WEBVTT

1
00:00:00.040 --> 00:00:04.000
<v Speaker 1>Okay, let's unpack this. Imagine you're standing before this vast,

2
00:00:04.440 --> 00:00:07.919
<v Speaker 1>complex digital fortress, right and you've been handed the sort

3
00:00:07.919 --> 00:00:11.119
<v Speaker 1>of secret language to command it, not with you know,

4
00:00:11.439 --> 00:00:15.240
<v Speaker 1>flashy graphics or easy buttons, but with these precise, almost

5
00:00:15.279 --> 00:00:20.320
<v Speaker 1>surgical text instructions. Today we're diving deep into the very

6
00:00:20.359 --> 00:00:23.800
<v Speaker 1>heart of network control, the FortiOS seven point four

7
00:00:23.839 --> 00:00:28.000
<v Speaker 1>point zero command line interface, the CLI. We've been digging

8
00:00:28.079 --> 00:00:31.399
<v Speaker 1>through this huge reference guide for all these commands, and honestly,

9
00:00:31.800 --> 00:00:33.640
<v Speaker 1>it's a real gold mine of information.

10
00:00:33.920 --> 00:00:36.399
<v Speaker 2>Absolutely, and our mission for you today isn't just to

11
00:00:37.320 --> 00:00:39.679
<v Speaker 2>rattle off every single command line by line. That wouldn't

12
00:00:39.719 --> 00:00:41.799
<v Speaker 2>be very helpful. Instead, we want to pull out those

13
00:00:41.840 --> 00:00:45.119
<v Speaker 2>crucial nuggets of insight. We'll explore what this really detailed

14
00:00:45.119 --> 00:00:48.200
<v Speaker 2>control actually means for your network security, for management. Think

15
00:00:48.240 --> 00:00:51.960
<v Speaker 2>of it as uncovering the maybe surprising capabilities hidden inside

16
00:00:52.000 --> 00:00:54.280
<v Speaker 2>what looks like a pretty dense technical manual showing you

17
00:00:54.359 --> 00:00:57.320
<v Speaker 2>how you can command your network with, well, incredible precision.

18
00:00:57.399 --> 00:01:00.799
<v Speaker 1>Okay, so at its core, then what is this CLS

19
00:01:00.880 --> 00:01:03.359
<v Speaker 1>seven point four point zero. Why is it so so fundamental,

20
00:01:03.479 --> 00:01:04.879
<v Speaker 1>especially for managing a FortiGate?

21
00:01:05.120 --> 00:01:07.640
<v Speaker 2>Well, it's basically your direct conversation with the FortiGate

22
00:01:07.760 --> 00:01:11.359
<v Speaker 2>unit itself. You know, Fortinet's network security appliance, the kind

23
00:01:11.359 --> 00:01:14.599
<v Speaker 2>of brain of your network defense. The CLI lets you

24
00:01:14.640 --> 00:01:18.439
<v Speaker 2>configure and manage the device right down at the foundational level.

25
00:01:19.040 --> 00:01:22.719
<v Speaker 2>And what's really fascinating, I think is that the CLI syntax,

26
00:01:22.760 --> 00:01:26.640
<v Speaker 2>the language itself, it's generated directly from the FortiGate

27
00:01:26.680 --> 00:01:29.560
<v Speaker 2>models running the FortiOS seven point four point zero schema.

28
00:01:29.640 --> 00:01:32.640
<v Speaker 2>It's an internal blueprint, the schema. Yeah, so it's like

29
00:01:32.680 --> 00:01:36.280
<v Speaker 2>you're speaking the device's native language. It gives you this

30
00:01:36.280 --> 00:01:39.120
<v Speaker 2>this unparalleled level of control.

31
00:01:39.000 --> 00:01:43.920
<v Speaker 1>That sounds incredibly powerful. But does every single FortiGate

32
00:01:44.000 --> 00:01:47.519
<v Speaker 1>unit understand every command you might type in? Or do

33
00:01:47.519 --> 00:01:48.599
<v Speaker 1>you just have to sort of guess?

34
00:01:48.719 --> 00:01:51.200
<v Speaker 2>Ah, that's a great question, and no, not really. Not

35
00:01:51.280 --> 00:01:54.400
<v Speaker 2>all commands and options are universally available across all models. So,

36
00:01:54.439 --> 00:01:57.599
<v Speaker 2>for instance, configuring a hardware switch, that's only possible if

37
00:01:57.640 --> 00:02:00.239
<v Speaker 2>your specific FortiGate model actually has the hardware

38
00:02:00.239 --> 00:02:01.480
<v Speaker 2>switch chipset installed.

39
00:02:01.599 --> 00:02:02.120
<v Speaker 1>Makes sense.

40
00:02:02.200 --> 00:02:05.000
<v Speaker 2>Yeah, and if you try an unavailable command, the CLI

41
00:02:05.040 --> 00:02:07.319
<v Speaker 2>will just tell you you'll get an error message right away.

