "bound to", it says that we got the IP 172.16.1.100. Let me see. It keeps showing the old IP. We have the new IP. Here it is. If we go back here to the firewall and refresh here, there it is. We can see that we have the lease for our Ubuntu machine, and this is the IP that we fixed in the static scope. And in the Type, it tells us that it's a static IP. So perfect.

Now the last thing that I want to see with you is DHCP options. To configure DHCP options, you need to go here in this Advanced button, here in Option Objects, press Add Option and put your name for the option. For example, if we want to add an option for TFTP: TFTP, the option number, we need to find option 66. Here in the option value, we need to put the IP of our TFTP server. I will put here, for example, an IP. I will do OK. Perfect. If we have more than one option, I can go to Option Groups and group all my options. Otherwise, I will do OK. To apply the option, we need to go to the scope. I will go to my dynamic scope of this range here, and I will do Configure. Here in Advanced, I need to scroll down, and here in DHCP Generic Options, here in None, I will pull down the drop-down menu. From here I can find my option, which is TFTP. I will select it, and I need to make sure that "Send generic options always" is checked, and I will do OK. Perfect. That's it for DHCP configuration. Please, if you have any questions, don't hesitate to ask me. And good luck.
17. Port Forwarding: In this video, we will see port forwarding, what it is and when to use it. So port forwarding is a technique that is used to allow external devices to access our internal servers. It does this by mapping an external port to an internal IP and port. You can use the same public IP to map multiple internal servers, but the external port should be different. You will need to use port forwarding if you have, for example, an internal web server that you want to be accessible by your clients or employees that are outside of your network. Perfect.

Now let me show you the topology that we will work on in this video. This is our firewall, and this is our X1 IP address, which is our WAN interface. We will pretend that this is a public IP, and this is the internal IP of the firewall; it's the IP of X0. And we have a web server that is connected to the LAN interface of the firewall, and this is its IP. And here we have our firewall connected to the Internet. And this client here will try to access this web server here by using the public IP of our firewall. The firewall will redirect his request to our internal web server. So perfect. Now let's go and see how we can do it.

Let's go to my firewall. SonicWall makes it easy for us and creates a wizard that we can use here in the top, in Quick Configuration. If we go here, we can find that there is a wizard to follow, so we can publish our internal server publicly. But I will not use this wizard now. I will show you how to create the policies and configuration manually, and at the end of this video we will see how to do it with the wizard also. Perfect. I will exit the guide. Let me go with you to my VMware machine. And here in my firewall I will show you how I connected my clients and my web server. This is our firewall in Settings. This is our X0 interface, which is our LAN interface. It's in LAN Segment and it's going to the LAN segment. I'll do OK. Here in Windows 10, this is our internal client also. This is an internal client; it's also going to be on the LAN X0. And our web server should also be connected to the LAN X0. Here it is. And our external user, which is this client here, will be our main host. So my OS will be the client from where we will test and access the internal server. So like we said, I am connected to the firewall using its public IP. That means that my host is on the outside of the firewall, and it's perfect to test and access the firewall from outside. So perfect.

Now if I go back to my web server, it's a Linux machine. I have installed Apache on it. So I've installed Apache by using the command apt install. Like this, the port that our Apache is listening on is port 80. To see that, we need to type the command netstat. Perfect. This is port 80 used by our Apache server. And the IP address of our machine: let's see what the IP is. So the IP is 192.168.168.200. And of course it should be a static IP.

Now let's go to our firewall. The first place we need to go to is the access rules. We need to go to Manage. In the left side under Policies, we need to go to Rules. Here in Access Rules, those are our access rules. Like we know, our clients will come from the WAN interface toward our LAN interface. So from here, we will choose From WAN To LAN. Perfect, and from here we will add our rule. Go to Add. In the policy name, give it a friendly name, for example Web Server. Here in the Action, of course it will be Allow. Here in From, it will be from WAN to our LAN interface. Source Port will be Any. And here in Service, we will choose HTTP. It's HTTP. Here in Source, our clients will be on the Internet, so of course we will choose Any, because we can't know their IPs. And here in the Destination: our clients will come from the WAN interface, and they will enter in their browser our public IP to access our internal server. So here in Destination, we need to choose our X1 IP address. So let's go and find X1 IP Address. There it is. I will leave the following fields like they are. Let's check our policy again. Our clients will come from the WAN interface towards our LAN interface, and Source Port will be Any. The service: they will hit port 80, so we need to choose HTTP. In Source, we can't know, like I told you, all our clients' IP addresses because they are on the Internet, so we will choose Any. And here in the Destination, we will choose our X1 interface; we will choose our X1 IP Address. And after this access rule, we will create another policy, a NAT policy, that will handle the translation of the traffic from the X1 interface to our internal web server IP. Now I will do Add, and Close, and this is our policy.

So the next step we need to do is to go to NAT Policies here under Rules. From here we will create our policy. We'll do Add, and I will name it, for example, Inbound Web Server. Here in the Original Source, we will choose Any, because like I told you, this is the IP of our clients. We don't know our clients' and users' IPs, so I will choose Any. In Translated Source, I will keep it Original. We don't want to translate our clients' IP; we want it to be as it is. So I will keep Original. In the Original Destination, I will choose my X1 IP Address. This is the IP of my WAN interface. And Translated Destination, here we choose our internal IP address. I will go and create a new Address Object. I'll name it Web Server. This is my internal web server. Here in Zone, it's in the LAN zone, so I will choose LAN. I'll keep it to Host. And here I will type its IP. It's 192.168.168.200. OK, perfect. Now the Original Service, we will choose, of course, HTTP. Translated Service, we will keep it Original. And here in the Inbound Interface, of course our clients will come from our X1 interface, so I will choose X1, and I will do Add. Perfect, our policy is added. To check it, we need to go here to View and choose Custom. And this is our policy. Again, here in Original Source, this is the IP of the clients. It will be from the WAN interface, so I chose Any. Translated Source: we don't want to mess with their IPs, so we will not translate them; I keep them Original. And the destination interface, it will be X1. X1 IP Address will be translated to our internal web server. And Service, of course, is HTTP. That's it. That should do the job.

So let's go and try to access our internal web server from our main host. I will try my firewall public IP, which is 192.168.0.21. Perfect. I can see that I access the Apache default page. There it is. So perfect. Refresh again and see if it's fixed. I can successfully access it.

One important note that I want to make here is: if you have enabled management through your WAN interface, please make sure that you are not using port 80. If we go to our firewall, we go here in System Setup under Appliance, here in the Base Settings. If we scroll down, we can see that I'm not enabling management via HTTP. So if you enable it, please make sure to change this port to another port. Or if you are using HTTPS, like we are using now, we are using the HTTPS port, and you want to publish a web server that uses HTTPS, you either change the port of your firewall or use a different port to access your internal web server. So perfect.

The next thing we will see is how to use a different port to access our internal server. Let's go to our rules. For example, we access our internal server using port 80. Now we will show it using port 8080. So let's go back to the firewall, and here in our policy, I will go and edit. Here in Service, instead of HTTP, I will create a new service. I will create a new service and name it Port 8080. The protocol, I will choose TCP. We put 8080 in the port range, and I will do OK. Perfect, it's changed now. Let's do OK. Now we need to go and change the NAT policy also. Let's go and edit it. Here in the Original Service, we need to choose the port that we just created. So let's go and choose it. Here it is. Translated Service, here we need to choose HTTP. There it is. Let's do OK. Perfect. Now let's go back and try to access our internal server using the new port. Perfect, we can perfectly access it.

So now I will show you another scenario. If our internal users try to access the internal web server using the public IP, they will not be able to access it, so let's go and test that. Let's start my Windows 10 machine. Open the browser, type our firewall public IP. Of course, we will use port 8080. So let's hit Enter. We are unable to access our internal web server using the public IP of the firewall. So what we need to do is to create a loopback NAT policy to be able to access it that way. Let's go back to our firewall and see how to do it. From the NAT Policies, I will create another policy, and I'll name it NAT Loopback. In the Original Source, we will choose Firewalled Subnets. By choosing Firewalled Subnets, we chose all the internal subnets in our firewall, so our internal users can access our internal web server using the public IP of the firewall. And here in the Translated Source, we need to translate those subnets to our X1 IP address. So let's go and choose X1 IP Address. Here it is. It's our WAN IP. In the Original Destination, we will choose X1 IP, because our internal users will enter the X1 IP address in their browser to access the internal web server. So I hope that this makes sense to you. Here in Translated Destination, of course, we will choose our web server. Here in the Original Service, we will choose Port 8080; go and choose it. In the Translated Service, we will choose, of course, HTTP. Go Add, and Close. The policy is created, and that should do the job. So if we go back to our client, let's try it again. Perfect. We can now access it.

Now let's see how to do all that quickly using the Quick Configuration wizard of SonicWall. But first, let's go back to our firewall. Let's delete all the policies that we created. Delete, Delete Selected. Now let's go and delete the access rule, and delete the NAT rules. And OK. Now if I go back and I delete cookies, let's see. Now I will try to access my internal web server again. I cannot access it, so let's go to the firewall, and I will go here in the top, Quick Configuration, and select Public Server Guide. It says: quickly configure your SonicWall to provide public access to an internal server. OK, let's do Next. In Server Type, it asks us if it is a web server, or FTP, or mail, or a terminal server. We also have another option, which is Other. If we choose Other, we can type manually the number of the port. If we do Other, we can go ahead and either select a service from here or create a new service. For me, it's a web server, so I will select Web Server, and I will say that it's only HTTP. And I will do Next. We put the server name; for example, I'll name it Apache. Here I need to put the server IP. This is the internal IP. I can put a comment if I want, and I will do Next. The public IP of our firewall is this. That's correct. So I will do Next. We will not modify it. It shows us a summary of the configuration. So this is what the firewall will create; this is what this wizard will create for us. It will create for us an address object for our private IP address, and also the X1 IP Address, which is assigned to our WAN interface; there it is, the IP. And also it will create a service group named Apache Services with the HTTP service, which is port 80. And also it will create the policies. This first policy is the inbound policy, which we created together manually before. This is the policy that allows us to access the internal web server externally. And the third policy is the policy it will create to allow our users to access the web server using the public IP address. And also it will create for us the access rule from WAN to LAN. Perfect. Now let's do Apply and let the firewall create it all. Close, and let's go and see what the firewall created for us. The three rules. Those are the three rules. Perfect. Here in the Access Rules, it created for us a rule from WAN to LAN allowing the Apache service on port 80. Now if we go to our client, if we refresh here, we should access the server using port 80, and remove port 8080. Perfect. We can successfully access it.

Now if you want to use a custom port rather than the default port, which is port 80, like we did in our example where we configured port 8080, let's see how to do it. So let's go to the firewall, and here in the access rules, go and modify the first rule. Here, instead of the Apache service, let's go and search for our Port 8080 that we created before. There it is, and let's do OK. Now go to the NAT policies. In the Original, in the third policy, go and modify the Apache Services to Port 8080, Translated Service Apache. We can also select HTTP because they are using the same port, which is port 80. OK. Let's go and change the Firewalled Subnets one also. We can allow our internal users, like the Windows end user, to access the firewall using the new port; I mean the internal server. So in the Original, of course, choose Port 8080. Perfect. I will choose the Apache Services, and I will do OK. Now here in my main host, if I try to access the internal server using the new port, I will... perfect, that's it. So let's type the IP of the firewall and give it the port 8080. And let's hit Enter. Perfect. I can perfectly access it; there it is. Now let's go and test our internal user. Create a new tab. I will do IP and port. And let's hit Enter. Perfect. I can access it. Perfect. This is it for this video. Please, if you have any other questions, don't hesitate to ask me, and good luck.
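The following is an added worked example, not part of the course or of SonicWall's own software: a small model of how the two NAT policies built in this lecture (the inbound policy and the loopback policy) rewrite a TCP packet, and why the loopback policy also translates the source. Addresses follow the lecture's lab (X1 public IP 192.168.0.21, web server 192.168.168.200, external port 8080 mapped to 80); the LAN subnet 192.168.168.0/24 standing in for "Firewalled Subnets", the client addresses, and the first-match ordering are assumptions for the example.

```python
"""Model of the inbound and loopback NAT policies from the port-forwarding lab."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "any"
X1_IP = "192.168.0.21"          # WAN ("public") IP of the firewall, from the lecture
WEB_SERVER = "192.168.168.200"  # internal Apache server, from the lecture
# Assumption: the LAN X0 subnet is what "Firewalled Subnets" resolves to here.
FIREWALLED_SUBNETS = [ip_network("192.168.168.0/24")]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    inbound_zone: str  # zone of the interface the packet arrived on: "WAN" or "LAN"


@dataclass(frozen=True)
class NatPolicy:
    name: str
    orig_src: object              # ANY or a list of ip_network (Firewalled Subnets)
    trans_src: Optional[str]      # None means "Original": leave the source alone
    orig_dst: str
    trans_dst: str
    orig_service: int             # TCP port the client connects to
    trans_service: Optional[int]  # None means "Original"
    inbound_zone: str             # ANY or a zone name


def _src_matches(policy: NatPolicy, pkt: Packet) -> bool:
    if policy.orig_src == ANY:
        return True
    ip = ip_address(pkt.src_ip)
    return any(ip in net for net in policy.orig_src)


def matches(policy: NatPolicy, pkt: Packet) -> bool:
    """All four original fields plus the inbound interface must match."""
    return (_src_matches(policy, pkt)
            and pkt.dst_ip == policy.orig_dst
            and pkt.dst_port == policy.orig_service
            and policy.inbound_zone in (ANY, pkt.inbound_zone))


def apply_nat(pkt: Packet, policies: List[NatPolicy]) -> Tuple[Packet, Optional[str]]:
    """Rewrite the packet with the first matching policy (a simplification of
    SonicOS policy ordering). Returns the untouched packet and None if no
    policy matches, which is what the internal client hits before the
    loopback policy exists."""
    for p in policies:
        if matches(p, pkt):
            translated = replace(pkt,
                                 src_ip=p.trans_src or pkt.src_ip,
                                 dst_ip=p.trans_dst,
                                 dst_port=p.trans_service or pkt.dst_port)
            return translated, p.name
    return pkt, None


# The two policies exactly as configured in the lecture (8080 -> 80 variant).
INBOUND = NatPolicy("Inbound Web Server", ANY, None, X1_IP, WEB_SERVER, 8080, 80, "WAN")
LOOPBACK = NatPolicy("NAT Loopback", FIREWALLED_SUBNETS, X1_IP, X1_IP, WEB_SERVER, 8080, 80, ANY)


def external_client() -> Tuple[Packet, Optional[str]]:
    # Constructed Internet client (TEST-NET-3 address) hitting the public IP.
    pkt = Packet("203.0.113.5", X1_IP, 8080, "WAN")
    return apply_nat(pkt, [INBOUND, LOOPBACK])


def internal_client(with_loopback: bool) -> Tuple[Packet, Optional[str]]:
    # Constructed LAN client (the Windows 10 machine) using the public IP.
    pkt = Packet("192.168.168.50", X1_IP, 8080, "LAN")
    policies = [INBOUND, LOOPBACK] if with_loopback else [INBOUND]
    return apply_nat(pkt, policies)


def needs_source_nat(original: Packet, translated: Packet) -> bool:
    """Why the loopback policy translates the source to X1 IP: when client and
    server sit in the same firewalled subnet, a reply from the server's real
    IP would go straight to the client, which expected an answer from X1 IP,
    and the TCP session would break. Translating the source forces the reply
    back through the firewall, which undoes both translations."""
    client = ip_address(original.src_ip)
    server = ip_address(translated.dst_ip)
    return any(client in net and server in net for net in FIREWALLED_SUBNETS)


if __name__ == "__main__":
    print("external :", external_client())
    print("internal, no loopback :", internal_client(False))
    print("internal, loopback    :", internal_client(True))
```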
18. WAN Failover & Load Balancing: Hi. In this video we will see WAN failover. Failover enables you to configure one of the network interfaces as a secondary WAN port. The secondary WAN port can be used in a simple active/passive setup to allow traffic to be routed only through the secondary WAN port if the primary WAN port is unavailable. This allows the firewall to maintain a persistent connection for WAN port traffic by failing over to the secondary WAN port. We can also load balance traffic between the two WAN ports to benefit from the bandwidth of both interfaces. We will see how to do all of that.

But the first thing we need to do is to add the second WAN port, and I will start with the VMware machine. So if we go to our VMware machine, here in our firewall, if we go to Settings, I want my X3 interface in the firewall to be my second WAN interface. So this is my X0 interface, this is X1, this is X2 and X3. And by default, all the interfaces are bridged. So I have my first interface, X1, bridged. My X3 interface, I want it to be NAT. So both interfaces X1 and X3 are WAN interfaces with Internet connections on them. Perfect. Now the NAT is here on the X3 interface, which is network adapter 4. I will do OK. Then I will go back to the firewall. I will go to Manage, here in the left side under System Setup, and I'll go to Network, Interfaces. I will go to my X3 interface and edit it. Here in Zone, I will choose WAN. It's important to choose the WAN zone because, in order for the interface to appear in the group of load balancing and failover, it should be in the WAN zone. So I will choose WAN, and here in the IP Assignment, you can either keep it static or change it to DHCP. For me, I will choose DHCP. We'll enable only ping, and I will do OK. Perfect. Now our interface X3 has an IP address. Here it is, it's 192.168.112.155. Perfect. And if we go to our X1 interface, we can notice that here in Group, it says it belongs to the Default Load Balancing group. The next thing we need to do is to assign this interface here to the Default Load Balancing group. So to do that, we need to go to Failover & Load Balancing. Here we can see that in Settings, by default, Enable Load Balancing is checked, so load balancing is enabled by default. Now to add the interface to the Default Load Balancing group, we need to go here and configure the group. And here in Members, we can see that our X3 interface appears there. We need to select it and then do Add. And we need to do OK. Perfect. Now we can see that it is in the group. So if we go to Interfaces, here in Group, we can see that it is assigned to the Default Load Balancing group. Perfect.

Now let's go back to the Failover & Load Balancing tab. And if we go into Configure, here in the Type, we can see that it's Basic Failover. Basic Failover means that if the primary WAN interface fails, our traffic will be routed to the X3 interface, which is the second member in the group. And here we can find that "Preempt and failback to preferred interfaces when possible" is checked. That means that if we lose our X1 interface and the X3 interface handles our traffic, and then we recover our X1 interface, all the traffic will again be routed to X1. Make sure to choose it if you want all the traffic to be routed again to the primary WAN interface, which is in our case the X1 interface. Now I will do OK.

We will go and test our configuration. Let's go to my Windows machine; it's connected to my LAN interface. So here in network adapters, we can see that it's connected to our LAN interface. I will do OK, and if I open a command prompt, I'll do tracert 8.8.8.8. I can see that we use the IP 192.168.0.1, which is the gateway of our first WAN interface. So let's go back to the firewall and go back to the interfaces. So this is our X1 interface, and this is its IP. So 0.1 is the gateway of this interface. Perfect. If we go back here to Failover & Load Balancing, in Statistics, we can see that here in New Connections, the X1 interface handles 100% of the traffic. That means that it handles all the traffic. Here in Connections, we can see that it has handled all of them. Let me go and generate some traffic. I will open the browser. I will go, for example, to Facebook, Reddit. And if we go back to the firewall, we can see in New Connections that the number goes up. If we refresh, all the traffic passes through our X1 interface.

Now to test our configuration, what I will do is go to the VMware machine. In Settings, we'll go to my X1 interface, which is network adapter 2. I will disconnect the interface. That's like unplugging the cable from the firewall. I will do OK. Now I will go back to my Windows machine. Ping 8.8.8.8 to see if I have Internet or not. Perfect, I have Internet. Now if I do tracert, I can see that I'm using a new gateway, which is the gateway of my second WAN interface, the X3 interface. OK, perfect. Now let's do tracert again. We are using it again. Perfect. You can see that we have Internet access also. So perfect. Now I will definitely lose access to the firewall from my host machine, because I disconnected the interface from where I am connected to the firewall. So if I refresh here, I will not be able to access the firewall. What I will do is go and open a new tab, and I will access the firewall using its new IP, which is .10. Let me make this bigger. Login. Now if we go to Manage, then we go to Network, and here in Failover & Load Balancing, we can see from Statistics that the link is down. From here we can see that our X3 interface is handling 100% of all the traffic. So perfect. Now we know that our failover configuration is working properly.

So I will go back to the firewall in VMware. I will connect the interface again. From here? Yes. I will connect it, and I would like to test the preempt configuration. So I will do OK. And I will see, when the interface is now connected, if the firewall reroutes to the interface again, to the X1 interface. From here, I will try to ping again. Perfect, I have ping. So yes, I can see that I'm using the gateway of my X1 interface again. In the firewall, if I refresh, I can see it from Statistics. In the group, the X1 interface is again handling all the traffic. Perfect.

Now let me go back to the main host. I'm in Non-Config mode here, so let me grant access to configuration mode. We'll go here to Appliance, and I will go here in the Base Settings. I will choose Configuration Mode. We'll do Config. Perfect. Now I am in configuration mode. Now let me go back here. One other thing that I want to show you here in the failover is, if we go here in Configure, for example, if we want our X3 interface to be the primary WAN interface, we can simply select it, and here in this move up arrow, we can press it. Now we can see that our X3 interface is the primary interface. And we can do OK. Now let's refresh, go and generate some traffic in our client. Refresh this. There, we're going to finish this, and let's go and see our firewall from here. In the New Connections, we can see that our X3 interface is the primary interface, and here is the number of connections now. So perfect. Let me refresh. Perfect. Now let's go back to the group. We'll make the X1 interface the primary interface again.

Now let's go and see the types that we have in load balancing. If we pull down the drop-down menu, we can see that the first algorithm of load balancing that we have is Round Robin. So basically Round Robin will distribute our clients' requests across all our WAN interfaces that we have here in this group. In that way, we will not benefit only from the bandwidth of one interface, but we will benefit from the bandwidth of all the interfaces that we have selected here. So perfect. In Spillover, Spillover asks us to enter a bandwidth; here, for example, I would enter 100 kilobytes. So it tells us: when the bandwidth exceeds 100 kilobytes on the X3 interface... it still considers the X3 interface as the primary interface. OK, to take X1 as the primary interface, let me go back again. Perfect, X1 is the primary interface. Now it tells us that when the bandwidth exceeds 100 kilobytes on our primary interface, the new flows will go to the next group member in a round robin manner. What that means is, when we hit this threshold here on our X1 interface, all new traffic will be routed to the next interface, which is in our case the X3 interface. If we have another interface here, all the traffic will be routed to it when our X3 interface also hits this 100 kilobytes. Perfect. Now if we go to Type, the last type we have is Ratio. What Ratio is, it helps us to set a fixed percentage for each interface. By default, it puts 50% on the first interface and 50% on the X3 interface. So to change this percentage here, we can select the interface and change the
percentage from here, press modify ratio, and you go to the
second, third phase. For example, cure GI and to
modify ratio and perfect. Now we can see that 70% of the traffic will be routed throat our X1 and X2 interface. And only 30% of the traffic will be routed
to our experiential phase. For example, if we have in
our X1 and X2 interface is more bandwidth than
our exponential phase. We can modify the ratio as that. Or we can simply modify it and toe or the auto adjust to
relate to the firewall, decide how much traffic will be passed throught
each intial phase. Doggy to save the configuration. So perfect. I will just read you
the road Robin type. So if we go ahead and choose
round robin will keep X1, the primary interface and the extra edge secondary
anterior face. And it will do okay. Now I will go to my Windows machine and I
will generate some traffic. So I will refresh here, and it will refresh all that they will access
to you to also, if we go back to our firewall, we can see that boat until
faces are angling traffic. So we can see that
same connection goes to X1 and X2 phase,
exponential phase. You can see, like we see, the percentage is even
between the two phases. And the way that we
can benefit or it's formed bandwidth of
both interfaces. For example, if we are megabytes in first and interface
and ten megabytes in second nature phase, we will be notified from a maximum bandwidth
of 20 megabytes, and that's a good ten. So perfect. Now what we'll see
with you is the probe. If we go ahead and configure
each interface, for example, it's such by the
first interface, which is our x1 and G2 phase. And each digit, we
can see here that the settings by default chosen
only physical monitoring. That mean that only you check if the
interface is up or down. And that's it. But we don't want that
because for example, we can see loved interface up, but we'd know angina, it's connection in
the anterior face. What are we going to
do is I will chose logical slash probe
monitoring enabled. There in the drop-down menu. I can either choose up 68
when main target response, or mean boat main targets and
alternate target respond. I prefer to chose this enable the main and alternate
targets forum here we can choose to keep the default responder of sonic wall or choose
another responder, or they prefer to though is
here in the main target. I keep it as sonic wall and they are
in the alternate target. I chose pink. For example. I chose a reliever server
in the Internet to pink, for example, H dot eight
dot 88 and a donkey. Now I will go into the same ten for the exponential phase. We can already see in our X1 and X2 interface that
the target is alive. And alternate target
also is unlike perfect. Notice sort of fresh. Now our exponential
phase is alive. So perfect and the way that we can monitor our interfaces. And as soon as one of the interfaces loads
gonna activity. Both targets or the
anterior face link is down. We can automatically switch
to the other until phase that we see it off without
laws in the conductivity. So that's it for this video. Please. If you have questions, don't hesitate to ask
me and good luck.
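Here is an added example (not SonicWall code, written for this page) that models the group types of this video as a small Python simulation: failover with and without preempt, round robin, spillover at a threshold, ratio, and the physical versus logical probe rule that decides whether a member counts as available. The interface names, the threshold, the 70/30 ratio and the probe states are assumed values.

```python
"""Constructed model of the WAN failover / load-balancing group from the video.

Added example, not SonicWall code: interface names, the 100 threshold, the 70/30
ratio and the probe results are made up to show how each group type picks the
interface for a new flow and how probe monitoring changes what "available" means.
"""
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, List, Optional


@dataclass
class WanInterface:
    name: str
    link_up: bool = True
    main_target_alive: bool = True       # e.g. the default SonicWall responder
    alternate_target_alive: bool = True  # e.g. ping to 8.8.8.8
    load_kb: float = 0.0                 # current bandwidth, used by Spillover
    probe_mode: str = "physical"         # "physical", "main" or "both"

    def is_available(self) -> bool:
        """Physical monitoring only looks at the link; logical probing also
        needs the main target (or both targets) to answer."""
        if not self.link_up:
            return False
        if self.probe_mode == "physical":
            return True
        if self.probe_mode == "main":
            return self.main_target_alive
        return self.main_target_alive and self.alternate_target_alive


class WanGroup:
    """First member is the primary interface, as in the group's member list."""

    def __init__(self, members: List[WanInterface], mode: str = "failover",
                 spillover_kb: float = 100.0, ratios: Optional[Dict[str, float]] = None,
                 preempt: bool = True):
        self.members = list(members)
        self.mode = mode
        self.spillover_kb = spillover_kb
        self.ratios = ratios or {m.name: 100.0 / len(members) for m in members}
        self.preempt = preempt
        self._rr = cycle(self.members)              # round-robin position
        self._spill_rr = cycle(self.members[1:])    # "next group members" for spillover
        self._active = self.members[0]              # remembered when preempt is off
        self._credit = {m.name: 0.0 for m in self.members}  # ratio bookkeeping

    def available(self) -> List[WanInterface]:
        return [m for m in self.members if m.is_available()]

    def _next_from(self, ring, avail):
        """Advance a round-robin ring until it lands on an available member."""
        for _ in range(len(self.members)):
            m = next(ring)
            if m in avail:
                return m
        return avail[0]

    def pick(self) -> Optional[str]:
        """Interface a new flow is sent to, or None if no member is usable."""
        avail = self.available()
        if not avail:
            return None
        if self.mode == "failover":
            # highest-priority available member; with preempt the primary takes
            # over again as soon as it is back, otherwise we stay where we are
            if self.preempt or self._active not in avail:
                self._active = avail[0]
            return self._active.name
        if self.mode == "round_robin":
            return self._next_from(self._rr, avail).name
        if self.mode == "spillover":
            # stay on the primary until its load passes the threshold, then send
            # new flows to the next members in round-robin order
            primary = self.members[0]
            if primary in avail and primary.load_kb <= self.spillover_kb:
                return primary.name
            others = [m for m in avail if m is not primary]
            return self._next_from(self._spill_rr, others).name if others else primary.name
        if self.mode == "ratio":
            # smooth weighted round robin: over 10 flows a 70/30 ratio sends
            # 7 to the first member and 3 to the second
            for m in avail:
                self._credit[m.name] += self.ratios[m.name]
            chosen = max(avail, key=lambda m: self._credit[m.name])
            self._credit[chosen.name] -= sum(self.ratios[m.name] for m in avail)
            return chosen.name
        raise ValueError(f"unknown mode {self.mode}")


if __name__ == "__main__":
    x1, x3 = WanInterface("X1", probe_mode="both"), WanInterface("X3", probe_mode="both")
    for mode in ("failover", "round_robin", "spillover", "ratio"):
        g = WanGroup([x1, x3], mode=mode, ratios={"X1": 70, "X3": 30})
        print(mode, [g.pick() for _ in range(6)])
```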
19. SD-WAN: After we have seen WAN failover and load balancing, the next thing we must talk about is SD-WAN. If you don't know what SD-WAN is, it stands for Software Defined WAN. It's a technology that uses the concepts of SDN, software defined networking, to provide software-based control over WAN connections. It enables organizations to build, operate and manage high-performance networks using readily available and low-cost public Internet services. It's an alternative to more expensive technologies such as MPLS. So in short, SD-WAN helps ensure more consistent performance and availability of critical business and SaaS applications. We can use SD-WAN to optimize the traffic to a SaaS application, for example, or to a business application. In this video, we will see how to optimize the traffic to the Zoom application and to the Office applications.

The first thing we need to have is interfaces, I mean at least two WAN interfaces. That's what we already have, because like we said in the previous video on WAN failover, we configured two WAN interfaces. If we go here to Manage, under System Setup, Network, we can find that we have two WAN interfaces: the X1 interface and the X3 interface. They are both in the WAN zone.

Now let's go and see how to configure SD-WAN. Still under System Setup, we need to go to SD-WAN. The first thing we have is SD-WAN Groups, where we choose and select the WAN interfaces we want to use to optimize the traffic to an application. If we go here to Add, we can find both of our WAN interfaces, X1 and X3. I select both, add them to this group, and rename the group WANs. Do OK. Please note that we can also have VPN tunnel interfaces in an SD-WAN group. In our case, we use the WAN interfaces because we want to optimize access to applications that are on the Internet. If you are at a remote site and have applications in the head office that you want to access, you can create two VPN tunnels between your sites and then use the VPN tunnel interfaces in an SD-WAN group.

Follow with me: in SD-WAN groups, we need to have at least one interface in the group. We cannot have a mix of WAN and VPN interfaces in the same group; a group cannot have a WAN interface and a VPN interface in it. So we need either only WAN interfaces or only VPN interfaces in a group. Also, we cannot use the same interface in multiple groups. For example, if I use this interface here, the X1 interface, in the group WANs, I cannot create another group and use this interface in it. And the maximum number of members in a group is ten; we can have ten interfaces in one group.

So now the next thing we have is Performance Probes. SD-WAN performance probes are used to determine performance metrics such as latency and packet loss for an interface. From here we can monitor our interfaces and find the health and quality of our links. So let's go to Add. The first probe I want to create is for the application Zoom, so I will name it Zoom. In SD-WAN Group, I choose my group WANs. In the probe target, we can either select and probe a public server, for example Google DNS or something else. But since we are creating this probe to monitor and optimize the traffic to Zoom, it's better to probe a Zoom server. To do that, let's go and find a Zoom server. I will go to Google and type Zoom servers URLs. I choose the first URL, which is zoom.us. In the probe target, I create a new Address Object, name it Zoom Server, and in the zone I choose WAN, because the server is on the WAN. In the type I choose FQDN, put zoom.us, and do OK. In the probe type, instead of ping I will do TCP port. We can see here that we can choose port 80 or port 443; we choose port 443. Do Add. Perfect. It will bring us some statistics here; we need to wait for it. It already shows us some results. We can see that in the latency we have 147 milliseconds, and it keeps changing. I have to admit it, I have a bad Internet connection, and that's why the latency is a little bit high. Normally, if you are using a more reliable and stable Internet connection, you will have lower values than what you see here.

We have created the probe for Zoom. Let's go and create another probe for Microsoft. I name it Office 365, and in the SD-WAN group I choose our group WANs. In the probe target, we need to enter a Microsoft Office server. I will do the same thing as for Zoom: I type Office 365 and go to the first URL. If we scroll down, under Exchange Online we can find some URLs. I want Office 365, so I choose this one. I go back here, create a new address object, name it Office 365, put the zone WAN, choose FQDN, paste the name of the server, and do OK. Back in the probe type, I choose TCP, and in the port, again 443. Do Add. Perfect. Now let's wait for it to give us some results. Perfect. We can see that we have less latency to Office than to Zoom: we have only 69, and on the second interface we have 73. It's better than the latency we have to Zoom.

Perfect. Now what we need to do is go to Performance Class Objects. A performance class object is used to configure the desired performance criteria for the application. We use it in the path selection profile to automate the selection of the interface used to access the application. By default, we can see that we already have three profiles created here, but it's better to create your own profile based on the recommendations of the application you want to optimize. Don't worry, I will explain that to you and show you how to get the recommendations of your application.

So let's create the first performance class object, for Zoom. Go to Add, and in the name, I will name it Zoom Class. To get the recommended latency and packet loss for Zoom, we need to go again to Google and type Zoom optimal latency jitter. Let's open the first link and scroll down. Here under Audio, Video and Screen Sharing, we can find that a latency of 150 milliseconds or less is recommended. Now we know what we need to put in the latency: 150 milliseconds. In jitter, it's recommended to put 40 milliseconds. For packet loss, the recommended setting is 2%. Those are the values to put. In my case, I cannot put those values here, because, like I told you, if we go back to the performance probes, I can see that my interfaces are really bad; my Internet connection is not good enough to meet those values. So if I put the recommended values, the problem we face is that my SD-WAN will consider my interfaces not qualified, and it will not use them to optimize the traffic to the application. For the sake of this video, I put higher values than the Zoom recommendations. But in your case, if you have a good Internet connection and better values than mine, you can follow the recommendations of Zoom like they put here. For me, I will put double those values: in the latency I put 300, in jitter I put 80, and in packet loss I put 4. Do OK. You need to be in config mode on the firewall for this; then do OK. I keep the rest as it is. Now I have the class for Zoom.

Now let's go and create another class for Office. We need to do the same thing as for Zoom: search for Office 365 network performance requirements and open the first link. Scroll down. Network performance requirements from Skype for Business to Microsoft network edge, no, that's not what we want. Let's keep scrolling. This is it: network performance requirements from your network edge to Microsoft network edge. The network edge is our router, or in our case our firewall. This is what we want. Here we can find that the best latency is less than 60 milliseconds, the best packet loss is less than 0.1 percent, and jitter is less than 15 milliseconds. Those are the recommendations of Office. Let me go to the firewall and see whether the probed interfaces meet those values or not. Also for Office, I don't meet those values, so I have to put higher values than the recommendations of Office. Like I told you, this is just for my case here. For you, you can follow the recommendations of your application, like Office or Zoom, to have better results. Now I will put, for example, let me see, 120 in the latency; in jitter I keep 80, and I keep the packet loss at 4. Do OK. Perfect. Now I have my own classes. Those are the values that I want my interfaces to respect. If one of the probes here goes higher than the values I put, the interface will be considered not qualified, and the firewall will use the other interface that is qualified.

Now go to Path Selection Profile. The path selection profile is where we put all our objects together, so we can say what the best path for our application is: we put the SD-WAN group, the performance probe, and the performance class we need to meet if we want our interface to be used by SD-WAN. So let's go to Add. I name it Zoom. I choose my group WANs, I choose the Zoom probe, and I choose the Zoom class. In the backup interface, it's better to choose a backup interface in case none of the interfaces of your group meet the values. If both of your interfaces are considered not qualified, SD-WAN will not route the traffic to the application we are trying to optimize, in our case here Zoom and the Office applications. If both of them are not qualified, we will not be able to access them. So it's better to choose a backup interface. In my case, I think the X1 interface is more reliable than the X3 interface, so I choose it as the backup and do Add. I create a second path for Office, keep X1 as the backup, do Add, and close. We can already see here in the interface status that our interfaces are qualified. From here we can find whether our interfaces are qualified or not. If an interface is not qualified, the firewall will use the other interface that is qualified in the same group. If both of our interfaces are qualified, like we see here, what the firewall will do is load balance the traffic between the two interfaces. Like that, we benefit from the redundancy, and we benefit also from the bandwidth of both interfaces. Like we see, X3 goes to not qualified and goes back to qualified; like I told you, I really have a bad connection, that's why I have that.

Now let's go to the SD-WAN policy. The SD-WAN rules page is where we create our policy to allow access to the application we want to optimize. If we go ahead and Add, in Source we can select the interfaces and zones that we want to access the application. In Destination we can either select a service, if we want to optimize a service using SD-WAN, but in our case we are using applications, so we need to select App. If we go here to App and pull down the drop-down menu, we find nothing. We need to enable Application Control and create a match object for the application Zoom and the Microsoft applications first, then come back and create the policy. What we need to do is cancel here and go to Application Control. Let's enable Application Control, enable logging for all apps, and Accept. Then go to Objects, Match Objects, and make sure to choose Application List Object. Let's create the object for Zoom. I uncheck the auto-generated match object name, type the name Zoom, and in the search box I search for Zoom. Here I find my result, and I click the plus sign. Now my application is in the applications of the group. Accept. Now this is my application, Zoom. Let me do another one for Office. I uncheck this again and name it Office 365. I try to find Microsoft Office. Like we see here, we can find the Microsoft Office application; plus sign. Let's see if we have Teams here, or if it's already included in the application. Let's see. No, it's not. Let me choose Microsoft Teams also. Accept. Perfect. Now I have an object for the applications that I want to optimize.

Let's go back to SD-WAN and create the rules. The first policy I will create is the SD-WAN policy for Zoom, so I name it Zoom. In Source, I choose my LAN users, which are in the X0 subnet. Perfect. In Destination, I keep it Any, because those are the IPs of the application we want to access, and I cannot know all the IPs of the Zoom servers; they change frequently. So I keep it Any and filter by app instead of IP: the IP can be anything, as long as the application is Zoom. I choose Zoom. In the path profile, I choose the Zoom path profile. In the metric, I give it 1. Do OK. Perfect. Let me make it smaller again. Now let's create another policy, Office. Again in Source we choose our X0 subnet, Destination Any, we select application and pick Office, in the path profile we select Office, in the metric we choose 1, and do OK. Perfect. This is all for the configuration.

What we need to do now is test our configuration. Before that, let me go back to the path selection profiles and see whether our interfaces are qualified or not. Now I go to VMware and access my Windows machine. This is a client in the LAN zone, in the X0 subnet. From here I will try to generate some traffic to Zoom and Microsoft Teams to test my rules. Let me make this bigger. I already have the Teams application and the Zoom application installed on my computer. What I will try to do is create a new meeting here in Zoom. In the same way, I will try to access, for example, Contacts, Whiteboard and Apps. I just want to generate some traffic with Zoom. The next thing I need to do is generate some traffic also in the Microsoft Teams application. I go ahead and start a meeting, Join now. Then I go to the calendar, for example. I just want to generate some traffic. I will leave the meeting; I want to generate as much traffic as I can.

Now let's go back to our firewall and check our SD-WAN logs. In the SD-WAN connection logs, we can find that we already have some traffic. You can see here in the source IP, this is the IP of our client, our Windows machine, and here are our destination IPs. Let's see what triggered it. This was triggered by the Office rule, I mean the Office policy; that means it is Microsoft Teams traffic. This is also traffic of Zoom. We can see that we have a lot of DNS traffic, so I will filter the traffic so that I see only the traffic of our applications. I don't want to see DNS, so let's go to Filter, and in the protocol I choose TCP and Accept. Perfect. Now we can see some traffic also to Office. Here it is: there is some Office traffic that chose X1, and also Office traffic that used the interface X1. Let's see the Zoom traffic: here it used the interface X1, and here it used the interface X3. Perfect. This is SD-WAN; I hope that you understand the details of it. Please, if you have any other questions, don't hesitate to ask me. Good luck.
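The following added example (not SonicWall code, written for this page) ties the SD-WAN objects of this video together in Python: probe samples are summarised into latency, jitter and loss and compared against a performance class, the path selection profile falls back to the backup interface when no group member qualifies, and an SD-WAN rule maps a LAN flow for Zoom or Teams to the right profile. The probe samples, the jitter formula and the hypothetical rule/profile objects are constructed; the class values are the doubled Zoom and Office numbers from the video.

```python
"""Constructed model of the SD-WAN objects configured above: performance probes,
performance class objects, path selection profiles with a backup interface, and
SD-WAN rules matched on zone and application.

Added example, not SonicWall code. The probe samples, the jitter estimate and
the rule/profile objects are made up for illustration; SonicWall's own
calculations are not shown in the video.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Constructed probe samples: round-trip latency in ms per TCP/443 probe,
# None meaning the probe got no answer (counted as packet loss).
PROBE_SAMPLES: Dict[Tuple[str, str], List[Optional[int]]] = {
    ("Zoom", "X1"):   [147, 151, 149, 153, 150],
    ("Zoom", "X3"):   [160, 420, None, 158, 162],
    ("Office", "X1"): [69, 71, 70, 68, 69],
    ("Office", "X3"): [73, 75, 74, 72, 73],
}


@dataclass(frozen=True)
class PerfClass:
    """Performance class object: the ceilings an interface must stay under."""
    latency_ms: float
    jitter_ms: float
    loss_pct: float


@dataclass(frozen=True)
class ProbeStats:
    latency_ms: float
    jitter_ms: float
    loss_pct: float

    def qualifies(self, cls: PerfClass) -> bool:
        return (self.latency_ms <= cls.latency_ms
                and self.jitter_ms <= cls.jitter_ms
                and self.loss_pct <= cls.loss_pct)


def probe_stats(samples: List[Optional[int]]) -> ProbeStats:
    """Summarise one probe: mean latency, jitter as the mean absolute change
    between consecutive answered probes (a constructed estimate), and loss as
    the share of unanswered probes."""
    answered = [s for s in samples if s is not None]
    loss = 100.0 * (len(samples) - len(answered)) / len(samples)
    if not answered:
        return ProbeStats(float("inf"), float("inf"), loss)
    jitter = (mean(abs(b - a) for a, b in zip(answered, answered[1:]))
              if len(answered) > 1 else 0.0)
    return ProbeStats(mean(answered), jitter, loss)


@dataclass(frozen=True)
class PathProfile:
    """Path selection profile: group members + probe + class + backup interface."""
    name: str
    members: Tuple[str, ...]   # the SD-WAN group "WANs"
    probe: str                 # which performance probe to read
    perf_class: PerfClass
    backup: str

    def select(self) -> Tuple[List[str], bool]:
        """Interfaces the flow may use, and whether the backup had to be used.
        Several qualified members mean SD-WAN load-balances across them."""
        qualified = [m for m in self.members
                     if probe_stats(PROBE_SAMPLES[(self.probe, m)]).qualifies(self.perf_class)]
        if qualified:
            return qualified, False
        return [self.backup], True


@dataclass(frozen=True)
class SdwanRule:
    name: str
    source_zone: str
    apps: frozenset            # the application match object
    profile: PathProfile
    metric: int


ZOOM_CLASS = PerfClass(latency_ms=300, jitter_ms=80, loss_pct=4)
OFFICE_CLASS = PerfClass(latency_ms=120, jitter_ms=80, loss_pct=4)
WANS = ("X1", "X3")
ZOOM_PATH = PathProfile("Zoom", WANS, "Zoom", ZOOM_CLASS, backup="X1")
OFFICE_PATH = PathProfile("Office", WANS, "Office", OFFICE_CLASS, backup="X1")
RULES = [
    SdwanRule("Zoom", "LAN", frozenset({"Zoom"}), ZOOM_PATH, metric=1),
    SdwanRule("Office", "LAN", frozenset({"Microsoft Office", "Microsoft Teams"}),
              OFFICE_PATH, metric=1),
]


def route_flow(zone: str, app: str) -> Optional[Tuple[str, List[str], bool]]:
    """Pick the lowest-metric rule whose zone and app match, then let its path
    profile choose the interfaces. None means no SD-WAN rule applies (the flow
    follows the normal routing table, like the DNS traffic in the log)."""
    matches = [r for r in RULES if r.source_zone == zone and app in r.apps]
    if not matches:
        return None
    rule = min(matches, key=lambda r: r.metric)
    ifaces, used_backup = rule.profile.select()
    return rule.name, ifaces, used_backup


if __name__ == "__main__":
    for zone, app in [("LAN", "Zoom"), ("LAN", "Microsoft Teams"), ("LAN", "DNS")]:
        print(zone, app, "->", route_flow(zone, app))
```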
20. Local Users: Hi, and welcome to the authentication section. In this section, we will see everything related to authentication, from creating local users, which is what we want to see today, to importing LDAP users and more. So, about local users: they are the users stored and managed in the firewall's local database, and they are called local users. We can use them, for example, to authenticate to our firewall, like we did when we created an administrator user. And we can use them also when we want to give access to a network resource or to the Internet. We will see all that in the coming videos. But for now, let's see how to create local users.

To do that, we need to go to Manage. On the left side, under System Setup, we need to go to Users, and from there to Local Users and Groups. From here, we can see that we have some settings. The first setting we have, which is also checked, is Apply password constraints for all local users. If you remember, we saw the password constraints in the Base Settings, when we saw how to configure the login security settings. So if we press here, it takes us directly to Appliance, Base Settings, and from here we can see the login security. We saw that in the Base Settings video. Perfect. Now let's go back to Users. If you want the password constraints to apply to your local users, keep it checked; if not, uncheck it.

Here we have another setting, which is Prune expired user accounts. That means that if an account lifetime expires, the user account will be deleted. If you uncheck the box, the account will simply be disabled after the lifetime expires, and you can re-enable it by resetting the account lifetime. If you want local users to be deleted after they expire, keep it checked. If not, and you want to renew accounts that are expired, uncheck it. Perfect.

Now, this is the display format. I prefer to keep it Automatic; it's just a display format. Here we have the inactivity timeout, and it's in days. We can see it here if we check this: we need to enable this option to prune inactive user accounts after the timeout. That means that if we create a user and we don't use this user to authenticate to our resources, like VPN, Internet access or something like that, the user will be automatically deleted after the days that we set here. So after you finish, please make sure that you press Accept so the configuration is saved.

Now let's go to Local Users and add a user. Here we give it a name, for example user, and a password; you need to repeat the password. If you check this box here, the user will be prompted to change his password at the next login, and will not be allowed to login until he does. Here we have the one-time password method. It's disabled by default. We saw this method in the Base Settings video when we configured it for the admin user. If we pull down the drop-down menu, we can see that we have this option here, Time-based One-time Password; you remember it? The next option we have is OTP via email. We use that for two-factor authentication for local users. Like I said, we already saw the time-based one; the OTP via email we will see in the next video. For now, I keep it disabled. Here we have the account lifetime and the email address. I will configure the email address in the next video, when we enable the one-time password. Here we have the lifetime, which is Never expires. This is the lifetime we need to set if we want the user to be disabled or deleted after the expiry time; you can choose minutes, hours or days. For example, I choose days. And here they give us the option to enable the prune or not. So if you want the account to be deleted automatically when the lifetime expires, like I said, keep it checked; if not, uncheck it. By default, like we said, it's checked, because in the settings we kept it checked. Here you type how many days you want this account to be valid, for example seven days. And here you can put a comment, for example user. That's it.

The next tab we need to see is Groups. From here, we can select the group memberships. For example, here we have Trusted Users and Everyone, which are the default groups that we have in our firewall. For a normal user that we want to use, for example, to access the Internet or to access a network resource in our network, we can keep those groups. If we have other preferences, like if we want this user to authenticate to VPN, we need to select and assign the VPN group to it. And if we want it to be an administrator like we did before, we choose from SonicWall Administrators, Read-Only Administrators or Limited Administrators; Guest Administrators, we have it here too. I will not choose any of them, because we want this to be just a normal user. Those tabs here, we will also see them in the coming videos when we talk about VPN: the VPN Access tab and Bookmarks, I will see them with you in the VPN lecture.

What I will see with you also is the user quota. So we are in User Quota. It can be specified as a session lifetime or a transmit and/or receive traffic limit. So here we can specify how long a session can be and how much bandwidth a user can use in a cycle. Let's see now what the cycle means. If it is Non cyclic, the user is unable to access the Internet upon meeting the quota. For example, if we put here in the session lifetime 10, and here we put, for example, ten megabytes: after the user meets this quota, that is, after he has spent ten minutes in a session and used ten megabytes of received and transmitted data, the user will not be able to access the Internet again, ever. This is what non-cyclic means. Usually people don't use this cycle type here. People normally use one of the cyclic ones. The other cycles that we have are per day, per week or per month. What that means is the user will be unable to access the Internet upon meeting the quota until the next cycle begins. So let's see an example, for example per day. If the user meets this quota, he will not be able to use the Internet for the rest of the day. But when another day comes, he can benefit from this quota again, and so on. So I think that it's clear.

So now, after we finish, we do OK. Perfect, our user is created. And here in the status we can see a warning. This warning tells us that the password is too short and the user needs to change it. If you remember, I told you that the password should be between eight and 63 characters. Because, if we go here to Settings, we keep this option here checked, the password constraints are applied to our local users. So the password that I put here is too short. So when I login with this user, I will be prompted to change my password, or I will not be able to authenticate. So this is it for local users. Please, if you have any other questions, don't hesitate to ask me. And good luck.
21. Two Factor Authentication: After we have created our local user, now we will see how to configure two-factor authentication using email OTP. We talked before about OTP, but I will explain it again. OTP, or one-time password, is a random password or code that we use to authenticate in addition to our username and password. Each OTP is single-use. That means that whenever a user successfully uses a valid OTP, he can't use it again.

Now, let's see how to enable two-factor authentication on our local user. We go to Configure. From here we can see the one-time password method. By default it's disabled. If we pull down the drop-down menu, we can find that we have two methods. We have OTP via email, and this is what we will see now. And we have TOTP. We saw TOTP, or Time-based One-time Password, when we configured two-factor authentication for our administrator. So let's select OTP via email. What it does is send a generated password to the user's email, so we can use it for two-factor authentication. So please, after you choose your method, which is email, don't forget to enter the user's email address. I enter my email address. And that's it; we do OK. Here we have a warning that we need to configure a mail server; otherwise we can't send OTP passwords to the users' emails. So let's press OK here.

Before seeing how to configure the mail server, another thing I want to mention here is that we can enable two-factor authentication also from the group. So if we go here to Local Groups, for example Trusted Users, which is the group that all users belong to by default, we can find here that we can enable the one-time password from here as well. But please, when you enable it from the group directly and not from the user, you need to make sure that your users' email addresses are configured; otherwise, those users can't login. Perfect. I will do Cancel.

Now, to configure the mail server, we need to go to the left side here, under Log and Reporting, Log Settings, then Automation. Scroll down, and from here we can find Mail Server Settings. Here you enter your mail server IP address or name. Here you put the mail address that will send the OTP passwords to the users' emails. For me, I choose Gmail's SMTP, smtp.gmail.com. This is the SMTP mail server of Gmail. Here I put the email from which I want to send my OTP passwords. The next thing we need to do is go here to Advanced. If you are using another SMTP server and you have a custom SMTP port, you can put it here. For the connection security method, for Gmail it's better to use STARTTLS. In username and password, you need to put this email and its password, so I put it again. Perfect. Now we do OK. After you finish, to test the settings, you need to press this button here. Perfect, it tells us that the mail settings are OK. For Gmail users, you may need to login to your Gmail account, and in the security settings you may need to enable less secure app access, so that the SonicWall can authenticate to your email and send OTP passwords to the users' emails. So please don't forget that when you are using Gmail. Perfect. Now we need to press Accept to save the configuration.

Now we need to test. I go back to Users, Local Users and Groups, and go to the local user. I assign my local user to the administrators group and do OK. I give it the permissions of an administrator so I can login to the firewall with this user and test the two-factor authentication via email. So I log out and login with my user. Perfect. It tells us that a temporary password has been sent to your email address; please enter it below. So at this point, we need to go and check our mail for the one-time password. Let's go and check it. Like we see here, I have received my OTP password. I copy it, go back to the firewall, and enter it here. Perfect. Now I do OK and click here to continue. Perfect, I am now in; I successfully logged in using two-factor authentication.

One last thing that I will see with you is the format of the OTP password. Go to Manage, Users, Settings, and the Authentication tab. We need to scroll down. From here, we can find that we have settings for the one-time password. You can see that we can enforce the password complexity, and we can also choose the OTP email format to be plain text or HTML, which is plain text by default. In the password format, we have it as characters. We can also do a mix of characters and numbers, and we have numbers only, like we see here. For the length of the OTP password, the maximum length we have is 14 characters and the minimum is 4. So if we do 14 here, it will be Excellent; like we said, the password strength is excellent. If we do 4, the password strength is Poor. We can't do less than 4, and we can't do more than 14. I will put it as 14. You can also do a mix of characters and numbers. And when you are done, don't forget to press Accept. That's it for today's video. Please. If you have
any other questions, don't hesitate to ask
me and good luck.
22. LDAP Authentication: In this video, we will see how to integrate an LDAP server with our firewall. By integrating an LDAP server into our firewall, we can easily import users from it and use them. That will save us time and effort. So before starting, you should have a working LDAP server. I already installed my LDAP server here. This is my DC: I've installed Windows Server here and set up a domain, which is sonicwall. This is the IP of the server. The server is in the LAN. So make sure, in the lab setup, you create a LAN segment. Let me go to it. This is the LAN segment; it's LAN X0. So I put my server in LAN X0, and my firewall machine is also in LAN X0, so they are connected together. Perfect. After you have the LDAP server, you are good to go.

So let's go back to our firewall. Before starting the configuration, let's see if the firewall can see the LDAP server. So let's go to Investigate, then Tools on the left side, and then System Diagnostics. Here from the Diagnostic Tools we need to choose Ping. I will put the IP of my LDAP server. Perfect. I will leave the interface as Any; you can choose interface X0 if you want, but as long as we have our server on interface X0, which is our LAN, I will keep it as Any and I will press Go. From here we can see that our server is alive. Perfect.

Now let's go to Manage. From here we need to go to System Setup and Users. Here in Settings we need to configure our LDAP server. The first thing we need to do is here in User Authentication Method: we need to tell the firewall to use local users plus our LDAP users to authenticate. If we didn't choose this setting here, our firewall would not use LDAP users to authenticate. So please make sure that you pull down this drop-down menu here and choose LDAP + Local Users. You can, of course, use LDAP only if you want, but I prefer to use LDAP + Local Users. Perfect.

Now we need to go to Configure LDAP. From here we have LDAP Servers. Go to Add and add your server. Here, put the IP of your server. Perfect. Now, this port here is for LDAP over TLS. In this video we will see only standard LDAP, not LDAP over TLS. I will keep that for another video, because it requires additional configuration in the Windows Server. It's also recommended to configure LDAP without TLS first and test it, and after you make sure that it works, then go and use LDAP over TLS. So let me change the port. The default port of standard LDAP without TLS is 389. Let's choose it. Here, disable Use TLS. Perfect.

The next thing to do is to go to Login/Bind, where we need to enter our LDAP server credentials. Check this box here. Here let's type our user, which is Administrator. Here we need to put our domain, which is, as I said, sonicwall. And this is where our username is located. So if we go back to our server, we go to Tools, then Active Directory Users and Computers. Here under Users, we can find our Administrator user. If you have another organizational unit, you will need to choose it here; you need to put the name of your OU. Otherwise, if your user is under the default, which is Users, keep it like that. Perfect. Now let's put our password. Perfect. After that, we need to do Save, wait, and let our firewall connect to the LDAP server to apply this. Then go back again to see. Perfect, it's green, so our firewall should now be connected to our LDAP server.

Now let's go back and edit. From here we need to go to Directory and select Auto-configure. From here, we can see that it brings us our domain, which is sonicwall, and asks us to append to the existing tree, which is mydomain.com/users, or to replace the existing tree. I don't have this tree in my domain, so I will do Replace Existing Tree. Then do Save and go again to see. Perfect. We can see here that our domain is added. Now to test it, we should go here to Test. First, test the connectivity to our LDAP server. So let's do Test. Perfect. It says success, and in the returned information it says successfully bound as sonicwall\administrator. Perfect. Now let's test user authentication. Put the credentials of a user that resides in our LDAP server. I created earlier a user named sonic; I will put his credentials and do Test. Perfect, LDAP authentication succeeded. By that, we know that our integration of the LDAP server is perfect. So the next thing we need to do is OK, and here we need to do Accept. Perfect. Now we know that our LDAP server is correctly integrated with our firewall.

The next thing we need to do is import users from our LDAP server. So let's go and see how to do it. Go back again to Configure LDAP, then Users and Groups. Here we can see a parameter that says Default LDAP User Group. The default group that our firewall uses is Trusted Users. You can use Trusted Users as the default group for LDAP users. When we import users from our LDAP, they will automatically be members of this group here, which is Trusted Users. After that, you can also link them to other groups if you want, in Groups under Local Users and Groups. We will see that. First, let's import our users. This is our server, so we need to do OK. Then Import Users. These are our users here; this is the user sonic that I created earlier. We can either choose one user at a time, or choose them all. I will choose them all and do Save Selected. I will do Apply. Perfect. Now let's go to Local Users and Groups. From here, we can see that our users are successfully imported. If we go to Local Groups and go to Trusted Users, we can find that by default they are members of the group Trusted Users. If we go back here to Local Users, we can see that we can also import them from here. So perfect. Now our LDAP server is successfully integrated with our firewall. In the next video, we will see how to use LDAP over TLS. Please, if you have any other questions, don't hesitate to ask me. And good luck.
23. LDAP TLS: After we successfully bound our LDAP server with our SonicWall firewall, in this video we will see how to do LDAP over TLS to secure the connection between our LDAP server and the SonicWall firewall. To do that, we need to have a valid certificate on our LDAP server. That's why I'm connected to my Windows Server. The first thing we need to do is install the Active Directory Certificate Services. So let me make the window bigger. Perfect. To do that, we need to go to Manage, and from here we need to do Add Roles and Features. Then Next, Next. Here we need to choose Active Directory Certificate Services, then Add Features. Next, Next, Next. Make sure that Certification Authority is selected. Next. Install. Perfect, it's installed. Now we need to configure it. So press Close and go here to the flag. Choose Configure Active Directory Certificate Services. Make sure that your administrator user is selected, then Next. Select Certification Authority. Perfect. Next, Enterprise CA, and do Next; Root CA, Next. Yes, we want to create a new private key, so do Next, and Next. This is the name of our certificate. You can keep it or you can change it if you want. I will keep it like that and I will do Next. Here you can choose how many years you want the certificate to be valid. I will keep it at five years, the default, and I will do Next. Next again, and Configure. Perfect, then Close.

Now, the next thing we need to do is go to Run and open the Certificate Templates console (certtmpl.msc). From here, find Kerberos Authentication. Here it is. Right-click on it and select Duplicate Template. Go to General and give it a name; for example, I will name it sonicwall. Here in the validity period, I will put five years. Please make sure to select Publish certificate in Active Directory. Now go to Request Handling and make sure to select Allow private key to be exported. Then go to Subject Name and make sure that DNS name is selected. Do Apply, and OK. Now let's close that and go here to Tools, then Certification Authority. Go and expand the CA. Go to Certificate Templates, right-click on it and choose New, Certificate Template to Issue. From here, find the certificate template that we just created, named sonicwall. Here it is. OK, perfect. Now we need to go and open the console; open Run and type mmc. Perfect. Here in File, go and choose Add/Remove Snap-in. You'll find Certificates. Do Add, and make sure to use Computer account. Next, and Finish. Then OK, perfect. Now from here, go to Personal, right-click on it, then All Tasks, choose Request New Certificate. Next, Next. Here, choose your template, which is sonicwall, and Enroll. Perfect. Then Finish. Now open Certificates. This is our certificate here. Right-click on it, All Tasks, Export. Next, Next. Make sure to use Base-64 encoded. Then Next, and choose where you want to export it. I want to put it on my desktop, and I will name it sonic LDAPS. Then Save, then Next and Finish. We now have a valid certificate.

To test if your LDAP server works on TLS, you need to open Windows PowerShell and run ldp. Here in Connection, Connect, enter your domain name. So I will put my computer name with its domain. Here, choose the port, which is 636, select SSL, and do OK. Perfect. If you see this, that means that your LDAP server can work over TLS. An important thing here is the version. The version here is 3. So make a note of the version of your LDAP. Now let's close that.

The next thing that we need to do is import this certificate into our firewall. So let's go and log in to our firewall. I already logged in to it through its LAN IP. Perfect. Now let's go to Manage, and under System Setup, Appliance, go to Certificates and make sure to select Imported certificates and requests, then Import. Choose the second option. Choose the file. I stored the certificate on my desktop, so I will go to the desktop. There it is. Then I will do Open, and Import. Perfect. My certificate is now imported.

The next thing we need to do is tell the firewall to use LDAP over TLS. The first thing we need to do and make sure of is to go to Network, DNS. Here under DNS, we need to specify the IPv4 DNS server manually. We need to put the IP of our Active Directory server as the DNS, so we can resolve the name of our domain. That's an important thing: the firewall needs to resolve the domain name of our LDAP server, so we use our DC here instead of the DNS server of Google. Then Accept. Perfect. Now to test that, we need to go to Investigate, then System Diagnostics. Here under Diagnostic Tools, we need to choose Ping. Scroll down here, enter the domain name, and do Go. Perfect, it can resolve the domain name.

Now we need to go to Manage. Under System Setup, we need to go to Users. Here in Settings, we need to go to Configure LDAP. We need to edit our server. Instead of the IP address, we need to put the domain name. We need to choose the LDAP over TLS port, and make sure to check again this box here that says Use TLS. Then I need to make the screen a little bit smaller. Perfect. Now do Save. In General Settings, we need to make sure that the protocol version is 3, as we saw when we tested TLS on the LDAP server; there we saw that our version is 3. So please make sure that you are using 3. Go back here and do Apply, and Accept. Then go back here and let's do a Test, testing connectivity to our server over TLS. Test. Perfect, it says success. That's it. We saw how to use LDAP over TLS. Please, if you have any other questions, don't hesitate to ask me. And good luck.
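The bind test the firewall runs in the two LDAP lectures (first on port 389, then over TLS on port 636 with protocol version 3) can be reproduced from any workstation. The following is an added example, not SonicWall's code: a minimal LDAP v3 simple bind over TLS using only Python's standard library, with the RFC 4511 BER encoding written out so the protocol version the lecture insists on is visible in the bytes. The host name, bind name, password and CA file are assumptions, and the two sample responses are constructed, not captured from a real domain controller.

```python
"""Minimal LDAP v3 simple-bind check over TLS (RFC 4511 BER, standard library only)."""
import socket
import ssl

LDAP_VERSION = 3    # the protocol version the firewall's LDAP settings must use
LDAP_PORT = 389     # plain LDAP
LDAPS_PORT = 636    # LDAP over TLS

# LDAP result codes worth recognising in a bind response
RESULT_SUCCESS = 0
RESULT_PROTOCOL_ERROR = 2        # returned, for example, for an unsupported protocol version
RESULT_INVALID_CREDENTIALS = 49


def ber_len(n):
    """BER length octets: short form below 128, long form (0x80 | count, then count bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(tag, n):
    """Non-negative INTEGER/ENUMERATED; a leading zero byte keeps values >= 0x80 positive."""
    return ber_tlv(tag, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_bind_request(msg_id, bind_name, password):
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { version 3, name, simple [0] password } }."""
    bind_request = (ber_int(0x02, LDAP_VERSION)
                    + ber_tlv(0x04, bind_name.encode("utf-8"))
                    + ber_tlv(0x80, password.encode("utf-8")))   # context tag [0] = simple authentication
    return ber_tlv(0x30, ber_int(0x02, msg_id) + ber_tlv(0x60, bind_request))


def read_tlv(buf, pos=0):
    """Decode one BER element at pos; returns (tag, value bytes, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Return msg_id, result_code, matched_dn and diagnostic from a BindResponse ([APPLICATION 1])."""
    tag, message, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, msg_id, pos = read_tlv(message)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, response, _ = read_tlv(message, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(response)              # ENUMERATED resultCode
    _, matched_dn, pos = read_tlv(response, pos)   # LDAPDN
    _, diagnostic, _ = read_tlv(response, pos)     # diagnosticMessage
    return {"msg_id": int.from_bytes(msg_id, "big"),
            "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched_dn.decode("utf-8", "replace"),
            "diagnostic": diagnostic.decode("utf-8", "replace")}


def ldaps_bind(host, bind_name, password, port=LDAPS_PORT, cafile=None, timeout=5.0):
    """Connect to the DC on 636, verify its certificate against cafile, send one bind, parse the reply."""
    ctx = ssl.create_default_context(cafile=cafile)   # hostname and chain verification stay enabled
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_bind_request(1, bind_name, password))
            data = tls.recv(4096)   # a BindResponse is small and arrives in one TLS record
    return parse_bind_response(data)


# Constructed sample responses (hand-encoded, not captured from a real server)
SAMPLE_BIND_OK = bytes.fromhex("300c02010161070a010004000400")            # resultCode 0
SAMPLE_BIND_BAD_PASSWORD = bytes.fromhex("300f020101610a0a013104000403626164")  # resultCode 49, "bad"

if __name__ == "__main__":
    import sys
    # usage: python ldap_bind_check.py <dc host name> 'sonicwall\administrator' '<password>' [exported-ca.cer]
    host, name, pw = sys.argv[1:4]
    cafile = sys.argv[4] if len(sys.argv) > 4 else None
    result = ldaps_bind(host, name, pw, cafile=cafile)
    print("bound OK" if result["result_code"] == RESULT_SUCCESS else result)
```

Pass the Base-64 certificate exported in this lecture as the CA file so that the check also verifies the domain controller's certificate chain and host name, not only that a TLS handshake completes.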
24. SSO Authentication: Hi. In this video we will see SSO, which stands for single sign-on. SSO is a passive authentication method. By passive, we mean the following: in the classic authentication method, when we integrate LDAP and import users from it, those users will be prompted with a login page and must enter their credentials in order to authenticate. With SSO, the user will be automatically authenticated, as long as the machine the user is logged in from is joined to the domain.

So by now, you should ask yourself how it works. Basically, when a user's traffic passes through the firewall, for example when the user tries to access the Internet, those packets are held while the firewall tries to communicate with the SSO agent running on our LDAP server to find a match for that user. Once the user is identified, if the firewall finds that this user is in a group that has permission for that access, the firewall will let the user's traffic pass; otherwise it will be blocked. This is a picture from SonicWall that explains how it all works. These are the steps. The first step is that the client logs in to the network and, for example here, tries to access the Internet. In the next step, the SonicWall firewall queries the client ID from the SSO agent. The agent can be installed on a workstation that can see all the domain members, or it can be installed directly on our domain controller. After that, the SSO agent requests the ID from the client and tries to match it in our LDAP server. Once the ID is matched, the LDAP server determines the group membership and permissions, from which the firewall can decide to grant access or not. Perfect.

Now let's go back to the firewall. In order to configure SSO, you should make sure that you have LDAP integrated on your SonicWall firewall first. By now, you should know how to do it. You should have LDAP integrated with your firewall successfully, and also using TLS. In Configure LDAP, we already have LDAP configured using the TLS port. Here it is. We have a secure connection to our LDAP server. So please make sure that your LDAP is correctly configured before jumping into the SSO configuration.

The next thing that you need is the SSO agent. We need to download it and install it on our LDAP server. To do that, you need to log in to your account, and from the MySonicWall account you need to go to Download Center. Here, by product line, you need to find Directory Services Connector. Here it says Directory Services Connector. We will of course download the latest version. It needs to be expanded. Download the version that you are using. I have a 64-bit Windows machine, so I will download this version here. You can download it from there. I already have it on my machine. So let's go to the LDAP server and see how to put the file into the VMware machine. You can either go to Settings here, go to Options, then Shared Folders; you need to make a folder and put the file in it, and then start your machine. When you start it, go to Files, and here under This PC you will find the shared folder. Or you can easily log in to your MySonicWall account from your VM and download the file. Let me go to Downloads. I already have it; here it is.

So let's start the installation. Let me make this bigger. Perfect. Now let's do Next, Accept, Next, Next. Here we need to put our domain name. My domain name is sonicwall, so I will put sonicwall. Then the username: I put the domain administrator, which is Administrator. Here's the password. Do Next. It asks us to enter the SonicWall firewall IP address, which is my X0 interface IP address, and the port, which is 2258. So you may need to open this port on your Windows Firewall in order for the agent to talk with our firewall. Please go to your Windows Firewall and open this port. For me, I just disabled the firewall. I don't recommend that, but in your lab you can do it, or you can open this port here. And here I will put the shared key, then Next, Install. I will check the box Launch SonicWall Directory Connector and do Finish. It is now trying to connect to our SonicWall firewall. But it will not be able to connect, because we didn't touch our firewall yet; there is no SSO configuration on our firewall, so that will not work. What we need to do is go to Domain Controllers. Go to Auto Discover; it brings our domain here, which is our domain, and here is the IP of our LDAP server with its status. Let's do Refresh. Here, it's connected, so perfect. That's pretty much all that we need to do on the LDAP server. We now have the SSO agent installed.

So let's go to the SSO configuration in our firewall. On the firewall we need to go to Manage, and under System Setup, Users. Here in Settings, in Single Sign-On Methods, we can find the SSO Agent, and we need to enable it. After you enable it, don't forget to press Accept. Then do Configure SSO. Under SSO Agents, put your LDAP server IP and the shared key. We need to put the same shared key that we entered in the SSO agent. Perfect. Now do Save. After that, we go to General Settings, make sure to enable Agent Authentication, and do Apply. Perfect. Now let's go back again and wait for the SSO agent to connect to our firewall. Perfect, it's up now.

One thing that I want to tell you is: if the SSO agent status is red, that means it's not connected. The reasons for that are either, like I said, that the port we entered, which is this port here, is not allowed in the firewall of your Windows Server, or that the shared key you put in the SSO agent is not the same as the shared key you put here. So please make sure that you have the right shared key, and also that this port here is allowed. And of course the IP of the host needs to be correct, and the host value in the installed agent needs to be correct as well. Perfect. You will need to wait a little bit for it to become green, to give the firewall a chance to exchange the connection information with the agent. Perfect. If we go to the Windows Server, under Appliances, we can find that here in the status it's connected; before, it was trying to connect, and now it shows connected. Perfect.

Now let's go back to the firewall. Here in Test, choose your SSO agent IP address and do Test. Perfect, the test tells us that the agent is ready. Let's try to check a user here. We can choose from Domain Controller or using NetAPI. First let's choose Domain Controller. The Domain Controller method will try to check the ID of the user from the domain controller, which is our Windows Server machine. So let's put the workstation IP address that we want to check. For example, I will check my Windows Server machine to check the user Administrator. Perfect, now do Test. Perfect. It tells us that the user was identified from domain controller logs. Here is the user and here is the domain. Here, if we enable NetAPI, you should have ports 135, 139 and 445 also enabled on the firewall of your machine. You can do that by GPO: you can create a policy and do that from GPO. For me, like I said, I just disabled the firewall. That's not recommended; the recommended way is to create a GPO policy and allow those ports: 135, 139 and 445. Perfect, I will do Test now. Perfect, the user was identified. That means that the SSO agent requested the ID of the user directly from the machine and not from the LDAP server (by LDAP server, I mean the domain controller).

One last thing that I want to see with you in this video is the enforcement. In the enforcement, we have per-zone SSO enforcement. In SSO, like I said in the beginning of the video, it works when a user tries to pass traffic through the firewall. If the user didn't pass traffic through the firewall, SSO will not be triggered, so users that are not trying to pass traffic through the firewall will be considered inactive users. If we enable this parameter here, for example for one of the zones, the users on this zone will be forced to trigger SSO. So let me go back and disable it; I don't want it. Another thing that we have is SSO bypass. For example, we can use it when we have a printer or an IoT device that we don't want SSO to stop. To add a bypass, you need to go and do Add. From here, you can choose from services or addresses. For example, here in addresses, you can put the IP address of your device. You can select it. When you select it, here in the bypass type, choose Bypass SSO; then SSO will not be triggered. And do Add. I will do Cancel, and I will do OK.

That's it for the SSO. In the coming videos, you will see how to use the LDAP users and SSO users to authenticate to the Internet and to authenticate to other resources in our network. We will see that when we talk about policies. I hope this lecture was helpful for you to set up your SSO agent and configure it on the firewall. That's it. If you have any other questions, don't hesitate to ask me, and good luck.
25. Access Rules Overview: Hi. In this video, we will talk about access rules in the SonicWall firewall. First, access rules are a management tool that allows us to define our incoming and outgoing policies together with user authentication. When we saw LDAP integration in the authentication section, I told you that we would see how to use the imported users to authenticate in the access rules section, and we will see it in this section. These policies can be configured to allow or deny access between the firewall zones. In short, access rules allow us to control traffic that passes between our firewall zones based on source, destination, services and more.

To configure an access rule, we need to navigate to Manage; in the left panel under Policies, we need to go to Rules and select Access Rules. Here we can see that we have a bunch of default rules that the firewall creates automatically. So here in Class, we can see that it's a default rule. Here in View, we can select to show either the default rules or the custom rules. For example, if we select Custom, we will see nothing, and that's of course because we didn't create any rule manually yet. So let's go back and select Default or All Types. If we select All Types, that will show us the default rules and the custom rules. Perfect. Here we can filter by IPv4 and IPv6 rules, or select both. If we select IPv4, we will see only IPv4 rules. Let's go back and select them all. From here we can select to show only, for example, rules that go from LAN to WAN; like that we will see only the rules from LAN to WAN. If you want to see all, we can of course select All. We can also do it from here, from the matrix view. Here we have the From, and here we have the To; for example, from our LAN to our WAN. We need to select this button here, then Close. And there it is. I will show All to All again. Here it is. I will do Close. From here, we can refresh if we add another rule. And from here we can display disabled rules or the unused zones.

To disable or enable a rule, we can do it from here, on the right. If we go to the right here, this is the Enable button. Let me hide this. So this is Enable. For example, we can enable this rule or disable it. If it's unchecked, that means that it's disabled; if we check it, that means that it's enabled. From here, we can clear the rule statistics. To check the rule statistics, we need to go to the right and hover over this button here, and those are the rule statistics. This button says Restore Rule Table to Default. So for example, if we create a manual rule and add it to the table of rules, and we want to restore the rules to the default, we can select this option here, and it will automatically delete all the other rules. Here it is: "All rules you have added will be erased." I will do OK. Perfect. To delete a rule, you need to select it and then press the Delete button. You can either delete the marked rules or delete all custom rules. Of course, custom rules are the rules that we create manually, not the default rules. And to add a rule, you need to go to this button here and press Add New Rule. From here we can create our custom rule. I will do Close.

All right. Now I will give you a couple of best practices for access rules. Number one is that access rules should always be granular. In other words, don't create a rule from LAN to WAN and leave the network and services as Any; you need to be as specific as possible. For example, if we go here, we see the rules from LAN to WAN. We can find that the default rule from LAN to WAN is Any, Any, Any in source, destination and services. It allows the traffic to pass from the LAN to the WAN. If we do Configure, we can see that the rule allows all the traffic: source is Any, destination is Any, services is Any. We don't want to do that. We need to be more specific. The second best practice is to get rid of the rules you aren't using. To find unused rules, we need to hover over the traffic statistics, and from there you can find out if the rule is used or not. For example, our LAN to WAN rule is not used yet, so we can see all the values are 0. What you can do to be sure is to go here to this Clear button and clear all the rule statistics, use the firewall for a significant period of time, then go back and check the statistics. If you find that there are still some rules that are not used, you can check those rules and find out if they are still needed or not. Generally, if a rule is not used, it's likely not required and you don't need it. So perfect. That's it for this video. In the coming videos we will see how to create rules and enable access, authentication and more. Please, if you have any questions, don't hesitate to ask me and good luck.
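To make the two best practices above (granular rules, removal of unused rules) and the first-match order of the rule table concrete, here is an added example that is not part of the course or of SonicOS: a small Python model of a LAN-to-WAN rule table with first-match evaluation, per-rule hit counters like the rule statistics, and an audit that flags any/any/any allow rules, rules with zero hits since the statistics were cleared, and rules shadowed by a higher-priority rule. The rule, zone and address-object names are constructed lab values.

```python
"""Model of access-rule evaluation plus the best-practice checks from the lecture."""
from dataclasses import dataclass

ANY = "any"


@dataclass
class AccessRule:
    name: str
    src_zone: str
    dst_zone: str
    source: str            # address object name, e.g. "X0 Subnet", or ANY
    destination: str       # address object name or ANY
    services: frozenset    # service group members, or frozenset({ANY})
    action: str = "allow"  # "allow" or "deny"
    enabled: bool = True
    hits: int = 0          # rule statistics counter, as shown by the statistics button


@dataclass
class Flow:
    """A connection to check; src/dst name the address objects the endpoints belong to."""
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    service: str


def matches(rule, flow):
    return (rule.enabled
            and rule.src_zone == flow.src_zone
            and rule.dst_zone == flow.dst_zone
            and rule.source in (ANY, flow.src)
            and rule.destination in (ANY, flow.dst)
            and (ANY in rule.services or flow.service in rule.services))


def evaluate(rules, flow):
    """First-match lookup in priority order (index 0 = priority 1). Returns (action, rule name)."""
    for rule in rules:
        if matches(rule, flow):
            rule.hits += 1
            return rule.action, rule.name
    return "deny", None   # no rule matched: implicit deny


def covers(higher, lower):
    """True when every flow matching `lower` is already matched by `higher`, so `lower` never fires."""
    return (higher.enabled
            and higher.src_zone == lower.src_zone
            and higher.dst_zone == lower.dst_zone
            and higher.source in (ANY, lower.source)
            and higher.destination in (ANY, lower.destination)
            and (ANY in higher.services or lower.services <= higher.services))


def audit(rules):
    """Best-practice findings: non-granular allow rules, unused rules, shadowed rules."""
    findings = []
    for index, rule in enumerate(rules):
        if (rule.action == "allow" and rule.source == ANY
                and rule.destination == ANY and ANY in rule.services):
            findings.append(f"{rule.name}: allow any/any/any {rule.src_zone}->{rule.dst_zone}, not granular")
        if rule.enabled and rule.hits == 0:
            findings.append(f"{rule.name}: 0 hits since statistics were cleared, probably unused")
        for higher in rules[:index]:
            if covers(higher, rule):
                findings.append(f"{rule.name}: shadowed by higher-priority rule {higher.name}")
                break
    return findings


# Constructed lab table: a granular Internet rule for the LAN (X0) subnet, as built in the next lecture.
INTERNET_SERVICES = frozenset({"DNS", "HTTP", "HTTPS", "Ping"})


def lab_rules(custom_first=False):
    internet = AccessRule("Internet", "LAN", "WAN", "X0 Subnet", ANY, INTERNET_SERVICES)
    if not custom_first:
        return [internet]
    # an any/any/any rule moved to priority 1 takes every LAN->WAN flow before "Internet" is consulted
    custom = AccessRule("custom", "LAN", "WAN", ANY, ANY, frozenset({ANY}))
    return [custom, internet]


if __name__ == "__main__":
    rules = lab_rules(custom_first=True)
    print(evaluate(rules, Flow("LAN", "WAN", "X0 Subnet", "Internet", "FTP")))  # ('allow', 'custom')
    for line in audit(rules):
        print(line)
```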
26. Internet Access Rule: Hi. In this video we will see how to create an access rule to have Internet access. Our end users that are connected to our firewall need to have access and navigate to Internet websites. To do so, we need to create an access rule in our firewall to allow traffic from our LAN zone to our WAN zone. To do that, we need to go to Manage. Of course, under Policies, in Rules, we need to go to Access Rules. Like we saw in the previous video, we know that our firewall creates some default rules. So for example, if we go here and select our LAN zone, and in the destination we select our WAN zone, we can see that by default we have two rules, one for IPv6 and one for IPv4. Those rules allow all traffic from the LAN zone to the WAN zone. As I told you in the previous video, the best practice is to be granular in the access rule.

First, let's prepare our end user, and then we will go back to the access rules. If we go to the VMware machine, here I already have my Windows machine. What we need to do is, here in the firewall, if we go and select Settings, the adapter, this is our X0 interface; we can see that in the LAN segment we put it in the LAN X0 segment. We need to have the same in our Windows machine: in the network adapter, I put the interface in the LAN X0 segment. Perfect. Now if I open CMD and check my IP, I have a 192.168 address. If I go back to my firewall and go to Network, as we saw in the DHCP Server lecture, and go to DHCP Server, we can see here in the leases: this is our Windows machine's IP address. So perfect. Now we know that our client is connected to the LAN zone of our firewall. Now let's test the Internet: ping, for example, 8.8.8.8. Perfect, we can ping it. And let's ping a domain name, for example Google's domain name. Perfect, I can ping it also. Now what I will do is go back to my firewall and delete the default rule. This is the default; I will select it, go here to Delete, and delete the marked rules. Now I will go back to my client. Let's try to ping the Internet again. As we see, we cannot ping it. Right now, we don't have any access to the Internet.

Let's go back to our firewall and create a rule. Here, I need to go and press the Add New button. Here in the policy name, I will name it, for example, Internet. It will be specific and allow only the Internet for the LAN zone. Here in the action, I will select Allow. It's from LAN to WAN. Here in the source port, I will keep it Any. And here in services, I will create a new group. Like I told you, we need to be more granular. So what I will choose is: I will select DNS, I will select HTTP and HTTPS, and I will allow Ping, just to ping the Internet. That's pretty much all that we need to have access to the Internet at first. When you create the policy, choose only those services. With time, you will know what services your clients need to access on the Internet, and you can add them here. But the important thing is not to allow everything. For example, if your clients want to access an FTP server on the Internet, you can also allow FTP like that. Like I told you, over time you will find out what your clients need. For example, one day one of the clients comes to you and tells you that he needs access to, say, a TFTP server on the Internet. What you will do is go back to the services group and allow TFTP as well, like that. The bottom line is not to allow all. I will give the group a name, for example Internet. I will do OK. Go back to the access rule. In services, it's Internet. Here in the network, I will choose the X0 subnet. Here it says Any, or All; I will not allow Any. I want to allow only my X0 subnet. Here in destination, of course, we are going to the Internet, so I will allow Any. Schedule: you need to make sure that it's Always On, or you can create your own schedule to allow, for example, this policy only in work hours, or any schedule you choose. Perfect. Enable logging for the policy: make sure to check this option; by default it's checked. What I will do is Add and Close. Perfect, this is my policy. Now let's go and test. We'll go back here. Ping 8.8.8.8 again. We can ping it successfully. Let's test HTTP and HTTPS access. I will open Firefox and go, for example, to Facebook. It can perfectly access Facebook. Now let's go back to our firewall. Hover over the statistics button. As we see, we are using our rule.

One last thing that I want to check with you here is the priority button. For example, let's create another rule from the LAN zone and name it, for example, custom, and I will allow any to any. This is just an example to show you the priority. I will do Add and Close. This is our custom rule. If we want it to take priority over the Internet rule, we need to go ahead and choose this. Here in the priority, I will put 1 and do OK. As we see, our new rule named custom is the first rule. As we know, when the firewall tries to inspect traffic, it will go to the first rule and try to find a match for that traffic, and from there, for a specific traffic, it can decide either to allow or deny that traffic and which services and ports to allow or deny. So by that, our firewall will use this custom rule here and will allow any to any. And we don't want to do that. So what I will do is go back, edit, select this priority button here, and put the value 1. Value 1 means the highest, which will make it the first rule. And I will do OK. Perfect. Now we
see our role is. Now in the top. We'll delete this role
because they don't want to allow any to any religious. That's it. Please. If you have
any other questions, don't hesitate to
ask me. Good luck.
27. Access Rule | LDAP Authentication: After we have seen how to create an access rule to give Internet access to our end users, in this video we will see how to authenticate users so they can have Internet access. So before I start creating the policy, you need to check the authentication section. By now you need to have an LDAP server integrated with your firewall. So if I go to Manage, then Users, here I'm choosing in the user authentication method "LDAP + Local Users", and there I configured LDAP. In settings, I already have my LDAP server bound to my firewall. So please, before watching this video, you need to watch and practice the authentication section of this course. Perfect. For me, I have LDAP integrated. And if I go to Local Users and Groups, then to Local Groups, I have already imported my groups. So those are my groups. And if I go to the VMware machine and to my Windows Server, here I have created a group that I named Internet, and I assigned two users to it. If I go to the properties of this group and to Members, you can find that my User One and User Two are members of this group. Perfect. Now I will click Cancel and go to my firewall.

Now, let's go and create the policy. We are in Policies, then Rules, as we see here. This is the policy that we created in our previous video. We can see that we are choosing from LAN to WAN. Make sure to choose from LAN to WAN, then go and configure the policy that we created before. So this is our custom policy. You can also find it by going to View and choosing Custom. Here it is; we can see only the IPv4 policy because this is what you will create. Now what I will do is go to the right side and configure the policy. From here, we need to go and find Users Included. Let's pull down the drop-down menu. We need to go to user groups, and from here find my group, Internet; here it is. I will select it and click OK. It shows us a warning that says that this rule will require users to log in from the LAN zone, but user login is not currently enabled on any interface in that zone. I will show you how to enable it. What I will do now is click OK. Perfect, now we can see that our group is in our Users Included. So perfect. The next step we need to do is go to Network, then Interfaces. In the LAN zone, on our X0 interface, we need to configure it and check the user login. I already did it: I checked HTTPS, and I checked the other option to enable the redirect from HTTP to HTTPS. If it's not checked for you, please make sure that you check it, and click OK.

Perfect. Now let's go and test our configuration. I will go back to my Windows machine. This is the machine where we tested our Internet policy in the previous video. I will open the browser and try, for example, to go to google.com. You can see an error message that says "Hmm, we're having trouble finding that site"; that means that we don't have Internet access on this machine. But we need to know why. Let's open the command prompt and run ipconfig. You can see that I have the same IP address that we saw in the previous video. I am connected to the firewall. So I will try to ping the firewall's LAN IP. I can successfully ping it. But if I try to ping 8.8.8.8, I can't ping it. One of the mistakes that users make when they configure authentication in the access rule that gives access to the Internet is forgetting what we need to do in addition to selecting the user group in the access rule. Let me go back to our access rules. Perfect. In addition to this, we need to create another rule and name it DNS Only. In this rule we need to allow only DNS, so our users can trigger the authentication page and enter their credentials to have access to the Internet. So please don't forget this important step when you want to authenticate your users to give them access to the Internet. In the action I will keep Allow, and from zone LAN to zone WAN. Here in services we will choose only DNS. DNS: this is the only service that I will choose. Here in source, I will of course be granular and choose only my X0 Subnet. Here in destination I will choose Any. I will not choose my group in Users Included; we'll keep it All. I will click Add. The next thing I need to make sure of is that my DNS Only rule is on top of my Internet rule. So make sure that the DNS Only rule is the highest rule.

Now let's go back to our Windows machine again. You can see that our browser tells us that you must log in to this network before you can access the Internet. So this is a good sign. It tells us that we can reach the authentication page. I will select it. Let me make it bigger. And then I will click here to log in. Go to Advanced, accept the risk and continue. Here I will put User One, this is the LDAP user, and I will enter his password. I will do it again. Perfect. We can see that we are logged in to the Internet now. Perfect. Now if we try to go to Google, we can perfectly access it. If we go to Facebook, for example, we can also access it. Only authenticated users can have access to the Internet. Any unauthenticated machine will not have access to the Internet. So perfect. Let me go back with you to the firewall. Perfect. Now, to check the authenticated users, we need to go to Monitor, and there under User Sessions we need to go to Active Users. From here we can find that our User One is connected from this IP address here, and the session time is three minutes. Perfect. That's it for this video. Please, if you have any other questions, don't hesitate to ask me. And good luck.
28. Access Rule | LAN To DMZ: In this video, we will see how to create an access rule to allow traffic to pass between our firewall zones. The example that we will see today is allowing traffic to pass from our LAN zone to our DMZ zone. As we know, the DMZ zone is the zone where we normally put services that we want to expose publicly. Before touching the firewall, I will go with you to my VMware. Here we'll go to the firewall. Let's see how to configure the virtual machines' adapters first, then we will see the firewall. In my firewall virtual machine I will go to Settings. I want to choose my X0 interface and the DMZ interface. So this is my X0 interface, this is my X1 interface, and this is my X2 interface. So I will select X2 and check LAN Segment. I will create a new LAN segment and name it DMZ. Perfect. I will select it and click OK. I have a Windows machine; this Windows machine I want to be connected to my LAN interface. We are in Settings: the network adapter is connected to the LAN X0 segment, which is my LAN interface. Perfect. OK, close this. Now I will go to my other machine. This Ubuntu machine I want to be connected to my DMZ interface. I will go to Settings, and here in the network adapter I will select DMZ and click OK. Perfect.

Now let's go back to our firewall. Let's go to Manage, then under System Setup go to Network, Interfaces. I will go and configure my X2 interface. In the zone I will put it in the DMZ zone. I will give it an IP address, and enable only ping on this interface, then click OK. Perfect. Now let's go to the DHCP server. I will create a dynamic scope for this interface. Perfect. Now I will click OK. Now I will go back to my VMware machine and run dhclient on the Ubuntu VM to get a new IP. Perfect, ifconfig: you can see that I have a new IP address. On this Ubuntu machine I already installed Apache, so I can just connect from my LAN zone to the DMZ zone through the X2 interface. As you can see, my server listens on port 80, which is the Apache port.

Now let's go back to the firewall. Let's go to the rules here in Access Rules. Here, for From, I will keep it LAN, and for To I will choose DMZ. So we choose DMZ. Then I will click Add, and in the policy name I will name it Web Server. Perfect. The action I will keep at Allow. In source port I will keep it as it is. Here in services, I want to allow access to our web server, so we need only to allow HTTP and HTTPS. I will select Services and create a new group, and I will name it Web Server: HTTP and HTTPS. I will add only ping for testing, and click OK. Go back. Perfect, our services group is selected. Now in source I will choose my X0 Subnet. I can be more specific and choose only the IPs of the machines in my LAN interface that may access the DMZ zone. Here in destination I choose the X2 Subnet. I can also be more specific and choose only the IP address of my web server. This is the X2 subnet. Now what I will do is click Add and close. I will go to my Windows machine and open a command prompt. I will try to ping the DMZ server from this machine first. ipconfig: this is my IP; it's in the range of my LAN subnet. Let me ping the DMZ server. I can ping it. Now if I open a browser and navigate to the server's IP address, I can perfectly access it. So, perfect. Let's go back to our firewall and check our policy again. Like I told you, if we want to be more specific, here in source we can choose only the IPs of the machines in our LAN zone that we want to access our web server, and in the destination you can also choose only the IP of the web server. For example, here I will create a new network object and name it Web Server. In the type I will choose Host. Here I will put the IP address of my web server, and click OK.

We can also authenticate users before they can have access to our web server. In Users we can go and choose user groups. For example, I will choose my Internet group, the one we created for the Internet access rule. Let me find it; here it is. Click OK. Perfect. Now if we go back, let me make it bigger again. If we ping again, we see we cannot ping the server anymore. What we need to do is authenticate first, then we can have access to our DMZ. So I will try to access the web server again. Perfect. Now it asks me to authenticate, telling me that the policy set up by your network administrator requires that you authenticate yourself with this firewall before you can access. One thing that I forgot to show you is that when we want to authenticate users, we need to go to the zone and check the user login on HTTP and HTTPS. So let me go back to the firewall. Here, if we go to Network, Zones: the DMZ zone, I mean the interfaces, the X2 interface. Here in user login we need to check HTTPS, and check the box to also enable the redirect from HTTP to HTTPS, then click OK. Then let's go back to our client. Let's click here to log in. Now I will log in with my user, User One. Perfect. Now I can access the web server again, and I can also ping it. See, perfect. To see the user activity, we need to go back to the firewall, go to Monitor, and under User Sessions go to Active Users. From here we can see our User One and the IP address from where he is authenticated. Perfect. This is it for this video. Please, if you have any question, don't hesitate to ask me, and good luck.
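The three access-rule lectures above (Internet rule and priority, DNS Only rule with LDAP users, LAN to DMZ) all rest on one mechanism: rules are tried in priority order and the first match decides. The following is an added example written for this page, not code from the course or from SonicWall, that models that first-match evaluation in Python so you can see why an any/any rule at priority 1 shadows the granular rule, why the DNS Only rule must sit above the user-restricted Internet rule, and what the LAN to DMZ rule allows. The rule names mirror the lectures; the subnets (192.168.168.0/24 for the LAN, 172.16.0.0/24 for the DMZ), the host addresses and the "auth-required" verdict for unauthenticated hits on a rule with Users Included are constructed for the example and are not values from the course.

```python
"""Constructed model of first-match access-rule evaluation (added example,
not SonicWall or course code). Priority 1 is the highest, as in the course."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Set, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    services: Set[str]           # e.g. {"DNS", "HTTP"} or {ANY}
    src_net: str = ANY           # CIDR string or ANY
    dst_net: str = ANY
    action: str = "allow"
    users: str = "all"           # "all" or the group chosen under Users Included
    priority: int = 100


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    service: str
    src_ip: str
    dst_ip: str
    user_group: Optional[str] = None   # group of the logged-in user, None if not logged in


def _net_match(net: str, ip: str) -> bool:
    return net == ANY or ip_address(ip) in ip_network(net)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src_zone == pkt.src_zone and rule.dst_zone == pkt.dst_zone
            and (ANY in rule.services or pkt.service in rule.services)
            and _net_match(rule.src_net, pkt.src_ip)
            and _net_match(rule.dst_net, pkt.dst_ip))


def evaluate(rules, pkt: Packet) -> Tuple[str, str]:
    """Walk the rules in priority order; return (verdict, deciding rule name).
    Verdict is 'allow', 'deny' or 'auth-required' (the firewall would redirect
    the user to its login page instead of forwarding the traffic)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if not matches(rule, pkt):
            continue
        if rule.users != "all" and pkt.user_group != rule.users:
            return "auth-required", rule.name
        return rule.action, rule.name
    return "deny", "implicit"      # nothing matched: dropped between zones


# Constructed lab rule set mirroring lectures 26-28 (subnets are assumptions).
LAN = "192.168.168.0/24"
DNS_ONLY = Rule("DNS Only", "LAN", "WAN", {"DNS"}, src_net=LAN, priority=1)
INTERNET = Rule("Internet", "LAN", "WAN", {"DNS", "HTTP", "HTTPS", "Ping"},
                src_net=LAN, users="Internet", priority=2)
WEB_SERVER = Rule("Web Server", "LAN", "DMZ", {"HTTP", "HTTPS", "Ping"},
                  src_net=LAN, dst_net="172.16.0.0/24", priority=3)
ANY_ANY = Rule("Internet Custom", "LAN", "WAN", {ANY}, priority=1)
LAB_RULES = [DNS_ONLY, INTERNET, WEB_SERVER]

HTTP_OUT = Packet("LAN", "WAN", "HTTP", "192.168.168.10", "93.184.216.34")


def demo_shadowing():
    """Lecture 26: with the any/any rule at priority 1 it decides every flow,
    even bypassing the user restriction; after deleting it the granular rule decides."""
    return evaluate([ANY_ANY] + LAB_RULES, HTTP_OUT), evaluate(LAB_RULES, HTTP_OUT)


def demo_unauthenticated_dns():
    """Lecture 27: DNS from a not-yet-logged-in host passes (so name resolution
    and the login redirect can happen), while HTTP waits for authentication."""
    dns = Packet("LAN", "WAN", "DNS", "192.168.168.10", "8.8.8.8")
    return evaluate(LAB_RULES, dns), evaluate(LAB_RULES, HTTP_OUT)


def demo_authenticated():
    """Same HTTP flow once the user has logged in as a member of 'Internet'."""
    return evaluate(LAB_RULES, replace(HTTP_OUT, user_group="Internet"))


def demo_dmz():
    """Lecture 28: only the listed services reach the DMZ web server; once the
    Internet group is set under Users Included, even ping needs a login first."""
    http = Packet("LAN", "DMZ", "HTTP", "192.168.168.10", "172.16.0.52")
    ssh = Packet("LAN", "DMZ", "SSH", "192.168.168.10", "172.16.0.52")
    auth_rules = [DNS_ONLY, INTERNET, replace(WEB_SERVER, users="Internet")]
    return (evaluate(LAB_RULES, http), evaluate(LAB_RULES, ssh),
            evaluate(auth_rules, http),
            evaluate(auth_rules, replace(http, user_group="Internet")))


if __name__ == "__main__":
    for fn in (demo_shadowing, demo_unauthenticated_dns, demo_authenticated, demo_dmz):
        print(fn.__name__, fn())
```

The model deliberately ends with an implicit deny: a flow that no rule matches is dropped, which is why the FTP or SSH request "just fails" until you add a service to the group, and why the course keeps saying not to allow all.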
29. VPN Overview: Hi, and welcome to the VPN section. In this section we will see the different types of VPN. Mainly there are two popular types, which are IPsec and SSL VPN. We will try to go deep into them and see the different configuration options that we have. But first, let's see what a VPN is. VPN stands for Virtual Private Network. It allows us to extend our private network across a public network and enables users in different locations to talk to each other as if they were connected directly to the private network. The benefit of a VPN is security; that's done by creating an encrypted channel to secure our data. I have here a picture that demonstrates the VPN that we have in SonicWall. So here we have SonicWall A and SonicWall B. Those SonicWalls are in different locations and they are connected through the Internet using VPN. We can allow these clients that sit behind this firewall here, with one LAN IP range, to talk to this machine here that is sitting behind this firewall here, with a different client IP range. This type of VPN is called site-to-site IPsec VPN. IPsec is a set of protocols for security at the packet processing layer of network communication, which provides security services for IP network traffic such as encrypting sensitive data, with authentication, protection against replay, and data confidentiality. The other type of VPN that we have is SSL VPN. This is a protocol for managing the security of message transmission on the Internet, usually by HTTPS. So here we have our remote user, and as we see, he is not behind any firewall. The remote user can be in his home or anywhere in the world; all he needs is an Internet connection. And there are two ways to connect to our internal network. The first way is using the NetExtender program, or the Virtual Office portal. The Virtual Office portal is a web portal where we can log in and access our internal network resources. All we need to connect to the Virtual Office is a web browser, and that's it. NetExtender is a program that can be installed either on Linux or on a Windows machine. So this is it. This video was only a quick introduction to the VPN. In the next lecture we will see how to configure and create a site-to-site IPsec VPN between two SonicWall firewalls.
30. Site-To-Site IPSEC VPN: Hi. In this video, we will see how to create a site-to-site IPsec VPN. And this is our topology. First, we need to have two firewalls, and we need to have different subnets on the LAN side. We should not have the same subnet behind SonicWall A and behind SonicWall B; otherwise there will be a conflict, our connectivity will not work, and we will not be able to connect to the VPN. So, perfect. For me, to save time, I already added the firewall; this is my second firewall, which I already added. If you want to know how to add a SonicWall firewall, please check my lab setup section to see how to add a SonicWall firewall and license it. Perfect. The second thing that I need to do is configure it. So let me go to it. Here is my firewall. I will go to Manage and I need to configure the interfaces. So I will go to Network, then Interfaces, and configure the LAN interface. Here I will change the IP, and click OK. Perfect. Now I will go and change the WAN IP, and I will move it from DHCP to static. My IP, my default gateway, and for the DNS I will give it the Google DNS. Click OK. I will try to log into it through the new IP address. Perfect. I need to allow the pop-up. Done. Then I will refresh. I will need to enter my password again. Perfect, and I'm in. So let's go back to Manage, Network, and check the interfaces. Perfect, this is my LAN IP, and this is my WAN IP, and the same thing in my other firewall. So we are in Network: this is my LAN IP. If you haven't configured it yet, please do it. And this is my WAN IP. So perfect. The second thing I need to do is go to VMware. In my second firewall I will go to Settings, in the network adapter. For the first one, which is our X0 interface, I will choose LAN Segment. Here in LAN Segments I will create another LAN segment for our second firewall, and I will name it LAN2_X0. I will click OK, choose it, then click OK. OK, perfect.

Now let's go back to our firewall. Let's go to the first firewall, and let's start our configuration. To configure the site-to-site IPsec VPN, we need to go to Manage, then in the left side under Connectivity we need to go to VPN, then Base Settings. We need to make sure that Enable VPN is checked. If not, we need to check it to enable VPN. The second thing we need to do is go to VPN Policies, and from here we can add our VPN; let's click Add. Perfect. Here in the policy type, we want to create a site-to-site IPsec VPN, so we will leave it like it says. And here in the authentication method, I want to use IKE, and I want to use a pre-shared secret. So I will leave it like that. Here in the name we can give a friendly name to the tunnel. For example, I will type here SonicWall 2. You can put any name you want. Here in the IPsec primary gateway name or address, we need to put the public IP address of the second firewall, which is this IP here. I will enter it here. Perfect. Here in the IKE authentication, I need to put a shared secret. Perfect. Then I need to go to Network. Here in the network, we need to put our local network. So our local network is the network that we want our users to access. So let's go back to the topology. I'm in this firewall here, and I'm trying to configure the VPN, and my internal network is this network here; I need to put this network here. Let's go back. Here in the local network I will choose the LAN interface. Let me find it, where it says X0 Subnet. This is our network, and it lets us choose our remote network. The destination network is this network, the network behind the other firewall. So let's go back there. In the remote network, we need to create a new address object. From here, I will name it Remote LAN. In the zone assignment I will assign it to VPN. There I will choose Network, and I will type in the network and the mask. Click OK. The mask should be like that.

And now I will go to Proposals. In the proposals we have two phases. We have phase one and phase two. Phase one is responsible for authentication and phase two is responsible for encryption. In phase one we have the exchange, and in the exchange we have two IKE versions: we have IKEv1 and IKEv2. In IKEv1 we have two modes: we have main mode and aggressive mode. We use aggressive mode when one of the firewalls that we are trying to set up the site-to-site IPsec between doesn't have a static IP. So if one of the firewalls has a dynamic IP, we should choose aggressive mode if you want to use IKEv1. In this video, we will use IKEv2. IKEv2 is an enhancement of IKEv1; it's a more advanced and secure protocol. It supports the latest IPsec encryption algorithms alongside multiple other encryption ciphers. Another interesting feature that IKEv2 offers is MOBIKE, which stands for Mobility and Multihoming protocol. So MOBIKE provides the ability to maintain a VPN session when a user moves from one IP address to another without the need to renegotiate the tunnel. The IKE security association and the IPsec security association: an SA is an agreement between the two IPsec peers, in our case our SonicWall firewalls, and contains the information required for both peers to exchange data securely. So let's choose IKEv2, which is the enhanced protocol version of IKEv1. And the second parameter we have is the DH group. So the DH group, or Diffie-Hellman group, determines the strength of the key in the key exchange process; the higher the DH group number, the more secure. For me I will keep it default. You can choose from the groups that we have here, from one to 14, or you can choose the Suite B groups that we have here. For me again I will keep it as it is. Encryption: I will keep it at the default. You can choose other encryption if you want. For the authentication I will keep it SHA1. Maybe your organization has a policy that will tell you what DH group to choose and what encryption and authentication to use in both phase one and phase two. If not, and you don't have one, you can choose the parameters that suit you and enable them. Now let's go to phase two. I will keep the protocol as it is, and the encryption and authentication. Here we can enable Perfect Forward Secrecy. If we enable it, we will be able to configure the DH group in phase two also; here it is. I will keep it disabled. And please make sure that this proposal here is the same as at the other end. So in our second firewall, we need to put the same exchange mode, the same DH group, and the same encryption and authentication for both phase one and phase two.

So let's go to Advanced. Here in the advanced settings you can find Enable Keep Alive. So keep alive is used here to send heartbeat messages between the peers. If one end of the tunnel fails, keep alive will automatically renegotiate the tunnel once both sides become available again. So let's enable it. That way we make sure that if, for example, the other firewall shuts down, or the WAN interface of the other firewall is disabled and our tunnel is down, once the other firewall becomes reachable again for our firewall, keep alive will automatically bring the tunnel up again. Perfect. And here we can find a parameter, "Suppress automatic Access Rules creation for VPN Policy". So by default the firewall will create the access rules for the VPN automatically. If you want to create them manually, you can enable this parameter here. And here we find "Disable IPsec Anti-Replay"; anti-replay detects the arrival of duplicate IP datagrams. And "Enable Windows Networking (NetBIOS) Broadcast": by enabling it, we will allow access to remote network resources, for example some printers shared by their NetBIOS name. So if we want to browse the remote network, we will need to enable this parameter here. And of course, "Enable Multicast" will allow multicast traffic, such as streaming audio and video, to pass through our VPN tunnel. And for Management via this SA: if we enable HTTP and HTTPS, we can log in to our firewall from the other side. And we can also enable the user login through our VPN tunnel. So, perfect. We can now click OK to save our configuration, then Accept. Perfect.

Now let's go to the second firewall. Let's go to VPN to configure it. Again we need to go to Manage, then under Connectivity we need to go to VPN. We need to make sure that Enable VPN is checked. Then in VPN Policies we will add a site-to-site VPN and in the name I will give it a friendly name. I will put the IP address of my first SonicWall firewall. Here I need to put the same shared key that I put in the first firewall. Make sure to put the same shared key. Perfect. Now let's go to Network. The local network is the X0 Subnet; here it is. For the remote network, we need to create it. So here I create it and name it also Remote LAN. I will assign it to the VPN zone, and I will choose here in the type Network, and I will put my remote LAN network, and there I will put the mask. Click OK. Now let's go to the proposals. Again here, we need to make sure that the same settings we put here are the same on the other side. So if you make any changes here, you need to make the same changes on the other peer. I didn't touch the settings; I keep them default, so I don't need to change anything. We'll go to Advanced and I will enable keep alive, and click OK. Perfect. We can see here a green indicator that tells us that the tunnel is up. And if we scroll down, we can find here in the Currently Active VPN Tunnels that our tunnel is up. And we can see that our local IP is this, this is our remote subnet, and this is our gateway. The gateway is the public IP of the other firewall. And from here we can enable or disable the tunnel if we want.

All that we still need to do now is to test the VPN. So to do that, let's go back to the VMware machine. Here we can see that I have two Tiny Core machines. It's a small Linux distribution; you can download it and install it, or you can use a Windows machine if you want and if you have enough resources in your machine. I use Tiny Core because it's small and doesn't use a lot of RAM and disk space. So, perfect. I will go to the first machine, and there in the settings I will go to the network adapter. We will choose LAN Segment. I will choose the first LAN segment, which is LAN 0, and click OK. This machine here will be connected to our first firewall. So I will power it on. I will go to the second machine. In Settings we will go to the network adapter and enable LAN Segment, and I will choose my LAN2_X0 and click OK. That way my second machine will be connected to my second firewall. Perfect. I will power it on. Let's go and check our first machine. Here it is; I will open the terminal. Let's check my IP. I get my IP from firewall one. Now let's go and check the second machine, open a terminal here also. Let's check our IP. Now let's try to ping this IP from the other machine. Perfect. We can see that we can ping it. Now, let's try to ping this machine from the other machine. Perfect. Ping worked from both sides.
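The lecture above repeats several conditions in prose that are easy to get wrong on two separate firewall GUIs: the phase one and phase two proposals must be identical on both peers, each side's local network must be the other side's remote network, the two LAN subnets must not overlap, and IKEv1 needs aggressive mode when a peer has no static WAN IP. The following is an added example written for this page, not code from the course or from SonicWall, that puts those checks in one Python function and runs it over constructed peer definitions. The proposal values (IKEv2, DH group 2, AES-128, SHA1, ESP) and the addresses are assumptions made for the example, not values taken from the course.

```python
"""Added example (not SonicWall or course code): pre-flight consistency check
for a pair of site-to-site IPsec policies, based on the lecture's own rules."""
from dataclasses import dataclass, replace
from ipaddress import ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    ike_version: str            # "IKEv1" or "IKEv2"
    ike_mode: str               # "main" or "aggressive" for IKEv1; "" for IKEv2
    dh_group: int
    p1_encryption: str
    p1_authentication: str
    p2_protocol: str
    p2_encryption: str
    p2_authentication: str
    pfs_group: Optional[int]    # None when Perfect Forward Secrecy is disabled


@dataclass(frozen=True)
class Peer:
    name: str
    wan_ip_static: bool         # False when the WAN address is dynamic (DHCP/PPPoE)
    local_net: str              # CIDR of the LAN behind this firewall
    remote_net: str             # CIDR this firewall expects behind the other one
    proposal: Proposal
    shared_secret: str


def check_pair(a: Peer, b: Peer) -> List[str]:
    """Return the list of problems found; an empty list means the pair is consistent."""
    problems = []
    if a.proposal != b.proposal:
        problems.append("proposals differ: phase 1/phase 2 settings must match on both peers")
    if a.shared_secret != b.shared_secret:
        problems.append("pre-shared secrets differ")
    if a.local_net != b.remote_net or b.local_net != a.remote_net:
        problems.append("local/remote networks are not mirrored between the peers")
    if ip_network(a.local_net).overlaps(ip_network(b.local_net)):
        problems.append("LAN subnets overlap: the same subnet must not exist behind both firewalls")
    if (a.proposal.ike_version == "IKEv1"
            and not (a.wan_ip_static and b.wan_ip_static)
            and a.proposal.ike_mode != "aggressive"):
        problems.append("a peer has a dynamic WAN IP: IKEv1 requires aggressive mode")
    return problems


# Constructed lab values (assumptions for the example, not course values).
DEFAULT = Proposal("IKEv2", "", 2, "AES-128", "SHA1", "ESP", "AES-128", "SHA1", None)
SONICWALL_A = Peer("SonicWall A", True, "192.168.168.0/24", "10.20.0.0/24",
                   DEFAULT, "lab-shared-secret")
SONICWALL_B = Peer("SonicWall B", True, "10.20.0.0/24", "192.168.168.0/24",
                   DEFAULT, "lab-shared-secret")


def demo_good() -> List[str]:
    """Both sides mirrored, same proposal, same secret: nothing to report."""
    return check_pair(SONICWALL_A, SONICWALL_B)


def demo_pfs_mismatch() -> List[str]:
    """PFS enabled on one side only: phase 2 will never agree."""
    b = replace(SONICWALL_B, proposal=replace(DEFAULT, pfs_group=2))
    return check_pair(SONICWALL_A, b)


def demo_overlap() -> List[str]:
    """The same LAN subnet behind both firewalls, the conflict the lecture warns about."""
    b = replace(SONICWALL_B, local_net="192.168.168.0/24", remote_net="192.168.168.0/24")
    return check_pair(SONICWALL_A, b)


def demo_dynamic_ip_main_mode() -> List[str]:
    """IKEv1 main mode chosen although peer A has a dynamic WAN address."""
    ikev1_main = replace(DEFAULT, ike_version="IKEv1", ike_mode="main")
    a = replace(SONICWALL_A, proposal=ikev1_main, wan_ip_static=False)
    b = replace(SONICWALL_B, proposal=ikev1_main)
    return check_pair(a, b)


if __name__ == "__main__":
    for fn in (demo_good, demo_pfs_mismatch, demo_overlap, demo_dynamic_ip_main_mode):
        print(fn.__name__, fn() or "ok")
```

Comparing whole Proposal objects rather than individual fields is deliberate: every field of phase one and phase two takes part in the match, so a single differing value (here the PFS group) is reported the same way the tunnel would fail in practice, as a negotiation that never completes.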
31. WAN GroupVPN: Hi. Today we will set up and configure the WAN GroupVPN feature on our SonicWall firewall. So WAN GroupVPN allows remote end users to access our network resources behind the firewall as if they were connected directly to the internal network. Normally, to connect our remote users to our internal resources, we use SSL VPN, but we can do that also using IPsec, and the way we do it on a SonicWall firewall is by configuring the WAN GroupVPN. So let's start. First, we need to go to Manage, here in the left side, and under Connectivity, VPN, we need to go to Base Settings. By default, a policy for the WAN GroupVPN is created. If you want to enable GroupVPN for another zone, you can do it. Let me show you how we can enable it. You need to go to Network, here under System Setup, then go to Zones. And here, for example, if you want to enable GroupVPN for the LAN zone, we need to go and press Configure. Here we can check Create Group VPN and click OK. Now if we go back to VPN, here in the base settings we can find under VPN Policies that a policy is created for the LAN GroupVPN. So perfect.

Now let's see the configuration. I will go and click Configure. For the authentication method, I will keep it default because I want to use the pre-shared key. If you want to use a certificate, you are free to choose it. For me, I will choose the pre-shared key. Here in Shared Secret I will choose my super secret code, which is 12345678. Don't use a shared secret like me; this is just a tutorial video. So here I will go to the Proposals, and those are the IPsec phase one and phase two proposals. For me I will use the default settings, but in your case your organization may require additional security measures, for example using Perfect Forward Secrecy for phase two. If you remember, when we set up the site-to-site IPsec VPN I told you that if we enable it, we can set the DH group for phase two also. Here it is; we can choose it here also. For example, in your case you can enable it, or you can use stronger authentication algorithms and encryption also; you can use higher digests. For me, I will use the default settings and go to Advanced. And here, for example, if I want to enable the management of the firewall through the VPN tunnel, I can enable HTTPS, and if you want, there is also SSH and SNMP. You are free to choose what you enable and what you don't enable for your clients. And here is our last tab, Client, where you can enable the client to store the username and password on his local computer or not. It's recommended to choose Never, but like I said, you are free to choose whichever you want here. Here are the virtual adapter settings. We will choose DHCP Lease because I want the virtual adapter to take an IP address that the firewall will provide. We will see how to create and set up DHCP over VPN in a minute. I will choose DHCP Lease. Here we can choose to allow connections to Split Tunnels or All Secured Gateway. The difference between split tunnels and all secured gateway is this: in split tunnels, the client will access only the internal resources that are defined for him; we will see how to define for the clients what resources they will access in our network. With all secured gateway, the client will access our internal resources, and also, if he wants to access, for example, a website on the Internet, for example here I want to visit Facebook, this session will be transferred to our SonicWall firewall, then the session will be transferred to the website. For example, if we have the anti-virus security service enabled, it will be applied to that request. OK, perfect. For me, I will choose only split tunnels, and click OK. Now the last thing we have here is to check the Enable box. Perfect.

Then I will go and set up DHCP. I will go to Network, then DHCP Server, and create a new DHCP server scope. Here I need to make sure that this IP range is not in my network. I need to make sure, like I said, that the subnet that I put here is not in my local network. For example, I will put 10.2.1 and the range ends at 20. For example, I don't have to put the gateway. I can put the mask. Like I said, if you want to choose custom settings, for example if you have an Active Directory and you want to put the DNS IP of your server, you can choose it here. You can specify the DNS server manually, and here you can put your domain, like I said, your DC server. In the Advanced, if you have a VoIP call manager or you have some specific parameters, you can choose them here if you want. Otherwise you can leave this as it is and I don't think that you will make a mistake. Click OK. Perfect. Now I need to go back to the VPN, and you need to go to DHCP over VPN, Central Gateway. I need to press Configure and enable it. You need to check "For Global VPN Client". And the question that you will ask is how SonicWall will forward the DHCP scope that I configured to the Global VPN Client and not the other scope that we have also, because we have two scopes in the DHCP server. For it to know, we need to go here to the Relay IP Address, and we need to put an IP address within the range of our scope, but it needs to be a reserved IP. So for me, I will do 21. I hope that you understand that the important thing is this relay IP: it needs to be in the same subnet, but it needs to be out of the range. I will click OK. Let me go back to the DHCP server to show you what I did. This is my DHCP and this is my scope. This is my lease and it ends at 20; this is the end of the range. What I put in the relay IP address is 21. So the IP should be in the same subnet, but it needs to be out of the range, so perfect.

Now the next thing that we need to do is to download a program called GVC. It's the Global VPN Client; through that program we will be able to connect to our firewall. I need to go and show you on my SonicWall account. We need to go to the download center. You need to go to Resources and Support, then to the Download Center. And from the Download Center, you will need to go here and search for Global VPN Client. Here it is. I will choose the latest version. One note to make here is that Global VPN Client is only available for Windows machines. You can use it only on Windows machines. I already downloaded it. What I will do now is go to my Windows 10 machine. This is the client machine; this is where I will do the test, where I will install GVC and connect to the firewall. So what I need to do is to configure the adapter
of this machine. Here I will go to Settings and it will go to
the network adapter. And a will choose
Bridget. And it will do. The important chain is that the machine should
see the firewall. One public IP middle here, yes, the machine near
to Risch, our firewall. That's why I put it here. And Bridget, go back
to the firewall. To me go to interfaces. This is our one, your phase, and this is our
firewall, public IP. So the machine should be
able to reach this IP hair. Perfect. Let me go back. I already
have the program and started. Let me make it bigger.
Arity is my program. I will start it to video. Perfect, he is onStart now. It's enabled it forward. Next, we need to put our
firewall ip address. You can choose the connection
name if you want. Do next. Yes. No. Do finish. This is my connection
and it will do enable. Here. I will put my separate pre-shared
key, which is 12345678. And they will do, okay. One thing that I forget is the configuration
of the username. Go back to the firewall.
Let me close that. Let's go back to the firewall. I almost forget that. I need to go to the user and
local user's local users. We can use our Active
Directory users because we see how to import them and integrate our firewall to the
active directory. Or you can create a local user. Let's go and create a
local user. For the test. Rename it with pen. It will give it a password. The next thought that I will
need to go to is VPN access. And here where I
sit to the client, what until neuro
sources surely axis. Here, I want it to
access my LAN network, which is the subnet. Here it is. If you wanted to
access another subnet, you can choose it from the air and put it
in the axis list. They will do okay. Now let's go back to our Windows machine. Me make it bigger again. And let's see if we can
connect with do username. So VPN ops, VPN password. The password is
connected, like we say. Perfect, he is connected. And like we said, our virtual IP is ten log ten dot dot nine. And it's within the range
that we set me go back. Here, we can see at the
virtual adopter name is sonic over VPN connection. If we go to data, as we can see, our IP address here it is. So that's perfect. Now let me open command line and just try to ping
an internal device. For example, I will
pick the IPO of my Sony coal firewall. That it's perfect.
I can ping it. Perfect. If I did the IP config, I can see the IPO of my
virtual adapter and they say that my machine IP is this. And I can ping the ten dot one, which is the firewall land
IP address narratives. I think that I chose
the management, the VPN, so I can manage my
firewall, throws the VPN. So let me see if I can do it. You ship is this is the IPE. Me. Go back. Let me close that. This is the IP. Yes, I got access to it. Perfect. He told me that
administrative login is not alone because this
user that I'm using, I didn't give him the
permission of administrator. That's why I see this page air. So the important chain is
that our VPN is work and we are connected to our firewall and can access our
anterior nodal sources. So that's it for one group, VPN. Please. If you have any questions, don't hesitate to ask
me. And good luck.
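The address-plan rule from the DHCP over VPN step (the new scope must not overlap a subnet already on the firewall, and the relay IP must sit in the scope's subnet but outside the lease range) is easy to get wrong in the GUI, so here is that rule as an added check. It is not part of the course or of SonicWall's own tooling; the LAN subnet, scope and relay address below are constructed placeholders, and Python's ipaddress module does the arithmetic.

```python
from ipaddress import ip_address, ip_network

# Constructed sample plan (not the course's addresses): an assumed X0 (LAN) subnet,
# a GVC lease range of twenty addresses, and a relay IP just past the end of the range.
LAN_NETWORKS = ["192.168.168.0/24"]
SCOPE_START, SCOPE_END = "10.10.10.1", "10.10.10.20"
SCOPE_MASK = "255.255.255.0"
RELAY_IP = "10.10.10.21"


def check_dhcp_over_vpn(lan_networks, scope_start, scope_end, scope_mask, relay_ip):
    """Return a list of problems with a DHCP-over-VPN scope; an empty list means the plan is sound.

    Rules checked, in the order the lecture states them:
      1. start and end of the scope lie in one subnet, and start is not after end,
      2. the scope's subnet does not overlap any subnet already used on the firewall,
      3. the relay IP is inside that subnet but outside the leased range.
    """
    findings = []
    start, end = ip_address(scope_start), ip_address(scope_end)
    # strict=False lets us derive the subnet from a host address plus its mask.
    scope_net = ip_network(f"{start}/{scope_mask}", strict=False)

    if start > end:
        findings.append(f"scope start {start} is after scope end {end}")
    if end not in scope_net:
        findings.append(f"scope end {end} is not in the subnet {scope_net} of the start address")

    for lan in lan_networks:
        lan_net = ip_network(lan)
        if scope_net.overlaps(lan_net):
            findings.append(f"scope subnet {scope_net} overlaps existing network {lan_net}")

    relay = ip_address(relay_ip)
    if relay not in scope_net:
        findings.append(f"relay IP {relay} is not in the scope subnet {scope_net}")
    elif start <= relay <= end:
        findings.append(
            f"relay IP {relay} falls inside the lease range {start}-{end}; "
            "it must be a reserved address outside the range"
        )
    return findings


if __name__ == "__main__":
    problems = check_dhcp_over_vpn(LAN_NETWORKS, SCOPE_START, SCOPE_END, SCOPE_MASK, RELAY_IP)
    print("plan OK" if not problems else "\n".join(problems))
```

Run it with your own X0 subnet, scope and relay address before pressing OK on the Central Gateway page; a relay IP inside the lease range is the mistake the lecture warns about, and the check names it explicitly.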
32. SSL VPN PART 1: So far we saw how to create a remote access VPN using Global VPN, which uses IPsec. In this video, we will see how to set up and use SSL VPN on our SonicWall firewall. SSL VPN allows remote users to connect to the firewall and access the internal network resources over a secure connection using SSL. The users will be connected remotely through SSL VPN to our network as if they were connected directly to it.

There are three different methods to connect using SSL VPN. The first method is using Virtual Office. Virtual Office is a web portal that needs only a browser on the computer to connect to the VPN. The second method is using NetExtender, which is a client application that we install on our machine. For mobile users, there is an application called Mobile Connect. In this video we will try to connect to our SSL VPN using the three methods.

To configure SSL VPN on the firewall, we need to go to Manage. From Manage, here on the left side, under Connectivity, we need to go to SSL VPN. SSL VPN starts with zones. Here we have three zones: LAN, WAN and DMZ. Those are the zones that we currently have in our firewall. To enable SSL VPN on a zone, we need to select it. For our case, our clients are remote clients, so they will come from the WAN. Then we need to select WAN. Perfect. We can notice that this dot here became green. That means that we have SSL VPN enabled on the WAN zone.

Then we are in Server Settings. You can find here the SSL VPN port. By default it is 4433. We can change it if we want. I will keep the default port, but you can change it if you want. Okay? Here we have the certificate. Like I said, we are using an SSL certificate. You can use a self-signed certificate. If you have your own certificate, you can go to System, then Certificates, and add your own certificate. Here, this is the user domain. When we want to connect using the NetExtender application, we need to be careful with this domain here. We need to put exactly the same domain. If you change this name, you need to change it in NetExtender as well. And here, if we want to manage our firewall through SSL VPN, we can enable it. It tells us that if we enable it, we need to add a rule in the firewall to allow access from SSL VPN to our LAN. It shows us that because it won't create the rule automatically, so we would need to create the rule manually. I will disable it for now. We can do the same thing for SSH. And if we want to end the SSL VPN connection due to an inactivity timeout, we can enable it. For me, where it says SSL VPN activity check, we can enable it, and then here we can put the timeout value. For example, we can put ten minutes, which is the default, or we can increase it or decrease it as we want. Here I will uncheck it. That's it for the server settings. Now I will do Accept. Okay, perfect.

Now we will go to Client Settings. Here we need to go to the Default Device Profile. From here, I will go and configure IP. I want it to be in the SSL VPN zone. Here in the network address we will create a new network. This network will be assigned to the SSL VPN clients that are using the NetExtender or Mobile Connect applications. When our clients connect to the SSL VPN using the NetExtender application or Mobile Connect, they need a VPN IP to connect to our firewall. So let's go and create a new network. I will name it "SSL subnet". I want it to be in the SSL VPN zone. Here in Type, I will put Network. For this network here, you need to make sure that the subnet is not used anywhere in your firewall. So be sure that you are not using the subnet that you will put here anywhere. For me, I will put this subnet. Okay.

Let me go back. Here we need to go to Client Routes. Here we can find Tunnel All Mode, and by default it's disabled. So we have two modes: we have tunnel all mode and we have split tunnel. When tunnel all mode is disabled, that means that we are using split tunnel. What is split tunnel? It is that our client, when he connects to our firewall using VPN, will only have access to the networks that we give him access to. So for our case, I want him to access our LAN network, which is the X0 subnet. Let me find the X0 subnet. Here it is. By that, our clients can access the X0 network. If I enable this and put it to enabled, our clients can access this subnet, and also if they want to access a website on the internet, their request will be forwarded to our firewall first, then forwarded to the website. For example, if we have tunnel all mode enabled and a client connects to our firewall using VPN and wants to access Facebook, the request for Facebook will be sent to our firewall. He will access Facebook through our firewall. So the request will pass through our firewall. Perfect. I will keep it disabled.

Here we have Client Settings. In Client Settings, we can put a DNS server if we have one in our internal network. And here we have the NetExtender client settings. You are free to choose what you enable and what you disable. It depends on your case. For example, we can enable the client auto update, and you can allow or disable password storing on the local machine. For example, you can allow saving of the username and password on the local machine or not, or you can prohibit saving of the username and password. For me, I will only allow saving the username. I will do OK.

Here we have Portal Settings, and here we can change the Virtual Office page. For example, we can change the title so the client can know that they are connected to the right place. For example, we can put our company name, and we can choose the home page message. The login message can be changed, and also the logo. Here it is, the logo. The logo must be in GIF format, and this is the size of the logo. If you want to put your company logo, you can put it here. Then I will do Accept.

Now, after we configured SSL VPN, what we need is a user to connect to the SSL VPN. That's what we will see. We need to go to the left side, under System Setup, to Users and then Local Users & Groups. Let's use the user vpn that we used before when we connected using Global VPN. Let's go and do Configure. This is our user. What we need to do is go into Groups. Here we will notice in User Groups that we have an SSLVPN Services group. We need to select it and assign it to the user. This is one of the mistakes that most users make when they set up SSL VPN: they forget to assign the SSLVPN Services group to the user. So please make sure to select it. The second thing that we need to do is go into VPN Access. We can find here that we already gave it the X0 subnet. If you haven't given it access to the X0 subnet, please do it; you can search for the X0 subnet from here, select it, and add it to the access list. Perfect.

Here we have Bookmarks. It will not allow us to create a bookmark until we give it the SSLVPN Services group, so we need to do OK, then go back, do Configure and go to Bookmarks. Now we can create a bookmark. Basically, a bookmark is a connection. If we do Add a bookmark, we can see here that we can give it a name, an IP address and a service. Here in the bookmark we can configure our connections, for example RDP, SSH, Telnet or VNC. So if we have a Windows server in our internal network and we want a remote user to access it, we can choose RDP, put the IP of the server, then use custom credentials and put the credentials of the server. The client will see a connection link to the server when he connects using Virtual Office. But like we see here, SSL VPN through Virtual Office is limited. For example, if we want to access a shared folder or we want to access our web server, we can't. We can only access RDP, SSH, Telnet and VNC. I will close that window. Okay.

Now what I want to show you is another mistake that most users make when they configure SSL VPN. Let's go to Network. Here under Interfaces, we need to go to the X1 interface. Here, under zone WAN, this is the WAN interface, because we are enabling SSL VPN on the WAN zone. Let's go ahead and configure. The mistake that most users make is that they don't enable HTTPS and HTTP here under User Login. I have already enabled it. I'm enabling the HTTP and HTTPS checkboxes here. That also automatically enables "Add rule to enable redirect from HTTP to HTTPS". Here it is. So make sure to enable and check this box here. Do OK. Perfect. Now we are done with the firewall; we need to go to the client configuration.
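The lecture calls out the settings that most often break an SSL VPN deployment: the WAN zone not enabled, the client pool overlapping an existing subnet, the user missing the SSLVPN Services group or the X0 subnet in VPN Access, and HTTPS user login left off on the X1 interface. The following is an added pre-flight check that walks those rules over a configuration snapshot; it is not SonicWall code and the dict below is a constructed stand-in for the GUI settings, not SonicOS's configuration format. The subnets, usernames and WAN address are assumptions; "SSLVPN Services", "LocalDomain" and port 4433 are the names and default the lecture uses.

```python
from ipaddress import ip_network

SSLVPN_GROUP = "SSLVPN Services"   # user group the lecture says must be assigned

# Constructed snapshot of the settings the lecture walks through (every value is an assumption).
EXAMPLE_CONFIG = {
    "sslvpn_zones": ["WAN"],                  # zones on which SSL VPN is enabled
    "sslvpn_port": 4433,                      # Server Settings, default port
    "user_domain": "LocalDomain",             # must match what NetExtender sends
    "client_pool": "10.20.30.0/24",           # address object assigned to NetExtender/Mobile Connect clients
    "firewall_networks": {                    # subnets already in use on the firewall
        "X0 Subnet": "192.168.168.0/24",
        "DMZ Subnet": "172.16.1.0/24",
    },
    "wan_user_login": {"http": True, "https": True},   # X1 interface, User Login checkboxes
    "users": {
        "vpn": {"groups": [SSLVPN_GROUP], "vpn_access": ["X0 Subnet"]},
        "bob": {"groups": [], "vpn_access": []},      # a user set up without the two required steps
    },
}


def lint_sslvpn(cfg, username, wanted="X0 Subnet"):
    """Return the misconfigurations that would stop `username` reaching `wanted` over SSL VPN.

    An empty list means every check the lecture mentions passes for that user.
    """
    findings = []
    if "WAN" not in cfg["sslvpn_zones"]:
        findings.append("SSL VPN is not enabled on the WAN zone, so remote clients cannot connect")
    if not cfg["wan_user_login"].get("https"):
        findings.append("HTTPS user login is not enabled on the WAN (X1) interface")

    # The client pool must not collide with any subnet the firewall already routes.
    pool = ip_network(cfg["client_pool"])
    for name, net in cfg["firewall_networks"].items():
        if pool.overlaps(ip_network(net)):
            findings.append(f"client pool {pool} overlaps {name} ({net})")

    user = cfg["users"].get(username)
    if user is None:
        findings.append(f"user {username!r} does not exist")
        return findings
    if SSLVPN_GROUP not in user["groups"]:
        findings.append(f"user {username!r} is not a member of {SSLVPN_GROUP}")
    if wanted not in user["vpn_access"]:
        findings.append(f"user {username!r} has no VPN Access entry for {wanted}")
    return findings


def client_connection_settings(cfg, wan_ip):
    """What a NetExtender or Mobile Connect user has to type: server with port, and the domain."""
    server = f"{wan_ip}:{cfg['sslvpn_port']}"
    return {
        "server": server,                       # forgetting the port is the slip the lecture makes twice
        "domain": cfg["user_domain"],
        "virtual_office": f"https://{server}",  # the browser URL for the web portal
    }


if __name__ == "__main__":
    for name in EXAMPLE_CONFIG["users"]:
        problems = lint_sslvpn(EXAMPLE_CONFIG, name)
        print(name, "OK" if not problems else problems)
    print(client_connection_settings(EXAMPLE_CONFIG, "203.0.113.10"))
```

Running it against the snapshot reports nothing for the user vpn and two findings for bob (missing group, missing VPN Access), which is exactly the pair of mistakes the lecture says most people make.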
33. SSL VPN PART 2: This is a Windows machine. In Settings, in the network adapter settings, it's not connected to the internal network of the firewall. Perfect. It's started. Let me make it bigger. Let's open a browser and connect to the Virtual Office, which is the web portal. To connect, what we need to do is https:// and the WAN IP address of the firewall. This is the IP of the interface where we enabled SSL VPN. And we need to put the port that we configured in the SSL VPN server settings, which is 4433. Perfect. Go to Advanced, accept the risk and continue. And there it is, the Virtual Office. Let me put in the username vpn and the password. Login. Perfect. Now we are connected.

Like I said, if we want to create a bookmark, we can also do it from here: we can press Add and add another bookmark. But again, we are limited to RDP, SSH, Telnet and VNC. For example, let's say a connection through SSH. I will enable it here, SSH. I will put the IP address of a machine that I have behind the firewall in the X0 subnet. I will name it "ssh", and you can choose to automatically accept. OK. Now let's go and see if I put the right IP of the machine. This is the IP of the machine. Let me check it, which is port 22, for SSH. Go back to Windows. Press "ssh". It told us to input the username and password. We are connected to the machine using SSH. Perfect, here it is. This is the machine. I will do a logout.

Now, one other thing that we can see here is that we can download the NetExtender client from the Virtual Office. If you want, you can press here and you will be able to download NetExtender. This is the first method to download it. The second method to download it is by going to the MySonicWall account. So let's go and connect to my MySonicWall account. From here, we need to go to Resources and Support, then Download Center. Here we need to search for NetExtender. Here it is. We can download it from here. We can see that it is available only for Windows and Linux machines. I already downloaded it. Go back to the machine. Let me make it bigger. Just go on and install it. Next. I agree. Next. Next. Here we need to put the IP of the server, which is the IP of our firewall. We need to put the domain, which is LocalDomain. Make sure that you are putting the domain name correctly. We'll do Next. Next. Yes. And it will launch NetExtender. Let's go and open NetExtender. In the server, I forgot to put the port, which is 4433. So please don't forget that. Then in the username, I'll put again my username and password, and of course our domain. Let's do Connect. Perfect. We are connected. This is Status and these are the Routes. If we had put a DNS server, we would find it here, but we didn't. We are in Status; in the client IP, we can see that we have the IP that we configured earlier. Here it is.

Let me go back to my virtual machine. Here, like we see, we have port 80 open and it's Apache. So we have a web server. Let's try to access this machine. Go to the browser. Perfect, I can perfectly connect to our internal network using SSL VPN. So next, we will see how to use Mobile Connect to connect to our SSL VPN using our mobile.
34. SSL Mobile Connect: I'm on my Android mobile, and I want you to know that the same thing applies to iPhones and iOS as to Android mobiles. We need to go to the Play Store. In the Play Store, we need to search and find SonicWall. Like we see, this is the application: SonicWall Mobile Connect. So let's go and install it. By the way, I'm connecting from my home network. This is my home network. Let me show you. This is my IP address, ending in .0.6, and my firewall IP ends in .0.21. So I am in the same range as the firewall and I can access the firewall. In the real world, the firewall will be in a different subnet, but the essential thing is that we need to be able to reach the firewall public IP address.

So let's go back to the Play Store. The application is installed. Let's open it. In Connections, go to Add Connection. Name it. I will put the IP of my firewall. Continue. It automatically detected that I'm using port 4433, because I forgot it again. It detected it for me. I will do Yes. And it added it for me. Perfect. It is asking for the username. I will put vpn and I will put my password, which is my super, super password. Save. Now let's try to connect. I will check this box here. I will do Always Allow. In Status, we can see that it is connected. In Monitor, you can see that I got the IP that we configured before. Here it is. That's it for the SSL VPN. Please, if you have any other questions, don't hesitate to ask me. And good luck.