interview

The document provides an extensive overview of various networking concepts, devices, and protocols, including details on Cisco switches, stacking methods, network management systems, performance metrics, and wireless technologies. It covers topics such as Quality of Service (QoS), Software-Defined Networking (SDN), VLANs, and Spanning Tree Protocol (STP), along with encryption methods and authentication protocols. Additionally, it outlines the design and deployment processes for wireless networks and the functionalities of different network devices.

Contents

Devices
Stacking
Network Management Systems
Network Performance Metrics
Wireshark/ Protocol Analyzer
Wireless
QoS
SDN
VLAN
STP
Etherchannel
InterVLAN routing
FHRPs
Symmetric and Asymmetric encryption
UTM
Stateful and Stateless firewalls
TACACS+ and RADIUS
Site to Site IPSEC VPN
DMVPN
Cisco WSA
FortiAuthenticator
FortiMail
Administrative Distance and Metric
Difference between Link State (OSPF, IS-IS) and Distance Vector (RIP, IGRP) protocols
Redistribution
PBR
OSPF
BGP
ARP
DHCP
SNMP
TCP
DNS and DDNS
Fortigate
FTD

Devices
Cisco Catalyst 6800 (End-of-Life)
• Features: High-performance switches. Offer stacking capabilities for redundancy.
Support a wide range of port densities and speeds (Gigabit Ethernet, 10 Gigabit
Ethernet).
• Ideal Use Cases: Enterprise core and distribution networks that require high
capacity, scalability, and redundancy.

Cisco Catalyst 9300
• Features: Supports a variety of interface types like Gigabit Ethernet, Multigigabit
Ethernet (NBASE-T), and PoE+ (Power over Ethernet Plus). Offers features like
Flexible NetFlow, Network Analysis Module (NAM), and Software Defined Access
(SDA).
• Ideal Use Cases: Access and distribution layer for mid-sized businesses, or access
layer in large enterprises. Suitable for environments needing PoE for devices like
IP phones and security cameras.

Cisco Catalyst 9500
• Features: High-performance switches. Offer high port density with 10 Gigabit
Ethernet, 25 Gigabit Ethernet, 40 Gigabit Ethernet, and 100 Gigabit Ethernet
options. Support StackWise Virtual for redundancy. MPLS capability. Advanced
features like network programmability.
• Ideal Use Cases: Core and distribution layers.

Cisco ISR 4351
• Features: Offers up to 400 Mbps forwarding performance. Provides three
Network Interface Module (NIM) slots and two Service Module (SM) slots for
expansion. Generally suited for smaller branch offices or remote sites with
moderate bandwidth requirements. Can be integrated with Cisco Unified
Communications solutions for features like Voice over IP and video conferencing.

Cisco ISR 4451
• Features: Delivers up to 2 Gbps forwarding performance. Provides three Network
Interface Module (NIM) slots and two Service Module (SM) slots for expansion.
Also supports a redundant power supply for increased reliability. Provides similar
features to the 4351 but with better performance. Designed for larger offices.
Can also be integrated with Cisco Unified Communications solutions for features
like Voice over IP (VoIP) and video conferencing.

Aruba 7005
o Supports up to 1024 APs (scalable with clustering).
o Offers high-performance Gigabit Ethernet uplinks for data transfer.
o Provides integrated security features like role-based access control (RBAC)
and dynamic VLAN assignment.

Cisco 5508
o Supports up to 500 APs (scalable with stacking).
o Offers Gigabit Ethernet uplinks for data transfer.
o Provides security features like RADIUS authentication and VPN support.

Stacking
How stacking works (StackWise):
• When the switches are powered on, the Stack Discovery Protocol uses broadcast
messages to discover the stack topology.
• After all switches in the stack are discovered, switch numbers are automatically
determined, but these can also be configured manually.
• Then an active switch and a standby switch are elected, first on the basis of the
highest priority number and then on the basis of the lowest MAC address.

Differences between StackWise (S) and StackWise Virtual (SV):
• In S, up to 8 switches can be stacked. In SV, only 2 can be stacked.
• In S, the switches can only be connected to each other with the proprietary
stacking cables. In SV, the switches can be connected with standard fiber cables.
• In S, long distances between the switches are not supported; in SV, long
distances are supported.

Network Management Systems

We can monitor various network devices by adding them manually or using automatic
discovery features, and for each of these devices we can monitor different metrics
such as CPU usage, memory utilization, interface errors or packet loss.
We can analyze network performance metrics such as bandwidth, throughput and latency.
We can also track and manage configurations, allowing us to do tasks such as backing
up and restoring configs.
We can do alerting and reporting, i.e. we can establish alerts to notify us of critical
situations, such as:
• Interface errors exceeding a certain threshold (indicating potential connectivity
issues).
• CPU or memory utilization reaching high levels (suggesting device overload).
• A significant increase in latency or packet loss (signaling network performance
degradation).

Network Performance Metrics
1. Bandwidth: the maximum amount of data that could theoretically be sent over a link or
through a device.
2. Throughput: the actual amount of data that is sent over a link or through a device in a
certain time period.
3. Latency: the amount of time required for a packet to travel between two points in a
network; it shows the total effect of all delays between those two points. There are
different types of delay, such as transmission delay, which is the amount of time needed to
send a packet out of an interface. Another example is queuing delay, which is the amount
of time a packet stays in a buffer (i.e. a queue) before it goes out of the interface.
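The following is an added example, not part of the original notes, tying the two sections above together: it derives measured throughput and utilization (throughput as a share of bandwidth) from interface byte counters polled at intervals, and then raises the kinds of alerts the network management section lists (CPU high, interface errors over a threshold, latency increase). The poll samples, the 10 Mbit/s link bandwidth and the thresholds are constructed for the demo and are not values from any NMS product; the 32-bit counter wrap handling reflects how octet counters of that width behave.

```python
# Added example (not part of the original notes): turning polled interface counters into
# throughput/utilization figures and raising the alert types the notes list. The samples,
# link bandwidth and thresholds below are constructed for the demo, not values from any NMS.

COUNTER_MAX_32 = 2**32  # 32-bit octet counters (ifInOctets-style) wrap at this value

# Constructed poll samples: (time_s, in_octets, in_errors, cpu_percent, latency_ms)
SAMPLES = [
    (0,   4_294_900_000, 10, 35,  8.0),
    (60,  4_294_950_000, 12, 40,  8.5),
    (120,        60_000, 15, 92,  9.0),   # octet counter wrapped during this interval
    (180,    70_060_000, 40, 95, 45.0),   # errors, CPU and latency all jump
]

LINK_BANDWIDTH_BPS = 10_000_000  # assumed 10 Mbit/s link (the theoretical maximum)

THRESHOLDS = {  # assumed alerting thresholds for the example
    "cpu_percent": 90,             # CPU at or above this level -> device overload
    "errors_per_interval": 20,     # interface errors per polling interval
    "latency_increase_factor": 3,  # latency >= 3x the first sample's latency
    "utilization_percent": 80,     # throughput as a share of bandwidth
}


def counter_delta(prev, curr, max_value=COUNTER_MAX_32):
    """Difference between two counter readings, allowing for one wrap-around."""
    return curr - prev if curr >= prev else curr + (max_value - prev)


def throughput_bps(prev_octets, curr_octets, interval_s):
    """Measured throughput over the interval in bits per second."""
    return counter_delta(prev_octets, curr_octets) * 8 / interval_s


def utilization_percent(bps, bandwidth_bps=LINK_BANDWIDTH_BPS):
    """Throughput expressed as a percentage of the link's bandwidth."""
    return 100.0 * bps / bandwidth_bps


def evaluate(samples=SAMPLES, bandwidth_bps=LINK_BANDWIDTH_BPS, thresholds=THRESHOLDS):
    """Compare consecutive samples and return (interval_index, alert_name, value) tuples."""
    alerts = []
    baseline_latency = samples[0][4]
    for i in range(1, len(samples)):
        t0, octets0, errors0, _, _ = samples[i - 1]
        t1, octets1, errors1, cpu, latency = samples[i]
        util = utilization_percent(throughput_bps(octets0, octets1, t1 - t0), bandwidth_bps)
        errors = counter_delta(errors0, errors1)
        if util > thresholds["utilization_percent"]:
            alerts.append((i, "utilization", round(util, 1)))
        if errors > thresholds["errors_per_interval"]:
            alerts.append((i, "interface_errors", errors))
        if cpu >= thresholds["cpu_percent"]:
            alerts.append((i, "cpu", cpu))
        if latency >= baseline_latency * thresholds["latency_increase_factor"]:
            alerts.append((i, "latency", latency))
    return alerts


if __name__ == "__main__":
    for interval, name, value in evaluate():
        print(f"interval {interval}: {name} alert, value {value}")
```

The second interval shows why the wrap check matters: the raw difference of the octet counter is negative there, and without the correction the throughput for that interval would be reported as nonsense instead of the small real value.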

Wireshark/ Protocol Analyzer

A protocol analyzer (also known as a network sniffer) can be a tremendous
troubleshooting asset.
You can use a protocol analyzer to capture traffic flowing through a network switch. By
examining the captured packets, you can see the details of communication flows
(sessions) as they are being set up, maintained, and torn down.
The examination of these captured packets is referred to as traffic analysis, which can
give us valuable insights about the nature of the traffic. Protocol analyzers can assist in
identifying details such as top talkers, top destinations, top protocols in use, and the
quantity of traffic on the network.
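As an added example (not from the original notes), the traffic-analysis step described above, run over a constructed packet summary: the CAPTURE text imitates the source, destination, protocol and length columns one would export from a protocol analyzer, with made-up addresses and sizes. It reports the top talkers, top destinations, top protocols and the total quantity of traffic the notes mention, and goes one step further by also ranking conversations (both directions of a pair counted together).

```python
# Added example (not from the original notes): traffic analysis over a captured-packet
# summary. The CAPTURE text is constructed to look like the source/destination/protocol/
# length columns exported from a protocol analyzer; the addresses and sizes are made up.
from collections import Counter

CAPTURE = """\
10.0.0.5 93.184.216.34 TLS 1400
10.0.0.5 93.184.216.34 TLS 1400
93.184.216.34 10.0.0.5 TLS 600
10.0.0.7 10.0.0.1 DNS 80
10.0.0.1 10.0.0.7 DNS 120
10.0.0.9 10.0.0.5 SMB 900
10.0.0.9 10.0.0.5 SMB 900
10.0.0.9 10.0.0.5 SMB 900
10.0.0.7 93.184.216.34 HTTP 300
"""


def parse_capture(text=CAPTURE):
    """Parse 'src dst protocol length' lines into (src, dst, proto, length) tuples."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, length = line.split()
        packets.append((src, dst, proto, int(length)))
    return packets


def traffic_summary(packets, top_n=3):
    """Top talkers, destinations, protocols and conversations by bytes, plus the total."""
    by_src, by_dst, by_proto, by_conv = Counter(), Counter(), Counter(), Counter()
    for src, dst, proto, length in packets:
        by_src[src] += length
        by_dst[dst] += length
        by_proto[proto] += length
        by_conv[tuple(sorted((src, dst)))] += length  # direction-agnostic conversation key
    return {
        "total_bytes": sum(length for *_, length in packets),
        "packets": len(packets),
        "top_talkers": by_src.most_common(top_n),
        "top_destinations": by_dst.most_common(top_n),
        "top_protocols": by_proto.most_common(top_n),
        "top_conversations": by_conv.most_common(top_n),
    }


if __name__ == "__main__":
    for key, value in traffic_summary(parse_capture()).items():
        print(f"{key}: {value}")
```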

Wireless
Wi-Fi uses the following bands/frequency ranges:
2.4 GHz
5 GHz
6 GHz

Each band is divided into multiple channels. Devices transmit and receive traffic on one
or more of these channels. To avoid interference, nearby wireless APs should use
channels that do not overlap with one another. In the 2.4 GHz band, it is recommended to
use channels 1, 6 and 11 to avoid signal interference. Channels in the 5 GHz band are
non-overlapping.

Wireless/site survey tools such as AirMagnet/Ekahau can provide analysis of what
channels are currently in use. They can also collect data to show the relative strength of
signals in the areas being serviced by the APs.
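An added example (not from the original notes) that checks a 2.4 GHz channel plan for the overlap problem described above. It uses the channel center-frequency formula (2407 MHz + 5 MHz per channel number, with channel 14 at 2484 MHz) and the 22 MHz width of the classic 802.11b channel mask, which is why channels 1, 6 and 11 come out as non-overlapping. The AP list and the neighbor pairs (APs whose coverage areas touch, as a site survey would tell you) are constructed.

```python
# Added example (not from the original notes): checking a 2.4 GHz channel plan for
# overlapping neighbors. The center-frequency formula (2407 MHz + 5 MHz x channel,
# channel 14 at 2484 MHz) and the 22 MHz channel width are the classic 802.11b values;
# the AP list and which APs neighbor each other are constructed, as if taken from a
# site survey.

def channel_center_mhz(channel):
    """Center frequency of a 2.4 GHz channel in MHz."""
    if not 1 <= channel <= 14:
        raise ValueError(f"not a 2.4 GHz channel: {channel}")
    return 2484 if channel == 14 else 2407 + 5 * channel


def channels_overlap(a, b, width_mhz=22):
    """True when two channels' spectra overlap (includes the co-channel case a == b)."""
    return abs(channel_center_mhz(a) - channel_center_mhz(b)) < width_mhz


# Constructed plan: AP -> channel, and pairs of APs whose coverage areas touch
AP_CHANNELS = {"AP-1": 1, "AP-2": 6, "AP-3": 11, "AP-4": 3, "AP-5": 1}
NEIGHBORS = [("AP-1", "AP-2"), ("AP-2", "AP-3"), ("AP-3", "AP-4"),
             ("AP-1", "AP-4"), ("AP-4", "AP-5"), ("AP-2", "AP-5")]


def find_conflicts(ap_channels=AP_CHANNELS, neighbors=NEIGHBORS):
    """Neighboring AP pairs that are on overlapping channels."""
    return [(a, b) for a, b in neighbors
            if channels_overlap(ap_channels[a], ap_channels[b])]


def suggest_channel(ap, ap_channels=AP_CHANNELS, neighbors=NEIGHBORS, preferred=(1, 6, 11)):
    """First preferred channel that overlaps with none of the AP's neighbors, else None."""
    neighbor_channels = {ap_channels[b if a == ap else a]
                         for a, b in neighbors if ap in (a, b)}
    for channel in preferred:
        if not any(channels_overlap(channel, n) for n in neighbor_channels):
            return channel
    return None


if __name__ == "__main__":
    for a, b in find_conflicts():
        print(f"{a} (ch {AP_CHANNELS[a]}) overlaps {b} (ch {AP_CHANNELS[b]})")
    print("suggested channel for AP-4:", suggest_channel("AP-4"))
```

In the constructed plan AP-4 on channel 3 overlaps both of its channel-1 neighbors, and the suggestion routine moves it to channel 6, the only one of 1/6/11 clear of every neighbor.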

Design and deployment

1. Planning and requirements: First, we gather the requirements, such as how many users
there are and how much bandwidth is required.
2. Making a predictive design: While designing a wireless network, we can use Ekahau.
We add the layout of the area and specify user count, bandwidth needs, and desired
applications. Ekahau then provides a visual prediction of signal strength and the optimal
number of APs for good coverage throughout the space.
3. Pre-deployment site survey: The survey team visits the actual site to confirm that the
layout matches the one used in the predictive design. This includes checking for walls,
furniture, and other physical elements that might affect signal strength. Based on the
survey data, the access point placement can be optimized to ensure good coverage,
minimize dead zones, and meet the network's performance requirements.
4. Configuration and installation.
5. Post-deployment site survey: The main purpose is to validate that the real-world
network performance aligns with the design goals. This involves measuring signal
strength, signal-to-noise ratio (SNR), and data transfer rates throughout the designated
coverage area. The survey can uncover any unforeseen issues that might have emerged
after deployment, like interference from unexpected sources (other wireless networks
or electronic devices) and configuration problems with the access points themselves.

MIMO uses multiple antennas for transmission and reception. These antennas do not
interfere with one another because MIMO uses a technique called spatial multiplexing.
It transmits different data streams through the different antennas, essentially creating
separate channels for each stream. Since the data travels on separate channels, the
signals are less likely to interfere with each other.

Wi-Fi standards:
802.11n   2.4 GHz / 5 GHz           Wi-Fi 4
802.11ac  5 GHz                     Wi-Fi 5
802.11ax  2.4 GHz / 5 GHz / 6 GHz   Wi-Fi 6
802.11be  2.4 GHz / 5 GHz / 6 GHz   Wi-Fi 7

Encryption:
Different protocols can be used to encrypt traffic, e.g. AES:
WPA2 - AES-CCMP
WPA3 - AES-GCM

EAP Authentication methods/protocols:

a. EAP-FAST: a secure TLS tunnel is established between the client and the server.
b. PEAP: here a secure TLS tunnel is also established between the client and the server;
the server has a digital certificate, and the client uses this digital certificate to
authenticate the server.
c. EAP-TLS: here a secure TLS tunnel is also established between the client and the
server, and this method requires the server and all of its clients to have a
certificate. It is the most secure method.

QoS
Implementing QoS through the Modular QoS CLI (MQC):
1. Class-map: we define the classes of traffic, i.e. what kind of traffic to match, e.g. HTTPS,
voice.
2. Policy-map: what action will be taken on the traffic. In this step we define what is to
be done to the classified traffic by using different QoS mechanisms, e.g. how much
bandwidth we want to allocate to each type of traffic.
3. Service-policy: apply the policy to the specific interface.

QoS mechanisms:
1. Classification and Marking: we place the traffic into different categories, e.g. voice
or video, and then we can mark the classified traffic with marking values. Marking
changes bits within a packet to indicate how the network should treat that traffic, and
then, based on the marking, priority will be given to the classified traffic.

2. Congestion management: we can prioritize the transmission of the packets of the
different types of traffic on the basis of queues. Different queuing algorithms, such as
weighted-fair queuing (WFQ), are used, which divide an interface's buffer into multiple
logical queues. The queuing algorithm then empties packets from those logical queues
in a sequence and amount that is defined by the algorithm's configuration. For example,
traffic could first be sent from a priority queue (which might contain VoIP packets) up to
a certain bandwidth limit, after which packets could be sent from a different queue.

3. Policing: we define the maximum amount of bandwidth that a certain kind of traffic
can use, e.g. HTTPS traffic, and the packets exceeding that maximum threshold will be
dropped.

4. Shaping: here we also define the maximum amount of bandwidth that a certain kind of
traffic can use, but instead of dropping the excess packets, they will be delayed by being
stored in a buffer.
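To make the policing-versus-shaping difference concrete, here is an added example (not from the original notes, and not Cisco's implementation) that runs a token-bucket policer and a token-bucket shaper over the same constructed burst of packets: both enforce the same rate, but the policer drops what exceeds the bucket while the shaper holds it in a FIFO buffer and releases it later. The rate, burst size and packet timings are made up; real MQC policing has more knobs (exceed and violate actions, for instance) than this model shows.

```python
# Added example (not from the original notes): a token-bucket policer and shaper run
# over the same constructed burst of packets. The rate, burst size and packet timings are
# made up for the demo; real MQC policing/shaping has more parameters (e.g. exceed/violate
# actions) than this model shows.
from dataclasses import dataclass


@dataclass
class Packet:
    arrival_s: float
    size_bytes: int


class TokenBucket:
    """Tokens (bytes) accrue at the committed rate up to the burst size."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bytes_per_s = rate_bps / 8
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last = 0.0

    def refill(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate_bytes_per_s)
        self.last = now

    def wait_for(self, size_bytes):
        """Seconds until enough tokens exist for a packet of this size (0 if already)."""
        deficit = size_bytes - self.tokens
        return 0.0 if deficit <= 0 else deficit / self.rate_bytes_per_s


def police(packets, rate_bps, burst_bytes):
    """Policer: packets that exceed the bucket are dropped; returns (sent, dropped) times."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    sent, dropped = [], []
    for p in packets:
        bucket.refill(p.arrival_s)
        if bucket.tokens >= p.size_bytes:
            bucket.tokens -= p.size_bytes
            sent.append(p.arrival_s)
        else:
            dropped.append(p.arrival_s)
    return sent, dropped


def shape(packets, rate_bps, burst_bytes):
    """Shaper: excess packets wait in a FIFO buffer; returns (arrival, departure) pairs."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    clock = 0.0
    departures = []
    for p in packets:
        clock = max(clock, p.arrival_s)  # cannot leave before arrival or before the previous packet
        bucket.refill(clock)
        clock += bucket.wait_for(p.size_bytes)
        bucket.refill(clock)
        bucket.tokens -= p.size_bytes
        departures.append((p.arrival_s, round(clock, 3)))
    return departures


# Constructed burst: four 500-byte packets at t=0, one more at t=2 s, against an
# 8 kbit/s (1000 byte/s) committed rate with a 1000-byte burst allowance
PACKETS = [Packet(0.0, 500), Packet(0.0, 500), Packet(0.0, 500), Packet(0.0, 500), Packet(2.0, 500)]
RATE_BPS = 8000
BURST_BYTES = 1000

if __name__ == "__main__":
    print("policer sent/dropped:", police(PACKETS, RATE_BPS, BURST_BYTES))
    print("shaper departures:", shape(PACKETS, RATE_BPS, BURST_BYTES))
```

With these numbers the policer passes the first two packets, drops the next two and passes the one arriving after the bucket has refilled; the shaper passes all five but the third and fourth leave half a second and a full second late.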

SDN

SDN
It is an approach that centralizes the control plane functions of the network devices
through a controller.
An SDN controller manages the control plane functions, such as determining routes. Now
each device will only have a data plane that it will use to forward packets. Through this
controller we will control how the traffic will be forwarded, and we will manage the devices
through the controller, i.e. configurations will be done on it and will be pushed to the
devices.
The SDN controller interacts with the network devices using APIs, and we will use
applications or scripts that will tell the controller what network behaviors are desired.

SD-Access
Cisco DNA Center is the controller in SD-Access that manages the network devices which
form the fabric of the SD-Access architecture, and we have scripts and applications that we
will use to manage the DNA Center controller.
The fabric consists of the underlay, which is the physical network of the devices such as
switches and APs and their connections, and of the overlay, which is the virtual network
built on top of the physical underlay. The overlay consists of VXLAN tunnels between the
switches through which data will be transported.

SD-WAN
SD-WAN uses a centralized controller to manage and optimize traffic flows across
different WAN connections like MPLS and broadband internet. In Cisco SD-WAN, vManage
is the controller which handles the wide area connections between the remote sites.
It manages Cisco routers such as specific ISR and ASR models, and Viptela devices such
as vEdges. These are known as WAN Edges.
• Through SD-WAN, it becomes easy and efficient to do policy-based routing, i.e. to
decide what link (MPLS or internet) should be used for a specific type of traffic.
Traditionally, if we want to do this we have to log in to all the devices and do the
policy-based routing configuration. However, in SD-WAN we have the capability to
make centralized policies on the vManage controller.
• Also, in SD-WAN the traffic going between the branches and the head office (HO) will
automatically be encrypted through IPsec due to the default encryption policy.

VLAN
A trunk will not form if these parameters are not the same on both sides of the trunk:
• Frame-tagging protocol
• Native VLAN
• Allowed VLANs
• VTP domain, if configured

STP

DP, RP and NDP:

DP (Designated Port):
• These are ports in the forwarding state.
• It is the port on each segment that is closest to the RB (root bridge) in terms of cost
(usually based on link speed).
• There can only be 1 DP per segment.
• If the ports of the switches on a segment have the same cost to the RB, then we look
at the Bridge IDs of the switches, and the port of the switch with the lowest Bridge ID
becomes the DP. All ports on the RB are DPs.

RP (Root Port):
• These are ports in the forwarding state.
• It is the port on a NRB (non-root bridge) that is closest to the RB in terms of cost.
• There can only be 1 RP per NRB.
• If the cost is the same, then the port connected to the neighboring switch with the
lowest Bridge ID becomes the RP.

NDP (Non-Designated Port):
The port that is neither a DP nor an RP. These are the ports that are blocked.

STP Process:
Step 1: election of RB and NRBs
STP-enabled switches send BPDUs out of all their interfaces. Switches use a field in the
BPDU, the Bridge ID field, to elect a root bridge for the network. This Bridge ID
contains the bridge priority (by default 32768) and the MAC address. The switch with the
lowest bridge priority will become the RB, and if the priority is the same then the switch
with the lowest MAC address will be elected as the RB. The other switches become NRBs.

Step 2: RP
The NRBs will each select one of their interfaces as the RP, which is a port in the forwarding
state. The RP has the lowest cost (usually based on link speed) to the RB. If the cost is the
same, then the port connected to the neighboring switch with the lowest Bridge ID
becomes the RP.

Step 3: DP
Each remaining segment will select one interface to be a DP. It is the port on a switch on
a segment that is closest to the RB in terms of cost. If the ports of the switches on a
segment have the same cost to the RB, then the Bridge IDs of the switches are compared,
and the port of the switch with the lowest Bridge ID becomes the DP.

Step 4: NDP
The remaining port or ports will be the NDPs.
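The four steps above, carried out in code over a constructed four-switch topology, as an added example that is not part of the original notes: Bridge IDs are (priority, MAC) pairs so that priority is compared first and the MAC breaks ties, root path costs are computed from per-link costs, and the RP, DP and NDP rules are applied exactly as described, including the Bridge ID tie-break on a segment where both ends have the same cost to the root. The switch names, MACs and link costs are made up; port IDs, the final STP tie-breaker, are not modeled.

```python
# Added example (not from the original notes): running the STP election and port-role
# rules from the text over a constructed four-switch topology. Bridge IDs are
# (priority, MAC) pairs and link costs are per-link numbers; the switches, MACs and
# costs are made up. Port IDs, the final STP tie-breaker, are not modeled.
import heapq

# Constructed topology: SW4 has the lowest priority, so it wins despite the highest MAC
SWITCHES = {
    "SW1": (32768, "0000.0000.0001"),
    "SW2": (32768, "0000.0000.0002"),
    "SW3": (32768, "0000.0000.0003"),
    "SW4": (4096, "0000.0000.0004"),
}
# Each link is one segment: (switch_a, switch_b, cost)
LINKS = [("SW1", "SW2", 4), ("SW1", "SW3", 4), ("SW2", "SW3", 19),
         ("SW2", "SW4", 8), ("SW3", "SW4", 4)]


def elect_root(switches=SWITCHES):
    """Lowest (priority, MAC) bridge ID wins; tuple comparison checks priority first."""
    return min(switches, key=switches.get)


def root_path_costs(switches, links, root):
    """Lowest cumulative cost from every switch to the root (Dijkstra over link costs)."""
    adjacency = {name: [] for name in switches}
    for a, b, cost in links:
        adjacency[a].append((b, cost))
        adjacency[b].append((a, cost))
    costs = {root: 0}
    heap = [(0, root)]
    while heap:
        cost, name = heapq.heappop(heap)
        if cost > costs[name]:
            continue
        for neighbor, link_cost in adjacency[name]:
            if cost + link_cost < costs.get(neighbor, float("inf")):
                costs[neighbor] = cost + link_cost
                heapq.heappush(heap, (cost + link_cost, neighbor))
    return costs


def port_roles(switches=SWITCHES, links=LINKS):
    """Return (root, root path costs, {(switch, neighbor): 'RP' | 'DP' | 'NDP'})."""
    root = elect_root(switches)
    costs = root_path_costs(switches, links, root)
    roles = {}
    # Step 2: each non-root bridge picks its RP: lowest cost to root via that port,
    # ties broken by the neighbor's bridge ID
    for name in switches:
        if name == root:
            continue
        candidates = []
        for a, b, link_cost in links:
            if name in (a, b):
                neighbor = b if a == name else a
                candidates.append((costs[neighbor] + link_cost, switches[neighbor], neighbor))
        roles[(name, min(candidates)[2])] = "RP"
    # Step 3: each segment gets one DP: the end with the lower (root path cost, bridge ID);
    # every port on the root bridge ends up designated this way.
    # Step 4: whatever is left is non-designated (blocked)
    for a, b, _ in links:
        designated = min((a, b), key=lambda s: (costs[s], switches[s]))
        other = b if designated == a else a
        roles[(designated, other)] = "DP"
        roles.setdefault((other, designated), "NDP")
    return root, costs, roles


if __name__ == "__main__":
    root, costs, roles = port_roles()
    print("root bridge:", root, "costs:", costs)
    for (switch, neighbor), role in sorted(roles.items()):
        print(f"{switch} port to {neighbor}: {role}")
```

On this topology SW1 and SW2 both reach the root at cost 8, so the SW1-SW2 segment is decided by Bridge ID: SW1's port becomes the DP and SW2's port is blocked, which is the tie rule from Step 3 in action.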

STP Port States

1. Blocking:
• NDPs are in the blocking state.
• These interfaces do not send/receive regular network traffic.
• They receive BPDUs but do not send BPDUs.
2. Listening:
• After the blocking state, DPs or RPs enter this state.
• These interfaces do not send/receive regular network traffic.
• They receive and send BPDUs.
3. Learning:
• After the listening state, DPs or RPs enter this state.
• These interfaces do not send/receive regular network traffic.
• They also receive and send BPDUs.
4. Forwarding:
In this state, DPs and RPs send/receive regular network traffic and also BPDUs.

BPDU Guard
For example, there is a port on which PortFast has been configured. Now if another switch is
connected to this port, there is a high chance that a loop will be created, because due to
PortFast STP won't be running on that port. So we can configure BPDU Guard on this port
where PortFast has been enabled. Now whenever this port receives a BPDU from the other
switch, it will go into the err-disabled state (a kind of shutdown), and no loop will be created.

PortFast
When this is enabled on a port, the port bypasses the listening and learning stages of
STP. This allows the port to transition directly to the forwarding state as soon as the link
comes up, significantly reducing the time it takes for devices connected to that port to
start communicating.

RSTP:
• Port states:
Unlike STP, which has 4 states, RSTP has three states: forwarding, learning and
discarding.
• Network change/convergence:
Standard STP can take up to 30 seconds to respond to a network change, while RSTP can
take 6 seconds or less to respond to a change.
• PortFast:
Works as described above: the port bypasses the listening and learning stages and
transitions directly to the forwarding state as soon as the link comes up.

PVST+ (Cisco):
In PVST+ we create a separate spanning tree instance for each VLAN, so we can assign
different RBs to different VLANs. This means each VLAN can have its own set of
blocking and forwarding ports, allowing for more efficient traffic flow.

Rapid PVST+ (Cisco):
Rapid PVST+ inherits the core concept of PVST+, where a separate spanning tree
instance is created for each VLAN. It also adds the features of RSTP.

MSTP:
Groups multiple VLANs into a single spanning-tree instance. This reduces the number of
spanning tree instances. We do load sharing in MSTP by having separate root bridges for
each MST instance.

Etherchannel
Conditions for Etherchannel:
1. The same type of links should be in the Etherchannel (e.g. all Fast Ethernet links).
2. Configurations such as trunk and access port settings should be the same on all the links.

LACP and PAgP:

LACP:
Open standard. Has the modes active and passive. Active mode should be on at least one
side of the Etherchannel for the Etherchannel to be formed. If both switches are in active
mode, they will actively try to form an Etherchannel.
PAgP:
Cisco proprietary. Has the modes auto and desirable. Desirable mode should be on at least
one side of the Etherchannel for the Etherchannel to be formed. If both switches are in
desirable mode, they will actively try to form an Etherchannel.

InterVLAN routing
1. Multi-Layer Switch / SVIs:
We can create logical interfaces called SVIs on the switch; these SVIs have IP
addresses associated with each VLAN and act as the default gateways for the VLANs.

2. Router on a stick:
Consists of a router connected to the switch over a trunk. Physically we have only one
interface on the router, but different logical subinterfaces are created, one subinterface
per VLAN, and each subinterface is configured as the default gateway for its VLAN.

FHRPs
HSRP:
It is a Cisco proprietary protocol. We make a group of the routers and give a Virtual IP
to this group. We give priorities to both routers; the router which we want to make active
gets the larger priority. We then set this Virtual IP as the gateway of our end
devices. Preemption is not on by default in HSRP and has to be enabled.

VRRP:
This is an open standard protocol. Here we have Master and Backup routers instead of
the active and standby of HSRP. Preemption is enabled by default.
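An added example (not from the original notes) showing why the preemption setting matters: a two-router group is run through the same failure-and-recovery sequence with preemption on (the VRRP default) and off (the HSRP default). Router names, priorities and addresses are constructed. The priority rule is the one in the notes; breaking a priority tie by the higher interface IP address is standard HSRP/VRRP behaviour that the notes do not spell out and is included here as an assumption.

```python
# Added example (not from the original notes): an HSRP/VRRP-style active-router election
# with preemption on and off. Router names, priorities and addresses are constructed.
# The priority rule is the one in the notes; breaking a priority tie by the higher
# interface IP address is standard HSRP/VRRP behavior and is included here as an
# assumption the notes do not spell out.


class FhrpGroup:
    def __init__(self, routers, preempt):
        self.routers = dict(routers)  # name -> (priority, interface_ip)
        self.preempt = preempt
        self.up = set()
        self.active = None
        self.standby = None

    def _rank(self, name):
        priority, ip = self.routers[name]
        return (priority, tuple(int(octet) for octet in ip.split(".")))

    def _elect(self):
        candidates = sorted(self.up, key=self._rank, reverse=True)
        if not candidates:
            self.active = self.standby = None
            return
        if self.active in self.up and not self.preempt:
            best = self.active  # without preemption the current active keeps the role
        else:
            best = candidates[0]
        self.active = best
        others = [c for c in candidates if c != best]
        self.standby = others[0] if others else None

    def router_up(self, name):
        self.up.add(name)
        self._elect()

    def router_down(self, name):
        self.up.discard(name)
        self._elect()


def run_scenario(preempt):
    """R1 (priority 110) fails and comes back; return the active router after each event."""
    group = FhrpGroup({"R1": (110, "10.0.0.2"), "R2": (100, "10.0.0.3")}, preempt)
    history = []
    group.router_up("R1")
    group.router_up("R2")
    history.append(group.active)       # R1 wins on priority
    group.router_down("R1")
    history.append(group.active)       # R2 takes over
    group.router_up("R1")
    history.append(group.active)       # R1 returns: reclaims only if preemption is on
    return history


if __name__ == "__main__":
    print("preemption on :", run_scenario(True))
    print("preemption off:", run_scenario(False))
```

Without preemption the lower-priority R2 stays active after R1 recovers, which is the situation the HSRP note warns about; with preemption the higher-priority router takes the role back.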

GLBP:
It is a Cisco proprietary protocol. The main difference between GLBP and HSRP is that GLBP
supports load balancing. That is, if we have multiple gateways (routers), we can
simultaneously forward the traffic through all the routers.
Active Virtual Forwarders (AVFs):
The AVFs are the routers which act as the gateways; all AVFs share the virtual IP
and each has its own virtual MAC address.
Active Virtual Gateway (AVG):
Among the AVFs, one will be the AVG, which assigns the virtual MAC addresses to all
the AVFs, and this AVG is the router that replies to the ARP requests
coming from the LAN.

Symmetric and Asymmetric encryption

Symmetric encryption
In symmetric encryption the same key is used by both the sender and the receiver to
encrypt or decrypt a packet. Symmetric encryption is fast in comparison to asymmetric
encryption.
Asymmetric encryption
In asymmetric encryption different keys are used by the sender and the receiver to
encrypt traffic. Asymmetric encryption is slow in comparison to symmetric encryption.
Example of asymmetric encryption (SSL encryption): say a client PC wants to
communicate with a web server.
1. Client initiates HTTPS request: the client initiates a secure connection and requests the
server's digital certificate.
2. Server sends certificate: the server responds by sending its SSL certificate, which
contains:
• the server's public key
• a digital signature from a trusted Certificate Authority (CA)
3. Client authenticates certificate: the client knows the received certificate is really from the
server because the certificate has been authenticated (signed) by a trusted CA.
4. Client generates and encrypts the session key: the client generates a random string of
data called a session key and encrypts this key using the server's public key. Only
the server's private key can decrypt this session key.
5. Client sends the encrypted session key to the server.
6. Server decrypts the session key using its private key.
Secure communication established: now both client and server share the same session
key. This key is used for encryption of the data exchanged during the session.

UTM
Unified Threat Management (UTM) is a cybersecurity approach that combines multiple
security functions into a single device or software solution. Traditionally, network
security relied on separate tools for firewalls, intrusion detection, antivirus, and other
protections. UTM simplifies things by offering these features in one place.

Stateful and Stateless firewalls
Stateful:
1. They maintain a record, or state, of the connections passing through them, which
means that for each connection they keep track of things such as the source and
destination ports, source and destination IPs and the protocol.
2. They analyze packets by considering the context provided by the state table. This
context allows them to decide whether a packet belongs to an established connection.

Stateless:
1. They do not maintain any record or state of past network connections.
2. They evaluate each packet individually on the basis of rules such as predefined ACLs.
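The following added example (not from the original notes) puts the two models side by side on the same three packets: an inside client opening an HTTPS connection, the server's reply, and an unsolicited packet from that same server aimed at another port on the client. The stateless ACL judges each packet alone, so the legitimate reply is dropped unless a broad return rule is added, and that broad rule also admits the unsolicited packet; the stateful filter records the permitted outbound connection in its state table and uses that context to accept the reply while still dropping the unsolicited packet. Addresses, ports and rules are constructed, and the rule format is a simplified ACL rather than IOS syntax.

```python
# Added example (not from the original notes): the same three packets evaluated by a
# stateless ACL and by a stateful filter that keeps a connection table. Addresses, ports
# and rules are constructed; the rule format is a simplified ACL, not IOS syntax.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Rules are (action, proto, src_prefix, dst_prefix, dport) evaluated top-down;
# "any" matches everything and dport None means any destination port.
# Intent: inside hosts (10.0.0.x) may open HTTPS connections; nothing else is allowed.
ACL = [
    ("permit", "tcp", "10.0.0.", "any", 443),
    ("deny", "any", "any", "any", None),
]

# What an administrator is pushed into on a stateless device so that replies get back in:
# a broad inbound rule that also admits unsolicited traffic from the same server.
ACL_WITH_RETURN_RULE = [("permit", "tcp", "any", "10.0.0.", None)] + ACL


def rule_matches(rule, pkt):
    _, proto, src, dst, dport = rule
    return ((proto == "any" or proto == pkt.proto)
            and (src == "any" or pkt.src.startswith(src))
            and (dst == "any" or pkt.dst.startswith(dst))
            and (dport is None or dport == pkt.dport))


def stateless_decision(acl, pkt):
    """Each packet judged on its own against the rules; implicit deny at the end."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule[0]
    return "deny"


class StatefulFirewall:
    """Permits replies to connections it has already allowed, without a reply rule."""

    def __init__(self, acl):
        self.acl = acl
        self.connections = set()  # (proto, src, sport, dst, dport) of permitted flows

    def decision(self, pkt):
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.connections:
            return "permit"  # belongs to an established connection
        verdict = stateless_decision(self.acl, pkt)
        if verdict == "permit":
            self.connections.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict


# Constructed packets: an inside client opening HTTPS, the server's reply, and an
# unsolicited packet from the same server aimed at RDP on the client
OUTBOUND = Packet("tcp", "10.0.0.5", 51000, "203.0.113.10", 443)
REPLY = Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 51000)
UNSOLICITED = Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 3389)


def compare():
    """Verdicts for each packet under the three approaches."""
    stateful = StatefulFirewall(ACL)
    results = {}
    for name, pkt in [("outbound", OUTBOUND), ("reply", REPLY), ("unsolicited", UNSOLICITED)]:
        results[name] = {
            "stateless": stateless_decision(ACL, pkt),
            "stateless_with_return_rule": stateless_decision(ACL_WITH_RETURN_RULE, pkt),
            "stateful": stateful.decision(pkt),
        }
    return results


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```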

TACACS+ and RADIUS

• RADIUS uses UDP ports 1812 and 1813, and TACACS+ uses TCP port 49.
• RADIUS encrypts only the password during the authentication process, not the
username, while TACACS+ encrypts the entire session.
• RADIUS is mainly used for user authentication and authorization for general
network access, while TACACS+ is mainly used to control administrative access to
network devices such as routers, switches and firewalls.

Site to Site IPSEC VPN

1. IPsec provides three core services:
• Confidentiality: this is about using encryption, in which encryption keys are used to
both encrypt and decrypt data. Diffie-Hellman (D-H) public key exchange is the most
common standard used to create and exchange keys. The strength of the keys is based
on the encryption algorithm used (e.g. 3DES, AES) and the D-H group used to generate
that key (Group 1, Group 2, Group 5).
• Integrity: ensures that data is not altered when going from one site to another.
Integrity is achieved using a hashing algorithm. The hashing algorithm calculates a
specific hash value as each packet is sent. Once the data is received, it is run through
the hashing algorithm again. If the hash value is different, then the packet was
changed. Hashing algorithm example: SHA256.
• Authentication: confirms the identity of the host sending data, using pre-shared
keys or a Certificate Authority (CA).

2. IPsec phases:
IKE Phase 1 establishes the ISAKMP tunnel. In this phase: (i) the end-to-end peers are
authenticated using pre-shared keys or digital certificates; (ii) the encryption algorithm and
(iii) the hashing algorithm are negotiated; (iv) both sides agree on a Diffie-Hellman group.
Then each device generates a private key and a public key based on the chosen DH
group. They exchange these public keys with each other, and then, using its own
private key and the received public key, each device calculates a shared secret value
which is used in phase 2 to generate the session keys for encryption and decryption of
the data.

In IKE Phase 2 it is decided which IPsec protocol will be used for securing the data. These
protocols are AH and ESP. ESP is preferred as it provides both encryption and hashing.
Then, for the chosen protocol, the encryption and hashing algorithms are negotiated.
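As an added example that is not part of the original notes, here is the pattern described above carried through end to end: two peers each generate a DH private/public pair, exchange public values, compute the same shared secret, derive session keys from it, and then one peer protects a packet with encryption plus a hash (HMAC) that the other verifies before decrypting, rejecting a tampered packet. The same "shared session key protects the data" idea is what the SSL example in the encryption section ends with, only there the key is transported under the server's public key rather than agreed by DH. The DH parameters here are a constructed toy group (a Mersenne prime with generator 3), not an IKE or RFC 3526 group, and the SHA-256 counter-mode keystream is a stand-in for AES so that the block runs with the Python standard library alone; neither is something to deploy.

```python
# Added example (not from the original notes): the key-agreement-then-symmetric-
# protection pattern from the IPsec section (DH shared secret -> session keys -> encrypted
# and hashed packets), which is also the "session key" idea of the SSL example. The DH
# parameters are a constructed toy group (a Mersenne prime, generator 3), not an IKE/RFC
# group, and the SHA-256 keystream cipher is a stand-in for AES so the block runs with the
# standard library only; neither is something to deploy.
import hashlib
import hmac
import secrets

P = 2**521 - 1   # toy prime modulus (assumption: not a standard DH group)
G = 3            # toy generator
SECRET_BYTES = (P.bit_length() + 7) // 8


def dh_keypair():
    """Private exponent and public value g^x mod p."""
    private = secrets.randbelow(P - 2) + 2
    return private, pow(G, private, P)


def dh_shared_secret(private, peer_public):
    """Each side computes the same value: (g^y)^x == (g^x)^y mod p."""
    return pow(peer_public, private, P)


def derive_session_keys(shared_secret):
    """Separate encryption and integrity keys derived from the shared secret."""
    raw = shared_secret.to_bytes(SECRET_BYTES, "big")
    return (hashlib.sha256(b"enc|" + raw).digest(),
            hashlib.sha256(b"mac|" + raw).digest())


def _keystream(enc_key, seq, length):
    """Counter-mode keystream from SHA-256 (toy stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + seq.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def protect(enc_key, mac_key, seq, plaintext):
    """Encrypt, then hash (HMAC) the sequence number and ciphertext for integrity."""
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, seq, len(plaintext))))
    tag = hmac.new(mac_key, seq.to_bytes(4, "big") + ciphertext, hashlib.sha256).digest()
    return seq, ciphertext, tag


def unprotect(enc_key, mac_key, seq, ciphertext, tag):
    """Recompute the hash first; a mismatch means the packet changed and it is rejected."""
    expected = hmac.new(mac_key, seq.to_bytes(4, "big") + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, seq, len(ciphertext))))


def run_exchange(message=b"site A -> site B: constructed payload"):
    """Two peers agree on keys, one protects a packet, the other verifies and decrypts it."""
    a_private, a_public = dh_keypair()
    b_private, b_public = dh_keypair()
    a_keys = derive_session_keys(dh_shared_secret(a_private, b_public))
    b_keys = derive_session_keys(dh_shared_secret(b_private, a_public))
    seq, ciphertext, tag = protect(*a_keys, 1, message)
    tampered = bytes([ciphertext[0] ^ 0x01]) + ciphertext[1:]
    return {
        "keys_match": a_keys == b_keys,
        "decrypted": unprotect(*b_keys, seq, ciphertext, tag),
        "tampered_accepted": unprotect(*b_keys, seq, tampered, tag) is not None,
    }


if __name__ == "__main__":
    print(run_exchange())
```

The integrity check runs before decryption on purpose: a receiver that decrypts first and compares hashes afterwards has already processed attacker-controlled bytes, which is the ordering ESP's authenticate-then-decrypt design avoids.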

DMVPN
DMVPN is a scalable VPN solution that allows direct communication between multiple
remote sites without having to configure a point-to-point tunnel between every pair of
them.
How it works:
DMVPN uses multipoint GRE (mGRE) tunnels. The problem with plain mGRE is that the
tunnel IP to public (NBMA) IP mappings have to be defined statically on every site.
DMVPN adds the Next Hop Resolution Protocol (NHRP) so that the mappings can be learned
dynamically. One router is configured as the Next Hop Server (NHS), which is the central
hub, and each spoke needs only one static mapping, pointing to the NHS. When the tunnel
interface comes up, the spokes register with the NHS, so the NHS dynamically learns the
tunnel IP to public IP mappings of all the sites. Now if site A wants to reach site B,
site A sends an NHRP resolution request to the NHS asking for the public IP behind site
B's tunnel IP, and the NHS answers from its NHRP mapping table. The GRE tunnels are
normally protected with IPsec (a tunnel protection profile), since GRE itself provides
no confidentiality or integrity.

Phase 1
Phase 1 is hub-and-spoke only: the hub has an mGRE tunnel and the spokes have
point-to-point GRE tunnels to the hub, so all traffic between spokes is sent to the hub,
which forwards it (or filters it with an ACL or firewall policy) on to the other spoke.
The advantage is more control at the central place, as the head office decides what
traffic may pass between the sites. The disadvantage is suboptimal forwarding, as data
first goes from one site to the head office and then to the other site. Which phase to
use depends on the requirements of the company.

Phase 2
In Phase 2 the data path is spoke to spoke, and all tunnels are mGRE. The default
behavior in Phase 1 is that the hub rewrites the next-hop attribute of the routes it
sends to the spokes to itself, so the spokes resolve the next hop to the hub and the data
goes through the hub. In Phase 2 the direct spoke-to-spoke data path is achieved by
changing the routing protocol so that the hub does NOT set the next hop to itself (for
EIGRP: no ip next-hop-self eigrp and no ip split-horizon eigrp on the hub's tunnel
interface). The spoke then sees the other spoke's tunnel IP as the next hop, sends an
NHRP resolution request for it and builds a direct tunnel. Because the original next hop
must be preserved, the hub cannot summarize routes in Phase 2, so every spoke carries
the full routing table.

Phase 3
In Phase 3 the direct spoke-to-spoke data path is not achieved by changing the behavior
of the routing protocol. Instead the hub is given intelligence: when it receives data
from one spoke on its tunnel interface and forwards it out of the same interface to
another spoke, it sends the originating spoke an NHRP redirect message (similar to an
ICMP redirect), which tells the spoke that the destination is directly reachable. The
spoke then sends a resolution request and installs a shortcut route. This is configured
with ip nhrp redirect on the hub and ip nhrp shortcut on the spokes. The end result of
Phase 2 and Phase 3 is the same (direct spoke-to-spoke traffic), but Phase 3 scales
better: the hub can summarize or advertise only a default route, and the spokes keep
small routing tables.

Cisco WSA
### Detailed Features of Cisco Web Security Appliance (WSA)

1. **Web Filtering and URL Filtering:**
- **Function:** Blocks access to inappropriate or malicious websites based on URL
categories and web reputation scores.
- **Benefit:** Enforces acceptable use policies and reduces the risk of accessing harmful
content.

2. **Advanced Malware Protection (AMP):**
- **Function:** Provides protection against malware, including zero-day threats, by
using file reputation, dynamic analysis (sandboxing) and retrospective security.
- **Benefit:** Detects and blocks advanced threats before they can cause damage, and
allows for retrospective analysis of files to detect malware that evaded initial detection.

3. **Application Visibility and Control:**
- **Function:** Monitors and controls the use of web applications.
- **Benefit:** Helps manage bandwidth usage, enforce security policies, and prevent
unauthorized use of applications.

4. **Data Loss Prevention (DLP):**
- **Function:** Monitors and controls the movement of sensitive data to prevent data
breaches (the WSA inspects uploads itself or hands them to an external DLP server over
ICAP).
- **Benefit:** Ensures compliance with regulatory requirements and protects sensitive
information from unauthorized disclosure.

5. **Integration with Cisco Umbrella:**
- **Function:** Enhances security by integrating with Cisco's cloud-delivered security
service.
- **Benefit:** Provides additional layers of protection by leveraging threat intelligence
and cloud-based security services.

6. **Content Caching:**
- **Function:** Caches frequently accessed web content locally.
- **Benefit:** Improves web browsing performance and reduces bandwidth usage.

7. **User-Based Policies and Authentication:**
- **Function:** Applies security policies based on user identity and group, after
authenticating users against Active Directory or LDAP (NTLM, Kerberos or basic
authentication).
- **Benefit:** Ensures that policies are enforced consistently and appropriately for
different user groups.

8. **Reporting and Analytics:**
- **Function:** Provides detailed reports and analytics on web usage, threats, and
policy enforcement.
- **Benefit:** Helps administrators understand web traffic patterns, identify security
incidents, and ensure policy compliance.

9. **High Availability and Scalability:**
- **Function:** Supports deployment in high availability configurations and can scale to
meet the needs of large enterprises.
- **Benefit:** Ensures continuous protection and performance as the organization
grows.

10. **Centralized Management:**
- **Function:** Centralized management through the Cisco Security Management Appliance
(SMA), which aggregates reporting and pushes shared configuration to multiple WSAs.
- **Benefit:** Simplifies administration and policy enforcement across multiple WSA
deployments.

### Detailed Implementation of Cisco WSA in a Company

#### 1. **Deployment:**
- **Planning:** Conducted a network assessment to determine the optimal placement of
the WSA within the network architecture and how client web traffic would be sent to it.
Collaborated with the network and security teams to integrate the WSA with the existing
infrastructure.
- **Installation:** Installed the Cisco WSA close to the Internet edge and directed web
traffic to it either as an explicit forward proxy (proxy settings distributed to clients
through a PAC file or WPAD) or transparently through WCCP redirection from the edge
router or firewall, so that all outbound HTTP/HTTPS traffic was inspected. Connected the
WSA to the network switches and completed the initial setup through the management
console.
- **Configuration:** Set up basic network settings, including IP addressing, DNS, and
routing. Configured the management and data (proxy) interfaces for internal and external
connectivity.

#### 2. **Web Filtering:**


- **Policy Creation:** Defined URL filtering policies based on organizational
requirements. Categorized URLs into groups such as business-related, social media,
streaming media, and malicious sites.
- **Access Control:** Created different access policies for various user roles (e.g.,
employees, contractors, guests) to ensure that only authorized users could access
specific categories of websites.
- **Custom Categories:** Developed custom URL categories for specific business needs,
such as blocking competitive websites or allowing access to industry-specific resources.

#### 3. **Advanced Malware Protection (AMP):**


- **Configuration:** Enabled AMP on the WSA to scan web traffic for known and
unknown malware. Integrated AMP with Cisco Threat Grid for dynamic analysis of
suspicious files.
- **Retrospective Security:** Configured retrospective security to analyze file behavior
over time. Set up alerts for any files that were later identified as malicious, enabling
prompt remediation.
- **Regular Updates:** Scheduled automatic updates for AMP signatures and threat
intelligence feeds to ensure the WSA was protected against the latest threats.

#### 4. **Application Visibility and Control:**


- **Monitoring:** Enabled application visibility to monitor web application usage across
the network. Collected data on which applications were being used, by whom, and for
how long.
- **Control Policies:** Developed control policies to manage the use of web
applications. Restricted access to non-business applications like gaming and streaming
sites during work hours to conserve bandwidth.
- **Reporting:** Generated reports on application usage to identify trends and
potential security risks. Used this data to adjust policies as needed.

#### 5. **Data Loss Prevention (DLP):**


- **Policy Creation:** Created DLP policies to monitor and prevent the transfer of
sensitive data such as customer information, financial records, and intellectual property.
- **Content Inspection:** Configured content inspection rules to scan web traffic for
predefined patterns, keywords, and data types indicative of sensitive information.
- **Alerts and Actions:** Set up alerts for potential DLP violations and configured
actions such as blocking the transfer, logging the event, and notifying the security team
for further investigation.

#### 6. **Content Caching:**


- **Caching Policies:** Configured caching policies to store frequently accessed web
content locally. Determined which types of content were most frequently accessed and
set appropriate cache lifetimes.
- **Performance Monitoring:** Monitored the performance improvements resulting
from content caching. Analyzed metrics such as reduced load times and decreased
bandwidth usage.
- **Cache Management:** Regularly managed and purged the cache to ensure optimal
performance and storage efficiency.
#### 7. **User-Based Policies and Authentication:**
- **Integration with Directory Services:** Integrated the WSA with the company's
Active Directory (AD) for user authentication. This allowed for the application of user-
based policies based on AD groups and roles.
- **Policy Enforcement:** Developed and enforced different web access policies for
various user groups, such as executives, sales, and IT staff. Ensured that policies were
consistently applied based on user authentication.
- **Single Sign-On (SSO):** Enabled single sign-on (SSO) for seamless user
authentication and policy enforcement without requiring multiple logins.

#### 8. **Reporting and Analytics:**


- **Regular Reports:** Scheduled regular reports to provide insights into web usage
patterns, security incidents, and policy compliance. Shared these reports with relevant
stakeholders, such as IT management and compliance officers.
- **Custom Reports:** Developed custom reports to address specific queries or issues,
such as investigating a security incident or analyzing the impact of a new policy.
- **Dashboards:** Used the WSA's dashboard features to provide real-time visibility
into web traffic, threats, and policy enforcement. Configured dashboards to display key
metrics and alerts for quick monitoring.

#### 9. **High Availability and Scalability:**


- **High Availability Setup:** Deployed WSA in a high availability (HA) configuration to
ensure continuous protection and failover capabilities. Configured load balancing to
distribute traffic evenly across multiple WSAs.
- **Scalability Planning:** Planned for future growth by designing the WSA deployment
to scale with the organization’s needs. Monitored traffic patterns and resource
utilization to anticipate when additional WSAs might be needed.
- **Regular Maintenance:** Conducted regular maintenance and updates to ensure the
WSA remained up-to-date and performant. Applied firmware updates, patches, and
security fixes as necessary.

FortiAuthenticator
Designed specifically for user authentication and authorization. It provides a central
platform for managing user accounts, authentication policies, and integrates with
various network services using standard protocols (RADIUS, LDAP) for AAA functionality.
1. Authentication:
• Centralized User Management: FortiAuthenticator provides a central platform for
managing user accounts and their credentials. You can define user groups and assign
them specific authentication methods such as multi-factor authentication (FortiToken,
SMS or e-mail one-time codes).
• Integration with Various Services: FortiAuthenticator integrates with network services
(such as firewalls, VPN gateways and web applications) using protocols like RADIUS and
LDAP, and with SAML for web single sign-on. For example, when a user tries to access a
service, the service sends the credentials to FortiAuthenticator in a RADIUS
Access-Request. FortiAuthenticator verifies them against the configured authentication
source (local users or Active Directory/LDAP) and, if the credentials and any second
factor are valid, returns an Access-Accept, so the service grants access; otherwise it
returns an Access-Reject.

2. Authorization:
• User Groups and Access: FortiAuthenticator allows you to define user groups and assign
them specific access permissions. These permissions control what resources
(applications, servers, network segments) a user group can access. For example, the
"Marketing" group might have access to the marketing file server but not the finance
server.
• Integration with Network Devices: FortiAuthenticator also communicates with network
devices (firewalls, switches, wireless access points) using RADIUS and returns
attributes in the Access-Accept that the device maps to an access level or VLAN. We can
define user groups for network administrators with different privilege levels; for
example, a "Junior Admin" group might only get read-only access to configurations.

3. Accounting:
• RADIUS Accounting: FortiAuthenticator can be configured as a RADIUS accounting server.
It then collects accounting data from network devices, such as user login/logout times
and session duration, and network resource usage (bytes transferred, applications
accessed). Use a strong, per-device RADIUS shared secret and restrict RADIUS to the
management network, since RADIUS only obfuscates the password field and does not encrypt
the rest of the exchange.

FortiMail

A. Anti-Spam and Anti-Phishing Configuration

1. Spam Filtering:
a. I configured spam filtering using FortiMail's
- Reputation analysis (to analyze the sender's reputation; this includes factors such as
the sender's IP address and domain history to identify emails likely to be spam),
- Heuristics (pre-defined rules that scan emails for characteristics commonly found in
spam),
- Bayesian filtering (a statistical method that "learns" from past user actions; if a
user marks an email as spam, it helps train the filter to identify similar emails in the
future).
b. Custom Policies: I also set up custom filtering policies based on our organization's
needs, which included blocking emails from specific domains and IP addresses known for
spamming.

2. *Phishing Protection*:
a. URL Filtering: To protect against phishing, I enabled URL filtering that scans email
content for malicious links. This feature helped prevent users from unknowingly clicking
on harmful links.
b. Content Analysis: I used FortiMail’s content analysis to detect and block phishing
attempts, using machine learning to identify suspicious email patterns. Suspicious Email
Patterns: Phishing emails often have specific patterns in their content, such as: Urgent
language urging immediate action, Generic greetings instead of personalized names.
B. Anti-Malware and Advanced Threat Protection
1. *Virus/Malware Scanning*:
I configured FortiMail to scan all incoming and outgoing emails and attachments for
known malware using signature-based detection. This provided a first line of defense
against common threats.

2. *Sandboxing/Advanced Threat Protection*:


For advanced threat protection, I enabled sandboxing to analyze suspicious attachments
in a controlled environment. This allowed us to detect and fight against zero-day threats
that traditional antivirus solutions might miss.
How it Works:
1. When a suspicious attachment arrives in an email, FortiMail can use sandboxing
to send it to the isolated environment.
2. Inside the sandbox, the attachment is opened and its behavior is monitored.
3. If the attachment has malicious behavior (like trying to access sensitive data or
download additional malware), FortiMail can: Quarantine the email, Block the
sender, Take other pre-configured actions.

C. Data Loss Prevention (DLP)


1. *Content Filtering*:
I implemented DLP policies (These are rules that define what constitutes sensitive
information within your organization. This could include credit card numbers, social
security numbers, or any other data type you deem confidential) to scan outbound
emails for sensitive information, such as credit card numbers. This helps prevent
accidental data leaks.

2. *Encryption*:
I configured FortiMail to automatically encrypt emails containing sensitive information,
ensuring secure communication.

Administrative Distance and Metric

1. AD: a measure of how trustworthy a route source is. If a router receives route
information for the same destination prefix from multiple sources (routing protocols,
static routes), it installs the route with the lowest administrative distance.
Connected: 0, Static: 1, eBGP: 20, EIGRP: 90 (internal), 170 (external), OSPF: 110,
RIP: 120, iBGP: 200

2. Metric: within one routing protocol, routers use the metric to choose the best path
towards a destination. AD is compared first (between sources) and the metric second
(within the winning protocol).
OSPF: cost (derived from interface bandwidth)
EIGRP: composite metric from bandwidth and delay by default; reliability and load can be
included by changing the K values. MTU is carried in EIGRP updates but is not used in
the metric calculation.

Difference between Link State (OSPF, IS-IS) and Distance Vector (RIP, IGRP) protocols
1. In DV, routers only know the next hop and distance to each destination as reported
by their neighbors ("routing by rumor"), so convergence is slow. In LS, every router has
the complete topology of its area in its link-state database and runs SPF on it, so
convergence after an event such as a link failure is faster.
2. In DV, the complete routing table is sent periodically to the neighbors. In LS, only
the changed link-state information is flooded (plus a periodic refresh).
3. DV has no concept of areas; LS protocols support areas, which limit the scope of
flooding and of the SPF computation.
Redistribution
Route redistribution allows routes learned by one routing protocol to be advertised into
another. The receiving protocol usually marks these routes as external (OSPF E1/E2,
EIGRP external with AD 170).
At least one redistribution point has to exist between the two routing domains; that
router runs both protocols. When redistributing in both directions, or at more than one
router, routes can be fed back into the domain they came from and cause routing loops
or suboptimal paths, so route maps, route tags or distribute lists are used to control
what is redistributed.

PBR
Policy-based routing is a technique to forward packets on the basis of a policy instead
of the destination network in the routing table.
In PBR, route maps are used to forward traffic. A route map mainly uses MATCH and SET
statements. First we match the packets, typically with an ACL on source/destination IP
address, and for the matched packets we use the set statement to decide the path: either
a next-hop IP address or the interface to use as the egress interface. Finally we apply
the route map to the router interface on which the traffic arrives (ip policy route-map).
PBR acts on ingress traffic only, and packets that match no sequence of the route map
are routed normally from the routing table.

OSPF
• an IGP
• link state routing protocol
• scalable
• one of its main benefits is support of areas
• best route is decided on the basis of the lowest cost
• OSPF routers only become neighbors if the following parameters match on both
routers: Area ID, area type flags (stub, NSSA, etc.), Hello and Dead intervals, network
type (broadcast, point-to-point, etc.), subnet and mask (not checked on point-to-point
links) and authentication type and key. Router IDs must be unique. An MTU mismatch does
not stop the Hello exchange but blocks the adjacency in the ExStart state.

OSPF NEIGHBOR STATES
1. Down: no Hello packets have been received from the neighbor yet.

2. Init: a Hello has been received from the neighbor, but the receiving router's own
Router ID is not yet listed in it, so communication is only one-way so far.

3. 2-Way: both routers see their own Router ID in the other's Hello, so they become
neighbors. The DR and BDR election happens in this state. On a broadcast network,
DROTHER routers stay in 2-Way with each other and only go further with the DR and BDR.

4. ExStart: the routers exchange empty DBD (database description) packets to elect a
master and slave for the exchange; the router with the highest Router ID becomes the
master and sets the initial sequence number.

5. Exchange: the routers exchange DBD packets that contain summaries of their LSDBs
(LSA headers). Each router compares them with its own LSDB to find out which LSAs it
needs to request from its neighbor.

6. Loading: the routers send Link State Requests for the missing or newer LSAs, receive
them in Link State Updates and update their LSDBs.

7. Full: full adjacency is formed, meaning the link-state databases of the two routers
are synchronized.

Cost Calculation
1. Automatic: cost = reference bandwidth / interface bandwidth, rounded down to an
integer with a minimum of 1. The default reference bandwidth is 100 Mbps, so a 10 Mbps
link costs 10, a 100 Mbps link costs 1 and every faster link also costs 1. On networks
with Gigabit or 10 Gigabit links, raise the reference bandwidth on every router in the
domain (auto-cost reference-bandwidth) so that OSPF can tell the links apart.
2. Manual: specify the cost under the interface with ip ospf cost.
Network types
1. Broadcast: default on Ethernet interfaces
• Routers dynamically discover neighbors by sending and receiving OSPF Hello messages
(multicast to 224.0.0.5)
• A DR and BDR are elected

2. Point to Point: default on serial (HDLC/PPP) interfaces
• Routers dynamically discover neighbors with Hello messages
• No DR and BDR are elected

3. Point to Multipoint: used in hub-and-spoke architectures; OSPF treats the cloud as a
collection of point-to-point links
• Routers dynamically discover neighbors with Hello messages
• No DR and BDR are elected

4. Non Broadcast Multi Access (NBMA): default on Frame-Relay interfaces
• Routers DO NOT dynamically discover neighbors; the neighbor's IP address is configured
manually (neighbor command) and Hellos are sent as unicast
• A DR and BDR are elected; the hub must become the DR, because the spokes have no
direct reachability to each other

DR, BDR and DROTHER

1. Election: -
The election is based first on the interface priority (default 1) and then on the Router
ID. The router with the highest priority, or the highest Router ID when priorities tie,
becomes the DR, the second becomes the BDR and the rest become DROTHERs. A router with
priority 0 never takes part. The election is not preemptive: a router that joins later
with a higher priority does not take over as DR; if the DR fails, the BDR becomes DR and
a new BDR is elected.
2. Roles: -
DR (Designated Router):
• Reduces the number of adjacencies on a multi-access segment: every router forms a
full adjacency with the DR (and BDR) instead of with every other router.
• Receives LSAs from the DROTHERs (sent to 224.0.0.6) and floods them to all routers on
the segment (224.0.0.5).
• Originates the Type 2 (Network) LSA that describes the segment and the routers
attached to it.

BDR (Backup Designated Router):
• Also forms full adjacencies with every router on the segment and listens on 224.0.0.6,
so its LSDB is already synchronized and it takes over immediately if the DR fails.

DROTHER (Other than Designated Router):
• Any OSPF router on the segment that is neither the DR nor the BDR.
• DROTHERs form full adjacencies with the DR and the BDR only; between each other they
stay in the 2-Way state. Every router in the area still ends up with the same LSDB.
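DR/BDR election and the adjacency states it produces, as an added example that is not from these notes and not Cisco code: `elect` applies the priority/Router ID rules and is non-preemptive (a newcomer with a higher priority does not take over, a failed DR is replaced by the BDR), and `adjacency_states` shows which neighbor pairs reach FULL and which DROTHER pairs stop at 2-Way, matching the neighbor states listed earlier. Router IDs and priorities are constructed.

```python
"""DR/BDR election on a multi-access segment and the resulting adjacency states.
Added example; the routers and priorities are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class OspfRouter:
    router_id: str
    priority: int = 1      # 0 = never eligible for DR/BDR


def _rank(r: OspfRouter):
    """Election key: higher priority wins, then higher Router ID."""
    return (r.priority, tuple(int(o) for o in r.router_id.split(".")))


def elect(routers: List[OspfRouter], current_dr: Optional[str] = None,
          current_bdr: Optional[str] = None) -> Tuple[Optional[str], Optional[str]]:
    """Return (DR, BDR) Router IDs. Non-preemptive: an existing DR/BDR that is
    still on the segment keeps its role; a lost DR is replaced by the BDR and a
    new BDR is elected from the remaining eligible routers."""
    eligible = sorted((r for r in routers if r.priority > 0), key=_rank, reverse=True)
    present = {r.router_id for r in eligible}
    dr = current_dr if current_dr in present else None
    bdr = current_bdr if current_bdr in present else None
    if dr is None and bdr is not None:       # DR failed: the BDR is promoted
        dr, bdr = bdr, None
    for r in eligible:                        # fill the empty roles by rank
        if dr is None and r.router_id != bdr:
            dr = r.router_id
        elif bdr is None and r.router_id != dr:
            bdr = r.router_id
    return dr, bdr


def adjacency_states(routers: List[OspfRouter], dr: Optional[str],
                     bdr: Optional[str]) -> Dict[Tuple[str, str], str]:
    """On a broadcast segment a pair reaches FULL only if one of them is the DR
    or the BDR; two DROTHERs (priority 0 included) stop at 2-WAY."""
    states = {}
    ids = sorted(r.router_id for r in routers)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            full = a in (dr, bdr) or b in (dr, bdr)
            states[(a, b)] = "FULL" if full else "2-WAY"
    return states


def demo():
    seg = [OspfRouter("10.0.0.1", 1), OspfRouter("10.0.0.2", 1),
           OspfRouter("10.0.0.3", 0), OspfRouter("10.0.0.4", 1)]
    dr, bdr = elect(seg)                                  # fresh election
    later = seg + [OspfRouter("10.0.0.9", 200)]           # high-priority newcomer
    dr2, bdr2 = elect(later, dr, bdr)                     # does not preempt
    survivors = [r for r in later if r.router_id != dr2]  # the DR fails
    dr3, bdr3 = elect(survivors, dr2, bdr2)               # BDR promoted, new BDR
    return (dr, bdr), (dr2, bdr2), (dr3, bdr3), adjacency_states(seg, dr, bdr)


if __name__ == "__main__":
    for step in demo():
        print(step)
```

In the demo the router with priority 0 (10.0.0.3) still forms FULL adjacencies with the DR and BDR; it is only excluded from becoming one of them.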

ROUTER TYPES
a. Internal Router: a router with all its interfaces in a single area
b. Backbone Router: a router with at least one interface in the backbone area (area 0)
c. Area Border Router (ABR): a router that connects two or more areas, one of which
must be the backbone area, and is responsible for exchanging summary (Type 3) LSAs
between them
d. Autonomous System Boundary Router (ASBR): a router that redistributes routes from
another source (another routing protocol, static routes) into the OSPF domain
AREAS
Backbone area (area 0): all other areas must connect to the backbone area, and all
inter-area traffic passes through it.

Stub Area: External routes (routes from outside the OSPF domain, Type 5 LSAs) are not
allowed in a stub area; the ABR injects a default route instead. Intra-area and
inter-area routes plus the default route are present in a stub area.

Totally Stubby Area: neither inter-area nor external routes are allowed in a TSA. Only
intra-area routes and the default route from the ABR are present.

Not So Stubby Area: like a stub area, an NSSA does not accept external routes (Type 5
LSAs) from the rest of the OSPF domain. Unlike a stub area, an NSSA may itself contain
an ASBR that redistributes external routes into OSPF. Those routes are flooded inside
the NSSA as Type 7 LSAs, and the NSSA ABR translates them into standard Type 5 LSAs
before passing them on to the rest of the domain.

LSA TYPES
LSA 1 (Router LSA): lists all of a router's links in the area, with their state and
cost. Generated by every router and flooded within its own area only.
LSA 2 (Network LSA): generated by the DR for each multi-access segment; lists the
routers attached to the segment. Flooded within the area only.
LSA 3 (Summary LSA): generated by ABRs to advertise the networks of one area into
another, allowing inter-area routing.
LSA 4 (ASBR Summary LSA): generated by ABRs to tell other areas how to reach an ASBR
(its Router ID).
LSA 5 (External LSA): generated by the ASBR for routes redistributed into OSPF from
outside; flooded through the whole domain except stub areas and NSSAs.
LSA 7 (NSSA External LSA): generated by an ASBR inside an NSSA; translated into Type 5
by the NSSA ABR.
Virtual Link
- if an area cannot be physically connected to the backbone area, we can configure a
virtual link through another area between its ABR and a backbone ABR.
- e.g. area 0 is connected to area 1 and area 1 is connected to area 2; the virtual link
runs across area 1 so that area 2 is logically attached to area 0.
- area 1 is known as the transit area.
- the transit area cannot be a stub area, since it must have full routing information
for the OSPF network.

BGP
• an EGP
• path vector protocol, i.e. BGP carries the entire path of Autonomous Systems a route
has passed through (the AS_PATH), which is also how it detects loops
• scalable
• unlike OSPF, in BGP we statically configure the neighbor's IP address; the session
runs over TCP port 179
• iBGP peers depend on an underlying IGP of the AS to reach each other. By default all
iBGP peers must be fully meshed within the AS, because a route learned from one iBGP
peer is not advertised to another (route reflectors or confederations relax this)
• BGP maintains its own table (the BGP table) that holds all the paths it has received;
only the best path per prefix is installed in the routing table and advertised to peers

BGP Peer Messages

1. OPEN is sent between peers to initiate the session; it carries the AS number, hold
time, BGP identifier (router ID) and capabilities.
2. KEEPALIVE messages are sent periodically (every third of the hold time by default) to
ensure that the remote peer is still available.
3. UPDATE messages exchange routes between peers: advertised prefixes with their path
attributes, and withdrawn prefixes.
4. NOTIFICATION messages are sent when there is a fatal error condition. After a
NOTIFICATION the BGP peer session is torn down and reset.
Attributes
BGP 'path attributes' enable BGP to:
• select the best path for forwarding
• implement routing policies
The best path is chosen by comparing the attributes in the following order; the first
attribute that differs decides. (Before any of this, a path whose next hop is not
reachable is discarded.)
1. weight
• Cisco-specific, commonly used to influence outbound routing decisions
• local to the router, never passed on to BGP neighbors
• the path with the greater weight is preferred
2. local preference
• also used to influence outbound routing decisions
• carried to all iBGP peers throughout the AS (not to eBGP peers)
• the path with the greater local preference is preferred (default 100)
3. locally originated
• shows whether the route was originated by the local router (network command,
aggregation, redistribution) or learned from a BGP peer
• locally originated paths are preferred
4. AS-Path length
• the number of Autonomous Systems that have to be crossed to reach the destination
• the path with the shortest AS path is preferred
5. origin code
• indicates how the route was injected into the BGP table
• IGP (i, network command) is preferred over EGP (e), which is preferred over
incomplete (?, redistribution)
6. metric/MED
• allows an AS to tell a neighboring AS which of several entry points it prefers for a
destination (an inbound influence)
• the path with the lower MED is preferred; by default MED is only compared between
paths received from the same neighboring AS
7. neighbor type/paths
• a path from an eBGP peer is preferred over one from an iBGP peer
8. IGP metric to the next hop
• the path whose next hop is closest according to the IGP is preferred
9. oldest path
• for eBGP paths, the one received first is preferred, to limit route flapping
10. router ID
• the path received from the peer with the lowest Router ID is preferred
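The selection order above, implemented as an added example (not from these notes and not Cisco's code): `best_path` walks the attributes in order and reports which step decided, including the rule that MED is only compared between paths from the same neighboring AS. The three candidate paths and their attributes are constructed; the oldest-path step is left out because the sample paths carry no arrival time.

```python
"""BGP best-path selection in the order described above. Added example; the
candidate paths are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}    # IGP < EGP < incomplete


@dataclass
class BgpPath:
    next_hop: str
    peer_router_id: str
    as_path: Tuple[int, ...] = ()
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False
    origin: str = "i"
    med: int = 0
    from_ebgp: bool = True
    igp_metric: int = 0             # IGP cost to reach next_hop
    next_hop_reachable: bool = True


def _ip_key(ip: str):
    return tuple(int(o) for o in ip.split("."))


# (step name, attribute to compare, True if the highest value wins)
STEPS: List[Tuple[str, Callable[[BgpPath], object], bool]] = [
    ("weight", lambda p: p.weight, True),
    ("local_pref", lambda p: p.local_pref, True),
    ("locally_originated", lambda p: p.locally_originated, True),
    ("as_path_length", lambda p: len(p.as_path), False),
    ("origin", lambda p: ORIGIN_RANK[p.origin], False),
    ("med", lambda p: p.med, False),
    ("ebgp_over_ibgp", lambda p: p.from_ebgp, True),
    ("igp_metric", lambda p: p.igp_metric, False),
    ("router_id", lambda p: _ip_key(p.peer_router_id), False),
]


def best_path(paths: List[BgpPath]) -> Tuple[BgpPath, str]:
    """Return the winning path and the name of the step that decided it."""
    candidates = [p for p in paths if p.next_hop_reachable]
    if not candidates:
        raise ValueError("no path with a reachable next hop")
    for name, key, higher_wins in STEPS:
        # MED is only compared among paths from the same neighboring AS
        # (first AS in AS_PATH); otherwise the step is skipped.
        if name == "med" and len({p.as_path[:1] for p in candidates}) > 1:
            continue
        values = [key(p) for p in candidates]
        target = max(values) if higher_wins else min(values)
        candidates = [p for p, v in zip(candidates, values) if v == target]
        if len(candidates) == 1:
            return candidates[0], name
    return candidates[0], "tie"


def sample_paths() -> List[BgpPath]:
    """Three constructed paths to the same prefix, learned from three eBGP peers."""
    return [
        BgpPath("192.0.2.1", "192.0.2.1", as_path=(65001, 65002), local_pref=100),
        BgpPath("192.0.2.2", "192.0.2.2", as_path=(65003, 65004), local_pref=200, med=50),
        BgpPath("192.0.2.3", "192.0.2.3", as_path=(65003, 65005), local_pref=200, med=10),
    ]


def demo():
    paths = sample_paths()
    default_best, step = best_path(paths)   # local_pref drops the first, MED decides
    paths[0].weight = 500                   # local policy: prefer the first peer
    weighted_best, step2 = best_path(paths)
    return (default_best.next_hop, step), (weighted_best.next_hop, step2)


if __name__ == "__main__":
    print(demo())
```

Changing one attribute and watching which step now decides is a quick way to check a policy before applying it as a route map on a real router.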

ARP
ARP is used by network devices to find the MAC address that belongs to an IP address on
the local network, so that frames can be addressed to it.
When a device wants to communicate with another device on its subnet, it broadcasts an
ARP request asking who has a specific IP address. The request carries the sender's own
IP and MAC addresses as well as the target IP address, so that the target can answer
directly.
The device that owns the IP address sends a unicast ARP reply containing its MAC
address, and both sides cache the mapping. ARP has no authentication, so any host on the
segment can answer for an address it does not own (ARP spoofing); switches counter this
with Dynamic ARP Inspection, which checks replies against the DHCP snooping binding
table.
DHCP
DORA
• Discover: the client broadcasts a DHCP Discover message on the network to look for a
DHCP server. It has no IP address yet, so the source is 0.0.0.0 and the destination
255.255.255.255 (UDP port 68 to 67).
• Offer: a DHCP server willing to lease an address responds with a DHCP Offer. This
message includes the offered IP address (yiaddr), subnet mask, lease duration and other
options such as the default gateway and DNS server addresses.
• Request: the client broadcasts a DHCP Request accepting the offered address and naming
the chosen server (server identifier option), so that any other servers that made offers
know their offers were declined.
• Acknowledge (ACK): the chosen server confirms the lease with a DHCP ACK. The client
now uses the address and renews it before the lease expires.

DHCP RELAY AGENT

In large enterprises a centralized DHCP server is often used, but DHCP clients are
usually on other subnets, where their broadcasts would never reach the server. A router
or multilayer switch on the client's subnet is therefore configured as a DHCP relay
agent (ip helper-address on Cisco). The agent receives the client's broadcast Discover,
writes its own interface address into the giaddr field, increments the hop count and
forwards the message as a unicast to the server. The server uses giaddr to choose the
matching scope and sends its reply back to the relay, which delivers it to the client.
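The DORA exchange and the relay behavior as an added example that is not from these notes: `build` produces a raw DHCP message (BOOTP header, magic cookie, options), `relay` does what a relay agent does to a client's broadcast, and `parse` decodes the server's Offer including the options mentioned above. Addresses, the MAC and the transaction ID are constructed.

```python
"""Build a DHCP Discover, relay it (giaddr), and parse the server's Offer.
Added example; addresses, MAC and transaction ID are constructed."""
import socket
import struct
from typing import Dict, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"     # fixed 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
BOOTREQUEST, BOOTREPLY = 1, 2


def _ip(s: str) -> bytes:
    return socket.inet_aton(s)


def build(op: int, xid: int, msg_type: int, mac: bytes, yiaddr: str = "0.0.0.0",
          siaddr: str = "0.0.0.0", giaddr: str = "0.0.0.0",
          options: Optional[Dict[int, bytes]] = None, hops: int = 0) -> bytes:
    """Serialize a DHCP message. Clients set the broadcast flag because they
    cannot yet receive unicast to an address they do not have."""
    flags = 0x8000 if op == BOOTREQUEST else 0
    header = struct.pack(HEADER_FMT, op, 1, 6, hops, xid, 0, flags, _ip("0.0.0.0"),
                         _ip(yiaddr), _ip(siaddr), _ip(giaddr), mac.ljust(16, b"\0"),
                         b"\0" * 64, b"\0" * 128)
    body = bytes([53, 1, msg_type])                # option 53 = DHCP message type
    for code, value in (options or {}).items():
        body += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + body + b"\xff"  # 0xff = end option


def _decode(code: int, value: bytes):
    if code == 53:
        return MSG_TYPES.get(value[0], value[0])
    if code in (1, 54):                            # subnet mask, server identifier
        return socket.inet_ntoa(value)
    if code in (3, 6):                             # router list, DNS server list
        return [socket.inet_ntoa(value[k:k + 4]) for k in range(0, len(value), 4)]
    if code == 51:                                 # lease time in seconds
        return struct.unpack("!I", value)[0]
    return value


def parse(data: bytes) -> dict:
    f = struct.unpack(HEADER_FMT, data[:236])
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    msg = {"op": f[0], "hops": f[3], "xid": f[4], "yiaddr": socket.inet_ntoa(f[8]),
           "siaddr": socket.inet_ntoa(f[9]), "giaddr": socket.inet_ntoa(f[10]),
           "chaddr": f[11][:f[2]].hex(":"), "options": {}}
    i = 240
    while i < len(data) and data[i] != 255:
        if data[i] == 0:                           # pad option
            i += 1
            continue
        code, length = data[i], data[i + 1]
        msg["options"][code] = _decode(code, data[i + 2:i + 2 + length])
        i += 2 + length
    return msg


def relay(packet: bytes, relay_ip: str) -> bytes:
    """What a relay agent does before unicasting the client's broadcast to the
    server: put its own interface address into giaddr (unless an earlier relay
    already did) and increment hops. The server picks the scope from giaddr."""
    msg = parse(packet)
    giaddr = msg["giaddr"] if msg["giaddr"] != "0.0.0.0" else relay_ip
    hdr = bytearray(packet[:236])
    hdr[3] = msg["hops"] + 1
    hdr[24:28] = _ip(giaddr)                       # giaddr sits at offset 24
    return bytes(hdr) + packet[236:]


def demo():
    mac = bytes.fromhex("0011223344aa")
    discover = build(BOOTREQUEST, 0x3903F326, 1, mac)
    at_server = relay(discover, "10.1.20.1")       # relay on the client's VLAN
    req = parse(at_server)
    offer = build(BOOTREPLY, req["xid"], 2, mac, yiaddr="10.1.20.57", siaddr="10.0.0.5",
                  giaddr=req["giaddr"],
                  options={1: _ip("255.255.255.0"), 3: _ip("10.1.20.1"),
                           6: _ip("10.0.0.53") + _ip("10.0.0.54"),
                           51: struct.pack("!I", 86400), 54: _ip("10.0.0.5")})
    return req, parse(offer)


if __name__ == "__main__":
    for m in demo():
        print(m)
```

The same parser can be pointed at a capture to check what a rogue server is handing out: an unexpected option 3 (router) or option 6 (DNS) value is the usual sign of a DHCP spoofing attempt.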

SNMP
SNMP manager: the monitoring station that collects information from the managed
devices.
SNMP agents: software on the managed devices (routers, switches, servers) that answers
the manager. Each agent exposes a Management Information Base (MIB), a tree of Object
Identifiers (OIDs) that define what the manager can read (GET) or set (SET) on the
agent.

The SNMP manager polls the agent with GET/GETNEXT/GETBULK requests for specific OIDs.
The agent can also proactively send trap (or inform) notifications to the manager about
an event on the device, e.g. a link going down or CPU usage exceeding a threshold.
SNMPv1 and v2c authenticate with a plaintext community string, so they should be
limited to read-only access from the manager's addresses with an ACL; SNMPv3 adds
per-user authentication and encryption (authPriv) and should be used where possible.

TCP
1. definition
The Transmission Control Protocol (TCP) is a connection-oriented transport protocol
providing reliable, ordered delivery over an IP network.

2. characteristics of TCP
• Connection establishment – connections are established, maintained and then
terminated between devices.
• Segmentation and sequencing – data is segmented into smaller pieces for transport.
Each byte is numbered and each segment carries a sequence number, so the receiver can
reassemble the data in order and detect gaps.
• Acknowledgments – receipt of data is confirmed through acknowledgments. If a segment
is lost, it is retransmitted.
• Flow control (windowing) – the receiver advertises how much data it can accept, so the
sender does not overwhelm it. Congestion control (slow start, congestion avoidance) is a
separate mechanism that slows the sender down when the network, rather than the
receiver, is congested.

3. three-way handshake
TCP uses a three-way handshake to form a connection. Control messages are passed
between the two hosts as the connection is set up:
• HostA sends a SYN (synchronize) segment with its initial sequence number to HostB.
• HostB responds with an ACK for HostA's sequence number and its own SYN. The two are
combined in a single SYN+ACK segment.
• HostA completes the three-way handshake by sending an ACK to HostB.

4. SYN Flood attack

A SYN flood is a common denial-of-service attack that sends a large number of TCP SYN
segments to a host, usually from spoofed source addresses. The host answers each with a
SYN+ACK, allocates a half-open connection and waits for a final ACK that never comes,
until its backlog of half-open connections is exhausted and legitimate clients are
turned away. Mitigations are SYN cookies (the server encodes the connection state in
its sequence number instead of storing it), a shorter SYN-RECEIVED timeout, and rate
limiting at the firewall.
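Detection of the half-open pattern described above, as an added example that is not taken from these notes: a small flow log is constructed (five clients that complete the handshake, one source that sends 40 SYNs and never answers the SYN+ACK), and `half_open_by_source` replays it to count, per source, the connections still waiting for the final ACK. The log format, addresses, timeout and threshold are constructed for the example.

```python
"""Spot a SYN flood in a constructed flow log by counting half-open handshakes
per source address. Added example; the log lines are made up."""
from collections import defaultdict
from typing import Dict, List, Tuple

SERVER = "203.0.113.5:443"


def constructed_log() -> List[str]:
    """Lines of the form '<seconds> <src ip:port> <dst ip:port> <tcp flags>'."""
    lines, t = [], 0.0
    for i in range(5):                      # five clients complete the handshake
        c = f"192.0.2.{10 + i}:{51000 + i}"
        lines += [f"{t:.2f} {c} {SERVER} S",
                  f"{t + 0.01:.2f} {SERVER} {c} SA",
                  f"{t + 0.02:.2f} {c} {SERVER} A"]
        t += 0.1
    for i in range(40):                     # one source never answers the SYN+ACK
        c = f"198.51.100.9:{40000 + i}"
        lines += [f"{t:.2f} {c} {SERVER} S",
                  f"{t + 0.01:.2f} {SERVER} {c} SA"]
        t += 0.05
    lines.append(f"{t:.2f} 192.0.2.99:52000 {SERVER} S")   # one handshake in progress
    return lines


def half_open_by_source(lines: List[str], now: float,
                        timeout: float = 30.0) -> Dict[str, int]:
    """Replay the log. A client SYN opens a pending entry keyed by the 4-tuple;
    the client's final ACK, or a RST/FIN from either side, closes it. Entries
    younger than `timeout` are what the server still holds in SYN_RECEIVED."""
    pending: Dict[Tuple[str, str], float] = {}
    for line in lines:
        ts, src, dst, flags = line.split()
        if flags == "S":
            pending[(src, dst)] = float(ts)
        elif flags == "SA":
            continue                        # server side; still half-open
        else:                               # A, R, F, ... complete or abort it
            pending.pop((src, dst), None)
            pending.pop((dst, src), None)
    counts: Dict[str, int] = defaultdict(int)
    for (src, _dst), ts in pending.items():
        if now - ts <= timeout:
            counts[src.rsplit(":", 1)[0]] += 1
    return dict(counts)


def flood_sources(lines: List[str], now: float, threshold: int = 20,
                  timeout: float = 30.0) -> List[Tuple[str, int]]:
    """Sources holding at least `threshold` half-open connections, busiest first."""
    counts = half_open_by_source(lines, now, timeout)
    hits = [(s, n) for s, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda sn: -sn[1])


def demo():
    lines = constructed_log()
    now = float(lines[-1].split()[0]) + 1.0  # "current time" for the replay
    return flood_sources(lines, now)


if __name__ == "__main__":
    print(demo())
```

With spoofed sources the per-source count is spread thin; in that case the total number of half-open entries against one destination port, not the per-source number, is the figure to alarm on.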

DNS and DDNS

DNS: for example, when you type yahoo.com in the browser, if the browser or operating
system cannot find the IP address in its own cache, it sends a DNS query to a recursive
resolver, which is usually run by the ISP (or the company). The resolver checks its own
cache and, if the answer is not there, sends the query to a root server.
The root server refers the resolver to the top-level domain (TLD) server for .com.
The TLD server refers the resolver to the authoritative name server for yahoo.com, and
finally that server gives the IP address to the resolver, which caches it for the
record's TTL and returns it to the client.

DDNS: in a DNS zone a hostname normally maps to a fixed IP address. Dynamic DNS is used
when the address changes, as the public IP of a home Internet connection usually does.
For example, if you want to reach your home PC remotely, DDNS lets you create a custom
hostname and link it to your home network's current IP address. When the home IP
address changes, a DDNS client (on the router or PC) updates the record so that the
hostname automatically points to the new address.

Fortigate
Fortinet Security Fabric
An integrated security architecture that connects various Fortinet security products
across the network. It gives us broad protection and visibility into every network
segment and device which can be hardware, virtual, or cloud based. It has different
features such as:
Topology views: These show us connected devices, including access layer devices. It also
shows information about the interfaces that each device is connected to.
Security ratings: Security ratings analyze the Security Fabric deployment to identify
threats and highlight best practices to improve the network configurations and security.

Zone based policies


Zones are a group of one or more physical or virtual FortiGate interfaces. you can group
interfaces into logical zones. Grouping physical interfaces or VLAN sub-interfaces into
zones simplifies creation of security policies.

Identifying/classifying traffic while making policies


on the basis of parameters such as: incoming and outgoing interfaces, Source and
Destination, user identities, services (The services chosen represent the TCP/IP port
numbers)

Transparent mode
The FortiGate interfaces carry no IP addresses (only a management IP is configured) and
the FortiGate forwards traffic like a Layer 2 bridge while still applying its security
policies. Useful when you already have a network in place and you don't want to change
the IP addressing after inserting the firewall.

Virtual wire pair
A virtual wire pair consists of two interfaces that do not have IP addressing and are
treated like interfaces in a transparent mode firewall. All traffic received by one
interface in the virtual wire pair can only be forwarded to the other interface.
Useful when you have an Internal Segmentation Firewall (ISFW). For example, a virtual
wire pair makes it easier to protect a web server that is behind a FortiGate operating as
an ISFW. Users on the internal network access the web server through the ISFW over the
virtual wire pair.

HA
Requirements:
- same firewall models
- same licenses and firmware

HA deployment modes:
1. Active-Passive HA
- One firewall is the Primary, and only it actively carries the traffic.
- The other firewalls are Secondary; they remain in passive mode and monitor the
status of the Primary firewall.
2. Active-Active HA
- One firewall is the Primary and the others are Secondary.
- All firewalls actively carry the traffic. One of the tasks of the Primary firewall
in active-active mode is to balance some traffic among all Secondary firewalls.

What can cause a secondary FortiGate to take the role of the primary, i.e. what can
trigger the failover:
- link failure (we can enable link monitoring)
- loss of power

SSL VPN in FG
Step 1 is to create the users or groups you want to grant permissions to connect: You
can use local users or any of the supported remote authentication servers (RADIUS or
Active Directory) for this.
Step 2 is to review and, if needed, edit the SSL VPN portals: FortiGate includes three
default SSL VPN portals configured for web access, tunnel access, or both. You can also
create custom portals to meet specific needs for specific users.
Step 3 is to configure the SSL VPN settings: These settings determine the port number
that will be used to receive connection requests and the SSL certificate to be used. In
this step, you also decide which users will be accessing which portal.
Last but not least, create a firewall policy to allow the VPN traffic.

Flow based vs Proxy based inspection
flow based:
- in this mode, traffic is inspected in real time, without being stored in a buffer.
- advantage: fast, so better performance
- issue: incorrect identification may happen, as deep inspection does not take place
proxy based:
- traffic is inspected while being stored in a buffer
- advantage: more security, as deeper inspection happens
- issue: it is slower
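An added example (not from these notes) that models the trade-off above in Python: a per-segment matcher forwards immediately but has no memory between segments, while a buffering matcher holds the stream until the verdict is known. The signature and the sample streams are constructed, and the model is deliberately simplified.

```python
# Constructed signature an IPS would look for in the payload.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"

def flow_based(segments, signature=SIGNATURE):
    """Inspect each segment as it arrives; nothing is kept between segments.
    Returns (verdict, number_of_segments_forwarded_before_the_verdict)."""
    forwarded = 0
    for payload in segments:
        if signature in payload:
            return "block", forwarded
        forwarded += 1                 # forwarded at once: no added latency
    return "allow", forwarded

def proxy_based(segments, signature=SIGNATURE):
    """Buffer the whole stream, inspect the reassembled content, then decide.
    Nothing is forwarded until the verdict is known (hence the latency)."""
    reassembled = b"".join(segments)
    verdict = "block" if signature in reassembled else "allow"
    return verdict, 0

# Constructed streams: in SPLIT_STREAM the signature straddles a segment boundary,
# which is the "incorrect identification" case the notes mention.
CLEAN_STREAM = [b"GET /index.html HTTP/1.1\r\n", b"Host: intranet.example\r\n\r\n"]
WHOLE_STREAM = [b"GET /?id=CONSTRUCTED-TEST-SIGNATURE HTTP/1.1\r\n"]
SPLIT_STREAM = [b"GET /?id=CONSTRUCTED-TEST", b"-SIGNATURE HTTP/1.1\r\n"]
```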

Security Profiles: -
1. IPS
An IPS can detect and block malicious network activity by analyzing the network traffic
and blocking potential threats. To identify and block malicious traffic, FortiGate uses its
IPS engine and IPS sensors: -
An IPS sensor is a collection of IPS signatures that define what the IPS engine scans
when the sensor is applied to a firewall policy. Each signature has predefined actions,
such as block, allow and monitor attached to it.
The IPS engine uses two main detection techniques which are Protocol decoders and
Signatures: -
1. FortiGate uses protocol decoders to detect irregular traffic patterns that are not
according to established protocol standards. This allows FortiGate, for example,
to identify any HTTP packets that are against the HTTP protocol standard.
2. After FortiGate identifies the protocol, it uses signatures to check for malicious
traffic. Signatures are entries in a database that include very specific details
about known threats. The IPS engine examines the network traffic and looks for
matches in the database. When it finds a match, the IPS takes the action
configured for that specific signature.
We configure an IPS sensor in which we choose the IPS signatures and define the action to
be taken when a signature match is detected. Then we attach the sensor to a firewall
policy.

2. Web Filtering
Web filtering restricts or controls user access to web resources & is applied to firewall
policies. Web filtering classifies & controls web browsing based on content. Using web
filtering, we can block communication to known malicious URLs.
In URL based filtering, we can create a URL filter by adding specific URLs and then, we
attach it to a web filter profile. FortiGate/FTD can block, warn & monitor web pages
matching any specified URLs. Then we attach the web filter profile to a firewall policy.
In addition to URL based filtering, we can also do category based filtering. Categories
can be, for example, social networking or video streaming sites. In this type of filtering,
we create a web filter profile and in it we choose the categories that we want to block or
allow. Then we attach the web filter profile to a firewall policy.

3. Application Control
FortiGate can recognize network traffic generated by a large number of applications.
Application control sensors are used to specify what action to take with the
application traffic. Application Control uses the IPS engine to compare the application and
micro-application traffic to known application patterns.
We create an application control profile in which we define the application sensors that
will specify the applications that we want to control. We can add signatures of multiple
applications within one sensor and define actions like monitor, allow or block. Then we
attach it to a firewall policy.

Traffic shaping:
FortiGate provides quality of service by applying bandwidth limits and prioritization to
traffic. Traffic shaping is one technique the FortiGate uses to provide QoS. A basic
approach to traffic shaping is to prioritize higher priority traffic over lower priority
traffic. Basically, we rate limit traffic by defining an upper threshold for certain kinds
of traffic. For example, voice and video traffic consume more bandwidth, so you rate limit
the other applications; e.g. voice traffic will get 2 Mbps out of a total of, let's say, 4
Mbps.
First, we define a traffic shaper object in which we specify the bandwidth limitations
(upload and download) and the traffic priority. Then we create a traffic shaping policy in
which we define the source and destination of the traffic on which we want to apply
shaping and also we select the traffic shaper object we created earlier. Then we apply
this traffic shaping policy to a firewall policy.

4. SSL inspection
We use SSL inspection to inspect encrypted web traffic, since it too can carry a virus.
There are two different types of FortiGate SSL inspection: Certificate Inspection and
Deep Inspection.
When you use SSL certificate inspection, FortiGate inspects the SSL handshake when a
session with a web server starts. By doing this, FortiGate verifies the identity of the web
server: it can check the validity of the web server's SSL certificate, for example whether
the certificate was issued by a trusted Certificate Authority and whether it has passed its
expiration date.
When you use SSL deep inspection, FortiGate decrypts the web traffic and inspects the
content to find threats and block them. If the content is safe, FortiGate re-encrypts the
traffic. Deep inspection not only protects from attacks that use HTTPS, it also protects
from other commonly used SSL-encrypted protocols such as SMTPS and FTPS.

5. DNS filtering
FortiGate/FTD acts as a bridge between your devices and the external DNS servers. You
configure DNS filtering profiles, and these profiles define categories of domains that
you want to block or allow (e.g. gambling, social media, malware).
So when a device on your network tries to access a website, its DNS request goes
through the DNS filter and the requested domain name is checked against the
categories defined in the DNS filter profile. Depending on the profile configuration, if
the domain belongs to an allowed category, FortiGate allows the DNS request to
proceed. If the domain belongs to a blocked category (e.g. Malware), the firewall blocks
the request, and the user might then see an error message or be redirected to a block
page, depending on the configuration.

6. DoS prevention
Besides protecting against threats, the IPS engine is also responsible for defending
against DoS attacks, because FortiGate/FTD can detect a variety of L3 anomalies (such as
a sudden increase in ICMP packets, which can be a sign of a Ping Flood attack) and L4
anomalies (such as a large volume of TCP SYN packets).
For example, in FortiGate/FTD we can stop DoS attacks by defining the upper threshold for
specific kinds of traffic (such as ICMP, TCP or UDP based), i.e. we can define the maximum
number of SYN/UDP/ICMP messages that will be allowed per second.
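As an added example (not from these notes), the per-second threshold check described above written out in Python and run over a constructed packet stream; the anomaly names, threshold values and sample traffic are all made up for illustration.

```python
from collections import defaultdict

# Anomaly bucket -> max packets per second before the policy acts (constructed values).
THRESHOLDS = {"tcp_syn": 50, "udp": 200, "icmp": 20}

def anomaly_type(pkt):
    """Classify a packet into the L3/L4 anomaly bucket it counts toward, if any."""
    if pkt["proto"] == "icmp":
        return "icmp"
    if pkt["proto"] == "udp":
        return "udp"
    if pkt["proto"] == "tcp" and pkt.get("flags") == "S":   # bare SYN only
        return "tcp_syn"
    return None

def check_dos(packets, thresholds=THRESHOLDS):
    """Count packets per (destination, anomaly, one-second window) and return
    one alert per window whose counter crosses its threshold."""
    counts = defaultdict(int)
    alerts = []
    for pkt in packets:
        kind = anomaly_type(pkt)
        if kind is None:
            continue
        key = (pkt["dst"], kind, int(pkt["ts"]))
        counts[key] += 1
        if counts[key] == thresholds[kind] + 1:   # report once per window
            alerts.append({"dst": pkt["dst"], "anomaly": kind, "second": int(pkt["ts"])})
    return alerts

def sample_traffic():
    """Constructed stream: 60 SYNs to one host within one second (over the 50/s
    limit) plus 10 ICMP echo requests spread over two seconds (under 20/s)."""
    syn_burst = [{"ts": 100.0 + i / 100, "dst": "10.1.1.10", "proto": "tcp", "flags": "S"}
                 for i in range(60)]
    pings = [{"ts": 100.0 + i / 5, "dst": "10.1.1.10", "proto": "icmp"} for i in range(10)]
    return syn_burst + pings
```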

7. File filter
A file filter can be configured to control the flow of different types of files passing
through the firewall. This is done by setting up rules that specify which file types are
allowed or blocked.
Supported file types include exe, gif, html, iso, mp3, pdf, torrent, etc.

PACKET FLOW: -
STEP 1: Ingress
Firstly, the incoming packets are processed by the TCP/IP stack. Then, if DoS policies
have been configured, the packet must pass through these as well, and IP integrity
header checking is done. IP header checking reads the packet headers to verify that the
packet is a valid TCP, UDP or ICMP packet; if the packet headers are valid, the packet is
allowed. Also, incoming IPsec packets that match configured IPsec tunnels are
decrypted and sent to the next step.

STEP 2: Kernel
Once a packet makes it through the ingress steps, the FortiOS kernel (core of the
operating system) performs different checks to decide what happens to the packet: -
1. Routing:
The routing table is checked to decide the interface to be used by the packet as it leaves
the FortiGate.
2. Stateful inspection/session management:
The first packet of a new session triggers stateful inspection. This process analyzes the
packet headers (TCP SYN flags, source/destination IP, ports, protocol) and checks whether
they belong to an already existing session. Other incoming packets belonging to the same
session are handled more efficiently by using the established session information.
3. SSL VPN:
SSL VPN packets are decrypted and routed to a designated SSL VPN interface.

STEP 3: UTM/NGFW: If the policy matching the packet includes security profiles, then
the packet undergoes Unified Threat Management (UTM) or Next Generation Firewall (NGFW)
processing. In this step, the FortiGate engine performs various security inspections based
on the configured security profiles to identify and block security threats in real time. For
example, packets undergo botnet checking to make sure they are not destined for known
botnet addresses. Also in this step, the packets go through inspections such as
Intrusion Prevention, Application Control or Web Filtering, if they have been configured.

STEP 4: The packet is now in the process of exiting the FortiGate. Before exiting,
outgoing packets that are entering an IPsec VPN tunnel are encrypted and encapsulated.
Finally, packets are processed by the TCP/IP stack and exit the FortiGate.
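As an added example (not from these notes), a toy Python model of the ingress, kernel, UTM and egress order described above. It shows that only the first packet of a session goes through policy lookup, while later packets, including the reply direction, are matched from the session table; the routes, policy and botnet address are constructed.

```python
from ipaddress import ip_address, ip_network

VALID_PROTOS = {"tcp", "udp", "icmp"}
ROUTES = [("10.0.0.0/8", "port1"), ("0.0.0.0/0", "wan1")]   # constructed routing table
BOTNET_ADDRS = {"203.0.113.66"}                               # constructed botnet list
# A single constructed policy: LAN (port1) -> WAN (wan1) HTTPS, with a security profile.
POLICY = {"in_if": "port1", "out_if": "wan1", "dport": 443, "profiles": {"botnet"}}

def ingress_ok(pkt):
    """Step 1: IP integrity header check (valid TCP/UDP/ICMP only)."""
    return pkt["proto"] in VALID_PROTOS

def egress_interface(dst):
    """Step 2.1: routing table lookup, longest prefix wins."""
    hits = [(ip_network(n).prefixlen, i) for n, i in ROUTES if ip_address(dst) in ip_network(n)]
    return max(hits)[1]

def five_tuple(pkt, reverse=False):
    """Step 2.2 session key; a reply matches the originating session's reversed tuple."""
    a, b = (pkt["dst"], pkt["dport"]), (pkt["src"], pkt["sport"])
    return (pkt["proto"],) + (a + b if reverse else b + a)

def utm_ok(pkt, profiles):
    """Step 3: security profiles of the matching policy (here only the botnet check)."""
    return not ("botnet" in profiles and pkt["dst"] in BOTNET_ADDRS)

class FortiGateModel:
    def __init__(self):
        self.sessions = {}
        self.policy_lookups = 0

    def process(self, pkt):
        if not ingress_ok(pkt):
            return "drop:ingress"
        out_if = egress_interface(pkt["dst"])
        sess = self.sessions.get(five_tuple(pkt)) or self.sessions.get(five_tuple(pkt, True))
        if sess is None:                       # first packet of a session: policy lookup
            self.policy_lookups += 1
            if (pkt["in_if"], out_if, pkt["dport"]) != (POLICY["in_if"], POLICY["out_if"], POLICY["dport"]):
                return "drop:policy"           # implicit deny
            sess = {"profiles": POLICY["profiles"]}
            self.sessions[five_tuple(pkt)] = sess
        if not utm_ok(pkt, sess["profiles"]):
            return "drop:utm"
        return "forward:" + out_if             # Step 4: egress
```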

FTD
Other than the three features (security profiles) below, the rest of the features work
almost the same in FTD.

SSL Inspection
Cisco FTD utilizes SSL inspection, also known as TLS (Transport Layer Security)
inspection, to gain deeper control and visibility into encrypted traffic going through your
network. Here's how it works:
1. Decryption Methods:
- FTD offers two main SSL decryption methods:
  - Decrypt and Re-Sign (Default): FTD acts as a Man-in-the-Middle (MitM). It
establishes a secure tunnel with the client device and the server,
decrypting the traffic in between and re-encrypting it with its own
certificate before forwarding.
  - Decrypt-No Re-Sign: FTD decrypts the traffic but doesn't re-encrypt it. This
method requires client devices to trust the FTD certificate for successful
communication.

2. Inspection and Enforcement:
- Once the decrypted traffic content becomes visible to FTD, it allows for:
  - Intrusion Prevention (IPS): FTD's IPS engine can inspect the decrypted
content for malicious activity.
  - Application Control: FTD's Application Identification (AppId) can identify
applications within the decrypted traffic, enabling granular control
through policies.
  - Malware Detection: FTD can scan the decrypted content for malware
threats.

3. SSL Decryption Policies:
- SSL decryption policies are configured within FMC. These policies define:
  - Traffic Selection: Specify which traffic (source/destination, protocols) to
subject to decryption.
  - Decryption Method: Choose between Decrypt and Re-Sign or Decrypt-No
Re-Sign.
  - Certificate Management: Manage certificates used for re-encryption (if
applicable) to ensure trust between FTD and client devices.

Application Control and Visibility
Cisco FTD utilizes Application Control and Visibility (AVC) to gain deep insights into
network traffic and enforce granular control over applications traversing your network.
Here's a breakdown of how it works:
1. Application Identification:
- FTD uses a powerful technology called Application Identification (AppId) to
recognize different applications embedded within network traffic.
- AppId relies on various techniques like Deep Packet Inspection (DPI) to analyze
traffic patterns, ports, and protocols used by specific applications.
- FTD has a vast library of pre-defined application signatures, allowing it to identify
a wide range of applications, including popular business tools, social media
platforms, and more.
2. Visibility and Monitoring:
- Once applications are identified by AppId, FTD provides comprehensive visibility
into the application activity. You can:
  - View Application Usage: Track bandwidth consumption, number of
connections, and overall application traffic on your network.
  - Identify Risky Applications: Spot unauthorized or potentially malicious
applications that might pose security threats.
  - Troubleshoot Performance Issues: Gain insights into application
performance to identify bottlenecks and optimize network resources.
3. Application Control Policies:
- Using AppId, FTD allows you to implement control over applications. You can
create Application Control policies to:
  - Allow: Permit specific applications deemed essential for business
operations.
  - Block: Restrict access to undesirable applications like social media or
gaming platforms to enhance productivity or mitigate security risks.
  - Limit: Control bandwidth usage for specific applications to prioritize
critical business traffic.

IPS
An IPS can detect and block malicious network activity by analyzing the network traffic
and blocking potential threats.
To identify and block malicious traffic, FTD uses its IPS engine and Intrusion Policies: -
An Intrusion Policy is a collection of IPS signatures that define what the IPS engine scans
when the policy is applied to a firewall policy. Each signature has predefined actions,
such as block, allow and monitor, attached to it.
The IPS engine uses two main detection techniques which are Protocol decoders and
Signatures: -
1. FTD uses protocol decoders to detect irregular traffic patterns that are not according
to established protocol standards. This allows the firewall, for example, to identify any
HTTP packets that are against the HTTP protocol standard.
2. After FTD identifies the protocol, it uses signatures to check for malicious traffic.
Signatures are entries in a database that include very specific details about known
threats. The IPS engine examines the network traffic and looks for matches in the
database. When it finds a match, the IPS takes the action configured for that specific
signature.