42
00:02:07.480 --> 00:02:10.280
<v Speaker 2>But you're definitely not left guessing. You can use a

43
00:02:10.319 --> 00:02:13.840
<v Speaker 2>simple question mark just to check the available commands right

44
00:02:13.840 --> 00:02:17.120
<v Speaker 2>where you are on the hierarchy. Oh, handy. Very. Or

45
00:02:17.159 --> 00:02:19.159
<v Speaker 2>you can type tree to get a full view of

46
00:02:19.199 --> 00:02:23.680
<v Speaker 2>all commands, which can be well, a bit overwhelming sometimes

47
00:02:23.879 --> 00:02:26.439
<v Speaker 2>but really useful for discovery. You can even narrow it

48
00:02:26.439 --> 00:02:29.400
<v Speaker 2>down like typing tree system just for system stuff, or

49
00:02:29.400 --> 00:02:33.360
<v Speaker 2>tree diagnose and tree execute for those specific types of commands.

50
00:02:33.759 --> 00:02:36.759
<v Speaker 2>The key thing is understanding what your specific FortiGate

51
00:02:36.840 --> 00:02:39.719
<v Speaker 2>model can do and then knowing how to ask it,

52
00:02:39.840 --> 00:02:42.240
<v Speaker 2>how to query it directly to unlock all its power.

53
00:02:42.719 --> 00:02:45.879
<v Speaker 1>Okay, so with this direct line of communications setup, how

54
00:02:45.879 --> 00:02:49.159
<v Speaker 1>does FortiOS help you defend your network against, well, everything

55
00:02:49.159 --> 00:02:52.599
<v Speaker 1>that's out there today. The threats are always changing. Let's

56
00:02:52.599 --> 00:02:55.680
<v Speaker 1>maybe start with proactively shutting down dangers, right.

57
00:02:55.680 --> 00:02:59.159
<v Speaker 2>Proactive defense. So when we look at the config antivirus

58
00:02:59.159 --> 00:03:03.520
<v Speaker 2>profile command, the real insight isn't just about basic virus scanning.

59
00:03:03.759 --> 00:03:07.639
<v Speaker 2>It's the incredible granularity you get beyond just enabling av scan.

60
00:03:08.039 --> 00:03:12.919
<v Speaker 2>You can configure services like outbreak prevention, integrate with external

61
00:03:12.919 --> 00:03:16.039
<v Speaker 2>block list services, use fort and agent for network detection

62
00:03:16.159 --> 00:03:19.520
<v Speaker 2>and response, even tap into FortiSandbox for really

63
00:03:19.520 --> 00:03:22.479
<v Speaker 2>advanced threat analysis in the cloud. This isn't just about

64
00:03:22.479 --> 00:03:26.159
<v Speaker 2>blocking known viruses anymore. It's about building this multi layered

65
00:03:26.199 --> 00:03:27.719
<v Speaker 2>adaptive defense strategy.

66
00:03:27.800 --> 00:03:30.439
<v Speaker 1>Okay, now here's something that really caught my eye. Content

67
00:03:30.479 --> 00:03:34.000
<v Speaker 1>disarm and reconstruction or CDR. You mentioned it's not just

68
00:03:34.039 --> 00:03:37.000
<v Speaker 1>blocking a file, it's actively sanitizing it. What kind of

69
00:03:37.120 --> 00:03:40.039
<v Speaker 1>dangers can it strip away? What's the big idea there?

70
00:03:40.159 --> 00:03:43.680
<v Speaker 2>Exactly. That's the profound insight with CDR. It shifts your

71
00:03:43.680 --> 00:03:48.599
<v Speaker 2>defense from just detection and blocking to active intelligent neutralization. So,

72
00:03:48.840 --> 00:03:52.479
<v Speaker 2>for example, inside an anti virus profile for its HTTP traffic,

73
00:03:52.840 --> 00:03:56.199
<v Speaker 2>you can enable content disarm. This lets the FortiGate literally

74
00:03:56.240 --> 00:03:59.639
<v Speaker 2>go inside the file and neutralize embedded threats by stripping

75
00:03:59.680 --> 00:04:03.000
<v Speaker 2>out potentially malicious bits. Like what specifically? Well, it can

76
00:04:03.039 --> 00:04:07.879
<v Speaker 2>disable things like PowerPoint action events and office docs, or

77
00:04:08.000 --> 00:04:12.039
<v Speaker 2>JavaScript code hidden in PDF documents, even PDF actions that

78
00:04:12.120 --> 00:04:14.560
<v Speaker 2>might try to launch other programs or run scripts. It's

79
00:04:14.639 --> 00:04:17.839
<v Speaker 2>quite clever. The real takeaway is it goes beyond just

80
00:04:17.959 --> 00:04:21.560
<v Speaker 2>stopping a suspicious file. It actually modifies the content to

81
00:04:21.560 --> 00:04:23.639
<v Speaker 2>make it safe, so you get the information you need,

82
00:04:24.000 --> 00:04:25.279
<v Speaker 2>just without the hidden dangers.

83
00:04:25.720 --> 00:04:28.759
<v Speaker 1>Okay, so you can disarm files literally take the sting out.

84
00:04:28.920 --> 00:04:31.319
<v Speaker 1>But what about just controlling the types of files allowed

85
00:04:31.360 --> 00:04:31.839
<v Speaker 1>in or out.

86
00:04:32.000 --> 00:04:34.639
<v Speaker 2>Yeah, that's where config file filter profile comes in.

