Show page

Differences

This shows you the differences between two versions of the page.

--- sred:lab7 [2022/12/16 15:16]
horia.stoenescu Updated exercises
+++ sred:lab7 [2022/12/16 15:37] (current)
horia.stoenescu Updated setup
@@ Line 7: / Line 7: @@
 === Lab infra ===
+In case you already solved the previous lab (with HA), there is need to stop all nodes, remove all connections, and delete the switches (or keep them for later, but not connected to anything).
 == Local-FortiGate ==
-In the past 2 weeks, we configured a single FGT device (which will be referred from now as **Local-FortiGate** - you can also rename the node with this name after shutting it down) with 2 VDOMs (root and customer) which is licensed (it may appear in Dashboard with 'Validation Overdue', but you can ignore it as VDOM and IPsec will still work). VDOMs are going to be kept on this FGT and we will require only to use **root** VDOM as we will use the following interfaces:
+In the first 2 Fortinet labs, we configured a single FGT device (which will be referred from now as **Local-FortiGate** - you can also rename the node after shutting it down) which is licensed (it may appear in Dashboard with 'Validation Overdue', but you can ignore it as IPsec will still work). Revert to a revision without HA configured and check again the mgmt ip.
+We will use the following interfaces:
 <note warning>
-As VDOMs are still enabled on the first FGT, you will need the following syntax to access the interfaces config (for example):
+If VDOMs are still enabled on the first FGT, you will need the following syntax to access the interfaces config (for example):
 <code>
 FGT81 # config vdom
@@ Line 25: / Line 29: @@
 </note>
-- **port1**: for GUI access from your host and principal tunnel connection with the peer (FGT2 or Remote-FortiGate) - **subnet in network 10.3.0.0/16**
+- **port1**: for GUI access from your host and principal tunnel connection with the peer (FGT2 or Remote-FortiGate) - **subnet in network 10.3.0.0/16**. This is assigned by the dhcp server.
-<note>
-You may see that you cannot access webui via http/https. This is caused by the changing of your public ip address, which means also the internal one (10.12*.*.*) is going to be changed and the added static route by you will be useless. In this case, redo the steps from the previous lab for [[https://ocw.cs.pub.ro/courses/sred/lab6#licensing|Licensing]], with the exception of 2 and 3 (no need to readd the license and reboot machine).
-</note>
-- **port2**: used for creating a client network (the branch we need to connect via IPsec tunnel). For this, you can keep **client1** from the previous lab and remove **client2** from port4 interface (found in **customer** VDOM). You should have for port2 interface 172.16.0.1 and for client1 172.16.0.2 (or any other ip given by DHCP server) - **subnet in network 172.16.0.0/24**
+- **port2**: used for creating a client network (the branch we need to connect via IPsec tunnel). For this, you can keep **client1** from the previous lab. You should have for port2 the ip 172.16.0.1 and for client1 172.16.0.2 (or any other ip given by DHCP server) - **subnet in network 172.16.0.0/24**
 - **port3**: used for creating a backup connection between the 2 FGT devices. For this, we need a new Cloud Network that will connect virtual interfaces and simulates a new ISP connection (same or different) from both sides. You can use here the alias **outside_redundant**.
@@ Line 53: / Line 54: @@
 == Remote-FortiGate ==
+<note important>
+Do this just in case you did not solve the last lab (HA):
 For the second FGT (FGT2 or Remote-FortiGate), create a new node with 4 interfaces, 1 vCPU, 2 GB RAM, then connect port1 to Cloud0 (already added to topology), port3 to Cloud1 (already added to topology), and port2 to client2. Start client2 and FGT (Remote-FortiGate), then you will need firstly to change the mac address:
 <code>
@@ Line 62: / Line 66: @@
 </code>
-Then, repeat all steps from the latest lab regarding [[https://ocw.cs.pub.ro/courses/sred/lab6#licensing|Licensing]] (use for it the secondary license available on moodle) and configure the following interfaces:
+If you have a revision before adding the HA, revert to it. Else, go to cli > config system ha > unset all variables, then end.
-- **port1**: , modify the mac address:
+Then, repeat all steps from the latest lab regarding [[https://ocw.cs.pub.ro/courses/sred/lab6#licensing|Licensing]] (use for it the secondary license available on moodle)
+</note>
+Configure the following interfaces:
-the ip is again taken via dhcp. The static routes should be the same as for FGT1. Example
+- **port1**: the ip is again taken via dhcp. The static routes should be the same as for FGT1. Example
 <code>
 FGT81_2 # get router info routing-table details
@@ Line 80: / Line 86: @@
 - **port2**: connection with client2 (reuse the one from the latest lab and connect it to port2 of FGT2). Use the network 172.30.0.0/24 with 172.30.0.1 for port2 and dhcp server configured (with .2 - .254 pool). Enable also http, https, ping for admin access. Then, go to client2, check the ip from eth0 and ping the firewall.
-- **port3**: connection with Cloud1, in the same netw as the first FGT. Use ip address 10.0.0.2/30 for port3 and enable ping. You can also use here the alias **outside_redundant**
+- **port3**: connection with Cloud1, in the same network as the first FGT. Use ip address 10.0.0.2/30 for port3 and enable ping. You can also use here the alias **outside_redundant**
 {{:sred:sred_2020-sred_lab7_ipsec2.png?700|}}
-After finishing the netw configuration on both machines, check the following:
+After finishing the network configuration on both machines, check the following:
 - from eve-ng machine (root:student credentials), see the bridge configuration (pnet1 for Cloud1):