🛡 End-to-End Web Security Architecture: FortiWeb WAF + FortiGate in Reverse Proxy Mode
Recently completed a comprehensive lab implementation and full documentation of a production-grade web security architecture using FortiWeb as a Web Application Firewall behind FortiGate, deployed on PNETLAB with KVM-based VMs.
🔹 Traffic Flow Architecture:
Client → FortiGate (WAN/VIP) → FortiWeb (WAF Inspection) → Apache2 Real Server → Response back to Client
🔹 Key Implementation Highlights:
✅ Linux Web Server hardening with Apache2 and static IP configuration via Netplan
✅ FortiWeb interface setup across three segments (Real Server / Client-LAN / Management)
✅ Complete WAF policy chain: Virtual IP → Server Pool → Virtual Server → Server Policy
✅ FortiGate perimeter configuration with DNAT Virtual IP (100.100.100.50 → 192.168.100.50)
✅ Firewall policy with full session logging for HTTP/HTTPS/PING traffic
✅ CLI-based traffic logging activation on FortiWeb (a step many engineers miss!)
✅ End-to-end verification through Forward Traffic logs on both devices
🔹 Why Reverse Proxy Mode?
It provides deep HTTP/HTTPS inspection, granular WAF policy enforcement, and clean separation between perimeter firewalling (FortiGate) and application-layer protection (FortiWeb) — a layered defense approach aligned with Zero Trust principles.
🔹 Key Lesson Learned:
The order of WAF policy configuration matters → Virtual IP must exist before the Server Pool, which must exist before the Virtual Server, which must exist before the Server Policy. Skipping the sequence breaks the binding chain.
💼 Currently exploring new opportunities in Network & Cybersecurity Engineering — open to on-site, hybrid, or remote roles. I deliver hands-on services in network design, firewall deployment (Fortinet, Cisco), WAF implementation, ICS/OT security (IEC 62443, NIST), and infrastructure hardening.
#CyberSecurity #FortiWeb #FortiGate #WAF #NetworkSecurity #Fortinet #ReverseProxy #InfoSec #OpenToWork #NetworkEngineer #PenetrationTesting #ICS #OTSecurity
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
Recently completed a comprehensive lab implementation and full documentation of a production-grade web security architecture using FortiWeb as a Web Application Firewall behind FortiGate, deployed on PNETLAB with KVM-based VMs.
🔹 Traffic Flow Architecture:
Client → FortiGate (WAN/VIP) → FortiWeb (WAF Inspection) → Apache2 Real Server → Response back to Client
🔹 Key Implementation Highlights:
✅ Linux Web Server hardening with Apache2 and static IP configuration via Netplan
✅ FortiWeb interface setup across three segments (Real Server / Client-LAN / Management)
✅ Complete WAF policy chain: Virtual IP → Server Pool → Virtual Server → Server Policy
✅ FortiGate perimeter configuration with DNAT Virtual IP (100.100.100.50 → 192.168.100.50)
✅ Firewall policy with full session logging for HTTP/HTTPS/PING traffic
✅ CLI-based traffic logging activation on FortiWeb (a step many engineers miss!)
✅ End-to-end verification through Forward Traffic logs on both devices
🔹 Why Reverse Proxy Mode?
It provides deep HTTP/HTTPS inspection, granular WAF policy enforcement, and clean separation between perimeter firewalling (FortiGate) and application-layer protection (FortiWeb) — a layered defense approach aligned with Zero Trust principles.
🔹 Key Lesson Learned:
The order of WAF policy configuration matters → Virtual IP must exist before the Server Pool, which must exist before the Virtual Server, which must exist before the Server Policy. Skipping the sequence breaks the binding chain.
💼 Currently exploring new opportunities in Network & Cybersecurity Engineering — open to on-site, hybrid, or remote roles. I deliver hands-on services in network design, firewall deployment (Fortinet, Cisco), WAF implementation, ICS/OT security (IEC 62443, NIST), and infrastructure hardening.