87
00:04:34.879 --> 00:04:38.000
<v Speaker 2>It gives you another really impressive layer of control. You

88
00:04:38.000 --> 00:04:40.439
<v Speaker 2>can set up rules to manage file transfers across a

89
00:04:40.480 --> 00:04:44.759
<v Speaker 2>whole bunch of protocols HTTP, FTP, SMTP, even SSH and others.

90
00:04:45.240 --> 00:04:47.759
<v Speaker 2>You can specify if a rule applies to incoming files,

91
00:04:47.920 --> 00:04:51.920
<v Speaker 2>outgoing files, or just any direction. And here's a neat detail.

92
00:04:52.279 --> 00:04:56.079
<v Speaker 2>You can configure rules to specifically match password protected files.

93
00:04:56.240 --> 00:04:59.120
<v Speaker 1>Oh interesting because those often get used to hide things.

94
00:04:58.959 --> 00:05:01.800
<v Speaker 2>Right, exactly. Common evasion tactic. Or you can just filter

95
00:05:01.920 --> 00:05:04.439
<v Speaker 2>any file type so you get really fine tuned control

96
00:05:04.480 --> 00:05:06.759
<v Speaker 2>over what kinds of data can cross your network boundary.

97
00:05:06.959 --> 00:05:10.759
<v Speaker 1>That covers what comes in, but protecting sensitive info leaving

98
00:05:10.800 --> 00:05:14.079
<v Speaker 1>the network. That's huge for businesses. How does data loss

99
00:05:14.079 --> 00:05:16.800
<v Speaker 1>prevention fit in with the CLI? DLP?

100
00:05:17.560 --> 00:05:20.439
<v Speaker 2>For that, you'd look under config DLP. This feature's all

101
00:05:20.480 --> 00:05:24.560
<v Speaker 2>about protecting your sensitive data, your intellectual property. You can

102
00:05:24.600 --> 00:05:28.439
<v Speaker 2>define custom data type entries using things like regular expressions,

103
00:05:28.639 --> 00:05:32.120
<v Speaker 2>so you can create really specific patterns for say, credit

104
00:05:32.120 --> 00:05:35.360
<v Speaker 2>card numbers or maybe internal project codes. Very specific. Yep,

105
00:05:35.560 --> 00:05:38.120
<v Speaker 2>and the config DLP dictionary lets you build lists of

106
00:05:38.160 --> 00:05:41.279
<v Speaker 2>specific words or phrases to look for with smart options

107
00:05:41.319 --> 00:05:43.680
<v Speaker 2>like ignore case so you catch variations.

108
00:05:43.759 --> 00:05:46.199
<v Speaker 1>But the real power in DLP, as I understand it,

109
00:05:46.240 --> 00:05:49.439
<v Speaker 1>is the fingerprinting. That sounds like it takes precision

110
00:05:49.480 --> 00:05:51.560
<v Speaker 1>to a whole new level. How does that work? What's

111
00:05:51.560 --> 00:05:53.079
<v Speaker 1>the fundamental shift

112
00:05:52.720 --> 00:05:58.639
<v Speaker 2>it offers? Precisely. DLP fingerprinting. The config DLP fp doc

113
00:05:58.720 --> 00:06:02.360
<v Speaker 2>source command is where this really shines. It lets you

114
00:06:02.399 --> 00:06:06.720
<v Speaker 2>create a DLP fingerprint database by having the FortiGate actually

115
00:06:06.759 --> 00:06:10.079
<v Speaker 2>go out and access a file server directly. It scans

116
00:06:10.160 --> 00:06:12.279
<v Speaker 2>the files on that server. You tell it which ones

117
00:06:12.319 --> 00:06:14.680
<v Speaker 2>using a file pattern, maybe with wildcards like the order,

118
00:06:15.040 --> 00:06:17.720
<v Speaker 2>and then it creates this unique digital fingerprint for each

119
00:06:17.800 --> 00:06:21.439
<v Speaker 2>sensitive file. You can schedule this scanning daily, weekly, monthly,

120
00:06:21.800 --> 00:06:24.560
<v Speaker 2>or maybe just once its startup. Now the really profound

121
00:06:24.560 --> 00:06:27.879
<v Speaker 2>insight here, the shift it represents is moving DLP from

122
00:06:27.959 --> 00:06:30.920
<v Speaker 2>being a broad, sometimes inaccurate keyword

123
00:06:30.519 --> 00:06:33.279
<v Speaker 1>search. Right, lots of false positives, sometimes.

124
00:06:32.920 --> 00:06:37.040
<v Speaker 2>Exactly, moving from that to a highly accurate content-aware defense.

125
00:06:37.480 --> 00:06:40.120
<v Speaker 2>It knows the exact file content it needs to protect.

126
00:06:40.439 --> 00:06:43.600
<v Speaker 2>This allows organizations to protect IP and sensitive data with

127
00:06:43.680 --> 00:06:47.560
<v Speaker 2>almost surgical precision. It drastically cuts down on those false

128
00:06:47.600 --> 00:06:51.160
<v Speaker 2>positives and ensures real data integrity. It's also smart about

129
00:06:51.160 --> 00:06:54.439
<v Speaker 2>managing the fingerprint database. Options like keep modified mean if

130
00:06:54.439 --> 00:06:56.879
<v Speaker 2>a file changes, the old fingerprint is kept alongside the

131
00:06:56.879 --> 00:06:58.000
<v Speaker 2>new one, giving you a history.

