Differences
This shows you the differences between two versions of the page.
|
sred:lab6 [2021/12/11 00:22] horia.stoenescu [Exercises] |
sred:lab6 [2022/11/25 13:43] (current) horia.stoenescu Updated lab |
||
|---|---|---|---|
| Line 2: | Line 2: | ||
| ==== Setup ==== | ==== Setup ==== | ||
| - | On the last lab, remember that we used an evaluation license (used for a maximum of 1 vCPU and 2 GB RAM) available for only 15 days (see [[https://docs.fortinet.com/vm/vmware-esxi/fortigate/6.2/vmware-esxi-cookbook/6.2.0/504166/fortigate-vm-evaluation-license|here]] more). | + | On the last lab, remember that we used a licensed Forti VM (used for a maximum of 1 vCPU and 2 GB RAM) with Internet access, with a lic that gets invalidated after few minutes. |
| <note important> | <note important> | ||
| Line 18: | Line 18: | ||
| As an alternative, you can delete from this path **/opt/unetlab/tmp** the files created for each node, but the first option is the recommended one. | As an alternative, you can delete from this path **/opt/unetlab/tmp** the files created for each node, but the first option is the recommended one. | ||
| </note> | </note> | ||
| - | |||
| === Licensing === | === Licensing === | ||
| - | From this lab on, we will need to have a licensed VM. As we have only 2 licenses available in total (starting with HA lab, we are going to use 2 firewall machines), we need to reuse them for all Fortigate firewalls using the following steps: | + | From this lab on, we will need to have a licensed VM with no access to Internet (to keep the **Valid** status). As we have only 2 licenses available in total (starting with HA lab, we are going to use 2 firewall machines), we need to reuse them for all Fortigate firewalls using the following steps: |
| 0. We will blackhole the default route after the license is marked as VALID, then create a route only for client user ip (which will mostly be the same for all firewalls). | 0. We will blackhole the default route after the license is marked as VALID, then create a route only for client user ip (which will mostly be the same for all firewalls). | ||
| Line 85: | Line 84: | ||
| 5. At last, go to webui using your browser and start the lab. | 5. At last, go to webui using your browser and start the lab. | ||
| + | <note tip> | ||
| + | Make sure to respect this steps in order for licensing. In case your license is not seen as valid and the default route is added, remove it and wait for system log message to appear on stdout: "**registration status changed to 'VALID'**". | ||
| + | </note> | ||
| ==== Exercises ==== | ==== Exercises ==== | ||
| - | Find on moodle course the pdf [[https://curs.upb.ro/2021/pluginfile.php/430773/mod_resource/content/1/FortiGate_Infrastructure_6.4_Lab_Guide-Online.pdf|file]] for the Fortinet Exercises. As we will work with VDOMs, go directly to chapter 3 (page 62) and start the tasks. | + | Find on moodle course the pdf [[https://curs.upb.ro/2022/pluginfile.php/397572/mod_folder/content/0/FortiGate_Infrastructure_6.4_Lab_Guide-Online.pdf|file]] for the Fortinet Exercises. As we will work with VDOMs, go directly to chapter 3 (page 62) and start the tasks. |
| - | ** Topology setup **: | + | === Topology setup === |
| - | Below you can find our topology (different a little from the one found on page 62): | + | Below you can find our topology (a little different from the one found on page 62): |
| {{:sred:lab6_topology.png?800|}} | {{:sred:lab6_topology.png?800|}} | ||
| - | We are going to reuse our topology from the last lab, but with a small change. Shutdown the second client machine and the firewall. Then, delete the existing connection between client2 and firewall and re-attach the client to port4. | + | We are going to reuse the one from the last lab, but with a small change. Shutdown the second client machine and the firewall. Then, delete the existing connection between client2 and firewall and re-attach the client to port4. |
| The differences in our case are that client2 (which needs to be linked with port4 to firewall, instead of port3 as stated on pdf) will not access the Internet (as all traffic to default route is sinkholed) and client1 will have configured at the end an ad hoc server (for testing the second exercise). | The differences in our case are that client2 (which needs to be linked with port4 to firewall, instead of port3 as stated on pdf) will not access the Internet (as all traffic to default route is sinkholed) and client1 will have configured at the end an ad hoc server (for testing the second exercise). | ||
| - | Next, I will give you some tips regarding the differences for configurations: | + | Next, I will give you some tips/changes regarding the differences for configurations: |
| - | **Exercise 1 (pages 63-69) [5p]**: | + | === e1. [5p] New customer in town (pages 63-69) === |
| - create a new revision as a snapshot (we do not have an already existing one as stated on page 63). Go to admin (from up right corner) > Configuration > Revisions and create a new one (you can call it 'before_vdom_enabled') | - create a new revision as a snapshot (we do not have an already existing one as stated on page 63). Go to admin (from up right corner) > Configuration > Revisions and create a new one (you can call it 'before_vdom_enabled') | ||
| Line 149: | Line 151: | ||
| - to access the firewall using the customer credentials, we will need to access webui from client2: after client2 gets an ip from dhcp server (it should be 192.168.2.2), go to Mozilla > https://192.168.2.1 and try to login with customer's account credentials | - to access the firewall using the customer credentials, we will need to access webui from client2: after client2 gets an ip from dhcp server (it should be 192.168.2.2), go to Mozilla > https://192.168.2.1 and try to login with customer's account credentials | ||
| - | **Exercise 2 (pages 70-74) [5p]**: | + | === e2. [5p] Allow traffic between clients (pages 70-74) === |
| - the mapping are the following: port4 - vlink1 (for customer vdom) and vlink0 - port2 (for root vdom) | - the mapping are the following: port4 - vlink1 (for customer vdom) and vlink0 - port2 (for root vdom) | ||
