fw01 (vyOS) - Cyber-JL/SEC-350-01 GitHub Wiki

Lab 1.1 Routing and DMZ

  1. First, check that fw01 is attached to the right network adapters; in this case there should be three:

(Screenshot: VMware Horizon, 2023-01-16 14:26, showing the VM's three network adapters)

  1. Log in with the default credentials, then set the hostname:

    configure
    set system host-name fw1-jude
    commit 
    save
    exit
    
  2. Next, log out and log back in so the new hostname takes effect.

  3. Check the interface assignment using the following command:

     show interfaces
    
  4. If any interface has a DHCP address assignment, delete it (substituting the interface number for eth#) and commit:

    configure
    delete interfaces ethernet eth# address dhcp
    commit
    save
    exit

  5. Next, give each interface a description:

    configure
    set interfaces ethernet eth0 description SEC350-WAN
    set interfaces ethernet eth1 description JUDE-DMZ
    set interfaces ethernet eth2 description JUDE-LAN
    commit 
    save
    exit
    
  6. Then give each interface its assigned IP address (eth0 WAN, eth1 DMZ, eth2 LAN):

    configure
    set interfaces ethernet eth0 address 10.0.17.119/24
    set interfaces ethernet eth1 address 172.16.50.2/29
    set interfaces ethernet eth2 address 172.16.150.2/24
    commit 
    save
    exit
    
  7. Next, add a default route and a name server so that fw01 can reach the internet through the SEC350-WAN interface:

    configure
    set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
    set system name-server 10.0.17.2
    commit 
    save
    exit
    
  8. Lastly, verify that fw1 can ping google.com.

Configuring fw01 for NAT (DMZ to WAN)

  1. To configure source NAT (masquerade) so DMZ hosts can reach the WAN, run the following commands on fw01:

    configure
    set nat source rule 10 description "NAT FROM DMZ to WAN"
    set nat source rule 10 outbound-interface eth0
    set nat source rule 10 source address 172.16.50.0/29
    set nat source rule 10 translation address masquerade
    commit
    save
    exit
    

Configuring fw01 for DNS forwarding

  1. To configure fw01 to forward DNS queries for the DMZ, run the following commands:

    configure
    set service dns forwarding listen-address 172.16.50.2
    set service dns forwarding allow-from 172.16.50.0/29
    set service dns forwarding system
    commit
    save
    exit
    

Lab 2.2 - Syslog Organization on log01

Configuring fw01 for NAT (LAN to WAN)

  1. To configure source NAT (masquerade) so LAN hosts can reach the WAN, run the following commands on fw01:

    configure
    set nat source rule 20 description "NAT FROM LAN to WAN"
    set nat source rule 20 outbound-interface eth0
    set nat source rule 20 source address 172.16.150.0/24
    set nat source rule 20 translation address masquerade
    commit
    save
    exit
    

Configuring fw01 for DNS forwarding (LAN)

  1. To configure fw01 to forward DNS queries for the LAN, run the following commands:

    configure
    set service dns forwarding listen-address 172.16.150.2
    set service dns forwarding allow-from 172.16.150.0/24
    set service dns forwarding system
    commit
    save
    exit
    

Logging Authorization Events

  1. Adjust the VyOS configuration to send authentication messages (facility authpriv, level info) from fw01 to log01:

    configure
    set system syslog host 172.16.50.5 facility authpriv level info
    commit
    save
    
  2. Exit out of VyOS repeatedly until you are back at the login prompt.

How to change password:

  1. Restart the machine.
  2. When presented with the VyOS GNU GRUB menu, choose the "Lost password change" option.
  3. It will ask whether you want to reset the password; follow the prompts from there.

Lab 3.1 Segmentation 1

   configure
   set service dns forwarding allow-from 172.16.200.0/28
   set nat source rule 30 description "NAT FROM MGMT to WAN"
   set nat source rule 30 outbound-interface eth0
   set nat source rule 30 source address 172.16.200.0/28
   set nat source rule 30 translation address masquerade
   commit
   save

RIP on FW1

   set protocols rip interface eth2
   set protocols rip network 172.16.50.0/29

Update client logging configurations

   configure
   delete system syslog host 172.16.50.5
   commit
   save
   exit

Lab 4.1 Network Firewalls 1

Create and Link Zones

  • Create and link firewall zones to interfaces (eth0, eth1, eth2)

     set zone-policy zone WAN interface eth0
     set zone-policy zone DMZ interface eth1
     set zone-policy zone LAN interface eth2
     commit 
     save
    

Creating Firewalls for WAN-to-DMZ and DMZ-to-WAN

  • Next, create the firewall rule sets for the zones with a default action of drop, so any traffic not explicitly allowed is blocked and logged:

     set firewall name WAN-to-DMZ default-action drop
     set firewall name DMZ-to-WAN default-action drop
     set firewall name WAN-to-DMZ enable-default-log 
     set firewall name DMZ-to-WAN enable-default-log
    
  • To assign these firewalls to zones run:

     set zone-policy zone WAN from DMZ firewall name DMZ-to-WAN 
     set zone-policy zone DMZ from WAN firewall name WAN-to-DMZ 
    

Allow HTTP Traffic

  • Allow HTTP traffic to the DMZ web server (172.16.50.3) by adding a rule to the WAN-to-DMZ firewall:

    set firewall name WAN-to-DMZ rule 10 action accept
    set firewall name WAN-to-DMZ rule 10 description "Allow HTTP from WAN to DMZ"
    set firewall name WAN-to-DMZ rule 10 destination address 172.16.50.3
    set firewall name WAN-to-DMZ rule 10 destination port 80
    set firewall name WAN-to-DMZ rule 10 protocol tcp
    

Allow Outbound Traffic

  • Allow outbound (established) traffic by adding a rule to the DMZ-to-WAN firewall:

    set firewall name DMZ-to-WAN rule 1 action accept
    set firewall name DMZ-to-WAN rule 1 state established enable
    
  • Now ping should work. On the DMZ web server, make sure to delete welcome.conf from /etc/httpd/conf.d/ and create an index.html with a basic header in /var/www/html/.

Point-to-Point LAN and DMZ configurations

LAN-to-DMZ

    set firewall name LAN-to-DMZ default-action 'drop'
    set firewall name LAN-to-DMZ enable-default-log

    set firewall name LAN-to-DMZ rule 1 action 'accept'
    set firewall name LAN-to-DMZ rule 1 state established 'enable'

    set firewall name LAN-to-DMZ rule 10 action 'accept'
    set firewall name LAN-to-DMZ rule 10 destination address '172.16.50.3'
    set firewall name LAN-to-DMZ rule 10 destination port '80'
    set firewall name LAN-to-DMZ rule 10 protocol 'tcp'

    set firewall name LAN-to-DMZ rule 20 action 'accept'
    set firewall name LAN-to-DMZ rule 20 destination port '22'
    set firewall name LAN-to-DMZ rule 20 protocol 'tcp'
    set firewall name LAN-to-DMZ rule 20 source address '172.16.150.10'

DMZ-to-LAN

    set firewall name DMZ-to-LAN default-action 'drop'
    set firewall name DMZ-to-LAN enable-default-log

    set firewall name DMZ-to-LAN rule 1 action 'accept'
    set firewall name DMZ-to-LAN rule 1 state established 'enable'

    set firewall name DMZ-to-LAN rule 10 action 'accept'
    set firewall name DMZ-to-LAN rule 10 description 'wazuh agent communications with wazuh server'
    set firewall name DMZ-to-LAN rule 10 destination address '172.16.200.10'
    set firewall name DMZ-to-LAN rule 10 destination port '1514,1515'
    set firewall name DMZ-to-LAN rule 10 protocol 'tcp'

Point-to-Point WAN and LAN configurations

LAN-to-WAN

    set firewall name LAN-to-WAN default-action 'drop'
    set firewall name LAN-to-WAN enable-default-log

    set firewall name LAN-to-WAN rule 1 action 'accept'

WAN-to-LAN

    set firewall name WAN-to-LAN default-action 'drop'
    set firewall name WAN-to-LAN enable-default-log

    set firewall name WAN-to-LAN rule 1 action 'accept'
    set firewall name WAN-to-LAN rule 1 state established 'enable'

Policy Zones

LAN

    set zone-policy zone LAN from DMZ firewall name 'DMZ-to-LAN'
    set zone-policy zone LAN from WAN firewall name 'WAN-to-LAN'
    set zone-policy zone LAN interface 'eth2'

WAN

    set zone-policy zone WAN from DMZ firewall name 'DMZ-to-WAN'
    set zone-policy zone WAN from LAN firewall name 'LAN-to-WAN'
    set zone-policy zone WAN interface 'eth0'

DMZ

    set zone-policy zone DMZ from LAN firewall name 'LAN-to-DMZ'
    set zone-policy zone DMZ from WAN firewall name 'WAN-to-DMZ'
    set zone-policy zone DMZ interface 'eth1'
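As an added example (not part of this wiki or of VyOS itself), a small Python audit of the Lab 4.1 zone policy: it parses `set ...` commands in the same format used in the sections above and reports zone directions with no rule set, rule sets that are referenced but never defined, rule sets that do not both drop and log by default, and accept rules with no match criteria at all. The sample configuration inside it is constructed and deliberately incomplete so that each check has something to find.

```python
import shlex

# Constructed sample in the notes' own "set ..." format, with gaps left in on purpose
CONFIG = """
set zone-policy zone WAN from DMZ firewall name 'DMZ-to-WAN'
set zone-policy zone WAN from LAN firewall name 'LAN-to-WAN'
set zone-policy zone DMZ from WAN firewall name 'WAN-to-DMZ'
set zone-policy zone LAN from DMZ firewall name 'DMZ-to-LAN'
set firewall name WAN-to-DMZ default-action 'drop'
set firewall name WAN-to-DMZ enable-default-log
set firewall name WAN-to-DMZ rule 10 action 'accept'
set firewall name WAN-to-DMZ rule 10 destination port '80'
set firewall name DMZ-to-WAN default-action 'drop'
set firewall name DMZ-to-WAN rule 1 action 'accept'
set firewall name DMZ-to-WAN rule 1 state established 'enable'
set firewall name LAN-to-WAN rule 1 action 'accept'
"""

def parse(text):
    pairs, rulesets = {}, {}  # (to_zone, from_zone) -> rule-set name; name -> settings
    for line in text.strip().splitlines():
        t = shlex.split(line)  # shlex strips the quotes VyOS puts around values
        if t[:2] == ["set", "zone-policy"] and t[4] == "from":
            pairs[(t[3], t[5])] = t[8]
        elif t[:3] == ["set", "firewall", "name"]:
            rs = rulesets.setdefault(t[3], {"default": None, "log": False, "rules": {}})
            if t[4] == "default-action":
                rs["default"] = t[5]
            elif t[4] == "enable-default-log":
                rs["log"] = True
            elif t[4] == "rule":  # "rule N <match keywords> <value>"
                rs["rules"].setdefault(t[5], {})[" ".join(t[6:-1])] = t[-1]
    return pairs, rulesets

def audit(text):
    pairs, rulesets = parse(text)
    zones = sorted({z for pair in pairs for z in pair})
    findings = [f"no rule set for traffic from {f} to {t}"  # direction relies on the zone default
                for t in zones for f in zones if t != f and (t, f) not in pairs]
    for (to, frm), name in sorted(pairs.items()):
        if name not in rulesets:
            findings.append(f"{name} ({frm}->{to}) is referenced but never defined")
            continue
        rs = rulesets[name]
        if rs["default"] != "drop" or not rs["log"]:
            findings.append(f"{name}: needs default-action drop and enable-default-log")
        for num, rule in rs["rules"].items():  # accept with nothing to match on = allow-all
            if rule.get("action") == "accept" and set(rule) <= {"action", "description"}:
                findings.append(f"{name} rule {num}: accept with no match criteria")
    return findings
```

Running `audit(CONFIG)` on the sample flags the missing WAN-to-LAN and LAN-to-DMZ directions, the undefined DMZ-to-LAN rule set, the two rule sets without logging, and the unrestricted LAN-to-WAN rule 1; paste the output of `show configuration commands | match "firewall name|zone-policy"` in place of CONFIG to check a live fw01.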