132
00:06:58.000 --> 00:06:58.759
<v Speaker 1>Oh that's useful.

133
00:06:58.959 --> 00:07:01.399
<v Speaker 2>Yeah, and remove deleted. It keeps it tidy. You

134
00:07:01.439 --> 00:07:04.480
<v Speaker 2>can even configure how it handles hitting its maximum size,

135
00:07:04.519 --> 00:07:07.800
<v Speaker 2>whether it should stop adding, or remove modified then oldest,

136
00:07:07.920 --> 00:07:11.000
<v Speaker 2>or just remove oldest. It's incredibly sophisticated.

137
00:07:11.399 --> 00:07:15.079
<v Speaker 1>That sounds extremely powerful for preventing data leaks. Are there

138
00:07:15.120 --> 00:07:19.319
<v Speaker 1>any common maybe pitfalls or unexpected benefits people find when

139
00:07:19.360 --> 00:07:20.720
<v Speaker 1>they implement something like this.

140
00:07:21.319 --> 00:07:23.759
<v Speaker 2>Well, a common pitfall can be the initial setup time.

141
00:07:24.120 --> 00:07:27.879
<v Speaker 2>You really have to carefully identify your sensitive data sources first.

142
00:07:28.240 --> 00:07:31.439
<v Speaker 2>That takes effort, But the unexpected benefit often it's a

143
00:07:31.519 --> 00:07:34.879
<v Speaker 2>huge reduction in false positives compared to traditional DLP methods.

144
00:07:35.160 --> 00:07:38.560
<v Speaker 2>That means less alert fatigue for your security teams, yeah,

145
00:07:39.120 --> 00:07:41.879
<v Speaker 2>and a much clearer view of the actual data risks.

146
00:07:41.920 --> 00:07:45.480
<v Speaker 2>It really focuses you on proven leakage attempts, not just

147
00:07:45.519 --> 00:07:46.199
<v Speaker 2>potential ones.

148
00:07:46.279 --> 00:07:49.439
<v Speaker 1>Okay, that makes sense, less noise, more signal. Exactly. So

149
00:07:49.480 --> 00:07:51.360
<v Speaker 1>we've seen you can control what files come and go

150
00:07:51.439 --> 00:07:54.600
<v Speaker 1>even disarm them. But a real fortress also controls who

151
00:07:54.600 --> 00:07:57.000
<v Speaker 1>gets in and where they can go. How do the

152
00:07:57.000 --> 00:07:59.959
<v Speaker 1>CLI commands help define access and traffic flow?

153
00:08:00.399 --> 00:08:04.240
<v Speaker 2>Right. That's absolutely critical, and the config firewall policy commands

154
00:08:04.439 --> 00:08:06.920
<v Speaker 2>are really the backbone of all your network traffic control.

155
00:08:07.560 --> 00:08:10.199
<v Speaker 2>Think of each policy as a rule in your rule book.

156
00:08:10.439 --> 00:08:14.040
<v Speaker 2>It specifies an action, should this traffic be accepted, denied,

157
00:08:14.560 --> 00:08:18.519
<v Speaker 2>or maybe directed into an IPsec VPN tunnel for secure communication.

158
00:08:19.120 --> 00:08:21.319
<v Speaker 2>And what's key is that you can layer on a

159
00:08:21.360 --> 00:08:24.439
<v Speaker 2>whole suite of security profiles onto any traffic that matches

160
00:08:24.439 --> 00:08:30.600
<v Speaker 2>a policy. Antivirus, application control, DLP, web filtering, IPS.

161
00:08:30.000 --> 00:08:31.879
<v Speaker 1>All the tools we've been talking about pretty much.

162
00:08:31.920 --> 00:08:34.080
<v Speaker 2>Yeah, you apply them right there in the policy. You

163
00:08:34.080 --> 00:08:36.840
<v Speaker 2>can even set a policy expiring time for temporary access,

164
00:08:37.200 --> 00:08:39.799
<v Speaker 2>or mark specific traffic as captive portal exempt if it

165
00:08:39.799 --> 00:08:43.000
<v Speaker 2>shouldn't need to log in. It's about crafting incredibly precise

166
00:08:43.080 --> 00:08:44.840
<v Speaker 2>rules for every single data flow.

167
00:08:44.960 --> 00:08:48.879
<v Speaker 1>Okay, that's the flow. What about authentication itself? Verifying users?

168
00:08:48.960 --> 00:08:51.960
<v Speaker 2>Good point. The config authentication commands give you really robust

169
00:08:52.080 --> 00:08:55.679
<v Speaker 2>control over identity. You can define authentication rules that apply

170
00:08:55.720 --> 00:08:59.519
<v Speaker 2>to specific protocols, maybe just HTTP or FTP, and you

171
00:08:59.519 --> 00:09:02.200
<v Speaker 2>can choose if authentication is IP based, meaning, you know,

172
00:09:02.279 --> 00:09:04.840
<v Speaker 2>once one user from an IP authenticates, others from that

173
00:09:04.840 --> 00:09:05.879
<v Speaker 2>same IP are let.