#CyberSecurity #FortiWeb #FortiGate #WAF #NetworkSecurity #Fortinet #ReverseProxy #InfoSec #OpenToWork #NetworkEngineer #PenetrationTesting #ICS #OTSecurity
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
❤2
Network Security Channel
Practice Security+ without friction.pdf
🎯 Built a Free CompTIA Security+ (SY0-701) Practice Exam Simulator — No Friction, No Sign-up
As part of giving back to the cybersecurity community, I've put together a free, browser-based practice exam simulator for anyone preparing for the CompTIA Security+ SY0-701 certification. Whether you're starting your InfoSec journey or sharpening your fundamentals, this tool is built to mirror the real exam experience.
🔹 What's Inside:
✅ 300 original practice questions covering all 5 official SY0-701 domains
✅ Practice Mode — instant feedback and detailed explanations after every answer, so you learn as you go
✅ Exam Mode — fully timed simulation with no feedback until submission, matching real test conditions
✅ Flexible session sizing — choose 10, 20, 50, or 90 questions per run
✅ Domain targeting — practice all five domains or focus on weak areas
✅ Performance analytics — domain-by-domain score breakdown and incorrect-answer review
✅ Browser session persistence — refresh-safe progress, no account required
🔹 Domain Coverage (Weighted to Match the Real Exam):
📘 1.0 General Security Concepts — 12%
📘 2.0 Threats, Vulnerabilities, and Mitigations — 22%
📘 3.0 Security Architecture — 18%
📘 4.0 Security Operations — 28%
📘 5.0 Security Program Management and Oversight — 20%
🔹 Why This Matters:
Most quality exam prep tools sit behind paywalls or require lengthy sign-ups. I wanted something that respects the learner's time — open the page, pick a domain, start practicing. That's it.
🔹 Key Lesson From Building It:
The hardest part of certification prep isn't memorizing acronyms (SLA vs. ISA, TPM vs. HSM, CASB vs. SWG…) — it's training your reasoning under timed pressure. A timer + explanations + domain breakdown is what bridges that gap.
💼 Currently exploring new opportunities in Network & Cybersecurity Engineering — open to on-site, hybrid, or remote roles. I deliver hands-on services in network design, firewall deployment (Fortinet, Cisco), WAF implementation, ICS/OT security (IEC 62443, NIST), and infrastructure hardening.
#CyberSecurity #SecurityPlus #CompTIA #SY0701 #InfoSec #CertificationPrep #NetworkSecurity #OpenToWork #NetworkEngineer #CyberCareer #ContinuousLearning
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
As part of giving back to the cybersecurity community, I've put together a free, browser-based practice exam simulator for anyone preparing for the CompTIA Security+ SY0-701 certification. Whether you're starting your InfoSec journey or sharpening your fundamentals, this tool is built to mirror the real exam experience.
🔹 What's Inside:
✅ 300 original practice questions covering all 5 official SY0-701 domains
✅ Practice Mode — instant feedback and detailed explanations after every answer, so you learn as you go
✅ Exam Mode — fully timed simulation with no feedback until submission, matching real test conditions
✅ Flexible session sizing — choose 10, 20, 50, or 90 questions per run
✅ Domain targeting — practice all five domains or focus on weak areas
✅ Performance analytics — domain-by-domain score breakdown and incorrect-answer review
✅ Browser session persistence — refresh-safe progress, no account required
🔹 Domain Coverage (Weighted to Match the Real Exam):
📘 1.0 General Security Concepts — 12%
📘 2.0 Threats, Vulnerabilities, and Mitigations — 22%
📘 3.0 Security Architecture — 18%
📘 4.0 Security Operations — 28%
📘 5.0 Security Program Management and Oversight — 20%
🔹 Why This Matters:
Most quality exam prep tools sit behind paywalls or require lengthy sign-ups. I wanted something that respects the learner's time — open the page, pick a domain, start practicing. That's it.
🔹 Key Lesson From Building It:
The hardest part of certification prep isn't memorizing acronyms (SLA vs. ISA, TPM vs. HSM, CASB vs. SWG…) — it's training your reasoning under timed pressure. A timer + explanations + domain breakdown is what bridges that gap.