174
00:09:05.759 --> 00:09:08.159
<v Speaker 1>Through for a while, presumably. Yeah, usually.

175
00:09:07.919 --> 00:09:11.080
<v Speaker 2>For a session or time period. Or if it's transaction based,

176
00:09:11.080 --> 00:09:15.960
<v Speaker 2>meaning every new connection needs fresh authentication. Then within authentication

177
00:09:16.039 --> 00:09:18.679
<v Speaker 2>schemes you've got a ton of methods, traditional ones like

178
00:09:18.799 --> 00:09:25.279
<v Speaker 2>NTLM, basic, digest, but also more modern centralized options like FSSO, Fortinet

179
00:09:25.360 --> 00:09:28.440
<v Speaker 2>single sign on, or RSSO for RADIUS single sign on.

180
00:09:28.559 --> 00:09:30.360
<v Speaker 1>Right, the single sign on approaches.

181
00:09:30.120 --> 00:09:33.279
<v Speaker 2>Yeah, they centralize user identity across lots of different services.

182
00:09:33.679 --> 00:09:36.480
<v Speaker 2>You can also use client certificates or SAML for

183
00:09:36.799 --> 00:09:40.600
<v Speaker 2>federated identity. And a really critical option here is require

184
00:09:40.679 --> 00:09:45.759
<v Speaker 2>TFA. That lets you enable or disable two-factor authentication. Essential

185
00:09:45.399 --> 00:09:47.519
<v Speaker 1>these days. Absolutely. And you can

186
00:09:47.360 --> 00:09:51.240
<v Speaker 2>Fine tune captive portals certificate authentication settings, even down to

187
00:09:51.240 --> 00:09:54.240
<v Speaker 2>the cookie max age for how long an authentication session lasts.

188
00:09:54.320 --> 00:09:57.639
<v Speaker 1>So once someone is authenticated, how do you manage access

189
00:09:57.759 --> 00:10:01.080
<v Speaker 1>to specific internal things like be an internal web server?

190
00:10:01.159 --> 00:10:02.399
<v Speaker 1>You need to expose securely.

191
00:10:02.759 --> 00:10:07.000
<v Speaker 2>Ah, that's exactly the job for config firewall access proxy.

192
00:10:07.440 --> 00:10:10.000
<v Speaker 2>Think of it like a secure gatekeeper, an intermediary. It

193
00:10:10.039 --> 00:10:12.519
<v Speaker 2>sits in front of your real servers and forwards the traffic,

194
00:10:13.039 --> 00:10:16.080
<v Speaker 2>so your internal servers are never directly exposed to the

195
00:10:16.679 --> 00:10:17.440
<v Speaker 2>wild internet.

196
00:10:17.519 --> 00:10:19.600
<v Speaker 1>A buffer essentially kinda yeah.

197
00:10:19.600 --> 00:10:23.159
<v Speaker 2>A secure proxy. You define virtual host names that users

198
00:10:23.159 --> 00:10:25.720
<v Speaker 2>connect to. You can set up load balancing for your

199
00:10:25.720 --> 00:10:28.679
<v Speaker 2>real servers behind it to distribute the load. You can

200
00:10:28.840 --> 00:10:33.159
<v Speaker 2>enforce strong SSL cipher suites and minimum maximum TLS versions

201
00:10:33.399 --> 00:10:37.000
<v Speaker 2>ssl min version, ssl max version, for the connection to the proxy

202
00:10:37.480 --> 00:10:39.960
<v Speaker 2>and for SSH traffic going through it. You can even

203
00:10:40.080 --> 00:10:43.080
<v Speaker 2>enable or disable SSH host key validation for the real

204
00:10:43.120 --> 00:10:46.039
<v Speaker 2>servers it connects to. That's vital for trust preventing man

205
00:10:46.080 --> 00:10:46.840
<v Speaker 2>in the middle attacks.

206
00:10:47.000 --> 00:10:50.080
<v Speaker 1>Right, making sure it's talking to the legitimate server exactly. Okay,

207
00:10:50.120 --> 00:10:52.840
<v Speaker 1>this level of control is well, it's incredible, but it

208
00:10:52.840 --> 00:10:54.919
<v Speaker 1>doesn't mean much if you don't know what's actually happening

209
00:10:54.960 --> 00:10:55.559
<v Speaker 1>on your network.

210
00:10:55.639 --> 00:10:55.840
<v Speaker 2>Right.

211
00:10:56.240 --> 00:10:59.799
<v Speaker 1>What tools does the CLI offer for visibility seeing the action?

212
00:11:00.240 --> 00:11:03.480
<v Speaker 2>Visibility is absolutely key. You're right. The config alert mail

213
00:11:03.519 --> 00:11:05.720
<v Speaker 2>setting is a good starting point. It lets you set

214
00:11:05.759 --> 00:11:08.960
<v Speaker 2>up automated email alerts for a really wide range of events,

215
00:11:09.480 --> 00:11:13.440
<v Speaker 2>things like your FortiGuard licenses about to expire.

216
00:11:13.480 --> 00:11:15.600
<v Speaker 2>You definitely want to know that before they do, oh yeah,

217
00:11:15.759 --> 00:11:20.879
<v Speaker 2>or FIPS and common criteria errors, FSSO agent disconnects, SSLVPN

218
00:11:20.919 --> 00:11:25.759
<v Speaker 2>authentication failures, violation, traffic logs, lots of things. You can

219
00:11:25.759 --> 00:11:29.320
<v Speaker 2>customize the from address username on the emails, set the

220
00:11:29.320 --> 00:11:31.960
<v Speaker 2>warning interval for how often you get notified. This means

221
00:11:31.960 --> 00:11:34.960
<v Speaker 2>you're proactively told about critical system health and security events,

222
00:11:35.120 --> 00:11:37.519
<v Speaker 2>often before they escalate into bigger problems.

223
00:11:37.159 --> 00:11:39.679
<v Speaker 1>Because you get alerts. But how do you judge how

224
00:11:39.759 --> 00:11:42.799
<v Speaker 1>bad something is? How does FortiOS help you prioritize when

225
00:11:42.799 --> 00:11:43.799
<v Speaker 1>alerts start flying.

226
00:11:43.960 --> 00:11:46.759
<v Speaker 2>That's where the config log threat weight settings are really insightful.

227
00:11:47.000 --> 00:11:50.360
<v Speaker 2>They let you assign different threat scores basically to different

228
00:11:50.399 --> 00:11:54.279
<v Speaker 2>security events. This gives you an immediate sense of the impact. So,

229
00:11:54.600 --> 00:11:57.799
<v Speaker 2>for example, under antivirus, you could set virus detected to

230
00:11:57.840 --> 00:12:00.000
<v Speaker 2>have a critical weight if it was blocked in long

231
00:12:00.919 --> 00:12:05.080
<v Speaker 2>or maybe FortiSandbox finding confirmed malicious malware such

232
00:12:05.080 --> 00:12:08.399
<v Speaker 2>a malicious that could also carry a critical weight. This

233
00:12:08.519 --> 00:12:12.080
<v Speaker 2>helps you prioritize. You understand the true impact, moving beyond

234
00:12:12.120 --> 00:12:14.720
<v Speaker 2>just a log entry to an actual severity level. Your

235
00:12:14.720 --> 00:12:16.600
<v Speaker 2>team knows what to focus on first.

236
00:12:16.960 --> 00:12:20.080
<v Speaker 1>Okay, prioritizing alerts makes sense, But what about seeing the

237
00:12:20.080 --> 00:12:24.440
<v Speaker 1>traffic itself live for troubleshooting or just deep analysis.

238
00:12:24.519 --> 00:12:27.519
<v Speaker 2>Ah. For that, the config firewall sniffer command is your

239
00:12:27.559 --> 00:12:30.679
<v Speaker 2>go to tool. It's like a powerful magnifying glass for

240
00:12:30.720 --> 00:12:33.480
<v Speaker 2>your network traffic. You configure a sniffer to watch

241
00:12:33.519 --> 00:12:36.600
<v Speaker 2>traffic on a specific interface, maybe filtered by port or

242
00:12:36.679 --> 00:12:39.720
<v Speaker 2>specific protocol. But here's the really cool part. You can

243
00:12:39.759 --> 00:12:42.960
<v Speaker 2>also enable various security profiles like your AV, IPS, web

244
00:12:42.960 --> 00:12:45.039
<v Speaker 2>filter profiles on the sniffer itself.

245
00:12:45.080 --> 00:12:48.080
<v Speaker 1>Really? So you're inspecting the sniffed traffic. Exactly.

246
00:12:48.200 --> 00:12:51.480
<v Speaker 2>It effectively lets you apply security inspection to the traffic

247
00:12:51.519 --> 00:12:54.559
<v Speaker 2>you're observing in real time. This gives you an incredibly

248
00:12:54.639 --> 00:12:57.240
<v Speaker 2>detailed view of what's crossing that part of your network,

249
00:12:57.440 --> 00:13:00.480
<v Speaker 2>complete with security verdicts on the fly. You can choose

250
00:13:00.480 --> 00:13:03.240
<v Speaker 2>whether to log traffic for all packets seen or maybe

251
00:13:03.279 --> 00:13:06.159
<v Speaker 2>just at on traffic that's traffic that actually triggered one

252
00:13:06.200 --> 00:13:09.679
<v Speaker 2>of those security profiles. It provides a deep, raw, sometimes

253
00:13:09.679 --> 00:13:11.320
<v Speaker 2>surprising look at the network's pulse.

254
00:13:11.679 --> 00:13:15.279
<v Speaker 1>Wow. Okay, that sounds incredibly useful for digging into tricky issues.

255
00:13:15.320 --> 00:13:17.879
<v Speaker 1>Here we is, so the CLI clearly gives you this

256
00:13:17.960 --> 00:13:21.600
<v Speaker 1>amazing toolkit for core security. But what about the bigger picture,

257
00:13:22.080 --> 00:13:25.799
<v Speaker 1>the wider network architecture, things like routing or even managing

258
00:13:25.840 --> 00:13:28.080
<v Speaker 1>other Fortinet devices like FortiSwitches.