💼 Currently exploring new opportunities in Network & Cybersecurity Engineering — open to on-site, hybrid, or remote roles. I deliver hands-on services in network design, firewall deployment (Fortinet, Cisco), WAF implementation, ICS/OT security (IEC 62443, NIST), and infrastructure hardening.
#CyberSecurity #SecurityPlus #CompTIA #SY0701 #InfoSec #CertificationPrep #NetworkSecurity #OpenToWork #NetworkEngineer #CyberCareer #ContinuousLearning
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
Network Security Channel
1777790686123.pdf
🔍 Active Directory Enumeration Walkthrough: Mapping a Domain with pywerview
Just published a hands-on lab write-up demonstrating how an authenticated attacker with low-privileged credentials can enumerate a full Active Directory environment using pywerview — the Python port of the legendary PowerView module — and uncover real privilege escalation paths from a single foothold.
🔹 Lab Scenario:
Starting credentials: raj / Password@1 against the ignite.local domain. From this minimal access, mapping out users, groups, computers, delegation settings, ACLs, GPOs, and trust relationships — entirely over LDAP.
🔹 Key Findings Uncovered Through Enumeration:
✅ Domain Admin discovery — identified the aaru account via --admin-count filter (adminCount=1, member of Domain Admins)
✅ Kerberoastable SPN — the kavish account exposed via --spn, configured with TRUSTED_TO_AUTH_FOR_DELEGATION against a SQL server (constrained delegation w/ protocol transition)
✅ Unconstrained Delegation hosts — flagged via --unconstrained (a classic path to DC compromise)
✅ Backup Operators abuse path — user shivam enumerated as a member, opening NTDS.dit dump potential
✅ Trust enumeration — bidirectional forest trust to pentest.local discovered via get-netdomaintrust
✅ Domain policy extraction — password length, complexity, lockout thresholds, and Kerberos ticket lifetimes all readable from SYSVOL
🔹 pywerview Modules Demonstrated:
get-netdomain, get-netuser, get-netgroup, get-netgroupmember, get-netcomputer, get-netshare, get-netsession, get-netloggedon, get-netou, get-netsite, get-netsubnet, get-netgpo, get-domainpolicy, invoke-userhunter, invoke-processhunter, invoke-checklocaladminaccess, get-objectacl, get-netdomaintrust
🔹 Why This Matters for Defenders:
Every red-team finding above is a blue-team checklist item. Misconfigured delegation, stale adminCount=1 flags, over-privileged Backup Operators, and SPN sprawl on user accounts are the silent killers of AD environments. You can't harden what you can't see.
🔹 Key Lesson From the Lab:
A single low-privileged user is enough to map your entire domain, identify Tier 0 assets, and build a full attack graph — without ever touching a tool that triggers EDR. LDAP queries are noisy only if you're watching for them.
💼 Currently exploring new opportunities in Network & Cybersecurity Engineering — open to on-site, hybrid, or remote roles. I deliver hands-on services in network design, firewall deployment (Fortinet, Cisco), Active Directory hardening, ICS/OT security (IEC 62443, NIST), penetration testing, and infrastructure hardening.
#CyberSecurity #ActiveDirectory #RedTeam #PenetrationTesting #pywerview #PowerView #ADSecurity #LDAP #Kerberoasting #PrivilegeEscalation #InfoSec #BlueTeam #OpenToWork #NetworkSecurity #OffensiveSecurity
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
Just published a hands-on lab write-up demonstrating how an authenticated attacker with low-privileged credentials can enumerate a full Active Directory environment using pywerview — the Python port of the legendary PowerView module — and uncover real privilege escalation paths from a single foothold.
🔹 Lab Scenario:
Starting credentials: raj / Password@1 against the ignite.local domain. From this minimal access, mapping out users, groups, computers, delegation settings, ACLs, GPOs, and trust relationships — entirely over LDAP.