259
00:13:28.399 --> 00:13:30.879
<v Speaker 2>Right, it definitely extends beyond just the single box. The

260
00:13:31.000 --> 00:13:33.559
<v Speaker 2>config router commands are key here. They let you set

261
00:13:33.639 --> 00:13:38.759
<v Speaker 2>up advanced routing protocols: BGP, OSPF, RIP. These are the

262
00:13:38.799 --> 00:13:41.679
<v Speaker 2>languages routers use to talk to each other and figure

263
00:13:41.679 --> 00:13:45.000
<v Speaker 2>out the best paths for data across large networks. Or

264
00:13:45.080 --> 00:13:47.879
<v Speaker 2>you can just configure simple static routes for very specific,

265
00:13:48.240 --> 00:13:52.639
<v Speaker 2>unchanging traffic directions. And for some clever network address manipulation,

266
00:13:52.960 --> 00:13:56.919
<v Speaker 2>there's config firewall DNS translation. This lets you define

267
00:13:56.919 --> 00:14:00.120
<v Speaker 2>IPv four or IPv six address translations that have and

268
00:14:00.159 --> 00:14:03.440
<v Speaker 2>within DNS replies. How does that work? Well, it effectively

269
00:14:03.519 --> 00:14:07.080
<v Speaker 2>lets you remap source or destination IPs and subnets before

270
00:14:07.120 --> 00:14:09.480
<v Speaker 2>the connection even starts based on the DNS look up.

271
00:14:09.639 --> 00:14:13.799
<v Speaker 2>It's pretty useful for managing complex network topologies and reachability scenarios.

272
00:14:13.799 --> 00:14:16.879
<v Speaker 1>Interesting, and you mentioned managing other devices, the FortiSwitches.

273
00:14:17.279 --> 00:14:19.120
<v Speaker 1>Sounds like the FortiGate can act as a central

274
00:14:19.120 --> 00:14:20.080
<v Speaker 1>command center for them.

275
00:14:20.200 --> 00:14:23.039
<v Speaker 2>Absolutely, that's a big part of the Fortinet security fabric concept.

276
00:14:23.399 --> 00:14:26.440
<v Speaker 2>The config Switch Controller commands provide that centralized management for

277
00:14:26.480 --> 00:14:29.960
<v Speaker 2>your FortiSwitches. Under config switch controller global, you can

278
00:14:29.960 --> 00:14:33.320
<v Speaker 2>set system wide options like firmware provision on authorization.

279
00:14:33.600 --> 00:14:34.360
<v Speaker 1>What's that do?

280
00:14:34.440 --> 00:14:36.639
<v Speaker 2>It means when a new switch gets authorized to join

281
00:14:36.679 --> 00:14:39.919
<v Speaker 2>your network, the FortiGate automatically pushes the correct firmware

282
00:14:39.960 --> 00:14:43.639
<v Speaker 2>to it. Great for keeping things consistent and secure. Automation

283
00:14:43.840 --> 00:14:44.320
<v Speaker 2>right there.

284
00:14:44.480 --> 00:14:44.799
<v Speaker 1>Nice.

285
00:14:45.000 --> 00:14:48.399
<v Speaker 2>Yeah. You can also configure things like bounce quarantine link

286
00:14:48.720 --> 00:14:51.960
<v Speaker 2>automatically reset the port if a device gets quarantined, and

287
00:14:52.000 --> 00:14:55.519
<v Speaker 2>the quarantine mode itself can be by VLAN, shunting bad traffic

288
00:14:55.519 --> 00:14:58.919
<v Speaker 2>to a separate network segment, or by redirect, which cleverly

289
00:14:58.960 --> 00:15:02.039
<v Speaker 2>only redirects the quarantined devices' traffic towards the FortiGate

290
00:15:02.039 --> 00:15:05.639
<v Speaker 2>for inspection. But what's really powerful, giving you control

291
00:15:05.720 --> 00:15:08.879
<v Speaker 2>right down to the individual switch port is config Switch

292
00:15:08.919 --> 00:15:11.200
<v Speaker 2>Controller Dynamic Port Policy.

293
00:15:11.320 --> 00:15:12.240
<v Speaker 1>Dynamic policy.

294
00:15:12.320 --> 00:15:15.799
<v Speaker 2>Yeah. It lets you define policies based on matching criteria

295
00:15:16.120 --> 00:15:20.240
<v Speaker 2>like the device category discovered interface tags, MAC addresses,

296
00:15:20.360 --> 00:15:23.919
<v Speaker 2>even the hardware vendor or LLDP information from the connected device,

297
00:15:24.440 --> 00:15:27.200
<v Speaker 2>and based on those matches, the policy can automatically apply

298
00:15:27.240 --> 00:15:29.840
<v Speaker 2>specific quality of service settings, 802.1X

299
00:15:30.000 --> 00:15:33.519
<v Speaker 2>authentication rules, assign VLANs. It can even bounce port

300
00:15:33.600 --> 00:15:37.159
<v Speaker 2>link basically flap the port administratively to clear old states

301
00:15:37.159 --> 00:15:38.480
<v Speaker 2>and apply new configurations.

302
00:15:38.720 --> 00:15:42.440
<v Speaker 1>Wow, that's incredibly granular. It adapts the port based on

303
00:15:42.480 --> 00:15:43.679
<v Speaker 1>what connects precisely.

304
00:15:43.759 --> 00:15:47.440
<v Speaker 2>It's about intelligent automated control that reacts to the devices

305
00:15:47.440 --> 00:15:48.679
<v Speaker 2>connected to your network edge.

306
00:15:48.759 --> 00:15:54.000
<v Speaker 1>Okay, that's seriously comprehensive control. Now what about managing network congestion,

307
00:15:54.480 --> 00:15:57.759
<v Speaker 1>ensuring critical apps get the bandwidth they need, especially when

308
00:15:57.759 --> 00:15:58.600
<v Speaker 1>things get busy.

309
00:15:58.840 --> 00:16:01.960
<v Speaker 2>Ah, that's the domain of traffic shaping. You find that

310
00:16:02.080 --> 00:16:05.240
<v Speaker 2>under config firewall shaper. Think of it like setting up

311
00:16:05.399 --> 00:16:08.600
<v Speaker 2>HOV lanes or express lanes on your digital highway. You

312
00:16:08.639 --> 00:16:11.039
<v Speaker 2>can configure a per-IP shaper, for example, to limit

313
00:16:11.080 --> 00:16:14.279
<v Speaker 2>the maximum bandwidth and number of concurrent sessions for any

314
00:16:14.320 --> 00:16:17.600
<v Speaker 2>single IP address. Stops one user hogging everything.

315
00:16:17.799 --> 00:16:20.279
<v Speaker 1>Useful for guest networks maybe. Definitely.

316
00:16:20.279 --> 00:16:23.480
<v Speaker 2>But more broadly, config firewall shaper traffic-shaper lets you

317
00:16:23.519 --> 00:16:27.200
<v Speaker 2>define overall traffic policies. You can set guaranteed bandwidth levels

318
00:16:27.200 --> 00:16:30.679
<v Speaker 2>for important traffic types and also maximum bandwidth limits. You

319
00:16:30.720 --> 00:16:34.039
<v Speaker 2>assign priority levels: low, medium, high. You can even apply

320
00:16:34.080 --> 00:16:38.200
<v Speaker 2>different network quality markings like CoS, class of service, or DSCP,

321
00:16:38.559 --> 00:16:42.879
<v Speaker 2>differentiated services code point, to traffic within these shaped limits. It

322
00:16:42.919 --> 00:16:45.360
<v Speaker 2>all ensures that even when your network is under heavy load,

323
00:16:45.519 --> 00:16:48.799
<v Speaker 2>your most critical applications, maybe voice or video calls or

324
00:16:48.840 --> 00:16:52.840
<v Speaker 2>important business apps, get the smooth, uninterrupted flow they require.

325
00:16:53.039 --> 00:16:56.679
<v Speaker 1>Okay, from the basic commands telling a FortiGate how

326
00:16:56.679 --> 00:16:59.960
<v Speaker 1>to operate, all the way through intricate details like content

327
00:17:00.120 --> 00:17:05.359
<v Speaker 1>disarm and reconstruction, that sophisticated DLP fingerprinting, robust two-factor authentication,

328
00:17:05.920 --> 00:17:09.839
<v Speaker 1>and even orchestrating entire networks of FortiSwitches. This deep

329
00:17:09.920 --> 00:17:12.880
<v Speaker 1>dive has really shown just how much power, how much precision,

330
00:17:12.920 --> 00:17:16.559
<v Speaker 1>and frankly surprising depth, there is within the FortiOS CLI.

331
00:17:17.000 --> 00:17:19.640
<v Speaker 2>It really is more than just a configuration tool, isn't it?

332
00:17:19.640 --> 00:17:23.000
<v Speaker 2>It's like a language of ultimate control. It allows administrators,

333
00:17:23.079 --> 00:17:26.759
<v Speaker 2>allows you to tailor security and network performance right down

334
00:17:26.799 --> 00:17:30.440
<v Speaker 2>to the finest details, and that precision translates into a

335
00:17:30.559 --> 00:17:35.039
<v Speaker 2>highly responsive, highly resilient digital infrastructure, one that's capable of

336
00:17:35.079 --> 00:17:38.559
<v Speaker 2>adapting to almost any threat or traffic condition you might encounter.

337
00:17:38.799 --> 00:17:42.680
<v Speaker 1>So, thinking bigger picture, then, what does this level of precision,

338
00:17:42.759 --> 00:17:46.480
<v Speaker 1>this granular control, really mean for the future? For, say,

339
00:17:46.720 --> 00:17:50.160
<v Speaker 1>smart self-defending networks? How might this kind of detailed

340
00:17:50.200 --> 00:17:54.680
<v Speaker 1>control influence that ongoing push towards automation in cybersecurity? Could

341
00:17:54.759 --> 00:17:58.079
<v Speaker 1>we see systems one day actually writing and optimizing these

342
00:17:58.079 --> 00:18:01.559
<v Speaker 1>commands themselves, learning in a day acting automatically. We'll leave

343
00:18:01.559 --> 00:18:02.279
<v Speaker 1>that thought with you