🔹 Key Findings Uncovered Through Enumeration:
✅ Domain Admin discovery — identified the aaru account via --admin-count filter (adminCount=1, member of Domain Admins)
✅ Kerberoastable SPN — the kavish account exposed via --spn, configured with TRUSTED_TO_AUTH_FOR_DELEGATION against a SQL server (constrained delegation w/ protocol transition)
✅ Unconstrained Delegation hosts — flagged via --unconstrained (a classic path to DC compromise)
✅ Backup Operators abuse path — user shivam enumerated as a member, opening NTDS.dit dump potential
✅ Trust enumeration — bidirectional forest trust to pentest.local discovered via get-netdomaintrust
✅ Domain policy extraction — password length, complexity, lockout thresholds, and Kerberos ticket lifetimes all readable from SYSVOL
🔹 pywerview Modules Demonstrated:
get-netdomain, get-netuser, get-netgroup, get-netgroupmember, get-netcomputer, get-netshare, get-netsession, get-netloggedon, get-netou, get-netsite, get-netsubnet, get-netgpo, get-domainpolicy, invoke-userhunter, invoke-processhunter, invoke-checklocaladminaccess, get-objectacl, get-netdomaintrust
🔹 Why This Matters for Defenders:
Every red-team finding above is a blue-team checklist item. Misconfigured delegation, stale adminCount=1 flags, over-privileged Backup Operators, and SPN sprawl on user accounts are the silent killers of AD environments. You can't harden what you can't see.
🔹 Key Lesson From the Lab:
A single low-privileged user is enough to map your entire domain, identify Tier 0 assets, and build a full attack graph — without ever touching a tool that triggers EDR. LDAP queries are noisy only if you're watching for them.
💼 Currently exploring new opportunities in Network & Cybersecurity Engineering — open to on-site, hybrid, or remote roles. I deliver hands-on services in network design, firewall deployment (Fortinet, Cisco), Active Directory hardening, ICS/OT security (IEC 62443, NIST), penetration testing, and infrastructure hardening.
#CyberSecurity #ActiveDirectory #RedTeam #PenetrationTesting #pywerview #PowerView #ADSecurity #LDAP #Kerberoasting #PrivilegeEscalation #InfoSec #BlueTeam #OpenToWork #NetworkSecurity #OffensiveSecurity
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
🛡 Wazuh Mastery Pack · 01 of 15 — Installation & Setup
The single most repeated question from juniors picking up Wazuh:
"Where do I even start?"
This first cheat sheet gets a Wazuh stack from zero to producing alerts in under 30 minutes — Manager, Indexer, Dashboard, Agents, all the ports you must open, and the verification one-liners I run before walking away from any new install.
A few non-obvious things people miss on day one:
- The all-in-one assistant script (wazuh-install.sh -a) is a lab/PoC tool — don't ship it to prod
- /var/ossec/wazuh-install-files.tar contains your initial creds. Move it to a vault. Lose it = full reinstall.
- Prefer TCP/1514 over UDP for event ingest — UDP silently drops events under load
- Always run /var/ossec/bin/wazuh-control configtest before restarting the manager
If you're starting your Wazuh journey this week, this one is for you.
#Wazuh #SIEM #SOC #CyberSecurity #BlueTeam #InfoSec #OpenToWork
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
The single most repeated question from juniors picking up Wazuh:
"Where do I even start?"
This first cheat sheet gets a Wazuh stack from zero to producing alerts in under 30 minutes — Manager, Indexer, Dashboard, Agents, all the ports you must open, and the verification one-liners I run before walking away from any new install.
A few non-obvious things people miss on day one:
- The all-in-one assistant script (wazuh-install.sh -a) is a lab/PoC tool — don't ship it to prod
- /var/ossec/wazuh-install-files.tar contains your initial creds. Move it to a vault. Lose it = full reinstall.
- Prefer TCP/1514 over UDP for event ingest — UDP silently drops events under load
- Always run /var/ossec/bin/wazuh-control configtest before restarting the manager
If you're starting your Wazuh journey this week, this one is for you.
#Wazuh #SIEM #SOC #CyberSecurity #BlueTeam #InfoSec #OpenToWork
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
❤1