FortiGate™

Version 4.0
Administration Guide

Visit http://support.fortinet.com to register your FortiGate product. By registering you can receive product updates, technical support, and FortiGuard services.

FortiGate Administration Guide Version 4.0
24 April 2009
01-400-89802-20090424

© Copyright 2009 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Introduction ............................................................................................ 21
Fortinet products ..... 21
About this document ..... 21
Document conventions ..... 24
    IP addresses ..... 24
    CLI constraints ..... 24
    Cautions, Notes and Tips ..... 24
    Typographical conventions ..... 25

Registering your Fortinet product ..... 25
Customer service and technical support ..... 25
Training ..... 26
Fortinet documentation ..... 26
    Tools and Documentation CD ..... 26
    Fortinet Knowledge Center ..... 26
    Comments on Fortinet technical documentation ..... 26

What’s new in FortiOS 4.0 ..................................................................... 27
FortiOS 4.0 FortiGate models and features supported ..... 28
UTM features grouped under new UTM menu ..... 29
Data Leak Prevention ..... 29
Application Control ..... 29
SSL content scanning and inspection ..... 29
WAN Optimization ..... 30
Endpoint control ..... 30
Network Access Control (NAC) quarantine ..... 30
IPS extensions ..... 31
    DoS policies for applying IPS sensors ..... 31
    NAC quarantine in DoS Sensors ..... 31
    Adding IPS sensors to a DoS policy from the CLI ..... 32
    One-arm IDS (sniffer mode) ..... 32
        IPS interface policies for IPv6 ..... 33
    IPS Packet Logging ..... 33

Enhanced Antispam Engine (ASE) ..... 33
WCCP v2 support ..... 33
“Any” interface for firewall policies ..... 35
Global view of firewall policies ..... 35
Identity-based firewall policies ..... 35
Web filtering HTTP upload enhancements ..... 36

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Traffic shaping enhancements ..... 36
Firewall load balancing virtual IP changes ..... 36
    User session persistence ..... 36
    Health Check Monitor ..... 36
    Load balancing server monitor ..... 36
Per-firewall policy session TTL ..... 37
Gratuitous ARP for virtual IPs ..... 37
Changes to protection profiles ..... 37
Changes to content archiving ..... 37
Customizable web-based manager pages ..... 37
Administration over modem ..... 38
Auto-bypass and recovery for AMC bridge module ..... 38
Rogue Wireless Access Point detection ..... 38
Configurable VDOM and global resource limits ..... 38
User authentication monitor ..... 39
OCSP and SCEP certificate over HTTPS ..... 39
Adding non-standard ports for firewall authentication ..... 39
Dynamically assigning VPN client IP addresses from a RADIUS record ..... 40
DHCP over route-based IPSec VPNs ..... 40
SNMP upgraded to v3.0 ..... 40
File Quarantine ..... 41
Customizable SSL VPN web portals ..... 41
Logging improvements ..... 41
Web filtering HTTP POST traffic (blocking or comforting HTTP post traffic) ..... 41

Web-based manager .............................................................................. 43
Common web-based manager tasks ..... 44
    Connecting to the web-based manager ..... 44
    Changing your FortiGate administrator password ..... 45
    Changing the web-based manager language ..... 46
    Changing administrative access to your FortiGate unit ..... 46
    Changing the web-based manager idle timeout ..... 47
    Connecting to the FortiGate CLI from the web-based manager ..... 47

Button bar features ..... 47
Contacting Customer Support ..... 48
Backing up your FortiGate configuration ..... 48
Using FortiGate Online Help ..... 49
    Searching the online help ..... 50

Logging out ..... 52
Web-based manager pages ..... 52
    Using the web-based manager menu ..... 52
    Using web-based manager lists ..... 53
    Adding filters to web-based manager lists ..... 53
    Using page controls on web-based manager lists ..... 57
    Using column settings to control the columns displayed ..... 58
    Using filters with column settings ..... 59

Web-based manager icons........................................................................................... 60

System Status ........................................................................................ 63
Status page ..... 63
    Viewing system status ..... 63
Changing system information ..... 78
    Configuring system time ..... 78
    Changing the FortiGate unit host name ..... 78
Changing the FortiGate firmware ..... 79
    Upgrading to a new firmware version ..... 80
    Reverting to a previous firmware version ..... 80
Viewing operational history ..... 81
Manually updating FortiGuard definitions ..... 82
Viewing Statistics ..... 83
    Viewing the session list ..... 83
    Viewing Content Archive information on the Statistics widget ..... 84
    Viewing the Attack Log ..... 85
Topology ..... 87
    Adding a subnet object ..... 89
    Customizing the topology diagram ..... 90

Managing firmware versions................................................................. 91
Backing up your configuration ..... 92
    Backing up your configuration through the web-based manager ..... 92
    Backing up your configuration through the CLI ..... 92
    Backing up your configuration to a USB key ..... 93
Testing firmware before upgrading ..... 94
Upgrading your FortiGate unit ..... 95
    Upgrading to FortiOS 4.0 through the web-based manager ..... 95
    Upgrading to FortiOS 4.0 through the CLI ..... 96
    Verifying the upgrade ..... 97
Reverting to a previous firmware image ..... 98
    Downgrading to a previous firmware through the web-based manager ..... 98
    Verifying the downgrade ..... 99
    Downgrading to a previous firmware through the CLI ..... 99

Restoring your configuration ..... 101
    Restoring your configuration settings in the web-based manager ..... 101
    Restoring your configuration settings in the CLI ..... 101

Using virtual domains.......................................................................... 103
Virtual domains ..... 103
    Benefits of VDOMs ..... 103
    VDOM configuration settings ..... 104
    Global configuration settings ..... 107
Enabling VDOMs ..... 108
Configuring VDOMs and global settings ..... 109
    VDOM licenses ..... 109
    Creating a new VDOM ..... 110
    Working with VDOMs and global settings ..... 111
    Adding interfaces to a VDOM ..... 113
    Inter-VDOM links ..... 113
    Assigning an interface to a VDOM ..... 114
    Assigning an administrator to a VDOM ..... 115
    Changing the management VDOM ..... 116

Configuring global and VDOM resource limits ..... 116
    VDOM resource limits ..... 117
    Global resource limits ..... 118

System Network ................................................................................... 119
Interfaces ..... 119
    Switch Mode ..... 122
    Interface settings ..... 123
    Creating an 802.3ad aggregate interface ..... 127
    Creating a redundant interface ..... 128
    Configuring DHCP on an interface ..... 130
    Configuring an interface for PPPoE ..... 131
    Configuring Dynamic DNS on an interface ..... 132
    Configuring a virtual IPSec interface ..... 133
    Configuring interfaces with CLI commands ..... 134
    Administrative access to an interface ..... 135
    Interface MTU packet size ..... 135
    Secondary IP Addresses ..... 136

Configuring zones ..... 138
Configuring the modem interface ..... 139
    Configuring modem settings ..... 140
    Redundant mode configuration ..... 142
    Standalone mode configuration ..... 143
    Adding firewall policies for modem connections ..... 144
    Connecting and disconnecting the modem ..... 144
    Checking modem status ..... 144

Configuring Networking Options ..... 145
    DNS Servers ..... 146
    Dead gateway detection ..... 146
Web Proxy ..... 147
Routing table (Transparent Mode) ..... 149
    Transparent mode route settings ..... 149
VLAN overview ..... 150
    FortiGate units and VLANs ..... 151
VLANs in NAT/Route mode ..... 151
    Rules for VLAN IDs ..... 152
    Rules for VLAN IP addresses ..... 152
    Adding VLAN subinterfaces ..... 153
VLANs in Transparent mode ..... 154
    Rules for VLAN IDs ..... 156
    Transparent mode virtual domains and VLANs ..... 156
    Troubleshooting ARP Issues ..... 157

System Wireless................................................................................... 159
FortiWiFi wireless interfaces ..... 159
Channel assignments ..... 160
    IEEE 802.11a channel numbers ..... 160
    IEEE 802.11b channel numbers ..... 160
    IEEE 802.11g channel numbers ..... 161
Wireless settings ..... 162
    Adding a wireless interface ..... 163
Wireless MAC Filter ..... 165
    Managing the MAC Filter list ..... 166
Wireless Monitor ..... 167
Rogue AP detection ..... 168
    Viewing wireless access points ..... 168

System DHCP ....................................................................................... 171
FortiGate DHCP servers and relays ..... 171
Configuring DHCP services ..... 172
    Configuring an interface as a DHCP relay agent ..... 173
    Configuring a DHCP server ..... 173
Viewing address leases ..... 175
    Reserving IP addresses for specific clients ..... 175

System Config ...................................................................................... 177
HA ..... 177
    HA options ..... 177
    Cluster members list ..... 180
    Viewing HA statistics ..... 182
    Changing subordinate unit host name and device priority ..... 183
    Disconnecting a cluster unit from a cluster ..... 184
SNMP ..... 185
    Configuring SNMP ..... 186
    Configuring an SNMP community ..... 186
    Fortinet MIBs ..... 188
    Fortinet and FortiGate traps ..... 189
    Fortinet and FortiGate MIB fields ..... 192
Replacement messages ..... 194
    Replacement messages list ..... 195
    Changing replacement messages ..... 196
    Mail replacement messages ..... 197
    HTTP replacement messages ..... 197
    FTP replacement messages ..... 198
    NNTP replacement messages ..... 199
    Alert Mail replacement messages ..... 199
    Spam replacement messages ..... 200
    Administration replacement message ..... 200
    Authentication replacement messages ..... 201
    FortiGuard Web Filtering replacement messages ..... 202
    IM and P2P replacement messages ..... 203
    Endpoint control replacement message ..... 204
    NAC quarantine replacement messages ..... 204
    SSL VPN replacement message ..... 205
    Replacement message tags ..... 205

Operation mode and VDOM management access ..... 206
    Changing operation mode ..... 206
    Management access ..... 207

System Admin ...................................................................................... 209
Administrators ..... 209
    Viewing the administrators list ..... 211
    Configuring an administrator account ..... 212
    Configuring regular (password) authentication for administrators ..... 214
    Configuring remote authentication for administrators ..... 214
    Configuring PKI certificate authentication for administrators ..... 220

Admin profiles ..... 222
    Viewing the admin profiles list ..... 224
    Configuring an admin profile ..... 225

Central Management ..... 226
Settings ..... 228
Monitoring administrators ..... 229
FortiGate IPv6 support ..... 230
Customizable web-based manager ..... 231

System Certificates.............................................................................. 243
Local Certificates ..... 244
    Generating a certificate request ..... 245
    Downloading and submitting a certificate request ..... 246
    Importing a signed server certificate ..... 247
    Importing an exported server certificate and private key ..... 247
    Importing separate server certificate and private key files ..... 248

Remote Certificates ..... 248
    Importing Remote (OCSP) certificates ..... 249
CA Certificates ..... 249
    Importing CA certificates ..... 250
CRL ..... 251
    Importing a certificate revocation list ..... 251

System Maintenance............................................................................ 253
About the Maintenance menu ..... 253
Backing up and restoring ..... 254
    Basic backup and restore options ..... 255
    Upgrading and downgrading firmware ..... 259
    Upgrading and downgrading firmware through FortiGuard ..... 259
    Configuring advanced options ..... 260

Managing configuration revisions ..... 261
Using script files ..... 262
    Creating script files ..... 263
    Uploading script files ..... 264
Configuring FortiGuard Services ..... 264
    FortiGuard Distribution Network ..... 264
    FortiGuard services ..... 265
    Configuring the FortiGate unit for FDN and FortiGuard subscription services ..... 266
Troubleshooting FDN connectivity ..... 271
Updating antivirus and attack definitions ..... 271
Enabling push updates ..... 273
    Enabling push updates when a FortiGate unit IP address changes ..... 273
    Enabling push updates through a NAT device ..... 274
Adding VDOM Licenses ..... 276
FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback


Router Static ........................................................................................ 277
Routing concepts ....................................................................................................... 277
How the routing table is built .................................................................................. 278
How routing decisions are made ............................................................................ 278
Multipath routing and determining the best route ................................................... 278
Route priority .......................................................................................................... 279
Blackhole Route ...................................................................................................... 279

Static Route ................................................................................................................ 280
Working with static routes ...................................................................................... 280
Default route and default gateway ......................................................................... 281
Adding a static route to the routing table ............................................................... 284
Policy Route ............................................................................................................... 285
Adding a policy route .............................................................................................. 286
Moving a policy route .............................................................................................. 287

Router Dynamic.................................................................................... 289
RIP ................................................................................................................................ 289
Viewing and editing basic RIP settings ................................................................... 290
Selecting advanced RIP options ............................................................................. 292
Configuring a RIP-enabled interface ....................................................................... 293
OSPF ............................................................................................................................ 294
Defining an OSPF AS—Overview .......................................................................... 295
Configuring basic OSPF settings ............................................................................ 296
Selecting advanced OSPF options ......................................................................... 298
Defining OSPF areas .............................................................................................. 299
Specifying OSPF networks ..................................................................................... 300
Selecting operating parameters for an OSPF interface .......................................... 301

BGP .............................................................................................................................. 302
Viewing and editing BGP settings ........................................................................... 303
Multicast ...................................................................................................................... 304
Viewing and editing multicast settings .................................................................... 305
Overriding the multicast settings on an interface .................................................... 306
Multicast destination NAT ....................................................................................... 306
Bi-directional Forwarding Detection (BFD) .............................................................. 307
Configuring BFD ..................................................................................................... 307
Customizable routing widgets ................................................................................... 309
Access List .............................................................................................................. 309
Distribute List .......................................................................................................... 310
Key Chain ............................................................................................................... 310
Offset List ................................................................................................................ 311
Prefix List ................................................................................................................ 312
Route Map .............................................................................................................. 312


Router Monitor ..................................................................................... 315
Viewing routing information ...................................................................................... 315
Searching the FortiGate routing table ....................................................................... 317

Firewall Policy ...................................................................................... 319
How list order affects policy matching ..................................................................... 319
Moving a policy to a different position in the policy list ........................................... 320
Multicast policies ........................................................................................................ 321
Viewing the firewall policy list ................................................................................... 321
Configuring firewall policies ...................................................................................... 323
Adding authentication to firewall policies ................................................................ 327
Identity-based firewall policy options (non-SSL-VPN) ............................................ 328
IPSec firewall policy options ................................................................................... 330
Configuring SSL VPN identity-based firewall policies ............................................. 331
Endpoint Compliance Check options ...................................................................... 336

DoS policies ................................................................................................................. 337
Viewing the DoS policy list ...................................................................................... 337
Configuring DoS policies ........................................................................................ 338
Firewall policy examples ............................................................................................ 339
Scenario one: SOHO-sized business ..................................................................... 339
Scenario two: enterprise-sized business ................................................................ 342

Firewall Address .................................................................................. 345
About firewall addresses ............................................................................................ 345
Viewing the firewall address list ................................................................................ 346
Configuring addresses ............................................................................................... 347
Viewing the address group list .................................................................................. 348
Configuring address groups ...................................................................................... 348

Firewall Service .................................................................................... 351
Viewing the predefined service list ........................................................................... 351
Viewing the custom service list ................................................................................. 356
Configuring custom services ..................................................................................... 357
Viewing the service group list ................................................................................... 359
Configuring service groups ....................................................................................... 359

Firewall Schedule................................................................................. 361
Viewing the recurring schedule list ........................................................................... 361
Configuring recurring schedules .............................................................................. 362
Viewing the one-time schedule list ........................................................................... 362
Configuring one-time schedules ............................................................................... 363


Firewall Virtual IP ................................................................................. 365
How virtual IPs map connections through FortiGate units ..................................... 365
Inbound connections ............................................................................................... 365
Outbound connections ............................................................................................ 368
VIP requirements .................................................................................................... 369
Viewing the virtual IP list ............................................................................................ 369
Configuring virtual IPs ................................................................................................ 370
Adding a static NAT virtual IP for a single IP address ............................................ 372
Adding a static NAT virtual IP for an IP address range .......................................... 373
Adding static NAT port forwarding for a single IP address and a single port ......... 375
Adding static NAT port forwarding for an IP address range and a port range ....... 377
Adding dynamic virtual IPs ..................................................................................... 378
Adding a virtual IP with port translation only ........................................................... 379

Virtual IP Groups ......................................................................................................... 380
Viewing the VIP group list .......................................................................................... 380
Configuring VIP groups .............................................................................................. 380
IP pools ........................................................................................................................ 381
IP pools and dynamic NAT ..................................................................................... 382
IP Pools for firewall policies that use fixed ports ..................................................... 382
Source IP address and IP pool address matching .................................................. 382
Viewing the IP pool list ............................................................................................... 383
Configuring IP Pools ................................................................................................... 383
Double NAT: combining IP pool with virtual IP ........................................................ 384
Adding NAT firewall policies in transparent mode .................................................. 386

Firewall Load Balance ......................................................................... 389
How load balancer works ........................................................................................... 389
Configuring virtual servers ........................................................................................ 390
Configuring real servers ............................................................................................. 392
Configuring health check monitors ........................................................................... 393
Monitoring the servers ............................................................................................... 395

Firewall Protection Profile................................................................... 397
What is a protection profile? ...................................................................................... 397
Adding a protection profile to a firewall policy ........................................................ 398
Default protection profiles ......................................................................................... 398
Viewing the protection profile list ............................................................................. 399


SSL content scanning and inspection ...................................................................... 399
Supported FortiGate models ................................................................................... 400
Setting up certificates to avoid client warnings ....................................................... 400
Configuring SSL content scanning and inspection ................................................. 402
Configuring a protection profile ................................................................................ 404
Protocol recognition options ................................................................................... 405
Anti-Virus options .................................................................................................... 407
IPS options ............................................................................................................. 411
Web Filtering options .............................................................................................. 411
FortiGuard Web Filtering options ............................................................................ 413
Spam Filtering options ............................................................................................ 416
Data Leak Prevention Sensor options .................................................................... 419
Application Control options ..................................................................................... 420
Logging options ...................................................................................................... 421

Traffic Shaping ..................................................................................... 423
Guaranteed bandwidth and maximum bandwidth ................................................... 423
Traffic priority .............................................................................................................. 424
Traffic shaping considerations .................................................................................. 424
Configuring traffic shaping ........................................................................................ 425

SIP support ........................................................................................... 427
VoIP and SIP ................................................................................................................ 427
The FortiGate unit and VoIP security ........................................................................ 429
SIP NAT .................................................................................................................. 429
How SIP support works .............................................................................................. 431
Configuring SIP ........................................................................................................... 432
Enabling SIP support and setting rate limiting from the web-based manager ........ 432
Enabling SIP support from the CLI ......................................................................... 433
Enabling SIP logging .............................................................................................. 434
Enabling advanced SIP features in an application list ............................................ 434

AntiVirus ............................................................................................... 439
Order of operations ..................................................................................................... 439
Antivirus tasks ............................................................................................................ 440
FortiGuard antivirus ................................................................................................ 441
Antivirus settings and controls ................................................................................. 441
File Filter ...................................................................................................................... 443
Built-in patterns and supported file types ................................................................ 443
Viewing the file filter list catalog .............................................................................. 444
Creating a new file filter list ..................................................................................... 444
Viewing the file filter list .......................................................................................... 445
Configuring the file filter list ..................................................................................... 445


File Quarantine ............................................................................................................ 446
Viewing the File Quarantine list .............................................................................. 447
Viewing the AutoSubmit list .................................................................................... 448
Configuring the AutoSubmit list .............................................................................. 449
Configuring quarantine options ............................................................................... 449

Viewing the virus database information ................................................................... 451
Viewing and configuring the grayware list ............................................................... 452
Antivirus CLI configuration ........................................................................................ 453

Intrusion Protection ............................................................................. 455
About intrusion protection ......................................................................................... 455
Intrusion Protection settings and controls ............................................................... 456
When to use Intrusion Protection ............................................................................ 456
Signatures .................................................................................................................... 456
Viewing the predefined signature list ...................................................................... 457
Using display filters ................................................................................................. 458
Custom signatures ...................................................................................................... 459
Viewing the custom signature list ........................................................................... 459
Creating custom signatures .................................................................................... 459
Protocol decoders ....................................................................................................... 460
Viewing the protocol decoder list ............................................................................ 460
Upgrading the IPS protocol decoder list ................................................................. 461
IPS sensors .................................................................................................................. 461
Viewing the IPS sensor list ..................................................................................... 461
Adding an IPS sensor ............................................................................................. 462
Configuring IPS sensors ......................................................................................... 462
Configuring filters .................................................................................................... 464
Configuring pre-defined and custom overrides ....................................................... 465
Packet logging ........................................................................................................ 467

DoS sensors ................................................................................................................ 469
Viewing the DoS sensor list .................................................................................... 470
Configuring DoS sensors ........................................................................................ 470
Understanding the anomalies ................................................................................. 472
Intrusion protection CLI configuration ..................................................................... 472

Web Filter.............................................................................................. 475
Order of web filtering .................................................................................................. 475
How web filtering works ............................................................................................. 475
Web filter controls ....................................................................................................... 476


Web content block ....................................................................................................... 478
Viewing the web content block list catalog ............................................................. 479
Creating a new web content block list .................................................................... 479
Viewing the web content block list .......................................................................... 479
Configuring the web content block list .................................................................... 480
Viewing the web content exempt list catalog .......................................................... 481
Creating a new web content exempt list ................................................................. 482
Viewing the web content exempt list ...................................................................... 482
Configuring the web content exempt list ................................................................. 483
URL filter ...................................................................................................................... 483
Viewing the URL filter list catalog ........................................................................... 484
Creating a new URL filter list .................................................................................. 484
Viewing the URL filter list ........................................................................................ 485
Configuring the URL filter list .................................................................................. 485
Moving URLs in the URL filter list ........................................................................... 486
URL formats ............................................................................................................ 487
FortiGuard ................................................................................................................... 487
Configuring FortiGuard Web Filtering ..................................................................... 488
Configuring administrative override rules ................................................................ 488
Viewing the override list .......................................................................................... 489
Creating local categories ........................................................................................ 491
Viewing the local ratings list ................................................................................... 491
Configuring local ratings ......................................................................................... 492
Category block CLI configuration ............................................................................ 493

Antispam .............................................................................................. 495
Order of spam filtering ............................................................................................... 495
Anti-spam filter controls ............................................................................................ 496
Banned word ............................................................................................................... 498
Viewing the banned word list catalog ...................................................................... 498
Creating a new banned word list ............................................................................ 499
Viewing the antispam banned word list .................................................................. 499
Adding words to the banned word list ..................................................................... 500
IP address and email address black/white lists ....................................................... 501
Viewing the antispam IP address list catalog ......................................................... 501
Creating a new antispam IP address list ................................................................ 502
Viewing the antispam IP address list ...................................................................... 503
Adding an antispam IP address .............................................................................. 503
Viewing the antispam email address list catalog .................................................... 504
Creating a new antispam email address list ........................................................... 504
Viewing the antispam email address list ................................................................. 505
Configuring the antispam email address list ........................................................... 505

Advanced antispam configuration ............................................................................ 505
config spamfilter mheader ....................................................................................... 505
config spamfilter dnsbl ............................................................................................ 506
Using wildcards and Perl regular expressions ......................................................... 506
Perl regular expression formats .............................................................................. 507
Example regular expressions .................................................................................. 508

Data Leak Prevention ........................................................................... 511
DLP Sensors ................................................................................................................ 511
Viewing the DLP sensor list .................................................................................... 511
Adding and configuring a DLP sensor .................................................................... 512
Adding or editing a rule in a DLP sensor ................................................................ 513
DLP Rules .................................................................................................................... 515
Viewing the DLP rule list ......................................................................................... 515
Adding or configuring DLP rules ............................................................................. 516
DLP Compound Rules ................................................................................................ 519
Viewing the DLP compound rule list ....................................................................... 520
Adding and configuring DLP compound rules ........................................................ 520

Application Control .............................................................................. 523
What is application control? ...................................................................................... 523
FortiGuard application control database ................................................................. 523
Viewing the application control lists ......................................................................... 524
Creating a new application control list .................................................................... 524
Configuring an application control list ..................................................................... 525
Adding or configuring an application control list entry ............................................ 526
Application control statistics ..................................................................................... 527

IPSec VPN ............................................................................................ 531
Overview of IPSec VPN configuration ....................................................................... 531
Policy-based versus route-based VPNs .................................................................. 532
Auto Key ...................................................................................................................... 533
Creating a new phase 1 configuration .................................................................... 534
Defining phase 1 advanced settings ....................................................................... 536
Creating a new phase 2 configuration .................................................................... 538
Defining phase 2 advanced settings ....................................................................... 539
Manual Key .................................................................................................................. 541
Creating a new manual key configuration .............................................................. 542
Internet browsing configuration ................................................................................ 544
Concentrator ................................................................................................................ 544
Defining concentrator options ................................................................................. 545
Monitoring VPNs ......................................................................................................... 545

PPTP VPN ... 547
PPTP configuration using FortiGate web-based manager ... 547
PPTP configuration using CLI commands ... 547
SSL VPN ... 549
Configuring SSL VPN ... 551
ssl.root ... 551
Monitoring SSL VPN sessions ... 552
SSL VPN web portal ... 553
Default web portal configurations ... 554
General tab ... 554
Advanced tab ... 556
Adding and editing widgets ... 556
Session Information widget ... 558
Connection Tool widget ... 559
Bookmarks widget ... 559
Tunnel Mode widget ... 563
User ... 567
Getting started ... 567
Local user accounts
Configuring Local user accounts ... 568
Remote ... 568
User authentication
RADIUS ... 571
Configuring a RADIUS server ... 571
Dynamically assigning VPN client IP addresses from a RADIUS record ... 572
LDAP ... 573
Configuring an LDAP server ... 575
TACACS+ ... 575
Configuring TACACS+ servers ... 578
Directory Service ... 578
Configuring a Directory Service server ... 579
PKI ... 581
Configuring peer users and peer groups ... 581
User Group ... 582
Viewing the User group list
Firewall user groups ... 583
Configuring FortiGuard Web filtering override options
Directory Service user groups
SSL VPN user groups
Configuring a user group

Monitor ... 590
Firewall user monitor list ... 591
IM user monitor list ... 592
SSL VPN monitor list ... 593
IPSEC monitor list ... 594
The Banned User list ... 595
NAC quarantine and the Banned User list ... 595
Configuring NAC quarantine ... 596
NAC quarantine and DLP ... 596
NAC quarantine and DLP replacement messages
Options
WAN optimization and web caching
Overview of FortiGate WAN optimization ... 599
Frequently asked questions about FortiGate WAN optimization ... 599
FortiGate models that support WAN optimization
WAN optimization tunnels ... 601
Client/server or active passive WAN optimization ... 602
WAN optimization Transparent mode ... 603
WAN optimization rules and firewall policies ... 603
WAN optimization peer authentication ... 604
Authentication Groups
Configuring WAN optimization ... 604
How list order affects rule matching ... 605
Moving a rule to a different position in the rule list ... 606
Configuring a WAN optimization rule ... 607
Web caching ... 608
Web cache only topology ... 610
Configuring web cache only WAN optimization
Configuring client/server (active-passive) WAN optimization
Configuring client/server (active-passive) web caching
Peer to peer WAN optimization ... 617
Configuring peer to peer WAN optimization
Configuring peer to peer web caching
About WAN optimization addresses ... 620
Protocol optimization ... 622
Byte caching ... 623
SSL offloading for WAN optimization and web caching ... 624
Example configuration: SSL offloading for a WAN optimization tunnel ... 624
SSL offloading and reverse proxy web caching for an internet web server ... 625
Secure tunnelling ... 627
WAN optimization over IPSec VPN ... 630

Configuring WAN optimization storage ... 630
Example WAN optimization iSCSI configuration ... 631
About partition labels ... 632
WAN optimization and HA ... 633
Configuring peers ... 634
Configuring authentication groups ... 634
Details about WAN optimization peer authentication ... 635
Monitoring WAN optimization ... 636
Changing web cache settings ... 637
WAN optimization with FortiClient
Endpoint control ... 638
Configuring endpoint control ... 641
Viewing FortiClient required version information ... 641
Configuring FortiClient required version and installer download ... 642
Viewing and configuring the software detection list ... 642
Monitoring endpoints ... 643
Log&Report ... 644
FortiGate logging ... 647
FortiGuard Analysis and Management Service ... 647
FortiGuard Analysis and Management Service portal web site ... 648
Log severity levels ... 649
High Availability cluster logging ... 649
Storing logs ... 650
Logging to a FortiAnalyzer unit ... 650
Connecting to FortiAnalyzer using Automatic Discovery ... 651
Testing the FortiAnalyzer configuration ... 652
Logging to a FortiGuard Analysis server ... 653
Logging to a Syslog server ... 654
Logging to WebTrends ... 654
Logging to memory ... 655
Example configuration: logging all FortiGate traffic ... 657
Log types ... 658
Traffic log ... 659
Event log ... 660
Antivirus log ... 660
Web filter log ... 660
Attack log (IPS) ... 661
Spam filter log ... 661
Data Leak Prevention log ... 661
Application Control log

Accessing Logs ... 662
Accessing logs stored in memory ... 662
Accessing logs stored on the hard disk
Accessing logs stored on the FortiAnalyzer unit
Accessing logs stored on the FortiGuard Analysis server
Viewing log information ... 664
Customizing the display of log messages ... 664
Column settings ... 665
Filtering log messages ... 666
Content Archive ... 667
Content archiving and data leak prevention ... 667
Configuring spam email message content archiving ... 668
Configuring VoIP content archiving ... 668
Viewing content archives ... 669
Alert Email ... 670
Configuring Alert Email ... 670
Reports ... 672
Viewing basic traffic reports ... 673
Viewing FortiAnalyzer reports ... 673
FortiAnalyzer report schedules ... 674
Printing your FortiAnalyzer report ... 677
Index ... 679

Introduction

Ranging from the FortiGate®-50 series for small businesses to the FortiGate-5000 series for large enterprises, service providers and carriers, the FortiGate line combines the FortiOS™ security operating system with FortiASIC™ processors and other hardware to provide a high-performance array of security and networking functions including:
• firewall, VPN, and traffic shaping
• Intrusion Prevention system (IPS)
• antivirus/antispyware/antimalware
• web filtering
• antispam
• application control (for example, IM and P2P)
• VoIP support (H.323, SIP, and SCCP)
• Layer 2/3 routing
• multiple redundant WAN interface options

FortiGate appliances provide cost-effective, comprehensive protection against network, content, and application-level threats, including complex attacks favored by cybercriminals, without degrading network availability and uptime. FortiGate platforms include sophisticated networking features, such as high availability (active/active, active/passive) for maximum network uptime, and virtual domain capabilities to separate various networks requiring different security policies.

This chapter contains the following sections:
• Fortinet products
• About this document
• Document conventions
• Registering your Fortinet product
• Customer service and technical support
• Fortinet documentation

Fortinet products

Fortinet's portfolio of security gateways and complementary products offers a powerful blend of ASIC-accelerated performance, integrated multi-threat protection, and constantly updated, in-depth threat intelligence. This unique combination delivers network, content, and application security for enterprises of all sizes, managed service providers, and telecommunications carriers, while providing a flexible, scalable path for expansion. For more information on the Fortinet product family, go to www.fortinet.com/products.

About this document

This FortiGate Version 4.0 Administration Guide provides detailed information for system administrators about FortiGate™ web-based manager and FortiOS options and how to use them. This guide also contains some information about the FortiGate CLI.

This section of the guide contains a brief explanation of the structure of the guide, and gives an overview of each chapter.

The administration guide describes web-based manager functions in the same order as the web-based manager (or GUI) menu. The document begins with several chapters that provide an overview to help you start using the product: the FortiGate web-based manager, Managing Firmware, and Using virtual domains. Following these chapters, each item in the System, Router, Firewall, UTM, and VPN menus gets a separate chapter. Then User, Endpoint Control, WAN optimization, and Log&Report are all described in single chapters. The document concludes with a detailed index.

VDOM and Global configuration settings apply only to a FortiGate unit operating with virtual domains enabled. VDOM and Global icons appear in this administration guide to indicate that a chapter or section is part of either the VDOM or Global configuration. No distinction is made between these configuration settings when virtual domains are not enabled.

The information in this document is also available in a slightly different form as FortiGate web-based manager online help. The most recent version of this document is available from the FortiGate page of the Fortinet Technical Documentation web site. You can also find more information about FortiOS from the same FortiGate page, as well as from the Fortinet Knowledge Center.

This administration guide contains the following chapters:
• What's new in FortiOS 4.0 lists and describes some of the new features and changes in FortiOS Version 4.0.
• Web-based manager introduces the features of the FortiGate web-based manager, and explains how to connect to it. It also includes information about how to use the web-based manager online help.
• Managing firmware versions describes upgrading and managing firmware versions. You should review this section before upgrading your FortiGate firmware because it contains important information about how to properly back up your current configuration settings and what to do if the upgrade is unsuccessful.
• Using virtual domains describes how to use virtual domains to operate your FortiGate unit as multiple virtual FortiGate units, which effectively provides multiple separate firewall and routing services to multiple networks.
• System Status describes the System Status page, the dashboard of your FortiGate unit. At a glance you can view the current system status of the FortiGate unit including serial number, uptime, FortiGuard license information, system resource usage, alert messages and network statistics. This section also describes status changes that you can make, including changing the unit firmware, host name, and system time. You can also access the CLI from this page. Finally this section describes the topology viewer that is available on all FortiGate models except those with model numbers 50 and 60.
• System Network explains how to configure physical and virtual interfaces and DNS settings on the FortiGate unit.
• System Wireless describes how to configure the Wireless LAN interface on a FortiWiFi-60 unit.
• System DHCP explains how to configure a FortiGate interface as a DHCP server or DHCP relay agent.
• System Config contains procedures for configuring HA and virtual clustering, configuring SNMP and replacement messages, and changing the operation mode.

• System Admin guides you through adding and editing administrator accounts, defining admin profiles for administrators, defining general administrative settings such as language, timeouts, and web administration ports, and configuring central management using the FortiGuard Analysis and Management Service or FortiManager.
• System Maintenance details how to back up and restore the system configuration using a management computer or a USB disk, use revision control, enable FortiGuard services and FortiGuard Distribution Network (FDN) updates, and enter a license key to increase the maximum number of virtual domains.
• System Certificates explains how to manage X.509 security certificates used by various FortiGate features such as IPSec VPN and administrator authentication.
• Router Static explains how to define static routes and create route policies. A static route causes packets to be forwarded to a destination other than the factory configured default gateway.
• Router Dynamic explains how to configure dynamic protocols to route traffic through large or complex networks.
• Router Monitor explains how to interpret the Routing Monitor list. The list displays the entries in the FortiGate routing table.
• Firewall Policy describes how to add firewall policies to control connections and traffic between FortiGate interfaces, zones, and VLAN subinterfaces.
• Firewall Address describes how to configure addresses and address groups for firewall policies.
• Firewall Service describes available services and how to configure service groups for firewall policies.
• Firewall Schedule describes how to configure one-time and recurring schedules for firewall policies.
• Traffic Shaping describes how to create traffic shaping instances and add them to firewall policies.
• Firewall Virtual IP describes how to configure and use virtual IP addresses and IP pools.
• Firewall Load Balance describes how to use FortiGate load balancing to intercept incoming traffic and balance it across available servers.
• Firewall Protection Profile describes how to configure protection profiles for firewall policies.
• AntiVirus explains how to enable antivirus options when you create a firewall protection profile.
• Intrusion Protection explains how to configure IPS options when a firewall protection profile is created.
• Web Filter explains how to configure web filter options when a firewall protection profile is created.
• Antispam explains how to configure spam filter options when a firewall protection profile is created.
• Data Leak Prevention explains how to use FortiGate data leak prevention to prevent sensitive data from leaving your network.
• Application Control describes how to configure the application control options associated with firewall protection profiles.
• SIP support includes some high-level information about VoIP and SIP and describes how FortiOS SIP support works and how to configure the key SIP features.

• IPSec VPN provides information about the tunnel-mode and route-based (interface mode) Internet Protocol Security (IPSec) VPN options available through the web-based manager.
• PPTP VPN explains how to use the web-based manager to specify a range of IP addresses for PPTP clients.
• SSL VPN provides information about basic SSL VPN settings.
• User describes how to control access to network resources through user authentication.
• Endpoint control describes how to use FortiGate end point control to enforce the use of FortiClient End Point Security (Enterprise Edition) in your network.
• WAN optimization and web caching describes how to use FortiGate units to improve performance and security of traffic passing between locations on your wide area network (WAN) or over the Internet by applying WAN optimization and web caching.
• Log&Report describes how to enable logging, view log files, and view the basic reports available through the web-based manager.

Document conventions

Fortinet technical documentation uses the conventions described below.

IP addresses

To avoid publication of public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at http://ietf.org/rfc/rfc1918.txt?number-1918.

CLI constraints

CLI constraints, such as <address_ipv4>, indicate which data types or string patterns are acceptable input for a given parameter or variable value. CLI constraint conventions are described in the CLI Reference document for each product.

Cautions, Notes and Tips

Fortinet technical documentation uses the following guidance and styles for cautions, notes and tips.

Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.

Note: Also presents useful information, but usually focused on an alternative, optional method, such as a shortcut, to perform a step.

Tip: Highlights useful additional information, often tailored to your workplace activity.

fortinet. see “VDOM configuration settings” on page 104. such as firmware updates. visit the Fortinet Technical Support web site at https://support.com. To learn about the technical support services that Fortinet provides. see the Fortinet Knowledge Center article Registration Frequently Asked Questions. or check box label Keyboard entry Navigation Emphasis CLI input Type a name for the remote VPN peer or client. config system dns set primary <address_ipv4> end FGT-602803030703 # get system settings comments : (null) opmode : nat <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD> <BODY><H4>You must authenticate to use this service.fortinet.com.com/ • Feedback 25 .</H4> Visit the Fortinet Technical Support web site. technical support. For details. Go to VPN > IPSEC > Auto Key (IKE). configure them easily. such as Central_Office_1.fortinet. https://support. HTTP connections are not secure and can be intercepted by a third party. For a list of required information. and operate them reliably in your network. and FortiGuard Antivirus and other FortiGuard services. The chapter or section contains Global configuration settings. From Minimum log level. The chapter or section contains VDOM configuration settings. CLI output File content Hyperlink Publication Registering your Fortinet product Before you begin.com. a network diagram. You can dramatically improve the time that it takes to resolve your technical support ticket by providing your configuration file.fortinet. see “Global configuration settings” on page 107. see the Fortinet Knowledge Center article What does Fortinet Technical Support require in order to best assist the customer? FortiGate Version 4. require product registration.Introduction Registering your Fortinet product Typographical conventions Fortinet documentation uses the following typographical conventions: Table 1: Typographical conventions in Fortinet technical documentation Convention Example Button. 
take a moment to register your Fortinet product at the Fortinet Technical Support web site. menu. field. For more information.0 Administration Guide 01-400-89802-20090424 http://docs. text box. and other specific information. https://support. Customer service and technical support Fortinet Technical Support provides services designed to make sure that you can install your Fortinet products quickly. select Notification. see the FortiGate Administration Guide. Many Fortinet customer services.

Training

Fortinet Training Services provides classes that orient you quickly to your new equipment, and certifications to verify your knowledge level. Fortinet provides a variety of training programs to serve the needs of our customers and partners world-wide. To learn about the training services that Fortinet provides, visit the Fortinet Training Services web site at http://campus.training.fortinet.com, or email them at training@fortinet.com.

Fortinet documentation

The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications, as well as additional technical documentation such as technical notes. In addition to the Fortinet Technical Documentation web site, you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet Knowledge Center.

Tools and Documentation CD

The documentation for your product is available on the Fortinet Tools and Documentation CD shipped with your product. The documents on this CD are current at shipping time. For the most current versions of Fortinet documentation, visit the Fortinet Technical Documentation web site, http://docs.fortinet.com.

Fortinet Knowledge Center

The Fortinet Knowledge Center provides additional Fortinet technical documentation, such as troubleshooting and how-to articles, examples, FAQs, technical notes, a glossary, and more. Visit the Fortinet Knowledge Center at http://kc.fortinet.com.

Comments on Fortinet technical documentation

Please send information about any errors or omissions in this or any Fortinet technical document to techdoc@fortinet.com.

What's new in FortiOS 4.0
This section lists and describes some of the new features and changes in FortiOS Version 4.0.
• FortiOS 4.0 FortiGate models and features supported
• UTM features grouped under new UTM menu
• Data Leak Prevention
• Application Control
• SSL content scanning and inspection
• WAN Optimization
• Endpoint control
• Network Access Control (NAC) quarantine
• IPS extensions
  • DoS policies for applying IPS sensors
  • NAC quarantine in DoS Sensors
  • Adding IPS sensors to a DoS policy from the CLI
  • One-arm IDS (sniffer mode)
  • IPS interface policies for IPv6
  • IPS Packet Logging
• Enhanced Antispam Engine (ASE)
• WCCP v2 support
• "Any" interface for firewall policies
• Global view of firewall policies
• Identity-based firewall policies
• Web filtering HTTP upload enhancements
• Traffic shaping enhancements
• Firewall load balancing virtual IP changes
• Per-firewall policy session TTL
• Gratuitous ARP for virtual IPs
• Changes to protection profiles
• Changes to content archiving
• Customizable web-based manager pages
• Administration over modem
• Auto-bypass and recovery for AMC bridge module
• Rogue Wireless Access Point detection
• Configurable VDOM and global resource limits
• User authentication monitor
• OCSP and SCEP certificate over HTTPS
• Adding non-standard ports for firewall authentication
• Dynamically assigning VPN client IP addresses from a RADIUS record
• DHCP over route-based IPSec VPNs
• SNMP upgraded to v3.0
• File Quarantine
• Customizable SSL VPN web portals
• Logging improvements
• Web filtering HTTP POST traffic (blocking or comforting HTTP post traffic)

FortiOS 4.0 FortiGate models and features supported
You can install and run FortiOS 4.0 on the following FortiGate models:
• 30B, 50B, 51B, WiFi-50B, 60B, WiFi-60B, 100A, 110C, 111C
• 200A, 224B, 300A, 310B, 400A, 500A, 620B, 800, 800F
• 1000A, 1000AFA2, 3016B, 3600, 3600A, 3810A, 5001SX, 5001FA2, 5001A-SW, 5001A-DW, 5005FA2

Note: The information in this section is subject to change.

Table 2 shows the FortiGate models that support some of the major new FortiOS 4.0 features. All other new FortiOS 4.0 features are available on all models except for the FortiGate-30 model, which supports a reduced feature set.

Table 2: New FortiOS 4.0 feature support
Feature                              | FortiGate Models
WAN optimization                     | 51B*, 111C*, 310B**, 620B**, 3016B**, 3600A**, 3810A**, 5001A-SW**
SSL Content Scanning and Inspection  | 110C, 111C, 310B, 620B, 3016B, 3600A, 3810A, 5001A-SW, 5001A-DW, 5005FA2
Data Leak Prevention (DLP)           | All models that support FortiOS 4.0
End Point Control                    | All models that support FortiOS 4.0
NAC Quarantine                       | All models that support FortiOS 4.0

*WAN optimization is available on FortiGate-51B and 111C models because these models include high-capacity internal hard disks.
**WAN optimization is available on FortiGate-310B, 620B, 3016B, 3600A, 3810A, and 5001A-SW models because these models include a single-width AMC slot. To support WAN optimization you can install a FortiGate-ASM-S08 module or FortiGate-ASM-SAS module in the single-width AMC slot and use the hard disk in the ASM-S08 module or a SAS disk array connected to the ASM-SAS module for WAN optimization. All FortiGate models that support a single-width AMC slot can also be configured to support iSCSI to cache WAN Optimization data to an external iSCSI storage device. You do not need to install an ASM module in the single-width AMC slot to configure and use iSCSI.

UTM features grouped under new UTM menu
AntiVirus, Intrusion Protection, Web Filter, and AntiSpam, as well as the new Data Leak Prevention and Application Control features, are grouped under a new UTM menu. All the familiar Antivirus, Intrusion Protection, Web Filter, and AntiSpam features are available here. If you enable virtual domains, you configure all UTM features separately for each VDOM except for the Antivirus quarantine and grayware configuration.

Data Leak Prevention
The new Data Leak Prevention (DLP) feature protects sensitive information from being transmitted via web, email or file transfer protocols. You define rules and compound rules to detect possible data leaks and specify the action to take in response. Rules and compound rules are combined into DLP sensors, which you can enable in firewall protection profiles. For more information, see "Data Leak Prevention" on page 511.

Application Control
The new Application Control UTM feature allows your FortiGate unit to detect and take action against network traffic depending on the application generating the traffic. Based on FortiGate Intrusion Protection protocol decoders, application control is a more user-friendly and powerful way to use Intrusion Protection features to log and manage the behavior of application traffic passing through the FortiGate unit. Application control uses IPS protocol decoders that can analyze network traffic to detect application traffic even if the traffic uses non-standard ports or protocols. The FortiGate unit can recognize the network traffic generated by more than 70 applications. You can create application control lists that specify what action will be taken with the traffic of the applications you need to manage. You can also create multiple application control lists, each tailored to a particular network. You specify the application control list in the protection profile applied to the network traffic you need to monitor. Most IM, P2P, and VoIP functionality has been integrated into application control. IM user control has moved to User > Local > IM. IM user monitoring has moved to User > Monitor > IM User Monitor. For more information, see "Application Control" on page 523.

SSL content scanning and inspection
FortiGate models that include hardware supporting SSL acceleration now also support SSL content scanning and inspection. Using SSL content scanning and inspection, you can apply antivirus scanning, web filtering, FortiGuard web filtering, spam filtering, data leak prevention (DLP), and content archiving to HTTPS, IMAPS, POP3S, and SMTPS traffic. The following FortiGate models support SSL content scanning and inspection:
• 110C
• 111C
• 310B
• 620B
• 3016B
• 3600A
• 3810A
• 5005FA2
• 5001A
For more information, see "SSL content scanning and inspection" on page 399.

WAN Optimization
You can use the new FortiGate WAN Optimization feature to improve performance and security across a WAN by applying a number of related techniques, including protocol and application-based data compression and optimization, data deduction (a technique that reduces how often the same data is transmitted across the WAN), web caching, secure tunneling and SSL acceleration. If the FortiGate unit contains a hard disk drive, these files are cached to more efficiently serve downloads to multiple end points. For more information, see "WAN optimization and web caching" on page 599.

Endpoint control
The new Endpoint Compliance feature (also called endpoint control) replaces the FortiOS 3.0 Check FortiClient Installed and Running firewall options. You can enforce the use of FortiClient End Point Security (Enterprise Edition) in your network and ensure that clients have both the most recent version of the FortiClient software and the most up-to-date antivirus signatures. The FortiGate unit retrieves FortiClient software and antivirus updates from the FortiGuard Distribution Network. Go to Endpoint Control > FortiClient to see the software and antivirus signature versions that the endpoint control feature enforces. The Endpoint Compliance feature also provides monitoring. The FortiGate unit gathers information from client PCs when they use a firewall policy with the Enable Endpoint Compliance Check option enabled. For more information, see "Endpoint control" on page 641 and "Endpoint Compliance Check options" on page 336.

Network Access Control (NAC) quarantine
FortiOS 4.0 provides new Network Access Control (NAC) quarantine features that you can use with Antivirus and intrusion protection to block (or quarantine) users or FortiGate interfaces when a virus is found or an attack is detected by an IPS Sensor or a DoS Sensor. You can also use IPS Sensors and DoS Sensors to block communication between the source and destination of an attack. The FortiGate unit adds blocked users and interfaces to the banned users list. FortiGate administrators can view the users and interfaces on the banned users list and manually remove them from the list to restore normal access. Data Leak Prevention (DLP) also includes features similar to NAC quarantine that you can use to block users who send content that matches a DLP sensor. For information about NAC quarantine, see "NAC quarantine and the Banned User list" on page 595.

IPS extensions
FortiOS 4.0 includes the following new IPS features:
• DoS policies for applying IPS sensors
• NAC quarantine in DoS Sensors
• Adding IPS sensors to a DoS policy from the CLI
• One-arm IDS (sniffer mode)
• IPS interface policies for IPv6
• IPS Packet Logging

DoS policies for applying IPS sensors
In FortiOS 4.0, you can now apply IPS Denial of Service (DoS) sensors to traffic on interfaces by creating DoS policies. DoS policies are independent from firewall policies and are used to associate DoS sensors with traffic that reaches a FortiGate interface. DoS policies deliver packets to the IPS before they are accepted by firewall policies. This arrangement has the following benefits:
• Protection from denial of service attacks is more effective because these attacks can be detected and blocked before the firewall sees the packets, so system resources are not affected by denial of service attacks.
• All attacking traffic can be filtered out before being accepted by firewall policies.
• IPS can inspect traffic that is not normally processed by the firewall, including traffic that is:
  • normally dropped by the firewall (for example, flood, broadcast, and multicast traffic)
  • matched by a deny policy (deny policies do not include protection profiles)
  • not matched by any firewall policy
  • using a protocol not normally processed by firewall policies (for example, packets with invalid headers)
For more information, see "DoS policies" on page 337.

NAC quarantine in DoS Sensors
From the FortiGate CLI you can now configure NAC quarantine for each anomaly in a DoS Sensor. You can configure the anomaly to quarantine the source address of the attack (attacker) or both the source and destination address of the attack (both).
config ips DoS
    edit new_DoS-sensor
        config anomaly
            edit "tcp_dst_session"
                set status enable
                set quarantine {attacker | both | none}
                set quarantine-expiry 600
                set threshold 5000
            end
        end
    end

Adding IPS sensors to a DoS policy from the CLI
You can now add an IPS Sensor to a DoS policy from the CLI. The CLI command for configuring DoS policies is config firewall interface-policy. The following command syntax shows how to add an example IPS sensor called all_default_pass to a DoS policy with policy ID 5 that was previously added from the web-based manager.
config firewall interface-policy
    edit 5
        set ips-sensor-status enable
        set ips-sensor all_default_pass
    end

One-arm IDS (sniffer mode)
Using the one-arm intrusion detection system (IDS), you can now configure a FortiGate unit to operate as an IDS appliance by sniffing packets for attacks without actually receiving and otherwise processing the packets. To configure one-arm IDS, you enable sniffer mode on a FortiGate interface and connect that interface to a hub or to the SPAN port of a switch that is processing network traffic. Then you can add DoS policies for that FortiGate interface that include DoS sensors and optionally IPS sensors to detect attacks in the traffic that the FortiGate interface receives from the hub or switch SPAN port. In sniffer mode, the interface receives packets accepted by DoS policies only. All packets not received by DoS policies are dropped. All packets received by DoS policies go through IPS inspection and are dropped when this inspection detects attacks. One-arm IDS cannot block traffic. However, if you enable logging in the DoS and IPS sensors, the FortiGate unit records log messages for all detected attacks.

Figure 1: One-arm IDS topology (Internet, hub or switch SPAN port, internal network)

To enable sniffer mode on a FortiGate unit port5 interface, enter the following CLI commands:
config system interface
    edit port5
        set ips-sniffer-mode enable
    end

IPS interface policies for IPv6
Similar to interface-based DoS policies for IPv4, you can use the FortiGate CLI command config firewall interface-policy6 to add IPv6 interface-based policies. In FortiOS version 4.0, you can add IPS Sensors to IPv6 interface-based policies:
config firewall interface-policy6
    edit 1
        set interface "port1"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set service6 "ANY"
        set ips-sensor-status enable
        set ips-sensor "all_default"
    end

IPS Packet Logging
For FortiOS 4.0, IPS packet logging has been enhanced to allow sending log messages to a FortiAnalyzer unit or the FortiGuard Analysis and Manager Service. Also, if you are storing IPS packet logs in FortiGate memory, new CLI commands are available to control the amount of memory available and the number of packets that are saved when logging packets. For more information, see "Packet logging" on page 467.

Enhanced Antispam Engine (ASE)
FortiOS 4.0 includes a new Antispam Engine (ASE) that can be updated from the FortiGuard Distribution Network to add new antispam techniques without requiring a FortiOS firmware update. You can also update the ASE manually using the following CLI command:
execute restore ase {ftp | sftp} <filename> <server> <userid>

WCCP v2 support
You can now use WCCP v2 to configure a FortiGate unit to optimize web traffic. The FortiGate unit supports WCCP v2 by transparently redirecting selected types of traffic to a group of cache servers. This traffic includes user requests to view pages on Web servers and the replies to those requests. When a user requests a page from a web server, the FortiGate unit sends that request to a cache server (also called a web-cache server). If the cache server has a copy of the requested page in storage, the cache server sends the user that page. Otherwise, the cache server retrieves the requested page, caches a copy of it, and forwards it to the user, thus reducing transmission costs and downloading time.

To configure WCCP support you use the config system wccp command to enable WCCP support. When WCCP is enabled, the FortiGate unit maintains a web cache server list in the WCCP database. Then you enable WCCP for firewall policies using the wccp keyword. When these WCCP-enabled firewall policies accept traffic, the traffic is re-directed to a cache server. The FortiGate unit uses the information in the WCCP database to determine the cache server to redirect the traffic to.

Finally, you must configure interfaces connected to WCCP cache servers to accept WCCP messages. If virtual domains are enabled, you configure WCCP separately for each virtual domain.

To configure WCCP
You configure WCCP from the CLI.
1 Start WCCP and configure WCCP database settings:
config system wccp
    edit <service-id>
        set router-id <interface_ipv4>
        set server-list <server_ipv4mask>
        set group-address <ip_multicast_ipv4>
        set password <password>
        set forward-method {GRE | L2 | any}
        set return-method {GRE | L2 | any}
        set assignment-method {HASH | MASK | any}
    next
end

Variable, description and default:

authentication {disable | enable}
    Enable or disable using MD5 authentication for the WCCP configuration.

<service-id>
    The WCCP service ID, 0-255. 0 for HTTP.

router-id <interface_ipv4>
    An IP address known to all cache servers. This IP address identifies a FortiGate interface IP address to the cache servers, and this IP address must be added to the configuration of the cache servers. If all cache servers connect to the same FortiGate interface, <interface_ipv4> can be 0.0.0.0 and the FortiGate unit uses the IP address of that interface as the router-id. If the cache servers can connect to different FortiGate interfaces, you must set router-id to a single IP address. Default: 0.0.0.0

server-list <server_ipv4mask>
    The IP addresses of the cache servers.

group-address <ip_multicast_ipv4>
    The IP multicast address used by the cache servers. 0.0.0.0 means the FortiGate unit ignores multicast WCCP traffic. Otherwise, group-address must be from 224.0.0.0 to 239.255.255.255. Default: 0.0.0.0

password <password_str>
    The MD5 authentication password. Maximum length is 8 characters.

forward-method {GRE | L2 | any}
    Specifies how the FortiGate unit forwards traffic to cache servers. If forward-method is any, the cache server determines the forward method. Default: GRE

return-method {GRE | L2 | any}
    Specifies how a cache server declines a redirected packet and returns it to the firewall. If return-method is any, the cache server determines the return method. Default: GRE

assignment-method {HASH | MASK | any}
    Specifies which assignment method the FortiGate unit prefers. If assignment-method is any, the cache server determines the assignment method. Default: HASH

2 Add a firewall policy to enable WCCP for traffic accepted by the firewall policy.
config firewall policy
    edit <policy_id>
        (configure the firewall policy)
        set wccp {enable | disable}
    next
end

3 Configure the interfaces that connect to cache servers to accept WCCP traffic.
config system interface
    edit <interface_name>
        (configure the interface)
        set wccp {enable | disable}
    next
    edit <interface_name>
        (configure the interface)
        set wccp {enable | disable}
    next
end

"Any" interface for firewall policies
You can now define a firewall policy where the source or destination interface is any. If you add a firewall policy with the source or destination interface set to any, the firewall will match the policy with packets to or from any interface. If you have firewall policies with Any as source or destination, only the global view is available. For more information, see "Viewing the firewall policy list" on page 321.

Global view of firewall policies
In FortiOS 3.0 you could display firewall policies organized by source and destination interfaces. In FortiOS 4.0 this is called Section View. You can also switch to Global View to list all firewall policies in order according to a sequence number. The sequence number indicates the order of the policies in the policy list. When you rearrange the policy order the sequence number changes. The Policy ID remains independent of the sequence number. For more information, see "Viewing the firewall policy list" on page 321.

Figure 2: Example global view including an "any" firewall policy

Identity-based firewall policies
FortiOS 4.0 supports firewall policy authentication in a more flexible way than earlier releases. Any firewall policy that requires authentication is now known as an identity-based policy. Optionally, you can permit different schedules or services and apply different protection profiles to different user groups. For more information, see "Identity-based firewall policy options (non-SSL-VPN)" on page 328.
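The three-step WCCP procedure above, as an added worked example that is not Fortinet's code: a small Python tool that checks a WCCP service definition against the constraints in the variable table (service-id range, router-id, multicast group-address range, 8-character password, the forward, return and assignment methods) and then emits the CLI for the service, the WCCP-enabled firewall policies and the cache-facing interfaces. The interface names, addresses and policy IDs are constructed sample values, and the refusal of a 0.0.0.0 router-id with more than one cache-facing interface follows the router-id description above.

```python
"""Validate and render a FortiOS 4.0 WCCP v2 configuration.

Added example, not Fortinet code. It encodes the constraints listed in the
WCCP variable table and emits the three CLI blocks of the procedure: the
config system wccp service, the firewall policies with wccp enabled, and the
interfaces facing the cache servers. All interface names, addresses and
policy IDs used here are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

METHODS = {"GRE", "L2", "any"}
ASSIGNMENT_METHODS = {"HASH", "MASK", "any"}
MULTICAST = IPv4Network("224.0.0.0/4")   # 224.0.0.0 - 239.255.255.255
UNSPECIFIED = IPv4Address("0.0.0.0")


def _ipv4(text: str) -> Optional[IPv4Address]:
    """Parse an IPv4 address, returning None instead of raising."""
    try:
        return IPv4Address(text)
    except ValueError:
        return None


@dataclass
class WccpService:
    service_id: int = 0               # 0 is the HTTP service
    router_id: str = "0.0.0.0"        # 0.0.0.0: use the receiving interface's own address
    server_list: str = "0.0.0.0/0"    # cache servers, IPv4 address/mask
    group_address: str = "0.0.0.0"    # 0.0.0.0: ignore multicast WCCP traffic
    authentication: bool = False      # MD5 authentication (the table's authentication keyword)
    password: str = ""                # MD5 password, at most 8 characters
    forward_method: str = "GRE"
    return_method: str = "GRE"
    assignment_method: str = "HASH"

    def validate(self) -> List[str]:
        """Return the documented constraints this service violates (empty list = OK)."""
        problems = []
        if not 0 <= self.service_id <= 255:
            problems.append("service-id must be 0-255")
        if _ipv4(self.router_id) is None:
            problems.append("router-id must be an IPv4 address (0.0.0.0 allowed)")
        try:
            IPv4Network(self.server_list, strict=False)
        except ValueError:
            problems.append("server-list must be an IPv4 address/mask")
        group = _ipv4(self.group_address)
        if group is None or (group != UNSPECIFIED and group not in MULTICAST):
            problems.append("group-address must be 0.0.0.0 or in 224.0.0.0-239.255.255.255")
        if len(self.password) > 8:
            problems.append("password is limited to 8 characters")
        if self.authentication and not self.password:
            problems.append("authentication enabled without a password")  # this example's own check
        if self.forward_method not in METHODS:
            problems.append("forward-method must be GRE, L2 or any")
        if self.return_method not in METHODS:
            problems.append("return-method must be GRE, L2 or any")
        if self.assignment_method not in ASSIGNMENT_METHODS:
            problems.append("assignment-method must be HASH, MASK or any")
        return problems


def render_cli(svc: WccpService, policy_ids: List[int], interfaces: List[str]) -> str:
    """Emit the three-step WCCP CLI procedure, refusing configurations that break a documented rule."""
    problems = svc.validate()
    # Cache servers reachable through more than one interface need an explicit router-id.
    if len(interfaces) > 1 and _ipv4(svc.router_id) == UNSPECIFIED:
        problems.append("router-id must be a single IP address when cache servers use several interfaces")
    if not interfaces or not policy_ids:
        problems.append("at least one interface and one firewall policy are required")
    if problems:
        raise ValueError("; ".join(problems))

    lines = ["config system wccp", f"    edit {svc.service_id}",            # step 1
             f"        set router-id {svc.router_id}",
             f"        set server-list {svc.server_list}",
             f"        set group-address {svc.group_address}"]
    if svc.authentication:
        lines += ["        set authentication enable", f"        set password {svc.password}"]
    lines += [f"        set forward-method {svc.forward_method}",
              f"        set return-method {svc.return_method}",
              f"        set assignment-method {svc.assignment_method}",
              "    next", "end", "config firewall policy"]
    for pid in policy_ids:                  # step 2: redirect traffic these policies accept
        lines += [f"    edit {pid}", "        set wccp enable", "    next"]
    lines += ["end", "config system interface"]
    for name in interfaces:                 # step 3: accept WCCP messages from the cache servers
        lines += [f"    edit {name}", "        set wccp enable", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    demo = WccpService(router_id="10.1.1.1", server_list="10.1.1.0/24",
                       group_address="224.0.1.5", authentication=True, password="s3cret")
    print(render_cli(demo, policy_ids=[7], interfaces=["port2", "port3"]))
```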

Web filtering HTTP upload enhancements
You can use web filtering to block HTTP uploads or, optionally, to send cached file data slowly to prevent the server from timing out during file scanning. This is a new option in the Web Filter part of the protection profile. For more information, see "Web Filtering options" on page 411.

Traffic shaping enhancements
Traffic shaping settings are now configured outside the firewall policy under the Traffic Shaper menu. You can configure multiple traffic shapers and add them to different firewall policies. P2P traffic shaping is configured in the protection profile with separate settings for each direction, but is otherwise unchanged. For more information, see "Traffic Shaping" on page 423.

Firewall load balancing virtual IP changes
In FortiOS 4.0, server load balance Virtual IPs (VIPs) are configured separately from other VIPs. To configure load balance VIPs, go to Firewall > Load Balance. In the CLI configuration for a VIP, use config firewall vip. In previous releases of FortiOS, you created VIP mappings between one or more real servers and an external IP address. In FortiOS 4.0, you first define virtual servers. Then you define real servers and associate them with the virtual servers. For more information, see "Firewall Load Balance" on page 389.

Health Check Monitor
As in FortiOS 3.0, you can define health check monitors. The Health Check Monitor tab has moved to the Load Balance page from the Virtual IP page. You select the health check monitors in the virtual server configuration. For more information, see "Configuring health check monitors" on page 393.

Load balancing server monitor
A new monitor page (go to Firewall > Load Balance > Monitor) shows the status of each virtual server and real server. For more information, see "Monitoring the servers" on page 395.

User session persistence
When you create a virtual server, you can now enable user session persistence by using an HTTP cookie or the SSL session ID. You can set the duration, domain and other properties of the cookie.

Per-firewall policy session TTL
If required by a network or by the services to be provided by a FortiGate unit, you can now use the session-ttl keyword of the config firewall policy command to control the session time to live (TTL) for communication sessions accepted by a firewall policy. The range for the firewall policy session TTL is 300 to 604800 seconds. The default setting for session-ttl in a firewall policy is 0, which means use the default session TTL as set by the config system session-ttl command. The default session TTL setting is 3600 seconds.

Gratuitous ARP for virtual IPs
You can configure sending of ARP packets to maintain connectivity of virtual IPs where other routers clear their ARP table periodically. You can set the time interval between sending ARP packets. Set the interval to 0 to disable sending ARP packets. Use the following command syntax in the CLI to configure sending of ARP packets by a virtual IP.
config firewall vip
    edit new_vip
        (configure the virtual IP)
        set gratuitous-arp-interval <interval_seconds>
    end

Changes to protection profiles
New configuration settings have been added to protection profiles, and familiar configuration settings in protection profiles have been reorganized. For a complete description of FortiOS 4.0 protection profiles, see "Configuring a protection profile" on page 404.

Changes to content archiving
You now configure full and summary content archiving in DLP sensors. Other content archiving settings are also available in protection profiles and from Application Control in the CLI. Related to the changes to content archiving, the information displayed by the Statistics widget on the system dashboard has also changed; see "Statistics" on page 71. For information about FortiOS 4.0 content archiving, see "Content Archive" on page 667.

Customizable web-based manager pages
In addition to configuring administrators with varying levels of access to different parts of the FortiGate unit configuration, if you are a super_admin, you can customize the FortiGate web-based manager (or GUI) to show, hide, and arrange widgets/menus/items according to your specific requirements. Customizing the display allows you to vary or limit the GUI layout to fulfill different administrator roles. In standard operation mode, the display is static. There are also several configuration widgets which you can enable for CLI-only options that are not displayed by default. The customized GUI layouts are stored as part of the administrator admin profile. For more information, see "Customizable web-based manager" on page 231.

Administration over modem
You can now use the following CLI command to configure a FortiGate modem interface so that you can dial into the modem and administer the FortiGate unit.
config system dialinsvr
    set status enable
    set server-ip <ip_address>
    set client-ip <ip_address>
    set usrgrp "grp1"
    set allowaccess ping https ssh http telnet
    set modem-dev external
end

Auto-bypass and recovery for AMC bridge module
If you have installed one of the FortiGate-ASM-FX2 or FortiGate-ASM-CX4 AMC bridge modules, you can use the CLI to configure how the bridge module recovers from switching to bridge mode because of a failure with the FortiGate unit hardware or software process. In this example, the FortiGate-ASM-CX4 module is installed in slot 1:
config system amc
    set sw1 asm-cx4
    set watchdog-recovery {enable | disable}
    set watchdog-recovery-period <holddown_time>
end
The watchdog-recovery-period keyword determines the length of the hold-down period during which the software watchdog monitors critical software processes before concluding they have stabilized.
Note: AMC bridge mode is only supported in Transparent mode.

Rogue Wireless Access Point detection
FortiWifi-50B and FortiWifi-60B units can now use rogue access point detection to scan for wireless access points. For more information, see "Rogue AP detection" on page 168.

Configurable VDOM and global resource limits
FortiGate units have upper limits for resources such as firewall policies, protection profiles and VPN tunnels. These limits vary by model. In previous releases of FortiOS, maximum values for resources belonging to virtual domains (VDOMs) applied equally to each VDOM. Maximums for system-wide (global) resources applied globally and the resources were equally accessible to each VDOM. In FortiOS 4.0, you can control resource allocation to each VDOM. This limits the impact of each VDOM on other VDOMs due to resource contention and enables you to provide tiered services to your customers. Also, you can set global resource limits to control the impact of various features on system performance. For more information, see "Configuring global and VDOM resource limits" on page 116.

User authentication monitor
You can now go to User > Authentication > User Authentication Monitor to view a list of currently authenticated users. For each authenticated user, the list includes the user name, user group, the user's source IP address, how long the user has been authenticated (duration), how long until the user's session times out (time-left), the amount of traffic through the FortiGate unit caused by the user (traffic volume), and the authentication method used by the FortiGate unit for the user. The authentication methods can be FSAE, firewall authentication (FW-auth), or NTLM. You can sort and filter the information on the authentication monitor according to any of the columns in the monitor. For more information, see "Monitor" on page 591.

OCSP and SCEP certificate over HTTPS
FortiGate units now support OCSP and SCEP communication between FortiGate units and SCEP servers over HTTPS. The SCEP URLs that you add to the FortiGate System Certificate configuration can be HTTPS URLs or URLs supported by your SCEP server. For more information, see "System Certificates" on page 243.

Adding non-standard ports for firewall authentication
By default, when a communication session is accepted by an identity-based firewall policy, the user must authenticate with the firewall by using the FTP, HTTP, HTTPS, or Telnet protocol to enter a user name and password before being able to communicate through the FortiGate unit. And, by default, users can authenticate only with a communication session that uses the standard FTP, HTTP, HTTPS, or Telnet TCP ports (21, 80, 443, and 23 respectively). You can now use the following command if your firewall users need to authenticate with the FortiGate unit and if they use a non-standard port for FTP, HTTP, HTTPS, or Telnet sessions.
config user setting
    config auth-ports
        edit <auth_port_table_id_int>
            set port <port_integer>
            set type {ftp | http | https | telnet}
        end
    end
end
Where <auth_port_table_id_int> is any integer. You can add multiple non-standard port tables. <port_integer> is the non-standard TCP authentication port number. You use this command only to add more non-standard authentication ports. Adding non-standard authentication ports does not change the standard authentication port for any protocol. The standard authentication port is still valid and cannot be changed.

For example, if some users on your network web browse using HTTP on ports 8080 and 8008 and use telnet on port 4523, you could use the following commands to add HTTP authentication on ports 8080 and 8008 and Telnet authentication on port 4523:
config user setting
    config auth-ports
        edit 1
            set port 8080
            set type http
        next
        edit 2
            set port 8008
            set type http
        next
        edit 3
            set port 4523
            set type telnet
        end
    end
end
If your FortiGate unit is operating with virtual domains enabled, each VDOM has a different non-standard authentication port configuration.

Dynamically assigning VPN client IP addresses from a RADIUS record
SSL VPN tunnel mode, IPSec, and PPTP VPN sessions can now assign IP addresses to remote users by getting the IP address to assign from a RADIUS record. For more information, see "Dynamically assigning VPN client IP addresses from a RADIUS record".

DHCP over route-based IPSec VPNs
In previous releases of FortiOS, you could use DHCP to assign IP addresses to dialup clients on policy-based IPSec VPNs only. In FortiOS 4.0, DHCP is also available to dialup clients on route-based IPSec VPNs. The configuration differs only slightly from that of a route-based dialup VPN with static IP addresses.
1 Configure Phase 1 settings. Remote Gateway must be set to Dialup User.
2 Configure Phase 2 settings. In the Advanced Settings, select DHCP-IPsec.
3 Configure a DHCP server on the virtual IPSec interface. Set the server Type to DHCP. Enter the IP Range and Netmask that dialup clients will use and the Default Gateway that dialup clients should use.
4 Configure an ACCEPT firewall policy with the virtual IPSec interface as source and the local private network as destination.
For more information, see "DHCP-IPSec" on page 540.

SNMP upgraded to v3.0
SNMP v3.0 provides up-to-date information and status reporting about the hardware running on your network.

For more information, see “SNMP” on page 185.

Logging improvements
Logs provide more information about the FortiGate unit operation, including:
• event log for VPN tunnel up/down (IPSec, SSL, PPTP VPNs), including authenticated user name, local and remote IP addresses
• event log for VPN tunnel re-key
• event log for VPN tunnel periodic statistics (configurable period)
• logs for the new Data Leak Prevention feature
• attacks detected by IPS
• inclusion of Admin Profile in the Administrator login event log
• increase in the size of memory log entries to 1024 bytes from 512 bytes, to reduce the number of truncated logs. This reduces the number of logs that can be stored.
For more information, see “Log&Report” on page 647.

File Quarantine
The Quarantine tab is renamed File Quarantine to distinguish it from the NAC Quarantine feature that quarantines traffic. For more information, see “Viewing the File Quarantine list” on page 447.

Customizable SSL VPN web portals
You can now create multiple SSL VPN web portal configurations to enable different types of web portal functionality and control the different web portal look and feel configurations. For more information, see “SSL VPN web portal” on page 554.

Web filtering HTTP POST traffic (blocking or comforting HTTP post traffic)
You can now block or provide client comforting for HTTP POST activity by selecting the HTTP POST Action in a protection profile. For more information, see “Web Filtering options” on page 411.


Web-based manager
This section describes the features of the user-friendly web-based manager administrative interface (sometimes referred to as a graphical user interface, or GUI) of your FortiGate unit. Using HTTP or a secure HTTPS connection from any management computer running a web browser, you can connect to the FortiGate web-based manager to configure and manage the FortiGate unit. You can configure the FortiGate unit for HTTP and HTTPS web-based administration from any FortiGate interface. Because HTTP sends administrator credentials unencrypted, use HTTPS and enable web-based administration only on the interfaces that need it. To connect to the web-based manager you require a FortiGate administrator account and password. The recommended minimum screen resolution for the management computer is 1280 by 1024. The web-based manager supports multiple languages, but by default appears in English on first use.

Figure 3: Example FortiGate-3810A web-based manager dashboard (default configuration)

You can go to System > Status to view detailed information about the status of your FortiGate unit on the system dashboard. The dashboard displays information such as the current FortiOS firmware version, operation mode, connected interfaces, antivirus and IPS definition versions, and system resources. It also shows whether the FortiGate unit is connected to a FortiAnalyzer unit and a FortiManager unit or other central management services. The system dashboard provides an easy entry point to the CLI console that you can use without exiting the web-based manager.

You can use the web-based manager menus, lists, and configuration pages to configure most FortiGate settings. Configuration changes made using the web-based manager take effect immediately without resetting the FortiGate unit or interrupting service. You can back up your configuration at any time using the Backup Configuration button on the button bar. The saved configuration can be restored at any time. The button bar is located in the upper right corner of the web-based manager.

The web-based manager also includes detailed context-sensitive online help. Selecting Online Help on the button bar displays help for the current web-based manager page.

You can use the FortiGate command line interface (CLI) to configure the same FortiGate settings that you can configure from the web-based manager, as well as additional CLI-only settings.

This section describes:
• Common web-based manager tasks
• Changing your FortiGate administrator password
• Changing the web-based manager language
• Changing administrative access to your FortiGate unit
• Changing the web-based manager idle timeout
• Connecting to the FortiGate CLI from the web-based manager
• Button bar features
• Contacting Customer Support
• Backing up your FortiGate configuration
• Using FortiGate Online Help
• Logging out
• Web-based manager pages
• Web-based manager icons

Common web-based manager tasks
This section describes the following common web-based manager tasks:
• Connecting to the web-based manager
• Changing your FortiGate administrator password
• Changing the web-based manager language
• Changing administrative access to your FortiGate unit
• Changing the web-based manager idle timeout
• Connecting to the FortiGate CLI from the web-based manager

Connecting to the web-based manager
To connect to the web-based manager, you require:

• a FortiGate unit connected to your network according to the instructions in the QuickStart Guide and Install Guide for your FortiGate unit
• the IP address of a FortiGate interface that you can connect to
• a computer with an Ethernet connection to a network that can connect to the FortiGate unit
• a supported web browser. See the Knowledge Center articles Supported Windows web browsers and Using a Macintosh and the web-based manager.

To support a secure HTTPS authentication method, the FortiGate unit ships with a self-signed security certificate, which is offered to remote clients whenever they initiate a HTTPS connection to the FortiGate unit. When you connect, the FortiGate unit displays two security warnings in a browser.

The first warning prompts you to accept and optionally install the FortiGate unit’s self-signed security certificate. If you accept the certificate, the FortiGate login page appears. If you do not accept the certificate, the FortiGate unit refuses the connection. If you choose to accept the certificate permanently, the warning is not displayed again. Because a self-signed certificate cannot be checked against a certificate authority, accepting it permanently is what establishes trust; if the warning later reappears for the same address, the certificate has changed and you should confirm why before accepting it again.

Just before the FortiGate login page is displayed, a second warning informs you that the FortiGate certificate distinguished name differs from the original request. This warning occurs because the FortiGate unit redirects the connection. This is an informational message. Select OK to continue logging in.

To connect to the web-based manager
1 Start your web browser and browse to https:// followed by the IP address of the FortiGate unit interface that you can connect to (remember to include the “s” in https://). For example, if the IP address is 192.168.1.99, browse to https://192.168.1.99.
2 Type admin or the name of a configured administrator in the Name field.
3 Type the password for the administrator account in the Password field.
4 Select Login.
Because the connection uses HTTPS, the credentials entered are encrypted before they are sent to the FortiGate unit; over a plain HTTP connection they are not.

Changing your FortiGate administrator password
By default you can log into the web-based manager by using the admin administrator account and no password. You should add a password to the admin administrator account to prevent anybody from logging into the FortiGate and changing configuration options. For improved security you should regularly change the admin administrator account password and the passwords for any other administrator accounts that you add.

Note: See the Fortinet Knowledge Center article Recovering lost administrator account passwords if you forget or lose an administrator account password and cannot log into your FortiGate unit.

To change an administrator account password
1 Go to System > Admin > Administrators. This web-based manager page lists the administrator accounts that can log into the FortiGate unit. The default configuration includes the admin administrator account.
2 Select the Change Password icon and enter a new password.
3 Select OK.
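The browser warning described above is a trust-on-first-use decision: the self-signed certificate cannot be validated against a CA, so the only check available is that the certificate you accept today is the same one you see tomorrow. The script below, an added example that is not part of the guide and not Fortinet code, records the SHA-256 fingerprint of a management host's certificate the first time it is seen and refuses to continue if the fingerprint later changes. `fetch_der_certificate` is the only part that touches the network; the pin store itself is pure and the test exercises it with constructed byte strings standing in for DER certificates. The pin-file name `fortigate_pins.json` is an assumption, and the address 192.168.1.99 in the usage line is the guide's own example address.

```python
"""Trust-on-first-use (TOFU) pinning for a self-signed management certificate.

Added example; not from the FortiGate guide. The first accepted certificate
for host:port is pinned by SHA-256 fingerprint; a later mismatch is treated
as possible interception rather than as a warning to click through.
"""
import hashlib
import json
import socket
import ssl
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes, colon-separated hex as browsers display it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """Maps 'host:port' to the fingerprint accepted on first use."""

    def __init__(self, path=None):
        # path is optional so the store can be used purely in memory.
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, host: str, port: int, der_cert: bytes) -> str:
        """Return 'new' (pinned now), 'ok' (matches pin) or 'MISMATCH' (refuse)."""
        key = f"{host}:{port}"
        fp = fingerprint(der_cert)
        pinned = self.pins.get(key)
        if pinned is None:
            self.pins[key] = fp
            self._save()
            return "new"
        return "ok" if pinned == fp else "MISMATCH"


def fetch_der_certificate(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Retrieve the server's leaf certificate without validating it (the TOFU step)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # self-signed: no CA chain to verify against
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_management_host(store: PinStore, host: str, port: int = 443) -> str:
    """Connect, fingerprint, consult the pin store; raise if the certificate changed."""
    result = store.check(host, port, fetch_der_certificate(host, port))
    if result == "MISMATCH":
        raise RuntimeError(f"certificate for {host}:{port} changed; possible interception")
    return result


if __name__ == "__main__":
    # Usage against the guide's example address (network access required);
    # the pin file name is an assumption for this example.
    print(verify_management_host(PinStore("fortigate_pins.json"), "192.168.1.99"))
```

Run it once from a trusted network position to establish the pin, then from every later session; a `MISMATCH` after a planned certificate replacement means the pin file needs updating, anything else means stop and investigate.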

Note: You can also add new administrator accounts by selecting Create New. For more information about adding administrators, see “System Admin” on page 209.

Changing the web-based manager language
You can change the web-based manager display language to English, Simplified Chinese, Japanese, Korean, Spanish, Traditional Chinese, or French. For best results, you should select the language that the management computer operating system uses. All web-based manager pages are displayed in the selected language.

To change the web-based manager language
1 Go to System > Admin > Settings.
2 Under display settings, select the web-based manager display language.
3 Select Apply.
The web-based manager displays the dashboard in the selected language.

Figure 4: System > Admin > Settings displayed in Simplified Chinese

Changing administrative access to your FortiGate unit
Through administrative access an administrator can connect to the FortiGate unit to view and change configuration settings, change administrator account passwords, and change related configuration settings. The default configuration of your FortiGate unit allows administrative access to one or more of the interfaces of the unit as described in your FortiGate unit QuickStart Guide and Install Guide. You can change administrative access by:
• enabling or disabling administrative access from any FortiGate interface
• enabling or disabling secure HTTPS administrative access to the web-based manager (recommended)
• enabling or disabling HTTP administrative access to the web-based manager (not recommended)
• enabling or disabling secure SSH administrative access to the CLI (recommended)

• enabling or disabling Telnet administrative access to the CLI (not recommended, because Telnet sends credentials and commands unencrypted).

To change administrative access to your FortiGate unit
1 Go to System > Network > Interface.
2 Choose an interface for which to change administrative access and select Edit.
3 Select one or more Administrative Access types for the interface.
4 Select OK.
For more information about changing administrative access see “Administrative access to an interface” on page 135.

Changing the web-based manager idle timeout
By default, the web-based manager disconnects administrative sessions if no activity takes place for 5 minutes. This idle timeout is recommended to prevent someone from using the web-based manager from a PC that is logged into the web-based manager and then left unattended. However, you can use the following steps to change this idle timeout.

To change the web-based manager idle timeout
1 Go to System > Admin > Settings.
2 Change the Idle Timeout minutes as required.
3 Select Apply.

Connecting to the FortiGate CLI from the web-based manager
You can connect to the FortiGate CLI from the web-based manager dashboard by using the CLI console widget. You can use the CLI to configure all configuration options available from the web-based manager. Some configuration options are available only from the CLI. As well, you can use the CLI to enter diagnose commands and perform other advanced operations that are not available from the web-based manager. For more information about the FortiGate CLI see the FortiGate CLI Reference.

To connect to the FortiGate CLI from the web-based manager
1 Go to System > Status.
2 Locate and select the CLI Console. Selecting the CLI console logs you into the CLI. For more information, see “CLI Console” on page 73.

Button bar features
The button bar in the upper right corner of the web-based manager provides access to several important FortiGate features.
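The per-interface access types and the idle timeout above are easy to audit in bulk from a configuration backup, because FortiOS backups use the same config/edit/set/next/end structure as the auth-ports CLI example earlier in this section. The script below is an added example, not Fortinet code and not from this guide: it parses that structure into nested dictionaries and then reports interfaces that still allow cleartext HTTP or Telnet administration, an idle timeout raised above the 5 minute default, and administrators with no trusted-host restriction. The attribute names `allowaccess`, `admintimeout` and `trusthost1` are the FortiOS CLI keywords for these settings; the backup excerpt embedded below is constructed for the example and the addresses in it are placeholders, not output from a real unit.

```python
"""Audit administrative-access settings in a FortiOS configuration backup.

Added example; not Fortinet code. Parses the config/edit/set/next/end
structure of a backup and reports weak administrative-access settings.
"""
import shlex

# Constructed backup excerpt for the example; not a real unit's configuration.
SAMPLE_BACKUP = """\
#config-version=constructed sample, not a real backup
config system global
    set admintimeout 30
    set admin-sport 443
end
config system interface
    edit "port1"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http telnet
    next
    edit "wan1"
        set ip 203.0.113.10 255.255.255.248
        set allowaccess ping https
    next
    edit "dmz"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping ssh
    next
end
config system admin
    edit "admin"
        set trusthost1 192.168.1.0 255.255.255.0
    next
    edit "backup-admin"
    next
end
config user setting
    config auth-ports
        edit 1
            set port 8008
            set type http
        next
    end
end
"""

# Protocols that carry administrator credentials in cleartext.
INSECURE_ACCESS = {"http", "telnet"}
DEFAULT_ADMIN_TIMEOUT = 5


def parse_fortios_config(text: str) -> dict:
    """Turn config/edit/set/unset/next/end lines into nested dicts.

    A 'config' line opens a table keyed by its name ("system interface"),
    an 'edit' line opens an entry keyed by its identifier, and 'set' stores
    the remaining tokens as a list. 'next' and 'end' close the innermost scope.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # handles the quoted names
        keyword = tokens[0]
        if keyword == "config":
            table = stack[-1].setdefault(" ".join(tokens[1:]), {})
            stack.append(table)
        elif keyword == "edit":
            entry = stack[-1].setdefault(tokens[1], {})
            stack.append(entry)
        elif keyword == "set":
            stack[-1][tokens[1]] = tokens[2:]
        elif keyword == "unset":
            stack[-1].pop(tokens[1], None)
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def audit_admin_access(cfg: dict) -> list:
    """Return human-readable findings for weak administrative-access settings."""
    findings = []
    for name, iface in cfg.get("system interface", {}).items():
        cleartext = INSECURE_ACCESS & set(iface.get("allowaccess", []))
        if cleartext:
            findings.append(
                f"interface {name}: cleartext administrative access enabled "
                f"({', '.join(sorted(cleartext))}); keep only https and ssh")
    timeout = cfg.get("system global", {}).get("admintimeout")
    if timeout and int(timeout[0]) > DEFAULT_ADMIN_TIMEOUT:
        findings.append(
            f"admintimeout is {timeout[0]} minutes; unattended sessions stay "
            f"logged in that long (default {DEFAULT_ADMIN_TIMEOUT})")
    for name, admin in cfg.get("system admin", {}).items():
        if not any(key.startswith("trusthost") for key in admin):
            findings.append(
                f"administrator {name}: no trusted hosts, so login is accepted "
                f"from any address that reaches an admin-enabled interface")
    return findings


if __name__ == "__main__":
    for finding in audit_admin_access(parse_fortios_config(SAMPLE_BACKUP)):
        print("FINDING:", finding)
```

Point the parser at a real backup file instead of `SAMPLE_BACKUP` to run the same checks on a unit; the parser is generic, so the nested `auth-ports` table from the non-standard authentication port example is reachable as `cfg["user setting"]["auth-ports"]` as well.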

Figure 5: Web-based manager button bar (Contact Customer Support, Online Help, Logout, Back up your FortiGate Configuration)

Contacting Customer Support
The Contact Customer Support button opens the Fortinet Support web page in a new browser window. From this page you can:
• visit the Fortinet Knowledge Center
• log into Customer Support (Support Login)
• register your Fortinet product (Product Registration)
• view Fortinet Product End of Life information
• find out about Fortinet Training and Certification
• visit the FortiGuard Center.
You must register your Fortinet product to receive product updates, technical support, and FortiGuard services. To register a Fortinet product, go to Product Registration and follow the instructions.

Backing up your FortiGate configuration
The Backup Configuration button opens a dialog box for backing up your FortiGate configuration to:
• the local PC that you are using to manage the FortiGate unit
• a USB disk, if your FortiGate unit has a USB port and you have connected a USB disk to it (see “Formatting USB Disks” on page 261)
• a management station. This can be a FortiManager unit or the FortiGuard Analysis and Management Service. This option changes depending on your central management configuration (see “Central Management” on page 226).
A configuration backup contains the unit’s administrator, VPN and other secrets, so store it with the same care as the unit itself. For more information, see “Backing up and restoring” on page 254.

Figure 6: Backing up your FortiGate configuration

Using FortiGate Online Help
The Online Help button displays context-sensitive online help for the current web-based manager page. The online help page that is displayed is called a content pane and contains information and procedures related to the current web-based manager page. Most help pages also contain hyperlinks to related topics. The online help system also includes a number of links that you can use to find additional information. The online help is organized in the same way as the FortiGate web-based manager and the FortiGate Administration Guide.

FortiGate context-sensitive online help topics also include a VDOM or Global icon to indicate whether the web-based manager page is for VDOM-specific or global configuration settings. VDOM and Global configuration settings apply only to a FortiGate unit operating with virtual domains enabled. If you are not operating your FortiGate unit with virtual domains enabled, you can ignore the VDOM and Global icons. For more information about virtual domains, see “Using virtual domains” on page 103.

Figure 7: A context-sensitive online help page (content pane only)
Show Navigation: Open the online help navigation pane. From the navigation pane you can use the online help table of contents, index, and search to access all of the information in the online help.
Previous: Display the previous page in the online help.
Next: Display the next page in the online help.
Email: Send an email to Fortinet Technical Documentation at techdoc@fortinet.com if you have comments on or corrections for the online help or any other Fortinet technical documentation product.
Print: Print the current online help page.

Bookmark: Add an entry for this online help page to your browser bookmarks or favorites list to make it easier to find useful online help pages. You cannot use the Bookmark icon to add an entry to your favorites list if you are viewing online help from Internet Explorer running on a management PC with Windows XP and service pack 2 installed.

When you select help for a VDOM configuration settings web-based manager page the help display includes the VDOM icon. For information about VDOM configuration settings, see “VDOM configuration settings” on page 104. When you select help for a Global configuration settings web-based manager page the help display includes the Global icon. For information about Global configuration settings, see “Global configuration settings” on page 107.

To view the online help table of contents or index, and to use the search feature, select Online Help in the button bar in the upper right corner of the web-based manager. From the online help, select Show Navigation.

Figure 8: Online help page with navigation pane and content pane
Contents: Display the online help table of contents. You can navigate through the table of contents to find information in the online help.
Index: Display the online help index. You can use the index to find information in the online help.
Search: Display the online help search. For more information, see “Searching the online help” on page 50.
Show in Contents: If you have used the index, search, or hyperlinks to find information in the online help, the table of contents may not be visible or the table of contents may be out of sync with the current help page. You can select Show in Contents to display the location of the current help page within the table of contents.

Searching the online help
Using the online help search, you can search for one word or multiple words in the full text of the FortiGate online help system. The help pages found by the search are ranked in order of relevance. The higher the ranking, the more likely the help page includes useful or detailed information about the word or words that you are searching for. Help pages with the search words in the help page title are ranked highest.

Please note the following:
• If you search for multiple words, the search finds only those help pages that contain all of the words that you entered. The search does not find help pages that only contain one of the words that you entered.

• You can use the asterisk (*) as a search wildcard character that is replaced by any number of characters. For example, if you search for auth* the search finds help pages containing auth, authentication, authenticates, authenticate, and so on.
• In some cases the search finds only exact matches. For example, if you search for windows the search may not find pages containing the word window. You can work around this using the * wildcard (for example by searching for window*).

To search in the online help system
1 From any web-based manager page, select the online help button.
2 Select Show Navigation.
3 Select Search.
4 In the search field, enter one or more words to search for and then press the Enter key on your keyboard or select Go.
The search results pane lists the names of all the online help pages that contain all the words that you entered. Select a name from the list to display that help page.

Figure 9: Searching the online help system (Go, Search Field, Search Results)

Using the keyboard to navigate in the online help
You can use the keyboard shortcuts listed in Table 3 to display and find information in the online help.

Table 3: Online help navigation keys
Key    Function
Alt+1  Display the table of contents.
Alt+2  Display the index.
Alt+3  Display the Search tab.
Alt+4  Go to the previous page.
Alt+5  Go to the next page.
Alt+7  Add an entry for this online help page to your browser bookmarks or favorites list, to make it easier to find useful online help pages.
Alt+8  Print the current online help page.
Alt+9  Send an email to Fortinet Technical Documentation at techdoc@fortinet.com if you have comments on or corrections for the online help or any other Fortinet technical documentation product.

Logging out
The Logout button immediately logs you out of the web-based manager. Log out before you close the browser window. If you simply close the browser or leave the web-based manager, you remain logged in until the idle timeout (default 5 minutes) expires. To change the timeout, see “Changing the web-based manager idle timeout” on page 47.

Web-based manager pages
The web-based manager interface consists of a menu and pages. Many of the pages have multiple tabs. When you select a menu item, such as System, the web-based manager expands to reveal a submenu. When you select one of the submenu items, the associated page opens at its first tab. To view a different tab, select the tab. The procedures in this manual direct you to a page by specifying the menu item, the submenu item and the tab, for example:
1 Go to System > Network > Interface.

Figure 10: Parts of the web-based manager (shown for the FortiGate-50B) (Tabs, Page, Button bar, Menu)

Using the web-based manager menu
The web-based manager menu provides access to configuration options for all major FortiGate features (see Figure 10 on page 52).
System: Configure system settings, such as network interfaces, virtual domains, DHCP services, administrators, certificates, High Availability (HA), system time, and set system options.
Router: Configure FortiGate static and dynamic routing and view the router monitor.
Firewall: Configure firewall policies and protection profiles that apply network protection features. Also configure virtual IP addresses and IP pools.
UTM: Configure antivirus and antispam protection, intrusion protection, web filtering, data leak prevention, and application control.

VPN: Configure IPSec and SSL virtual private networking. PPTP is configured in the CLI.
User: Configure user accounts for use with firewall policies that require user authentication. Also configure external authentication servers such as RADIUS, LDAP, TACACS+, and Windows AD. Configure monitoring of Firewall, IPSec, SSL, IM, and Banned Users.
Endpoint control: Configure end points, view FortiClient configuration information, and configure software detection patterns.
Log&Report: Configure logging and alert email. View log messages and reports.

Using web-based manager lists
Many of the web-based manager pages contain lists. There are lists of network interfaces, firewall policies, administrators, users, and others. If you log in as an administrator with an admin profile that allows Read-Write access to a list, depending on the list you will usually be able to:
• select Create New to add a new item to the list
• select the Edit icon for a list item to view and change the settings of the item
• select the Delete icon for a list item to delete the item. The delete icon will not be available if the item cannot be deleted. Usually items cannot be deleted if they have been added to another configuration; you must first find the configuration settings that the item has been added to and remove the item from them. For example, to delete a user that has been added to a user group you must first remove the user from the user group (see Figure 11).

Figure 11: A web-based manager list (read-write access) (Delete, Edit)

If you log in as an administrator with an admin profile that allows Read Only access to a list, you will only be able to view the items on the list (see Figure 12).

Figure 12: A web-based manager list (read only access) (View)

For more information, see “Admin profiles” on page 222.

Adding filters to web-based manager lists
You can add filters to control the information that is displayed by the following complex lists:
• Session list (see “Viewing the session list” on page 83)

• Firewall policy and IPv6 policy lists (see “Viewing the firewall policy list” on page 321)
• Intrusion protection predefined signatures list (see “Viewing the predefined signature list” on page 457)
• Firewall user monitor list (see “Firewall user monitor list” on page 591)
• IPSec VPN Monitor (see “IPSEC monitor list” on page 592)
• Endpoint control list of known endpoints (see “Monitoring endpoints” on page 644)
• Log and report log access list (see “Accessing Logs” on page 662).

Filters are useful for reducing the number of entries that are displayed on a list so that you can focus on the information that is important to you. For example, you can go to System > Status and, in the Statistics section, select Details on the Sessions line to view the communications sessions that the FortiGate unit is currently processing. A busy FortiGate unit may be processing hundreds or thousands of communications sessions. You can add filters to make it easier to find specific sessions. For example, you might be looking for all communications sessions being accepted by a specific firewall policy. You can add a Policy ID filter to display only the sessions for a particular Policy ID or range of Policy IDs.

You add filters to a web-based manager list by selecting any filter icon to display the Edit Filters window. From the Edit Filters window you can select any column name to filter, and configure the filter for that column. You can also add filters for one or more columns at a time. The filter icon remains gray for unfiltered columns and changes to green for filtered columns. Different filter styles are available depending on the type of information displayed in individual columns. In all cases, you configure filters by specifying what to filter on and whether to display information that matches the filter, or by selecting NOT to display information that does not match the filter.

Figure 13: An intrusion protection predefined signatures list filtered to display all signatures containing “apache” with logging enabled, action set to drop, and severity set to high (filter added to display names that include “apache”; no filter added on the other columns)

The filter configuration is retained after leaving the web-based manager page and even after logging out of the web-based manager or rebooting the FortiGate unit.

Note: Filter settings are stored in the FortiGate configuration and will be maintained the next time that you access any list for which you have added filters.

On firewall policy, IPv6 policy, predefined signature, and log and report log access lists, you can combine filters with column settings to provide even more control of the information displayed by the list. See “Using filters with column settings” on page 59 for more information.

Filters for columns that contain numbers
If the column includes numbers (for example, IP addresses, firewall policy IDs, or port numbers) you can filter by a single number or a range of numbers. To specify a range, separate the bottom and top values of the range with a hyphen, for example 25-50. For example, you could configure a source address column to display only entries for a single IP address or for all addresses in a range of addresses.

Figure 14 shows a numeric filter configured to control the source addresses that are displayed on the session list. To view the session list, go to System > Status. In the Statistics section, beside Sessions, select Details. In this example, a filter is enabled for the Source Address column. The filter is configured to display only source addresses in the range of 1.1.1.1-1.1.1.2.

Figure 14: A session list with a numeric filter set to display sessions with source IP address in the range of 1.1.1.1-1.1.1.2

Filters for columns containing text strings
If the column includes text strings (for example, names and log messages) you can filter by a text string. The text string can be blank and it can also be very long. The text string can also contain special characters such as <, >, &, and so on. However, filtering ignores characters following a < unless the < is followed by a space (for example, filtering ignores <string but not < string). Filtering also ignores matched opening and closing < and > characters and any characters inside them (for example, filtering ignores <string> but does not ignore >string>). You can also specify whether to match the capitalization (case) of the text string. You can also filter information that is an exact match for the text string (equals), that contains the text string, or that does not equal or does not contain the text string.
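The numeric and text filter rules above are easiest to understand when applied to data. The code below is an added example, not code from the guide or from FortiOS: it models the rules the guide describes (a single value or hyphenated range for numeric and IP address columns; equals or contains, NOT, and case matching for text columns, including the special treatment of `<` and `>`) as predicates, and runs them over a constructed session list of the kind shown in Figure 14. The column names and the rows in `SESSIONS` are constructed for the example and the exact behaviour of the `<` rules on the unit may differ in corner cases the guide does not describe.

```python
"""Filter semantics of web-based manager lists, modelled in Python.

Added example; not from the FortiGate guide or FortiOS. Numeric filters take a
single value or a 'low-high' range (integers or IP addresses); text filters
support equals/contains, NOT and case matching with the guide's '<' rules.
"""
import ipaddress
import re


def normalize_text_filter(text: str) -> str:
    """Apply the guide's '<' rules to a filter string.

    - a matched '<...>' pair and everything inside it is ignored
    - a '<' not followed by a space is ignored together with the characters
      that follow it up to the next whitespace ('<string' is dropped,
      '< string' is kept)
    """
    text = re.sub(r"<[^<>]*>", "", text)
    text = re.sub(r"<(?=\S)\S*", "", text)
    return text


def text_filter(pattern, *, mode="contains", negate=False, match_case=False):
    """Return a predicate over cell values implementing a text-column filter."""
    needle = normalize_text_filter(pattern)
    if not match_case:
        needle = needle.lower()

    def matches(value: str) -> bool:
        hay = value if match_case else value.lower()
        hit = (hay == needle) if mode == "equals" else (needle in hay)
        return hit != negate          # NOT inverts the match
    return matches


def numeric_filter(spec: str, negate=False):
    """Return a predicate for numeric/IP columns: '25', '25-50' or '1.1.1.1-1.1.1.2'."""
    def parse(token):
        token = token.strip()
        return ipaddress.ip_address(token) if ("." in token or ":" in token) else int(token)

    if "-" in spec:
        low, high = (parse(t) for t in spec.split("-", 1))
    else:
        low = high = parse(spec)

    def matches(value) -> bool:
        return (low <= parse(str(value)) <= high) != negate
    return matches


def apply_filters(rows, filters):
    """Keep rows for which every (column, predicate) pair holds; filters AND together."""
    return [r for r in rows if all(pred(r[col]) for col, pred in filters.items())]


# Constructed session list rows for the example, not real FortiGate output.
SESSIONS = [
    {"policy_id": 1, "src": "1.1.1.1", "dst": "10.0.0.5", "proto": "tcp", "app": "HTTP"},
    {"policy_id": 2, "src": "1.1.1.2", "dst": "10.0.0.9", "proto": "tcp", "app": "HTTPS"},
    {"policy_id": 7, "src": "1.1.1.3", "dst": "10.0.0.9", "proto": "udp", "app": "DNS"},
    {"policy_id": 30, "src": "192.0.2.8", "dst": "10.0.0.5", "proto": "tcp", "app": "SSH"},
]


if __name__ == "__main__":
    # The Figure 14 filter: source address in the range 1.1.1.1-1.1.1.2.
    for row in apply_filters(SESSIONS, {"src": numeric_filter("1.1.1.1-1.1.1.2")}):
        print(row)
    # Sessions NOT on tcp whose destination contains 10.0.0.9.
    for row in apply_filters(SESSIONS, {"proto": text_filter("tcp", negate=True),
                                        "dst": text_filter("10.0.0.9")}):
        print(row)
```

Because filters on different columns are combined with AND, the same structure reproduces the Figure 13 case (name contains “apache”, action equals drop, severity equals high) by adding one predicate per column.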

Figure 15: A firewall policy list filter set to display all policies that do not include a source address with a name that contains “My_Address”

Filters for columns that can contain only specific items
For columns that can contain only specific items (for example, a log message severity or a pre-defined signature action) you can select a single item from a list. In this case, you can only filter on a single selected item.

Figure 16: An intrusion protection predefined signature list filter set to display all signatures with Action set to block

Custom filters
Other custom filters are also available. You can filter log messages according to date range and time range. You can also set the level filter to display log messages with multiple severity levels.

Figure 17: A log access filter set to display all log messages with level of alert, critical, error, or warning

Using page controls on web-based manager lists
The web-based manager includes page controls to make it easier to view lists that contain more items than you can display on a typical browser window. These page controls are available for the following lists:
• session list (see “Viewing the session list” on page 83)
• Router Monitor (see “Router Monitor” on page 315)
• intrusion protection predefined signatures list (see “Viewing the predefined signature list” on page 457)
• web filtering lists (see “Web Filter” on page 475)
• antispam lists (see “Antispam” on page 495)
• Firewall user monitor list (see “Firewall user monitor list” on page 591)
• IPSec VPN Monitor (see “IPSEC monitor list” on page 592)
• Banned user list (see “NAC quarantine and the Banned User list” on page 595)
• log and report log access lists (see “Accessing Logs” on page 662)
• Endpoint control list of known endpoints (see “Monitoring endpoints” on page 644)

Figure 18: Page controls (First Page, Previous Page, Current Page (enter a page number to display that page), Total Number of Pages, Next Page, Last Page)
First Page: Display the first page of items in the list.
Previous Page: Display the previous page of items in the list.

Current Page: The current page number of list items that are displayed. You can enter a page number and press Enter to display the items on that page. For example, if there are 5 pages of items and you enter 3, page 3 of the sessions will be displayed.
Total Number of Pages: The number of pages of list items that you can view.
Next Page: Display the next page of items in the list.
Last Page: Display the last page of items in the list.

Using column settings to control the columns displayed
Using column settings, you can format some web-based manager lists so that information that is important to you is easy to find and less important information is hidden or less distracting. For example, you can change interface list column headings to display only the IP/Netmask, MAC address, MTU, and interface Type for each interface. On the following web-based manager pages that contain complex lists, you can change column settings to control the information columns that are displayed for the list and to control the order in which they are displayed.
• Network interface list (see “Interfaces” on page 119)
• Firewall policy and IPv6 policy (see “Viewing the firewall policy list” on page 321)
• Intrusion protection predefined signatures list (see “Viewing the predefined signature list” on page 457)
• Firewall user monitor list (see “Firewall user monitor list” on page 591)
• IPSec VPN Monitor (see “IPSEC monitor list” on page 592)
• Endpoint control list of known endpoints (see “Monitoring endpoints” on page 644)
• Log and report log access lists (see “Accessing Logs” on page 662).

To change column settings on a list that supports it, select Column Settings. From Available fields, select the column headings to be displayed and then select the Right Arrow to move them to the “Show these fields in this order” list. Similarly, to hide column headings, use the Left Arrow to move them back to the Available fields list. Use Move Up and Move Down to change the order in which to display the columns.

Note: Any changes that you make to the column settings of a list are stored in the FortiGate configuration and will display the next time that you access the list.

set Column Settings to only display Applications and Name. predefined signature. Then apply a filter to Applications so that only selected applications are listed.fortinet. IPv6 policy.com/ • Feedback 59 . firewall user monitor.Web-based manager Web-based manager pages Figure 19: Example of interface list column settings Left Arrow Right Arrow Figure 20: A FortiGate-5001SX interface list with column settings changed Using filters with column settings On firewall policy. For example.0 Administration Guide 01-400-89802-20090424 http://docs. you might want to sort the list by application so that all signatures for each application are grouped together. FortiGate Version 4. you can go to Intrusion Protection > Signature > Predefined and configure the Intrusion Protection predefined signatures list to show only the names of signatures that protect against vulnerabilities for a selected application. IPSec monitor and log and report log access lists you can combine filters with column settings to provide even more control of the information displayed by the list. To do this. In the pre-defined signatures list you can also sort the list by different columns.

Figure 21: A pre-defined signatures list displaying pre-defined signatures for the Veritas and Winamp applications

For more information, see “Adding filters to web-based manager lists” on page 53.

Web-based manager icons

The web-based manager has icons in addition to buttons to help you to interact with your FortiGate unit. There are tooltips to assist you in understanding the function of most icons. Pause the mouse pointer over the icon to view the tooltip. Table 4 describes the icons that are available in the web-based manager.

Table 4: web-based manager icons

Administrative status down: The administrative status of a FortiGate interface is down and the interface will not accept traffic.
Administrative status up: The administrative status of a FortiGate interface is up and the interface accepts traffic.
Change Password: Change the administrator password. This icon appears in the Administrators list if your admin profile enables you to give write permission to administrators.
Clear: Clear all or remove all entries from the current list. For example, on a URL filter list you can use this icon to remove all URLs from the current URL filter list.
Delete: Delete an item. This icon appears in lists where the item can be deleted and you have edit permission for the item.
Description: The tooltip for this icon displays the Description or Comments field for this table entry.
Disconnect from cluster: Disconnect a FortiGate unit from a functioning HA cluster.
Download: Download information from a FortiGate unit. For example, you can download certificates and debug logs.
Edit: Edit a configuration. This icon appears in lists where you have write permission for the item.
Enter a VDOM: Enter a virtual domain and use the web-based manager to configure settings for the virtual domain.
Expand Arrow (closed): Expand this section to reveal more fields. This icon is used in some dialog boxes and lists.
Expand Arrow (open): Close this section to hide some fields. This icon is used in some dialog boxes and lists.
Filter: Set a filter on one or more columns in this table. See “Adding filters to web-based manager lists” on page 53.
First page: View the first page of a list.
Insert before: Add a new item to a list so that it precedes the current item. Used in lists when the order of items in the list is significant, for example firewall policies, IPS Sensors, and DoS Sensors.
Last page: View the last page of a list.
Move to: Change the position of an item in a list. Used in lists when the order of items in the list is significant, for example firewall policies, IPS Sensors, and DoS Sensors.
Next page: View the next page of a list.
Previous page: View the previous page of a list.
Refresh: Update the information on this page.
View: View a configuration. This icon appears in lists instead of the Edit icon when you have read-only access to a web-based manager list.
View details: View detailed information about an item. For example, you can use this icon to view details about certificates.

System Status

This section describes the System Status page, also known as the system dashboard. The System Status page displays by default when you log in to the web-based manager. FortiGate administrators whose admin profiles permit write access to system configuration can change or update FortiGate unit information. For information on admin profiles, see “Admin profiles” on page 222.

If you enable virtual domains (VDOMs) on the FortiGate unit, the status page is available globally and system status settings are configured globally for the entire FortiGate unit. The Topology viewer is not available when VDOMs are enabled. For details, see “Using virtual domains” on page 103.

This section describes:
• Status page
• Changing system information
• Changing the FortiGate firmware
• Viewing operational history
• Manually updating FortiGuard definitions
• Viewing Statistics
• Topology

Status page

View the System Status page, the dashboard of your FortiGate unit, for a snapshot of the current operating status of the FortiGate unit. Go to System > Status to view the System Status page. At a glance you can view the current system status of the FortiGate unit including serial number, uptime, FortiGuard™ license information, system resource usage, alert messages and network statistics. This includes information such as URLs visited, emails sent and received, and viruses caught.

When the FortiGate unit is part of an HA cluster, the System Status page includes basic high availability (HA) cluster status, such as the name of the cluster and the cluster members including their host names. To view more specialized HA status information for the cluster, go to System > Config > HA. For more information, see “HA” on page 177.

Note: The information on the System Status page applies to the whole HA cluster, not just the Master unit.

Note: Your browser must support Javascript to view the System Status page.

To view this page, your admin profile must permit read access to system configuration. If you also have system configuration write access, you can modify system information and update FortiGuard-AV and FortiGuard-IPS definitions. For information on admin profiles, see “Admin profiles” on page 222.

Figure 22: System Status page

The System Status page is customizable. You can select which widgets to display, where they are located on the page, and if they are minimized or maximized. Select Add Content to add any of the widgets not currently shown on the System Status page. Any widgets currently on the System Status page will be greyed out in the Add Content menu, as you can only have one of each display on the System Status page. Optionally select Back to Default to restore the historic System Status page configuration. You will be prompted to confirm the action.

Position your mouse over a display’s titlebar to see your available options for that display. The options vary slightly from display to display. Each display has an icon associated with it for easy recognition when minimized.

Figure 23: A minimized display

Widget Title: Shows the name of the display.
Disclosure arrow: Select to maximize or minimize the display.
History: Select to show an expanded set of data. Not available for all widgets.
Edit: Select to change settings for the display.
Refresh: Select to update the displayed information.
Close: Select to close the display.

The available dashboard widgets are:
• System Information
• License Information
• Unit Operation
• System Resources
• Alert Message Console
• Statistics
• CLI Console
• Top Sessions
• Top Viruses
• Top Attacks
• Traffic History

System Information

Go to System > Status to find System Information.

Figure 24: System Information

Serial Number: The serial number of the FortiGate unit. The serial number is specific to the FortiGate unit and does not change with firmware upgrades.
Uptime: The time in days, hours, and minutes since the FortiGate unit was started.
System Time: The current date and time according to the FortiGate unit’s internal clock. Select Change to change the time or configure the FortiGate unit to get the time from an NTP server. For more information, see “Configuring system time” on page 78.
HA Status: The status of high availability for this unit. Standalone indicates the unit is not operating in HA mode. Active-Passive or Active-Active indicate the unit is operating in HA mode. Select Configure to configure the HA status for this unit. For more information, see “HA” on page 177.
Host Name: The host name of the current FortiGate unit. If the FortiGate unit is in HA mode, this field is not displayed. Select Change to change the host name. For more information, see “Changing the FortiGate unit host name” on page 78.
Cluster Name: The name of the HA cluster for this FortiGate unit. The FortiGate unit must be operating in HA mode to display this field. For more information, see “HA” on page 177.

Cluster Members: The FortiGate units in the HA cluster. Information displayed about each member includes host name, serial number, and whether the unit is a primary (master) or subordinate (slave) unit in the cluster. The FortiGate unit must be operating in HA mode with virtual domains disabled to display this field. For more information, see “HA” on page 177.
Virtual Cluster 1 / Virtual Cluster 2: The role of each FortiGate unit in virtual cluster 1 and virtual cluster 2. The FortiGate unit must be operating in HA mode with virtual domains enabled to display these fields. For more information, see “HA” on page 177.
Firmware Version: The version of the current firmware installed on the FortiGate unit. The format for the firmware version is
Select Update to change the firmware. For more information, see “Upgrading to a new firmware version” on page 80.
FortiClient Version: The current version of FortiClient uploaded to your FortiGate unit used for endpoint control. This field appears if you can upload a FortiClient image onto your FortiGate unit. See “Configuring FortiClient required version and installer download” on page 642.
Operation Mode: The operating mode of the current FortiGate unit. Except for model 224B in switch view, a FortiGate unit can operate in NAT mode or Transparent mode. Select Change to switch between NAT and Transparent mode. For more information, see “Changing operation mode” on page 206. If virtual domains are enabled, this field shows the operating mode of the current virtual domain. Each virtual domain can be operating in either NAT mode or Transparent mode.
Virtual Domain: Status of virtual domains on your FortiGate unit. Select enable or disable to change the status of the virtual domains feature. Multiple VDOM operation is not available on a FortiGate-224B unit in switch view. If you enable or disable virtual domains, your session will be terminated and you will need to log in again. For more information, see “Using virtual domains” on page 103.
Current Administrators: The number of administrators currently logged into the FortiGate unit. Select Details to view more information about each administrator that is currently logged in. The additional information includes user name, type of connection, IP address from which they are connecting, and when they logged in.

License Information

License Information displays the status of your technical support contract and FortiGuard subscriptions. The FortiGate unit updates the license information status indicators automatically when attempting to connect to the FortiGuard Distribution Network (FDN). FortiGuard Subscriptions status indicators are green if the FDN was reachable and the license was valid during the last connection attempt, grey if the FortiGate unit cannot connect to the FDN, and orange if the FDN is reachable but the license has expired. Selecting any of the Configure options will take you to the Maintenance page. For more information, see “System Maintenance” on page 253.

Figure 25: License Information

Support Contract: The Fortinet technical support contract number and expiry date, or registration status. If Not Registered appears, select Register to register the unit. If Expired appears, select Renew for information on renewing your technical support contract. Contact your local reseller.

FortiGuard Subscriptions

AntiVirus: The FortiGuard Antivirus version, license issue date and service status. If your license has expired, you can select Renew to renew the license.
AV Definitions: The currently installed version of the FortiGuard Antivirus definitions. To update the definitions manually, select Update. For more information, see “Manually updating FortiGuard definitions” on page 82.
Intrusion Protection: The FortiGuard Intrusion Prevention System (IPS) license version, license issue date and service status. If your license has expired, you can select Renew to renew the license.
IPS Definitions: The currently installed version of the IPS attack definitions. To update the definitions manually, select Update. For more information, see “Manually updating FortiGuard definitions” on page 82.
Web Filtering: The FortiGuard Web Filtering license, license expiry date and service status. If your license has expired, you can select Renew to renew the license.
Antispam: The FortiGuard Antispam license type, license expiry date and service status. If your license has expired, you can select Renew to renew the license.
AS Rule Set: The currently installed version of the antispam rule set. To update the rule set manually, select Update. For more information, see “Manually updating FortiGuard definitions” on page 82.
Analysis and Management Service: The FortiGuard Analysis and Management Service license expiry date, and reachability status.
Services Account ID: Select “change“ to enter a different Service Account ID. This ID is used to validate your license for subscription services such as the FortiGuard Analysis and Management Service.

Virtual Domain

VDOMs Allowed: The maximum number of virtual domains the unit supports with the current license. For high-end FortiGate models, you can select the Purchase More link to purchase a license key through Fortinet technical support to increase the maximum number of VDOMs. See “Adding VDOM Licenses” on page 276.

Unit Operation

In the Unit Operation area, an illustration of the FortiGate unit’s front panel shows the status of the unit’s Ethernet network interfaces. If a network interface is green, that interface is connected. Pause the mouse pointer over the interface to view the name, IP address, netmask and current status of the interface.

If you select Reboot or ShutDown, a pop-up window opens allowing you to enter the reason for the system event.

Note: Your reason will be added to the Disk Event Log if disk logging, event logging, and admin events are enabled. For more information on Event Logging, see “Event log” on page 659.

You can only have one management and one logging/analyzing method displayed for your FortiGate unit. The graphic for each will change based on which method you choose. If none are selected, no graphic is shown.

Figure 26: Unit Operation (FortiGate-800)

Figure 27: Unit Operation (FortiGate 30B with FGAMS)

Figure 28: Unit Operation (FortiGate 3810A)

INT / EXT / DMZ / HA / WAN1 / WAN2 / 1 / 2 / 3 / 4 / ...: The network interfaces on the FortiGate unit. The names and number of these interfaces vary by model. The icon below the interface name indicates its up/down status by color. Green indicates the interface is connected. Grey indicates there is no connection. For more information about the configuration and status of an interface, pause the mouse over the icon for that interface. A tooltip displays the full name of the interface, its alias if one is configured, the IP address and netmask, the status of the link, the speed of the interface, and the number of sent and received packets.
AMC-SW1/1, AMC-DW1/1, ...: If your FortiGate unit supports Advanced Mezzanine Card (AMC) modules and if you have installed an AMC module containing network interfaces (for example, the FortiGate-ASM-FB4 contains 4 interfaces), these interfaces are added to the interface status display. The interfaces are named for the module and the interface. For example, AMC-SW1/3 is the third network interface on the SW1 module, and AMC-DW2/1 is the first network interface on the DW2 module. AMC modules support hard disks as well, such as the ASM-S08 module. When a hard disk is installed, ASM-S08 is visible as well as a horizontal bar and percentage indicating how full the hard disk is.
FortiAnalyzer: The icon on the link between the FortiGate unit graphic and the FortiAnalyzer graphic indicates the status of their OFTP connection. A check mark on a green icon indicates there is OFTP communication. An ‘X’ on a red icon indicates there is no connection. Select the FortiAnalyzer graphic to configure remote logging to the FortiAnalyzer unit on your FortiGate unit. See “Logging to a FortiAnalyzer unit” on page 650.
FortiGuard Analysis Service: The icon on the link between the FortiGate unit graphic and the FortiGuard Analysis Service graphic indicates the status of their OFTP connection. A check mark on a green icon indicates there is OFTP communication. An ‘X’ on a red icon indicates there is no connection. Select the FortiGuard Analysis Service graphic to configure remote logging to the FortiGuard Analysis Service. See “FortiGuard Analysis and Management Service” on page 648.
FortiManager: The icon on the link between the FortiGate unit graphic and the FortiManager graphic indicates the status of the connection. A check mark on a green icon indicates there is communication between the two units. An ‘X’ on a red icon indicates there is no connection. Select the FortiManager graphic to configure central management on your FortiGate unit. See “Central Management” on page 226.
FortiGuard Management Service: The icon on the link between the FortiGate unit graphic and the FortiGuard Analysis and Management Service graphic indicates the status of the connection. A check mark on a green icon indicates there is communication. An ‘X’ on a red icon indicates there is no connection. Select the FortiGuard Analysis and Management Service graphic to configure central management on your FortiGate unit. See “Central Management” on page 226.
Reboot: Select to shutdown and restart the FortiGate unit. You will be prompted to enter a reason for the reboot that will be entered into the logs.
Shutdown: Select to shutdown the FortiGate unit. You will be prompted for confirmation, and also prompted to enter a reason for the shutdown that will be entered into the logs.

System Resources

The System Resources widget displays basic FortiGate unit resource usage, such as CPU and memory (RAM) usage. This page also shows the virus and intrusion detections over the last 20 hours. Any System Resources that are not displayed on the status page can be viewed as a graph by selecting the History icon. You can use the System Resources edit menu to select not to display this information. For more information, see “Viewing operational history” on page 81.

To see the most recent CPU and memory usage, select the Refresh icon.

Figure 29: System Resources

History: A graphical representation of the last minute of CPU, memory, sessions, and network usage.
CPU Usage: The current CPU status displayed as a dial gauge and as a percentage. The web-based manager displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Memory Usage: The current memory (RAM) status displayed as a dial gauge and as a percentage. The web-based manager displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Disk Usage: The current status of the FortiGate unit disk space used, displayed as a pie chart and a percentage. This is available only if you have a hard disk on your FortiGate unit.
FortiAnalyzer Usage: The current status of the FortiAnalyzer disk space used by this FortiGate unit’s quota, displayed as a pie chart and a percentage. This is available only if you have configured logging to a FortiAnalyzer unit.

Alert Message Console

Alert messages help you track system events on your FortiGate unit such as firmware changes, network security events, or virus detection events. Each message shows the date and time that the event occurred.

Figure 30: Alert Message Console

The following types of messages can appear in the Alert Message Console:

System restart: The system restarted. The restart could be due to operator action or power off/on cycling.
Firmware upgraded by <admin_name>: The named administrator upgraded the firmware to a more recent version on either the active or non-active partition.
Firmware downgraded by <admin_name>: The named administrator downgraded the firmware to an older version on either the active or non-active partition.
FortiGate has reached connection limit for <n> seconds: The antivirus engine was low on memory for the duration of time shown. Depending on model and configuration, content can be blocked or can pass unscanned under these conditions.
Found a new FortiAnalyzer / Lost the connection to FortiAnalyzer: Shows that the FortiGate unit has either found or lost the connection to a FortiAnalyzer unit. See “Logging to a FortiAnalyzer unit” on page 650.
New firmware is available from FortiGuard: An updated firmware image is available to be downloaded to this FortiGate unit.

If there is insufficient space for all of the messages within the Alert Message Console widget, select History to view the list of alerts in a new window. To clear alert messages, select the History icon and then select Clear Alert Messages, which is located at the top of the pop-up window. This will acknowledge and hide all current alert messages from your FortiGate unit.

Select Edit to display Custom Alert Display options that offer the following customizations for your alert message display:
• Do not display system shutdown and restart.
• Do not display firmware upgrade and downgrade.
• Do not display conserve mode messages.

Statistics

The Statistics widget is designed to allow you to see at a glance what is happening on your FortiGate unit with regards to network traffic and attack attempts. You can quickly see the amount and type of traffic as well as any attack attempts on your system. To investigate an area that draws your attention, select Details for a detailed list of the most recent activity. You can use this data to see trends in network activity or attacks over time.

The information displayed in the statistics widget is derived from log messages that can be saved to a FortiAnalyzer unit, saved locally, or backed up to an external source such as a syslog server. Various configuration settings are required to actually collect data for the statistics widget. See the descriptions of content archive and attack log for details. For detailed procedures involving the Statistics list, see “Viewing Statistics” on page 83.

Figure 31: Statistics (Refresh, Reset, Close)

Figure 32: Statistics (Refresh, Reset, Close)

Since Reset: The date and time when the counts were last reset. Counts are reset when the FortiGate unit reboots, or when you select Reset.
Reset: Reset the Content Archive and Attack Log statistic counts to zero.
Sessions: The number of communications sessions being handled by the FortiGate unit. Select Details for detailed information. See “Viewing the session list” on page 83.
Content Archive: A summary of the HTTP, HTTPS, email, FTP and IM traffic that has passed through the FortiGate unit, and whose metadata has been content archived. The Details pages list the last 64 items of the selected type and provide links to the FortiAnalyzer unit where the archived traffic is stored. If logging to a FortiAnalyzer unit is not configured, the Details pages provide a link to Log & Report > Log Config > Log Settings.
You configure the FortiGate unit to collect content archive data for the statistics widget by configuring protection profiles to display content meta-information on the system dashboard. You must also add the protection profile to a firewall policy. When the firewall policy receives sessions for the selected protocols, meta-data is added to the statistics widget. To configure a protection profile, go to Firewall > Protection Profile. Create or edit a protection profile and configure Data Leak Prevention Sensor > Display content meta-information on the system dashboard and select the protocols to collect statistics for. For more information, see “Data Leak Prevention Sensor options” on page 419.
You can configure a protection profile to collect statistics for HTTP, FTP, IMAP, POP3, and SMTP traffic. By default meta-data is collected and displayed on the statistics widget for all protocols. If your FortiGate unit supports SSL content scanning and inspection, a protection profile can also collect statistics for IMAPS, HTTPS, POP3S, and SMTPS traffic. For more information, see “SSL content scanning and inspection” on page 399.
The Email statistics are based on email protocols. POP3 and IMAP traffic is registered as incoming email, and SMTP is outgoing email. If your FortiGate unit supports SSL content scanning and inspection, incoming email also includes POP3S and IMAPS and outgoing email also includes SMTPS. If incoming or outgoing email does not use these protocols, these statistics will not be accurate.
The IM statistics are based on the AIM, ICQ, MSN, and Yahoo! protocols. You can also configure displaying meta-information on the system dashboard for these IM protocols. By default meta-data is collected and displayed on the statistics widget for all of these protocols.
Content Archive also displays the number of sessions matched by DLP. DLP data loss detected actually displays the number of sessions that have matched DLP sensors added to protection profiles. This number may not indicate that data has been lost or leaked. DLP collects meta-data about all sessions matched by DLP sensors and records this meta-data in the DLP log. Every time a DLP log message is recorded, the DLP data loss detected number increases. If you are using DLP for content summary or full content archiving, the DLP data loss detected number can get very large. For more information, see “Adding or editing a rule in a DLP sensor” on page 513.
Attack Log: A summary of viruses, attacks, spam email messages, and blocked URLs that the FortiGate unit has intercepted. The Details pages list the 20 most recent items, providing the time, source, destination and other information.

CLI Console

The System Status page can include a CLI. To use the console, select it to automatically log in to the admin account you are currently using in the web-based manager. You can copy (CTRL-C) and paste (CTRL-V) text from or to the CLI Console.

Figure 33: CLI Console (Customize)

The two controls located on the CLI Console widget’s title bar are Customize, and Detach.

Detach moves the CLI Console widget into a pop-up window that you can resize and reposition. The two controls on the detached CLI Console are Customize and Attach. Attach moves the CLI console widget back onto the System Status page.

Customize allows you to change the appearance of the console by defining fonts and colors for the text and background.

Figure 34: Customize CLI Console window

Preview: A preview of your changes to the CLI Console’s appearance.
Text: Select the current color swatch next to this label, then select a color from the color palette to the right to change the color of the text in the CLI Console.
Background: Select the current color swatch next to this label, then select a color from the color palette to the right to change the color of the background in the CLI Console.
Font: Select a font from the list to change the display font of the CLI Console.
Size: Select the size of the font. The default size is 10 points.
Use external command input box: Select to display a command input field below the normal console emulation area. When this option is enabled, you can enter commands by typing them into either the console emulation area or the external command input field.
Console buffer length: Enter the number of lines the console buffer keeps in memory. Valid numbers range from 20 to 9999.

Top Sessions

Top Sessions displays either a bar graph or a table showing the IP addresses that have the most sessions open on the FortiGate unit. The sessions are sorted by their source or destination IP address, or the port address. The sort criteria being used is displayed in the top right corner.

The Top Sessions display polls the kernel for session information, and this slightly impacts the FortiGate unit performance. For this reason, when this display is not shown on the dashboard it is not collecting data and not impacting system performance. When the display is shown, information is only stored in memory.

Note: Rebooting the FortiGate unit will reset the Top Session statistics to zero.

The Top Sessions display is not part of the default dashboard display. It can be displayed by selecting Add Content > Top Sessions.

Figure 35: Top sessions bar graph showing destination IP addresses (Last updated, Number of active sessions, Sort Criteria, Change to a detailed table view, Criteria of Top Sessions (Source IP Address), Number of sessions displayed)

To view detailed information about all displayed sessions at once, select Details. This changes the Top Sessions display to a table format, without opening a new window. The table displays more detailed information about sessions than the chart display, including:
• the session protocol such as tcp or udp
• source address and port
• destination address and port
• the ID of the policy, if any, that applies to the session
• how long until the session expires
• which virtual domain the session belongs to

To view detailed information about a single session bar in the chart, click on the bar. The display will change to the table format, with the filters set to only show the selected information. To return to the chart display, select Return.

Selecting edit for Top Sessions allows changes to the:
• refresh interval
• sort criteria to change between source and destination addresses of the sessions
• number of top sessions to show
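The counting behind the Top Sessions chart, as an added example that is not part of this guide and not FortiOS code: it aggregates a constructed in-memory session table by source address, destination address or destination port, optionally resolves well-known destination ports to service names the way the widget's Resolve Service option does, caps the result at the 20 entries the GUI can show, filters by virtual domain, and returns the detail rows (protocol, addresses and ports, policy ID, expiry, VDOM) that sit behind one bar. The Session record layout, the SERVICE_NAMES table and the sample sessions are assumptions made for the example; nothing here is the output format of a FortiGate command. The same count-and-rank step is what the Top Viruses widget applies to virus detections.

```python
"""Top Sessions style aggregation over a constructed session table.

Added example: not FortiOS code. The Session record layout, the service
name table and the sample sessions are assumptions for this example and
do not follow the output format of any FortiGate command.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Service names resolved for well-known destination ports, as the widget's
# Resolve Service option does. Ports not listed stay as the port number.
SERVICE_NAMES = {
    22: "SSH", 25: "SMTP", 53: "DNS", 80: "HTTP",
    110: "POP3", 143: "IMAP", 443: "HTTPS",
}

# The GUI shows at most 20 entries (5, 10, 15 or 20 can be selected).
MAX_DISPLAYED = 20


@dataclass(frozen=True)
class Session:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    policy_id: int    # 0 when no firewall policy applies
    expire: int       # seconds until the session expires
    vdom: str


# Constructed sample session table (not captured from a device).
SAMPLE_SESSIONS = [
    Session("tcp", "10.0.1.5", 51000, "192.0.2.10", 443, 1, 3600, "root"),
    Session("tcp", "10.0.1.5", 51001, "192.0.2.10", 443, 1, 3598, "root"),
    Session("tcp", "10.0.1.5", 51002, "192.0.2.11", 80, 1, 120, "root"),
    Session("udp", "10.0.1.7", 40000, "192.0.2.53", 53, 2, 60, "root"),
    Session("udp", "10.0.1.7", 40001, "192.0.2.53", 53, 2, 60, "root"),
    Session("tcp", "10.0.2.9", 52000, "192.0.2.10", 443, 3, 3000, "vd1"),
    Session("tcp", "10.0.2.9", 52001, "198.51.100.4", 8443, 3, 2990, "vd1"),
]


def resolve_service(port: int) -> str:
    """Map a destination port to its service name, else the port as text."""
    return SERVICE_NAMES.get(port, str(port))


def session_key(session: Session, criteria: str, resolve: bool) -> str:
    """The chart key of one session under the chosen sort criteria."""
    if criteria == "source":
        return session.src
    if criteria == "destination":
        return session.dst
    if criteria == "port":
        return resolve_service(session.dport) if resolve else str(session.dport)
    raise ValueError(f"unknown sort criteria: {criteria!r}")


def top_sessions(sessions: Iterable[Session], criteria: str = "source",
                 limit: int = 5, resolve: bool = False,
                 vdom: Optional[str] = None) -> List[Tuple[str, int]]:
    """Return (key, session count) pairs, most sessions first, ties by key.

    Mirrors the widget: the limit is capped at the 20 entries the GUI shows,
    and Resolve Service only has an effect when sorting by destination port.
    """
    limit = min(limit, MAX_DISPLAYED)
    resolve = resolve and criteria == "port"
    selected = [s for s in sessions if vdom is None or s.vdom == vdom]
    counts = Counter(session_key(s, criteria, resolve) for s in selected)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


def session_details(sessions: Iterable[Session], criteria: str, key: str,
                    resolve: bool = False) -> List[Session]:
    """The table view behind one bar: every session counted under key."""
    resolve = resolve and criteria == "port"
    return [s for s in sessions if session_key(s, criteria, resolve) == key]


if __name__ == "__main__":
    for key, count in top_sessions(SAMPLE_SESSIONS, "port", resolve=True):
        print(f"{key:<16} {count}")
    for s in session_details(SAMPLE_SESSIONS, "source", "10.0.1.5"):
        print(s.proto, f"{s.src}:{s.sport}", "->", f"{s.dst}:{s.dport}",
              "policy", s.policy_id, "expires in", s.expire, "s", s.vdom)
```

Ties are broken by key so that the ranking is stable between refreshes; a port with no entry in the service table (8443 in the sample) is still shown as its number, which matches the widget's behaviour for ports without an associated service.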

Figure 36: Edit menu for Top Sessions

Sort Criteria: Select the method used to sort the Top Sessions on the System Status display. Choose one of:
• Source Address
• Destination Address
• Port Address

Display UserName: Select to include the username associated with this source IP address, if available. In the table display format this will be a separate column. Display UserName is available only when the sort criteria is Source Address.

Resolve Host Name: Select to resolve the IP address to the host name. Resolve Host Name is not available when the sort criteria is Destination Port.

Resolve Service: Select to resolve port addresses into their commonly associated service names. For example, port 443 would resolve to HTTPS. Any port address without a service will continue to be displayed as the port address. Resolve Service is only available when the sort criteria is Destination Port.

Display Format: Select how the Top Session information is displayed. Choose one of:
• Chart
• Table

Top Sessions to Show: Select the number of sessions to display. Choose to display 5, 10, 15, or 20 sessions.

Refresh Interval: Select how often the display is updated. The refresh interval range is from 10 to 240 seconds. Selecting 0 will disable the automatic refresh of the display. You will still be able to select the manual refresh option on the Top Sessions title bar. Shorter refresh intervals may impact the performance of your FortiGate unit. If this occurs, try increasing the refresh interval or disabling the automatic refresh.

Top Viruses

Top Viruses displays a bar graph representing the virus threats that have been detected most frequently by the FortiGate unit. Selecting the history icon opens a window that displays up to the 20 most recent viruses that have been detected, with information including the virus name, when it was last detected, and how many times it was detected. The system stores up to 1024 entries, but only displays up to 20 in the GUI.

The Top Viruses display is not part of the default dashboard display. It can be displayed by selecting Add Content, and selecting Top Viruses from the drop down menu.

Selecting the edit icon for Top Viruses allows changes to the:
• refresh interval
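The Top Sessions aggregation described above (sessions counted per source address, destination address or destination port, the top 5/10/15/20 kept, and service or host name resolution allowed only for the criteria the widget permits), as an added Python example that is not part of this guide; the session records, the service table and the host-name map are constructed for the example.

```python
"""Top Sessions aggregation over a constructed session table.

Added example, not code from the FortiGate guide: it reproduces what the
Top Sessions widget does with the session list (count open sessions per
source address, destination address or destination port, keep the top N,
and optionally resolve well-known ports to service names). The session
records, the service table and the host-name map are constructed here.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    """One row of the session list: protocol, endpoints, policy, expiry."""
    proto: str
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int
    policy_id: Optional[int]   # blank for sessions that touch only one interface
    expiry: int                # seconds until the session expires
    vdom: str = "root"


# Constructed sample session table (RFC 5737 documentation addresses).
SESSIONS = [
    Session("tcp", "10.1.1.20", 51001, "203.0.113.10", 443, 1, 3600),
    Session("tcp", "10.1.1.20", 51002, "203.0.113.10", 443, 1, 3580),
    Session("tcp", "10.1.1.20", 51003, "203.0.113.11", 80, 1, 120),
    Session("udp", "10.1.1.21", 40000, "198.51.100.5", 53, 2, 30),
    Session("tcp", "10.1.1.21", 40001, "203.0.113.10", 443, 1, 3599),
    Session("tcp", "10.1.1.22", 33000, "203.0.113.12", 8443, 1, 900),
    Session("tcp", "10.1.1.22", 33001, "203.0.113.12", 8443, 1, 890),
    Session("tcp", "10.1.1.22", 33002, "198.51.100.5", 22, 3, 3600),
    Session("tcp", "192.168.1.5", 50000, "192.168.1.99", 443, None, 300),  # admin session
]

# Ports the Resolve Service option maps to names; anything else stays numeric.
SERVICES = {22: "SSH", 25: "SMTP", 53: "DNS", 80: "HTTP", 443: "HTTPS"}

# The three sort criteria offered by the widget and the field each one counts.
KEY_FUNCS = {
    "source": lambda s: s.src_addr,
    "destination": lambda s: s.dst_addr,
    "port": lambda s: s.dst_port,
}
VALID_TOP_N = (5, 10, 15, 20)


def validate_refresh_interval(seconds: int) -> int:
    """0 disables automatic refresh; otherwise 10..240 seconds is allowed."""
    if seconds == 0 or 10 <= seconds <= 240:
        return seconds
    raise ValueError("refresh interval must be 0 or between 10 and 240 seconds")


def top_sessions(sessions, sort_by="source", top_n=5, resolve_service=False, host_names=None):
    """Return [(label, session_count), ...], busiest first, at most top_n entries.

    host_names is an optional {ip: name} map standing in for DNS lookups.
    The widget offers Resolve Host Name only for address criteria and
    Resolve Service only for the port criterion; the same rules apply here.
    """
    if sort_by not in KEY_FUNCS:
        raise ValueError(f"unknown sort criteria: {sort_by!r}")
    if top_n not in VALID_TOP_N:
        raise ValueError(f"top sessions to show must be one of {VALID_TOP_N}")
    if resolve_service and sort_by != "port":
        raise ValueError("Resolve Service is only available when sorting by port")
    if host_names and sort_by == "port":
        raise ValueError("Resolve Host Name is not available when sorting by port")
    key = KEY_FUNCS[sort_by]
    counts = Counter(key(s) for s in sessions)
    # Highest count first; ties broken by key text so the output is deterministic.
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0])))[:top_n]
    result = []
    for value, count in ranked:
        if resolve_service:
            label = SERVICES.get(value, str(value))
        elif host_names and value in host_names:
            label = host_names[value]
        else:
            label = str(value)
        result.append((label, count))
    return result


def sessions_for(sessions, sort_by, value):
    """The table view shown when one bar is clicked: only sessions with that key."""
    key = KEY_FUNCS[sort_by]
    return [s for s in sessions if key(s) == value]


def rejects(fn, *args, **kwargs) -> bool:
    """True if fn raises ValueError for these arguments (used for checks)."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for crit in KEY_FUNCS:
        print(crit, top_sessions(SESSIONS, crit, 5, resolve_service=(crit == "port")))
```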

• top viruses to show

Top Attacks

Top Attacks displays a bar graph representing the most numerous attacks detected by the FortiGate unit. Selecting the history icon opens a window that displays up to the 20 most recent attacks that have been detected, with information including the attack name, when it was last detected, how many times it was detected, duration, and other information. The FortiGate unit stores up to 1024 entries, but only displays up to 20 in the web-based manager.

The Top Attacks display is not part of the default dashboard display. It can be displayed by selecting Add Content > Top Attacks from the drop down menu.

Selecting the Edit icon for Top Attacks allows changes to the:
• refresh interval
• top attacks to show

Traffic History

The traffic history display shows the traffic on one selected interface over the last hour, day, and month. Certain trends may be easier to spot in one graph over the others. This feature can help you locate peaks in traffic that you need to address, as well as their frequency.

Only one interface at a time can be monitored. You can change the interface being monitored by selecting Edit, choosing the interface from the drop down menu, and selecting Apply. Doing this will clear all the traffic history data.

Figure 37: Traffic History

Interface being monitored: The interface that is being monitored.

kbit/s: The units of the traffic graph. The scale varies based on traffic levels to allow it to show traffic levels no matter how little or how much traffic there is.

Last 60 Minutes, Last 24 Hours, Last 30 Days: Three graphs showing the traffic monitored on this interface of the FortiGate unit over different periods of time.

Traffic In: The traffic entering the FortiGate unit on this interface is indicated with a thin red line.

Traffic Out: The traffic leaving the FortiGate unit on this interface is indicated with a dark green line, filled in with light green.

Changing system information

FortiGate administrators whose admin profiles permit write access to system configuration can change the system time, host name and the operation mode for the VDOM.

Configuring system time
1 Go to System > Status.
2 In the System Information section, select Change on the System Time line.
3 Select the time zone and then either set the date and time manually or configure synchronization with an NTP server.

Figure 38: Time Settings

System Time: The current FortiGate system date and time.

Refresh: Update the display of the current FortiGate system date and time.

Time Zone: Select the current FortiGate system time zone.

Automatically adjust clock for daylight saving changes: Select to automatically adjust the FortiGate system clock when your time zone changes between daylight saving time and standard time.

Set Time: Select to set the FortiGate system date and time to the values you set in the Hour, Minute, Second, Year, Month and Day fields.

Synchronize with NTP Server: Select to use an NTP server to automatically set the system date and time. You must specify the server and synchronization interval.

Server: Enter the IP address or domain name of an NTP server. To find an NTP server that you can use, see http://www.ntp.org.

Sync Interval: Specify how often the FortiGate unit should synchronize its time with the NTP server. For example, a setting of 1440 minutes causes the FortiGate unit to synchronize its time once a day.

Changing the FortiGate unit host name

The FortiGate host name appears on the Status page and in the FortiGate CLI prompt. The host name is also used as the SNMP system name. For information about SNMP, see "SNMP" on page 185. The default host name is the FortiGate unit serial number. For example, FGT8002805030003 would be a FortiGate-800 unit. Administrators whose admin profiles permit system configuration write access can change the FortiGate unit host name.

Note: If the FortiGate unit is part of an HA cluster, you should use a unique host name to distinguish the unit from others in the cluster.

To change the FortiGate unit host name
1 Go to System > Status.
2 In the Host Name field of the System Information section, select Change.
3 In the New Name field, type a new host name.
4 Select OK.
The new host name is displayed in the Host Name field and in the CLI prompt, and is added to the SNMP System Name.

If the host name is longer than 16 characters, it will be displayed as being truncated and end with a "~". The full host name will be displayed under System > Status, but the truncated host name will be displayed on the CLI and other places it is used.

Changing the FortiGate firmware

FortiGate administrators whose admin profiles permit maintenance read and write access can change the FortiGate firmware. Firmware images can be transferred from a number of sources including a local hard disk, a local USB disk, or the FortiGuard Network. For more information about using the USB disk and the FortiGuard Network, see "System Maintenance" on page 253.

Note: To access firmware updates for your FortiGate model, you will need to register your FortiGate unit with Customer Support. For more information go to http://support.fortinet.com or contact Customer Support.

Figure 39: Firmware Upgrade/Downgrade

Upgrade From: Select the firmware source from the drop down list of available sources. Possible sources include Local Hard Disk, USB, and FortiGuard Network.

Upgrade File: Browse to the location of the firmware image on your local hard disk. This field is available for local hard disk and USB only.

Upgrade Partition: The number of the partition being updated. This field is available only if your FortiGate unit has more than one firmware partition.

more info: Select to go to the FortiGuard Center to learn more about firmware updates through the FortiGuard network.

Firmware changes either upgrade to a newer version or revert to an earlier version. Follow the appropriate procedure to change your firmware. For more information about managing firmware, see "Managing firmware versions" on page 91.

To determine what version firmware you have, refer to Firmware version on System > Status > System Information. The version is in the format of "X.Y.Z" where X is the major version number, Y is the minor version number, and Z is the patch number. For example, firmware version 4.0.1 is major version 4, with patch 1.

Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure "To update antivirus and attack definitions" on page 272 to make sure that antivirus and attack definitions are up to date. For information about updating antivirus and attack definitions, see "Configuring FortiGuard Services" on page 264.

Upgrading to a new firmware version

When an update for your FortiGate unit is available, you can update your unit with the new firmware version. Use the following procedure to upgrade the FortiGate unit to a newer firmware version. The firmware images for FortiGate units are available at the Fortinet Technical Support web site. Log in to the site and go to Firmware Images > FortiGate.

To upgrade the firmware using the web-based manager
1 Copy the new firmware image file to your management computer.
2 Log into the web-based manager as the super admin, or an administrator account that has system configuration read and write privileges.
3 Go to System > Status.
4 In the System Information section, select Update on the Firmware Version line.
5 Type the path and filename of the firmware image file, or select Browse and locate the file.
6 Select OK.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiGate login. This process takes a few minutes.
7 Log into the web-based manager.
8 Go to System > Status and check the Firmware Version to confirm that the firmware upgrade is successfully installed.
9 Update antivirus and attack definitions. For information, see "About the Maintenance menu" on page 253.

Reverting to a previous firmware version

Use the following procedure to revert your FortiGate unit to a previous firmware version. This also reverts the FortiGate unit to its factory default configuration and deletes IPS custom signatures, web content lists, email filtering lists, and changes to replacement messages. Back up your FortiGate unit configuration to preserve this information. If you are reverting to a previous FortiOS™ version (for example, reverting from FortiOS v3.0 to FortiOS v2.8), you might not be able to restore the previous configuration from the backup configuration file.

Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure "To update antivirus and attack definitions" on page 272 to make sure that antivirus and attack definitions are up to date.

To revert to a previous firmware version using the web-based manager
1 Copy the firmware image file to your management computer. The firmware images for FortiGate units are available at the Fortinet Technical Support web site. Log in to the site and go to Firmware Images > FortiGate.
2 Log into the web-based manager as the super admin, or an administrator account that has system configuration read and write privileges.
3 Go to System > Status.
4 In the System Information section, select Update on the Firmware Version line.
5 Type the path and filename of the firmware image file, or select Browse and locate the file.
6 Select OK.
The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiGate login. This process takes a few minutes.
7 Log into the web-based manager.
8 Go to System > Status and check the Firmware Version to confirm that the firmware is successfully installed.
9 Restore your configuration. For information about restoring your configuration, see "About the Maintenance menu" on page 253.
10 Update antivirus and attack definitions. For information about antivirus and attack definitions, see "To update antivirus and attack definitions" on page 272.

Viewing operational history

The System Resource History page displays six graphs representing different system resources and protection activity over time. Note that the refresh rate for the graphs is 3 second intervals.

To view the operational history
1 Go to System > Status.
2 Select History in the upper right corner of the System Resources section.

Figure 40: Sample system resources history

Time Interval: Select the time interval for the graphs to display.

CPU Usage History: CPU usage for the preceding interval.

Memory Usage History: Memory usage for the preceding interval.

Session History: Number of sessions over the preceding interval.

Network Utilization History: Network utilization for the preceding interval.

Virus History: Number of viruses detected over the preceding interval.

Intrusion History: Number of intrusion attempts detected over the preceding interval.

Manually updating FortiGuard definitions

You can update your FortiGuard antivirus database, Intrusion Protection definitions, and antispam rule set at any time from the License Information section of the System Status page.

Note: For information about configuring automatic FortiGuard updates, see "Configuring FortiGuard Services" on page 264.

To update FortiGuard antivirus definitions, IPS definitions, or antispam rule set manually
1 Download the latest update file from the Fortinet support site and copy it to the computer that you use to connect to the web-based manager.
2 Start the web-based manager and go to System > Status.
3 In the License Information section, in the AV Definitions, IPS Definitions, or AS Rule Set field of the FortiGuard Subscriptions, select Update.
4 Select Browse and locate the update file, or type the path and filename.
5 Select OK to copy the update file to the FortiGate unit. The FortiGate unit updates the AV definitions or IPS definitions. This takes about 1 minute.
6 Go to System > Status to confirm that the version information for the selected definition or rule set has updated.

Viewing Statistics

The System Status Statistics provide information about sessions, content archiving and network protection activity. You can select the Details link beside each traffic type to view more information.

Viewing the session list

From the Statistics section of the System Status page, you can view statistics about HTTP, HTTPS, email, FTP and IM traffic through the FortiGate unit.

To view the session list
1 Go to System > Status.
2 In the Statistics section, select Details on the Sessions line.

Figure 41: Session list

Virtual Domain: Select a virtual domain to list the sessions being processed by that virtual domain. Select All to view sessions being processed by all virtual domains. This is only available if virtual domains are enabled. For more information see "Using virtual domains" on page 103.

Refresh Icon: Update the session list.

First Page: Select to go to the first displayed page of current sessions.

Previous Page: Select to go to the page of sessions immediately before the current page.

Page: Enter the page number of the session to start the displayed session list. For example, if there are 5 pages of sessions and you enter 3, page 3 of the sessions will be displayed. The number following the '/' is the number of pages of sessions.

Next Page: Select to go to the next page of sessions.

Last Page: Select to go to the last displayed page of current sessions.

Total: The total number of sessions.

Clear All Filters: Select to reset any display filters that may have been set.

Filter Icon: The icon at the top of all columns except # and Expiry. When selected it brings up the Edit Filter dialog allowing you to set the display filters by column. See "Adding filters to web-based manager lists" on page 53.

Protocol: The service protocol of the connection, for example, tcp, udp, or icmp.

Source Address: The source IP address of the connection.

Source Port: The source port of the connection.

Destination Address: The destination IP address of the connection.

Destination Port: The destination port of the connection.

Policy ID: The number of the firewall policy allowing this session, or blank if the session involves only one FortiGate interface (admin session, for example).

Expiry (sec): The time, in seconds, before the connection expires.

Delete icon: Stop an active communication session. Your admin profile must include read and write access to System Configuration.

Viewing Content Archive information on the Statistics widget

From the Statistics widget of the System Status page, you can view statistics about HTTP, HTTPS, email, FTP and IM traffic through the FortiGate unit. You can select the Details link beside each traffic type to view more information. You can select Reset on the header of the Statistics section to clear the content archive and attack log information and reset the counts to zero.

Viewing HTTP content information
1 Go to System > Status.
2 In the Content Archive section, select Details for HTTP.

Date and Time: The time when the URL was accessed.

From: The IP address from which the URL was accessed.

URL: The URL that was accessed.

Viewing Email content information
1 Go to System > Status.
2 In the Content Archive section, select Details for Email.

Date and Time: The time that the email passed through the FortiGate unit.

From: The sender's email address.

To: The recipient's email address.

Subject: The subject line of the email.

Viewing archived FTP content information
1 Go to System > Status.
2 In the Content Archive section, select Details for FTP.

Date and Time: The time of access.

Destination: The IP address of the FTP server that was accessed.

User: The User ID that logged into the FTP server.

Downloads: The names of files that were downloaded.

Uploads: The names of files that were uploaded.

Viewing IM content information
1 Go to System > Status.
2 In the Content Archive section, select Details for IM.

Date / Time: The time of access.

Protocol: The protocol used in this IM session.

Kind: The kind of IM traffic this transaction is.

Local: The local address for this transaction.

Remote: The remote address for this transaction.

Direction: Whether the file was sent or received.

Viewing the Attack Log

From the Statistics section of the System Status page, you can view statistics about the network attacks that the FortiGate unit has stopped. You can view statistics about viruses caught, attacks detected, spam email detected, and URLs blocked. You can also view information about sessions matched by DLP rules. You can select the Details link beside each attack type to view more information. You can select Reset on the header of the Statistics section to clear the content archive and attack log information and reset the counts to zero.

Viewing viruses caught
1 Go to System > Status.
2 In the Attack Log section, select Details for AV.

Date and Time: The time when the virus was detected.

From: The sender's email address or IP address.

To: The intended recipient's email address or IP address.

Service: The service type, such as POP or HTTP.

Virus: The name of the virus that was detected.

Viewing attacks blocked
1 Go to System > Status.
2 In the Attack Log section, select Details for IPS.

Date and Time: The time that the attack was detected.

From: The source of the attack.

To: The target host of the attack.

Service: The service type, such as HTTP.

Attack: The type of attack that was detected and prevented.

Viewing spam email detected
1 Go to System > Status.
2 In the Attack Log section, select Details for Spam.

Date and Time: The time that the spam was detected.

From->To IP: The sender and intended recipient IP addresses.

From->To Email Accounts: The sender and intended recipient email addresses.

Service: The service type, such as SMTP, POP or IMAP.

SPAM Type: The type of spam that was detected.

Viewing URLs blocked
1 Go to System > Status.
2 In the Attack Log section, select Details for Web.

Date and Time: The time that the attempt to access the URL was detected.

From: The host that attempted to view the URL.

URL Blocked: The URL that was blocked.

Viewing the sessions matched by DLP
1 Go to System > Status.
2 In the Attack Log section, select Details for DLP.

Date and Time: The time that the attempt to access the URL was detected.

Service: The service type, such as SMTP, POP or IMAP.

Source: The source address of the session.

From: The host that attempted to view the URL.

URL Blocked: The URL that was blocked.

From: The sender's email address or IP address.

To: The intended recipient's email address or IP address.

Topology

The Topology page provides a way to diagram and document the networks connected to your FortiGate unit. The Topology page consists of a large canvas upon which you can draw a network topology diagram of your FortiGate installation. Go to System > Status > Topology to view the system topology. The Topology viewer is not available if Virtual Domains (VDOMs) are enabled.

Figure 42: Topology page (callouts: Zoom/Edit controls; Text object; Subnet object; FortiGate unit object; Viewport; Viewport control)

Viewport and viewport control

The viewport displays only a portion of the drawing area. The viewport control, at the bottom right of the topology page, represents the entire drawing area. The darker rectangle represents the viewport. Drag the viewport rectangle within the viewport control to determine which part of the drawing area the viewport displays. The "+" and "-" buttons in the viewport control have the same function as the Zoom in and Zoom out controls.

FortiGate unit object

The FortiGate unit is a permanent part of the topology diagram. You can move it, but not delete it. The FortiGate unit object shows the link status of the unit's interfaces. Green indicates the interface is up. Gray indicates the interface is down. Select the interface to view its IP address and netmask, if assigned.

Zoom and Edit controls

The toolbar at the top left of the Topology page shows controls for viewing and editing the topology diagram.

Table 5: Zoom and Edit controls for Topology

Refresh the displayed diagram.

Zoom in. Select to display a smaller portion of the drawing area in the viewport, making objects appear larger.

Zoom out. Select to display a larger portion of the drawing area in the viewport, making objects appear smaller.

Select to begin editing the diagram. This button expands the toolbar to show the editing controls described below:

Save changes made to the diagram.

Exit. Select to finish editing the diagram. Save changes first. The toolbar contracts to show only the Refresh and Zoom controls.

Customize. Select to change the colors and the thickness of lines used in the drawing. See "Customizing the topology diagram" on page 90.

Add a subnet object to the diagram. The subnet object is based on the firewall address that you select, and is connected by a line to the interface associated with that address. See "Adding a subnet object" on page 89.

Insert Text. Select this control and then click on the diagram where you want to place the text object. Type the text and then click outside the text box.

Delete. Select the object(s) to delete and then select this control or press the Delete key.

Select. Select this control and then drag to create a selection rectangle. Objects within the rectangle are selected when you release the mouse button.

Drag. Select this control and then drag objects in the diagram to arrange them.

Scroll. Select this control and then drag the drawing area background to move the viewport within the drawing area. This has the same effect as moving the viewport rectangle within the viewport control.

Note: If you switch to any other page in the web-based manager without saving your changes, your changes are lost.

Adding a subnet object

While editing the topology diagram, you can select the Add Subnet control to define a subnet object. The object has the name of the firewall address and is connected by a line to the interface associated with that address. For more information about firewall addresses, see "Firewall Address" on page 345.

Figure 43: Adding an existing subnet to the topology diagram

Figure 44: Adding a new subnet to the topology diagram

Select from existing address/group: Create a subnet object based on an existing firewall address. The object is drawn and connected by a line to the interface associated with the address.

Address Name: Enter a name to identify the firewall address. Addresses, address groups, and virtual IPs must have unique names to avoid confusion in firewall policies.

Connect to interface: Select the interface or zone to associate with this address. If the field already displays a name, changing the setting changes the interface or zone associated with this existing address. If the address is currently used in a firewall policy, you can choose only the interface selected in the policy.

New addresses: Create a new firewall address and add a subnet object based on that address to the topology diagram.

Address Name: Enter a name to identify the firewall address. Addresses, address groups, and virtual IPs must have unique names to avoid confusion in firewall policies.

Type: Select the type of address: Subnet/IP Range or FQDN.

Subnet / IP Range: If Type is Subnet / IP Range, enter the firewall IP address, followed by a forward slash and then the subnet mask. Alternatively, enter the IP range start address, followed by a hyphen (-) and the IP range end address.

FQDN: If Type is FQDN, enter the fully qualified domain name.

Connect to interface: Select the interface or zone to associate with this address. The address is associated with the interface you choose.
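The address forms the New addresses fields accept (IP/mask, start-end, or a fully qualified domain name), the unique-name rule and the policy-bound interface restriction described above, as an added Python example that is not FortiGate code; the FirewallAddress type, the in-memory address table and the policy_interfaces map are assumptions made for the example.

```python
"""Parse and validate the address forms the Add Subnet dialog accepts.

Added example, not FortiGate code. The guide says a Subnet / IP Range
address is written either as "IP/mask" or as "start-end", and an FQDN
address as a fully qualified domain name. This module canonicalises such
input with the standard ipaddress module, enforces the unique-name rule and
the "only the policy's interface" rule for addresses used in a firewall
policy. FirewallAddress, the address table and policy_interfaces are
assumptions standing in for the unit's own configuration store.
"""
import ipaddress
import re
from dataclasses import dataclass

SUBNET_IP_RANGE = "Subnet / IP Range"
FQDN = "FQDN"

# One label per dot, letters/digits/hyphens, no leading or trailing hyphen,
# at least two labels, alphabetic top-level label (applied to lowercased input).
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


@dataclass(frozen=True)
class FirewallAddress:
    name: str
    addr_type: str   # SUBNET_IP_RANGE or FQDN
    value: str       # canonical form produced by the parsers below
    interface: str   # interface or zone the subnet object connects to


def parse_subnet_or_range(text: str) -> str:
    """Canonicalise 'IP/mask' or 'start-end' as the Subnet / IP Range field expects."""
    text = text.strip()
    if "/" in text:
        ip_part, mask = text.split("/", 1)
        # ipaddress accepts both prefix lengths and dotted masks; strict=False
        # keeps the network the mask selects, so 10.1.1.20/24 becomes 10.1.1.0/24.
        net = ipaddress.ip_network(f"{ip_part.strip()}/{mask.strip()}", strict=False)
        return str(net)
    if "-" in text:
        start_s, end_s = text.split("-", 1)
        start = ipaddress.ip_address(start_s.strip())
        end = ipaddress.ip_address(end_s.strip())
        if start.version != end.version:
            raise ValueError("IP range start and end must be the same IP version")
        if end < start:
            raise ValueError("IP range end address precedes the start address")
        return f"{start}-{end}"
    raise ValueError("expected 'address/mask' or 'start-end'")


def parse_fqdn(text: str) -> str:
    """Lowercase, drop a trailing dot, and check the name has valid labels."""
    name = text.strip().lower().rstrip(".")
    if not _FQDN_RE.match(name):
        raise ValueError(f"not a valid fully qualified domain name: {text!r}")
    return name


def add_address(table: dict, name: str, addr_type: str, value: str, interface: str) -> FirewallAddress:
    """Validate and add a new firewall address; names must be unique."""
    name = name.strip()
    if not name:
        raise ValueError("address name is required")
    if name in table:
        raise ValueError(f"an address, address group or virtual IP named {name!r} already exists")
    if addr_type == SUBNET_IP_RANGE:
        canonical = parse_subnet_or_range(value)
    elif addr_type == FQDN:
        canonical = parse_fqdn(value)
    else:
        raise ValueError(f"unknown address type: {addr_type!r}")
    addr = FirewallAddress(name, addr_type, canonical, interface)
    table[name] = addr
    return addr


def set_interface(table: dict, policy_interfaces: dict, name: str, interface: str) -> FirewallAddress:
    """Change 'Connect to interface' for an existing address.

    policy_interfaces maps names of addresses used in firewall policies to
    the interface selected in that policy; such an address may only keep
    that interface, as the dialog allows.
    """
    if name not in table:
        raise KeyError(name)
    bound = policy_interfaces.get(name)
    if bound is not None and interface != bound:
        raise ValueError(f"{name!r} is used in a policy on {bound!r}; only that interface can be selected")
    current = table[name]
    updated = FirewallAddress(name, current.addr_type, current.value, interface)
    table[name] = updated
    return updated


def rejects(fn, *args, **kwargs) -> bool:
    """True if fn raises ValueError for these arguments (used for checks)."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    addresses = {}
    print(add_address(addresses, "lan_net", SUBNET_IP_RANGE, "192.168.1.0/255.255.255.0", "internal"))
    print(add_address(addresses, "mail_host", FQDN, "Mail.Example.com", "wan1"))
```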

Customizing the topology diagram

In System > Status > Topology, select the Customize button to open the Topology Customization window. Modify the settings as needed and select OK when you are finished.

Figure 45: Topology Customization window

Preview: A simulated topology diagram showing the effect of the selected appearance options.

Canvas Size: The size of the drawing in pixels.

Resize to Image: If you selected an image as Background, resize the diagram to fit within the image.

Background: One of:
• Solid: A solid color selected in Background Color.
• U.S. Map: A map of the United States.
• World Map: A map of the world.
• Upload My Image: Upload the image from Image Path.

Background Color: Select the color of the diagram background.

Image path: If you selected Upload My Image for Background, enter the path to your image, or use the Browse button to find it.

Exterior Color: Select the color of the border region outside your diagram.

Line Color: Select the color of connecting lines between subnet objects and interfaces.

Line Width: Select the thickness of connecting lines.

Reset to Default: Reset all topology diagram settings to default.

Managing firmware versions

Fortinet recommends reviewing this section before upgrading because it contains important information about how to properly back up your current configuration settings and what to do if the upgrade is unsuccessful.

In addition to firmware images, Fortinet releases patch releases—maintenance release builds that resolve important issues. Fortinet strongly recommends reviewing the release notes for the patch release before upgrading the firmware. You should also review the FortiGate Upgrade Guide when a new firmware version is released, or the What's New chapter of this guide when a new firmware maintenance release is released. Both contain valuable information about the changes and new features that may cause issues with the current configuration. Installing a patch release without reviewing release notes or testing the firmware may result in changes to settings or unexpected issues. Follow the steps below:
• Download and review the release notes for the patch release.
• Download the patch release.
• Back up the current configuration.
• Test the patch release until you are satisfied that it applies to your configuration.
• Install the patch release using the procedure "Testing firmware before upgrading" on page 94.

With FortiOS 4.0, you can also configure your FortiGate unit to use NAT while in transparent mode. For more information, see the Fortinet Knowledge Center article, Configuring NAT in Transparent mode.

If you enable virtual domains (VDOMs) on the FortiGate unit, system firmware versions are configured globally. For more information, see "Using virtual domains" on page 103.

This section describes:
• Backing up your configuration
• Testing firmware before upgrading
• Upgrading your FortiGate unit
• Reverting to a previous firmware image
• Restoring your configuration

Note: For more information about the settings that are available on the Backup and Restore page (such as remotely backing up to a FortiManager unit), see "System Maintenance" on page 253.

Backing up your configuration

Caution: Always back up your configuration before installing a patch release, upgrading/downgrading firmware, or resetting configuration to factory defaults.

Fortinet recommends backing up all configuration settings from your FortiGate unit before upgrading to FortiOS 4.0. This ensures all configuration settings are still available if you require downgrading to FortiOS 3.0 MR7 and want to restore those configuration settings.

You can back up configuration settings to a local PC, a FortiManager unit, or to a USB key. You can also back up to a FortiGuard Analysis and Management server if you have FortiGuard Analysis and Management Service enabled. If you have virtual domains, there are limitations to what certain administrators are allowed to back up. For more information, see the FortiGate CLI Reference.

Backing up your configuration through the web-based manager

You can back up your configuration to a variety of locations, such as a FortiManager unit or a FortiGuard Analysis and Management server. If you have the FortiGuard Analysis and Management Service configured, you can also back up your configuration to the FortiGuard Analysis and Management server. The following procedure describes how to properly back up your current configuration in the web-based manager.

To back up your configuration file through the web-based manager
1 Go to System > Maintenance > Backup & Restore.
2 Select to back up the configuration to either a Local PC, FortiManager, FortiGuard Analysis and Management server, or the USB key. If you want to encrypt your configuration file to save VPN certificates, select the Encrypt configuration file check box, enter a password, and then enter it again to confirm.
3 Select Backup.
4 Save the file.

Backing up your configuration through the CLI

You can back up your configuration file using a TFTP or FTP server, a FortiManager unit, or FortiGuard (if your FortiGate unit is configured for FortiGuard Analysis and Management Service). When backing up your configuration in the CLI, you can choose to back up the entire configuration (execute backup full-config) or part of the configuration (execute backup config). The following procedure describes how to back up your current configuration in the CLI and assumes that you are familiar with the following commands. For more information about the individual commands used in the following procedure, see the FortiGate CLI Reference.

To back up your configuration file through the CLI
1 Enter the following to back up the configuration file to a USB key:
    execute backup config usb <backup_filename> <encrypt_passwd>

2 Enter the following to back up the configuration file to a TFTP or FTP server:
execute backup config {tftp | ftp} <backup_filename> <tftp_server_ipaddress> <ftp server [:ftp port] <ftp_username> <ftp_passwd> <encrypt_passwd>
3 Enter the following to back up the configuration to a FortiGuard Analysis and Management server:
execute backup config management-station <comment>

To back up the entire configuration file through the CLI
Enter the following to back up the entire configuration file:
execute backup full-config {tftp | ftp | usb} <backup_filename> <backup_filename> <tftp_server_ipaddress> <ftp server [:ftp port] <ftp_username> <ftp_passwd> <encrypt_passwd>

Backing up your configuration to a USB key

If your FortiGate unit has a USB port, you can back up your current configuration to a USB key, either from the CLI or the web-based manager. When backing up a configuration file to a USB key, ensure that the USB key is inserted in the FortiGate unit’s USB port. Before proceeding, verify that the USB key is formatted as a FAT16 disk. The FAT16 format is the only supported partition type. For more information, see “Formatting USB Disks” on page 261.

To back up your configuration to the USB key
1 Go to System > Maintenance > Backup & Restore.
2 Select USB Disk from Backup configuration to list. If you want to encrypt your configuration file to save VPN certificates, select the Encrypt configuration file check box, enter a password, and then enter it again to confirm.
3 Select Backup.

After successfully backing up your configuration file, proceed with upgrading to FortiOS 4.0.

Testing firmware before upgrading

You may want to test the firmware that you need to install before upgrading to a new firmware version, or to a maintenance or patch release. By testing the firmware, you can familiarize yourself with the new features and changes to existing features, as well as understand how your configuration works with the firmware.

A firmware image is tested by installing it from a system reboot, and then saving it to system memory. After the firmware is saved to system memory, the FortiGate unit operates using the firmware with the current configuration. The following procedure does not permanently install the firmware; the next time the FortiGate unit restarts, it operates using the firmware originally installed on the FortiGate unit. You can install the firmware permanently by using the procedures in “Upgrading your FortiGate unit” on page 95.

You can use the following procedure for either a regular firmware image or a patch release. The following procedure assumes that you have already downloaded the firmware image to your management computer.

To test the firmware image before upgrading
1 Copy the new firmware image file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and TFTP server are successfully connected.
5 Enter the following to restart the FortiGate unit:
execute reboot
6 As the FortiGate unit reboots, a series of system startup messages appears. When the following message appears, immediately press any key to interrupt the system startup:
Press any key to display configuration menu…
You have only three seconds to press any key. If you do not press a key soon enough, the FortiGate unit reboots and you must log in and repeat steps 5 to 6 again.
If you successfully interrupt the startup process, the following message appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
7 Type G to get the new firmware image from the TFTP server. The following message appears:
Enter TFTP server address [192.168.1.168]:
8 Type the address of the TFTP server and press Enter. The following message appears:
Enter Local Address [192.168.1.188]:

9 Type the internal IP address of the FortiGate unit. This IP address connects the FortiGate unit to the TFTP server. This IP address must be on the same network as the TFTP server, but make sure you do not use an IP address of another device on the network. The following message appears:
Enter File Name [image.out]:
10 Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and the following appears:
Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
11 Type R. The FortiGate firmware image installs and saves to system memory. The FortiGate unit starts running the new firmware image with the current configuration.

When you have completed testing the firmware, you can reboot the FortiGate unit and resume using the original firmware.

Upgrading your FortiGate unit

You can also use the following procedure when installing a patch release. A patch release is a firmware image that resolves specific issues, but does not contain new features or changes to existing features. You can install a patch release whether or not you upgraded to the current firmware version.

If your upgrade is successful, and your FortiGate unit has a hard drive, you can use the Boot alternate firmware option located in System > Maintenance > Backup and Restore. This option enables you to have two firmware images, such as FortiOS 3.0 MR7 and FortiOS 4.0, available for downgrading or upgrading. If the upgrade was not successful, go to “Reverting to a previous firmware image” on page 98.

Upgrading to FortiOS 4.0 through the web-based manager

Caution: Always back up your configuration before installing a patch release, upgrading/downgrading firmware, or resetting configuration to factory defaults.

The following procedure describes how to upgrade to FortiOS 4.0 in the web-based manager. Fortinet recommends using the CLI to upgrade to FortiOS 4.0. The CLI upgrade procedure reverts all current firewall configurations to factory default settings.

To upgrade to FortiOS 4.0 through the web-based manager
1 Download the firmware image file to your management computer.
2 Log in to the web-based manager.
3 Go to System > Status and locate the System Information widget.
4 Beside Firmware Version, select Update.
5 Enter the path and filename of the firmware image file, or select Browse and locate the file.

6 Select OK. The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiGate login. This process may take a few minutes.

After logging back in to the web-based manager, you should save the configuration settings that carried forward. Some settings may have carried forward from FortiOS 3.0 MR7, such as certain IPS group settings, while others may not have. Go to System > Maintenance > Backup and Restore to save the configuration settings that carried forward.

When the upgrade is successfully installed:
• ping to your FortiGate unit to verify there is still a connection.
• clear the browser’s cache and log in to the web-based manager.

Note: After upgrading to FortiOS 4.0, perform an “Update Now” to retrieve the latest AV/NIDS signatures from the FortiGuard Distribution Network (FDN), as the signatures included in the firmware may be older than those currently available on the FDN. See the FortiGate Administration Guide for more information about updating AV/NIDS signatures.

Upgrading to FortiOS 4.0 through the CLI

Caution: Always back up your configuration before installing a patch release, upgrading/downgrading firmware, or resetting configuration to factory defaults.

The following procedure uses a TFTP server to upgrade the firmware. The CLI upgrade procedure reverts all current firewall configurations to factory default settings. See the Fortinet Knowledge Center article, Loading FortiGate firmware using TFTP for CLI procedure, for additional information about upgrading firmware in the CLI. The following procedure assumes that you have already downloaded the firmware image to your management computer.

To upgrade to FortiOS 4.0 through the CLI
1 Copy the new firmware image file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and TFTP server are successfully connected.
5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
execute restore image <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image image.out 192.168.1.168
The FortiGate unit responds with a message similar to the following:
This operation will replace the current firmware version! Do you want to continue? (y/n)

6 Type y. The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.
7 Reconnect to the CLI.
8 Enter the following command to confirm the firmware image installed successfully:
get system status
9 To update antivirus and attack definitions from the CLI, enter the following:
execute update-now
If you want to update antivirus and attack definitions from the web-based manager instead, log in to the web-based manager and go to System > Maintenance > FortiGuard.

Verifying the upgrade

After logging back in to the web-based manager, most of your FortiOS 3.0 MR7 configuration settings have been carried forward. You should verify what configuration settings carried forward. For example, if you go to System > Network > Options you can see your DNS settings carried forward from your FortiOS 3.0 MR7 configuration settings. You should also verify that administrative access settings carried forward as well. Verifying your configuration settings allows you to familiarize yourself with the new features and changes in FortiOS 4.0.

You can verify your configuration settings by:
• going through each menu and tab in the web-based manager
• using the show shell command in the CLI.
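Walking every menu is error-prone on a large configuration; comparing the backup taken before the upgrade with a backup taken afterwards shows exactly which settings carried forward, were dropped, or changed. The following added example (not from the guide or from Fortinet) parses two plain-text backups in the FortiOS CLI syntax (config / edit / set / next / end) and reports the differences; both sample configurations are constructed, and the ips group entry that disappears is a hypothetical setting standing in for the IPS group settings the guide warns may not survive.

```python
"""Compare a pre-upgrade FortiGate backup with a post-upgrade one.

Added example, not part of the FortiGate guide or Fortinet tooling.
Assumes unencrypted backups in the FortiOS CLI syntax:
    config <path> / edit "<name>" / set <key> <values> / next / end
"""
from typing import Dict, List, Tuple

# (section path..., key) -> value text as written in the backup
Settings = Dict[Tuple[str, ...], str]


def parse_config(text: str) -> Settings:
    """Flatten a FortiOS-syntax config into {(section path, key): value}."""
    settings: Settings = {}
    stack: List[str] = []          # enclosing config/edit sections
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue               # blank lines and header comments
        words = line.split()
        keyword = words[0]
        if keyword == "config":
            stack.append(" ".join(words[1:]))
        elif keyword == "edit":
            stack.append("edit " + " ".join(words[1:]).strip('"'))
        elif keyword in ("next", "end"):
            if stack:
                stack.pop()        # next closes an edit, end closes a config
        elif keyword in ("set", "unset"):
            key = words[1]
            value = " ".join(words[2:]) if keyword == "set" else "<unset>"
            settings[(*stack, key)] = value
    return settings


def diff_settings(before: Settings, after: Settings):
    """Return (carried, dropped, changed) keyed on the pre-upgrade settings."""
    carried = sorted(k for k in before if after.get(k) == before[k])
    dropped = sorted(k for k in before if k not in after)
    changed = sorted(
        (k, before[k], after[k])
        for k in before if k in after and after[k] != before[k]
    )
    return carried, dropped, changed


def report(before_text: str, after_text: str) -> str:
    """Human-readable summary; dropped and changed settings need a look."""
    carried, dropped, changed = diff_settings(
        parse_config(before_text), parse_config(after_text))
    lines = [f"carried forward: {len(carried)}",
             f"dropped: {len(dropped)}", f"changed: {len(changed)}"]
    for key in dropped:
        lines.append("  dropped  " + " / ".join(key))
    for key, old, new in changed:
        lines.append(f"  changed  {' / '.join(key)}: {old!r} -> {new!r}")
    return "\n".join(lines)


# Constructed sample: backup taken before the upgrade (hypothetical values).
CONFIG_BEFORE = """\
# constructed sample, not a real backup
config system global
    set hostname "fgt-branch"
    set admintimeout 5
end
config system dns
    set primary 192.168.1.10
    set secondary 192.168.1.11
end
config system interface
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
    next
end
config ips group
    edit "default"
        set status enable
    next
end
"""

# Constructed sample: backup taken after the upgrade. The ips group entry is
# gone and ssh was removed from administrative access on "internal".
CONFIG_AFTER = """\
# constructed sample, not a real backup
config system global
    set hostname "fgt-branch"
    set admintimeout 5
end
config system dns
    set primary 192.168.1.10
    set secondary 192.168.1.11
end
config system interface
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https
    next
end
"""

if __name__ == "__main__":
    print(report(CONFIG_BEFORE, CONFIG_AFTER))
```

The same comparison works after a downgrade and restore, with the restored backup as the "after" side.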

Reverting to a previous firmware image

You may need to revert to a previous firmware image (or version, for example, FortiOS 3.0) if the upgrade was not successfully installed. The following procedures describe how to properly downgrade to a previous firmware image using either the web-based manager or CLI, and include steps on how to restore your previous configuration.

The following are included in this topic:
• Downgrading to a previous firmware through the web-based manager
• Downgrading to a previous firmware through the CLI
• Restoring your configuration

Downgrading to a previous firmware through the web-based manager

Caution: Always back up your configuration before installing a patch release, upgrading/downgrading, or when resetting to factory defaults.

When downgrading to a previous firmware, only the following settings are retained:
• operation mode
• Interface IP/Management IP
• route static table
• DNS settings
• VDOM parameters/settings
• admin user account
• session helpers
• system accprofiles.

If you created additional settings in FortiOS 4.0, make sure to back up the current configuration before downgrading. For more information, see “Backing up your configuration” on page 92.

To downgrade through the web-based manager
1 Go to System > Status and locate the System Information widget.
2 Beside Firmware Version, select Update.
3 Enter the path and filename of the firmware image file, or select Browse and locate the file.
4 Select OK. The following message appears:
This version will downgrade the current firmware version. Are you sure you want to continue?
5 Select OK. The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiGate login. This process takes a few minutes.
6 Log in to the web-based manager. Go to System > Status to verify that the firmware version under System Information has changed to the correct firmware.

Verifying the downgrade

After successfully downgrading to a previous firmware, verify your connections and settings. The downgrade may change your configuration settings to default settings. For example, if you are unable to connect to the web-based manager, make sure your administration access settings and internal network IP address are correct.

Downgrading to a previous firmware through the CLI

Caution: Always back up your configuration before installing a patch release, upgrading/downgrading, or when resetting to factory defaults.

When downgrading to a previous firmware, only the following settings are retained:
• operation mode
• Interface IP/Management IP
• route static table
• DNS settings
• VDOM parameters/settings
• admin user account
• session helpers
• system accprofiles.

If you have created additional settings in FortiOS 4.0, make sure you back up your configuration before downgrading. For more information, see “Backing up your configuration” on page 92.

The following procedure assumes that you have already downloaded the firmware image to your management computer.

To downgrade through the CLI
1 Copy the new firmware image file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and TFTP server are successfully connected.
5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
execute restore image tftp <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image tftp image.out 192.168.1.168
The FortiGate unit responds with the message:
This operation will replace the current firmware version! Do you want to continue? (y/n)

6 Type y. The FortiGate unit uploads the firmware image file. After the file uploads, a message similar to the following is displayed:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version! Do you want to continue? (y/n)
7 Type y. The FortiGate unit reverts to the old firmware version, resets the configuration to factory defaults, and restarts. This process takes a few minutes.
8 Reconnect to the CLI. After the FortiGate unit uploads the firmware, you need to reconfigure your IP address since the FortiGate unit reverts to default settings, including its default IP address. See your install guide for configuring IP addresses.
9 Enter the following command to confirm the firmware image installed successfully:
get system status

See “Restoring your configuration” on page 101 to restore your previous configuration settings.

Restoring your configuration

Your configuration settings may not carry forward after downgrading to a previous firmware. You can restore your configuration settings for a previous firmware with the configuration file you saved before upgrading to FortiOS 4.0. You can also use the following procedures for restoring your configuration after installing a current patch release or maintenance release.

Restoring your configuration settings in the web-based manager

The following procedure restores your previous firmware configuration settings in the web-based manager.

To restore configuration settings in the web-based manager
1 Log in to the web-based manager.
2 Go to System > Maintenance > Backup & Restore.
3 Select to restore the configuration from either a Local PC, FortiManager or FortiGuard (if your FortiGate unit is configured for FortiGuard Analysis and Management Service).
4 If required, enter your password for the configuration file.
5 Enter the location of the file or select Browse to locate the file.
6 Select Restore. The FortiGate unit restores the configuration settings. This may take a few minutes since the FortiGate unit will reboot. You can verify that the configuration settings are restored by logging in to the web-based manager and going through the various menus and tabs.

Restoring your configuration settings in the CLI

The following procedure restores your previous firmware configuration settings in the CLI.

To restore configuration settings in the CLI
1 Copy the backed-up configuration file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and TFTP server are successfully connected.

5 Enter the following command to copy the backed-up configuration file from the TFTP server and restore it on the FortiGate unit:
execute restore allconfig <name_str> <tftp_ipv4> <passwrd>
Where <name_str> is the name of the backed-up configuration file, <tftp_ipv4> is the IP address of the TFTP server, and <passwrd> is the password you entered when you backed up your configuration settings. For example, if the backed-up configuration file is confall, the IP address of the TFTP server is 192.168.1.168, and the password is ghrffdt123, enter:
execute restore allconfig confall 192.168.1.168 ghrffdt123
The FortiGate unit responds with the message:
This operation will overwrite the current settings and the system will reboot! Do you want to continue? (y/n)
6 Type y. The FortiGate unit uploads the backed-up configuration file. After the file uploads, a message similar to the following is displayed:
Getting file confall from tftp server 192.168.1.168
## Restoring files...
All done. Rebooting...
This may take a few minutes. Use the CLI show shell command to verify your settings are restored, or log in to the web-based manager.

Using virtual domains

This section describes virtual domains (VDOMs) along with some of their benefits, and how to use VDOMs to operate your FortiGate unit as multiple virtual units. To get started working with virtual domains, see “Enabling VDOMs” on page 108.

This section describes:
• Virtual domains
• Enabling VDOMs
• Configuring global and VDOM resource limits
• Configuring VDOMs and global settings

Virtual domains

Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. A single FortiGate unit is then flexible enough to serve multiple departments of an organization, separate organizations, or to act as the basis for a service provider’s managed security service. Using VDOMs can also simplify administration of complex configurations because you do not have to manage as many routes or firewall policies at one time.

By default, each FortiGate unit has a VDOM named root. This VDOM includes all of the FortiGate physical interfaces, modem, VLAN subinterfaces, zones, firewall policies, routing settings, and VPN settings. If you enable VDOMs on the FortiGate unit, you configure virtual domains globally for the FortiGate unit.

Management systems such as SNMP, logging, alert email, FDN-based updates and NTP-based time setting use addresses and routing in the management VDOM to communicate with the network. They can connect only to network resources that communicate with the management virtual domain. The management VDOM is set to root by default, but you can change it. For more information, see “Changing the management VDOM” on page 116.

Benefits of VDOMs

Some benefits of VDOMs are:
• Easier administration
• Continued security maintenance
• Savings in physical space and power

Easier administration

VDOMs provide separate security domains that allow separate zones, user authentication, firewall policies, routing, and VPN configurations. Also you can assign an administrator account restricted to that VDOM. If the VDOM is created to serve an organization, this feature enables the organization to manage its own configuration. For more information, see “VDOM configuration settings” on page 104.

By default, administrator permissions are specific to one VDOM. An admin on one VDOM cannot change information on another VDOM. Any configuration changes, and potential errors, will apply only to that VDOM and limit potential down time. Without VDOMs, administrators can easily access settings across the FortiGate unit. This can lead to security issues or far-reaching configuration errors.

Continued security maintenance

When a packet enters a VDOM, it is confined to that VDOM. In a VDOM, you can create firewall policies for connections between VLAN subinterfaces or zones in the VDOM. Packets do not cross the virtual domain border internally. To travel between VDOMs, a packet must pass through a firewall on a physical interface. The packet then arrives at another VDOM on a different interface, but it must pass through another firewall before entering the VDOM. Both VDOMs are on the same FortiGate unit. Inter-VDOMs change this behavior in that they are internal interfaces; however their packets go through all the same security measures as on physical interfaces. For more information on VDOMs, see the FortiGate VLANs and VDOMs Guide.

Savings in physical space and power

Increasing VDOMs involves no extra hardware, no shipping, and very few changes to existing networking. They take no extra physical space—you are limited only by the size of the license you buy for your VDOMs.

By default, most FortiGate units support a maximum of 10 VDOMs in any combination of NAT/Route and Transparent modes. For high-end FortiGate models, you can purchase a license key to increase the maximum number of VDOMs to 25, 50, 100 or 250. For more information see “VDOM licenses” on page 109. If virtual domain configuration is enabled and you log in as the default super_admin, you can go to System > Status and look at Virtual Domain in the License Information section to see the maximum number of virtual domains supported on your FortiGate unit.

Note: During configuration on a FortiAnalyzer unit, VDOMs count toward the maximum number of FortiGate units allowed by the FortiAnalyzer unit’s license. The total number of devices registered can be seen on the FortiAnalyzer unit’s System Status page under License Information.

VDOM configuration settings

To configure and use VDOMs, you must enable virtual domain configuration. For more information, see “Enabling VDOMs” on page 108.

You can configure a VDOM by adding VLAN subinterfaces, zones, firewall policies, routing settings, and VPN settings. You can also move physical interfaces from the root VDOM to other VDOMs and move VLAN subinterfaces from one VDOM to another. For more information on VLANs, see “VLAN overview” on page 150. The operating mode, NAT/Route or Transparent, can be selected independently for each VDOM.

The remainder of the FortiGate unit’s functionality is global—it applies to all VDOMs on the unit. This means there is one intrusion prevention configuration, one antivirus configuration, one web filter configuration, one protection profile configuration, and so on. VDOMs also share firmware versions, as well as antivirus and attack databases. For a complete list of shared configuration settings, see “Global configuration settings” on page 107.

The following configuration settings are exclusively part of a virtual domain and are not shared between virtual domains. A regular VDOM administrator sees only these settings. The default super_admin can also access these settings, but must first select which VDOM to configure.

Table 6: VDOM configuration settings
Configuration | Object | For more information, see
System | Network Zone | “Configuring zones” on page 138
System | Network Web Proxy | “Web Proxy” on page 147
System | Network Routing Table (Transparent mode) | “Routing table (Transparent Mode)” on page 149
System | Network Modem | “Configuring the modem interface” on page 139
System | Wireless Settings | “Wireless settings” on page 162
System | Wireless MAC Filter | “Wireless MAC Filter” on page 165
System | Wireless Monitor | “Wireless Monitor” on page 167
System | Wireless Rogue AP | “Rogue AP detection” on page 168
System | DHCP service | “Configuring DHCP services” on page 172
System | DHCP Address Leases | “Viewing address leases” on page 175
System | Config Operation mode (NAT/Route or Transparent) | “Changing operation mode” on page 206
System | Config Management IP (Transparent mode) | “Changing operation mode” on page 206
Router | Static | “Router Static” on page 277
Router | Dynamic | “Router Dynamic” on page 289
Router | Monitor | “Router Monitor” on page 315
Firewall | Policy | “Firewall Policy” on page 319
Firewall | Address | “Firewall Address” on page 345
Firewall | Service | “Firewall Service” on page 351
Firewall | Schedule | “Firewall Schedule” on page 361
Firewall | Virtual IP | “Firewall Virtual IP” on page 365
Firewall | Virtual IP Group | “Virtual IP Groups” on page 380
Firewall | Virtual IP, IP pool | “IP pools” on page 381
Firewall | Load Balance | “Firewall Load Balance” on page 389
Firewall | Protection Profile | “Firewall Protection Profile” on page 397
UTM | AntiVirus File Filter | “File Filter” on page 443
UTM | Intrusion Protection | “Intrusion Protection” on page 455
UTM | Web Filter | “Web Filter” on page 475
UTM | AntiSpam | “Antispam” on page 495
UTM | Data Leak Prevention | “Data Leak Prevention” on page 511

Table 6: VDOM configuration settings (Continued)
Configuration | Object | For more information, see
UTM | Application Control | “Application Control” on page 523
VPN | IPSec | “IPSec VPN” on page 531
VPN | PPTP | “PPTP VPN” on page 547
VPN | SSL | “SSL VPN” on page 551
User | Local | “Local user accounts” on page 568
User | Remote | “Remote” on page 571
User | Directory Service | “Directory Service” on page 579
User | PKI | “PKI” on page 581
User | User Group | “User Group” on page 583
User | Options | “Settings” on page 228
User | Monitor | “Monitoring administrators” on page 229
Log&Report | Logging configuration | “FortiGate logging” on page 647 (Memory only)
Log&Report | Alert E-mail | “Configuring Alert Email” on page 672 (Send alert email for the following)
Log&Report | Event Log | “Event log” on page 659
Log&Report | Log access | “Accessing Logs” on page 662 (Memory only)
Log&Report | Content Archive | “Content Archive” on page 667
Log&Report | Report Access | “Reports” on page 673

Global configuration settings

The following configuration settings affect all virtual domains. When virtual domains are enabled, only accounts with the default super_admin profile can access global settings.

Table 7: Global configuration settings
Configuration | Object | For more information, see
System | Status System Time | “Configuring system time” on page 78
System | Status Host name | “Changing the FortiGate unit host name” on page 78
System | Status Firmware version | “Upgrading to a new firmware version” on page 80 (System Status page) or “Managing firmware versions” on page 91, where applicable
System | Network Interfaces and VLAN subinterfaces | “Interfaces” on page 119 and “VLAN overview” on page 150 (You configure interfaces as part of the global configuration but each interface and VLAN subinterface belongs to a VDOM. You add interfaces to VDOMs as part of the global configuration.)
System | Network Options DNS | “DNS Servers” on page 146
System | Network Options Dead gateway detection | “Dead gateway detection” on page 146
System | Admin Settings Idle and authentication time-out | “Settings” on page 228 and “Getting started - User authentication” on page 567
System | Admin Settings Web-based manager language | “Settings” on page 228
System | Admin Settings LCD panel PIN | “Settings” on page 228
System | Wireless Settings | “Wireless settings” on page 162

Table 7: Global configuration settings (Continued)
Configuration | Object | For more information, see
System | Wireless MAC Filter | “Wireless MAC Filter” on page 165
System | Wireless Monitor | “Wireless Monitor” on page 167
System | Wireless Rogue AP | “Rogue AP detection” on page 168
System | Config HA | “HA” on page 177
System | Config SNMP | “SNMP” on page 185
System | Config Replacement messages | “Replacement messages” on page 194
System | Admin Administrators | “Administrators” on page 209 (You can add global administrators. You can also add administrators to VDOMs. VDOM administrators cannot add or configure administrator accounts.)
System | Admin Admin profiles | “Admin profiles” on page 222
System | Admin Central Management configuration | “Central Management” on page 226
System | Certificates | “System Certificates” on page 243
System | Configuration backup and restore | “Backing up and restoring” on page 254
System | Scripts | “Using script files” on page 262
System | FDN update configuration | “FortiGuard Distribution Network” on page 264
UTM | AntiVirus | “AntiVirus” on page 439
Log&Report | Log Configuration | “FortiGate logging” on page 647 (Remote and Syslog)
Log&Report | Alert E-mail | “Configuring Alert Email” on page 672 (Alert email account settings.)
Log&Report | Report Config | “Reports” on page 673
Log&Report | Report Access | “Reports” on page 673

Enabling VDOMs

Using the default admin administration account, you can enable multiple VDOM operation on the FortiGate unit.

To enable virtual domains
1 Log in to the web-based manager on a super_admin profile account.
2 Go to System > Status.
3 In System Information, next to Virtual Domain select Enable. The FortiGate unit logs you off. You can now log in again as admin.

Alternatively, through the CLI, enter:
config system global
    set vdom-admin enable
end

When virtual domains are enabled, the web-based manager and the CLI are changed as follows:

• Global and per-VDOM configurations are separated.
• Only super_admin profile accounts can view or configure global options.
• Super_admin profile accounts can configure all VDOM configurations.
• A new VDOM entry appears under the System option, and a new Global option appears. Selecting Global exits the current VDOM.
• There is no operation mode selection at the Global level.
• When virtual domains are enabled, the current virtual domain is displayed at the bottom left of the screen, in the format Current VDOM: <name of the virtual domain>.
• Within a VDOM, reduced dashboard menu options are available.

Configuring VDOMs and global settings
A VDOM is not useful unless it contains at least two physical interfaces or virtual subinterfaces for incoming and outgoing traffic.

One or more administrators can be set up for each VDOM; however, these admin accounts cannot edit settings for any VDOMs for which they are not set up. Availability of the associated tasks depends on the permissions of the admin. If you are using a super_admin profile account, you can perform all tasks. If you are using a regular admin account, the tasks available to you depend on whether you have read only or read/write permissions. Table 8 shows which roles can perform which tasks.

Table 8: Admin VDOM permissions (task: regular administrator account with read only permission / regular administrator account with read/write permission / super_admin profile administrator account)
View global settings: yes / yes / yes
Configure global settings: no / no / yes
Create or delete VDOMs: no / no / yes
Configure multiple VDOMs: no / no / yes
Assign interfaces to a VDOM: no / no / yes
Create VLANs: no / yes - for 1 VDOM / yes - for all VDOMs
Assign an administrator to a VDOM: no / yes - for 1 VDOM / yes - for all VDOMs
Create additional admin accounts: no / no / yes
Create and edit protection profiles: no / yes - for 1 VDOM / yes - for all VDOMs

VDOM licenses
All FortiGate units, except the 30B, support 10 VDOMs by default. High-end FortiGate models support the purchase of a VDOM license key from customer service to increase their maximum allowed VDOMs to 25, 50, 100, 250, or 500. Configuring 250 or more VDOMs will result in reduced system performance.

Table 9: VDOM support by FortiGate model (model: support VDOMs / default VDOM maximum / maximum VDOM license)
30B: no / 0 / 0
Low and mid-range models: yes / 10 / 10
High-end models: yes / 10 / 500

Note: Your FortiGate unit has limited resources that are divided amongst all configured VDOMs. These resources include system memory and CPU. When running 250 or more VDOMs, you cannot run Unified Threat Management (UTM) features such as proxies, web filtering, or antivirus; your FortiGate unit can only provide basic firewall functionality.

When using multiple VDOMs, it can be useful to assign fewer resources to some VDOMs and more resources to others. This VDOM resource management will result in better FortiGate unit performance. For more information, see “VDOM resource limits” on page 117.

Note: VDOMs created on a registered FortiGate unit are recognized as real devices by any connected FortiAnalyzer unit. The FortiAnalyzer unit includes VDOMs in its total number of registered devices. For example, if three FortiGate units are registered on the FortiAnalyzer unit and they contain a total of four VDOMs, the total number of registered FortiGate units on the FortiAnalyzer unit is seven. For more information, see the FortiAnalyzer Administration Guide.

To obtain a VDOM license key
1 Log in to your FortiGate unit using the admin account. Other accounts such as other super_admin profile accounts may also have sufficient privileges to install VDOM licenses.
2 Go to System > Status.
3 Record your FortiGate unit serial number as shown in “System Information” on page 65.
4 Under License Information > Virtual Domains, select Purchase More.
Tip: If you do not have a System > Maintenance > License tab, your FortiGate model does not support more than 10 VDOMs.
5 You will be taken to the Fortinet customer support web site where you can log in and purchase a license key for 25, 50, 100, 250, or 500 VDOMs.
6 When you receive your license key, go to System > Maintenance > License.
7 In the License Key field, enter the 32-character license key you received from Fortinet customer support.
8 Select Apply.
To verify the new VDOM license, go to System > Status under Global Configuration. In the License Information area Virtual Domains, VDOMs Allowed shows the maximum number of VDOMs allowed.

Creating a new VDOM
By default, every FortiGate unit has a root VDOM that is visible when VDOMs are enabled. To use additional VDOMs, you must first create them.

VDOM names have the following restrictions:
• Only letters, numbers, “-”, and “_” are allowed.
• A name cannot contain spaces.
• A name can have no more than 11 characters.
• VDOMs cannot have the same names as interfaces, zones, switch interfaces, or other VDOMs.

Note: The VDOM names vsys_ha and vsys_fgfm are in use by the FortiGate unit. If you attempt to name a new VDOM vsys_ha or vsys_fgfm, the FortiGate unit will generate an error.

Note: When creating 250 or more VDOMs, you cannot enable UTM features such as proxies, web filtering, and antivirus due to limited resources. Also, when creating large numbers of VDOMs, you may experience reduced performance. To improve performance with multiple VDOMs, see “VDOM resource limits” on page 117.

Figure 46: New Virtual Domain

To create a new VDOM
1 Log in as a super_admin profile admin.
2 Ensure VDOMs are enabled. For more information, see “Enabling VDOMs” on page 108.
3 Go to System > VDOM.
4 Select Create New.
5 Enter a name for the new VDOM, up to a maximum of 11 characters. This name cannot be changed.
6 Optionally enter a comment for the VDOM, up to a maximum of 63 characters.
7 Select OK.

Working with VDOMs and global settings
When you log in as admin and virtual domains are enabled, the FortiGate unit is automatically in global configuration, as demonstrated by the appearance of the VDOM option under System. To work with virtual domains, select System > VDOM.

Figure 47: VDOM list (callouts: Disabled VDOM, Management VDOM)

Create New: Select to add a new VDOM. Enter the new VDOM name and select OK. The VDOM must not have the same name as an existing VDOM, VLAN or zone. The VDOM name can have a maximum of 11 characters and must not contain spaces.
Management Virtual Domain: Change the management VDOM to the selected VDOM in the list. The management VDOM is then grayed out in the Enable column. The default management VDOM is root. For more information, see “Changing the management VDOM” on page 116.
Apply: Select to save your changes to the Management VDOM.
Enable: There are three states this column can be in.
  • A green check mark indicates this VDOM is enabled, and that you can select the Enter icon to change to that VDOM.
  • An empty check box indicates this VDOM is disabled. When disabled, the configuration of that VDOM is preserved. The Enter icon is not available.
  • A grayed-out check box indicates this VDOM is the management VDOM. It cannot be deleted or changed to disabled; it is always active.
Name: The name of the VDOM.
Operation Mode: The VDOM operation mode, either NAT or Transparent. When a VDOM is in Transparent mode, SNMP can display the management address, address type and subnet mask for that VDOM. For more information, see “SNMP” on page 185.
Interfaces: The interfaces associated with this VDOM, including virtual interfaces. Every VDOM includes an SSL VPN virtual interface named for that VDOM. For the root VDOM this interface is ssl.root.
Comments: Comments added by an admin when this VDOM was created.
Delete icon: Delete the VDOM. The Delete icon appears only when there are no configuration objects associated with that VDOM. For example, you must remove all referring interfaces, profiles, and so on before you can delete the VDOM. If the icon does not appear and you do not want to delete all the referring configuration, you can disable the VDOM instead. The disabled VDOM configuration remains in memory, but the VDOM is not usable until it is enabled.
Edit icon: Change the description of the VDOM. The name of the VDOM cannot be changed.
Enter icon: Enter the selected VDOM. After entering a VDOM you will only be able to view and change settings specific to that VDOM.


Adding interfaces to a VDOM
A VDOM must contain at least two interfaces to be useful. These can be physical or virtual interfaces such as VLAN subinterfaces. By default, all physical interfaces are in the root virtual domain. VLAN subinterfaces often need to be in a different VDOM than their physical interface. To do this, the super administrator must first create the VDOM, create the VLAN subinterface, and then assign the VLAN to the correct VDOM. VDOMs can only be added in global settings, and not within VDOMs. For information on creating VLAN subinterfaces, see “Adding VLAN subinterfaces” on page 153.

Inter-VDOM links
An inter-VDOM link is a pair of interfaces that enable you to communicate between two VDOMs internally without using a physical interface. Inter-VDOM links have the same security as physical interfaces, but allow more flexible configurations that are not limited by the number of physical interfaces on your FortiGate unit. As with all virtual interfaces, the speed of the link depends on the CPU load, but generally it is faster than physical interfaces. There are no MTU settings for inter-VDOM links. DHCP support includes inter-VDOM links.

A packet can pass through an inter-VDOM link a maximum of three times. This is to prevent a loop. When traffic is encrypted or decrypted, it changes the content of the packets and this resets the inter-VDOM counter. However, using IPIP or GRE tunnels does not reset the counter.

In HA mode, inter-VDOM links must have both ends of the link within the same virtual cluster. DHCP over IPSec is supported for inter-VDOM links; however, regular DHCP services are not available.

To view inter-VDOM links, go to System > Network > Interface. When an inter-VDOM link is created, it automatically creates a pair of virtual interfaces that correspond to the two internal VDOMs. Each of the virtual interfaces is named using the inter-VDOM link name with an added “0” or “1”. So if the inter-VDOM link is called “vlink” the interfaces are “vlink0” and “vlink1”. Select the Expand Arrow beside the VDOM link to display the virtual interfaces.

Note: Inter-VDOM links cannot refer to a domain that is in transparent mode.

Figure 48: VDOM link interfaces

To create an inter-VDOM link
1 Log in as admin.
2 Go to System > Network > Interface.
3 Select the arrow on the Create New button.
4 Select VDOM link. You will see the New VDOM Link screen.

Figure 49: New VDOM link

5 Enter the name for the new VDOM link, up to a maximum of 11 characters. The name must not contain any spaces or special characters. Hyphens (“-”) and underlines (“_”) are allowed. Remember that the name will have a “0” or “1” attached to the end for the actual interfaces.
6 Configure VDOM link “0”.
7 Select the VDOM from the menu that this interface will connect to.
8 Enter the IP address and netmask for this interface.
9 Select the administrative access method or methods. Keep in mind that PING, TELNET, and HTTP are less secure methods.
10 Optionally enter a description for this interface.
11 Repeat steps 7 through 10 for VDOM link “1”.
12 Select OK to save your configuration and return to the System > Interface screen.
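The naming rules for VDOMs (under “Creating a new VDOM”) and for VDOM links (step 5 above), together with the three-pass limit on inter-VDOM links, can be checked before a change is entered on the unit. The following Python is an added example, not code from this guide or from FortiOS; the hop labels and the sample packet paths are constructed for illustration.

```python
"""Offline checks for VDOM naming and inter-VDOM link behaviour (added example).

Rules encoded from this guide: VDOM and VDOM link names may use only letters,
numbers, "-" and "_", contain no spaces and be at most 11 characters; vsys_ha and
vsys_fgfm are reserved; a VDOM name may not match an interface, zone, switch
interface or another VDOM; a link named "vlink" creates interfaces "vlink0" and
"vlink1"; a packet may pass through inter-VDOM links at most three times, and an
IPsec encrypt/decrypt resets that counter while IPIP/GRE tunnels do not.
"""
import re
from typing import Iterable, List, Optional, Tuple

NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,11}")
RESERVED_VDOM_NAMES = {"vsys_ha", "vsys_fgfm"}   # in use by the FortiGate unit
MAX_LINK_PASSES = 3                               # inter-VDOM link loop guard


def vdom_name_error(name: str, existing_names: Iterable[str] = ()) -> Optional[str]:
    """Return why `name` is not acceptable for a new VDOM, or None if it is.

    `existing_names` holds the names already taken by interfaces, zones,
    switch interfaces and VDOMs on the unit.
    """
    if not NAME_RE.fullmatch(name):
        return "only letters, numbers, '-' and '_' are allowed, max 11 characters, no spaces"
    if name in RESERVED_VDOM_NAMES:
        return f"{name} is reserved for use by the FortiGate unit"
    if name in set(existing_names):
        return f"{name} is already used by an interface, zone, switch interface or VDOM"
    return None


def link_interface_names(link_name: str) -> Tuple[str, str]:
    """Names of the two virtual interfaces an inter-VDOM link creates."""
    if not NAME_RE.fullmatch(link_name):
        raise ValueError("link name: letters, numbers, '-' and '_' only, max 11 characters")
    return link_name + "0", link_name + "1"


# Hop kinds for a constructed packet path through the unit; the labels are this
# example's own, not FortiOS names.
VDOM_LINK = "vdom-link"     # crossing an inter-VDOM link: counts one pass
IPSEC = "ipsec"             # encrypt or decrypt changes the packet and resets the counter
TUNNEL = "ipip-or-gre"      # IPIP/GRE tunnel: does not reset the counter
PHYSICAL = "physical"       # ordinary interface hop: no effect on the counter


def trace_link_passes(path: List[str]) -> Tuple[bool, int]:
    """Walk `path` and apply the three-pass rule.

    Returns (forwarded, passes): passes is the counter value at the end of the
    path, or the value that exceeded MAX_LINK_PASSES when forwarded is False.
    """
    passes = 0
    for hop in path:
        if hop == VDOM_LINK:
            passes += 1
            if passes > MAX_LINK_PASSES:
                return False, passes
        elif hop == IPSEC:
            passes = 0
        # TUNNEL and PHYSICAL hops leave the counter untouched
    return True, passes


if __name__ == "__main__":
    taken = ["port1", "port2", "dmz", "root"]           # constructed existing names
    for candidate in ("cust_a", "vsys_ha", "branch office", "root"):
        print(f"{candidate!r}: {vdom_name_error(candidate, taken) or 'ok'}")
    print(link_interface_names("vlink"))                # ('vlink0', 'vlink1')
    chained = [VDOM_LINK, VDOM_LINK, TUNNEL, VDOM_LINK, VDOM_LINK]
    print("GRE between four link crossings:", trace_link_passes(chained))   # (False, 4)
    reset = [VDOM_LINK, VDOM_LINK, IPSEC, VDOM_LINK, VDOM_LINK]
    print("IPsec between them:", trace_link_passes(reset))                  # (True, 2)
```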

Assigning an interface to a VDOM
The following procedure describes how to reassign an existing interface from one virtual domain to another. It assumes VDOMs are enabled and more than one VDOM exists. You cannot delete a VDOM if it is used in any configurations. For example, if an interface is assigned to that VDOM, you cannot delete the VDOM. You cannot remove an interface from a VDOM if the interface is included in any of the following configurations:
• DHCP server
• zone
• routing
• firewall policy
• IP pool
• proxy arp (only accessible through the CLI).


Before removing these configurations, it is recommended that you back up your configuration, so you can restore it if you want to create this VDOM at a later date. Delete the items in this list or modify them to remove the interface before proceeding.
Note: You can reassign or remove an interface or subinterface once the Delete icon is displayed. Absence of the icon means that the interface is being used in a configuration somewhere.

Tip: You can disable a VDOM instead of deleting it. Your configuration will be preserved, saving time you would otherwise need to remove and reconfigure it.

To assign an interface to a VDOM
1 Log in as admin.
2 Go to System > Network > Interface.
3 Select Edit for the interface that you want to reassign.
4 Select the new virtual domain for the interface.
5 Configure other settings as required and select OK. For more information, see “Interface settings” on page 123.
The interface is assigned to the VDOM. Existing firewall IP pools and virtual IP addresses for this interface are deleted. You should manually delete any routes that include this interface, and create new routes for this interface in the new VDOM. Otherwise your network traffic will not be properly routed. For more information on creating static routes, see “Router Static” on page 277.

Assigning an administrator to a VDOM
If you are creating a VDOM to serve an organization that will be administering its own resources, you need to create an administrator account for that VDOM. A VDOM admin can change configuration settings within that VDOM but cannot make changes that affect other VDOMs on the FortiGate unit. A regular administrator assigned to a VDOM can log in to the web-based manager or the CLI only on interfaces that belong to that VDOM. The super administrator can connect to the web-based manager or CLI through any interface on the FortiGate unit that permits management access. Only the super administrator or a regular administrator of the root domain can log in by connecting to the console interface.
Note: If an admin account is assigned to a VDOM, that VDOM cannot be deleted until that account is assigned to another VDOM or removed.

To assign an administrator to a VDOM
1 Log in as the super_admin.
2 Ensure that virtual domains are enabled. For more information, see “Enabling VDOMs” on page 108.
3 Go to System > Admin > Administrators.
4 Create a new administrator account or select the Edit icon of an existing administrator account.
5 Go to the Virtual Domain list.
6 Select the VDOM that this administrator manages. Administrators are assigned to a specific VDOM when the account is created unless they are super_admin administrators. For more information, see “Configuring an administrator account” on page 212.
7 Configure other settings as required. For detailed information, see “Configuring an administrator account” on page 212.
8 Select OK.

Changing the management VDOM
The management VDOM on your FortiGate unit is where some default types of traffic originate, including:
• SNMP
• logging
• alert email
• FDN-based updates
• NTP-based time setting.

Before you change the management VDOM, ensure that virtual domains are enabled on the system dashboard screen. For more information, see “Enabling VDOMs” on page 108. Only one VDOM can be the management VDOM at any given time. Global events are logged with the VDOM set to the management VDOM.
Note: You cannot change the management VDOM if any administrators are using RADIUS authentication.

To change the management VDOM
1 Go to System > VDOM.
2 From the list of VDOMs, select the VDOM to be the new management VDOM. This list is located to the immediate left of the Apply button.
3 Select Apply to make the change. At the prompt, confirm the change.
Management traffic will now originate from the new management VDOM.

Configuring global and VDOM resource limits
FortiGate units have upper limits for resources such as firewall policies, protection profiles and VPN tunnels. These limits vary by model. In general, the more VDOMs the FortiGate unit supports, the greater the impact on resource limits. In previous releases of FortiOS, maximum values for resources belonging to virtual domains (VDOMs) applied equally to each VDOM. Maximums for system-wide (global) resources applied globally and the resources were equally accessible to each VDOM. If you are a super administrator, you can control resource allocation to each VDOM. This limits the impact of each VDOM on other VDOMs due to resource competition. Also, you can set global resource limits to control the impact of various features on system performance.


Note: The resource limits vary for different FortiGate models. The resource limits are increased when two or more FortiGates are in HA mode due to the increased resources that are available to the HA cluster.

VDOM resource limits
You can configure VDOM resource limits when you create a new VDOM or edit an existing VDOM. These resource limits are restricted by the FortiGate global limits in that the total of each resource across all VDOMs cannot exceed the global limit. You can optionally set a guaranteed minimum level of resources that will be available to the VDOM. This will ensure that other VDOMs do not use all of an available resource.

To configure VDOM resource limits
1 Go to System > VDOM.
2 Select Create New, enter a name and then select OK, or select the Edit icon of an existing VDOM.
3 Modify the values described in the table below as required.
4 Select OK.

Figure 50: Configuring VDOM resource limits

Resource: Description of the resource.
Maximum: Enter the maximum amount of the resource allowed for this VDOM. This amount might not be available due to usage of this resource type by other VDOMs.
Guaranteed: Enter the minimum amount of the resource available to this VDOM regardless of usage by other VDOMs.
Current: The amount of the resource that this VDOM currently uses.


If you enter a value that is not valid, the web-based manager displays the range of valid values.

Global resource limits
To ensure system performance, you can set global resource limits that are less than the maximums set by your unit’s hardware. Your configured maximum value for any resource must be greater than amount of the resource already in use and greater than the sum of all VDOM guaranteed resource values. To view or set global resource limits, go to System > VDOM > Global Resources. Select the Edit icon to change any settings.
Figure 51: Configuring global resource limits

Resource: Description of the resource.
Configured Maximum: The maximum amount of the resource allowed. This amount matches the default maximum until you change it.
Default Maximum: The default maximum value for this resource. This value depends on the unit hardware limitations.
Current Usage: The amount of the resource currently in use.
Edit icon: Change the configured maximum for this resource. The Edit Global Resource Limits dialog box lists the valid range of values for the configured maximum. For some resources, you can set the maximum to zero to set no limit.
Reset icon: Reset the configured maximum to the default maximum value.
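The rules in “VDOM resource limits” and “Global resource limits” can be checked against a planned allocation before it is entered on the unit, which is useful when many VDOMs share one resource. The following Python is an added example, not code from this guide or from FortiOS; the resource name, its default maximum and the per-VDOM figures are constructed sample values.

```python
"""Pre-flight check of a planned resource allocation against the limits this guide
describes (added example).

Rules encoded: the global configured maximum must be greater than the amount of
the resource already in use and greater than the sum of all VDOM guaranteed
values; it cannot exceed the unit's default maximum; a VDOM maximum cannot exceed
the global limit; and for some resources a configured maximum of 0 means no limit.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class GlobalResource:
    name: str
    default_max: int                  # "Default Maximum": the unit's hardware limit
    configured_max: int               # "Configured Maximum" as set by the super admin
    in_use: int                       # "Current Usage" across all VDOMs
    zero_is_unlimited: bool = False   # True for resources where 0 means no limit


@dataclass
class VdomLimit:
    vdom: str
    maximum: int                      # "Maximum" in the VDOM resource limits dialog
    guaranteed: int                   # "Guaranteed" minimum reserved for this VDOM
    current: int = 0                  # "Current" usage by this VDOM


def effective_global_max(res: GlobalResource) -> int:
    """The limit actually enforced: the default maximum when 0 means no limit."""
    if res.zero_is_unlimited and res.configured_max == 0:
        return res.default_max
    return res.configured_max


def check_allocation(res: GlobalResource, vdoms: List[VdomLimit]) -> List[str]:
    """Return every rule violation for one resource; an empty list means the plan is valid."""
    problems: List[str] = []
    limit = effective_global_max(res)
    guaranteed_total = sum(v.guaranteed for v in vdoms)

    # Global resource limits
    if res.configured_max > res.default_max:
        problems.append(f"{res.name}: configured maximum {res.configured_max} "
                        f"exceeds default maximum {res.default_max}")
    if limit <= res.in_use:
        problems.append(f"{res.name}: configured maximum {limit} is not greater "
                        f"than current usage {res.in_use}")
    if limit <= guaranteed_total:
        problems.append(f"{res.name}: configured maximum {limit} is not greater "
                        f"than the sum of VDOM guarantees ({guaranteed_total})")

    # VDOM resource limits
    for v in vdoms:
        if v.maximum > limit:
            problems.append(f"{res.name}/{v.vdom}: maximum {v.maximum} exceeds global limit {limit}")
        if v.guaranteed > v.maximum:   # assumption: a guarantee above the VDOM's own maximum is meaningless
            problems.append(f"{res.name}/{v.vdom}: guaranteed {v.guaranteed} exceeds maximum {v.maximum}")
        if v.current > v.maximum:
            problems.append(f"{res.name}/{v.vdom}: current usage {v.current} exceeds maximum {v.maximum}")
    return problems


def oversubscription(res: GlobalResource, vdoms: List[VdomLimit]) -> int:
    """How far the VDOM maximums together exceed the global limit (0 if they fit).

    Oversubscription is permitted: a VDOM maximum "might not be available due to
    usage of this resource type by other VDOMs"; only the guarantees are reserved.
    """
    return max(0, sum(v.maximum for v in vdoms) - effective_global_max(res))


if __name__ == "__main__":
    # Constructed sample figures; the unit's real defaults vary by model.
    policies = GlobalResource("firewall policies", default_max=5000, configured_max=2000, in_use=850)
    plan = [VdomLimit("root", maximum=1200, guaranteed=500, current=600),
            VdomLimit("cust_a", maximum=1000, guaranteed=300, current=250)]
    print(check_allocation(policies, plan) or "plan is valid")
    print("oversubscribed by", oversubscription(policies, plan))       # 200
    lowered = GlobalResource("firewall policies", 5000, configured_max=700, in_use=850)
    for problem in check_allocation(lowered, plan):
        print("-", problem)
```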


System Network
This section describes how to configure your FortiGate unit to operate in your network. Basic network settings include configuring FortiGate interfaces and DNS settings. More advanced configuration includes adding VLAN subinterfaces and zones to the FortiGate network configuration.

If you enable virtual domains (VDOMs) on the FortiGate unit, you configure most system network settings globally for the entire FortiGate unit. For example, all interface settings, including adding interfaces to VDOMs, are part of the global configuration. However, zones, the modem interface, and the Transparent mode routing table are configured separately for each virtual domain. For details, see “Using virtual domains” on page 103.

This section describes:
• Interfaces
• Configuring zones
• Configuring the modem interface
• Configuring Networking Options
• Web Proxy
• Routing table (Transparent Mode)
• VLAN overview
• VLANs in NAT/Route mode
• VLANs in Transparent mode
Note: Unless stated otherwise, the term interface can refer to either a physical FortiGate interface or to a virtual FortiGate VLAN subinterface.

Note: If you can enter both an IP address and a netmask in the same field, you can use the short form of the netmask. For example, 192.168.1.100/255.255.255.0 can also be entered as 192.168.1.100/24.

Interfaces
In NAT/Route mode, go to System > Network > Interface to configure FortiGate interfaces. You can:
• modify the configuration of a physical interface
• add and configure VLAN subinterfaces
• aggregate several physical interfaces into an IEEE 802.3ad interface (models 300A, 400A, 500A, and 800 or higher)
• combine physical interfaces into a redundant interface
• add wireless interfaces (FortiWiFi models) and service set identifiers (SSIDs) (see “Adding a wireless interface” on page 163)
• add and configure VDOM links (see “Inter-VDOM links” on page 113)
• view loopback interfaces
• configure the modem (see “Configuring the modem interface” on page 139)
• change which information about the interfaces is displayed

For information about VLANs, see “FortiGate units and VLANs” on page 151.
Figure 52: Interface list - regular admin view

Figure 53: Interface list - admin view with virtual domains enabled

Create New: Select Create New to create a VLAN subinterface. On models 800 and higher, you can also create an IEEE 802.3ad aggregated interface. When VDOMs are enabled, selecting the Create New arrow enables you to create new Inter-VDOM links. For more information see “Inter-VDOM links” on page 113.
Switch Mode: Select to change between switch mode and interface mode. Switch mode combines the internal interfaces into one switch with one address. Interface mode gives each internal interface its own address. Before switching modes, all configuration settings that point to ‘internal’ interfaces must be removed. This option is visible on models 100A and 200A for Rev2.0 and higher. Switch mode is also visible on the FortiGate-60B and FortiWiFi-60B. For more information see “Switch Mode” on page 122.
show backplane interfaces: Select to make the two backplane interfaces visible as port9 and port10. Once visible, these interfaces can be treated as regular physical interfaces. This option is available only on 5000 models.
Column Settings: Select to change which columns of information about the network interfaces are displayed. For more information, see “Column Settings” on page 122.
Description icon: The tooltip for this icon displays the Description field for this interface. For more information see “Interface settings” on page 123.


Name: The names of the physical interfaces on your FortiGate unit. This includes any alias names that have been configured. The name, including number, of a physical interface depends on the model. Some names indicate the default function of the interface such as Internal, External and DMZ. Other names are generic such as port1.
  FortiGate models numbered 50 and 60 provide a modem interface. Also, models with a USB port support a connected modem. See “Configuring the modem interface” on page 139.
  The oob/ha interface is the FortiGate-4000 out of band management interface. You can connect to this interface to manage the FortiGate unit. This interface is also available as an HA heartbeat interface.
  On FortiGate models 300A, 310B, 400A, 500A, 620B, and 800 or higher, if you combine several interfaces into an aggregate interface, only the aggregate interface is listed, not the component interfaces. The same is true for redundant interfaces. See “Creating an 802.3ad aggregate interface” on page 127 or “Creating a redundant interface” on page 128.
  If you have added VLAN subinterfaces, they also appear in the name list, below the physical or aggregated interface to which they have been added. See “VLAN overview” on page 150.
  If you have loopback virtual interfaces configured, you will be able to view them. You can only edit these interfaces in the CLI. For more information on these interfaces see “Configuring interfaces with CLI commands” on page 134 or the config system interface command in the FortiGate CLI Reference.
  If you have software switch interfaces configured, you will be able to view them. You can only edit these interfaces in the CLI. For more information on these interfaces see “Configuring interfaces with CLI commands” on page 134 or the config system switch-interface command in the FortiGate CLI Reference.
  If virtual domain configuration is enabled, you can view information only for the interfaces that are in your current virtual domain, unless you are using the super admin account. If VDOMs are enabled, you will be able to create, edit, and view inter-VDOM links. For more information see “Inter-VDOM links” on page 113.
  If you have interface mode enabled on a FortiGate model 100A or 200A Rev2.0 or higher or on the FortiGate-60B and FortiWiFi-60B models, you will see multiple internal interfaces. If switch mode is enabled, there will only be one internal interface. For more information see “Switch Mode” on page 122.
  If your FortiGate unit supports AMC modules and you have installed an AMC module containing interfaces (for example, the FortiGate-ASM-FB4 contains 4 interfaces), these interfaces are added to the interface status display. The interfaces are named AMC-SW1/1, AMC-DW1/2, and so on. SW1 or DW1 indicates a single-width or double-width card respectively in slot 1. The last number “/1” indicates the interface number on that card; for the ASM-FB4 card there would be “/1” through “/4”.
IP/Netmask: The current IP address/netmask of the interface. In VDOM mode, when VDOMs are not all in NAT or Transparent mode, some values may not be available for display and will be displayed as “-” instead. When IPv6 Support on GUI is enabled, IPv6 addresses may be displayed in this column.
Access: The administrative access configuration for the interface. See “Administrative access to an interface” on page 135.
Administrative Status: The administrative status for the interface. If the administrative status is a green arrow, the interface is up and can accept network traffic. If the administrative status is a red arrow, the interface is administratively down and cannot accept traffic. To change the administrative status, select Bring Down or Bring Up.
Link Status: The status of the physical connection. The status of a non-physical interface will always be down.
MAC: The MAC address of the interface.
Mode: Shows the addressing mode of this interface, such as manual, DHCP, or PPPoE.
MTU: The maximum number of bytes per transmission unit. Anything over 1500 is a jumbo frame. See “Interface MTU packet size” on page 135.


Secondary IP: Any secondary IPs for this interface.
Type: The type of the interface. Valid types include:
  • Physical - a physical network interface, including modem
  • VLAN - a virtual network interface
  • Aggregate - a group of interfaces
  • Redundant - a group of interfaces
  • VDOM Link - a pair of virtual interfaces that join two VDOMs
  • Pair - one of two interfaces that are joined together, such as 2 VDOM links
Virtual Domain: The virtual domain to which the interface belongs. This column is visible only to the super admin and only when virtual domain configuration is enabled.
VLAN ID: The identification number of the VLAN. Non-VLAN interface entries will be blank.
Delete, edit, and view icons: Delete, edit, or view an entry.

Column Settings
Go to System > Network > Column Settings to change which information about the interfaces is displayed. The VDOM field is only available for display when VDOMs are enabled.
Figure 54: Column Settings

Available fields: The list of fields (columns) not currently being displayed.
Show these fields in this order: The list of fields (columns) currently being displayed. They are displayed in order: top to bottom of the list will be displayed left to right on screen respectively.
Right arrow: Move selected fields to the Show these fields in this order list.
Left arrow: Move selected fields to the Available fields list.
Move up: Move the selected item up in the Show these fields in this order list. The corresponding column is moved to the left on the network interface display.
Move down: Move the selected item down in the Show these fields in this order list. The corresponding column is moved to the right on the network interface display.

Switch Mode
The internal interface is a switch with either four or six physical interface connections, depending on the FortiGate model. Normally the internal interface is configured as a single interface shared by all physical interface connections - a switch.


The switch mode feature has two states - switch mode and interface mode. Switch mode is the default mode with only one interface and one address for the entire internal switch. Interface mode allows you to configure each of the internal switch physical interface connections separately. This allows you to assign different subnets and netmasks to each of the internal physical interface connections. FortiGate models 100A and 200A Rev2.0 and higher have four internal interface connections. The FortiGate-60B and FortiWifi-60B have six internal interface connections. Consult your release notes for the most current list of supported models for this feature. Selecting Switch Mode on the System > Network > Interface screen displays the Switch Mode Management screen.
Caution: Before you are able to change between switch mode and interface mode, all references to ‘internal’ interfaces must be removed. This includes references such as firewall policies, routing, DNS forwarding, DHCP services, and VDOM interface assignments. If they are not removed, you will not be able to switch modes, and you will see an error message.

Figure 55: Switch Mode Management

Switch Mode Interface Mode

Select Switch Mode. Only one internal interface is displayed. This is the default mode. Select Interface Mode. All internal i nterfaces on the switch are displayed as individually configurable interfaces.

Switch Mode can also be configured using CLI commands. For more information see the FortiGate CLI Reference.

Interface settings
Go to System > Network > Interface and select Create New. Selecting the Create New arrow enables you to create Inter-VDOM links. For more information on Inter-VDOM links, see “Inter-VDOM links” on page 113. Some types of interfaces, such as loopback interfaces, can only be configured using CLI commands. For more information, see “Configuring interfaces with CLI commands” on page 134 or the FortiGate CLI Reference. To be able to configure a DHCP server on an interface, that interface must have a static IP address. You cannot create a virtual IPSec interface on this screen, but you can specify its endpoint addresses, enable administrative access and provide a description if you are editing an existing interface. For more information, see “Configuring a virtual IPSec interface” on page 133.


Figure 56: Create New Interface settings

Figure 57: Edit Interface settings


Figure 58: Edit Interface settings

Name
Enter a name for the interface. You cannot change the name of an existing interface.

Alias
Enter another name for the interface that will easily distinguish this interface from another. This is available only for physical interfaces, where you cannot configure the name. The alias can be a maximum of 15 characters. The alias name is not part of the interface name, but it will appear in brackets beside the interface name. It will not appear in logs.

Type
The type of the interface. When creating a new interface, this is VLAN by default. On models 300A, 400A, 500A, 800 and higher, you can create VLAN, 802.3ad Aggregate, and Redundant interfaces.
• On FortiGate 100A and 200A models of Rev2.0 and higher and on all 60B models, software switch is a valid type. You cannot edit this type in the GUI.
• FortiWiFi models support up to four SSIDs by adding up to three wireless interfaces (for a total of four wireless interfaces).
Other models support creation of VLAN interfaces only and have no Type field. You cannot change the type of an existing interface.

Interface
Select the name of the physical interface on which to create the VLAN. Once created, the VLAN subinterface is listed below its physical interface in the Interface list. You cannot change the interface of an existing VLAN subinterface. This field is only displayed when Type is set to VLAN.

VLAN ID
Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. You cannot change the VLAN ID of an existing VLAN subinterface. The VLAN ID can be any number between 1 and 4094 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch connected to the VLAN subinterface. For more information, see “VLAN overview” on page 150. This field is only displayed when Type is set to VLAN.

Virtual Domain
Select the virtual domain to which this VLAN subinterface belongs. Admin accounts with super-admin profile can change the VDOM for a VLAN when VDOM configuration is enabled. For more information, see “Using virtual domains” on page 103.


Physical Interface Members
This section has two different forms depending on the interface type:
• Software switch interface - this section is a display-only field showing the interfaces that belong to the software switch virtual interface.
• 802.3ad aggregate or Redundant interface - this section includes available interface and selected interface lists to enable adding or removing interfaces from the interface.

Available Interfaces
Select interfaces from this list to include in the grouped interface - either redundant or aggregate interface. Select the right arrow to add an interface to the grouped interface.

Selected interfaces
These interfaces are included in the aggregate or redundant interface. Select the left arrow to remove an interface from the grouped interface. For redundant interfaces, the interfaces will be activated during failover from the top of the list to the bottom.

Addressing mode
Select the type of addressing mode as Manual, DHCP, or PPPoE. To configure a static IP address for the interface, select Manual. By default, low-end models are configured to DHCP addressing mode with Override Internal DNS and Retrieve default Gateway from DHCP server both enabled. These settings allow for easy out-of-the-box configuration. You can also configure the interface for dynamic IP address assignment. For more information, see “Configuring DHCP on an interface” on page 130 or “Configuring an interface for PPPoE” on page 131.

IP/Netmask
Enter the IP address/subnet mask in the IP/Netmask field. The IP address must be on the same subnet as the network to which the interface connects. Two interfaces cannot have IP addresses on the same subnet. This field is only available when Manual addressing mode is selected.

DDNS
Select DDNS to configure a Dynamic DNS service for this interface. For more information, see “Configuring Dynamic DNS on an interface” on page 132.

Ping Server
To enable dead gateway detection, enter the IP address of the next hop router on the network connected to the interface and select Enable. For more information, see “Dead gateway detection” on page 146.

Explicit Web Proxy
Select to enable explicit web proxying on this interface. When enabled, this interface will be displayed on System > Network > Web Proxy under Listen on Interfaces and web traffic on this interface will be proxied according to the Web Proxy settings. For more information, see “Web Proxy” on page 147.

Administrative Access
Select the types of administrative access permitted on this interface.
HTTPS - Allow secure HTTPS connections to the web-based manager through this interface.
PING - Interface responds to pings. Use this setting to verify your installation and for testing.
HTTP - Allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
SSH - Allow SSH connections to the CLI through this interface.
SNMP - Allow a remote SNMP manager to request SNMP information by connecting to this interface. See “Configuring SNMP” on page 186.
TELNET - Allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.

MTU
To change the MTU, select Override default MTU value (1 500) and enter the MTU size based on the addressing mode of the interface:
• 68 to 1 500 bytes for static mode
• 576 to 1 500 bytes for DHCP mode
• 576 to 1 492 bytes for PPPoE mode
• up to 16 110 bytes for jumbo frames (on FortiGate models that support jumbo frames)
• NP2-accelerated interfaces support a jumbo frame limit of 16 000 bytes
• FA2-accelerated interfaces do not support jumbo frames
This field is available only on physical interfaces. VLANs inherit the parent interface MTU size by default. For more information on MTU and jumbo frames, see “Interface MTU packet size” on page 135.

Secondary IP Address
Add additional IP addresses to this interface. Select the blue arrow to expand or hide the section. See “Secondary IP Addresses” on page 136.

Description
Enter a description up to 63 characters.

Administrative Status
Select either Up (green arrow) or Down (red arrow) as the status of this interface. Up indicates the interface is active and can accept network traffic. Down indicates the interface is not active and cannot accept traffic.

Note: In Transparent mode, if you change the MTU of an interface, you must change the MTU of all interfaces to match the new MTU.

To configure a specific type of interface, refer to the appropriate section. To configure:
• an aggregate interface, see “Creating an 802.3ad aggregate interface” on page 127.
• a redundant interface, see “Creating a redundant interface” on page 128.
• a VLAN subinterface, see “FortiGate units and VLANs” on page 151.
• a wireless interface, see “Adding a wireless interface” on page 163.

Creating an 802.3ad aggregate interface
You can aggregate (combine) two or more physical interfaces to increase bandwidth and provide some link redundancy. An aggregate interface provides more bandwidth but also creates more points of failure than a redundant interface. The interfaces must connect to the same next-hop routing destination. Support of the IEEE standard 802.3ad for link aggregation is part of FortiGate firmware on models 300A, 310B, 400A, 500A, 620B, and models 800 and higher. An interface is available to be an aggregate interface if:
• it is a physical interface, not a VLAN interface
• it is not already part of an aggregate or redundant interface
• it is in the same VDOM as the aggregated interface
• it does not have an IP address and is not configured for DHCP or PPPoE
• it does not have a DHCP server or relay configured on it
• it does not have any VLAN subinterfaces
• it is not referenced in any firewall policy, VIP, IP Pool or multicast policy
• it is not an HA heartbeat interface
• it is not one of the FortiGate 5000 series backplane interfaces


Note: You can add an accelerated interface (FA2 interfaces) to an aggregate link, but you will lose the acceleration. For example, if you aggregate two accelerated interfaces you will get slower throughput than if the two interfaces were separate.

Note: FortiGate-5000 backplane interfaces have to be made visible before they can be added to an aggregate or a redundant interface.

When an interface is included in an aggregate interface, it is not listed on the System > Network > Interface screen. You cannot configure the interface individually and it is not available for inclusion in firewall policies, VIPs, IP pools, or routing.
Figure 59: Settings for an 802.3ad aggregate interface

To create an 802.3ad Aggregate interface
1 Go to System > Network > Interface.
2 Select Create New.
3 In the Name field, enter a name for the aggregated interface. The interface name must be different from any other interface, zone or VDOM.
4 From the Type list, select 802.3ad Aggregate.
5 In the Available Interfaces list, select each interface that you want to include in the aggregate interface and move it to the Selected Interfaces list.
6 If this interface operates in NAT/Route mode, you need to configure addressing for it. For information about dynamic addressing, see:
• “Configuring DHCP on an interface” on page 130
• “Configuring an interface for PPPoE” on page 131
7 Configure other interface options as required.
8 Select OK.

Creating a redundant interface
You can combine two or more physical interfaces to provide link redundancy. This feature allows you to connect to two or more switches to ensure connectivity in the event one physical interface or the equipment on that interface fails.


In a redundant interface, traffic is only going over one interface at any time. This differs from an aggregated interface where traffic is going over all interfaces for increased bandwidth. This difference means redundant interfaces can have more robust configurations with fewer possible points of failure. This is important in a fully-meshed HA configuration. FortiGate firmware on models 300A, 310B, 400A, 500A, 620B, and models 800 and higher implements redundant interfaces. An interface is available to be in a redundant interface if:
• it is a physical interface, not a VLAN interface
• it is not already part of an aggregated or redundant interface
• it is in the same VDOM as the redundant interface
• it has no defined IP address and is not configured for DHCP or PPPoE
• it has no DHCP server or relay configured on it
• it does not have any VLAN subinterfaces
• it is not referenced in any firewall policy, VIP, IP Pool or multicast policy
• it is not monitored by HA
• it is not one of the FortiGate 5000 series backplane interfaces
Note: FortiGate-5000 backplane interfaces have to be made visible before they can be added to an aggregate or a redundant interface.

When an interface is included in a redundant interface, it is not listed on the System > Network > Interface page. You cannot configure the interface individually and it is not available for inclusion in firewall policies, VIPs, IP pools, or routing.
Figure 60: Settings for a redundant interface

To create a redundant interface
1 Go to System > Network > Interface.
2 Select Create New.
3 In the Name field, enter a name for the redundant interface. The interface name must be different from any other interface, zone or VDOM.
4 From the Type list, select Redundant Interface.
5 In the Available Interfaces list, select each interface that you want to include in the redundant interface and move it to the Selected Interfaces list. In a failover situation, the interface activated will be the next interface down the Selected Interfaces list.
6 If this interface operates in NAT/Route mode, you need to configure addressing for it. For information about dynamic addressing, see:
• “Configuring DHCP on an interface” on page 130
• “Configuring an interface for PPPoE” on page 131
7 Configure other interface options as required.
8 Select OK.

Configuring DHCP on an interface
If you configure an interface to use DHCP, the FortiGate unit automatically broadcasts a DHCP request. The interface is configured with the IP address and any DNS server addresses and default gateway address that the DHCP server provides. By default, low-end models are configured to DHCP addressing mode with Override Internal DNS and Retrieve default Gateway from DHCP server both enabled. These settings allow for easy out-of-the-box configuration.

To configure DHCP on an interface
1 Go to System > Network > Interface.
2 Select Create New or select the Edit icon of an existing interface.
3 In the Addressing mode section, select DHCP.

Figure 61: Interface DHCP settings

Status
Displays DHCP status messages as the FortiGate unit connects to the DHCP server and gets addressing information. Select Status to refresh the addressing mode status message. Only displayed if you selected Edit. Status can be one of:
• initializing - No activity.
• connecting - The interface attempts to connect to the DHCP server.
• connected - The interface retrieves an IP address, netmask, and other settings from the DHCP server.
• failed - The interface was unable to retrieve an IP address and other settings from the DHCP server.

Obtained IP/Netmask
The IP address and netmask leased from the DHCP server. Only displayed if Status is connected.

Renew
Select to renew the DHCP lease for this interface. Only displayed if Status is connected.

Expiry Date
The time and date when the leased IP address and netmask is no longer valid. Only displayed if Status is connected.

Default Gateway
The IP address of the gateway defined by the DHCP server, if Retrieve default gateway from server is selected. Only displayed if Status is connected.

Distance
Enter the administrative distance for the default gateway retrieved from the DHCP server. The administrative distance, an integer from 1-255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route. The default distance for the default gateway is 1.

Retrieve default gateway from server
Enable to retrieve a default gateway IP address from the DHCP server. The default gateway is added to the static routing table. On low end models, this is enabled by default.

Override internal DNS
Enable to use the DNS addresses retrieved from the DHCP server instead of the DNS server IP addresses on the DNS page. Enabled by default on low-end models. When VDOMs are enabled, you can override the internal DNS only on the management VDOM.

Connect to Server
Enable so that the interface automatically attempts to connect to a DHCP server. Disable this option if you are configuring the interface offline.

Configuring an interface for PPPoE
If you configure the interface to use PPPoE, the FortiGate unit automatically broadcasts a PPPoE request. When configuring the FortiGate unit offline and you do not want the FortiGate unit to send the PPPoE request, do not enable Connect to Server. FortiGate units support many PPPoE RFC features (RFC 2516) including unnumbered IPs, initial discovery timeout and PPPoE Active Discovery Terminate (PADT).

To configure an interface for PPPoE
1 Go to System > Network > Interface.
2 Select Create New or select the Edit icon of an existing interface.
3 In the Addressing mode section, select PPPoE.

Figure 62: Interface PPPoE settings

Status
Displays PPPoE status messages as the FortiGate unit connects to the PPPoE server and gets addressing information. Select Status to refresh the addressing mode status message. Only displayed if you selected Edit. Status can be one of the following 4 messages:
• initializing - No activity.
• connecting - The interface is attempting to connect to the PPPoE server.
• connected - The interface retrieves an IP address, netmask, and other settings from the PPPoE server. When the status is connected, PPPoE connection information is displayed.
• failed - The interface was unable to retrieve an IP address and other information from the PPPoE server.

Reconnect
Select to reconnect to the PPPoE server. Only displayed if Status is connected.

User Name
The PPPoE account user name.

Password
The PPPoE account password.

Unnumbered IP
Specify the IP address for the interface. If your ISP has assigned you a block of IP addresses, use one of them. Otherwise, this IP address can be the same as the IP address of another interface or can be any IP address.

Initial Disc Timeout
Enter the Initial discovery timeout, the time to wait before starting to retry a PPPoE discovery.

Initial PADT timeout
Enter the Initial PPPoE Active Discovery Terminate (PADT) timeout in seconds. Use this timeout to shut down the PPPoE session if it is idle for this number of seconds. PADT must be supported by your ISP. Set initial PADT timeout to 0 to disable.

Distance
Enter the administrative distance for the default gateway retrieved from the PPPoE server. The administrative distance, an integer from 1-255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route. The default distance for the default gateway is 1.

Retrieve default gateway from server
Enable to retrieve a default gateway IP address from a PPPoE server. The default gateway is added to the static routing table.

Override internal DNS
Enable to replace the DNS server IP addresses on the System DNS page with the DNS addresses retrieved from the PPPoE server. When VDOMs are enabled, you can override the internal DNS only on the management VDOM.

Connect to server
Enable Connect to Server so that the interface automatically attempts to connect to a PPPoE server when you select OK or Apply. Disable this option if you are configuring the interface offline.

Configuring Dynamic DNS on an interface
When the FortiGate unit has a static domain name and a dynamic public IP address, you can use a DDNS service to update Internet DNS servers when the IP address for the domain changes. Dynamic DNS is available only in NAT/Route mode. If at any time your FortiGate unit cannot contact the DDNS server, it will retry three times at one minute intervals and then change to retrying at three minute intervals. This is to prevent flooding the DDNS server.

To configure DDNS on an interface
1 Get the DDNS configuration information from your DDNS service.
2 Go to System > Network > Interface.
3 Select Create New.
4 Enable DDNS.
5 Enter DDNS configuration information.

Figure 63: DDNS service configuration

Server
Select a DDNS server to use. The client software for these services is built into the FortiGate firmware. The FortiGate unit can connect only to one of these services.

Domain
Enter the fully qualified domain name of the DDNS service.

Username
Enter the user name to use when connecting to the DDNS server.

Password
Enter the password to use when connecting to the DDNS server.

Configuring a virtual IPSec interface
You create a virtual IPSec interface by selecting IPSec Interface Mode by going to VPN > IPSec > Auto Key or VPN > IPSec > Manual Key when you create a VPN. You also select a physical or VLAN interface from the Local Interface list. The virtual IPSec interface is listed as a subinterface of that interface by going to System > Network > Interface. For more information, see:
• “Overview of IPSec VPN configuration” on page 531
• “Auto Key” on page 533 or “Manual Key” on page 541

Go to System > Network > Interface and select Edit on an IPSec interface to:
• configure IP addresses for the local and remote endpoints of the IPSec interface so that you can run dynamic routing over the interface or use ping to test the tunnel
• enable administrative access through the IPSec interface
• enter a description for the interface

Figure 64: Virtual IPSec interface settings

Name
The name of the IPSec interface.

Virtual Domain
Select the VDOM of the IPSec interface.

IP, Remote IP
If you want to use dynamic routing with the tunnel or be able to ping the tunnel interface, enter IP addresses for the local and remote ends of the tunnel. These two addresses must not be used anywhere else in the network.

Administrative Access
Select the types of administrative access permitted on this interface.
HTTPS - Allow secure HTTPS connections to the web-based manager through this interface.
PING - Allow the interface to respond to pings. Use this setting to verify your installation and for testing.
HTTP - Allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
SSH - Allow SSH connections to the CLI through this interface.
SNMP - Allow a remote SNMP manager to request SNMP information by connecting to this interface. See “Configuring SNMP” on page 186.
TELNET - Allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.

Description
Enter a description of the interface. It can be up to 63 characters.

Configuring interfaces with CLI commands
While nearly all types of interfaces can be configured from the GUI interface, a few, such as loopback and soft switch interface, can only be configured using CLI commands. Virtual interfaces are not connected to any physical devices or cables outside the FortiGate unit. They allow additional connections inside the FortiGate unit, which allow for more complex configurations. Virtual interfaces also have the added benefit of speed. Depending on the CPU load, virtual interfaces are consistently faster than physical interfaces.

Loopback interface
A loopback interface is an ‘always up’ virtual interface that is not connected to any other interfaces. Loopback interfaces connect to a FortiGate unit’s interface IP address without depending on a specific external port. A loopback interface is not connected to hardware, so it is not affected by hardware problems. As long as the FortiGate unit is functioning, the loopback interface is active. This ‘always up’ feature is useful in dynamic routing where the FortiGate unit relies on remote routers and the local firewall policies to access the loopback interface. The CLI command to configure a loopback interface called loop1 with an IP address of 10.0.0.10 is:

config system interface
    edit loop1
        set type loopback
        set ip 10.0.0.10 255.255.255.0
    end
For more information, see config system interface in the FortiGate CLI Reference.

Software switch interface
A software switch interface forms a simple bridge between two or more physical or wireless FortiGate interfaces. The interfaces added to a soft switch interface are called members. The members of a switch interface cannot be accessed as an individual interface after being added to a soft switch interface. They are removed from the system interface table.

Similar to aggregate interfaces, a soft switch interface functions like a normal interface. A soft switch interface has one IP address. You create firewall policies to and from soft switch interfaces, and soft switch interfaces can be added to zones. There are some limitations: soft switch interfaces cannot be monitored by HA or used as HA heartbeat interfaces. To add interfaces to a software switch group, no configuration settings can refer to those interfaces. This includes default routes, VLANs, inter-VDOM links, and policies. You can view available interfaces on the CLI when entering the ‘set member’ command by using ‘?’ or <TAB> to scroll through the available list. The CLI command to configure a software switch interface called soft_switch with port1, external and dmz interfaces is:

config system switch-interface
    edit soft_switch
        set members port1 external dmz
    end

For more information, see config system switch-interface in the FortiGate CLI Reference.

Administrative access to an interface
Administrative access is how an administrator can connect to the FortiGate unit to view and change configuration settings. Two methods of administrative access are HTTPS and SSH. You can allow remote administration of the FortiGate unit running in NAT/Route mode, but allowing remote administration from the Internet could compromise the security of the FortiGate unit. You should avoid this unless it is required for your configuration. To improve the security of a FortiGate unit that allows remote administration from the Internet:
• Use secure administrative user passwords.
• Change these passwords regularly.
• Enable secure administrative access to this interface using only HTTPS or SSH.
• Do not change the system idle timeout from the default value of 5 minutes (see “Settings” on page 228).

For more information on configuring administrative access in Transparent mode, see “Operation mode and VDOM management access” on page 206.

To control administrative access to an interface
1 Go to System > Network > Interface.
2 Choose an interface and select Edit.
3 Select the Administrative Access methods for the interface.
4 Select OK.
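As an added example, and not code from this guide or from Fortinet, the following Python audits a FortiOS-style configuration dump for two checks this chapter otherwise leaves to the administrator: which interfaces still allow the cleartext HTTP and Telnet administrative access that the list above says to avoid, and whether each interface meets the criteria listed under “Creating an 802.3ad aggregate interface” and “Creating a redundant interface” for joining a grouped interface. The configuration text is constructed for the example; the parser assumes the FortiOS CLI layout of config / edit / set / next / end and the attribute names type, ip, mode, allowaccess, interface, srcintf and dstintf, and it checks only the criteria that can be read from the interface and policy tables.

```python
import shlex

# Constructed sample configuration for this example, in the FortiOS CLI layout
# (config / edit / set / next / end); it is not a dump from a real unit.
SAMPLE_CONFIG = """
config system interface
    edit "port1"
        set type physical
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh http telnet
    next
    edit "port2"
        set type physical
    next
    edit "port3"
        set type physical
        set mode dhcp
        set allowaccess ping telnet
    next
    edit "port4"
        set type physical
    next
    edit "vlan10"
        set type vlan
        set interface "port2"
        set vlanid 10
        set ip 10.0.10.1 255.255.255.0
        set allowaccess https
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "vlan10"
    next
end
"""

INSECURE_ACCESS = {"http", "telnet"}  # the cleartext methods the guide warns about


def parse_fortios(text):
    """Parse CLI-style config text into {section: {entry: {key: [values]}}};
    sections without 'edit' entries keep their settings under the entry ""."""
    sections, stack = {}, []  # stack: [section, current_entry] per open block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)  # shlex strips the quotes around names
        if cmd == "config":
            name = " ".join(args)
            if stack and stack[-1][1] is not None:  # nested block inside an entry
                name = f"{stack[-1][0]}/{stack[-1][1]}/{name}"
            stack.append([name, None])
            sections.setdefault(name, {})
        elif cmd == "edit" and stack:
            stack[-1][1] = args[0]
            sections[stack[-1][0]].setdefault(args[0], {})
        elif cmd == "set" and stack:
            section, entry = stack[-1]
            sections[section].setdefault(entry or "", {})[args[0]] = args[1:]
        elif cmd == "next" and stack:
            stack[-1][1] = None
        elif cmd == "end" and stack:
            stack.pop()
    return sections


def audit_admin_access(cfg):
    """Map each interface that allows HTTP or Telnet administration to those methods."""
    findings = {}
    for name, attrs in cfg.get("system interface", {}).items():
        insecure = INSECURE_ACCESS & set(attrs.get("allowaccess", []))
        if insecure:
            findings[name] = sorted(insecure)
    return findings


def aggregate_eligibility(cfg):
    """Map each interface to the reasons it cannot join an aggregate or redundant
    interface; an empty list means none of the checked criteria disqualify it.
    VDOM, existing membership, DHCP server, VIP, IP pool, multicast, HA and
    backplane criteria are not checked here."""
    ifaces = cfg.get("system interface", {})
    in_policy = {i for p in cfg.get("firewall policy", {}).values()
                 for key in ("srcintf", "dstintf") for i in p.get(key, [])}
    vlan_parents = {a["interface"][0] for a in ifaces.values()
                    if a.get("type") == ["vlan"] and "interface" in a}
    result = {}
    for name, a in ifaces.items():
        mode = a.get("mode", ["static"])[0]
        checks = [
            (a.get("type", ["physical"])[0] != "physical", "not a physical interface"),
            ("ip" in a, "has an IP address"),
            (mode in ("dhcp", "pppoe"), f"uses {mode} addressing"),
            (name in vlan_parents, "has VLAN subinterfaces"),
            (name in in_policy, "referenced by a firewall policy"),
        ]
        result[name] = [reason for failed, reason in checks if failed]
    return result
```

On a real unit, feed the text of show system interface and show firewall policy to parse_fortios. An interface whose reason list comes back empty is a candidate for a grouped interface; anything reported by audit_admin_access should have HTTP and Telnet cleared from its Administrative Access before the interface faces the Internet.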

Interface MTU packet size
To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits. Ideally, the MTU should be the same as the smallest MTU of all the networks between the FortiGate unit and the destination of the packets. If the packets that the FortiGate unit sends are larger than the smallest MTU, they are broken up or fragmented, which slows down transmission. Experiment by lowering the MTU to find an MTU size for optimum network performance.

FortiGate models numbered 3 000 and higher support jumbo frames - frames larger than the traditional 1 500 bytes. Some models support a jumbo frame limit of 9 000 bytes while others support 16 110 bytes. NP2-accelerated interfaces support a jumbo frame limit of 16 000 bytes. FA2-accelerated interfaces do not support jumbo frames. Jumbo frames are much larger than the maximum standard Ethernet frame (packet) size of 1 500 bytes. As new Ethernet standards have been implemented (such as Gigabit Ethernet), 1 500 byte frames remain in the standard for backward compatibility. To be able to send jumbo frames over a route, all Ethernet devices on that route must support jumbo frames, otherwise your jumbo frames are not recognized and are dropped. If you have standard Ethernet and jumbo frame traffic on the same interface, routing alone cannot route them to different routes based only on frame size. However, you can use VLANs to make sure the jumbo frame traffic is routed over network devices that support jumbo frames. VLANs will inherit the MTU size from the parent interface. You will need to configure the VLAN to include both ends of the route as well as all switches and routers along the route. For more information on VLAN configurations, see the VLAN and VDOM guide.

To change the MTU size of the packets leaving an interface
1 Go to System > Network > Interface.
2 Choose a physical interface and select Edit.
3 Below Administrative Access, select Override default MTU value (1 500).
4 Set the MTU size. If you select an MTU size larger than your FortiGate unit supports, an error message will indicate this. In this situation, try a smaller MTU size until the value is supported. Supported maximums are 16 110, 9 000, and 1 500.
Note: If you change the MTU, you need to reboot the FortiGate unit to update the MTU value of VLAN subinterfaces on the modified interface.

Note: In Transparent mode, if you change the MTU of an interface, you must change the MTU of all interfaces to match the new MTU.


Secondary IP Addresses
An interface can be assigned more than one IP address. You can create and apply separate firewall policies for each IP address on an interface. You can also forward traffic and use RIP or OSPF routing with secondary IP addresses. There can be up to 32 secondary IP addresses per interface including primary, secondary, and any other IP addresses assigned to the interface. Primary and secondary IP addresses can share the same ping generator. The following restrictions must be in place before you are able to assign a secondary IP address:
• A primary IP address must be assigned to the interface.
• The interface must use manual addressing mode.
• By default, IP addresses cannot be part of the same subnet. To allow interface subnet overlap use the CLI command:

config system global
    set allow-interface-subnet-overlap enable
end

You can use the CLI command config system interface to add a secondary IP address to an interface. For more information, see config secondaryip under system interface in the FortiGate CLI Reference.
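As an added example that is not code from this guide or from Fortinet, the following Python applies the restrictions above to a list of candidate secondary addresses before they are entered: the 32-address ceiling and the rule that secondary addresses cannot share a subnet with the primary or with each other unless allow-interface-subnet-overlap is enabled. Treating "same subnet" as any overlapping prefix is this example's interpretation of the restriction. render_cli then writes the nested config secondaryip block the text refers to; the exact key names it emits (secondary-IP, secondaryip, ip) are assumed to match the FortiGate CLI Reference and should be checked there. All addresses are constructed for the example.

```python
import ipaddress

MAX_ADDRESSES_PER_INTERFACE = 32  # primary plus secondaries, per the guide


def plan_secondary_ips(primary, candidates, allow_subnet_overlap=False):
    """Apply the guide's secondary-IP restrictions to candidate addresses.
    Returns (accepted, rejected); rejected maps each refused candidate to the
    reason. A candidate is refused when the interface already holds 32
    addresses or, unless allow_subnet_overlap is set, when its prefix overlaps
    the primary or an already accepted secondary."""
    networks = [ipaddress.ip_interface(primary).network]
    accepted, rejected = [], {}
    for cand in candidates:
        iface = ipaddress.ip_interface(cand)
        clash = next((n for n in networks if iface.network.overlaps(n)), None)
        if len(networks) >= MAX_ADDRESSES_PER_INTERFACE:
            rejected[cand] = "interface already has 32 addresses"
        elif clash is not None and not allow_subnet_overlap:
            rejected[cand] = (f"overlaps {clash}; enable "
                              "allow-interface-subnet-overlap to permit this")
        else:
            accepted.append(cand)
            networks.append(iface.network)
    return accepted, rejected


def render_cli(interface, accepted):
    """Emit a nested 'config secondaryip' block for the accepted addresses.
    Key names are this example's assumption about the FortiOS CLI syntax."""
    lines = ["config system interface",
             f"    edit {interface}",
             "        set secondary-IP enable",
             "        config secondaryip"]
    for n, addr in enumerate(accepted, 1):
        ip = ipaddress.ip_interface(addr)
        lines += [f"            edit {n}",
                  f"                set ip {ip.ip} {ip.network.netmask}",
                  "            next"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)
```

The overlap test catches more than identical prefixes: with a primary of 192.0.2.1/24, a candidate 198.51.100.1/24 is accepted but a later 198.51.100.129/25 is refused because it sits inside the secondary just added, which is the kind of entry the note below says to look for when an address silently fails to appear in the secondary IP table.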
Figure 65: Adding Secondary IP Addresses

IP/Netmask: Enter the IP address/subnet mask in the IP/Netmask field. The Secondary IP address must be on a different subnet than the Primary IP address. This field is only available in Manual addressing mode.
Ping Server: To enable dead gateway detection, enter the IP address of the next hop router on the network connected to the interface and select Enable. See “Dead gateway detection” on page 146. Multiple addresses can share the same ping server.
Administrative Access: Select the types of administrative access permitted on the secondary IP. These can be different from the primary address.
HTTPS: Allow secure HTTPS connections to the web-based manager through this secondary IP.
PING: Allow the secondary IP to respond to pings. Use this setting to verify your installation and for testing.
HTTP: Allow HTTP connections to the web-based manager through this secondary IP. HTTP connections are not secure and can be intercepted by a third party.
SSH: Allow SSH connections to the CLI through this secondary IP.
SNMP: Allow a remote SNMP manager to request SNMP information by connecting to this secondary IP. See “Configuring SNMP” on page 186.
TELNET: Allow Telnet connections to the CLI through this secondary IP. Telnet connections are not secure and can be intercepted by a third party.
Add: Select Add to add the configured secondary IP address to the secondary IP table. Addresses in this table are not added to the interface until you select OK or Apply.
Secondary IP table: A table that displays all the secondary IP addresses that have been added to this interface. These addresses are not permanently added to the interface until you select OK or Apply.
#: The identifying number of the secondary IP address.
IP/Netmask: The IP address and netmask for the secondary IP.
Ping Server: The IP address of the ping server for the address. The ping server can be shared by multiple addresses.
Enable: Indicates if the ping server option is selected.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

137


Access: The administrative access methods for this address. They can be different from the primary IP address.
Delete Icon: Select to remove this secondary IP entry.

Note: It is recommended that after adding a secondary IP, you refresh the secondary IP table and verify that your new address is listed. If it is not, one of the restrictions prevented the address from being added: the interface must have a primary IP address and use manual addressing mode, no two addresses on the interface may be on the same subnet, no more than 32 IP addresses may be assigned to the interface, and so on.
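The secondary IP rules above and the warnings about HTTP and Telnet administrative access can be checked offline against a saved configuration. The following audit script is an added example, not part of the FortiGate guide: it parses the nested config/edit/next/end structure of a FortiOS "config system interface" dump (allowaccess is the FortiOS keyword for the administrative access list; the sample dump itself is constructed) and reports cleartext management protocols, secondary IPs on the primary address's subnet, and interfaces over the 32-address limit.

```python
"""Audit a FortiOS 'config system interface' dump for the secondary-IP rules
and the cleartext management protocols described in the secondary IP table.

Added example, not code from the FortiGate guide.  'allowaccess' and
'secondaryip' are FortiOS CLI keywords; SAMPLE_CONFIG is constructed.
"""
import ipaddress
from typing import Dict, List

INSECURE = {"http", "telnet"}   # protocols the guide says can be intercepted
MAX_SECONDARY_IPS = 32          # limit given in the guide's note

# Constructed sample: port1 allows HTTP on its primary address and has a
# second secondary IP that is both Telnet-enabled and on the primary subnet.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 10.10.0.1 255.255.255.0
                set allowaccess ping https
            next
            edit 2
                set ip 192.168.1.200 255.255.255.0
                set allowaccess ping telnet
            next
        end
    next
    edit "port2"
        set ip 172.16.5.1 255.255.255.0
        set allowaccess ping ssh https
    next
end
"""


def parse_interfaces(text: str) -> Dict[str, dict]:
    """Walk the config/edit/next/end nesting and keep, per interface and per
    secondary IP, only the 'ip' and 'allowaccess' values this audit needs."""
    interfaces: Dict[str, dict] = {}
    stack: List[str] = []   # names of the currently open 'config' blocks
    current = None          # interface record being filled
    secondary = None        # secondary-IP record being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        word, _, rest = line.partition(" ")
        if word == "config":
            stack.append(rest)
        elif word == "end":
            stack.pop()
        elif word == "edit":
            name = rest.strip('"')
            if stack[-1] == "system interface":
                current = interfaces.setdefault(
                    name, {"ip": None, "allowaccess": set(), "secondary": []})
            elif stack[-1] == "secondaryip":
                secondary = {"id": name, "ip": None, "allowaccess": set()}
                current["secondary"].append(secondary)
        elif word == "next":
            if stack[-1] == "secondaryip":
                secondary = None
            else:
                current = None
        elif word == "set":
            target = secondary if stack[-1] == "secondaryip" else current
            key, _, value = rest.partition(" ")
            if key == "ip":
                addr, mask = value.split()
                target["ip"] = ipaddress.ip_interface(f"{addr}/{mask}")
            elif key == "allowaccess":
                target["allowaccess"] = set(value.split())
    return interfaces


def audit(interfaces: Dict[str, dict]) -> List[str]:
    """Return one finding string per violated rule, in configuration order."""
    findings: List[str] = []
    for name, iface in interfaces.items():
        bad = iface["allowaccess"] & INSECURE
        if bad:
            findings.append(f"{name}: cleartext admin access {sorted(bad)}")
        if len(iface["secondary"]) > MAX_SECONDARY_IPS:
            findings.append(f"{name}: more than {MAX_SECONDARY_IPS} secondary IPs")
        primary = iface["ip"]
        for sec in iface["secondary"]:
            bad = sec["allowaccess"] & INSECURE
            if bad:
                findings.append(
                    f"{name} secondary {sec['id']}: cleartext admin access {sorted(bad)}")
            if primary is not None and sec["ip"] is not None \
                    and sec["ip"].network == primary.network:
                findings.append(
                    f"{name} secondary {sec['id']}: same subnet as primary {primary.network}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_interfaces(SAMPLE_CONFIG)):
        print(finding)
```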


Configuring zones
Grouping interfaces and VLAN subinterfaces into zones simplifies policy creation. You can configure policies for connections to and from a zone, but not between interfaces in a zone. You can add zones, rename and edit zones, and delete zones from the zone list. When you add a zone, you select the names of the interfaces and VLAN subinterfaces to add to the zone. Zones are configured from virtual domains. If you have added multiple virtual domains to your FortiGate configuration, make sure you are configuring the correct virtual domain before adding or editing zones.
Figure 66: Zone list

Create New: Select to create a new zone.
Name: Names of the zones.
Block intra-zone traffic: Displays Yes if traffic between interfaces in the same zone is blocked and No if traffic between interfaces in the same zone is not blocked.
Interface Members: Names of the interfaces added to the zone. Interface names depend on the FortiGate model.
Edit/View icons: Edit or view a zone.
Delete icon: Delete a zone.

To configure zone settings
1 Go to System > Network > Zone.
2 Select Create New or select the Edit icon for a zone.
3 Select a name and interfaces.
4 Select OK.


Figure 67: Zone settings

Zone Name: Enter the name to identify the zone.
Block intra-zone traffic: Select to block traffic between interfaces or VLAN subinterfaces in the same zone.
Interface members: Select the interfaces that are part of this zone. This list includes configured VLANs.

Configuring the modem interface
All FortiGate models with a USB interface support USB modems, and FortiGate-50 series and FortiGate-60 series modules include a serial modem port. In NAT/Route mode the modem can be in one of two modes:
• In redundant (backup) mode, the modem interface automatically takes over from a selected ethernet interface when that ethernet interface is unavailable.
• In standalone mode, the modem interface is the connection from the FortiGate unit to the Internet.

In redundant or standalone mode when connecting to the ISP, you can configure the FortiGate unit to automatically have the modem dial up to three dialup accounts until the modem connects to an ISP. Other models can connect to an external modem through a USB-to-serial converter. For these models, you must configure modem operation using the CLI. Initially modem interfaces are disabled, and must be enabled in the CLI to be visible in the web-based manager. See the system modem command in the FortiGate CLI Reference.
Note: The modem interface is not the AUX port. While the modem and AUX port may appear similar, the AUX port has no associated interface and is used for remote console connection. The AUX port is only available on FortiGate models 1000A, 1000AFA2, and 3000A. For more information, see the config system aux command in the FortiGate CLI Reference.

This section describes:
• Configuring modem settings
• Redundant mode configuration
• Standalone mode configuration
• Adding firewall policies for modem connections
• Connecting and disconnecting the modem
• Checking modem status


Configuring modem settings
Configure modem settings so that the FortiGate unit uses the modem to connect to your ISP dialup accounts. You can configure up to three dialup accounts, select standalone or redundant operation, and configure how the modem dials and disconnects. For FortiGate-60B and FortiWifi-60B models with modems, the modem can be a management interface. When enabled, a user can dial into the unit’s modem and perform administration actions as if logged in over one of the standard interfaces. This feature is enabled in the CLI using config system dialinsvr.

If VDOMs are enabled, the modem can be assigned to one of the VDOMs just like the other interfaces. If the modem is disabled it will not appear in the interface list, and must be enabled from the CLI using:

config system modem
    set status enable
end

Note: You cannot configure and use the modem in Transparent mode.

Figure 68 shows only the settings specific to standalone mode. The remaining settings are common to both standalone and redundant modes and are shown in Figure 69.
Figure 68: Modem settings (Standalone)


Figure 69: Modem settings (Redundant)

Enable Modem: Select to enable the FortiGate modem.
Modem status: Modem status can be: not active, connecting, connected, disconnecting, or hung up.
Dial Now/Hang Up: (Standalone mode only) Select Dial Now to manually connect to a dialup account. If the modem is connected, you can select Hang Up to manually disconnect the modem.
Mode: Select Standalone or Redundant mode.
Auto-dial (Standalone mode): Select to dial the modem automatically if the connection is lost or the FortiGate unit is restarted. You cannot select Auto-dial if Dial on demand is selected.
Dial on demand (Standalone mode): Select to dial the modem when packets are routed to the modem interface. The modem disconnects after the idle timeout period if there is no network activity. You cannot select Dial on demand if Auto-dial is selected.
Idle timeout (Standalone mode): Enter the timeout duration in minutes. After this period of inactivity, the modem disconnects.
Redundant for (Redundant mode): Select the ethernet interface for which the modem provides backup service.
Holddown Timer (Redundant mode): (Redundant mode only) Enter the time (1-60 seconds) that the FortiGate unit waits before switching back to the primary interface from the modem interface, after the primary interface has been restored. The default is 1 second. Configure a higher value if you find the FortiGate unit switching repeatedly between the primary interface and the modem interface.
Redial Limit: The maximum number of times (1-10) that the FortiGate unit modem attempts to reconnect to the ISP if the connection fails. The default redial limit is 1. Select None to have no limit on redial attempts.


Wireless Modem: Display a connected wireless modem if available.
Usage History: Display connections made on the modem interface. Information displayed about connections includes:
• date and time
• duration of the connection in hours, minutes, and seconds
• IP address connected to
• traffic statistics including received, sent, and total
• current status of the connection
Supported Modems: Select to view a list of supported modems.
Dialup Account: Configure up to three dialup accounts. The FortiGate unit tries connecting to each account in order until a connection can be established. The active dialup account is indicated with a green check mark.
Phone Number: The phone number required to connect to the dialup account. Do not add spaces to the phone number. Make sure to include standard special characters for pauses, country codes, and other functions as required by your modem to connect to your dialup account.
User Name: The user name (maximum 63 characters) sent to the ISP.
Password: The password sent to the ISP.

To configure the modem in Redundant mode, see “Redundant mode configuration” on page 142. To configure the modem in Standalone mode, see “Standalone mode configuration” on page 143.

Redundant mode configuration
In redundant mode the modem interface backs up a selected ethernet interface. If that ethernet interface disconnects from its network, the modem automatically dials the configured dialup accounts. When the modem connects to a dialup account, the FortiGate unit routes IP packets normally destined for the selected ethernet interface to the modem interface. The FortiGate unit disconnects the modem interface and switches back to the ethernet interface when the ethernet interface is able to connect to its network. You can set a holddown timer that delays the switch back to the ethernet interface to ensure it is stable and fully active before switching the traffic. The modem will disconnect after a period of network inactivity set by the value in idle timeout. This saves money on dialup connection charges. For the FortiGate unit to be able to switch from an ethernet interface to the modem, you must select the name of the interface in the modem configuration and configure a ping server for that interface. You must also configure firewall policies for connections between the modem interface and other FortiGate interfaces.
Note: Do not add policies for connections between the modem interface and the ethernet interface that the modem is backing up.

To configure redundant mode
1 Go to System > Network > Modem.
2 Select Redundant mode.
3 Enter the following information:


Redundant for: From the list, select the interface to back up.
Holddown timer: Enter the number of seconds to continue using the modem after the network connectivity is restored.
Redial Limit: Enter the maximum number of times to retry if the ISP does not answer.
Dialup Account 1, Dialup Account 2, Dialup Account 3: Enter the ISP phone number, user name and password for up to three dialup accounts.

4 Select Apply.
5 Configure a ping server for the ethernet interface the modem backs up. See “To add a ping server to an interface” on page 146.
6 Configure firewall policies for network connectivity through the modem interface. See “Adding firewall policies for modem connections” on page 144.

Standalone mode configuration
In standalone mode, the modem connects to a dialup account to provide a connection to the Internet. You can configure the modem to dial when the FortiGate unit restarts or when there are unrouted packets. You can also hang up or redial the modem manually. If the connection to the dialup account fails, the FortiGate unit will redial the modem. The modem redials the number of times specified by the redial limit, or until it connects to a dialup account. The modem will disconnect after a period of network inactivity set by the value in idle timeout. This saves money on dialup connection charges.

You must configure firewall policies for connections between the modem interface and other FortiGate interfaces. You must also go to Router > Static to configure static routes to route traffic to the modem interface. For example, if the modem interface is acting as the FortiGate unit external interface you must set the device setting of the FortiGate unit default route to modem.

To configure standalone mode
1 Go to System > Network > Modem.
2 Select Standalone mode.
3 Enter the following information:

Auto-dial: Select if you want the modem to dial when the FortiGate unit restarts.
Dial on demand: Select if you want the modem to connect to its ISP whenever there are unrouted packets.
Idle timeout: Enter the timeout duration in minutes. After this period of inactivity, the modem disconnects.
Redial Limit: Enter the maximum number of times to retry if the ISP does not answer.
Dialup Account 1, Dialup Account 2, Dialup Account 3: Enter the ISP phone number, user name and password for up to three dialup accounts.

4 Select Apply.
5 Configure firewall policies for network connectivity through the modem interface. See “Adding firewall policies for modem connections” on page 144.


6 Go to Router > Static and set device to modem to configure static routes to route traffic to the modem interface. See “Adding a static route to the routing table” on page 284.

Adding firewall policies for modem connections
The modem interface requires firewall addresses and policies. You can add one or more addresses to the modem interface. For information about adding addresses, see “Configuring addresses” on page 347. You can configure firewall policies to control the flow of packets between the modem interface and the other interfaces on the FortiGate unit. For information on configuring firewall policies, see “Configuring firewall policies” on page 323.

Connecting and disconnecting the modem
Note: The modem must be in Standalone mode before connecting or disconnecting from a dialup account.

To connect to a dialup account
1 Go to System > Network > Modem.
2 Select Enable USB Modem.
3 Verify the information in Dialup Accounts.
4 Select Apply.
5 Select Dial Now.
The FortiGate unit dials into each dialup account in turn until the modem connects to an ISP.

To disconnect from a dialup account
1 Go to System > Network > Modem.
2 Select Hang Up to disconnect the modem.

Checking modem status
You can determine the connection status of your modem and which dialup account is active. If the modem is connected to the ISP, you can see the IP address and netmask. To check the modem status, go to System > Network > Modem. Modem status is one of the following:
not active: The modem is not connected to the ISP.
connecting: The modem is attempting to connect to the ISP.
connected: The modem is connected to the ISP.
disconnecting: The modem is disconnecting from the ISP.
hung up: The modem has disconnected from the ISP. (Standalone mode only) The modem will not redial unless you select Dial Now.

A green check mark indicates the active dialup account. The IP address and netmask assigned to the modem interface appears on the System Network Interface screen of the web-based manager.


Configuring Networking Options
Network options include DNS server and dead gateway detection settings.

To configure network options
1 Go to System > Network > Options.
2 Enter primary and secondary DNS servers.
3 Enter the local domain name.
4 Enter Dead Gateway Detection settings.
5 Select OK.
Figure 70: Configuring Networking Options - FortiGate models 200 and higher

Figure 71: Configuring Networking Options - FortiGate models 100 and lower


Obtain DNS server address automatically: This option applies only to FortiGate models 100 and lower. Select to obtain the DNS server IP address automatically when DHCP is used on an interface. Available only in NAT/Route mode. You should also enable Override internal DNS in the DHCP settings of the interface. See “Configuring DHCP on an interface” on page 130.
Use the following DNS server addresses: This option applies only to FortiGate models 100 and lower. Use the specified Primary DNS Server and Secondary DNS Server addresses.
Primary DNS Server: Enter the primary DNS server IP address.
Secondary DNS Server: Enter the secondary DNS server IP address.
Local Domain Name: Enter the domain name to append to addresses with no domain portion when performing DNS lookups.
Enable DNS forwarding from: This option applies only to FortiGate models 100 and lower operating in NAT/Route mode. Select the interfaces that forward DNS requests they receive to the configured DNS servers.
Dead Gateway Detection: Dead gateway detection confirms connectivity using a ping server added to an interface configuration. For information about adding a ping server to an interface, see “Dead gateway detection” on page 146.
Detection Interval: Enter a number in seconds to specify how often the FortiGate unit pings the target.
Fail-over Detection: Enter the number of times that the ping test fails before the FortiGate unit assumes that the gateway is no longer functioning.

DNS Servers
Several FortiGate functions use DNS, including alert email and URL blocking. You can specify the IP addresses of the DNS servers to which your FortiGate unit connects. DNS server IP addresses are usually supplied by your ISP. You can configure FortiGate models numbered 100 and lower to obtain DNS server addresses automatically. To obtain these addresses automatically, at least one FortiGate unit interface must use the DHCP or PPPoE addressing mode. See “Configuring DHCP on an interface” on page 130 or “Configuring an interface for PPPoE” on page 131. FortiGate models 100 and lower can provide DNS Forwarding on their interfaces. Hosts on the attached network use the interface IP address as their DNS server. DNS requests sent to the interface are forwarded to the DNS server addresses that you configured or that the FortiGate unit obtained automatically.

Dead gateway detection
Dead gateway detection periodically pings a ping server to confirm network connectivity. Typically, the ping server is the next-hop router that leads to an external network or the Internet. The ping period (Detection Interval) and the number of failed pings that is considered to indicate a loss of connectivity (Fail-over Detection) are set in System > Network > Options. To apply dead gateway detection to an interface, you must configure a ping server for that interface.

To add a ping server to an interface
1 Go to System > Network > Interface.
2 Choose an interface and select Edit.
3 Set Ping Server to the IP address of the next hop router on the network.

4 Select Enable.
5 Select OK.

Web Proxy
You can use the Web Proxy settings and FortiGate interface settings to enable explicit HTTP and HTTPS proxying on one or more interfaces. When enabled, the FortiGate unit becomes a web proxy server. All HTTP and HTTPS sessions received by interfaces with Explicit web proxy enabled are intercepted by the explicit web proxy and relayed to their destinations. To use the explicit proxy, users must add the IP address of a FortiGate interface and the explicit proxy port number to the proxy configuration settings of their web browsers. On FortiGate units that support WAN optimization you can also enable web caching for the explicit proxy. For more information, see “Web caching” on page 610. To enable explicit web proxy on an interface, go to System > Network > Interface, select the interface, and enable explicit web proxy. If VDOMs are enabled, only interfaces that belong to the current VDOM and have explicit web proxy enabled will be displayed. If you enable the web proxy on an interface that has VLANs on it, the VLANs will only be enabled for web proxy if you manually enable each of them. Web proxy is not in the Global Network section when VDOMs are enabled.
Note: To enable protection profiles for explicit web proxy traffic, you must configure 2 VDOMs and use inter-VDOM routing to pass the web traffic between them.

Web proxies are configured for each VDOM when VDOMs are enabled. To configure web proxies go to System > Network > Web Proxy.
Figure 72: Configuring Web Proxy settings

Proxy FQDN: Enter the fully qualified domain name (FQDN) for the proxy server. This is the domain name to enter into browsers to access the proxy server.
Max HTTP request length: Enter the maximum length of an HTTP request. Larger requests will be rejected.


Max HTTP message length: Enter the maximum length of an HTTP message. Larger messages will be rejected.
Add headers to Forwarded Requests: You can include the following headers in those requests:
Client IP Header: Enable to include the Client IP Header from the original HTTP request.
Via Header: Enable to include the Via Header from the original HTTP request.
X-forwarded-for Header: Enable to include the X-Forwarded-For (XFF) HTTP header. The XFF HTTP header identifies the originating IP address of a web client or browser that is connecting through an HTTP proxy, and the remote addresses it passed through to this point.
Front-end HTTPS Header: Enable to include the Front-end HTTPS Header from the original HTTPS request.

Web proxies can be transparent or explicit. Transparent web proxy does not modify the web traffic in any way, but just forwards it to the destination. Explicit web proxy can modify web traffic to provide extra services and administration. Explicit web proxy is configured with the following options.

Explicit Web Proxy Options
Enable Explicit Web Proxy: Enable the explicit web proxy.
Port: Enter the explicit web proxy server port. To use the explicit web proxy, users must add this port to their web browser proxy configuration.
Listen on Interfaces: Displays the interfaces that are being monitored by the explicit web proxy server. Enabled interfaces will be displayed independent of explicit web proxy being enabled or not on the Web Proxy screen. If an interface has a VLAN subinterface configured, it must be enabled separately for explicit web proxy.
Note: Only interfaces that have explicit web proxy enabled and are in the current VDOM will be displayed.
Unknown HTTP version: Select the action to take when the proxy server must handle an unknown HTTP version request or message. Choose from either Reject or Best Effort. The Reject option is more secure.

To enable the explicit web proxy on one or more interfaces
To use the explicit proxy, users must add a proxy server to their web browser configuration. The IP address of the proxy server would be the IP address of the FortiGate interface connected to their network (if the FortiGate unit is operating in NAT mode) or the management IP address (if the FortiGate unit is operating in transparent mode). The port number of the proxy server would be the same as the Explicit web proxy Port configured in step 6 below, for example, 8888.
1 Go to System > Network > Interface.
2 Select an interface to enable the explicit web proxy for.
3 Select Enable explicit web proxy, and save the changes.
4 Repeat to enable the explicit web proxy on all of the interfaces that users will connect to when web browsing.
5 Go to System > Network > Web Proxy and select Enable Explicit Proxy.
6 Enter a Port number for the explicit proxy.
7 Select Apply to save your changes.
When you go to System > Network > Web Proxy, under Explicit web proxy you will see the interfaces that you enabled. The web proxy server will forward HTTP requests to the internal network.

To enable web caching for the explicit web proxy
You can enable web caching for the explicit web proxy on FortiGate units that support WAN optimization and web caching. For more information, see “Web caching” on page 610.
1 Use the procedure “To enable the explicit web proxy on one or more interfaces” on page 148 to enable the explicit web proxy.
2 Go to WAN Opt. & Cache > Cache and select Enable Cache Explicit Proxy.
3 Select Apply to save your changes.
Web content requested by users using the explicit proxy is now cached by the FortiGate unit using the WAN optimization web cache.

Routing table (Transparent Mode)
In NAT/Route mode the static routing table is located at System > Routing > Static, but in Transparent Mode that static routing table is located at System > Network > Routing Table.

Figure 73: Static routing table - Transparent Mode

Create New: Add a new static route.
#: Position of the route in the routing table.
IP: The destination IP address for the route.
Mask: The netmask for the route.
Gateway: The IP address of the next hop router to which the route directs traffic.
Distance: The administration distance or relative preferability of the route. An administration distance of 1 is most preferred.
Delete icon: Remove a route.
View/edit icon: Edit or view a route.
Move To icon: Change the position of a route in the list.

Adding a static route in Transparent Mode
1 Ensure your FortiGate unit is in Transparent mode. For more details see “Changing operation mode” on page 206.
2 Go to System > Network > Routing Table.
3 Select Create New.

Transparent mode route settings
Configuring a static route in Transparent mode
1 Go to System > Network > Routing Table.
2 Select Create New. You can also select the Edit icon of an existing route to modify it.

Figure 74: Transparent mode route settings

Destination IP /Mask: Enter the destination IP address and netmask for the route. To create a default route, set the IP and netmask to 0.0.0.0.
Gateway: Enter the IP address of the next hop router to which the route directs traffic. For an Internet connection, the next hop routing gateway routes traffic to the Internet.
Distance: The administration distance or relative preferability of the route. An administration distance of 1 is most preferred.

3 Enter the Destination IP and netmask.
4 Enter the Gateway IP address.
5 Enter the administrative distance.
6 Select OK.

VLAN overview
A VLAN is a group of PCs, servers, and other network devices that communicate as if they were on the same LAN segment, regardless of their location. For example, the workstations and servers for an accounting department could be scattered throughout an office or city and connected to numerous network segments, but still belong to the same VLAN.

A VLAN segregates devices logically instead of physically. Each VLAN is treated as a broadcast domain. Devices in VLAN 1 can connect with other devices in VLAN 1, but cannot connect with devices in other VLANs. The communication among devices on a VLAN is independent of the physical network.

A VLAN segregates devices by adding 802.1Q VLAN tags to all of the packets sent and received by the devices in the VLAN. VLAN tags are 4-byte frame extensions that contain a VLAN identifier as well as other information.

For more information on VLANs, see the FortiGate VLANs and VDOMs Guide.

Figure 75: Basic VLAN topology (Internet, router, VLAN switch, VLAN 1 network and VLAN 2 network; untagged packets between the router and the Internet)

FortiGate units and VLANs
In a typical VLAN configuration, 802.1Q-compliant VLAN layer-2 switches or layer-3 routers or firewalls add VLAN tags to packets. Packets passing between devices in the same VLAN are normally handled by layer-2 switches but can be handled by layer-3 devices. Packets passing between devices in different VLANs must be handled by a layer-3 device such as a router, firewall, or layer-3 switch.

Using VLANs, a single FortiGate unit can provide security services and control connections between multiple security domains. Traffic from each security domain is given a different VLAN ID. The FortiGate unit can recognize VLAN IDs and apply security policies to secure network and IPSec VPN traffic between security domains. The FortiGate unit can also apply policies, protection profiles, and other firewall features for network and VPN traffic that is allowed to pass between security domains.

VLANs in NAT/Route mode
Operating in NAT/Route mode, the FortiGate unit functions as a layer-3 device to control the flow of packets between VLANs. The FortiGate unit can also remove VLAN tags from incoming VLAN packets and forward untagged packets to other networks, such as the Internet.

FortiGate units in NAT/Route mode can use VLANs for constructing VLAN trunks between an IEEE 802.1Q-compliant switch (or router) and the FortiGate units. Normally the FortiGate unit internal interface connects to a VLAN trunk on an internal switch, and the external interface connects to an upstream Internet router. The FortiGate unit can then apply different policies for traffic on each VLAN that connects to the internal interface.

When constructing VLAN trunks, you add VLAN subinterfaces that have VLAN IDs that match the VLAN IDs of packets in the VLAN trunk to the FortiGate internal interface. The FortiGate unit directs packets with VLAN IDs to subinterfaces with matching VLAN IDs. For example, packets from the sending system VLAN ID#101 are delivered to the recipient system’s VLAN ID#101. If the IDs don’t match, traffic will not be delivered. You can also define VLAN subinterfaces on all FortiGate interfaces. The FortiGate unit can add VLAN tags to packets leaving a VLAN subinterface or remove VLAN tags from incoming packets and add different VLAN tags to outgoing packets.

Rules for VLAN IDs
In NAT/Route mode, two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the same VLAN IDs to different physical interfaces. There is no internal connection or link between two VLAN subinterfaces with the same VLAN ID. Their relationship is the same as the relationship between any two FortiGate network interfaces.

Rules for VLAN IP addresses
IP addresses of all FortiGate interfaces cannot overlap. That is, the IP addresses of all interfaces must be on different subnets. This rule applies to both physical interfaces and to VLAN subinterfaces.

Note: If you are unable to change your existing configurations to prevent IP overlap, enter the CLI command config system global and set allow-interface-subnet-overlap enable to allow IP address overlap. If you enter this command, multiple VLAN interfaces can have an IP address that is part of a subnet used by another interface. This command is recommended for advanced users only.

Figure 64 shows a simplified NAT/Route mode VLAN configuration. In this configuration, the FortiGate internal interface connects to a VLAN switch using an 802.1Q trunk and is configured with two VLAN subinterfaces (VLAN 100 and VLAN 200). The external interface connects to the Internet. The external interface is not configured with VLAN subinterfaces. When the VLAN switch receives packets from VLAN 100 and VLAN 200, it applies VLAN tags and forwards the packets to local ports and across the trunk to the FortiGate unit. The FortiGate unit is configured with policies that allow traffic to flow between VLANs and from the VLANs to the external network.

Figure 76: FortiGate unit in NAT/Route mode (External 172.16.21.2 to the Internet with untagged packets; Internal 192.168.110.126 on an 802.1Q trunk to a VLAN switch; VLAN 100 network 10.1.1.0 and VLAN 200 network 10.1.2.0)

Adding VLAN subinterfaces
The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router. The VLAN ID can be any number between 1 and 4094, as 0 and 4095 are reserved. Each VLAN subinterface must also be configured with its own IP address and netmask. You add VLAN subinterfaces to the physical interface that receives VLAN-tagged packets.

Note: A VLAN must not have the same name as a virtual domain or zone.

To add a VLAN subinterface in NAT/Route mode
1 Go to System > Network > Interface.
2 Select Create New.
3 Enter a Name to identify the VLAN subinterface.
4 Select the physical interface that receives the VLAN packets intended for this VLAN subinterface.
5 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface.
6 If you are an administrator with a super-admin profile, you can create VLAN subinterfaces for any virtual domain. If not, you can only create VLAN subinterfaces in your own VDOM. See “Using virtual domains” on page 103 for information about virtual domains.
7 Configure the VLAN subinterface settings. See “Interface settings” on page 123.

8 Select OK. The FortiGate unit adds the new VLAN subinterface to the interface that you selected in step 4.

To add firewall policies for a VLAN subinterface
After you add a VLAN subinterface you can add firewall policies for connections between VLAN subinterfaces or from a VLAN subinterface to a physical interface.
1 Go to Firewall > Address.
2 Select Create New to add firewall addresses that match the source and destination IP addresses of VLAN packets. See “About firewall addresses” on page 345.
3 Go to Firewall > Policy.
4 Configure firewall policies as required.

VLANs in Transparent mode

In Transparent mode, the FortiGate unit can apply firewall policies and services, such as authentication, protection profiles, and other firewall features, to traffic on an IEEE 802.1 VLAN trunk. You can insert the FortiGate unit into the trunk without making changes to the network. In a typical configuration, the FortiGate internal interface accepts VLAN packets on a VLAN trunk from a VLAN switch or router connected to internal VLANs. The FortiGate external interface forwards tagged packets through the trunk to an external VLAN switch or router that can be connected to the Internet. The FortiGate unit can be configured to apply different policies for traffic on each VLAN in the trunk.

For VLAN traffic to be able to pass between the FortiGate internal and external interface, you add a VLAN subinterface to the internal interface and another VLAN subinterface to the external interface. If these VLAN subinterfaces have the same VLAN IDs, the FortiGate unit applies firewall policies to the traffic on this VLAN. If these VLAN subinterfaces have different VLAN IDs, or if you add more than two VLAN subinterfaces, you can also use firewall policies to control connections between VLANs.

When the FortiGate unit receives a VLAN tagged packet at an interface, the packet is directed to the VLAN subinterface with the matching VLAN ID. The VLAN subinterface removes the VLAN tag and assigns a destination interface to the packet based on its destination MAC address. The firewall policies for the source and destination VLAN subinterface pair are applied to the packet. If the packet is accepted by the firewall, the FortiGate unit forwards the packet to the destination VLAN subinterface. The destination VLAN ID is added to the packet by the FortiGate unit and the packet is sent to the VLAN trunk.

If the network uses IEEE 802.1 VLAN tags to segment your network traffic, you can configure a FortiGate unit to provide security for network traffic passing between different VLANs. To support VLAN traffic in Transparent mode, you add virtual domains to the FortiGate unit configuration. A virtual domain consists of two or more VLAN subinterfaces or zones. In a virtual domain, a zone can contain one or more VLAN subinterfaces.

Note: There is a maximum of 255 interfaces total allowed per VDOM in Transparent mode. This includes VLANs. If no other interfaces are configured for a VDOM, you can configure up to 255 VLANs in that VDOM.

Figure 77 shows a FortiGate unit operating in Transparent mode with 2 virtual domains and configured with three VLAN subinterfaces.

Figure 77: FortiGate unit with two virtual domains in Transparent mode (the figure shows a VLAN trunk carrying VLAN1, VLAN2 and VLAN3 on both the Internal and External interfaces, VLAN1 in the root virtual domain, VLAN2 and VLAN3 in a new virtual domain, a VLAN switch or router on each side, and the Internet)

In this configuration, the FortiGate unit would provide virus scanning, web content filtering, and other services to each VLAN.

Figure 78 shows a FortiGate unit operating in Transparent mode and configured with three VLAN subinterfaces.

Figure 78: FortiGate unit in Transparent mode (the figure shows the Internet, a router sending untagged packets to a VLAN switch, a VLAN trunk carrying VLAN 1, VLAN 2 and VLAN 3 through the FortiGate unit in Transparent mode to a second VLAN switch, and the VLAN 1, VLAN 2 and VLAN 3 networks)

Rules for VLAN IDs

In Transparent mode, two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the same VLAN IDs to different physical interfaces. There is no internal connection or link between two VLAN subinterfaces with the same VLAN ID. Their relationship is the same as the relationship between any two FortiGate network interfaces.

Note: There is a maximum of 255 VLANs allowed per interface in Transparent mode.

Transparent mode virtual domains and VLANs

VLAN subinterfaces are added to and associated with virtual domains. By default the FortiGate configuration includes one virtual domain, named root, and you can add as many VLAN subinterfaces as you require to this virtual domain. You can add more virtual domains if you want to separate groups of VLAN subinterfaces into virtual domains. For information on adding and configuring virtual domains, see “Using virtual domains” on page 103.

Adding a VLAN subinterface in Transparent mode

Note: A VLAN must not have the same name as a virtual domain or zone.

To add a VLAN subinterface
1 Go to System > Network > Interface.
2 Select Create New.
3 Enter a Name to identify the VLAN subinterface.
4 Select the physical interface that receives the VLAN packets intended for this VLAN subinterface.
5 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface.
6 Select which virtual domain to add this VLAN subinterface to. See “Using virtual domains” on page 103 for information about virtual domains.
7 Configure the administrative access and log settings. See “Interface settings” on page 123 for more descriptions of these settings.
8 Select OK. The FortiGate unit adds the new subinterface to the interface that you selected in step 4.
9 Select Bring up to activate the VLAN subinterface.

To add firewall policies for a VLAN subinterface
After you add a VLAN subinterface, you can add firewall policies for connections between VLAN subinterfaces or from a VLAN subinterface to a physical interface.
1 Go to Firewall > Address.

2 Select Create New to add firewall addresses that match the source and destination IP addresses of VLAN packets. See “About firewall addresses” on page 345.
3 Go to Firewall > Policy.
4 Add firewall policies as required.

Troubleshooting ARP Issues

Address Resolution Protocol (ARP) traffic is vital to communication on a network and is enabled on FortiGate interfaces by default. Normally ARP packets pass through the FortiGate unit, especially if it is sitting between a client and a server or between a client and a router.

Duplicate ARP packets

ARP traffic can cause problems such as duplicate ARP packets making the recipient device think the packets originated from two different devices, which is generally an attempt to hack into the network. This is true especially in Transparent mode where ARP packets arriving on one interface are sent to all other interfaces, including VLAN subinterfaces. Some Layer 2 switches become unstable when they detect the same MAC address originating on more than one switch interface or from more than one VLAN. This instability can occur if the Layer 2 switch does not maintain separate MAC address tables for each VLAN. Unstable switches may reset, causing network traffic to slow down.

ARP Forwarding

One solution to the duplicate ARP packet problem is to enable ARP forwarding. When ARP forwarding is enabled, the FortiGate unit allows duplicate ARP packets, which resolves the delivery problems caused by duplicate ARP packets. However, this also opens up your network to potential hacking attempts that spoof packets. For more secure solutions, see the FortiGate VLANs and VDOMs Guide.
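The VLAN rules stated in the NAT/Route and Transparent mode sections above (VLAN IDs 1 to 4094, no duplicate VLAN ID on one physical interface, no name shared with a VDOM or zone, non-overlapping interface subnets in NAT/Route mode, and the 255-per-interface and 255-per-VDOM limits in Transparent mode) can be checked before a change is applied. The validator below is an added example written for this guide, not Fortinet code; the VlanSub fields, the "nat"/"transparent" mode strings and the sample interfaces are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Interface
from typing import Dict, List, Optional, Sequence

VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094        # 0 and 4095 are reserved
TRANSPARENT_MAX_PER_VDOM = 255            # interfaces, VLANs included, per VDOM
TRANSPARENT_MAX_PER_PHYSICAL = 255        # VLANs per physical interface


@dataclass(frozen=True)
class VlanSub:
    """One VLAN subinterface as entered in System > Network > Interface (constructed model)."""
    name: str
    physical: str               # interface that receives the 802.1Q-tagged packets
    vlan_id: int                # must match the tag added by the switch or router
    vdom: str = "root"
    ip: Optional[str] = None    # "addr/prefix"; required in NAT/Route mode


def validate_vlans(subs: Sequence[VlanSub], mode: str,
                   vdoms: Sequence[str] = ("root",),
                   zones: Sequence[str] = (),
                   physical_ips: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the rule violations found (an empty list means the set is valid).

    mode is "nat" (NAT/Route) or "transparent". physical_ips maps a physical
    interface name to its "addr/prefix" so its subnet joins the overlap check.
    """
    if mode not in ("nat", "transparent"):
        raise ValueError("mode must be 'nat' or 'transparent'")
    errors: List[str] = []
    reserved_names = set(vdoms) | set(zones)
    seen_names = set()
    seen_tags = set()            # (physical interface, VLAN ID) pairs already used
    subnets = [(phys, IPv4Interface(ip).network)
               for phys, ip in (physical_ips or {}).items()]

    for s in subs:
        if not VLAN_ID_MIN <= s.vlan_id <= VLAN_ID_MAX:
            errors.append(f"{s.name}: VLAN ID {s.vlan_id} is outside "
                          f"{VLAN_ID_MIN}-{VLAN_ID_MAX}")
        if s.name in reserved_names:
            errors.append(f"{s.name}: name is already a virtual domain or zone name")
        if s.name in seen_names:
            errors.append(f"{s.name}: duplicate subinterface name")
        seen_names.add(s.name)
        # Same VLAN ID twice on one physical interface is not allowed in either mode;
        # the same ID on different physical interfaces is fine.
        if (s.physical, s.vlan_id) in seen_tags:
            errors.append(f"{s.name}: VLAN ID {s.vlan_id} already used on {s.physical}")
        seen_tags.add((s.physical, s.vlan_id))
        if s.vdom not in vdoms:
            errors.append(f"{s.name}: unknown virtual domain {s.vdom!r}")
        if mode == "nat":
            if s.ip is None:
                errors.append(f"{s.name}: NAT/Route mode needs an IP address and netmask")
            else:
                subnets.append((s.name, IPv4Interface(s.ip).network))

    if mode == "nat":
        # IP addresses of all interfaces, physical and VLAN, must not overlap
        for i, (name_a, net_a) in enumerate(subnets):
            for name_b, net_b in subnets[i + 1:]:
                if net_a.overlaps(net_b):
                    errors.append(f"{name_a} and {name_b}: subnets {net_a} and "
                                  f"{net_b} overlap")
    else:
        for phys, count in Counter(s.physical for s in subs).items():
            if count > TRANSPARENT_MAX_PER_PHYSICAL:
                errors.append(f"{phys}: {count} VLANs exceeds the limit of "
                              f"{TRANSPARENT_MAX_PER_PHYSICAL} per interface")
        for vdom, count in Counter(s.vdom for s in subs).items():
            if count > TRANSPARENT_MAX_PER_VDOM:
                errors.append(f"{vdom}: {count} interfaces exceeds the limit of "
                              f"{TRANSPARENT_MAX_PER_VDOM} per VDOM")
    return errors


if __name__ == "__main__":
    # Constructed sample: two VLANs behind the internal interface, as in Figure 76
    sample = [VlanSub("vlan100", "internal", 100, ip="10.1.1.1/24"),
              VlanSub("vlan200", "internal", 200, ip="10.1.2.1/24")]
    for problem in validate_vlans(sample, "nat",
                                  physical_ips={"internal": "192.168.1.99/24"}):
        print(problem)
```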


System Wireless

This section describes how to configure the Wireless LAN interfaces on FortiWiFi units. The majority of this section is applicable to all FortiWiFi units.

If you enable virtual domains (VDOMs) on the FortiGate unit, MAC filters and wireless monitor are configured separately for each virtual domain. System wireless settings are configured globally. For details, see “Using virtual domains” on page 103.

This section describes:
• FortiWiFi wireless interfaces
• Channel assignments
• Wireless settings
• Wireless MAC Filter
• Wireless Monitor
• Rogue AP detection

FortiWiFi wireless interfaces

FortiWiFi units support up to four wireless interfaces and four different SSIDs. Each wireless interface should have a different SSID and each wireless interface can have different security settings.

You can configure the FortiWiFi unit to:
• Provide an access point that clients with wireless network cards can connect to. This is called Access Point mode, which is the default mode. All FortiWiFi units can have up to 4 wireless interfaces. For details on adding wireless interfaces, see “Adding a wireless interface” on page 163.
or
• Connect the FortiWiFi unit to another wireless network. This is called Client mode. A FortiWiFi unit operating in Client mode can only have one wireless interface.
or
• Monitor access points within radio range. This is called Monitoring mode. You can designate the detected access points as Accepted or Rogue for tracking purposes. No access point or client operation is possible in this mode. But, you can enable monitoring as a background activity while the unit is in Access Point mode.

FortiWiFi units support the following wireless network standards:
• IEEE 802.11a (5-GHz Band)
• IEEE 802.11b (2.4-GHz Band)
• IEEE 802.11g (2.4-GHz Band)
• WEP64 and WEP128 Wired Equivalent Privacy (WEP)
• Wi-Fi Protected Access (WPA), WPA2 and WPA2 Auto using pre-shared keys or RADIUS servers

Channel assignments

Depending on the wireless protocol selected, you have specific channels available to you, depending on what region of the world you are in. The following tables list the channel assignments for wireless networks for each supported wireless protocol. Set the channel for the wireless network by going to System > Wireless > Settings. For more information see “Wireless settings” on page 162.

IEEE 802.11a channel numbers

Table 10 lists IEEE 802.11a channels supported for FortiWiFi products that support the IEEE 802.11a wireless standard. IEEE 802.11a is only available on FortiWiFi-60B units. All channels are restricted to indoor usage except in the Americas, where both indoor and outdoor use is permitted on channels 52 through 64 in the United States.

Table 10: IEEE 802.11a (5-GHz Band) channel numbers
Channel number   Frequency (MHz)
34               5170
36               5180
38               5190
40               5200
42               5210
44               5220
46               5230
48               5240
52               5260
56               5280
60               5300
64               5320
149              5745
153              5765
157              5785
161              5805
Regulatory areas listed in the table: Americas, Europe, Taiwan, Singapore, Japan.

IEEE 802.11b channel numbers

Table 11 lists IEEE 802.11b channels. All FortiWiFi units support 802.11b. Mexico is included in the Americas regulatory domain. You must make sure that the channel number complies with the regulatory standards of Mexico. Channels 1 through 8 are for indoor use only. Channels 9 through 11 can be used indoors and outdoors.

Table 11: IEEE 802.11b (2.4-GHz Band) channel numbers
Channel number   Frequency (MHz)
1                2412
2                2417
3                2422
4                2427
5                2432
6                2437
7                2442
8                2447
9                2452
10               2457
11               2462
12               2467
13               2472
14               2484
Regulatory areas listed in the table: Americas, EMEA, Israel, Japan.

IEEE 802.11g channel numbers

Table 12 lists IEEE 802.11g channels. All FortiWiFi products support 802.11g.

Table 12: IEEE 802.11g (2.4-GHz Band) channel numbers
Channel number   Frequency (MHz)
1                2412
2                2417
3                2422
4                2427
5                2432
6                2437
7                2442
8                2447
9                2452
10               2457
11               2462
12               2467
13               2472
14               2484
Regulatory areas listed in the table, each with separate CCK and OFDM columns: Americas, EMEA, Israel, Japan.

Wireless settings

To configure the wireless settings, go to System > Wireless > Settings. All wireless interfaces use the same wireless parameters. That is, you configure the wireless settings once, and all wireless interfaces use those settings.

By default the FortiWiFi unit includes one wireless interface, called wlan. If you are operating your FortiWiFi unit in Access Point mode, you can add up to three virtual wireless interfaces. For details on adding more wireless interfaces, see “Adding a wireless interface” on page 163. When operating the FortiWiFi unit in Client mode, radio settings are not configurable.

Figure 79: FortiWiFi wireless parameters - Access Point mode
Figure 80: FortiWiFi wireless parameters - Client mode
Figure 81: FortiWiFi wireless parameters - Monitoring mode

Operation Mode
Select Change to switch operation modes.
Access Point — The FortiWiFi unit acts as an access point for wireless users to connect to send and receive information over a wireless network. It enables multiple wireless network users access to the network without the need to connect to it physically. To add more wireless interfaces in Access Point mode, see “Adding a wireless interface” on page 163.
Client — The FortiWiFi unit is set to receive transmissions from another access point. This enables you to connect remote users to an existing network using wireless protocols. The FortiWiFi unit can connect to the internal network and act as a firewall to the Internet.
Monitoring — Scan for other access points. These are listed in the Rogue AP list. See “Rogue AP detection” on page 168.
For these modes, there must be only one wireless interface. Note: You cannot switch to Client mode or Monitoring mode if you have added virtual wireless interfaces.

Radio settings — Access Point mode only
Band
Select the wireless frequency band. Be aware what wireless cards or devices your users have as it may limit their use of the wireless network. For example, if you configure the FortiWiFi unit for 802.11g and users have 802.11b devices, they may not be able to use the wireless network.
Geography
Select your country or region. This determines which channels are available. See “Channel assignments” on page 160 for channel information.
Channel
Select a channel for your wireless network or select Auto. The channels that you can select depend on the Geography setting. See “Channel assignments” on page 160 for channel information.
Tx Power
Set the transmitter power level. The higher the number, the larger the area the FortiWiFi will broadcast. If you want to keep the wireless signal to a small area, enter a smaller number.
Beacon Interval
Set the interval between beacon packets. Access Points broadcast Beacons or Traffic Indication Messages (TIM) to synchronize wireless networks. A higher value decreases the number of beacons sent; however, it may delay some wireless clients from connecting if it misses a beacon packet. Decreasing the value will increase the number of beacons sent; while this will make it quicker to find and connect to the wireless network, it requires more overhead, slowing throughput.
Background Rogue AP Scan
Perform the Monitoring mode scanning function while the unit is in Access Point mode. The scan covers all wireless channels. Scanning occurs while the access point is idle. Background scanning can reduce performance if the access point is busy. See “Rogue AP detection” on page 168.

Wireless interface list — Access Point and Client modes
Interface
The name of the wireless interface, wlan. To modify wireless interface settings, select the interface name.
MAC Address
The MAC address of the Wireless interface.
SSID
The wireless service set identifier (SSID) or network name for the wireless interface. To communicate, an Access Point and its clients must use the same SSID. Ensure each wireless interface has a unique SSID.
SSID Broadcast
Green checkmark icon indicates that the wireless interface broadcasts its SSID. Broadcasting the SSID makes it possible for clients to connect to your wireless network without first knowing the SSID. This column is visible only in Access Point mode.
Security Mode
The wireless interface security mode: WEP64, WEP128, WPA, WPA2, WPA2 Auto or None.

Adding a wireless interface

You can add up to three virtual wireless interfaces to your access point. These additional interfaces share the same wireless parameters configured for the WLAN interface for Band, Geography, Channel, Tx Power, and Beacon Interval.

Note: You cannot add additional wireless interfaces when the FortiWiFi unit is in Client mode or Monitoring mode.

To add a wireless interface
1 Go to System > Network > Interface.
2 Select Create New.
3 Complete the following:
Name
Enter a name for the wireless interface. The name cannot be the same as an existing interface, zone or VDOM.
Type
Select Wireless.
Address Mode
The wireless interface can only be set as a manual address. Enter a valid IP address and netmask. If the FortiWiFi is running in Transparent mode, this field does not appear. The interface will be on the same subnet as the other interfaces.
Administrative Access
Set the administrative access for the interface.
4 In the Wireless Settings section, complete the following and select OK:

Figure 82: Wireless interface settings (WEP)
Figure 83: Wireless interface settings (WPA)

SSID
Enter the wireless service set identifier (SSID) or network name for this wireless interface. Users who want to use the wireless network must configure their computers with this network name.
SSID Broadcast
Select to broadcast the SSID. Broadcasting the SSID enables clients to connect to your wireless network without first knowing the SSID. If you choose not to broadcast the SSID, you need to inform users of the SSID so they can configure their wireless devices. For better security, do not broadcast the SSID. If the SSID is not broadcast, there is less chance of an unwanted user connecting to your wireless network.

Security mode
Select the security mode for the wireless interface. Wireless users must use the same security mode to be able to connect to this wireless interface.
None — has no security. Any wireless user can connect to the wireless network.
WEP64 — 64-bit wired equivalent privacy (WEP). To use WEP64 you must enter a Key containing 10 hexadecimal digits (0-9 a-f) and inform wireless users of the key.
WEP128 — 128-bit WEP. To use WEP128 you must enter a Key containing 26 hexadecimal digits (0-9 a-f) and inform wireless users of the key.
WPA — Wi-Fi protected access (WPA) security. To use WPA you must select a data encryption method. You must also enter a pre-shared key containing at least eight characters or select a RADIUS server. If you select a RADIUS server the wireless clients must have accounts on the RADIUS server.
WPA2 — WPA with more security features. To use WPA2 you must select a data encryption method and enter a pre-shared key containing at least eight characters or select a RADIUS server. If you select a RADIUS server the wireless clients must have accounts on the RADIUS server.
WPA2 Auto — the same security features as WPA2, but also accepts wireless clients using WPA security. To use WPA2 Auto you must select a data encryption method. You must also enter a pre-shared key containing at least 8 characters or select a RADIUS server. If you select a RADIUS server the wireless clients must have accounts on the RADIUS server.
Key
Enter the security key. This field appears when selecting WEP64 or WEP128 security.
Data Encryption
Select a data encryption method to be used by WPA, WPA2, or WPA2 Auto security. Select TKIP to use the Temporal Key Integrity Protocol (TKIP). Select AES to use Advanced Encryption Standard (AES) encryption. AES is considered more secure than TKIP. Some implementations of WPA may not support AES. This field appears when selecting WPA, WPA2, or WPA2 Auto.
Pre-shared Key
Enter the pre-shared key.
RADIUS Server
Select to use a RADIUS server when selecting WPA or WPA2 security. Select a RADIUS server name from the list. You can use WPA or WPA2 RADIUS security to integrate your wireless network configuration with a RADIUS or Windows AD server. You must configure the RADIUS server by going to User > RADIUS. For more information, see “RADIUS” on page 571.
Fragmentation Threshold
Set the maximum size of a data packet before it is broken into smaller packets. If the packet is larger than the threshold, the FortiWiFi unit will fragment the transmission. If the packet size is less than the threshold, the FortiWiFi unit will not fragment the transmission. In some cases, larger packets being sent may cause collisions, slowing data transmissions. A setting of 2346 bytes effectively disables this option.
RTS Threshold
Set the Request to Send (RTS) threshold. The RTS threshold is the maximum size, in bytes, of a packet that the FortiWiFi will accept without sending RTS/CTS packets to the sending wireless device. By changing this value from the default of 2346, you can configure the FortiWiFi unit to, in effect, have the sending wireless device ask for clearance before sending larger transmissions, reducing the chance of packet collisions. There can still be risk of smaller packet collisions; however, this is less likely. A setting of 2346 bytes effectively disables this option.

Wireless MAC Filter

To improve the security of your wireless network, you can enable MAC address filtering on the FortiWiFi unit. By enabling MAC address filtering, you define the wireless devices that can access the network based on their system MAC address. When a user attempts to access the wireless network, the FortiWiFi unit checks the MAC address of the user against the list you created. If the MAC address is on the approved list, the user gains access to the network. If the user is not in the list, the user is rejected.
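The wireless interface settings above impose checkable constraints (WEP64 and WEP128 key lengths, a data encryption method plus an 8-character pre-shared key or a RADIUS server for the WPA modes, unique SSIDs, at most four interfaces and only one outside Access Point mode, valid channels per band, and a 2346-byte ceiling on the Fragmentation and RTS thresholds), and the MAC filter just described is a single allow or deny list per interface. The checker below is an added example for this guide, not Fortinet code; the WirelessInterface fields, the "allow"/"deny" list form and the frequency formula generalizing the Frequency columns of Tables 10 to 12 are my assumptions, and the sample addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
WEP_KEY_DIGITS = {"WEP64": 10, "WEP128": 26}     # hex digits required per mode
WPA_MODES = ("WPA", "WPA2", "WPA2 Auto")
THRESHOLD_MAX = 2346                 # default; this value effectively disables the option
MAX_WIRELESS_INTERFACES = 4          # wlan plus up to three virtual interfaces

# Channel numbers from Tables 10 to 12 (regulatory areas are not modelled here)
CHANNELS = {
    "802.11a": {34, 36, 38, 40, 42, 44, 46, 48, 52, 56, 60, 64, 149, 153, 157, 161},
    "802.11b": set(range(1, 15)),
    "802.11g": set(range(1, 15)),
}


def channel_frequency_mhz(band: str, channel: int) -> int:
    """Centre frequency of a channel; reproduces the Frequency columns of the tables."""
    if channel not in CHANNELS[band]:
        raise ValueError(f"channel {channel} is not a {band} channel")
    if band == "802.11a":
        return 5000 + 5 * channel                      # 36 -> 5180, 149 -> 5745
    return 2484 if channel == 14 else 2407 + 5 * channel   # 1 -> 2412, 13 -> 2472


@dataclass
class WirelessInterface:
    """Fields of the Wireless Settings section (constructed model of the GUI form)."""
    name: str
    ssid: str
    security_mode: str                       # None, WEP64, WEP128, WPA, WPA2, WPA2 Auto
    key: Optional[str] = None                # WEP key, hexadecimal digits
    data_encryption: Optional[str] = None    # TKIP or AES, WPA modes only
    pre_shared_key: Optional[str] = None
    radius_server: Optional[str] = None
    ssid_broadcast: bool = True
    fragmentation_threshold: int = THRESHOLD_MAX
    rts_threshold: int = THRESHOLD_MAX
    mac_filter: Optional[Tuple[str, Sequence[str]]] = None   # ("allow"|"deny", addresses)


def check_interface(w: WirelessInterface) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors break the rules above, warnings mark
    settings the section describes as offering less security."""
    errors, warnings = [], []
    m = w.security_mode
    if m == "None":
        warnings.append(f"{w.name}: security mode None, any wireless user can connect")
    elif m in WEP_KEY_DIGITS:
        n = WEP_KEY_DIGITS[m]
        if not (w.key and len(w.key) == n and HEX_RE.match(w.key)):
            errors.append(f"{w.name}: {m} needs a key of exactly {n} hexadecimal digits")
    elif m in WPA_MODES:
        if w.data_encryption not in ("TKIP", "AES"):
            errors.append(f"{w.name}: {m} needs a data encryption method (TKIP or AES)")
        elif w.data_encryption == "TKIP":
            warnings.append(f"{w.name}: TKIP selected, AES is considered more secure")
        has_psk = w.pre_shared_key is not None and len(w.pre_shared_key) >= 8
        if not has_psk and not w.radius_server:
            errors.append(f"{w.name}: {m} needs a pre-shared key of at least 8 "
                          "characters or a RADIUS server")
    else:
        errors.append(f"{w.name}: unknown security mode {m!r}")
    if w.ssid_broadcast:
        warnings.append(f"{w.name}: SSID is broadcast; clients can find the network "
                        "without knowing the SSID")
    for label, value in (("Fragmentation", w.fragmentation_threshold),
                         ("RTS", w.rts_threshold)):
        if not 0 < value <= THRESHOLD_MAX:
            errors.append(f"{w.name}: {label} threshold {value} must be 1-{THRESHOLD_MAX}")
    return errors, warnings


def check_wireless_config(mode: str, band: str, channel,
                          interfaces: Sequence[WirelessInterface]
                          ) -> Tuple[List[str], List[str]]:
    """Check the global radio settings plus every interface; returns (errors, warnings)."""
    errors, warnings = [], []
    if mode != "Access Point" and len(interfaces) > 1:
        errors.append(f"{mode} mode allows only one wireless interface")
    if len(interfaces) > MAX_WIRELESS_INTERFACES:
        errors.append(f"at most {MAX_WIRELESS_INTERFACES} wireless interfaces are supported")
    if mode == "Access Point" and channel != "Auto" and channel not in CHANNELS.get(band, set()):
        errors.append(f"channel {channel} is not valid for {band}")
    seen = set()
    for w in interfaces:
        if w.ssid in seen:
            errors.append(f"{w.name}: SSID {w.ssid!r} is already used by another interface")
        seen.add(w.ssid)
        e, wn = check_interface(w)
        errors += e
        warnings += wn
    return errors, warnings


def mac_filter_permits(w: WirelessInterface, client_mac: str) -> bool:
    """Apply the interface's single allow or deny list to a connecting client."""
    if w.mac_filter is None:
        return True                       # filtering not enabled on this interface
    action, addresses = w.mac_filter
    listed = client_mac.lower() in {a.lower() for a in addresses}
    return listed if action == "allow" else not listed
```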

Alternatively, you can configure the wireless interface to allow all connections except those in the MAC address list. Similar to the allow list, you can create a deny list. Using MAC address filtering makes it more difficult for a hacker using random MAC addresses or spoofing a MAC address to gain access to your network. Note you can configure one list per WLAN interface.

To allow or deny wireless access to wireless clients based on the MAC address of the client wireless cards, go to System > Wireless > MAC Filter.

Managing the MAC Filter list

The MAC Filter list enables you to view the MAC addresses you have added to a wireless interface and their status, either allow or deny. It also enables you to edit and manage MAC Filter lists.

Figure 84: Wireless MAC filter list

Interface
The name of the wireless interface.
MAC address List
The list of MAC addresses in the MAC filter list for the wireless interface.
Access
Allow or deny access to the listed MAC addresses for the wireless interface.
Enable
Select to enable MAC filtering for the wireless interface.
Edit icon
Edit the MAC address list for an interface.

To edit a MAC filter list
1 Go to System > Wireless > MAC Filter.
2 Select Edit for the wireless interface.

Figure 85: Wireless interface MAC filter

3 Complete the following and select OK:

List Access
Select to allow or deny the addresses in the MAC Address list from accessing the wireless network.
MAC Address
Enter the MAC address to add to the list.
Add
Add the entered MAC address to the list.
Remove
Select one or more MAC addresses in the list and select Remove to delete the MAC addresses from the list.

Wireless Monitor

Go to System > Wireless > Monitor to view information about your wireless network. In Access Point mode, you can see who is connected to your wireless LAN. In Client mode, you can see which access points are within radio range.

Figure 86: Wireless monitor - AP mode
Figure 87: Wireless monitor - Client mode

Statistics
Statistical information about wireless performance for each wireless interface.
AP Name / Name
The name of the wireless interface.
Frequency
The frequency that the wireless interface is operating with. Should be around 5-GHz for 802.11a interfaces and around 2.4GHz for 802.11b and 802.11g networks.
Signal Strength (dBm)
The strength of the signal from the client.
Noise (dBm)
The received noise level.
S/N (dB)
The signal-to-noise ratio in decibels calculated from signal strength and noise level.

Rx (KBytes)
The amount of data in kilobytes received this session.
Tx (KBytes)
The amount of data in kilobytes sent this session.
Clients list (AP mode)
Real-time details about the client wireless devices that can reach this FortiWiFi unit access point.
MAC Address
The MAC address of the connected wireless client.
IP Address
The IP address assigned to the connected wireless client.
AP Name
The name of the wireless interface that the client is connected to.
Neighbor AP list (Client mode)
Real-time details about the access points that the client can receive. Only devices on the same radio band are listed.
MAC Address
The MAC address of the connected wireless client.
SSID
The wireless service set identifier (SSID) that this access point broadcasts.
Channel
The wireless radio channel that the access point uses.
Rate (M)
The data rate of the access point in Mbits/s.
RSSI
The received signal strength indication, a relative value between 0 (minimum) and 255 (maximum).

Rogue AP detection

Rogue Access Point Detection scans for wireless access points in Monitoring mode, or in Access Point mode with Background Rogue AP Scan enabled. You can also enable scanning in the background while the unit is in Access Point mode.

To enable the monitoring mode
1 Go to System > Wireless > Settings.
2 Select Change beside the current operation mode.
3 Select Monitoring and then select OK.
4 Select OK to confirm the mode change.
5 Select Apply.

To enable background scanning
1 While in Access Point mode, go to System > Wireless > Settings.
2 Enable Background Rogue AP Scan and then select Apply.

Viewing wireless access points

Go to System > Wireless > Rogue AP to view detected access points. Access points are listed in the Unknown Access Points list until you mark them as either Accepted or Rogue access points. This designation helps you to track access points. It does not affect anyone’s ability to use these access points.

Figure 88: Rogue Access Point list

Refresh Interval
Set time between information updates. none means no updates.
Refresh
Updates displayed information now.
Inactive Access Points
Select which inactive access points to show: all, none, those detected less than one hour ago, or those detected less than one day ago.
Online
A green checkmark indicates an active access point. A grey X indicates that the access point is inactive.
SSID
The wireless service set identifier (SSID) or network name for the wireless interface.
MAC Address
The MAC address of the Wireless interface.
Channel
The wireless radio channel that the access point uses.
Rate
The data rate of the access point.
Signal Strength /Noise
The signal strength and noise level.
First Seen
The date and time when the FortiWiFi unit first detected the access point.
Last Seen
The date and time when the FortiWiFi unit last detected the access point.
Mark as ‘Accepted AP’
Select the icon to move this entry to the Accepted Access Points list.
Mark as ‘Rogue AP’
Select the icon to move this entry to the Rogue Access Points list.
Forget AP
Return item to Unknown Access Points list from Accepted Access Points list or Rogue Access Points list.

You can also enter information about accepted and rogue APs in the CLI without having to detect them first. See the system wireless ap-status command in the FortiGate CLI Reference.


System DHCP

This section describes how to use DHCP to provide convenient automatic network configuration for your clients. DHCP services can also be configured through the Command Line Interface (CLI). See the FortiGate CLI Reference for more information.

If you enable virtual domains (VDOMs) on the FortiGate unit, DHCP is configured separately for each virtual domain. For details, see “Using virtual domains” on page 103.

This section describes:
• FortiGate DHCP servers and relays
• Configuring DHCP services
• Viewing address leases

FortiGate DHCP servers and relays

The DHCP protocol enables hosts to automatically obtain an IP address from a DHCP server. Optionally, they can also obtain default gateway and DNS server settings.

You can configure one or more DHCP servers on any FortiGate interface. A DHCP server dynamically assigns IP addresses to hosts on the network connected to the interface. The host computers must be configured to obtain their IP addresses using DHCP.

If an interface is connected to multiple networks via routers, you can add a DHCP server for each network. The IP range of each DHCP server must match the network address range. The routers must be configured for DHCP relay.

You can configure a FortiGate interface as a DHCP relay. The interface forwards DHCP requests from DHCP clients to an external DHCP server and returns the responses to the DHCP clients. The DHCP server must have appropriate routing so that its response packets to the DHCP clients arrive at the FortiGate unit.

DHCP is not available in Transparent mode. DHCP requests are passed through the FortiGate unit when it is in Transparent mode.

A FortiGate interface or VLAN subinterface can provide the following DHCP services:
• Basic DHCP servers for non-IPSec IP networks
• IPSec DHCP servers for IPSec (VPN) connections
• DHCP relay for regular Ethernet or IPSec (VPN) connections

An interface cannot provide both a server and a relay for connections of the same type (regular or IPSec).

Note: You can configure a Regular DHCP server on an interface only if the interface has a static IP address. You can configure an IPSec DHCP server on an interface that has either a static or a dynamic IP address.

To configure a DHCP server, see “Configuring a DHCP server” on page 173. To configure a DHCP relay see “Configuring an interface as a DHCP relay agent” on page 173.

Configuring DHCP services

Go to System > DHCP > Service to configure DHCP services. On each FortiGate interface, you can configure a DHCP relay or add DHCP servers as needed. Expand each listed interface to view the Relay and Servers.

Note: An interface must have a static IP before you configure a DHCP server on it.

Note: You cannot configure DHCP in Transparent mode. In Transparent mode DHCP requests pass through the FortiGate unit.

Figure 89: DHCP service list - FortiGate-200A shown

Interface: List of FortiGate interfaces.
Server Name/Relay IP: Name of FortiGate DHCP server or IP address of DHCP server accessed by relay.
Type: Type of DHCP relay or server: Regular or IPSec.
Enable: Green check mark icon indicates that server or relay is enabled.
Add DHCP Server icon: Select to configure and add a DHCP server for this interface.

On FortiGate 50 and 60 series units, a DHCP server is configured, by default, on the Internal interface, as follows:
IP Range: 192.168.1.110 to 192.168.1.210
Netmask: 255.255.255.0
Default gateway: 192.168.1.99
Lease time: 7 days
DNS Server 1: 192.168.1.99

These settings are appropriate for the default Internal interface IP address of 192.168.1.99. If you change this address to a different network, you need to change the DHCP server settings to match. You can disable or change this default DHCP Server configuration.

Edit icon: Select to edit the DHCP relay or server configuration.
Delete icon: Select to delete the DHCP server.

Configuring an interface as a DHCP relay agent

Go to System > DHCP > Service and select an edit icon to view or modify the DHCP relay configuration for an interface.

Figure 90: Edit DHCP relay settings for an interface

Interface Name: The name of the interface.
Type: Select the type of DHCP service required as either Regular or IPSEC.
DHCP Relay Agent: Select to enable the DHCP relay agent on this interface.
DHCP Server IP: Enter the IP address of the DHCP server that will answer DHCP requests from computers on the network connected to the interface.

Configuring a DHCP server

The System > DHCP > Service screen gives you access to existing DHCP servers. It is also where you configure new DHCP servers.

To configure a DHCP server
1 Go to System > DHCP > Service.
2 Select the blue arrow for the interface.
3 Select the Add DHCP Server icon to create a new DHCP server, or select the Edit icon beside an existing DHCP server to change its settings.
4 Configure the DHCP server.
5 Select OK.

Figure 91: DHCP Server options

Name: Enter a name for the DHCP server.
Enable: Enable the DHCP server.
Type: Select Regular or IPSEC DHCP server. You cannot configure a Regular DHCP server on an interface that has a dynamic IP address.
IP Range: Enter the start and end for the range of IP addresses that this DHCP server assigns to DHCP clients. These fields are greyed out when IP Assignment Mode is set to User-group defined method.
Network Mask: Enter the netmask of the addresses that the DHCP server assigns.
Default Gateway: Enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.
Domain: Enter the domain that the DHCP server assigns to DHCP clients.
Lease Time: Select Unlimited for an unlimited lease time or enter the interval in days, hours, and minutes after which a DHCP client must ask the DHCP server for new settings. The lease time can range from 5 minutes to 100 days.
Advanced: Select to configure advanced options. The remaining options in this table are advanced options.
IP Assignment Mode: Determines how the IP addresses for DHCP are assigned. Select:
• Server IP Range - The server will assign the IP addresses as specified in IP Range.
• User-group defined method - The IP addresses will be assigned via RADIUS through the user group used to authenticate the user. See “Dynamically assigning VPN client IP addresses from a RADIUS record” on page 573. When User-group defined method is selected, the IP Range fields are greyed out, and the Exclude Ranges table and controls are not visible.

DNS Server 1, DNS Server 2, DNS Server 3: Enter the IP addresses of up to 3 DNS servers that the DHCP server assigns to DHCP clients.
WINS Server 1, WINS Server 2: Add the IP addresses of one or two WINS servers that the DHCP server assigns to DHCP clients.
Option 1, Option 2, Option 3: Enter up to three custom DHCP options that can be sent by the DHCP server. Code is the DHCP option code in the range 1 to 255. Option is an even number of hexadecimal characters and is not required for some option codes. For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions.
Exclude Ranges: You can add up to 16 exclude ranges of IP addresses that the DHCP server cannot assign to DHCP clients. No range can exceed 65536 IP addresses.
Add: Add a range of IP addresses to exclude.
Starting IP: Enter the first IP address of the exclude range.
End IP: Enter the last IP address of the exclude range.
Delete icon: Delete the exclude range.

Reserving IP addresses for specific clients

You can reserve an IP address for a specific client identified by the client device MAC address and the connection type, regular Ethernet or IPSec. The DHCP server always assigns the reserved address to that client. You can assign up to 200 IP addresses as reserved. For more information see the FortiGate Maximum Values for FortiOS 3.0 article on the Fortinet Knowledge Center.

Use the CLI config system dhcp reserved-address command. For more information, see the FortiGate CLI Reference.

Viewing address leases

Go to System > DHCP > Address Leases to view the IP addresses that the DHCP servers have assigned and the corresponding client MAC addresses.

Figure 92: Address leases list

Interface: Select interface for which to list leases.
Refresh: Select Refresh to update Address leases list.
IP: The assigned IP address.
MAC: The MAC address of the device to which the IP address is assigned.
Expire: Expiry date and time of the DHCP lease.
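Added example, not Fortinet code: a Python checker that tests a planned DHCP server definition against the limits stated in the DHCP Server options and in “Reserving IP addresses for specific clients” (IP range and gateway inside the interface network, lease time 5 minutes to 100 days, up to 16 exclude ranges of at most 65536 addresses, option codes 1 to 255 with an even number of hex characters, up to 200 reserved addresses). The DhcpServer class, its field names and the moved-interface failure case are assumptions constructed for the example; the default values are the FortiGate 50 and 60 series defaults listed above.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import timedelta
from typing import List, Optional, Tuple

# Limits stated in the DHCP Server options and reserved-address text above.
MIN_LEASE, MAX_LEASE = timedelta(minutes=5), timedelta(days=100)
MAX_OPTIONS, MAX_EXCLUDE_RANGES = 3, 16
MAX_RANGE_SIZE, MAX_RESERVED = 65536, 200
HEX_RE = re.compile(r"^[0-9A-Fa-f]*$")


@dataclass
class DhcpServer:
    name: str
    interface_ip: str                  # interface address/prefix, e.g. "192.168.1.99/24"
    ip_range: Tuple[str, str]          # first and last address handed to clients
    default_gateway: str
    lease: Optional[timedelta]         # None models the Unlimited lease time
    dns_servers: List[str] = field(default_factory=list)
    exclude_ranges: List[Tuple[str, str]] = field(default_factory=list)
    options: List[Tuple[int, str]] = field(default_factory=list)   # (code, hex value)
    reserved: List[Tuple[str, str]] = field(default_factory=list)  # (MAC, IP)


def _range_size(start: str, end: str) -> int:
    """Number of addresses from start to end inclusive; <= 0 when end precedes start."""
    return int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1


def validate(server: DhcpServer) -> List[str]:
    """Return every violation of the documented constraints; [] means the plan is consistent."""
    problems: List[str] = []
    net = ipaddress.ip_interface(server.interface_ip).network
    start, end = server.ip_range

    # The IP range and default gateway must belong to the network the interface serves.
    if _range_size(start, end) < 1:
        problems.append("IP range end precedes start")
    for label, ip in (("IP range start", start), ("IP range end", end),
                      ("default gateway", server.default_gateway)):
        if ipaddress.ip_address(ip) not in net:
            problems.append(f"{label} {ip} is outside interface network {net}")

    # Lease time: Unlimited, or between 5 minutes and 100 days.
    if server.lease is not None and not MIN_LEASE <= server.lease <= MAX_LEASE:
        problems.append(f"lease time {server.lease} is outside 5 minutes to 100 days")

    # Exclude ranges: at most 16, none larger than 65536 addresses.
    if len(server.exclude_ranges) > MAX_EXCLUDE_RANGES:
        problems.append(f"more than {MAX_EXCLUDE_RANGES} exclude ranges")
    for xs, xe in server.exclude_ranges:
        size = _range_size(xs, xe)
        if size < 1:
            problems.append(f"exclude range {xs}-{xe} end precedes start")
        elif size > MAX_RANGE_SIZE:
            problems.append(f"exclude range {xs}-{xe} exceeds {MAX_RANGE_SIZE} addresses")

    # Custom options: code 1 to 255; value an even number of hex characters, or empty
    # for codes that carry no value.
    if len(server.options) > MAX_OPTIONS:
        problems.append(f"more than {MAX_OPTIONS} custom options")
    for code, value in server.options:
        if not 1 <= code <= 255:
            problems.append(f"option code {code} is outside 1 to 255")
        if not HEX_RE.match(value) or len(value) % 2:
            problems.append(f"option {code} value {value!r} is not an even number of hex characters")

    # Reserved addresses: at most 200, one per client MAC, inside the interface network.
    if len(server.reserved) > MAX_RESERVED:
        problems.append(f"more than {MAX_RESERVED} reserved addresses")
    seen = set()
    for mac, ip in server.reserved:
        if mac.lower() in seen:
            problems.append(f"MAC address {mac} is reserved more than once")
        seen.add(mac.lower())
        if ipaddress.ip_address(ip) not in net:
            problems.append(f"reserved address {ip} is outside interface network {net}")
    return problems


# The factory default server of FortiGate 50 and 60 series units, as listed above.
DEFAULT_INTERNAL = DhcpServer(
    name="internal-default", interface_ip="192.168.1.99/24",
    ip_range=("192.168.1.110", "192.168.1.210"), default_gateway="192.168.1.99",
    lease=timedelta(days=7), dns_servers=["192.168.1.99"])

# Constructed failure case: the Internal interface was moved to 10.0.0.1/24 but the
# DHCP settings were left unchanged, and an odd-length hex option value was added.
MOVED_INTERNAL = DhcpServer(
    name="internal-moved", interface_ip="10.0.0.1/24",
    ip_range=("192.168.1.110", "192.168.1.210"), default_gateway="192.168.1.99",
    lease=timedelta(days=7), dns_servers=["192.168.1.99"], options=[(42, "abc")])
```

Running validate(MOVED_INTERNAL) reports the three out-of-network addresses and the malformed option, which is exactly the mismatch the guide warns about when the Internal interface address is changed without updating the DHCP server.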


System Config

This section describes the configuration of several non-network features, such as HA, SNMP, custom replacement messages, and Operation mode.

If you enable virtual domains (VDOMs) on the FortiGate unit, HA, SNMP, and replacement messages are configured globally for the entire FortiGate unit. Changing operation mode is configured for each individual VDOM. For details, see “Using virtual domains” on page 103.

This section describes:
• HA
• SNMP
• Replacement messages
• Operation mode and VDOM management access

HA

FortiGate high availability (HA) provides a solution for two key requirements of critical enterprise networking components: enhanced reliability and increased performance. This section contains a brief description of HA web-based manager configuration options, the HA cluster members list, HA statistics, and disconnecting cluster members. For complete information about how to configure and operate FortiGate HA clusters see the FortiGate HA Overview, the FortiGate HA Guide, and the Fortinet Knowledge Center.

HA is not available on FortiGate models 50A and 50AM. HA is available on all other FortiGate models, including the FortiGate-50B.

If you enable virtual domains (VDOMs) on the FortiGate unit, HA is configured globally for the entire FortiGate unit. For details, see “Using virtual domains” on page 103.

The following topics are included in this section:
• HA options
• Cluster members list
• Viewing HA statistics
• Changing subordinate unit host name and device priority
• Disconnecting a cluster unit from a cluster

HA options

Configure HA options so that a FortiGate unit can join a cluster or to change the configuration of an operating cluster or cluster member. To configure HA options so that a FortiGate unit can join an HA cluster, go to System > Config > HA.

If HA is already enabled, go to System > Config > HA to display the cluster members list. Select Edit for the FortiGate unit with Role of master (also called the primary unit). When you edit the HA configuration of the primary unit, all changes are synchronized to the other cluster units.

Note: FortiGate HA is not compatible with PPP protocols such as PPPoE. FortiGate HA is also not compatible with DHCP. If one or more FortiGate unit interfaces is dynamically configured using DHCP or PPPoE you cannot switch to operate in HA mode. Also, you cannot switch to operate in HA mode if one or more FortiGate unit interfaces is configured as a PPTP or L2TP client or if the FortiGate unit is configured for standalone session synchronization.

Figure 93: FortiGate-3810A unit HA configuration

Note: If your FortiGate cluster uses virtual domains, you are configuring HA virtual clustering. Most virtual cluster HA options are the same as normal HA options. However, virtual clusters include VDOM partitioning options. Other differences between configuration options for regular HA and for virtual clustering HA are described below and in the FortiGate HA Overview and the FortiGate HA Guide.

You can configure HA options for a FortiGate unit with virtual domains (VDOMs) enabled by logging into the web-based manager as the global admin administrator and then going to System > Config > HA.

Figure 94: FortiGate-5001SX HA virtual cluster configuration

Mode: Select an HA mode for the cluster or return the FortiGate units in the cluster to standalone mode. You can select Standalone (to disable HA), Active-Passive, or Active-Active. If virtual domains are enabled you can select Active-Passive or Standalone. When configuring a cluster, you must set all members of the HA cluster to the same HA mode.
Device Priority: Optionally set the device priority of the cluster unit. Each cluster unit can have a different device priority. During HA negotiation, the unit with the highest device priority usually becomes the primary unit. In a virtual cluster configuration, each cluster unit can have two device priorities, one for each virtual cluster. During HA negotiation, the unit with the highest device priority in a virtual cluster becomes the primary unit for that virtual cluster. You can accept the default device priority when first configuring a cluster. When the cluster is operating you can change the device priority for different cluster units as required. Changes to the device priority are not synchronized.
Group Name: Enter a name to identify the cluster. The maximum length of the group name is 32 characters. The group name must be the same for all cluster units before the cluster units can form a cluster. Two clusters on the same network cannot have the same group name. The default group name is FGT-HA. You can accept the default group name when first configuring a cluster. After a cluster is operating, you can change the group name, if required. The group name change is synchronized to all cluster units.

Password: Enter a password to identify the cluster. The maximum password length is 15 characters. The password must be the same for all cluster units before the cluster units can form a cluster. Two clusters on the same network must have different passwords. The default is no password. You can accept the default password when first configuring a cluster. When the cluster is operating, you can add a password, if required.
Enable Session pickup: Select to enable session pickup so that if the primary unit fails, all sessions are picked up by the cluster unit that becomes the new primary unit. Session pickup is disabled by default. You can accept the default setting for session pickup and then choose to enable session pickup after the cluster is operating.
Port Monitor: Select to enable or disable monitoring FortiGate interfaces to verify that the monitored interfaces are functioning properly and connected to their networks. If a monitored interface fails or is disconnected from its network, the interface leaves the cluster and a link failover occurs. The link failover causes the cluster to reroute the traffic being processed by that interface to the same interface of another cluster unit that still has a connection to the network. This other cluster unit becomes the new primary unit. Port monitoring (also called interface monitoring) is disabled by default. Leave port monitoring disabled until the cluster is operating and then only enable port monitoring for connected interfaces. You can monitor up to 16 interfaces. This limit only applies to FortiGate units with more than 16 physical interfaces.
Heartbeat Interface: Select to enable or disable HA heartbeat communication for each interface in the cluster and set the heartbeat interface priority. The heartbeat interface priority range is 0 to 512. The default priority when you select a new heartbeat interface is 0. You must select at least one heartbeat interface. If heartbeat communication is interrupted, the cluster stops processing traffic. You can select up to 8 heartbeat interfaces. This limit only applies to FortiGate units with more than 8 physical interfaces. You can accept the default heartbeat interface configuration if you connect one or both of the default heartbeat interfaces together. The default heartbeat interface configuration is different for each FortiGate unit. This default configuration usually sets the priority of two heartbeat interfaces to 50. The heartbeat interface with the highest priority processes all heartbeat traffic. If two or more heartbeat interfaces have the same priority, the heartbeat interface with the lowest hash map order value processes all heartbeat traffic.
The web-based manager lists interfaces in alphanumeric order:
• port1
• port2 through port9
• port10
Hash map order sorts interfaces in the following order:
• port1
• port10
• port2 through port9
For more information about configuring heartbeat interfaces, see the FortiGate HA Overview.
VDOM partitioning: If you are configuring virtual clustering, you can set the virtual domains to be in virtual cluster 1 and the virtual domains to be in virtual cluster 2. The root virtual domain must always be in virtual cluster 1. For more information about configuring VDOM partitioning, see the FortiGate HA Overview.

Cluster members list

You can display the cluster members list to view the status of an operating cluster and the status of the FortiGate units in the cluster. The cluster members list shows the FortiGate units in the cluster and for each FortiGate unit shows interface connections, status, the cluster unit and the device priority of the cluster unit. From the cluster members list you can disconnect a unit from the cluster, change the device priority and host name of subordinate units, edit the HA configuration of the primary unit, and download a debug log for any cluster unit. You can also view HA statistics for the cluster.
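Added example, not Fortinet code: a small Python model of the two selection rules the Heartbeat Interface and Device Priority options describe, the heartbeat interface that carries all heartbeat traffic (highest priority, ties to the lowest hash map order) and primary unit election by device priority. Hash map order is modelled as plain string sorting, which reproduces the port1, port10, port2 order shown above; that choice, the interface selections and the unit names are assumptions constructed for the example.

```python
from typing import Dict, List

# Ranges and limits stated for the HA options above.
HEARTBEAT_PRIORITY_MAX = 512       # heartbeat interface priority is 0 to 512
MAX_HEARTBEAT_INTERFACES = 8
DEVICE_PRIORITY_MAX = 255          # device priority is 0 to 255


def web_manager_order(names: List[str]) -> List[str]:
    """Alphanumeric order as the web-based manager lists interfaces: port1, port2 ... port9, port10."""
    def key(name: str):
        stem = name.rstrip("0123456789")
        digits = name[len(stem):]
        return (stem, int(digits) if digits else -1)
    return sorted(names, key=key)


def hash_map_order(names: List[str]) -> List[str]:
    """Hash map order, modelled as plain string order (an assumption): port1, port10, port2 ... port9."""
    return sorted(names)


def check_heartbeat_config(heartbeat: Dict[str, int]) -> List[str]:
    """Problems with a heartbeat interface selection per the limits above; [] if it is acceptable."""
    problems = []
    if not heartbeat:
        problems.append("at least one heartbeat interface must be selected")
    if len(heartbeat) > MAX_HEARTBEAT_INTERFACES:
        problems.append(f"more than {MAX_HEARTBEAT_INTERFACES} heartbeat interfaces selected")
    for name, prio in heartbeat.items():
        if not 0 <= prio <= HEARTBEAT_PRIORITY_MAX:
            problems.append(f"{name}: heartbeat priority {prio} is outside 0 to {HEARTBEAT_PRIORITY_MAX}")
    return problems


def active_heartbeat_interface(heartbeat: Dict[str, int]) -> str:
    """Interface that processes all heartbeat traffic: highest priority, ties to the lowest hash map order."""
    problems = check_heartbeat_config(heartbeat)
    if problems:
        raise ValueError("; ".join(problems))
    top = max(heartbeat.values())
    tied = [name for name, prio in heartbeat.items() if prio == top]
    return hash_map_order(tied)[0]


def elect_primary(device_priority: Dict[str, int]) -> str:
    """Unit that wins HA negotiation on device priority alone (highest wins, range 0 to 255).

    The guide says the highest device priority "usually" wins; the other factors behind
    that qualification are outside this section, so an outright tie raises here instead
    of guessing a winner.
    """
    for unit, prio in device_priority.items():
        if not 0 <= prio <= DEVICE_PRIORITY_MAX:
            raise ValueError(f"{unit}: device priority {prio} is outside 0 to {DEVICE_PRIORITY_MAX}")
    top = max(device_priority.values())
    winners = [unit for unit, prio in device_priority.items() if prio == top]
    if len(winners) > 1:
        raise ValueError(f"device priority tie between {winners}; other negotiation factors decide")
    return winners[0]


# Constructed examples. Two default heartbeat interfaces at priority 50, as the guide
# says is usual: port10 wins the tie over port2 because "port10" sorts before "port2"
# in hash map order, even though the web-based manager lists port2 first.
DEFAULT_HEARTBEAT = {"port2": 50, "port10": 50}
# Raising one interface's priority makes the ordering irrelevant.
TUNED_HEARTBEAT = {"port2": 50, "port10": 50, "port1": 100}
# Constructed unit names (not serial numbers): one at the default 128, one raised.
CLUSTER_PRIORITIES = {"unit-a": 128, "unit-b": 200}
```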

To display the cluster members list, log into an operating cluster and go to System > Config > HA.

Figure 95: Example FortiGate-5001SX cluster members list (callouts: Download Debug Log, Edit, Disconnect from Cluster, Up and Down Arrows)

If virtual domains are enabled, you can display the cluster members list to view the status of the operating virtual clusters. The virtual cluster members list shows the status of both virtual clusters including the virtual domains added to each virtual cluster. To display the virtual cluster members list for an operating cluster, log in as the global admin administrator and go to System > Config > HA.

Figure 96: Example FortiGate-5001SX virtual cluster members list (callouts: Download Debug Log, Edit, Disconnect from Cluster, Up and Down Arrows, View HA Statistics)

Up and down arrows: Changes the order of cluster members in the list. The operation of the cluster or of the units in the cluster is not affected. All that changes is the order of the units on the cluster members list.
View HA Statistics: Displays the serial number, status, and monitor information for each cluster unit. See “Viewing HA statistics” on page 182.

Cluster member: Illustrations of the front panels of the cluster units. If the network jack for an interface is shaded green, the interface is connected. Pause the mouse pointer over each illustration to view the cluster unit host name, serial number, and the interfaces that are configured for port monitoring.
Hostname: The host name of the FortiGate unit. The default host name of the FortiGate unit is the FortiGate unit serial number.
• To change a subordinate unit host name, from the cluster members list select the Edit icon for a subordinate unit. See “Changing subordinate unit host name and device priority” on page 183.
• To change the primary unit host name, go to System > Status and select Change beside the current host name.
Role: The status or role of the cluster unit in the cluster.
• Role is MASTER for the primary (or master) unit
• Role is SLAVE for all subordinate (or backup) cluster units
Priority: The device priority of the cluster unit. Each cluster unit can have a different device priority. During HA negotiation, the unit with the highest device priority becomes the primary unit. The device priority range is 0 to 255.
Disconnect from cluster: Select to disconnect a selected cluster unit from the cluster. See “Disconnecting a cluster unit from a cluster” on page 184.
Edit: Select to change a cluster unit HA configuration.
• For a primary unit, select Edit to change the cluster HA configuration (including the device priority) of the primary unit.
• For a subordinate unit, select Edit to change the subordinate unit host name and device priority. See “Changing subordinate unit host name and device priority” on page 183.
• For a primary unit in a virtual cluster, select Edit to change the virtual cluster HA configuration, including the virtual cluster 1 and virtual cluster 2 device priority of this cluster unit.
• For a subordinate unit in a virtual cluster, select Edit to change the subordinate unit host name and the device priority of the subordinate unit for the selected virtual cluster.
Download debug log: Select to download an encrypted debug log to a file. You can send this debug log file to Fortinet Technical Support (http://support.fortinet.com) to help diagnose problems with the cluster or with individual cluster units.

Viewing HA statistics

From the cluster members list, you can select View HA Statistics to display the serial number, status, how long the unit has been operating (up time), and monitor information for each cluster unit. To view HA statistics, go to System > Config > HA and select View HA Statistics.

Figure 97: Example HA statistics (active-passive cluster)

Refresh every: Select to control how often the web-based manager updates the HA statistics display.
Back to HA monitor: Select to close the HA statistics list and return to the cluster members list.
Unit: The host name and serial number of the cluster unit.
Status: Indicates the status of each cluster unit. A green check mark indicates that the cluster unit is operating normally. A red X indicates that the cluster unit cannot communicate with the primary unit.
Up Time: The time in days, hours, minutes, and seconds since the cluster unit was last started.
Monitor: Displays system status information for each cluster unit.
CPU Usage: The current CPU status of each cluster unit. The web-based manager displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Memory Usage: The current memory status of each cluster unit. The web-based manager displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Active Sessions: The number of communications sessions being processed by the cluster unit.
Total Packets: The number of packets that have been processed by the cluster unit since it last started up.
Virus Detected: The number of viruses detected by the cluster unit.
Network Utilization: The total network bandwidth being used by all of the cluster unit interfaces.
Total Bytes: The number of bytes that have been processed by the cluster unit since it last started up.
Intrusion Detected: The number of intrusions or attacks detected by Intrusion Protection running on the cluster unit.

Changing subordinate unit host name and device priority

To change the host name and device priority of a subordinate unit in an operating cluster, go to System > Config > HA to display the cluster members list. Select Edit for any slave (subordinate) unit in the cluster members list.

To change the host name and device priority of a subordinate unit in an operating cluster with virtual domains enabled, log in as the global admin administrator and go to System > Config > HA to display the cluster members list. Select Edit for any slave (subordinate) unit in the cluster members list.

You can change the host name (Peer) and device priority (Priority) of this subordinate unit. These changes only affect the configuration of the subordinate unit. The device priority is not synchronized among cluster members. In a functioning cluster you can change device priority to change the priority of any unit in the cluster. The next time the cluster negotiates, the cluster unit with the highest device priority becomes the primary unit. The device priority range is 0 to 255. The default device priority is 128.

Figure 98: Changing the subordinate unit host name and device priority

Peer: View and optionally change the subordinate unit host name.
Priority: View and optionally change the subordinate unit device priority.

Disconnecting a cluster unit from a cluster

You can disconnect a cluster unit if you need to use the disconnected FortiGate unit for another purpose, such as to act as a standalone firewall. You can go to System > Config > HA and select a Disconnect from cluster icon to disconnect a cluster unit from a functioning cluster without disrupting the operation of the cluster.

Figure 99: Disconnect a cluster member

Serial Number: Displays the serial number of the cluster unit to be disconnected from the cluster.
Interface: Select the interface that you want to configure. You also specify the IP address and netmask for this interface. When the FortiGate unit is disconnected, all management access options are enabled for this interface.
IP/Netmask: Specify an IP address and netmask for the interface. You can use this IP address to connect to this interface to configure the disconnected FortiGate unit.

SNMP

Simple Network Management Protocol (SNMP) allows you to monitor hardware on your network. You can configure the hardware, such as the FortiGate SNMP agent, to report system information and send traps (alarms or event messages) to SNMP managers. An SNMP manager is typically a computer running an application that can read the incoming trap and event messages from the agent and send out SNMP queries to the SNMP agents. A FortiManager unit can act as an SNMP manager. Another name for an SNMP manager is a host.

Using an SNMP manager, you can access SNMP traps and data from any FortiGate interface or VLAN subinterface configured for SNMP management access.

SNMP v1, v2c, and v3 compliant SNMP managers have read-only access to FortiGate system information through queries and can receive trap messages from the FortiGate unit. The FortiGate SNMP implementation is read-only.

To monitor FortiGate system information and receive FortiGate traps, you must first compile the proprietary Fortinet and FortiGate Management Information Base (MIB) files. A MIB is a text file that describes a list of SNMP data objects that are used by the SNMP manager. These MIBs provide the information the SNMP manager needs to interpret the SNMP trap, event, and query messages of the FortiGate unit SNMP agent. For more information, see “Fortinet MIBs” on page 188.

The Fortinet implementation of SNMP includes support for most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II). RFC support for SNMP v3 includes Architecture for SNMP Frameworks (RFC 3411), and partial support of User-based Security Model (RFC 3414).

SNMP traps alert you to events that happen, such as a log disk being full or a virus being detected. For more information about SNMP traps, see “Fortinet and FortiGate traps” on page 189. SNMP fields contain information about your FortiGate unit. This information is useful to monitor the condition of the unit, both on an ongoing basis and to provide more information when a trap occurs. For more information about SNMP fields, see “Fortinet and FortiGate MIB fields” on page 192.

Note: Part of configuring an SNMP manager is to list it as a host in a community on the FortiGate unit it will be monitoring. Otherwise the SNMP monitor will not receive any traps from that FortiGate unit, or be able to query it.

Configuring SNMP

Go to System > Config > SNMP v1/v2c to configure the SNMP agent.

Figure 100: Configuring SNMP

SNMP Agent: Enable the FortiGate SNMP agent.
Description: Enter descriptive information about the FortiGate unit. The description can be up to 35 characters long.
Location: Enter the physical location of the FortiGate unit. The system location description can be up to 35 characters long.
Contact: Enter the contact information for the person responsible for this FortiGate unit. The contact information can be up to 35 characters.
Apply: Save changes made to the description, location, and contact information.
Create New: Select Create New to add a new SNMP community.
Communities: The list of SNMP communities added to the FortiGate configuration. You can add up to three SNMP communities. See “Configuring an SNMP community” on page 186.
Name: The name of the SNMP community.
Queries: The status of SNMP queries for each SNMP community. The query status can be enabled or disabled.
Traps: The status of SNMP traps for each SNMP community. The trap status can be enabled or disabled.
Enable: Select Enable to activate an SNMP community.
Delete icon: Select Delete to remove an SNMP community.
Edit/View icon: Select to view or modify an SNMP community.

Configuring an SNMP community

An SNMP community is a grouping of devices for network administration purposes. Within that SNMP community, devices can communicate by sending and receiving traps and other information. One device can belong to multiple communities, such as one administrator terminal monitoring both a firewall SNMP community and a printer SNMP community.

Add SNMP communities to your FortiGate unit so that SNMP managers can connect to view system information and receive SNMP traps. You can add up to 3 communities. Each community can have a different configuration for SNMP queries and traps. Each community can be configured to monitor the FortiGate unit for a different set of events. You can also add the IP addresses of up to 8 SNMP managers to each community.

Note: When the FortiGate unit is in virtual domain mode, SNMP traps can only be sent on interfaces in the management virtual domain. Traps cannot be sent over other interfaces.

Figure 101: SNMP community options (part 1)

Figure 102: SNMP community options (part 2)

Community Name: Enter a name to identify the SNMP community.
Hosts: Identify the SNMP managers that can use the settings in this SNMP community to monitor the FortiGate unit. You can add up to 8 SNMP managers to a single community.
IP Address: The IP address of an SNMP manager that can use the settings in this SNMP community to monitor the FortiGate unit. You can also set the IP address to 0.0.0.0 so that any SNMP manager can use this SNMP community.
Interface: Optionally select the name of the interface that this SNMP manager uses to connect to the FortiGate unit. You only have to select the interface if the SNMP manager is not on the same subnet as the FortiGate unit. This can occur if the SNMP manager is on the Internet or behind a router. In virtual domain mode, the interface must belong to the management VDOM to be able to pass SNMP traps.
Delete: Select a Delete icon to remove an SNMP manager.
Add: Add a blank line to the Hosts list.
Queries: Enter the Port number (161 by default) that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the FortiGate unit. Select the Enable check box to activate queries for each SNMP version.
Traps: Enter the Local and Remote port numbers (port 162 for each by default) that the FortiGate unit uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in this community. Select the Enable check box to activate traps for each SNMP version.
SNMP Event: Enable each SNMP event for which the FortiGate unit should send traps to the SNMP managers in this community. “CPU overusage” trap sensitivity is slightly reduced by spreading values out over 8 polling cycles. This prevents sharp spikes due to CPU intensive short-term events such as changing a policy. The “Power Supply Failure” event trap is available only on FortiGate-3810A and FortiGate-3016B units. The “AMC interfaces enter bypass mode” event trap is available only on FortiGate models that support AMC modules.

To configure SNMP access (NAT/Route mode)
Before a remote SNMP manager can connect to the FortiGate agent, you must configure one or more FortiGate interfaces to accept SNMP connections.
1 Go to System > Network > Interface.
2 Choose an interface that an SNMP manager connects to and select Edit.
3 In Administrative Access, select SNMP.
4 Select OK.

To configure SNMP access (Transparent mode)
1 Go to System > Config > Operation Mode.
2 Enter the IP address that you want to use for management access and the netmask in the Management IP/Netmask field.
3 Select Apply.

Fortinet MIBs

The FortiGate SNMP agent supports Fortinet proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs. RFC support includes support for the parts of RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to FortiGate unit configuration.

There are two MIB files for FortiGate units: the Fortinet MIB and the FortiGate MIB. You need to obtain and compile the two MIBs for this release. Your SNMP manager requires this information to monitor FortiGate configuration settings and receive traps from the FortiGate SNMP agent. The Fortinet MIB contains traps, fields and information that is common to all Fortinet products. The FortiGate MIB contains traps, fields and information that is specific to FortiGate units. You can obtain these MIB files from Fortinet technical support. To be able to communicate with the FortiGate SNMP agent, you must compile all of these MIBs into your SNMP manager.

Your SNMP manager may already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIB to this database. The Fortinet MIB and FortiGate MIB along with the two RFC MIBs are listed in tables in this section.

Table 13: Fortinet MIBs
FORTINET-CORE-MIB.mib: The proprietary Fortinet MIB includes all system configuration information and trap information that is common to all Fortinet products. Your SNMP manager requires this information to monitor FortiGate unit configuration settings and receive traps from the FortiGate SNMP agent. For more information, see “Fortinet and FortiGate traps” on page 189 and “Fortinet and FortiGate MIB fields” on page 192.
FORTINET-FORTIGATE-MIB.mib: The proprietary FortiGate MIB includes all system configuration information and trap information that is specific to FortiGate units. FortiManager systems require this MIB to monitor FortiGate units. Your SNMP manager requires this information to monitor FortiGate configuration settings and receive traps from the FortiGate SNMP agent. For more information, see “Fortinet and FortiGate traps” on page 189 and “Fortinet and FortiGate MIB fields” on page 192.
RFC-1213 (MIB II): The FortiGate SNMP agent supports MIB II groups with the following exceptions.
• No support for the EGP group from MIB II (RFC 1213, section 3.11 and 6.10).
• Protocol statistics returned for MIB II groups (IP/ICMP/TCP/UDP/etc.) do not accurately capture all FortiGate traffic activity. More accurate information can be obtained from the information reported by the Fortinet MIB.
RFC-2665 (Ethernet-like MIB): The FortiGate SNMP agent supports Ethernet-like MIB information with the following exception. No support for the dot3Tests and dot3Errors groups.

Fortinet and FortiGate traps
An SNMP manager can request information from the Fortinet device’s SNMP agent, or that agent can send traps when an event occurs. Traps are a method used to inform the SNMP manager that something has happened or changed on the Fortinet device. To receive Fortinet device SNMP traps, you must load and compile the FORTINET-CORE-MIB into your SNMP manager. FortiManager related traps are only sent if a FortiManager unit is configured to manage this FortiGate unit.

The name of each trap table indicates if the trap is found in the Fortinet MIB or the FortiGate MIB. The Trap Message column includes the message included with the trap as well as the SNMP MIB field name to help locate the information about the trap. Traps sent include the trap message as well as the FortiGate unit serial number (fnSysSerial) and hostname (sysName).

Table 14: Generic FortiGate traps (OID 1.3.6.1.4.1.12356.1.3.0)
ColdStart, WarmStart, LinkUp, LinkDown: Standard traps as described in RFC 1215.

Table 15: FortiGate system traps (OID 1.3.6.1.4.1.12356.1.3.0)
CPU usage high (fnTrapCpuThreshold): CPU usage exceeds 80%. This threshold can be set in the CLI using config system global.
Memory low (fnTrapMemThreshold): Memory usage exceeds 90%. This threshold can be set in the CLI using config system global.
Log disk too full (fnTrapLogDiskThreshold): Log disk usage has exceeded the configured threshold. Only available on devices with log disks.
Temperature too high (fnTrapTempHigh): A temperature sensor on the device has exceeded its threshold. Not all devices have thermal sensors. See manual for specifications.
Voltage outside acceptable range (fnTrapVoltageOutOfRange): Power levels have fluctuated outside of normal levels. Not all devices have voltage monitoring instrumentation.
Power supply failure (fnTrapPowerSupplyFailure): Power supply failure detected. Available on some devices which support redundant power supplies. Not available on all models.
Interface IP change (fnTrapIpChange): The IP address for an interface has changed. The trap message includes the name of the interface, the new IP address and the serial number of the Fortinet unit. You can use this trap to track interface IP address changes for interfaces with dynamic IP addresses set using DHCP or PPPoE.
Diagnostic trap (fnTrapTest): This trap is sent for diagnostic purposes. It has an OID index of 999.

Table 16: FortiGate VPN traps
VPN tunnel is up (fgTrapVpnTunUp): An IPSec VPN tunnel has started.
VPN tunnel down (fgTrapVpnTunDown): An IPSec VPN tunnel has shut down.
Local gateway address (fnVpnTrapLocalGateway): Address of the local side of the VPN tunnel. This information is associated with both of the VPN tunnel traps.
Remote gateway address (fnVpnTrapRemoteGateway): Address of the remote side of the VPN tunnel. This information is associated with both of the VPN tunnel traps.

Table 17: FortiGate IPS traps
IPS Signature (fgTrapIpsSignature): IPS signature detected.
IPS Anomaly (fgTrapIpsAnomaly): IPS anomaly detected.
IPS Package Update (fgTrapIpsPkgUpdate): The IPS signature database has been updated.
(fgIpsTrapSigId): ID of IPS signature identified in trap.

Table 17: FortiGate IPS traps (continued)
(fgIpsTrapSrcIp): IP Address of the IPS signature trigger.
(fgIpsTrapSigMsg): Message associated with IPS event.

Table 18: FortiGate antivirus traps
Virus detected (fgTrapAvVirus): The antivirus engine detected a virus in an infected file from an HTTP or FTP download or from an email message.
Oversize file/email detected (fgTrapAvOversize): The FortiGate unit antivirus scanner detected an oversized file.
Filename block detected (fgTrapAvPattern): The FortiGate unit antivirus scanner blocked a file that matched a known virus pattern.
Fragmented file detected (fgTrapAvFragmented): The FortiGate unit antivirus scanner detected a fragmented file or attachment.
(fgTrapAvEnterConserve): The AV engine entered conservation mode due to low memory conditions.
(fgTrapAvBypass): The AV scanner has been bypassed due to conservation mode.
(fgTrapAvOversizePass): An oversized file has been detected, but has been passed due to configuration.
(fgTrapAvOversizeBlock): An oversized file has been detected, and has been blocked.
(fgAvTrapVirName): The virus name that triggered the event.

Table 19: FortiGate HA traps
HA switch (fgTrapHaSwitch): The specified cluster member has transitioned from a slave role to a master role.
HA Heartbeat Failure (fgTrapHaHBFail): The heartbeat failure count has exceeded the configured threshold.
(fgTrapHaMemberDown): An HA member becomes unavailable to the cluster.
(fgTrapHaMemberUp): An HA member becomes available to the cluster.
(fgTrapHaStateChange): The trap sent when the HA cluster member changes its state.
(fgHaTrapMemberSerial): Serial number of an HA cluster member. Used to identify the origin of a trap when a cluster is configured.

Table 20: FortiGate MIB FortiManager related traps
(fgFmTrapDeployComplete): Indicates when deployment of a new configuration has been completed. Used for verification by FortiManager.
(fgFmTrapDeployInProgress): Indicates that a configuration change was not immediate and that the change is currently in progress. Used for verification by FortiManager.
(fgFmTrapConfChange): The FortiGate unit configuration has been changed by something other than the managing FortiManager device.
(fgFmTrapIfChange): Sent to monitoring FortiManager when an interface changes IP address. No message.
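How a trap receiver can put the tables above to use: an added example, not code from the guide or from Fortinet. It assumes the receiver has already resolved each trap's varbinds against the compiled FORTINET-CORE-MIB and FORTINET-FORTIGATE-MIB; the severity map is an assumption made here and the sample traps are constructed.

```python
"""Normalize decoded FortiGate SNMP traps into alert records.

Added example, not code from the FortiGate guide or from Fortinet. It
assumes the trap receiver has already decoded each trap PDU into a list
of (object, value) pairs using the compiled FORTINET-CORE-MIB and
FORTINET-FORTIGATE-MIB, so objects carry the names used in the trap
tables above. The severity map is an assumption made here, and the
sample traps at the bottom are constructed input.
"""
from dataclasses import dataclass, field

# Severity assigned here for each trap in Tables 14 to 20 (assumption).
TRAP_SEVERITY = {
    # Table 14: generic traps (RFC 1215 names as the SNMPv2-MIB spells them)
    "coldStart": "info", "warmStart": "info", "linkUp": "info", "linkDown": "warning",
    # Table 15: system traps
    "fnTrapCpuThreshold": "warning", "fnTrapMemThreshold": "warning",
    "fnTrapLogDiskThreshold": "warning", "fnTrapTempHigh": "critical",
    "fnTrapVoltageOutOfRange": "critical", "fnTrapPowerSupplyFailure": "critical",
    "fnTrapIpChange": "info", "fnTrapTest": "info",
    # Table 16: VPN traps
    "fgTrapVpnTunUp": "info", "fgTrapVpnTunDown": "warning",
    # Table 17: IPS traps
    "fgTrapIpsSignature": "high", "fgTrapIpsAnomaly": "high", "fgTrapIpsPkgUpdate": "info",
    # Table 18: antivirus traps (conservation mode means scanning is degraded)
    "fgTrapAvVirus": "high", "fgTrapAvOversize": "warning", "fgTrapAvPattern": "warning",
    "fgTrapAvFragmented": "warning", "fgTrapAvEnterConserve": "critical",
    "fgTrapAvBypass": "critical", "fgTrapAvOversizePass": "warning",
    "fgTrapAvOversizeBlock": "warning",
    # Table 19: HA traps
    "fgTrapHaSwitch": "warning", "fgTrapHaHBFail": "critical",
    "fgTrapHaMemberDown": "critical", "fgTrapHaMemberUp": "info",
    "fgTrapHaStateChange": "warning",
    # Table 20: FortiManager related traps (a change outside FortiManager is notable)
    "fgFmTrapDeployComplete": "info", "fgFmTrapDeployInProgress": "info",
    "fgFmTrapConfChange": "warning", "fgFmTrapIfChange": "info",
}

# Objects the guide lists as trap details (Tables 16 to 19).
DETAIL_FIELDS = frozenset([
    "fgIpsTrapSigId", "fgIpsTrapSrcIp", "fgIpsTrapSigMsg",
    "fnVpnTrapLocalGateway", "fnVpnTrapRemoteGateway",
    "fgAvTrapVirName", "fgHaTrapMemberSerial",
])
PAGE_ON = frozenset(["high", "critical"])


@dataclass
class Alert:
    trap: str
    severity: str
    origin_serial: str   # unit that raised the trap (HA member serial when present)
    hostname: str
    details: dict = field(default_factory=dict)

    @property
    def page(self):
        """True when the severity warrants paging someone."""
        return self.severity in PAGE_ON


def object_name(obj):
    """'FORTINET-CORE-MIB::fnSysSerial.0' -> 'fnSysSerial'."""
    return str(obj).rsplit("::", 1)[-1].split(".", 1)[0]


def normalize_trap(varbinds):
    """Build an Alert from (object, value) varbinds.

    snmpTrapOID.0 (the SNMPv2 notification varbind) names the trap; the
    guide says every trap also carries fnSysSerial and sysName.
    """
    vb = {object_name(k): v for k, v in varbinds}
    if "snmpTrapOID" not in vb:
        raise ValueError("trap PDU without snmpTrapOID.0 varbind")
    trap = object_name(vb["snmpTrapOID"])
    details = {k: v for k, v in vb.items() if k in DETAIL_FIELDS}
    # In a cluster, fgHaTrapMemberSerial identifies the member that raised
    # the trap (Table 19); otherwise fnSysSerial identifies the unit.
    origin = details.pop("fgHaTrapMemberSerial", None) or vb.get("fnSysSerial", "unknown")
    return Alert(trap, TRAP_SEVERITY.get(trap, "unknown"), origin,
                 vb.get("sysName", "unknown"), details)


# Constructed sample traps, written the way a MIB-aware receiver renders them.
SAMPLE_IPS_TRAP = [
    ("SNMPv2-MIB::sysUpTime.0", 123456),
    ("SNMPv2-MIB::snmpTrapOID.0", "FORTINET-FORTIGATE-MIB::fgTrapIpsSignature"),
    ("FORTINET-CORE-MIB::fnSysSerial.0", "FGT-SERIAL-PLACEHOLDER"),
    ("SNMPv2-MIB::sysName.0", "fw-edge-1"),
    ("FORTINET-FORTIGATE-MIB::fgIpsTrapSigId.0", 12345),
    ("FORTINET-FORTIGATE-MIB::fgIpsTrapSrcIp.0", "192.0.2.10"),
    ("FORTINET-FORTIGATE-MIB::fgIpsTrapSigMsg.0", "sample.signature"),
]
SAMPLE_HA_TRAP = [
    ("SNMPv2-MIB::sysUpTime.0", 98765),
    ("SNMPv2-MIB::snmpTrapOID.0", "FORTINET-FORTIGATE-MIB::fgTrapHaMemberDown"),
    ("FORTINET-CORE-MIB::fnSysSerial.0", "FGT-SERIAL-PLACEHOLDER-A"),
    ("SNMPv2-MIB::sysName.0", "fw-cluster"),
    ("FORTINET-FORTIGATE-MIB::fgHaTrapMemberSerial.0", "FGT-SERIAL-PLACEHOLDER-B"),
]

if __name__ == "__main__":
    for sample in (SAMPLE_IPS_TRAP, SAMPLE_HA_TRAP):
        alert = normalize_trap(sample)
        print(alert.trap, alert.severity, alert.origin_serial, "page" if alert.page else "log")
```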

Fortinet and FortiGate MIB fields
The FortiGate MIB contains fields reporting current FortiGate unit status information. The tables below list the names of the MIB fields and describe the status information available for each one. You can view more details about the information available from all Fortinet and FortiGate MIB fields by compiling the FORTINET-CORE-MIB.mib and FORTINET-FORTIGATE-MIB.mib files into your SNMP manager and browsing the MIB fields on your computer.

Table 21: FortiGate HA MIB fields
fgHaGroupId: HA cluster group ID.
fgHaPriority: HA clustering priority (default 127).
fgHaOverride: Status of a master override flag.
fgHaAutoSync: Status of an automatic configuration synchronization.
fgHaSchedule: Load balancing schedule for cluster in Active-Active mode.
fgHaGroupName: HA cluster group name.
fgHaTrapMemberSerial: Serial number of an HA cluster member.
fgHaStatsTable: Statistics for the individual FortiGate unit in the HA cluster.
fgHaStatsIndex: The index number of the unit in the cluster.
fgHaStatsSerial: The FortiGate unit serial number.
fgHaStatsCpuUsage: The current FortiGate unit CPU usage (%).
fgHaStatsMemUsage: The current unit memory usage (%).
fgHaStatsNetUsage: The current unit network utilization (Kbps).
fgHaStatsSesCount: The number of active sessions.
fgHaStatsPktCount: The number of packets processed.
fgHaStatsByteCount: The number of bytes processed by the FortiGate unit.
fgHaStatsIdsCount: The number of attacks that the IPS detected in the last 20 hours.
fgHaStatsAvCount: The number of viruses that the antivirus system detected in the last 20 hours.
fgHaStatsHostname: Hostname of the HA cluster unit.

Table 22: FortiGate Administrator accounts
fgAdminIdleTimeout: Idle period after which an administrator is automatically logged out of the system.
fgAdminLcdProtection: Status of the LCD protection, either enabled or disabled.
fgAdminVdom: The virtual domain the administrator belongs to.
fgAdminTable: Table of administrators on this FortiGate unit.

Table 23: FortiGate Virtual domains
fgVdInfo: FortiGate unit Virtual Domain related information.
fgVdNumber: The number of virtual domains configured on this FortiGate unit.
fgVdMaxVdoms: The maximum number of virtual domains allowed on the FortiGate unit as allowed by hardware or licensing.
fgVdEnabled: Whether virtual domains are enabled on this FortiGate unit.
fgVdTable, fgVdEntry: Table of information about each virtual domain; each virtual domain has an fgVdEntry.
fgVdEntIndex: Internal virtual domain index used to uniquely identify entries in this table. This index is also used by other tables referencing a virtual domain.
fgVdEntName: The name of the virtual domain.
fgVdEntOpMode: Operation mode of this virtual domain, either NAT or Transparent.

Table 24: FortiGate Active IP sessions table
fgIpSessIndex: The index number of the IP session within the table.
fgIpSessProto: The IP protocol the session is using (IP, TCP, UDP, etc.).
fgIpSessFromAddr: The source IPv4 address of the active IP session.
fgIpSessFromPort: The source port of the active IP session (UDP and TCP only).
fgIpSessToAddr: The destination IPv4 address of the active IP session.
fgIpSessToPort: The destination port of the active IP session (UDP and TCP only).
fgIpSessExp: The number of seconds remaining until the session expires (if idle).
fgIpSessVdom: Virtual domain the session is part of. This is the same index used by fgVdTable.
fgIpSessStatsTable: IP Session statistics table for the virtual domain. Each entry has the following fields.
fgIpSessNumber: Total sessions on this virtual domain.

Table 25: FortiGate Firewall policy statistics table
fgFwPolicyStatsVdomIndex: Index that identifies the virtual domain. Corresponds to the index in fgVdTable.
fgFwPolicyID: Firewall policy ID. Policy IDs are only unique within a virtual domain. Only enabled policies are available for querying.
fgFwPolicyPktCount: Number of packets matched to policy (passed or blocked, depending on policy action). Count is from the time the policy became active.
fgFwPolicyByteCount: Number of bytes matched to policy (passed or blocked, depending on policy action). Count is from the time the policy became active.

Table 26: FortiGate Dialup VPNs
fgVpnDialupIndex: An index value that uniquely identifies a VPN dial-up peer in the table.
fgVpnDialupGateway: The remote gateway IP address on the tunnel.

Table 26: FortiGate Dialup VPNs (continued)
fgVpnDialupLifetime: VPN tunnel lifetime in seconds.
fgVpnDialupTimeout: Time remaining until the next key exchange (seconds) for this tunnel.
fgVpnDialupSrcBegin: Remote subnet address of the tunnel.
fgVpnDialupSrcEnd: Remote subnet mask of the tunnel.
fgVpnDialupDstAddr: Local subnet address of the tunnel.
fgVpnDialupVdom: Virtual domain the tunnel belongs to. This index corresponds to the index used in fgVdTable.

Table 27: VPN Tunnel table
fgVpnTunEntIndex: An index value that uniquely identifies a VPN tunnel within the VPN tunnel table.
fgVpnTunEntPhase1Name: The descriptive name of the Phase1 configuration for the tunnel.
fgVpnTunEntPhase2Name: The descriptive name of the Phase2 configuration for the tunnel.
fgVpnTunEntRemGwyIp: The IP of the remote gateway used by the tunnel.
fgVpnTunEntRemGwyPort: The port of the remote gateway used by the tunnel, if it is UDP.
fgVpnTunEntLocGwyIp: The IP of the local gateway used by the tunnel.
fgVpnTunEntLocGwyPort: The port of the local gateway used by the tunnel, if it is UDP.
fgVpnTunEntSelectorSrcBeginIp: Beginning of the address range of the source selector.
fgVpnTunEntSelectorSrcEndIp: Ending of the address range of the source selector.
fgVpnTunEntSelectorSrcPort: Source selector port.
fgVpnTunEntSelectorDstBeginIp: Beginning of the address range of the destination selector.
fgVpnTunEntSelectorDstEndIp: Ending of the address range of the destination selector.
fgVpnTunEntSelectorDstPort: Destination selector port.
fgVpnTunEntSelectorProto: Protocol number for the selector.
fgVpnTunEntLifeSecs: Lifetime of the tunnel in seconds, if time based lifetime is used.
fgVpnTunEntLifeBytes: Lifetime of the tunnel in bytes, if byte transfer based lifetime is used.
fgVpnTunEntTimeout: Timeout of the tunnel in seconds.
fgVpnTunEntInOctets: Number of bytes received on the tunnel.
fgVpnTunEntOutOctets: Number of bytes sent out on the tunnel.
fgVpnTunEntStatus: Current status of the tunnel, either up or down.
fgVpnTunEntVdom: The virtual domain this tunnel is part of. This index corresponds to the index in fgVdTable.

Replacement messages
Go to System > Config > Replacement Messages to change replacement messages and customize alert email and information that the FortiGate unit adds to content streams such as email messages, web pages, and FTP sessions.

The FortiGate unit adds replacement messages to a variety of content streams. For example, if a virus is found in an email message, the file is removed from the email and replaced with a replacement message. The same applies to pages blocked by web filtering and email blocked by spam filtering.

Note: Disclaimer replacement messages provided by Fortinet are examples only.

Note: FortiOS uses HTTP to send the Authentication Disclaimer page for the user to accept before the firewall policy is in effect. Therefore, the user must initiate HTTP traffic first in order to trigger the Authentication Disclaimer page. Once the Disclaimer is accepted, the user can send whatever traffic is allowed by the firewall policy.

Replacement messages list
To view the replacement messages list, go to System > Config > Replacement Messages. You use the replacement messages list to view and customize replacement messages to your requirements. The list organizes replacement messages into a number of types (for example, Mail, HTTP, and so on). Each category contains several replacement messages that are used by different FortiGate features. Use the expand arrow beside each type to display the replacement messages for that category. Select the Edit icon beside each replacement message to customize that message for your requirements. The replacement messages are described below.

Figure 103: Replacement messages list
Name: The replacement message category. Select the expand arrow to expand or collapse the category.
Description: A description of the replacement message.
Edit or view icon: Select to change or view a replacement message.

Changing replacement messages
To change a replacement message, go to System > Config > Replacement Messages. Use the expand arrows to view the replacement message that you want to change.

Figure 104: Sample HTTP virus replacement message

Replacement messages can be text or HTML messages. You can add HTML code to HTML messages. You can include replacement message tags in text and HTML messages. There is a limit of 8192 characters for each replacement message. Different replacement messages have different sets of fields and options. The following fields and options are available when editing a replacement message.

Message Setup: The name of the replacement message.
Allowed Formats: The type of content that can be included in the replacement message. Allowed formats can be Text or HTML. Allowed Formats shows you which format to use in the replacement message. You should not use HTML code in Text messages.
Size: The number of characters allowed in the replacement message. Usually the size is 8192 characters.
Message Text: The editable text of the replacement message. The message text can include text, HTML codes (if HTML is the allowed format) and replacement message tags. You can change the content of the replacement message by editing the text and HTML codes and by working with replacement message tags. For descriptions of the replacement message tags, see Table 38 on page 205.

You can customize the following categories of replacement messages:
• Mail replacement messages
• HTTP replacement messages
• FTP replacement messages
• NNTP replacement messages
• Alert Mail replacement messages
• Spam replacement messages
• Administration replacement message
• Authentication replacement messages
• FortiGuard Web Filtering replacement messages
• IM and P2P replacement messages
• Endpoint control replacement message

• NAC quarantine replacement messages
• SSL VPN replacement message

Mail replacement messages
The FortiGate unit sends the mail replacement messages listed in Table 28 to email clients and servers using IMAP, POP3, or SMTP when an event occurs such as antivirus blocking a file attached to an email that contains a virus. If the FortiGate unit supports SSL content scanning and inspection these replacement messages can also be added to IMAPS, POP3S, and SMTPS email messages. Email replacement messages are text messages.

Table 28: Mail replacement messages
Virus message: Antivirus Virus Scan enabled for an email protocol in a protection profile deletes an infected file from an email message and replaces the file with this message.
File block message: When the antivirus File Filter enabled for an email protocol in a protection profile deletes a file that matches an entry in the selected file filter list, the file is replaced with this message.
Oversized file message: When the antivirus Oversized File/Email is set to Block for an email protocol in a protection profile and removes an oversized file from an email message, the file is blocked and the email is replaced with this message.
Fragmented email message: In a protection profile, antivirus Pass Fragmented Emails is not enabled so a fragmented email is blocked. This message replaces the first fragment of the fragmented email.
Data leak prevention message: In a DLP sensor, a rule with action set to Block replaces a blocked email message with this message.
Subject of data leak prevention message: This message is added to the subject field of all email messages replaced by the DLP sensor Block, Ban, Ban Sender, Quarantine IP address, and Quarantine interface actions.
Banned by data leak prevention message: In a DLP sensor, a rule with action set to Ban replaces a blocked email message with this message. This message also replaces any additional email messages that the banned user sends until they are removed from the banned user list.
Sender banned by data leak prevention message: In a DLP sensor, a rule with action set to Ban Sender replaces a blocked email message with this message. This message also replaces any additional email messages that the banned user sends until the user is removed from the banned user list.
Virus message (splice mode): Splice mode is enabled and the antivirus system detects a virus in an SMTP email message. The FortiGate unit aborts the SMTP session and returns a 554 SMTP error message to the sender that includes this replacement message.
File block message (splice mode): Splice mode is enabled and the antivirus file filter deleted a file from an SMTP email message. The FortiGate unit aborts the SMTP session and returns a 554 SMTP error message to the sender that includes this replacement message.
Oversized file message (splice mode): Splice mode is enabled and antivirus Oversized File/Email is set to Block and the FortiGate unit blocks an oversize SMTP email message. The FortiGate unit aborts the SMTP session and returns a 554 SMTP error message to the sender that includes this replacement message.

HTTP replacement messages
The FortiGate unit sends the HTTP replacement messages listed in Table 29 to web browsers using the HTTP protocol when an event occurs such as antivirus blocking a file that contains a virus in an HTTP session. HTTP replacement messages are HTML pages.

If the FortiGate unit supports SSL content scanning and inspection and if Protocol Recognition > HTTPS Content Filtering Mode is set to Deep Scan in the protection profile, these replacement messages can also replace web pages downloaded using the HTTPS protocol.

Table 29: HTTP replacement messages
Virus message: Antivirus Virus Scan enabled for HTTP or HTTPS in a protection profile deletes an infected file being downloaded using an HTTP GET and replaces the file with this web page that is displayed by the client browser.
Infection cache message: Client comforting is enabled in a protection profile and the FortiGate unit blocks a URL added to the client comforting URL cache and replaces the blocked URL with this web page. For more information about the client comforting URL cache, see “HTTP and FTP client comforting” on page 410.
File block message: Antivirus File Filter enabled for HTTP or HTTPS in a protection profile blocks a file being downloaded using an HTTP GET that matches an entry in the selected file filter list and replaces it with this web page that is displayed by the client browser.
Oversized file message: Antivirus Oversized File/Email set to Block for HTTP or HTTPS in a protection profile blocks an oversized file being downloaded using an HTTP GET and replaces the file with this web page that is displayed by the client browser.
Data leak prevention message: In a DLP sensor, a rule with action set to Block replaces a blocked web page or file with this web page.
Banned by data leak prevention message: In a DLP sensor, a rule with action set to Ban replaces a blocked web page or file with this web page. This web page also replaces any additional web pages or files that the banned user attempts to access until the user is removed from the banned user list.
Banned word message: Web content blocking enabled in a protection profile blocks a web page being downloaded with an HTTP GET that contains content that matches an entry in the selected Web Content Block list. The blocked page is replaced with this web page.
URL block message: Web URL filtering enabled in a protection profile blocks a web page with a URL that matches an entry in the selected URL Filter list. The blocked page is replaced with this web page.
Client block: Antivirus File Filter enabled for HTTP or HTTPS in a protection profile blocks a file being uploaded by an HTTP POST that matches an entry in the selected file filter list and replaces it with this web page that is displayed by the client browser.
Client anti-virus: Antivirus Virus Scan enabled for HTTP or HTTPS in a protection profile deletes an infected file being uploaded using an HTTP PUT and replaces the file with this web page that is displayed by the client browser.
Client filesize: In a protection profile, antivirus Oversized File/Email is set to Block for HTTP or HTTPS and an oversized file that is being uploaded with an HTTP PUT is blocked and replaced with this web page.
Client banned word: Web content blocking enabled in a protection profile blocks a web page being uploaded with an HTTP PUT that contains content that matches an entry in the selected Web Content Block list.
POST block: HTTP POST Action is set to Block in a protection profile and the FortiGate unit blocks an HTTP POST and displays this web page.

FTP replacement messages
The FortiGate unit sends the FTP replacement messages listed in Table 30 to FTP clients when an event occurs such as antivirus blocking a file that contains a virus in an FTP session. FTP replacement messages are text messages.

Table 30: FTP replacement messages
Virus message: Antivirus Virus Scan enabled for FTP in a protection profile deletes an infected file being downloaded using FTP and sends this message to the FTP client.
Blocked message: Antivirus File Filter enabled for FTP in a protection profile blocks a file being downloaded using FTP that matches an entry in the selected file filter list and sends this message to the FTP client.
Oversized message: Antivirus Oversized File/Email set to Block for FTP in a protection profile blocks an oversize file from being downloaded using FTP and sends this message to the FTP client.
DLP message: In a DLP sensor, a rule with action set to Block replaces a blocked FTP download with this message.
DLP ban message: In a DLP sensor, a rule with action set to Ban blocks an FTP session and displays this message. This message is displayed whenever the banned user attempts access, until the user is removed from the banned user list.

NNTP replacement messages
The FortiGate unit sends the NNTP replacement messages listed in Table 31 to NNTP clients when an event occurs such as antivirus blocking a file attached to an NNTP message that contains a virus. NNTP replacement messages are text messages.

Table 31: NNTP replacement messages
Virus message: Antivirus Virus Scan enabled for NNTP in a protection profile deletes an infected file attached to an NNTP message and sends this message to the NNTP client.
Blocked message: Antivirus File Filter enabled for NNTP in a protection profile blocks a file attached to an NNTP message that matches an entry in the selected file filter list and sends this message to the NNTP client.
Oversized message: Antivirus Oversized File/Email set to Block for NNTP in a protection profile removes an oversized file from an NNTP message and replaces the file with this message.
Data Leak prevention message: In a DLP sensor, a rule with action set to Block replaces a blocked NNTP message with this message.
Subject of data leak prevention message: This message is added to the subject field of all NNTP messages replaced by the DLP sensor Block, Ban, Quarantine IP address, and Quarantine interface actions.
Banned by data leak prevention message: In a DLP sensor, a rule with action set to Ban replaces a blocked NNTP message with this message. This message also replaces any additional NNTP messages that the banned user sends until they are removed from the banned user list.

Alert Mail replacement messages
The FortiGate unit adds the alert mail replacement messages listed in Table 32 to alert email messages sent to administrators. If you enable Send alert email for logs based on severity for alert email, whether or not replacement messages are sent by alert email depends on how you set the alert email Minimum log level. For more information about alert email, see “Alert Email” on page 670. Alert mail replacement messages are text messages.

Table 32: Alert mail replacement messages
Virus message: Virus detected must be enabled for alert email. Antivirus Virus Scan must be enabled in a protection profile and detect a virus.

Table 32: Alert mail replacement messages (continued)
Block message: Virus detected must be enabled for alert email. Antivirus File Filter must be enabled in a protection profile, and block a file that matches an entry in a selected file filter list.
Intrusion message: Intrusion detected enabled for alert email. An IPS Sensor or a DoS Sensor detects an attack.
Critical event message: Whenever a critical level event log message is generated, this replacement message is sent unless you configure alert email to enable Send alert email for logs based on severity and set the Minimum log level to Alert or Emergency.
Disk full message: Disk usage enabled and disk usage reaches the % configured for alert email. If you enable Send alert email for logs based on severity for alert email, whether or not replacement messages are sent by alert email depends on how you set the alert email Minimum log level.

Spam replacement messages
The FortiGate unit adds the Spam replacement messages listed in Table 33 to SMTP server responses if the email message is identified as spam and the spam action is discard. If the FortiGate unit supports SSL content scanning and inspection these replacement messages can also be added to SMTPS server responses.

Table 33: Spam replacement messages
Email IP: Spam Filtering IP address BWL check enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
HELO/EHLO domain: Spam Filtering HELO DNS lookup enabled for SMTP in a protection profile identifies an email message as spam and adds this replacement message. HELO DNS lookup is not available for SMTPS.
Email address: Spam Filtering E-mail address BWL check enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
DNSBL/ORDBL: From the CLI, spamrbl enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
Mime header: From the CLI, spamhdrcheck enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
Returned email domain: Spam Filtering Return e-mail DNS check enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
Banned word: Spam Filtering Banned word check enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
Spam submission message: Any Spam Filtering option enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message. Spam Filtering adds this message to all email tagged as spam. The message describes a button that the recipient of the message can select to submit the email signatures to the FortiGuard Antispam service if the email was incorrectly tagged as spam (a false positive).

Administration replacement message
If you enter the following CLI command, the FortiGate unit displays the Administration Login disclaimer whenever an administrator logs into the FortiGate unit web-based manager or CLI.

    config system global
        set access-banner enable
    end

The web-based manager administrator login disclaimer contains the text of the Login Disclaimer replacement message as well as Accept and Decline buttons. The administrator must select Accept to log in.

Authentication replacement messages
The FortiGate unit uses the text of the authentication replacement messages listed in Table 34 for the user authentication HTML pages that are displayed when a user is required to authenticate because a firewall policy includes at least one identity-based policy that requires firewall users to authenticate. For more information about identity-based policies, see "Identity-based firewall policy options (non-SSL-VPN)" on page 328 and "Configuring SSL VPN identity-based firewall policies" on page 331.

These pages are used for authentication using HTTP and HTTPS. You cannot customize the firewall authentication messages for FTP and Telnet.

Authentication replacement messages are HTML messages. You can customize these pages in the same way as you modify other replacement messages. You should change only the disclaimer text itself, not the HTML form code.

Users see the authentication login page when they use a VPN or a firewall policy that requires authentication. Administrators see the authentication disclaimer page when logging into the FortiGate web-based manager or CLI. The disclaimer page makes a statement about usage policy to which the user must agree before the FortiGate unit permits access.

The authentication login page and the authentication disclaimer include replacement tags and controls not found on other replacement messages. There are some unique requirements for these replacement messages:
• The login page must be an HTML page containing a form with ACTION="/" and METHOD="POST".
• The form must contain the following hidden controls:
  • <INPUT TYPE="hidden" NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%">
  • <INPUT TYPE="hidden" NAME="%%STATEID%%" VALUE="%%STATEVAL%%">
  • <INPUT TYPE="hidden" NAME="%%REDIRID%%" VALUE="%%PROTURI%%">
• The form must contain the following visible controls:
  • <INPUT TYPE="text" NAME="%%USERNAMEID%%" size=25>
  • <INPUT TYPE="password" NAME="%%PASSWORDID%%" size=25>

Example
The following is an example of a simple authentication page that meets the requirements listed above.

    <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
    <BODY><H4>You must authenticate to use this service.</H4>
    <FORM ACTION="/" method="post">
    <INPUT NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%" TYPE="hidden">
    <TABLE ALIGN="center" BGCOLOR="#00cccc" BORDER="0" CELLPADDING="15" CELLSPACING="0" WIDTH="320"><TBODY>

    <TR><TH>Username:</TH>
    <TD><INPUT NAME="%%USERNAMEID%%" SIZE="25" TYPE="text"></TD></TR>
    <TR><TH>Password:</TH>
    <TD><INPUT NAME="%%PASSWORDID%%" SIZE="25" TYPE="password"></TD></TR>
    <TR><TD COLSPAN="2" ALIGN="center" BGCOLOR="#00cccc">
    <INPUT NAME="%%STATEID%%" VALUE="%%STATEVAL%%" TYPE="hidden">
    <INPUT NAME="%%REDIRID%%" VALUE="%%PROTURI%%" TYPE="hidden">
    <INPUT VALUE="Continue" TYPE="submit">
    </TD></TR>
    </TBODY></TABLE></FORM></BODY></HTML>

Table 34: Authentication replacement messages
Disclaimer page: User Authentication Disclaimer is enabled in a firewall policy that also includes at least one identity-based policy. When a firewall user attempts to browse a network through the FortiGate unit using HTTP or HTTPS, this disclaimer page is displayed. The CLI includes auth-disclaimer-page-1, auth-disclaimer-page-2, and auth-disclaimer-page-3, which you can use to increase the size of the authentication disclaimer page replacement message. For more information, see the FortiGate CLI Reference.
Declined disclaimer page: Displayed when a firewall user selects the button on the disclaimer page to decline access through the FortiGate unit, and the Disclaimer page replacement message does not redirect the user to a redirect URL or the firewall policy does not include a redirect URL.
Login page: The authentication HTML page displayed when firewall users who are required to authenticate connect through the FortiGate unit using HTTP or HTTPS.
Login failed page: The HTML page displayed if firewall users enter an incorrect user name and password combination.
Login challenge page: The HTML page displayed if firewall users are required to answer a question to complete authentication. The page displays the question and includes a field in which to type the answer. This feature is supported by RADIUS and uses the generic RADIUS challenge-access auth response. Usually, challenge-access responses contain a Reply-Message attribute that contains a message for the user (for example, "Please enter new PIN"). This message is displayed on the login challenge page. The user enters a response that is sent back to the RADIUS server to be verified. The Login challenge page is most often used with an RSA RADIUS server for RSA SecurID authentication. The login challenge appears when the server needs the user to enter a new PIN. You can customize the replacement message to ask the user for a SecurID PIN.
Keepalive page: The HTML page displayed when firewall authentication keepalive is enabled, using the following command:
    config system global
        set auth-keepalive enable
    end
Authentication keepalive keeps authenticated firewall sessions from ending when the authentication timeout ends. Go to User > Options to set the Authentication Timeout.

FortiGuard Web Filtering replacement messages
The FortiGate unit sends the FortiGuard Web Filtering replacement messages listed in Table 35 to web browsers using the HTTP protocol when FortiGuard Web Filtering blocks a URL, provides details about blocked HTTP 4xx and 5xx errors, and for FortiGuard overrides. FortiGuard Web Filtering replacement messages are HTTP pages.

If the FortiGate unit supports SSL content scanning and inspection, and Protocol Recognition > HTTPS Content Filtering Mode is set to Deep Scan in the protection profile, these replacement messages can also replace web pages downloaded using the HTTPS protocol.

Table 35: FortiGuard Web Filtering replacement messages
URL block message: Enable FortiGuard Web Filtering is enabled in a protection profile for HTTP or HTTPS and blocks a web page. The blocked page is replaced with this web page.
HTTP error message: Provide details for blocked HTTP 4xx and 5xx errors is enabled in a protection profile for HTTP or HTTPS and blocks a web page. The blocked page is replaced with this web page.
FortiGuard Web Filtering override form: FortiGuard Web Override is selected for a FortiGuard Web Filtering category, and FortiGuard Web Filtering blocks a web page in this category and displays this web page. Using the override form on this web page, users can authenticate to get access to the page. Go to UTM > Web Filter > Override to add override rules. For more information, see "Configuring administrative override rules" on page 489. The %%OVRD_FORM%% tag provides the form used to initiate an override if FortiGuard Web Filtering blocks access to a web page. Do not remove this tag from the replacement message.

IM and P2P replacement messages
The FortiGate unit sends the IM and P2P replacement messages listed in Table 36 to IM and P2P clients using AIM, ICQ, MSN, or Yahoo! Messenger when an event occurs such as antivirus blocking a file attached to a message that contains a virus. IM and P2P replacement messages are text messages.

Table 36: IM and P2P replacement messages
File block message: Antivirus File Filter enabled for IM in a protection profile deletes a file that matches an entry in the selected file filter list and replaces it with this message.
File name block message: Antivirus File Filter enabled for IM in a protection profile deletes a file with a name that matches an entry in the selected file filter list and replaces it with this message.
Virus message: Antivirus Virus Scan enabled for IM in a protection profile deletes an infected file and replaces the file with this message.
Oversized file message: Antivirus Oversized File/Email set to Block for IM in a protection profile removes an oversized file and replaces the file with this message.
Data leak prevention message: In a DLP sensor, a rule with action set to Block replaces a blocked IM or P2P message with this message.
Banned by data leak prevention message: In a DLP sensor, a rule with action set to Ban replaces a blocked IM or P2P message with this message. This message also replaces any additional messages that the banned user sends until they are removed from the banned user list.
Voice chat block message: In an Application Control list, the Block Audio option is selected for AIM, ICQ, MSN, or Yahoo! and the application control list is added to a protection profile.
Photo share block message: In an Application Control list, the block-photo CLI keyword is enabled for MSN and the application control list is added to a protection profile. You enable photo blocking from the CLI.

Endpoint control replacement message
The endpoint control download portal replacement message formats the FortiClient download portal page that appears if you enable endpoint control in a firewall policy and select Redirect Non-conforming Clients to Download Portal. The portal provides links to download a FortiClient application installer. For more information about Endpoint control, see "Endpoint control" on page 641.

You can modify the appearance of the FortiClient Download Portal from System > Config > Replacement Messages > Endpoint Control by editing the Endpoint Control Download Portal. The endpoint control replacement message is an HTML message. Be sure to retain the %%LINK%% tag, which provides the download URL for the FortiClient installer.

NAC quarantine replacement messages
When a user is blocked by NAC quarantine or by a DLP sensor with action set to Quarantine IP address or Quarantine Interface, and they attempt to start an HTTP session through the FortiGate unit using TCP port 80, the FortiGate unit connects them to one of the four NAC Quarantine HTML pages listed in Table 37. The page that is displayed depends on whether NAC quarantine blocked the user because a virus was found, a DoS sensor detected an attack, an IPS sensor detected an attack, or a DLP rule with action set to Quarantine IP address or Quarantine Interface matched a session from the user. For more information about NAC quarantine, see "NAC quarantine and the Banned User list" on page 595.

You can customize the pages as required, for example to include an email address or other contact information or, if applicable, a note about how long the user can expect to be blocked. The default messages inform the user of why they are seeing this page and recommend they contact the system administrator.

Table 37: NAC quarantine replacement messages
Virus Message: Antivirus Quarantine Virus Sender enabled in a protection profile adds a source IP address or FortiGate interface to the banned user list. The FortiGate unit displays this replacement message as a web page when the blocked user attempts to connect through the FortiGate unit using HTTP on port 80, or when any user attempts to connect through a FortiGate interface added to the banned user list using HTTP on port 80.
DoS Message: For a DoS Sensor, the CLI quarantine option set to attacker or interface and the DoS Sensor added to a DoS firewall policy adds a source IP, a destination IP, or a FortiGate interface to the banned user list. This replacement message is not displayed if quarantine is set to both. The FortiGate unit displays this replacement message as a web page when the blocked user attempts to connect through the FortiGate unit using HTTP on port 80, or when any user attempts to connect through a FortiGate interface added to the banned user list using HTTP on port 80.
IPS Message: Quarantine Attackers enabled in an IPS sensor filter or override and the IPS sensor added to a protection profile adds a source IP address, a destination IP address, or a FortiGate interface to the banned user list. This replacement message is not displayed if method is set to Attacker and Victim IP Address. The FortiGate unit displays this replacement message as a web page when the blocked user attempts to connect through the FortiGate unit using HTTP on port 80, or when any user attempts to connect through a FortiGate interface added to the banned user list using HTTP on port 80.

DLP Message: Action set to Quarantine IP address or Quarantine Interface in a DLP sensor and the DLP sensor added to a protection profile adds a source IP address or a FortiGate interface to the banned user list. The FortiGate unit displays this replacement message as a web page when the blocked user attempts to connect through the FortiGate unit using HTTP on port 80, or when any user attempts to connect through a FortiGate interface added to the banned user list using HTTP on port 80.

SSL VPN replacement message
The SSL VPN login replacement message is an HTML replacement message that formats the FortiGate SSL VPN portal login page. You can customize this replacement message according to your organization's needs. The page is linked to FortiGate functionality and you must construct it according to the following guidelines to ensure that it will work.
• The login page must be an HTML page containing a form with ACTION="%%SSL_ACT%%" and METHOD="%%SSL_METHOD%%".
• The form must contain the %%SSL_LOGIN%% tag to provide the login form.
• The form must contain the %%SSL_HIDDEN%% tag.

Replacement message tags
Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message. Table 38 lists the replacement message tags that you can add.

Table 38: Replacement message tags
%%AUTH_LOGOUT%%: The URL that will immediately delete the current policy and close the session. Used on the auth-keepalive page.
%%AUTH_REDIR_URL%%: The auth-keepalive page can prompt the user to open a new window which links to this tag.
%%CATEGORY%%: The name of the content category of the web site.
%%DEST_IP%%: The IP address of the request destination from which a virus was received. For email, this is the IP address of the email server that sent the email containing the virus. For HTTP, this is the IP address of the web server that sent the virus.
%%EMAIL_FROM%%: The email address of the sender of the message from which the file was removed.
%%EMAIL_TO%%: The email address of the intended receiver of the message from which the file was removed.
%%FAILED_MESSAGE%%: The failed-to-login message displayed on the auth-login-failed page.
%%FILE%%: The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.
%%FORTIGUARD_WF%%: The FortiGuard Web Filtering logo.
%%FORTINET%%: The Fortinet logo.
%%LINK%%: The link to the FortiClient Host Security installer download for the Endpoint Control feature.
%%HTTP_ERR_CODE%%: The HTTP error code, "404" for example.
%%HTTP_ERR_DESC%%: The HTTP error description.

%%NIDSEVENT%%: The IPS attack message. %%NIDSEVENT%% is added to alert email intrusion messages.
%%OVERRIDE%%: The link to the FortiGuard Web Filtering override form. This is visible only if the user belongs to a group that is permitted to create FortiGuard Web Filtering overrides.
%%OVRD_FORM%%: The FortiGuard Web Filtering block override form. This tag must be present in the FortiGuard Web Filtering override form and should not be used in other replacement messages.
%%PROTOCOL%%: The protocol (http, ftp, pop3, imap, or smtp) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.
%%QUARFILENAME%%: The name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by antivirus file blocking. %%QUARFILENAME%% can be used in virus and file block messages. Quarantining is only available on FortiGate units with a local disk.
%%QUESTION%%: The authentication challenge question on the auth-challenge page, or the prompt to enter username and password on the auth-login page.
%%SERVICE%%: The name of the web filtering service.
%%SOURCE_IP%%: The IP address of the request originator who would have received the blocked file. For email, this is the IP address of the user's computer that attempted to download the message from which the file was removed.
%%TIMEOUT%%: The configured number of seconds between authentication keepalive connections. Used on the auth-keepalive page.
%%URL%%: The URL of a web page. This can be a web page that is blocked by web filter content or URL blocking. %%URL%% can also be used in HTTP virus and file block messages as the URL of the web page from which a user attempted to download a file that is blocked.
%%VIRUS%%: The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages.

Operation mode and VDOM management access
You can change the operation mode of each VDOM independently of other VDOMs. This allows any combination of NAT/Route and Transparent operating modes on the FortiGate unit VDOMs. Management access to a VDOM can be restricted based on which interfaces and protocols can be used to connect to the FortiGate unit.

Changing operation mode
You can set the operating mode for your VDOM and perform sufficient network configuration to ensure that you can connect to the web-based manager in the new mode.

To switch from NAT/Route to Transparent mode
1 Go to System > Config > Operation Mode, or select Change beside Operation Mode on the System Status page for the virtual domain.

2 From the Operation Mode list, select Transparent.
3 Enter the following information and select Apply.
  Management IP/Netmask: Enter the management IP address and netmask. This must be a valid IP address for the network from which you want to manage the FortiGate unit.
  Default Gateway: Enter the default gateway required to reach other networks from the FortiGate unit.

To switch from Transparent to NAT/Route mode
1 Go to System > Config > Operation Mode, or select Change beside Operation Mode on the System Status page for the virtual domain.
2 From the Operation Mode list, select NAT.
3 Enter the following information and select Apply.
  Interface IP/Netmask: Enter a valid IP address and netmask for the network from which you want to manage the FortiGate unit.
  Device: Select the interface to which the Interface IP/Netmask settings apply.
  Default Gateway: Enter the default gateway required to reach other networks from the FortiGate unit.
  Gateway Device: Select the interface to which the default gateway is connected.

Management access
You can configure management access on any interface in your VDOM. See "Administrative access to an interface" on page 135. In NAT/Route mode, the interface IP address is used for management access. In Transparent mode, you configure a single management IP address that applies to all interfaces in your VDOM that permit management access. The FortiGate unit also uses this IP address to connect to the FDN for virus and attack updates (see "Configuring FortiGuard Services" on page 264).

The system administrator (admin) can access all VDOMs; it does not matter to which VDOM the interface belongs. A regular administrator account can access only the VDOM to which it belongs, so the management computer must connect to an interface in that VDOM. In both cases, the management computer must connect to an interface that permits management access, and its IP address must be on the same network.

Management access can be via HTTP, HTTPS, telnet, or SSH sessions if those services are enabled on the interface. HTTPS and SSH are preferred, as they are more secure.

You can allow remote administration of the FortiGate unit. However, allowing remote administration from the Internet could compromise the security of the FortiGate unit. You should avoid this unless it is required for your configuration. To improve the security of a FortiGate unit that allows remote administration from the Internet:
• Use secure administrative user passwords.
• Change these passwords regularly.
• Enable secure administrative access to this interface using only HTTPS or SSH.
• Do not change the system idle timeout from the default value of 5 minutes (see "Settings" on page 228).
• Use Trusted Hosts to limit where the remote access can originate from.
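Three of the five recommendations above (HTTPS/SSH only, the default idle timeout, and trusted hosts) can be checked mechanically against a configuration backup. The following audit script is an added example (not Fortinet code): it parses the config/edit/set/next/end block syntax of a FortiOS configuration backup and flags interfaces that still permit HTTP or telnet administration, a changed admintimeout, and administrator accounts with no trusted-host restriction. The keyword names admintimeout, allowaccess and trusthost1 are assumed from the FortiOS CLI, and the backup text embedded below is constructed for this example; a real backup carries many more sections, which the parser simply keeps.

```python
"""Audit a FortiOS configuration backup against the remote-administration
advice in the guide (added example; not part of the FortiGate product).
Assumptions: the backup uses config/edit/set/next/end blocks, the idle
timeout is 'admintimeout' under 'config system global', interface
management protocols are 'allowaccess', and trusted hosts are
'trusthost1'..'trusthost3' under 'config system admin'."""
import shlex

# Constructed sample backup with one hardened and one exposed interface,
# one unrestricted administrator and a raised idle timeout.
SAMPLE_BACKUP = """\
config system global
    set admintimeout 60
end
config system interface
    edit "wan1"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https ssh http telnet
    next
    edit "internal"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
    edit "noc"
        set accprofile "super_admin"
        set trusthost1 192.0.2.0 255.255.255.0
    next
end
"""

INSECURE_ACCESS = {"http", "telnet"}   # cleartext management protocols
DEFAULT_TIMEOUT = 5                     # minutes, the guide's default


def parse_backup(text):
    """Return {section: {entry: {key: [values]}}}.  'set' lines that are
    not inside an 'edit' block are stored under the entry name ''.
    Nested 'config' blocks inside an entry are skipped, not parsed."""
    tree = {}
    section, entry, depth = None, "", 0
    for raw in text.splitlines():
        words = shlex.split(raw.strip())
        if not words:
            continue
        cmd = words[0]
        if cmd == "config":
            depth += 1
            if depth == 1:
                section = " ".join(words[1:])
                tree.setdefault(section, {})
        elif cmd == "end":
            depth -= 1
            if depth == 0:
                section, entry = None, ""
        elif depth != 1 or section is None:
            continue                      # inside a nested block: ignore
        elif cmd == "edit":
            entry = words[1]
            tree[section].setdefault(entry, {})
        elif cmd == "next":
            entry = ""
        elif cmd == "set":
            tree[section].setdefault(entry, {})[words[1]] = words[2:]
    return tree


def audit(tree):
    """Return one finding per violation that is visible in the configuration
    (password quality and rotation cannot be judged from a backup)."""
    findings = []
    timeout = tree.get("system global", {}).get("", {}) \
                  .get("admintimeout", [str(DEFAULT_TIMEOUT)])
    if int(timeout[0]) != DEFAULT_TIMEOUT:
        findings.append(f"admintimeout is {timeout[0]} minutes, "
                        f"default is {DEFAULT_TIMEOUT}")
    for name, keys in tree.get("system interface", {}).items():
        bad = INSECURE_ACCESS & set(keys.get("allowaccess", []))
        if bad:
            findings.append(f"interface {name} allows "
                            f"{', '.join(sorted(bad))}; use only https/ssh")
    for name, keys in tree.get("system admin", {}).items():
        hosts = [keys.get(f"trusthost{i}") for i in range(1, 4)]
        hosts = [h for h in hosts if h]
        # No trusthost at all, or any entry with a 0.0.0.0 mask, means
        # the account may log in from anywhere.
        if not hosts or any(h[1] == "0.0.0.0" for h in hosts):
            findings.append(f"administrator {name} has no trusted-host restriction")
    return findings


if __name__ == "__main__":
    for line in audit(parse_backup(SAMPLE_BACKUP)):
        print(line)
```

Feed it the text of a backup taken from System > Maintenance > Backup & Restore; each finding names the interface or account to fix. Note that a single trusted host left at 0.0.0.0/0.0.0.0 undoes the restriction on the other two, which is why the check treats any all-zero mask as unrestricted.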

System Admin
This section describes how to configure administrator accounts on your FortiGate unit. Administrators access the FortiGate unit to configure its operation. The factory default configuration has one administrator, admin. After connecting to the web-based manager or the CLI, you can configure additional administrators with various levels of access to different parts of the FortiGate unit configuration.

If you enable virtual domains (VDOMs) on the FortiGate unit, system administrators are configured globally for the entire FortiGate unit. For details, see "Using virtual domains" on page 103.

Note: Always end your FortiGate session by logging out, in the CLI or the web-based manager. If you do not, the session remains open.

This section describes:
• Administrators
• Admin profiles
• Central Management
• Settings
• Monitoring administrators
• FortiGate IPv6 support
• Customizable web-based manager

Administrators
There are two levels of administrator accounts:

Regular administrators: An administrator with any admin profile other than super_admin. A regular administrator account has access to configuration options as determined by its Admin Profile. If virtual domains are enabled, the regular administrator is assigned to one VDOM and cannot access global configuration options or the configuration for any other VDOM. For information about which options are global and which are per VDOM, see "VDOM configuration settings" on page 104 and "Global configuration settings" on page 107.

System administrators: Any administrator assigned to the super_admin admin profile, including the default administrator account admin, has full access to the FortiGate unit configuration and general system settings, which includes the ability to:
• enable VDOM configuration
• create VDOMs
• configure VDOMs
• assign regular administrators to VDOMs
• configure global options
• customize the FortiGate web-based manager.
This level includes the factory default system administrator admin, any other administrators assigned to the super_admin profile, and any administrator that is assigned to the super_admin_readonly profile. The super_admin admin profile cannot be changed. It does not appear in the list of profiles in System > Admin > Admin Profile, but it is one of the selections in the Admin Profile drop-down list in the System > Admin New/Edit Administrator dialog box.

Figure 105: New Administrator dialog box displaying the super_admin_readonly option

Users assigned to the super_admin profile:
• cannot delete logged-in users who are also assigned the super_admin profile
• can delete other users assigned the super_admin profile and/or change their configured authentication method, password, or admin profile, only if the other users are not logged in
• can delete the default "admin" account only if the default admin user is not logged in.

By default, admin has no password. The password should be 32 characters or less. If the password of a user who is logged in is changed, the user will be logged out and prompted to re-authenticate with the new password.

Note: The password of users with the super_admin admin profile can be reset in the CLI.

Example: For a user ITAdmin with the admin profile super_admin, to set the password to 123456:
    config sys admin
        edit ITAdmin
            set password 123456
    end

Example: For a user ITAdmin with the admin profile super_admin, to reset the password from 123456 to the default 'empty':
    config sys admin
        edit ITAdmin
            unset password 123456
    end

There is also an admin profile that allows read-only super admin privileges, super_admin_readonly. This profile cannot be deleted or changed, similar to super_admin. Other than being read-only, the super_admin_readonly profile can view all the FortiGate configuration tools. The read-only super_admin profile is suitable in a situation where it is necessary for a system administrator to troubleshoot a customer configuration without being able to make changes.

You can authenticate an administrator by using a password stored on the FortiGate unit, an LDAP, RADIUS, or TACACS+ server, or by using PKI certificate-based authentication. To authenticate an administrator with an LDAP or TACACS+ server, you must add the server to an authentication list, include the server in a user group, and associate the administrator with the user group.

A VDOM/admin profile override feature supports authentication of administrators via RADIUS. The RADIUS server authenticates users and authorizes access to internal network resources based on the admin profile of the user. The admin user will have access depending on which VDOM and associated admin profile he or she is restricted to. This feature is available only to wildcard administrators, and can be set only through the FortiGate CLI. There can only be one VDOM override user per system. For more information, see the FortiGate CLI Reference.

Users authenticated with a PKI-based certificate are permitted access to internal network resources based on the user group they belong to and the associated admin profile.

Viewing the administrators list
You need to use the default "admin" account, an account with the super_admin admin profile, or an administrator with read-write access control to add new administrator accounts and control their permission levels.

To view the list of administrators, go to System > Admin > Administrators. If you log in with an administrator account that does not have the super_admin admin profile, the administrators list will show only the administrators for the current virtual domain.

Figure 106: Administrators list

Create New: Add an administrator account.
Name: The login name for an administrator account.
Trusted Hosts: The IP address and netmask of trusted hosts from which the administrator can log in. For more information, see "Using trusted hosts" on page 221.
Profile: The admin profile for the administrator.
Type: The type of authentication for this administrator, one of:
  Local: Authentication of an account with a local password stored on the FortiGate unit.
  Remote: Authentication of a specific account on a RADIUS, LDAP, or TACACS+ server.
  Remote+Wildcard: Authentication of any account on an LDAP, RADIUS, or TACACS+ server.
  PKI: PKI-based certificate authentication of an account.

Delete icon: Delete the administrator account. You cannot delete the original "admin" account until you create another user with the super_admin profile, log out of the "admin" account, and log in with the alternate user that has the super_admin profile.
Edit or View icon: Edit or view the administrator account.
Change Password icon: Change the password for the administrator account. To change an administrator password, go to System > Admin > Administrators and select the Change Password icon next to the administrator account you want to change the password for. Enter and confirm the new password, and select OK to save the changes.

Configuring an administrator account
You need to use the default "admin" account, an account with the super_admin admin profile, or an administrator with read-write access control to create a new administrator.

To create a new administrator, go to System > Admin > Administrators and select Create New. To configure the settings for an existing administrator, select the Edit icon beside the administrator.

Figure 107: Administrator account configuration - Regular (local) authentication

Figure 108: Administrator account configuration - Remote authentication

Figure 109: Administrator account configuration - PKI authentication

Administrator: Enter the login name for the administrator account. The name of the administrator should not contain the characters <>()#"'. Using these characters in the administrator account name can result in a cross site scripting (XSS) vulnerability.
Type: Select the type of administrator account:
  Regular: Select to create a Local administrator account. For more information, see "Configuring regular (password) authentication for administrators" on page 214.
  Remote: Select to authenticate the administrator using a RADIUS, LDAP, or TACACS+ server. Server authentication for administrators must be configured first. For more information, see "Configuring remote authentication for administrators" on page 214.
  PKI: Select to enable certificate-based authentication for the administrator. Only one administrator can be logged in with PKI authentication enabled. For more information, see "Configuring PKI certificate authentication for administrators" on page 220.
User Group: Select the administrator user group that includes the Remote server/PKI (peer) users as members. The administrator user group cannot be deleted once the group is selected for authentication. This is available only if Type is Remote or PKI.
Wildcard: Select to allow all accounts on the RADIUS, LDAP, or TACACS+ server to be administrators. Only one wildcard user is permitted per VDOM. This is available only if Type is Remote.
Password: Enter a password for the administrator account. For improved security, the password should be at least 6 characters long. This is not available if Wildcard is selected or when Type is PKI.
Confirm Password: Type the password for the administrator account a second time to confirm that you have typed it correctly. This is not available if Wildcard is selected or when PKI authentication is selected.
Trusted Host #1, Trusted Host #2, Trusted Host #3: Enter the trusted host IP address and netmask that administrator login is restricted to on the FortiGate unit. You can specify up to three trusted hosts. These addresses all default to 0.0.0.0/0.0.0.0 or 0.0.0.0/0. For more information, see "Using trusted hosts" on page 221.
Admin Profile: Select the admin profile for the administrator. You can also select Create New to create a new admin profile. For more information on admin profiles, see "Configuring an admin profile" on page 225.

See the Fortinet Knowledge Center article Recovering lost administrator account passwords if you forget or lose an administrator account password and cannot log in to your FortiGate unit.
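The character restriction on the Administrator field above exists because the account name is echoed back into HTML pages (the administrators list, log views); a name containing markup is then rendered rather than displayed. The following is an added example (not Fortinet code) that enforces the field rules above when provisioning accounts from a script, and shows the difference between embedding a name as-is and HTML-escaping it first. The render functions are stand-ins for any page that echoes the name; the account names and passwords are constructed test data.

```python
"""Validate administrator account fields as described in the guide and show
why the account-name character restriction matters (added example; not
part of the FortiGate product)."""
import html

# Characters the guide forbids in an administrator name.
FORBIDDEN_NAME_CHARS = set('<>()#"\'')
MIN_PASSWORD_LEN = 6    # the guide's recommended minimum
MAX_PASSWORD_LEN = 32   # the guide's stated maximum


def check_admin_account(name, password=None, wildcard=False, pki=False):
    """Return a list of problems; an empty list means the fields are acceptable.
    Wildcard and PKI accounts carry no local password, so one must not be set."""
    problems = []
    if not name:
        problems.append("name is empty")
    bad = sorted(FORBIDDEN_NAME_CHARS & set(name))
    if bad:
        problems.append("name contains " + "".join(bad))
    if wildcard or pki:
        if password is not None:
            problems.append("password not applicable for wildcard/PKI accounts")
    elif password is None or len(password) < MIN_PASSWORD_LEN:
        problems.append(f"password shorter than {MIN_PASSWORD_LEN} characters")
    elif len(password) > MAX_PASSWORD_LEN:
        problems.append(f"password longer than {MAX_PASSWORD_LEN} characters")
    return problems


def render_name_unsafe(name):
    """How an unsanitised name reaches an HTML page: the XSS risk the guide warns about."""
    return f"<td>{name}</td>"


def render_name_safe(name):
    """Escape before embedding, so even a name that slipped past the check
    is displayed as text rather than interpreted as markup."""
    return f"<td>{html.escape(name, quote=True)}</td>"


if __name__ == "__main__":
    hostile = 'it<script>alert(1)</script>'
    print(check_admin_account(hostile, "s3cretpw"))
    print(render_name_unsafe(hostile))
    print(render_name_safe(hostile))
```

The validation step is the one the FortiGate unit expects you to respect; the escaping step is defence in depth for any of your own tooling that displays account names, since rejecting the characters at creation time does not protect pages that render names from other sources.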

Configuring regular (password) authentication for administrators

You can use a password stored on the local FortiGate unit to authenticate an administrator. When you select Type > Regular, you will see Local as the entry in the Type column when you view the list of administrators. For more information, see “Viewing the administrators list” on page 211.

To configure an administrator to authenticate with a password stored on the FortiGate unit
1 Go to System > Admin.
2 Select Create New, or select the Edit icon beside an existing administrator.
3 Enter the following information:
    Administrator
        A name for the administrator.
    Type
        Regular.
    Password
        A password for the administrator to use to authenticate.
    Confirm Password
        The password entered in Password.
    Admin Profile
        The admin profile to apply to the administrator.
4 Configure additional features as required. For more information, see “Configuring an administrator account” on page 212.
5 Select OK.

Note: If you forget or lose an administrator account password and cannot log in to your FortiGate unit, see the Fortinet Knowledge Center article Recovering lost administrator account passwords.

Configuring remote authentication for administrators

You can authenticate administrators using RADIUS, LDAP, or TACACS+ servers. In order to do this, you must configure the server, include the server as a member of a user group, and create the administrator account that uses the user group.

Configuring RADIUS authentication for administrators

Remote Authentication and Dial-in User Service (RADIUS) servers provide authentication, authorization, and accounting functions. FortiGate units use the authentication and authorization functions of the RADIUS server. If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiGate unit sends the user’s credentials to the RADIUS server for authentication. If the RADIUS server can authenticate the user, the user is successfully authenticated with the FortiGate unit. If the RADIUS server cannot authenticate the user, the FortiGate unit refuses the connection.

To use the RADIUS server for authentication, you must configure the server before you configure the FortiGate users or user groups that will need it. If you want to use a RADIUS server to authenticate administrators in your VDOM, you must configure the authentication before you create the administrator accounts. To do this you need to:
• configure the FortiGate unit to access the RADIUS server
• create a user group with the RADIUS server as its only member.

Note: Access to the FortiGate unit depends on the VDOM associated with the administrator account.

The following instructions assume that there is a RADIUS server on your network populated with the names and passwords of your administrators. For information on how to set up a RADIUS server, see the documentation for your RADIUS server.

To view the RADIUS server list, go to User > Remote > RADIUS.

Figure 110: Example RADIUS server list

Create New
    Add a new RADIUS server.
Name
    The name that identifies the RADIUS server on the FortiGate unit.
Server Name/IP
    The domain name or IP address of the RADIUS server.
Delete icon
    Delete a RADIUS server configuration. You cannot delete a RADIUS server that has been added to a user group.
Edit icon
    Edit a RADIUS server configuration.

To configure the FortiGate unit to access the RADIUS server
1 Go to User > Remote > RADIUS.
2 Select Create New, or select the Edit icon beside an existing RADIUS server.
3 Enter a name that identifies the RADIUS server. Use this name when you create the user group.
4 For Primary Server Name/IP, enter the domain name or IP address of the RADIUS server.
5 For Primary Server Secret, enter the RADIUS server secret. The RADIUS server administrator can provide this information.
6 Optionally, provide information regarding a secondary RADIUS server.
7 Optionally, configure the RADIUS server to be included in every user group in the associated VDOM, a custom authentication scheme, and a NAS IP/Called Station ID.
8 Select OK.

For further information about RADIUS authentication, see “Configuring a RADIUS server” on page 572.

To create the user group (RADIUS)
1 Go to User > User Group.
2 Select Create New, or select the Edit icon beside an existing RADIUS group.
3 Enter the name that identifies the user group.

4 For Type, select Firewall.
5 In the Available Users/Groups list, select the RADIUS server name and move it to the Members list.
6 Select OK.

To configure an administrator to authenticate with a RADIUS server
1 Go to System > Admin.
2 Select Create New, or select the Edit icon beside an existing administrator.
3 Enter the following information:
    Name
        A name that identifies the administrator.
    Type
        Remote.
    User Group
        The user group that includes the RADIUS server as a member.
    Password
        The password the administrator uses to authenticate.
    Confirm Password
        The re-entered password that confirms the original entry in Password.
    Admin Profile
        The admin profile to apply to the administrator.
4 Configure additional features as required. For more information, see “Configuring an administrator account” on page 212.
5 Select OK.

For more information about using a RADIUS server to authenticate system administrators, see Fortinet Knowledge Centre article #3849 Using RADIUS for Admin Access and Authorization.

See also
• Admin profiles
• Configuring a RADIUS server
• Configuring a user group

Configuring LDAP authentication for administrators

Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, printers, etc. If you have configured LDAP support and an administrator is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. If the LDAP server cannot authenticate the administrator, the FortiGate unit refuses the connection.

If you want to use an LDAP server to authenticate administrators in your VDOM, you must configure the authentication before you create the administrator accounts. To do this you need to:
• configure the LDAP server
• configure the FortiGate unit to access the LDAP server
• create a user group with the LDAP server as a member.

To view the LDAP server list, go to User > Remote > LDAP.

Figure 111: Example LDAP server list

Create New
    Add a new LDAP server.
Name
    The name that identifies the LDAP server on the FortiGate unit.
Server Name/IP
    The domain name or IP address of the LDAP server.
Port
    The TCP port used to communicate with the LDAP server.
Distinguished Name
    The distinguished name used to look up entries on the LDAP server.
Delete icon
    Delete the LDAP server configuration.
Edit icon
    Edit the LDAP server configuration.

To configure an LDAP server
1 Go to User > Remote > LDAP.
2 Select Create New, or select the Edit icon beside an existing LDAP server.
3 Enter or select the following and select OK.
    Name
        The name that identifies the LDAP server on the FortiGate unit.
    Server Name/IP
        The domain name or IP address of the LDAP server.
    Server Port
        The TCP port used to communicate with the LDAP server.
    Common Name Identifier
        The common name identifier for the LDAP server.
    Distinguished Name
        The base distinguished name for the server in the correct X.500 or LDAP format.
    Query icon
        View the Distinguished Name Query tree for the LDAP server that you are configuring so that you can cross-reference to the Distinguished Name. For more information, see “Using Query” on page 577.
    Bind Type
        The type of binding for LDAP authentication.
        Anonymous
            Bind using anonymous user search.
        Regular
            Bind using a user name/password and then search.
        Simple
            Bind using a simple password authentication without a search.
    Filter
        Filter used for group searching. Available only if Bind Type is Anonymous or Regular.
    User DN
        Distinguished name of the account the FortiGate unit binds with before searching for the user to be authenticated. Available only if Bind Type is Regular.
    Password
        Password of the account the FortiGate unit binds with. Available only if Bind Type is Regular.
    Secure Connection
        A check box that enables a secure LDAP server connection for authentication.

    Protocol
        The secure LDAP protocol to use for authentication. Available only if Secure Connection is selected.
    Certificate
        The certificate to use for authentication. Available only if Secure Connection is selected.

For further information about LDAP authentication, see “Configuring an LDAP server” on page 575.

To create the user group (LDAP)
1 Go to User > User Group.
2 Select Create New, or select the Edit icon beside an existing user group.
3 Enter a Name that identifies the user group.
4 For Type, select Firewall.
5 In the Available Users/Groups list, select the LDAP server name and move it to the Members list.
6 Select OK.

To configure an administrator to authenticate with an LDAP server
1 Go to System > Admin.
2 Select Create New, or select the Edit icon beside an existing administrator account.
3 Enter or select the following:
    Administrator
        A name that identifies the administrator.
    Type
        Remote.
    User Group
        The user group that includes the LDAP server as a member.
    Wildcard
        A check box that allows all accounts on the LDAP server to be administrators.
    Password
        The password the administrator uses to authenticate. Not available if Wildcard is enabled.
    Confirm Password
        The re-entered password that confirms the original entry in Password. Not available if Wildcard is enabled.
    Admin Profile
        The admin profile to apply to the administrator.
4 Configure additional features as required. For more information, see “Configuring an administrator account” on page 212.
5 Select OK.

Configuring TACACS+ authentication for administrators

Terminal Access Controller Access-Control System (TACACS+) is a remote authentication protocol that provides access control for routers, network access servers, and other networked computing devices via one or more centralized servers. If you have configured TACACS+ support and an administrator is required to authenticate using a TACACS+ server, the FortiGate unit contacts the TACACS+ server for authentication. If the TACACS+ server cannot authenticate the administrator, the connection is refused by the FortiGate unit.

If you want to use a TACACS+ server to authenticate administrators in your VDOM, you must configure the authentication before you create the administrator accounts. To do this you need to:
• configure the TACACS+ server
• configure the FortiGate unit to access the TACACS+ server

• create a user group with the TACACS+ server as a member.

To view the TACACS+ server list, go to User > Remote > TACACS+.

Figure 112: Example TACACS+ server list

Create New
    Add a new TACACS+ server.
Server
    The domain name or IP address of the TACACS+ server.
Authentication Type
    The supported authentication method. TACACS+ authentication methods include Auto, ASCII, PAP, CHAP, and MSCHAP.
Delete icon
    Delete this TACACS+ server.
Edit icon
    Edit this TACACS+ server.

To configure the FortiGate unit to access the TACACS+ server
1 Go to User > Remote > TACACS+.
2 Select Create New, or select the Edit icon beside an existing TACACS+ server.
3 Enter the Name that identifies the TACACS+ server.
4 For Server Name/IP, enter the domain name or IP address of the TACACS+ server.
5 For Server Key, enter the key used to access the TACACS+ server. The key can be at most 16 characters long.
6 For Authentication Type, select one of Auto, ASCII, PAP, CHAP, or MSCHAP. Auto authenticates using PAP, MSCHAP, and CHAP (in that order).
7 Select OK.

For further information about TACACS+ authentication, see “Configuring TACACS+ servers” on page 578.

To create the user group (TACACS+)
1 Go to User > User Group.
2 Select Create New, or select the Edit icon beside an existing user group.
3 Enter a Name that identifies the user group.
4 For Type, select Firewall.
5 In the Available Users/Groups list, select the TACACS+ server name and move it to the Members list.
6 Select OK.

To configure an administrator to authenticate with a TACACS+ server
1 Go to System > Admin.
2 Select Create New, or select the Edit icon beside an existing administrator.

The CA certificate that is used to authenticate this user. Edit this PKI user. If you want to use PKI authentication for an administrator. and user groups and returns authentication successful or denied notifications. Users only need a valid certificate for successful authentication. see “Configuring an administrator account” on page 212. or select the Edit icon beside an existing PKI user. To do this you need to: • • configure a PKI administrator to be included in the user group create a user group. Figure 113: Example PKI user list Delete Edit Create New Name Subject CA Delete icon Edit icon Add a new PKI user. For more information.com/ • Feedback . 2 Select Create New. The user group that includes the TACACS+ server as a member. 5 Select OK. no username or password is necessary. you must configure the authentication before you create the administrator accounts. Configuring PKI certificate authentication for administrators Public Key Infrastructure (PKI) authentication uses a certificate authentication library that takes a list of peers. The name of the PKI user.fortinet.Administrators System Admin 3 Enter or select the following: Administrator Type User Group Wildcard Password Confirm Password Admin Profile A name that identifies the administrator. The admin profile to apply to the administrator. To configure a PKI user 1 Go to User > PKI. Remote. peer groups. 4 Configure additional features as required. 220 FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs. The re-entered password that confirms the original entry in Password. Delete this PKI user. go to User > PKI. To view the PKI user list. The password the administrator uses to authenticate. Not available if Wildcard is enabled. Not available if Wildcard is enabled. The text string that appears in the subject field of the certificate of the authenticating user. Select to allow all accounts on the TACACS+ server to be administrators.

3 Enter the Name of the PKI user.
4 For Subject, enter the text string that appears in the subject field of the certificate of the authenticating user.
5 Select the CA certificate used to authenticate this user.
6 Select OK.

To create the user group (PKI)
1 Go to User > User Group.
2 Select Create New, or select the Edit icon beside an existing user group.
3 Enter the Name that identifies the user group.
4 For Type, select Firewall.
5 In the Available Users/Groups list, select the PKI user name and move it to the Members list.
6 Select OK.

To configure an administrator to authenticate with a PKI certificate
1 Go to System > Admin.
2 Select Create New, or select the Edit icon beside an existing administrator.
3 Enter or select the following:
    Administrator
        A name that identifies the administrator.
    Type
        PKI.
    User Group
        The user group that includes the PKI user as a member.
    Admin Profile
        The admin profile to apply to the administrator.
4 Configure additional features as required. For more information, see “Configuring an administrator account” on page 212.
5 Select OK.

Using trusted hosts

Setting trusted hosts for all of your administrators increases the security of your network by further restricting administrative access. In addition to knowing the password, an administrator must connect only through the subnet or subnets you specify. You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255.255.255.255.

When you set trusted hosts for all administrators, the FortiGate unit does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access.

The trusted host addresses all default to 0.0.0.0/0.0.0.0. If you set one of the 0.0.0.0/0.0.0.0 addresses to a non-zero address, the remaining 0.0.0.0/0.0.0.0 entries are ignored, so the administrator is restricted to the addresses you entered. The only way to use a wildcard entry is to leave the trusted hosts at 0.0.0.0/0.0.0.0. However, this configuration is less secure.

The trusted hosts you define apply both to the web-based manager and to the CLI when accessed through Telnet or SSH. CLI access through the console connector is not affected.
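The RADIUS, LDAP, TACACS+ and PKI procedures above, together with the trusted host rules, reduce to the following CLI configuration. This is an added example, not text or configuration from the guide: every server address, shared secret, bind DN, certificate name (CA_Cert_1), group name and account name is an assumption for illustration. It places the wildcard account, which the guide says works only with the trusted hosts left at their default, beside named Remote and PKI accounts that are pinned to specific management addresses.

```fortios
# Added example (not from the FortiGate guide). Server addresses, secrets,
# bind credentials, certificate and object names are assumptions.

# 1. Authentication servers (User > Remote > RADIUS / LDAP / TACACS+).
config user radius
    edit "radius_corp"
        set server "10.10.10.5"
        set secret "radius-shared-secret"
    next
end
config user ldap
    edit "ldap_corp"
        set server "10.10.10.6"
        # LDAPS on port 636, verified against the imported CA, so bind and
        # user credentials never cross the network in clear text.
        set port 636
        set secure ldaps
        set ca-cert "CA_Cert_1"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        # Bind Type Regular: a dedicated, least-privilege bind account.
        set type regular
        set username "cn=fgt-bind,ou=service,dc=example,dc=com"
        set password "bind-account-password"
    next
end
config user tacacs+
    edit "tacacs_corp"
        set server "10.10.10.7"
        set key "tacacs-shared-key"
        set authen-type auto
    next
end

# 2. PKI user (User > PKI): the certificate subject and issuing CA to trust.
config user peer
    edit "alice_cert"
        set ca "CA_Cert_1"
        set subject "CN=alice,OU=NetOps,O=Example"
    next
end

# 3. Firewall user groups (User > User Group), one server or peer per group.
config user group
    edit "admins_radius"
        set member "radius_corp"
    next
    edit "admins_ldap"
        set member "ldap_corp"
    next
    edit "admins_tacacs"
        set member "tacacs_corp"
    next
    edit "admins_pki"
        set member "alice_cert"
    next
end

# 4. Administrator accounts (System > Admin).
config system admin
    edit "radius_any"
        # Remote with Wildcard: any account the RADIUS server accepts may
        # log in, so no Password is set; one wildcard account per VDOM.
        set remote-auth enable
        set wildcard enable
        set remote-group "admins_radius"
        set accprofile "prof_admin"
        # A wildcard entry works only with the trusted hosts left at the
        # default 0.0.0.0/0.0.0.0, which is why this account stays open.
        set trusthost1 0.0.0.0 0.0.0.0
    next
    edit "bob"
        # Remote, named: the login name bob must exist on the LDAP server.
        set remote-auth enable
        set remote-group "admins_ldap"
        set accprofile "prof_admin"
        set trusthost1 10.1.1.22 255.255.255.255
    next
    edit "alice"
        # PKI: authenticated by certificate alone; there is no password.
        set peer-auth enable
        set peer-group "admins_pki"
        set accprofile "super_admin"
        set trusthost1 10.1.1.0 255.255.255.0
    next
end
```

The unrestricted wildcard account is the one weak point in this configuration: because it accepts logins from any address, it means the unit answers administrative connection attempts on every interface that has administrative access enabled. Prefer named Remote or PKI accounts with trusted hosts wherever the set of administrators is known.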

Admin profiles

Each administrator account belongs to an admin profile. The admin profile separates FortiGate features into access control categories for which an administrator with read/write access can enable none (deny), read only, or read/write access. The following table lists the web-based manager pages to which each category provides access.

Note: When Virtual Domain Configuration is enabled (see “Settings” on page 228), only the administrators with the admin profile super_admin have access to global settings. Other administrator accounts are assigned to one VDOM and cannot access global configuration options or the configuration for any other VDOM. For information about which settings are global, see “VDOM configuration settings” on page 104.

Table 39: Admin profile control of access to Web-based manager pages

Access control              Affected web-based manager pages
Admin Users
    System > Admin
    System > Admin > Central Management
    System > Admin > Settings
Antivirus Configuration
    UTM > AntiVirus
Auth Users
    User
Firewall Configuration
    Firewall
FortiGuard Update
    System > Maintenance > FortiGuard
IM, P2P & VoIP Configuration
    IM, P2P & VoIP > Statistics
    IM, P2P & VoIP > User > Current Users
    IM, P2P & VoIP > User > User List
    IM, P2P & VoIP > User > Config
IPS Configuration
    UTM > Intrusion Protection
Log&Report
    Log&Report
Maintenance
    System > Maintenance
Network Configuration
    System > Network > Interface
    System > Network > Zone
    System > DHCP
Router Configuration
    Router
Spamfilter Configuration
    UTM > AntiSpam
System Configuration
    System > Status, including Session info
    System > Config
    System > Hostname
    System > Network > Options
    System > Admin > Central Management
    System > Admin > Settings
    System > Status > System Time
VPN Configuration
    VPN
Webfilter Configuration
    UTM > Web Filter

Read-only access enables the administrator to view the web-based manager page. The administrator needs write access to change the settings on the page.

You can expand the firewall configuration access control to enable more granular control of access to the firewall functionality. You can control administrator access to policy, address, service, schedule, profile, and other (virtual IP, VIP) configurations separately.
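The access control categories above, and the per-item firewall permissions the last paragraph describes, are set from the CLI with config system accprofile. The following is an added example and not configuration from the guide: it defines a hypothetical firewall-operator profile that can change policies, addresses and services, can only view what an operator needs for troubleshooting, and is denied the administrator, VPN and update categories. The profile name and the permission choices are assumptions; the attribute names are the CLI category names shown in parentheses in Table 40 below.

```fortios
# Added example (not from the FortiGate guide). The profile name and the
# permission choices are assumptions for a firewall-operator role.
config system accprofile
    edit "fw_operator"
        # Admin Users: no access to System > Admin, so the operator cannot
        # create accounts or widen his or her own profile.
        set admingrp none
        # Firewall Configuration: expanded into per-item permissions.
        set fwgrp custom
        config fwgrp-permission
            set policy read-write
            set address read-write
            set service read-write
            set schedule read
            set profile read
            set others none
        end
        # Read-only view of what an operator needs for troubleshooting;
        # read access exposes get/show output but no config commands.
        set authgrp read
        set loggrp read
        set netgrp read
        set routegrp read
        set sysgrp read
        # Denied outright.
        set avgrp none
        set ipsgrp none
        set imp2pgrp none
        set mntgrp none
        set spamgrp none
        set updategrp none
        set vpngrp none
        set webgrp none
    next
end
```

Denying admingrp is the important choice: a profile that grants Admin Users read/write access lets its holders edit admin profiles, including their own, so every other restriction in the profile becomes advisory. Assign the profile to an account with set accprofile "fw_operator" under config system admin.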

The admin profile has a similar effect on administrator access to CLI commands. The following table shows which command types are available in each Access Control category. You can access “get” and “show” commands with Read Only access. Access to “config” commands requires Read-Write access. For more information, see the FortiGate CLI Reference.

Table 40: Admin profile control of access to CLI commands

Access control                      Available CLI commands
Admin Users (admingrp)
    system admin
    system accprofile
Antivirus Configuration (avgrp)
    antivirus
Auth Users (authgrp)
    user
Firewall Configuration (fwgrp)
    firewall
    Use the set fwgrp custom and config fwgrp-permission commands to set some firewall permissions individually. You can make selections for policy, address, service, schedule, profile, and other (VIP) configurations.
FortiProtect Update (updategrp)
    system autoupdate
    execute update-av
    execute update-ips
    execute update-now
IPS Configuration (ipsgrp)
    ips
Log & Report (loggrp)
    alertemail
    log
    system fortianalyzer
    execute log
    execute formatlogdisk
Maintenance (mntgrp)
    execute restore
    execute backup
    execute batch
    execute usb-disk
Network Configuration (netgrp)
    system arp-table
    system dhcp
    system interface
    system zone
    execute dhcp lease-clear
    execute dhcp lease-list
    execute clear system arp table
    execute interface

Table 40: Admin profile control of access to CLI commands (Continued)

Router Configuration (routegrp)
    router
    execute router
    execute mrouter
Spamfilter Configuration (spamgrp)
    spamfilter
System Configuration (sysgrp)
    system, except accprofile, admin, arp-table, autoupdate, fortianalyzer, interface, and zone
    execute date
    execute ha
    execute ping
    execute ping-options
    execute ping6
    execute time
    execute traceroute
    execute cfg
    execute factoryreset
    execute reboot
    execute shutdown
    execute deploy
    execute set-next-reboot
    execute ssh
    execute telnet
    execute disconnect-admin-session
    execute usb
VPN Configuration (vpngrp)
    vpn
    execute vpn
Webfilter Configuration (webgrp)
    webfilter

To add admin profiles for FortiGate administrators, go to System > Admin > Admin Profile. Each administrator account belongs to an admin profile. An administrator with read/write access can create admin profiles that deny access to, allow read-only, or allow both read and write access to FortiGate features. When an administrator has read-only access to a feature, the administrator can access the web-based manager page for that feature but cannot make changes to the configuration. There are no Create or Apply buttons, and lists display only the View icon instead of icons for Edit, Delete or other modification commands.

Viewing the admin profiles list

You need to use the admin account or an account with Admin Users read/write access to create or edit admin profiles. To view the admin profiles list, go to System > Admin > Admin Profile.

Figure 114: Admin profile list

Create New
    Add a new admin profile.
Profile Name
    The name of the admin profile.
Delete icon
    Select to delete the admin profile. You cannot delete an admin profile that has administrators assigned to it.
Edit icon
    Select to modify the admin profile.

Configuring an admin profile

You need to use the admin account or an account with Admin Users read/write access to edit an admin profile. To configure an admin profile, go to System > Admin > Admin Profile. Select Create New, or select the Edit icon beside an existing profile. Enter or select the following, and select OK.

Figure 115: Admin profile options

Profile Name
    Enter the name of the admin profile.
Access Control
    List of the items that can customize access control settings if configured.

    None
        Deny access to all Access Control categories.
    Read Only
        Enable read access in all Access Control categories.
    Read-Write
        Select to allow read/write access in all Access Control categories.
    Access Control (categories)
        Make specific control selections as required. For detailed information about the Access Control categories, see “Admin profiles” on page 222.
GUI Control
    Select Standard to use the default FortiGate web-based manager. Select Customize to create a custom web-based manager configuration for the administrators who log in with this admin profile. For more information, see “Customizable web-based manager” on page 231.

Central Management

The Central Management tab provides the option of remotely managing your FortiGate unit by either a FortiManager unit or the FortiGuard Analysis and Management Service. From System > Admin > Central Management, you can configure your FortiGate unit to back up or restore configuration settings automatically to the specified central management server. The central management server is the type of service you enable, either a FortiManager unit or the FortiGuard Analysis and Management Service. If you have a subscription for the FortiGuard Analysis and Management Service, you can also remotely upgrade the firmware on the FortiGate unit.

Figure 116: Central Management using FortiManager

Figure 117: Central Management using the FortiGuard Analysis and Management Service

Enable Central Management
    Enables the Central Management feature on the FortiGate unit.
Type
    Select the type of central management for this FortiGate unit. You can select FortiManager or the FortiGuard Analysis and Management Service.
FortiManager
    Select to use FortiManager as the central management service for the FortiGate unit. Enter the IP address or name of the FortiManager unit in the IP/Name field. Select Register to include the FortiManager unit in the Trusted FortiManager List.
    Status indicates whether or not the FortiGate unit can communicate with the FortiManager unit added to the IP/Name field. A green arrow-up indicates that there is a connection. A red arrow-down indicates that there is no connection enabled. A yellow caution symbol appears when your FortiGate unit is considered an unregistered device by the FortiManager unit.
    If your organization is operating a FortiManager cluster, add the IP address or name of the primary FortiManager unit to the IP/Name field and add the IP address or name of the backup FortiManager units to the Trusted FortiManager List.
FortiGuard Analysis and Management Service
    Select to use the FortiGuard Analysis and Management Service as the central management service for the FortiGate unit. Under Analysis and Management Service Options, enter the account ID in the Account ID field. If you do not have an account ID, register for the FortiGuard Analysis and Management Service on the FortiGuard Analysis and Management Service website. Select Change to go directly to System > Maintenance > FortiGuard.

When you are configuring your FortiGate unit to connect to and communicate with a FortiManager unit, the following steps must be taken because of the two different deployment scenarios.
• FortiGate is directly reachable from FortiManager:
    • In the FortiManager GUI, add the FortiGate unit to the FortiManager database in the Device Manager module
    • Change the FortiManager IP address
    • Change the FortiGate IP address
    • In System > Admin > Central Management, choose FortiManager
    • Add the FortiManager unit to the Trusted FortiManager List, if applicable
• FortiGate behind NAT:
    • Change the FortiManager IP address
    • Change the FortiGate IP address
    • Contact the FortiManager administrator to verify that the FortiGate unit displays in the Device list in the Device Manager module

Revision control

The Revision Control tab displays a list of the backed up configuration files. The list displays only when your FortiGate unit is managed by a central management server. For more information, see “Managing configuration revisions” on page 261.

Settings

The Settings tab includes the following features that you can configure:
• ports for HTTP/HTTPS administrative access and SSL VPN login
• the idle timeout setting
• settings for the language of the web-based manager and the number of lines displayed in generated reports
• PIN protection for LCD and control buttons (LCD-equipped models only)
• SCP capability for users logged in via SSH
• IPv6 support on the web-based manager.

To configure settings, go to System > Admin > Settings, enter or select the following and select OK.

Figure 118: Administrators Settings

Web Administration Ports
    HTTP
        TCP port to be used for administrative HTTP access. The default is 80.
    HTTPS
        TCP port to be used for administrative HTTPS access. The default is 443.
    SSLVPN Login Port
        An alternative HTTPS port number for remote client web browsers to connect to the FortiGate unit. The default port number is 10443.
    Telnet Port
        TCP port to be used for administrative telnet access. The default is 23.
    SSH Port
        TCP port to be used for administrative SSH access. The default is 22.
    Enable SSH v1 compatibility
        Enable compatibility with SSH v1 in addition to v2. SSH v1 has known cryptographic weaknesses; leave this disabled unless a legacy client requires it.
Timeout Settings
    Idle Timeout
        The number of minutes that an administrative connection can be idle before the administrator must log in again. The maximum is 480 minutes (8 hours). To improve security, keep the idle timeout at the default value of 5 minutes.
Display Settings
    Language
        The language the web-based manager uses. Choose from English, Simplified Chinese, Japanese, Korean, Spanish, Traditional Chinese or French. You should select the language that the management computer operating system uses.
    Lines per Page
        Number of lines per page to display in table lists. The range is 20 to 1000. The default is 50.
    IPv6 Support on GUI
        Enable to configure IPv6 options from the GUI (firewall policy, route, address and address group). Note: IPv6 is not supported in Transparent mode.
LCD Panel (LCD-equipped models only)
    PIN Protection
        Select and enter a 6-digit PIN. Administrators must enter the PIN to use the control buttons and LCD.
Enable SCP
    (Optional) Enable users logged in through SSH to use SCP to copy the configuration file. By default the configuration file can be retrieved from the CLI only.

Note: If you make a change to the default port number for HTTP, HTTPS, Telnet, or SSH, ensure that the port number is unique.

Monitoring administrators

To see the number of logged-in administrators, go to System > Status. Under System Information, you will see Current Administrators. Select Details to view information about the administrators currently logged in to the FortiGate unit.

Figure 119: System Information displaying current administrators

Figure 120: Detailed view of Administrators logged in monitor window

Disconnect
    Select to disconnect the selected administrators. This is available only if your admin profile gives you System Configuration write permission. You cannot log off the default “admin” user.
Refresh
    Select to update the list.
Close
    Select to close the window.
User Name
    The administrator account name. Select the check box beside a name and then select Disconnect to log off that administrator. This is available only if your admin profile gives you System Configuration write access.
Type
    The type of access: http, https, jsconsole, sshv2.
From
    The administrator’s IP address. If Type is jsconsole, the value in From is N/A.
Time
    The date and time that the administrator logged on.

FortiGate IPv6 support

IPv6 is version 6 of the Internet Protocol. It can provide billions more unique IP addresses than the previous standard, IPv4. The internet is currently in transition from IPv4 to IPv6 addressing. IPv6 hosts and routers maintain interoperability with the existing IPv4 infrastructure in two ways:
• implementing dual IP layers to support both IPv6 and IPv4
• using IPv6 over IPv4 tunneling to encapsulate IPv6 packets within IPv4 headers to carry them over IPv4 infrastructure.

FortiGate units are dual IP layer IPv6/IPv4 nodes. They support IPv6 over IPv4 tunneling. You can assign both an IPv4 and an IPv6 address to any interface on a FortiGate unit; the interface functions as two interfaces, one for IPv4-addressed packets and another for IPv6-addressed packets.

Before you can work with IPv6 on the web-based manager, you must enable IPv6 support. To enable IPv6 support, go to System > Admin > Settings, then under Display Settings, select IPv6 Support on GUI. See “Settings” on page 228.

Note: IPv6 is not supported in Transparent mode.

For more information, see the FortiGate IPv6 Support Technical Note available from the Fortinet Knowledge Center.

After you enable IPv6 support in the web-based manager, you can configure IPv6 routing, firewall policies and IPSec VPN:
• create IPv6 static routes (see Router Static)
• monitor IPv6 routes (see Router Monitor)

• create IPv6 firewall addresses (see Firewall Address)
• create IPv6 firewall address groups (see Firewall Address)
• create IPv6 firewall policies (see Firewall Policy)
• create VPNs that use IPv6 addressing (see IPSec VPN)

Once IPv6 support is enabled, you can configure the IPv6 options using the web-based manager or the CLI. See the FortiGate CLI Reference for information on configuring IPv6 support using the CLI.

Customizable web-based manager

In addition to configuring administrators with varying levels of access to different parts of the FortiGate unit configuration, you can customize the FortiGate web-based manager (or GUI) to show, hide, and arrange widgets/menus/items according to your specific requirements. Customizing the display allows you to vary or limit the GUI layout to fulfill different administrator roles, and also to prevent an administrator from viewing additional FortiGate features. The customized GUI layouts are stored as part of the administrator admin profile.

In standard operation mode, the display is static. The FortiGate default layout cannot be modified. New admin profiles are based on the default layout. Only administrators with the super_admin admin profile may create and edit GUI layouts. There are also several configuration widgets which you can enable for CLI-only options that are not displayed by default.

Before customizing the GUI layout, you need to configure the administrative admin profile. To configure the profile, go to System > Admin > Admin Profile and select Create New.

Tip: Increase the timeout settings before creating or editing a GUI layout. See “Settings” on page 228.

Terms used in this section include:
• Dialog box - HTML-layer pop-up window, displayed via HTML with a grayed-out background (see Figure 124).
• GUI layout - web-based manager layout configured for a specific Admin Profile (see Figure 135).
• Page layout - arrangement of widgets on a screen of the web-based manager (see Figure 132).
• Tier 1 menu item - top-level menu item in the web-based manager layout (see “To create Tier-1 and Tier-2 menu items” on page 235).
• Tier 2 menu item - submenu item in the web-based manager layout (see “To create Tier-1 and Tier-2 menu items” on page 235).

GUI layout customization example

The following example illustrates the basic steps to customize the display. The example assumes that you are an administrator with a super_admin profile performing the customization. The super_admin will create a profile called Report Profile for a regular admin user. This profile will allow the regular admin user read-only access to logs and reports produced by the FortiGate unit.

Figure 121: Admin profile dialog box (default settings)

Note: The current administrator Access Control settings apply only to the fixed components of the layout (default), not to the customized items. If you want to create a completely customized layout profile, and prevent access to the default layout, you must set access for all fixed components to None and also set all the standard menu items to Hide from within the GUI layout dialog box (see Figure 124).

The following configuration will set up read-only administrative access to Log&Report items for the Report Profile profile.

Figure 122: Admin Profile dialog box - Log & Report access
Callouts: Access denied to other layout items; Read-only access selected for Log & Report; Standard GUI Control Menu Layout selection

To configure the admin profile
1 Enter the name Report Profile (see Figure 122).
2 To prevent access to the default layout items, set Access Control to None for all items except Log & Report.
3 Under GUI Control > Menu Layout, select Standard.
4 Select OK to save the settings. The admin profiles list reappears.
5 From the list, select the Edit icon beside Report Profile.
6 Under GUI Control > Menu Layout, select Customize, and then select OK (see Figure 123 and Figure 124).

Figure 123: Selection of Customize GUI Control option for Report Profile
Callout: Select Customize to access the layout dialog box

Figure 124: Customize GUI layout dialog box for Report Profile
Callouts: Customization drop-down menu icon; Edit Layout; Add Content; Show Preview; Customization drop-down menu; Save layout; Cancel layout changes; Layout preview icon; Create new Tier-1 menu item; Reset menu to default layout configuration

In the GUI layout dialog box, select the customization drop-down menu icon beside System and select hide (see Figure 124). Repeat for each menu item except Log&Report.

To start the configuration of customized menu items, select the Create New (Tier-1 menu item) icon in the FortiGate menu. You will need to:
• configure Tier-1 and Tier-2 menu items
• add tabs to each of these items as required
• add content to the page layout.

Figure 125: Creating Tier-1 and Tier-2 menu items in FortiGate menu
Callouts: (1) and (2) Creation of new Tier-1 menu item Custom Log Report; (3) and (4) Creation of new Tier-2 menu item Custom Log Menu1; (5) and (6) Creation of new Tier-2 menu item Custom Log Menu2

To create Tier-1 and Tier-2 menu items
1 Select the Create New Tier-1 icon. The first Tier-1 menu item, with the default name custom menu, will appear, with an additional Create New Tier-1 icon below it (1).
2 Select and rename the default name to Custom Log Report (2).
3 Press Enter to save your change. The Create New Tier-2 icon will appear.
4 Select the Create New Tier-2 icon (3).
5 The first Tier-2 menu item, with the default name custom menu, will appear, with an additional Create New Tier-2 icon below it (4).
6 Select and rename the default name to Custom Log Menu1 (5).
7 Press Enter to save your change.
8 Repeat steps 4 to 7 to create a second Tier-2 menu item called Custom Log Menu2 (5) and (6).

After you create Tier-1 and Tier-2 menu items, you need to create the subset of tab items across the page layout. The Create New tab icon is not available until you have created the Tier-1 and Tier-2 menu items.

To create a new tab
1 Select the Create New tab item icon (see Figure 5). A tab is created with the default name custom menu, and an additional Create New icon appears beside it.

2 Select and rename the default name to Custom Log Report Tab1 (see Figure 127).
3 Press Enter to save your change.
4 Repeat steps 1 to 3 to create a second tab called Custom Log Report Tab2.

Figure 126: Create New tab
Callout: Create New tab item icon

Figure 127: Creating tabs in page layout
Callouts: Creation of tab Custom Log Report Tab1; Creation of tab Custom Log Report Tab2

To modify the configuration of the current page
1 Select the required tab, then select Edit Layout. The Edit this tab dialog box appears (see Figure 128). You may configure the page layout to display only one widget (Full page), a page layout with one column that displays up to 8 widgets (1 column), or a page layout with two columns (2 columns) that displays up to 8 widgets.
2 For the Custom Log Report Tab1, select 2 columns.
3 To save your modified configuration, select Save in the Edit this tab dialog box.
5 To save your customized layout, select Save in the GUI layout dialog box (see Figure 124).

Figure 128: Edit this tab dialog box

To add content to the page layout, select Add Content (see Figure 124). The Add content to the Custom Log Report Tab1 dialog box appears (see Figure 129).

Figure 129: Add content dialog box
Callout: Search text box

The Add content dialog box includes a search feature that you can use to find widgets. This search employs a real-time filtering mechanism with a “contains” type search on the widget names. For example, if you search on “use”, you will be shown User Group, Banned User, IM User Monitor, Firewall User Monitor, and Top Viruses (see Figure 130).

Figure 130: Search mechanism - results for “use”
Callouts: Search on “use”; Search results

For Custom Log Report Tab1, select the Log&Report category. All the items related to the Log&Report menu item are listed (see Figure 131). Select Add next to an item that you want to include in the tab. The item is placed in the page layout behind the Custom Log Report Tab1 dialog box. The maximum number of items that can be placed in a page layout is 8. You will see the configured layout when you close the Add content to the Custom Log Report Tab1 dialog box.

For the Custom Log Report Tab1, select the following items for inclusion in the layout:
• Alert E-mail
• Schedule.

Close the Edit Layout dialog box.

Figure 131: Log&Report category selection for Custom Log Report Tab1

Figure 132: Custom Log Report Tab1 page layout preview

For the Custom Log Report Tab2, select the following items for inclusion in the layout:
• Event Log
• Log Setting.

Figure 133: Log&Report category selection for Custom Log Report Tab2

Figure 134: Custom Log Report Tab2 page layout preview

To preview a customized layout in the custom GUI layout dialog box, select Show Preview (see Figure 135). When you have completed the configuration selections for the page layout, select Save to close the custom GUI layout dialog box (see Figure 135). To exit the GUI layout dialog box without saving your changes, select Cancel (see Figure 135). To abandon the configuration, select Reset menus (see Figure 135).

Figure 135: Report Profile customized GUI layout dialog box - complete
Callouts: Cancel; Show Preview; Save; Reset menus

When you complete the customization, close the dialog box to return to the Admin Profile dialog box in which you configured the custom GUI. To save the configuration, select OK to close the Admin Profile dialog box (see Figure 121).

To view the web-based manager configuration created in Report Profile, you must log out of the FortiGate unit, then log back in using the name and password of an administrator assigned the Report Profile administrative profile. The FortiGate web-based manager reflects the customized configuration of Report Profile (see Figure 136).

Figure 136: Customized FortiGate web-based manager page


System Certificates

This section explains how to manage X.509 security certificates using the FortiGate web-based manager. Certificate authentication allows administrators to generate certificate requests, install signed certificates, import CA root certificates and certificate revocation lists, and back up and restore installed certificates and private keys. The FortiGate unit can then use certificate authentication to reject or allow administrative access via HTTPS, with SSL VPN, IPSec, LDAP, and PKI, and to authenticate IPSec VPN peers or clients, as well as SSL VPN user groups or clients.

Authentication is the process of determining if a remote host can be trusted with access to network resources. To establish its trustworthiness, the remote host must provide an acceptable authentication certificate by obtaining a certificate from a certification authority (CA). For additional background information on certificates, see the FortiGate Certificate Management User Guide.

If you enable virtual domains (VDOMs) on the FortiGate unit, system certificates are configured globally for the entire FortiGate unit. For details, see “Using virtual domains” on page 103.

There are several certificates on the FortiGate unit that have been automatically generated:

Table 41: Automatically generated FortiGate certificates
Fortinet_Firmware: Embedded inside the firmware. Same on all FortiGate units. Listed under Certificates > Local, or in FortiGate CLI under vpn certificate local. Used for FortiGate/FortiManager tunnel, and for HTTPS administrative access if Fortinet_Factory2 is not available. Signed by Fortinet_CA.
Fortinet_Factory: Embedded inside BIOS. Unique to each FortiGate unit. Listed under Certificates > Local, or in FortiGate CLI under vpn certificate local. Used so FortiGate units without Fortinet_Factory2 certificates have a built-in certificate signed by a FortiGate CA. Signed by Fortinet_CA.
Fortinet_Factory2: Embedded inside BIOS. Unique to each FortiGate unit. Found only on units shipped at the end of 2008 onward. Listed under Certificates > Local, or in FortiGate CLI under vpn certificate local. Used for FortiGate/FortiManager tunnel and HTTPS administrative access. Signed by Fortinet_CA2.
Fortinet_CA: Fortinet’s CA certificate. Embedded inside firmware and BIOS. Listed under Certificates > CA, or in FortiGate CLI under vpn certificate ca or vpn certificate ocsp. Used to verify certificates that claim to be signed by Fortinet, for example with a FortiGate/FortiManager tunnel or an SSL connection to a FortiGuard server.
Fortinet_CA2: Fortinet’s CA certificate. Embedded inside BIOS. Found only on units shipped at the end of 2008 onward. Listed under Certificates > CA, or in FortiGate CLI under vpn certificate ca or vpn certificate ocsp. Will eventually replace Fortinet_CA, as Fortinet_CA will expire in 2020.

System administrators can use these certificates wherever they may be required.

This section describes:
• Local Certificates
• Remote Certificates
• CA Certificates
• CRL

Local Certificates

Certificate requests and installed server certificates are displayed in the Local Certificates list. After you submit the request to a CA, the CA will verify the information and register the contact information on a digital certificate that contains a serial number, an expiration date, and the public key of the CA. The CA will then sign the certificate and send it to you to install on the FortiGate unit.

To view certificate requests and/or import signed server certificates, go to System > Certificates > Local Certificates. To view certificate details, select the View Certificate Detail icon in the row that corresponds to the certificate.

Figure 137: Local Certificates list
Callouts: Download; View Certificate Detail; Delete

Generate: Generate a local certificate request. For more information, see “Generating a certificate request” on page 245.
Import: Import a signed local certificate. For more information, see “Importing a signed server certificate” on page 247.
Name: The names of existing local certificates and pending certificate requests.
Subject: The Distinguished Names (DNs) of local signed certificates.
Comments: A description of the certificate.

Status: The status of the local certificate. PENDING designates a certificate request that needs to be downloaded and signed.
View Certificate Detail icon: Display certificate details such as the certificate name, issuer, subject, and valid certificate dates.
Delete icon: Delete the selected certificate request or installed server certificate from the FortiGate configuration.
Download icon: Save a copy of the certificate request to a local computer. This is available only if the certificate has PENDING status. You can send the request to your CA to obtain a signed server certificate for the FortiGate unit (SCEP-based certificates only). To download and send the certificate request to a CA, see “Downloading and submitting a certificate request” on page 246.

For detailed information and step-by-step procedures related to obtaining and installing digital certificates, see the FortiGate Certificate Management User Guide.

Generating a certificate request

The FortiGate unit generates a certificate request based on the information you enter to identify the FortiGate unit. After you generate a certificate request, you can download the request to a computer that has management access to the FortiGate unit and then forward the request to a CA. Generated requests are displayed in the Local Certificates list with a status of PENDING.

To fill out a certificate request, go to System > Certificates > Local Certificates, select Generate, and complete the fields in the table below.

Figure 138: Generate Certificate Signing Request
Callout: Remove/Add OU

Certification Name: Enter a certificate name. Typically, this would be the name of the FortiGate unit. To enable the export of a signed certificate as a PKCS12 file later on if required, do not include spaces in the name.

Subject Information: Enter the information needed to identify the FortiGate unit:
Host IP: If the FortiGate unit has a static IP address, select Host IP and enter the public IP address of the FortiGate unit. If the FortiGate unit does not have a public IP address, use an email address (or domain name if available) instead.
Domain Name: If the FortiGate unit has a static IP address and subscribes to a dynamic DNS service, use a domain name if available to identify the FortiGate unit. If you select Domain Name, enter the fully qualified domain name of the FortiGate unit. Do not include the protocol specification (http://) or any port number or path names.
E-Mail: If a domain name is not available and the FortiGate unit subscribes to a dynamic DNS service, an “unable to verify certificate” message may be displayed in the user’s browser whenever the public IP address of the FortiGate unit changes. If you select E-mail, enter the email address of the owner of the FortiGate unit.

Optional Information: Complete as described or leave blank.
Organization Unit: Enter the name of your department or departments. You can enter a maximum of 5 Organization Units. To add or remove a unit, use the plus (+) or minus (-) icon.
Organization: Enter the legal name of your company or organization.
Locality (City): Enter the name of the city or town where the FortiGate unit is installed.
State/Province: Enter the name of the state or province where the FortiGate unit is installed.
Country: Select the country where the FortiGate unit is installed.
e-mail: Enter the contact email address.

Key Type: Only RSA is supported.
Key Size: Select 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate but they provide better security.

Enrollment Method: Select one of the following methods:
File Based: Select to generate the certificate request.
Online SCEP: Select to obtain a signed SCEP-based certificate automatically over the network. CA Server URL: Enter the URL of the SCEP server from which to retrieve the CA certificate. Challenge Password: Enter the CA server challenge password.

Downloading and submitting a certificate request

You have to fill out a certificate request and generate the request before you can submit the results to a CA. For more information, see “Generating a certificate request” on page 245.

To download and submit a certificate request
1 Go to System > Certificates > Local Certificates.
2 In the Local Certificates list, select the Download icon in the row that corresponds to the generated certificate request.
3 In the File Download dialog box, select Save to Disk.
4 Name the file and save it to the local file system.

5 Submit the request to your CA as follows:
• Using the web browser on the management computer, browse to the CA web site.
• Follow the CA instructions to place a base-64 encoded PKCS#12 certificate request and upload your certificate request.
• Follow the CA instructions to download their root certificate and Certificate Revocation List (CRL), and then install the root certificate and CRL on each remote client (refer to the browser documentation).
6 When you receive the signed certificate from the CA, install the certificate on the FortiGate unit. See “Importing a signed server certificate” on page 247.

Importing a signed server certificate

Your CA will provide you with a signed server certificate to install on the FortiGate unit. When you receive the signed certificate from the CA, save the certificate on a computer that has management access to the FortiGate unit. To install the signed server certificate, go to System > Certificates > Local Certificates and select Import. The certificate file can be in either PEM or DER format. The other dialog boxes are for importing previously exported certificates and private keys. For more information, see the FortiGate Certificate Management User Guide.

Figure 139: Upload Local Certificate
Certificate File: Enter the full path to and file name of the signed server certificate.
Browse: Alternatively, browse to the location on the management computer where the certificate has been saved, select the certificate, and then select OK.

Importing an exported server certificate and private key file

The file is associated with a password, which you will need to know in order to import the file. Before you begin, save a copy of the file on a computer that has management access to the FortiGate unit. To import the PKCS12 file, go to System > Certificates > Local Certificates and select Import.

Figure 140: Upload PKCS12 Certificate
Certificate with key: Enter the full path to and file name of the previously exported PKCS12 file.

Browse: Alternatively, browse to the location on the management computer where the PKCS12 file has been saved, select the file, and then select OK.
Password: Type the password needed to upload the PKCS12 file.

Note: The certificate file must not use 40-bit RC2-CBC encryption.

Importing separate server certificate and private key files

You need to use the Upload Certificate dialog box to import a server certificate and the associated private key file when the server certificate request and private key were not generated by the FortiGate unit. The two files to import must be available on the management computer.

Figure 141: Upload Certificate
Certificate file: Enter the full path to and file name of the previously exported certificate file.
Browse: Alternatively, browse to the location of the previously exported certificate file, select the file, and then select OK.
Key file: Enter the full path to and file name of the previously exported key file.
Browse: Alternatively, browse to the location of the previously exported key file, select the file, and then select OK.
Password: If a password is required to upload and open the files, type the password, and then select OK.

Remote Certificates

For dynamic certificate revocation, you need to use an Online Certificate Status Protocol (OCSP) server. The OCSP is configured in the CLI only. For more information, see the FortiGate CLI Reference. Remote certificates are public certificates without a private key. Installed Remote (OCSP) certificates are displayed in the Remote Certificates list. To view installed Remote (OCSP) certificates or import a Remote (OCSP) certificate, go to System > Certificates > Remote. To view certificate details, select the View Certificate Detail icon in the row that corresponds to the certificate.

Note: There is one OCSP per VDOM.
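The following added example (not from the guide or from Fortinet) reproduces with openssl on the management computer the request that “Generating a certificate request” describes, and then runs the checks worth doing on a signed certificate or exported PKCS12 file before uploading it through the Import dialogs above: which of PEM or DER a file is, and whether the PKCS12 bundle uses the 40-bit RC2-CBC encryption the note rejects. It assumes openssl is installed; every file name, subject value and password is a constructed placeholder, and the self-signing step only stands in for the CA.

```shell
#!/bin/sh
# Added example, not part of the FortiGate guide. Builds the certificate
# request with the fields the Generate dialog asks for, self-signs it as a
# stand-in for the CA, and checks the resulting files the way a reviewer
# would before uploading them to the FortiGate unit.
# All names, subject values and passwords below are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/fortigate.key"
CSR="$WORK/fortigate.csr"
CERT_PEM="$WORK/fortigate.pem"
CERT_DER="$WORK/fortigate.der"
P12="$WORK/fortigate.p12"

# Subject fields as the dialog collects them: Domain Name becomes the CN
# (fully qualified, no scheme, port or path), up to five OUs, then
# O, L, ST, C and the contact e-mail. RSA is the only key type offered.
generate_request() {
    bits="$1"    # 1024, 1536 or 2048, the sizes the dialog lists
    openssl req -new -newkey "rsa:$bits" -nodes -keyout "$KEY" -out "$CSR" \
        -subj "/C=CA/ST=British Columbia/L=Burnaby/O=Example Corp/OU=IT/OU=Security/CN=fgt.example.com/emailAddress=admin@example.com" \
        >/dev/null 2>&1
}

# The CA's first check: the request's self-signature must verify with the
# public key it carries. Exit status 0 means the request is consistent.
verify_request() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# RSA modulus size actually carried in the request.
request_key_bits() {
    openssl req -in "$CSR" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Stand-in for the CA: self-sign the request so the rest of the procedure
# has a certificate to work with. A real CA signs with its own key instead.
# The DER copy exists because the Import dialog accepts either encoding.
sign_request_locally() {
    openssl x509 -req -in "$CSR" -signkey "$KEY" -days 1 -out "$CERT_PEM" \
        >/dev/null 2>&1
    openssl x509 -in "$CERT_PEM" -outform DER -out "$CERT_DER"
}

# Tell PEM (base64 text with BEGIN/END markers) from DER (raw ASN.1 bytes),
# so the right -inform is used when inspecting the file.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo PEM
    else
        echo DER
    fi
}

# Subject of a certificate in either encoding, printed in RFC 2253 form.
cert_subject() {
    openssl x509 -in "$1" -inform "$(cert_format "$1")" -noout -subject \
        -nameopt RFC2253
}

# Export certificate and key as one PKCS12 file. Older PKCS12 tooling
# (OpenSSL before 3.0 included) encrypted the certificate bag with
# 40-bit RC2-CBC by default, which the FortiGate import rejects, so
# request PBES2 with AES for both the certificate and the key bag.
export_pkcs12() {
    openssl pkcs12 -export -in "$CERT_PEM" -inkey "$KEY" -out "$P12" \
        -passout "pass:$1" -certpbe AES-256-CBC -keypbe AES-256-CBC
}

# Summary of the algorithms recorded in a PKCS12 file (openssl writes this
# to stderr). Inspect a bundle this way to spot RC2 before uploading it.
pkcs12_algorithms() {
    openssl pkcs12 -in "$P12" -info -noout -passin "pass:$1" 2>&1
}
```

The same `pkcs12_algorithms` check can be pointed at a bundle exported by any other tool by setting P12 to that file and supplying its password.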

Figure 142: Remote certificate list
Import: Import a public OCSP certificate.
Name: The names of existing Remote (OCSP) certificates. The FortiGate unit assigns unique names (REMOTE_Cert_1, REMOTE_Cert_2, REMOTE_Cert_3, and so on) to the Remote (OCSP) certificates when they are imported.
Subject: Information about the Remote (OCSP) certificate.
Delete icon: Delete a Remote (OCSP) certificate from the FortiGate configuration. You cannot delete the Fortinet_CA certificate.
View Certificate Detail icon: Display certificate details.
Download icon: Save a copy of the Remote (OCSP) certificate to a local computer.

Importing Remote (OCSP) certificates

To import a Remote (OCSP) certificate, go to System > Certificates > Remote and select Import.

Figure 143: Upload Remote Certificate
Local PC: Enter the location in a management PC to upload a public certificate.
Browse: Alternatively, browse to the location on the management computer where the certificate has been saved, select the certificate, and then select OK.

The system assigns a unique name to each Remote (OCSP) certificate. The names are numbered consecutively (REMOTE_Cert_1, REMOTE_Cert_2, REMOTE_Cert_3, and so on).

CA Certificates

When you apply for a signed personal or group certificate to install on remote clients, you must obtain the corresponding root certificate and CRL from the issuing CA. When you receive the certificate, install it on the remote clients according to the browser documentation. Install the corresponding root certificate and CRL from the issuing CA on the FortiGate unit. See “Importing CA certificates” on page 250.

Installed CA certificates are displayed in the CA Certificates list. To view installed CA root certificates or import a CA root certificate, go to System > Certificates > CA Certificates. To view root certificate details, select the View Certificate Detail icon in the row that corresponds to the certificate.

Figure 144: CA Certificates list
Callouts: View Certificate Detail; Download

Import: Import a CA root certificate. See “Importing CA certificates” on page 250.
Name: The names of existing CA root certificates. The FortiGate unit assigns unique names (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on) to the CA certificates when they are imported.
Subject: Information about the issuing CA.
Delete icon: Delete a CA root certificate from the FortiGate configuration.
View Certificate Detail icon: Display certificate details.
Download icon: Save a copy of the CA root certificate to a local computer.

For detailed information and step-by-step procedures related to obtaining and installing digital certificates, see the FortiGate Certificate Management User Guide.

Importing CA certificates

After you download the root certificate of the CA, save the certificate on a PC that has management access to the FortiGate unit. To import a CA root certificate, go to System > Certificates > CA Certificates and select Import.

Figure 145: Import CA Certificate
SCEP: Select to use an SCEP server to access the CA certificate for user authentication. Enter the URL of the SCEP server from which to retrieve the CA certificate. Optionally, enter identifying information of the CA, such as the file name. Select OK. If you choose SCEP, the system starts the retrieval process as soon as you select OK.
Local PC: Select to use a local administrator’s PC to upload a public certificate. Enter the location, or browse to the location on the management computer where the certificate has been saved, select the certificate, and then select OK.

The system assigns a unique name to each CA certificate. The names are numbered consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).

CRL

A Certificate Revocation List (CRL) is a list of CA certificate subscribers paired with certificate status information. The FortiGate unit uses CRLs to ensure that the certificates belonging to CAs and remote clients are valid. Installed CRLs are displayed in the CRL list. To view installed CRLs, go to System > Certificates > CRL.

Note: When the CRL is configured with an LDAP, HTTP, and/or SCEP server, the latest version of the CRL is retrieved automatically from the server when the FortiGate unit does not have a copy of it or when the current copy expires.

Figure 146: Certificate revocation list
Callouts: View Certificate Detail; Download

Import: Import a CRL. For more information, see “Importing a certificate revocation list” on page 251.
Name: The names of existing certificate revocation lists. The FortiGate unit assigns unique names (CRL_1, CRL_2, CRL_3, and so on) to certificate revocation lists when they are imported.
Subject: Information about the certificate revocation lists.
Delete icon: Delete the selected CRL from the FortiGate configuration.
View Certificate Detail icon: Display CRL details such as the issuer name and CRL update dates.
Download icon: Save a copy of the CRL to a local computer.

Importing a certificate revocation list

Certificate revocation lists from CA web sites must be kept updated on a regular basis to ensure that clients having revoked certificates cannot establish a connection with the FortiGate unit. After you download a CRL from the CA web site, save the CRL on a computer that has management access to the FortiGate unit. To import a certificate revocation list, go to System > Certificates > CRL and select Import.

Figure 147: Import CRL
HTTP: Select to use an HTTP server to retrieve the CRL. Enter the URL of the HTTP server.
LDAP: Select to use an LDAP server to retrieve the CRL, then select the LDAP server from the list.
SCEP: Select to use an SCEP server to retrieve the CRL. Enter the URL of the SCEP server from which the CRL can be retrieved, then select the Local Certificate from the list.
Local PC: Select to use a local administrator’s PC to upload a public certificate. Enter the location, or browse to the location on the management computer where the certificate has been saved, select the certificate, and then select OK.

The system assigns a unique name to each CRL. The names are numbered consecutively (CRL_1, CRL_2, CRL_3, and so on).

System Maintenance

This section describes how to maintain your system configuration as well as how to enable and update FDN services. This section also explains the types of FDN services that are available for your FortiGate unit.

If you enable virtual domains (VDOMs) on the FortiGate unit, system maintenance is configured globally for the entire FortiGate unit. For more information, see “Using virtual domains” on page 103.

This section includes the following topics:
• About the Maintenance menu
• Managing configuration revisions
• Using script files
• Configuring FortiGuard Services
• Troubleshooting FDN connectivity
• Updating antivirus and attack definitions
• Enabling push updates
• Adding VDOM Licenses

About the Maintenance menu

The maintenance menu provides help with maintaining and managing firmware, configuration revisions, script files, and FortiGuard subscription-based services. From this menu, you can upgrade or downgrade the firmware, view historical backups of configuration files, import CLI commands, remotely upgrade firmware, or update FortiGuard services. You can also restore the system configuration from previously downloaded backup files in the Backup & Restore menu.

The maintenance menu has the following tabs:
• Backup & Restore - allows you to back up and restore your system configuration file. You can save the configuration to the management computer or to a USB disk if your FortiGate unit includes a USB port (see “Formatting USB Disks” on page 261). When backing up the system configuration, web content files and spam filtering files are also included.
• Revision Control - displays all system configuration backups with the date and time of when they were backed up. Before you can use revision control, a Central Management server must be configured and enabled.
• Scripts - displays script execution history and provides a way to upload script files to the FortiGuard Analysis and Management Service portal web site.
• FortiGuard - displays all FDN subscription services, such as antivirus and IPS definitions as well as the FortiGuard Analysis and Management Service. This tab also provides configuration options for antivirus, IPS, web filtering, and antispam services.
• License - allows you to increase the maximum number of VDOMs (on some FortiGate models).

When backing up the system configuration, the content of the backup file depends on the administrator account that created it.
When virtual domain configuration is enabled, a backup of the system configuration from the super_admin account contains global settings and the settings included in each VDOM. Only the super_admin can restore the configuration from this file.
When you back up the system configuration from a regular administrator account, the backup file contains the global settings and the settings for the VDOM that the regular administrator belongs to. A regular administrator is the only user account that can restore the configuration from this file.

Backing up and restoring
The Backup & Restore tab allows you to back up and restore your FortiGate configuration to your management PC, a central management server, or a USB disk. The central management server is whatever remote management service the FortiGate unit is connected to. For example, if the current configuration on a FortiGate-60 is backed up to a FortiManager unit, the central management server is the FortiManager unit. You must configure central management in System > Admin > Central Management before these options are available in the Backup & Restore section. For more information, see “Central Management” on page 226.
You can back up and restore your configuration to a USB disk if the FortiGate unit includes a USB port and if you have connected a USB disk to the USB port. FortiGate units support most USB disks including USB keys and external USB hard disks (see “Formatting USB Disks” on page 261).
The FortiClient section of Backup & Restore is available if your FortiGate model supports FortiClient. Some FortiGate models support FortiClient by storing a FortiClient image that users can download. This feature is currently available on FortiGate-1000A, 3600A, and 5005FA2 models.
Note: The Firmware section is available only on FortiGate-100A units and higher. If you have a FortiGate-60B unit or lower, you can upgrade or downgrade the firmware by going to System > Status and selecting the Update link that appears beside Firmware Version.
Tip: For simplified procedures on managing firmware, including backup and restore options, and on uploading and downloading firmware for your FortiGate unit, see “Managing firmware versions” on page 91.
To view the backup and restore options, go to System > Maintenance > Backup and Restore.

Figure 148: Backup and restore page on a FortiGate-1000A unit

Basic backup and restore options
This section of the Backup & Restore page provides the option of backing up the current configuration file to several different locations, including encryption for added security. You can also restore a backed-up configuration file.
To view the backup and restore options, go to System > Maintenance > Backup & Restore.
Figure 149: Backup & Restore options with FortiGuard services option enabled
Backup
Backup configuration to: The options available for backing up your current configuration. Select one of the displayed options:
Local PC: Back up the configuration to the management computer the FortiGate unit is connected to. Local PC is always displayed regardless of whether a USB disk is available.
USB Disk: Back up the configuration file to the USB disk connected to the FortiGate unit. USB Disk is displayed only if the FortiGate unit includes a USB port. If you do not connect a USB disk, this option is grayed out. For more information, see “Formatting USB Disks” on page 261.
FortiGuard | Management Station: Back up the configuration to the FortiGuard Analysis and Management Service. FortiGuard is displayed when the FortiGuard Analysis and Management Service is enabled. If the service is not enabled, or the FortiGate unit is connected to a FortiManager unit, Management Station is displayed.

FortiManager: Back up the configuration to the configured FortiManager unit. If the FortiGate unit is not connected to a FortiManager unit, this option is not displayed.
Encrypt configuration file: Select to encrypt the backup file. Encryption must be enabled to save VPN certificates with the configuration. This option is not available for configurations backed up to a FortiManager unit.
Password: Enter a password to encrypt the configuration file. You will need this password to restore the configuration file.
Confirm: Enter the password again to confirm the password.
Filename: Enter the name of the backup file or select Browse to locate the file. The Filename field is available only when you choose to back up the configuration to a USB disk. See “Formatting USB Disks” on page 261.
Backup: Select to back up the configuration. If you are backing up to a FortiManager device, a confirmation message is displayed after successful completion of the backup.
Restore
Restore configuration from: The options available for restoring the configuration from a specific file. Select one of the displayed options:
Local PC: Restore a configuration file from the management computer the FortiGate unit is connected to. Local PC is always displayed regardless of whether a USB disk is available.
USB disk: Restore a configuration file from the USB disk connected to the FortiGate unit. USB Disk is displayed only if the FortiGate unit includes a USB port. If you do not connect a USB disk, this option is grayed out.
FortiGuard: Restore a configuration from the FortiGuard Analysis and Management Service. FortiGuard appears when the FortiGuard Analysis and Management Service is enabled. If the FortiGuard Analysis and Management Service is not enabled, or the FortiGate unit is connected to a FortiManager unit, this option is not displayed and Management Station is displayed instead.
FortiManager: Restore a configuration from the configured FortiManager unit. If the FortiGate unit is not connected to a FortiManager unit, this option is not displayed.
Filename: Enter the configuration file name or select Browse if you are restoring the configuration from a file on the management computer. Select the configuration file name from the Browse list if you are restoring the configuration from a USB disk.
Password: Enter the password you entered when backing up the configuration file.
Restore: Select to restore the configuration.
Note: When central management is disabled, Management Station appears.

Remote FortiManager backup and restore options
Your FortiGate unit can be remotely managed by a FortiManager unit. The FortiGate unit connects using the FortiGuard-FortiManager protocol. This protocol provides communication between a FortiGate unit and a FortiManager unit, and runs over SSL using IPv4/TCP port 541. For detailed instructions on how to install a FortiManager unit, see the FortiManager Install Guide.

After successfully connecting to the FortiManager unit from your FortiGate unit, you can back up your configuration to the FortiManager unit. You can also restore your configuration. A list of revisions is displayed when restoring the configuration from a remote location. The list allows you to choose the configuration to restore. The automatic configuration backup is available only in local mode on the FortiManager unit.
To view the basic backup and restore options, go to System > Maintenance > Backup & Restore.
Figure 150: Backup & Restore options with FortiManager option enabled
Backup: The options available for backing up your current configuration to a FortiManager unit.
Backup configuration to: Select FortiManager to upload the configuration to the FortiManager unit. The Local PC option is always available.
Comments: Enter a description or information about the file in the Comments field. This is optional.
Backup: Select to back up the configuration file to the FortiManager unit. A confirmation message appears after successful completion of the backup.
Restore: The options for restoring a configuration file.
Restore configuration from: Select the FortiManager option to download and restore the configuration from the FortiManager unit.
Please Select: Select the configuration file you want to restore from the list. The list is in numerical order, with the most recently uploaded configuration first. This list includes the comments you entered in the Comment field before the configuration was uploaded to the FortiManager unit.
Restore: Select to restore the configuration from the FortiManager unit.

Remote FortiGuard backup and restore options
Your FortiGate unit can be remotely managed by a central management server, which is available when you register for the FortiGuard Analysis and Management Service. The FortiGuard Analysis and Management Service is a subscription-based service and is purchased by contacting support. Additional information, including how to register your FortiGate unit for the FortiGuard Analysis and Management Service, is available in the FortiGuard Analysis and Management Service Users Guide.

After registering, you can back up or restore your configuration. When restoring the configuration from a remote location, a list of revisions is displayed so that you can choose the configuration file to restore. The FortiGuard Analysis and Management Service is useful when administering multiple FortiGate units without having a FortiManager unit.
You can also upgrade the firmware on your FortiGate unit using the FortiGuard Analysis and Management Service. Upgrading the firmware is available in the Firmware Upgrade section of the backup and restore menu. See “Upgrading and downgrading firmware through FortiGuard” on page 259 for more information about upgrading firmware from the backup and restore menu.
Tip: For simplified procedures on managing firmware, including backup and restore options, and on uploading and downloading firmware for your FortiGate unit, see “Managing firmware versions” on page 91.
To view the basic backup and restore options, go to System > Maintenance > Backup & Restore.
Figure 151: Backup & Restore Central Management options
Backup: The options available for backing up your current configuration to the FortiGuard Analysis and Management Service.
Backup configuration to: Select the FortiGuard option to upload the configuration to the FortiGuard Analysis and Management Service. The Local PC option is always available.
Comments: Enter a description or information about the file in the Comments field. This is optional.
Backup: Select to back up the configuration file to the FortiGuard Analysis and Management Service. A confirmation message appears after successful completion of the backup.
Restore: The options for restoring a configuration file.
Restore configuration from: Select the FortiGuard option to download the configuration file from the FortiGuard Analysis and Management Service.
Please Select: Select the configuration file you want to restore from the list. The list is in numerical order, with the most recently uploaded configuration first. This list includes the comments you entered in the Comment field before the configuration was uploaded to the FortiGuard Analysis and Management Service.
Restore: Select to restore the configuration from the FortiGuard Analysis and Management Service.

Note: The FortiGuard-FortiManager protocol is used when connecting to the FortiGuard Analysis and Management Service. This protocol runs over SSL using IPv4/TCP port 541 and includes the following functions:
• detects FortiGate unit dead or alive status
• detects management service dead or alive status
• notifies the FortiGate units about configuration changes, AV/IPS database updates and firewall changes.

Upgrading and downgrading firmware
The firmware section displays the current version of firmware installed on your FortiGate unit, as well as the firmware version currently in use if there is more than one firmware image saved on the FortiGate unit. This is available only for FortiGate-100 units or higher. FortiGate-100A units and higher have two partitions. One partition is active and the other is used as a backup.
To view the firmware options, go to System > Maintenance > Backup & Restore.
Figure 152: Two firmware images displayed on a FortiGate-1000A unit
Partition: A partition can contain one version of the firmware and the system configuration.
Active: A green check mark indicates the partition currently in use.
Last upgrade: The date and time of the last update to this partition.
Firmware Version: The version and build number of the FortiGate firmware.
If your FortiGate model has a backup partition, you can:
• Select Upload to replace the firmware with firmware from the management computer or a USB disk. The USB disk must be connected to the FortiGate unit USB port. See “Formatting USB Disks” on page 261.
• Select Upload and Reboot to replace the existing firmware and make this the active partition.
Boot alternate firmware: Restart the FortiGate unit using the backup firmware.

Upgrading and downgrading firmware through FortiGuard
The Firmware Upgrade section of the backup and restore page displays options for upgrading to a new version using the FortiGuard Analysis and Management Service if that option is available to you. Using the FortiGuard Analysis and Management Service to upgrade the firmware on your FortiGate unit is only available on certain FortiGate units. You must register for the service by contacting customer support. Detailed firmware version information is provided if you have subscribed to the FortiGuard Analysis and Management Service.
To view the firmware options, go to System > Maintenance > Backup & Restore.

Figure 153: Firmware Upgrade section of the Backup & Restore page
Upgrade from FortiGuard network to firmware version: [Please Select]: Select one of the available firmware versions. The list contains the following information for each available firmware release:
• continent (for example, North America)
• maintenance release number
• patch release number
• build number.
For example, if you are upgrading to FortiOS 3.0 MR6 and the FortiGate unit is located in North America, the firmware version available is v3.0 MR6-NA (build 0700).
Allow firmware downgrade: Select to allow installation of older versions than the one currently installed. This is useful if the current version changed functionality you need and you have to revert to an older firmware image.
Upgrade by File: Select Browse to locate a file on your local PC to upload to the FortiGate unit.
OK: Select OK to enable your selection.

Configuring advanced options
The Advanced section on the backup and restore page includes the USB Auto Install feature and the debug log. The USB settings are available only if the FortiGate unit includes a USB port. You must connect a USB disk to the FortiGate unit USB port to use the USB auto-install feature. See “Formatting USB Disks” on page 261.
To view the advanced options, go to System > Maintenance > Backup & Restore.
Figure 154: Options available in the Advanced section
On system restart, automatically update FortiGate configuration: Automatically update the configuration on restart. Ensure that the default configuration file name matches the configuration file name on the USB disk. If the configuration file on the disk matches the currently installed configuration, the FortiGate unit skips the configuration update process.
On system restart, automatically update FortiGate firmware: Automatically update the firmware on restart. Ensure that the default image name matches the firmware file name on the USB disk. If the firmware image on the disk matches the currently installed firmware, the FortiGate unit skips the firmware update process.

Apply: Select to apply the selected settings.
Download Debug Log: Download an encrypted debug log to a file. You can send this debug log to Fortinet Technical Support to help diagnose problems with your FortiGate unit.

Formatting USB Disks
FortiGate units with USB ports support USB disks for backing up and restoring configurations. FortiUSB and generic USB disks are supported, but the generic USB disk must be formatted as a FAT16 disk. No other partition type is supported. There are two ways that you can format the USB disk, either by using the CLI or a Windows system.
Caution: Formatting the USB disk deletes all information on the disk. Back up the information on the USB disk before formatting to ensure all information on the disk is recoverable.
You can format the USB disk in the CLI using the command syntax exe usb-disk format.
When using a Windows system to format the disk, at the command prompt type “format <drive_letter>: /FS:FAT /V:<drive_label>”, where <drive_letter> is the letter of the connected USB drive you want to format, and <drive_label> is the name you want to give the USB drive for identification.

Managing configuration revisions
The Revision Control tab enables you to manage multiple versions of configuration files. Revision control requires a configured central management server. This server can either be a FortiManager unit or the FortiGuard Analysis and Management Service. If central management is not configured on your FortiGate unit, a message appears to tell you to do one of the following:
• enable central management (see “Central Management” on page 226)
• obtain a valid license.
When revision control is enabled on your FortiGate unit, and configurations have been backed up, a list of saved revisions of those backed-up configurations appears.
To view the configuration revisions, go to System > Maintenance > Revision Control.
Figure 155: Revision Control page displaying system configuration backups (columns: Current Page, Diff, Revert, Download)

Current Page: The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of system configuration backups. For more information, see “Using page controls on web-based manager lists” on page 57.
Revision: An incremental number indicating the order in which the configurations were saved. The most recent, and highest, number is first in the list. These may not be consecutive numbers if configurations are deleted.
Date/Time: The date and time this configuration was saved on the FortiGate unit.
Administrator: The administrator account that was used to back up this revision.
Comments: Any relevant information saved with the revision, such as why the revision was saved, who saved it, and if there is a date when it can be deleted to free up space.
Diff icon: Select to compare two revisions. A window will appear, from which you can view and compare the selected revision to one of:
• the current configuration
• a selected revision from the displayed list, including revision history and templates
• a specified revision number.
Download icon: Download this revision to your local PC.
Revert icon: Restore the previously selected revision. You will be prompted to confirm this action.

Using script files
Scripts are text files containing CLI command sequences. These can be uploaded and executed to run complex command sequences easily. Scripts can be used to deploy identical configurations to many devices. For example, if all of your devices use identical administrator admin profiles, you can enter the commands required to create the admin profiles in a script, and then deploy the script to all the devices which should use those same settings.
If you are using a FortiGate unit without a FortiManager unit or the FortiGuard Analysis and Management Service, the scripts you upload are executed and discarded. If you want to execute a script more than once, you must keep a copy on your management PC.
If your FortiGate unit is configured to use a FortiManager unit, you can upload your scripts to the FortiManager unit, and run them from any FortiGate unit configured to use the FortiManager unit.
If your FortiGate unit is configured to use the FortiGuard Analysis and Management Service, scripts you upload are executed and stored. The uploaded script files appear on the FortiGuard Analysis and Management Service portal web site. You can run uploaded scripts from any FortiGate unit configured with your FortiGuard Analysis and Management Service account.
After executing scripts, you can view the script execution history on the script page. The list displays the last 10 executed scripts. If you upload a script directly to a FortiGate unit, it is executed and discarded.
To view the script options, go to System > Maintenance > Scripts.

Figure 156: Script execution history
Execute Script from: Scripts can be uploaded directly to the FortiGate unit from the management PC. If you have configured either a FortiManager unit or the FortiGuard Analysis and Management Service, scripts that have been stored remotely can also be run on the FortiGate unit.
Upload Bulk CLI Command File: Select Browse to locate the script file and then select Apply to upload and execute the file. If the FortiGate unit is configured to use the FortiGuard Analysis and Management Service, the script will be saved on the server for later use.
Select From remote management station: Select to execute a script from the FortiManager unit or the FortiGuard Analysis and Management Service. Choose the script you want to run from the list of all scripts stored remotely.
Script Execution History (past 10 scripts): A list of the 10 most recently executed scripts.
Name: The name of the script file.
Type: The source of the script file. A local file is uploaded directly to the FortiGate unit from the management PC and executed. A remote file is executed on the FortiGate unit after being sent from a FortiManager unit or the FortiGuard Analysis and Management Service.
Time: The date and time the script file was executed.
Status: The status of the script file, that is, whether its execution succeeded or failed.
Delete icon: Delete the script entry from the list.

Creating script files
Script files are text files with CLI command sequences, with one command per line. When a script file is uploaded to a FortiGate unit, the commands are executed in sequence. Notepad on Windows, Textedit on the Mac, GEdit on Linux, or any editor that will save plain text can create a script file.
Tip: An unencrypted configuration file uses the same structure and syntax as a script file. You can save a configuration file and copy the required parts to a new file, making any edits you require. You can generate script files more quickly this way.
To create a script file
1 Open a text editor application.
2 Enter the CLI commands you want to run. The commands must be entered in sequence.
3 Save the file to your maintenance PC.
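The Tip above says an unencrypted configuration file has the same structure and syntax as a script file, and the Revision Control page lets you compare two saved revisions. The following Python is an added example for this guide, not Fortinet code: it parses that CLI structure (config/end blocks, edit/next entries, set lines), extracts one section of a backup as a stand-alone script, lists the differences between two revisions, and flags script lines that would reboot the unit. The sample configurations, the `#config-version=` header and the REBOOT_COMMANDS list are constructed assumptions, not values taken from a FortiGate.

```python
"""Parse FortiOS-style CLI text (unencrypted backup or script file), extract
a section as a script, diff two revisions, and flag reboot commands.
Added example, not Fortinet code; samples below are constructed."""
import shlex

# Commands that reboot the unit if run from a script (see the guide's Caution).
# ASSUMPTION: a deliberately small list; extend it for your firmware.
REBOOT_COMMANDS = ("execute reboot",)


def _quote(value):
    """Double-quote a value when the CLI syntax needs it (spaces or empty)."""
    return f'"{value}"' if (" " in value or not value) else value


def parse_cli(text):
    """Return a nested dict: 'config ...' -> 'edit ...' -> 'set <key>': [values]."""
    root = {}
    stack = [("root", root)]                 # (block kind, node being filled)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # also skips the #config-version= header
            continue
        words = shlex.split(line)
        verb, args = words[0], words[1:]
        kind, node = stack[-1]
        if verb in ("config", "edit"):
            child = node.setdefault(f"{verb} {' '.join(args)}", {})
            stack.append((verb, child))
        elif verb == "set" and args:
            node[f"set {args[0]}"] = args[1:]
        elif verb in ("end", "next"):         # 'end' closes config, 'next' closes edit
            expected = "config" if verb == "end" else "edit"
            if kind != expected:
                raise ValueError(f"line {lineno}: '{verb}' does not close a {expected} block")
            stack.pop()
        else:                                  # unset, execute, ... kept verbatim
            node.setdefault("_commands", []).append(line)
    if len(stack) != 1:
        raise ValueError(f"unterminated {stack[-1][0]} block")
    return root


def render(node, depth=0):
    """Serialize a parsed tree back into script lines, one command per line."""
    pad, lines = "    " * depth, []
    for key, value in node.items():
        if key == "_commands":
            lines.extend(pad + cmd for cmd in value)
        elif key.startswith("set "):
            lines.append(f"{pad}{key} {' '.join(_quote(v) for v in value)}".rstrip())
        else:
            verb, _, name = key.partition(" ")
            lines.append(pad + (f"edit {_quote(name)}" if verb == "edit" else key))
            lines.extend(render(value, depth + 1))
            lines.append(pad + ("end" if verb == "config" else "next"))
    return lines


def extract_section(tree, section):
    """Turn one top-level block of a backup into a script file (the guide's Tip)."""
    return "\n".join(render({section: tree[section]})) + "\n"


def diff_revisions(old, new, path=""):
    """List added, removed and changed entries between two parsed revisions."""
    changes = []
    for key in sorted(set(old) | set(new)):
        here = f"{path} / {key}" if path else key
        if key not in old:
            changes.append(f"added: {here}")
        elif key not in new:
            changes.append(f"removed: {here}")
        elif isinstance(old[key], dict) and isinstance(new[key], dict):
            changes.extend(diff_revisions(old[key], new[key], here))
        elif old[key] != new[key]:
            changes.append(f"changed: {here}: {old[key]} -> {new[key]}")
    return changes


def find_reboot_commands(text):
    """Line numbers of script lines that would reboot the unit."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if line.strip().startswith(REBOOT_COMMANDS)]


# Constructed sample backups: revision 1 and a later revision 2 (keys illustrative).
REVISION_1 = """\
#config-version=FGT-4.00-constructed-sample
config system global
    set hostname "fgt-branch-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "auditor"
        set accprofile "prof_admin"
    next
end
"""
REVISION_2 = REVISION_1.replace('"fgt-branch-01"', '"fgt-branch-01-dr"').replace(
    'edit "auditor"', 'edit "helpdesk"')

if __name__ == "__main__":
    print(extract_section(parse_cli(REVISION_1), "config system admin"))
    print("\n".join(diff_revisions(parse_cli(REVISION_1), parse_cli(REVISION_2))))
```

Run `find_reboot_commands` over a script before uploading it, since the guide notes that an uploaded script executes immediately; the parser's block-pairing check catches a copied section whose `end` or `next` was lost while editing.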

Uploading script files
After you have created a script file, you can then upload it through System > Maintenance > Scripts. When a script is uploaded, it is automatically executed. If the FortiGate unit is not configured for remote management, uploaded scripts are discarded after execution. Save script files to your management PC if you want to execute them again later. If the FortiGate unit is configured to use the FortiGuard Analysis and Management Service, or if it is configured to use a FortiManager unit, the script file is saved to the remote server for later reuse.
Caution: Commands that require the FortiGate unit to reboot when entered on the command line will also force a reboot if included in a script.
To execute a script
1 Go to System > Maintenance > Scripts.
2 Verify that Upload Bulk CLI Command File is selected.
3 Select Browse to locate the script file.
4 Select Apply.
If the FortiGate unit is configured to use the FortiGuard Analysis and Management Service, you can view the script or run it from the FortiGuard Analysis and Management Service portal web site. For more information about viewing or running an uploaded script on the portal web site, see the FortiGuard Analysis and Management Service Users Guide.

Configuring FortiGuard Services
Go to System > Maintenance > FortiGuard to configure your FortiGate unit to use the FortiGuard Distribution Network (FDN) and FortiGuard Services. The FDN provides updates to antivirus definitions, IPS definitions, and the antispam rule set. FortiGuard Services include FortiGuard web filtering and the FortiGuard Analysis and Management Service.

FortiGuard Distribution Network
The FDN is a world-wide network of FortiGuard Distribution Servers (FDS). When the FortiGate unit contacts the FDN, it connects to the nearest FDS based on the current time zone setting. The FDN provides updates to antivirus (including grayware) definitions, IPS definitions, and the Antispam rule set.
Registering your FortiGate unit on the Fortinet Support web page provides a valid license contract and connection to the FDN. On the Fortinet Support web page, go to Product Registration and follow the instructions.
The FortiGate unit supports the following update options:
• user-initiated updates from the FDN
• hourly, daily, or weekly scheduled antivirus definition, IPS definition, and antispam rule set updates from the FDN
• push updates from the FDN
• update status including version numbers, expiry dates, and update dates and times
• push updates through a NAT device.

The FortiGate unit must be able to connect to the FDN using HTTPS on port 443 to receive scheduled updates. For more information, see “To enable scheduled updates” on page 272.
You can also configure the FortiGate unit to receive push updates. When the FortiGate unit is receiving push updates, the FDN must be able to route packets to the FortiGate unit using UDP port 9443. For more information, see “Enabling push updates” on page 273.
If the FortiGate unit is behind a NAT device, see “Enabling push updates through a NAT device” on page 274.

FortiGuard services
Worldwide coverage of FortiGuard services is provided by FortiGuard service points. When the FortiGate unit is connecting to the FDN, it is connecting to the closest FortiGuard service point. Fortinet adds new service points as required. If the closest service point becomes unreachable for any reason, the FortiGate unit contacts another service point and information is available within seconds. By default, the FortiGate unit communicates with the service point via UDP on port 53. Alternately, you can switch the UDP port used for service point communication to port 8888 by going to System > Maintenance > FortiGuard. You cannot change the FortiGuard service point name using the web-based manager. If you need to change the default FortiGuard service point host name, use the hostname keyword in the system fortiguard CLI command. For more information about FortiGuard services, see the FortiGuard Center web page.

FortiGuard Antispam service
FortiGuard Antispam is an antispam system from Fortinet that includes an IP address black list, a URL black list, and spam filtering tools contained in an antispam rule set that is downloaded to the FortiGate unit. The IP address black list contains IP addresses of email servers known to generate spam. The URL black list contains URLs that are found in spam email. FortiGuard Antispam processes are completely automated and configured by Fortinet. With constant monitoring and dynamic updates, FortiGuard Antispam is always current. You can either enable or disable FortiGuard Antispam in the Firewall menu in a protection profile. For more information, see “Spam Filtering options” on page 416.
Every FortiGate unit comes with a free 30-day FortiGuard Antispam trial license. FortiGuard Antispam license management is performed by Fortinet servers; there is no need to enter a license number. The FortiGate unit automatically contacts a FortiGuard Antispam service point when enabling FortiGuard Antispam. Contact Fortinet Technical Support to renew the FortiGuard Antispam license after the free trial expires.
You can globally enable FortiGuard Antispam in System > Maintenance > FortiGuard and then configure Spam Filtering options in each firewall protection profile in Firewall > Protection Profile. For more information, see “Spam Filtering options” on page 416.

FortiGuard Web Filtering service
FortiGuard Web Filtering is a managed web filtering solution provided by Fortinet. FortiGuard Web Filtering sorts hundreds of millions of web pages into a wide range of categories users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard Web Filtering service point to determine the category of a requested web page, then follows the firewall policy configured for that user or interface.
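The ports above (HTTPS/443 outbound for scheduled updates, UDP 9443 inbound for push updates, UDP 53 or 8888 outbound to service points) plus the TCP 541 FortiGuard-FortiManager channel described earlier are what an upstream firewall or NAT device in front of the FortiGate must permit. The following Python is an added example, not Fortinet code: it builds the required flow set from the FortiGate's configured features and audits constructed upstream-firewall log lines to report required flows that were denied or never seen. The `dir=... proto=... dport=... action=...` log format and the sample lines are constructed assumptions, not FortiOS log output.

```python
"""Audit observed perimeter flows against the FDN/FortiGuard ports the guide
lists. Added example, not Fortinet code; the key=value log format and the
sample lines are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Flow:
    direction: str   # "out": FortiGate -> Internet, "in": Internet -> FortiGate
    proto: str       # "tcp" or "udp"
    port: int        # remote port for "out", port on the FortiGate for "in"


def required_flows(scheduled_updates=True, push_updates=False,
                   service_point_port=53, central_management=False):
    """Flows an upstream device must permit for the enabled features.

    Ports from the guide: HTTPS/443 outbound for scheduled FDN updates,
    UDP 9443 inbound for push updates (a NAT device must forward it),
    UDP 53 or 8888 outbound to FortiGuard service points, and TCP 541
    outbound for the FortiGuard-FortiManager protocol.
    """
    if service_point_port not in (53, 8888):
        raise ValueError("service point port must be 53 or 8888")
    flows = {Flow("out", "udp", service_point_port)}
    if scheduled_updates:
        flows.add(Flow("out", "tcp", 443))
    if push_updates:
        flows.add(Flow("in", "udp", 9443))
    if central_management:
        flows.add(Flow("out", "tcp", 541))
    return flows


def parse_log_line(line):
    """Parse one constructed 'key=value' log line into (Flow, action)."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return Flow(fields["dir"], fields["proto"], int(fields["dport"])), fields["action"]


def audit_flows(log_lines, required):
    """Report required flows that were denied, and those never observed."""
    accepted, denied = set(), set()
    for line in log_lines:
        flow, action = parse_log_line(line)
        if flow in required:                    # unrelated traffic is ignored
            (accepted if action == "accept" else denied).add(flow)
    return {
        "denied": sorted(denied - accepted),    # blocked and never allowed
        "unseen": sorted(required - accepted - denied),
    }


# Constructed sample lines, as an upstream firewall might log them.
SAMPLE_LOG_LINES = [
    "2009-04-24T10:00:01 dir=out proto=tcp dport=443 action=accept",
    "2009-04-24T10:00:02 dir=out proto=udp dport=53 action=accept",
    "2009-04-24T10:00:03 dir=in proto=udp dport=9443 action=deny",
    "2009-04-24T10:00:04 dir=out proto=tcp dport=80 action=accept",
]

if __name__ == "__main__":
    need = required_flows(push_updates=True, central_management=True)
    print(audit_flows(SAMPLE_LOG_LINES, need))
```

With push updates and central management enabled, the sample run reports the inbound UDP 9443 push flow as denied (the NAT or perimeter device is dropping it) and TCP 541 as unseen (the FortiGuard-FortiManager channel has not been attempted), which is the first thing to check before the FDN connectivity troubleshooting steps later in this section.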

Every FortiGate unit comes with a free 30-day FortiGuard Web Filtering trial license. FortiGuard license management is performed by Fortinet servers. There is no need to enter a license number. The FortiGate unit automatically contacts a FortiGuard service point when enabling FortiGuard category blocking. Contact Fortinet Technical Support to renew a FortiGuard license after the free trial.
You can globally enable FortiGuard Web Filtering in System > Maintenance > FortiGuard and then configure FortiGuard Web Filtering options for each profile in Firewall > Protection Profiles. For more information, see “FortiGuard Web Filtering options” on page 413.

FortiGuard Analysis and Management Service
FortiGuard Analysis and Management Service is a subscription-based service that provides remote management services, including logging and reporting capabilities for all FortiGate units, which provides a central location for configuring logging and reporting and remote management. These services were previously available only on FortiAnalyzer and FortiManager units. The subscription-based service is available from the FortiGuard Analysis and Management Service portal web site.

Configuring the FortiGate unit for FDN and FortiGuard subscription services
FDN updates, as well as FortiGuard services, are configured in System > Maintenance > FortiGuard.
To view the FortiGuard options, go to System > Maintenance > FortiGuard.
The FDN page contains four sections of FortiGuard services:
• Support Contract and FortiGuard Subscription Services
• Downloading antivirus and IPS updates
• Configuring Web Filtering and AntiSpam Options
• Configuring Analysis and Management Service Options

Support Contract and FortiGuard Subscription Services
The Support Contract and FortiGuard Subscription Services sections are displayed in abbreviated form on the System Status page, and are used for viewing subscription contract information, such as daily quota and the expiry date of the service. See “Viewing system status” on page 63.

Figure 157: Support Contract and FortiGuard Subscription Services section (license status icon, license expiry, valid license)

Support Contract: The availability or status of your FortiGate unit support contract. The status can be Unreachable, Not Registered, or Valid Contract. If Valid Contract is shown, the FortiOS firmware version and contract expiry date appear. A green checkmark also appears.

[Register]: Select to register your FortiGate unit support contract. This option is available only when the support contract is not registered.

FortiGuard Subscription Services: Availability and status information for each of the FortiGuard subscription services, including:
• AntiVirus
• Intrusion Protection
• Web Filtering
• AntiSpam
• Analysis and Management Service

[Availability]: The availability of this service on this FortiGate unit, dependent on your service subscription. The status can be one of the following: Unreachable, Not Registered, Valid License, or Valid Contract. If the Status icon is green, the expiry date is displayed. The option Subscribe appears if Availability is Not Registered. The option Renew appears if Availability has expired.

Status Icon: Indicates the status of the subscription service. The icon corresponds to the availability description:
Green (Valid license) – The FortiGate unit can connect to the FDN and has a registered support contract.
Yellow (Expired) – The FortiGate unit had a valid license that has expired.
Orange (Not Registered) – The FortiGate unit can connect, but is not subscribed to this service.
Gray (Unreachable) – The FortiGate unit is not able to connect to the service.

[Version]: The version number of the definition file currently installed on the FortiGate unit for this service.

[Update]: Select to manually update this service on your FortiGate unit. This will prompt you to download the update file from your local computer. Select Update Now to immediately download current updates from the FDN directly.

[Register]: Select to register the service. This is displayed for Analysis and Management Service.

[Last update date and method]: The date of the last update and the method used for the last attempt to download definition updates for this service.

[Date]: Local system date when the FortiGate unit last checked for updates for this service.

Downloading antivirus and IPS updates

In the Antivirus and IPS Options section, you can schedule antivirus and IPS updates, configure an override server, or allow push updates. You can access these options by selecting the expand arrow.

Figure 158: AntiVirus and IPS Options section (expand arrow, Allow Push Update status)

Use override server address: Select to configure an override server if you cannot connect to the FDN or if your organization provides updates using its own FortiGuard server. When selected, enter the IP address or domain name of a FortiGuard server and select Apply. If the FDN Status still indicates no connection to the FDN, see “Troubleshooting FDN connectivity” on page 271.

Allow Push Update: Select to allow push updates. Updates are then sent automatically to your FortiGate unit when they are available, eliminating any need for you to check if they are available. See “Enabling push updates” on page 273.

Allow Push Update status icon: The status of the FortiGate unit for receiving push updates:
Gray (Unreachable) – The FortiGate unit is not able to connect to the push update service.
Yellow (Not Available) – The push update service is not available with the current support license.
Green (Available) – The push update service is allowed.
If the icon is gray or yellow, see “Troubleshooting FDN connectivity” on page 271.

Use the Use override push IP option when your FortiGate unit is behind a NAT device. The FortiGate unit then sends the FDS the IP address and port number of the NAT device, and the NAT device must be configured to forward the FDS traffic to the FortiGate unit on port 9443. For more information, see “Enabling push updates through a NAT device” on page 274.

Use override push IP: Available only if both Use override server address and Allow Push Update are enabled. Select to create a forwarding policy that redirects incoming FDS push updates to your FortiGate unit. Enter the IP address of the NAT device in front of your FortiGate unit; the FDS connects to this device when attempting to reach the FortiGate unit. The NAT device must be configured to forward the FDS traffic to the FortiGate unit on UDP port 9443. See “Enabling push updates through a NAT device” on page 274.

Port: Available only if Use override push IP is enabled. Select the port on the NAT device that will receive the FDS push updates. This port must be forwarded to UDP port 9443 on the FortiGate unit.

Schedule Updates: Select this check box to enable scheduled updates.

Every: Attempt to update once every 1 to 23 hours. Select the number of hours between each update request.

Daily: Attempt to update once a day. You can specify the hour of the day to check for updates. The update attempt occurs at a randomly determined time within the selected hour.

Weekly: Attempt to update once a week. You can specify the day of the week and the hour of the day to check for updates. The update attempt occurs at a randomly determined time within the selected hour.

Update Now: Select to manually initiate an FDN update.

Submit attack characteristics… (recommended): Fortinet recommends that you select this check box. It helps to improve the quality of IPS signatures.

Configuring Web Filtering and AntiSpam Options

You can access this section by selecting the expand arrow to view the Web Filtering and AntiSpam Options.

Figure 159: Web Filtering and AntiSpam Options section

Enable Web Filter: Select to enable the FortiGuard Web Filter service.

Enable Cache: Select to enable caching of web filter queries. Available if Enable Web Filter is selected. This improves performance by reducing FortiGate unit requests to the FortiGuard server. The cache uses 6 percent of the FortiGate memory. When the cache is full, the least recently used IP address or URL is deleted.

TTL: Available only if both Enable Web Filter and Enable Cache are selected. Time to live: the number of seconds to store blocked IP addresses and URLs in the cache before contacting the server again. TTL must be between 300 and 86400 seconds.

Enable AntiSpam: Select to enable the FortiGuard AntiSpam service.

Enable Cache: Select to enable caching of antispam queries. Available only if Enable AntiSpam is selected. This improves performance by reducing FortiGate unit requests to the FortiGuard server. The cache uses 6 percent of the FortiGate memory. When the cache is full, the least recently used IP address or URL is deleted.

TTL: Time to live: the number of seconds to store blocked IP addresses and URLs in the cache before contacting the server again. TTL must be between 300 and 86400 seconds.

Port Section: Select one of the following ports for your web filtering and antispam requirements:
Use Default Port (53): Select to use port 53 for transmitting with FortiGuard Antispam servers.
Use Alternate Port (8888): Select to use port 8888 for transmitting with FortiGuard Antispam servers.

Test Availability: Select to test the connection to the servers. Results are shown below the button and on the Status indicators.

To have a URL's category rating re-evaluated, please click here: Select to re-evaluate a URL’s category rating on the FortiGuard Web Filter service.

Configuring Analysis and Management Service Options

The Analysis and Management Service Options section contains the Account ID and other options regarding the FortiGuard Analysis and Management Service. You can access this section by selecting the expand arrow.

Figure 160: FortiGuard Analysis and Management Service options

Account ID: Enter your FortiGuard Analysis and Management Service account ID, the name that identifies the account. The account ID that you entered in the Account ID field when registering is used in this field.

To launch the service portal, please click here: Select to log into the FortiGuard Analysis and Management Service web portal, going directly to the portal web site to view logs or configuration. You can also select this to register your FortiGate unit with the FortiGuard Analysis and Management Service.
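The Web Filter and AntiSpam caches described above share the same rules: entries live for the configured TTL (300 to 86400 seconds), and when the cache is full the least recently used URL or IP address is discarded. The following Python model is an added example, not FortiOS code, that makes those rules concrete. The entry limit, the service point stand-in and the sample URLs are assumptions introduced for the illustration; the memory budget of a real unit is not modelled.

```python
import time
from collections import OrderedDict

# Added illustration of the query cache described above (Enable Cache / TTL); this is not
# FortiOS code. Only the TTL range (300 to 86400 seconds) and the LRU eviction rule come
# from the guide; the entry limit below is an assumed stand-in for the memory budget.
TTL_MIN = 300
TTL_MAX = 86400


def ttl_is_valid(ttl_seconds):
    """True when the TTL lies in the range the FortiGuard page accepts."""
    return TTL_MIN <= ttl_seconds <= TTL_MAX


class RatingCache:
    """LRU cache of FortiGuard query results keyed by URL or IP address, each with an expiry time."""

    def __init__(self, ttl_seconds, max_entries, clock=time.monotonic):
        if not ttl_is_valid(ttl_seconds):
            raise ValueError(f"TTL must be between {TTL_MIN} and {TTL_MAX} seconds")
        self.ttl = ttl_seconds
        self.max_entries = max_entries
        self.clock = clock                 # injectable so expiry can be tested without sleeping
        self._entries = OrderedDict()      # key -> (rating, expires_at); most recently used at the end
        self.hits = 0
        self.misses = 0

    def get(self, key):
        """Return the cached rating, or None if the key is absent or its TTL has passed."""
        entry = self._entries.get(key)
        if entry is not None:
            rating, expires_at = entry
            if self.clock() < expires_at:
                self._entries.move_to_end(key)   # refresh the LRU position
                self.hits += 1
                return rating
            del self._entries[key]               # expired: the server must be asked again
        self.misses += 1
        return None

    def put(self, key, rating):
        """Store a fresh result; when the cache is full, drop the least recently used entry."""
        if key in self._entries:
            self._entries.move_to_end(key)
        elif len(self._entries) >= self.max_entries:
            self._entries.popitem(last=False)
        self._entries[key] = (rating, self.clock() + self.ttl)

    def __contains__(self, key):
        return key in self._entries

    def __len__(self):
        return len(self._entries)


class FakeServicePoint:
    """Constructed stand-in for a FortiGuard service point: a fixed rating table plus a call counter."""

    RATINGS = {"www.example.com": "allow", "malware.example.net": "block", "192.0.2.10": "spam"}

    def __init__(self):
        self.calls = 0

    def rate(self, key):
        self.calls += 1
        return self.RATINGS.get(key, "unrated")


def lookup(cache, key, service_point):
    """Answer from the cache when possible; otherwise query the service point and cache the answer."""
    rating = cache.get(key)
    if rating is None:
        rating = service_point.rate(key)
        cache.put(key, rating)
    return rating


def demo():
    """Walk through hit, miss, LRU eviction and TTL expiry using a controllable clock."""
    now = [1000.0]
    cache = RatingCache(ttl_seconds=300, max_entries=2, clock=lambda: now[0])
    sp = FakeServicePoint()
    lookup(cache, "www.example.com", sp)      # miss: the first query goes to the service point
    lookup(cache, "www.example.com", sp)      # hit
    lookup(cache, "malware.example.net", sp)  # miss: the cache is now full
    lookup(cache, "www.example.com", sp)      # hit, and now the most recently used entry
    lookup(cache, "192.0.2.10", sp)           # miss: evicts malware.example.net, the LRU entry
    evicted = "malware.example.net" not in cache
    now[0] += 301                             # move past the 300 s TTL
    lookup(cache, "www.example.com", sp)      # miss again: the entry expired
    return {"hits": cache.hits, "misses": cache.misses, "server_calls": sp.calls, "evicted": evicted}


if __name__ == "__main__":
    print(demo())
```

The point for a practitioner: a short TTL keeps a blocked rating from outliving a FortiGuard correction, while a longer TTL and a larger cache cut the number of rating queries the unit sends; the demo shows the service point being asked only four times for six lookups.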

To configure FortiGuard Analysis Service options, please click here: Select the link please click here to configure and enable logging to the FortiGuard Analysis & Management server. The link redirects you to Log&Report > Log Config > Log Setting. This appears only after registering for the service.

To purge logs older than n months, please click here: Select the number of months from the list and select the link please click here to remove those logs from the FortiGuard Analysis & Management server. This appears only after logging is enabled and log messages are sent to the FortiGuard Analysis server. You can also use this option to remove logs that may appear on a current report. For example, if you select 2 months, logs older than two months are removed from the server.

Troubleshooting FDN connectivity

If your FortiGate unit is unable to connect to the FDN, check your configuration. For example, you may need to add routes to the FortiGate routing table or configure your network to allow the FortiGate unit to use HTTPS on port 443 to connect to the Internet. You might have to connect to an override FortiGuard server to receive updates. For more information, see “To add an override server” on page 272. If this is not successful, check your configuration to make sure you can connect to the override FortiGuard server from the FortiGate unit.

To make sure the FortiGate unit can connect to the FDN
1 Go to System > Status and select Change on the System Time line in the System Information section. Verify that the time zone is set correctly, corresponding to the region where your FortiGate unit is located.
2 Go to System > Maintenance > FortiGuard.
3 Select the expand arrow beside Web Filtering and AntiSpam Options to reveal the available options.
4 Select Test Availability. The FortiGate unit tests its connection to the FDN.

Push updates might be unavailable if:
• you have not registered the FortiGate unit (go to Product Registration and follow the instructions on the web site if you have not already registered your FortiGate unit)
• there is a NAT device installed between the FortiGate unit and the FDN (see “Enabling push updates through a NAT device” on page 274)
• your FortiGate unit connects to the Internet using a proxy server (see “To enable scheduled updates through a proxy server” on page 273).

Updating antivirus and attack definitions

Use the following procedures to configure the FortiGate unit to connect to the FDN to update the antivirus (including grayware) definitions and IPS attack definitions.

Note: Updating antivirus and IPS attack definitions can cause a very short disruption in traffic scanning while the FortiGate unit applies the new signature definitions. Fortinet recommends scheduling updates when traffic is light to minimize disruption.

The test results display at the top of the FortiGuard page.

To update antivirus and attack definitions
1 Go to System > Maintenance > FortiGuard.
2 Select the expand arrow beside AntiVirus and IPS Options to reveal the available options.
3 Select Update Now to update the antivirus and attack definitions.
If the connection to the FDN or override server is successful, the web-based manager displays a message similar to the following:
Your update request has been sent. Your database will be updated in a few minutes. Please check your update page for the status of the update.
After a few minutes, if an update is available, the FortiGuard page lists new version information for antivirus definitions and IPS attack definitions. The page also displays new dates and version numbers for the updated definitions and engines. Messages are recorded to the event log, indicating whether the update was successful or not.

To enable scheduled updates
1 Go to System > Maintenance > FortiGuard.
2 Select the expand arrow beside Antivirus and IPS Options to reveal the available options.
3 Select the Scheduled Update check box.
4 Select one of the following:
Every: Once every 1 to 23 hours. Select the number of hours and minutes between each update request.
Daily: Once a day. You can specify the time of day to check for updates.
Weekly: Once a week. You can specify the day of the week and the time of day to check for updates.
5 Select Apply.
The FortiGate unit starts the next scheduled update according to the new update schedule. Whenever the FortiGate unit runs a scheduled update, the event is recorded in the FortiGate event log.

To add an override server
If you cannot connect to the FDN, or if your organization provides antivirus and IPS attack updates using its own FortiGuard server, you can use the following procedure to add the IP address of an override FortiGuard server.
1 Go to System > Maintenance > FortiGuard.
2 Select the Use override server address check box.
3 Type the fully qualified domain name or IP address of the FortiGuard server.

4 Select Apply.
The FortiGate unit tests the connection to the override server. If the FortiGuard Distribution Network availability icon changes from gray to green, the FortiGate unit has successfully connected to the override server. If the FortiGuard Distribution Network availability icon stays gray, the FortiGate unit cannot connect to the override server. Check the FortiGate configuration and network configuration for settings that may prevent the FortiGate unit from connecting to the override FortiGuard server.

To enable scheduled updates through a proxy server
If your FortiGate unit must connect to the Internet through a proxy server, you can use the config system autoupdate tunneling command syntax to allow the FortiGate unit to connect (or tunnel) to the FDN using the proxy server. For more information, see the FortiGate CLI Reference.

Enabling push updates

The FDN can push updates to FortiGate units to provide the fastest possible response to critical situations. You must register the FortiGate unit before it can receive push updates. Register your FortiGate unit by going to the Fortinet Support web site, Product Registration, and following the instructions.

When you configure a FortiGate unit to allow push updates, the FortiGate unit sends a SETUP message to the FDN. The next time new antivirus or IPS attack definitions are released, the FDN notifies all FortiGate units that are configured for push updates that a new update is available. Within 60 seconds of receiving a push notification, the FortiGate unit requests the update from the FDN.

When the network configuration permits, configuring push updates is recommended in addition to scheduled updates. Scheduled updates ensure that the FortiGate unit receives current updates, but if push updates are also enabled, the FortiGate unit will usually receive new updates sooner. Fortinet does not recommend enabling push updates as the only method for obtaining updates: the FortiGate unit might not receive the push notification, and when it does receive one, it makes only one attempt to connect to the FDN and download updates.

If your FortiGate unit is behind a NAT device, see “Enabling push updates through a NAT device” on page 274.

Enabling push updates when a FortiGate unit IP address changes

The SETUP message that the FortiGate unit sends when you enable push updates includes the IP address of the FortiGate interface that the FDN connects to. The interface used for push updates is the interface configured in the default route of the static routing table. The FDN must be able to connect to this IP address so that your FortiGate unit can receive push update messages. The FortiGate unit sends the SETUP message if you:
• change the IP address of this interface manually
• have set the interface addressing mode to DHCP or PPPoE and your DHCP or PPPoE server changes the IP address.

If you have redundant connections to the Internet, the FortiGate unit also sends the SETUP message when one Internet connection goes down and the FortiGate unit fails over to another Internet connection. In transparent mode, if you change the management IP address, the FortiGate unit also sends the SETUP message to notify the FDN of the address change.

Enabling push updates through a NAT device

If the FDN connects only to the FortiGate unit through a NAT device, you must configure port forwarding on the NAT device and add the port forwarding information to the push update configuration. Port forwarding enables the FDN to connect to the FortiGate unit using UDP on either port 9443 or an override push port that you specify. If the external IP address of the NAT device is dynamic (PPPoE or DHCP), the FortiGate unit is unable to receive push updates through a NAT device.

Note: Push updates are not supported if the FortiGate unit must use a proxy server to connect to the FDN. See “To enable scheduled updates through a proxy server” on page 273 for more information.

Figure 161: Example network: Push updates through a NAT device (FortiGate unit on the internal network, NAT device with a virtual IP on its external interface, Internet, FDN server)

The overall process is:
1 Register the FortiGate unit on the internal network so that it has a current support license and can receive push updates. For more information, see “Registering your Fortinet product” on page 25.
2 Configure the following FortiGuard options on the FortiGate unit on the internal network:
• Enable Allow push updates.
• Enable Use override push IP and enter the IP address. Usually this is the IP address of the external interface of the NAT device.
• If required, change the override push update port.
3 Add a port forwarding virtual IP to the NAT device. Set the external IP address of the virtual IP to match the override push update IP. Usually this is the IP address of the external interface of the NAT device.
4 Add a firewall policy to the FortiGate NAT device that includes the port forwarding virtual IP.

The following procedures configure the FortiGate unit to receive push updates through a NAT device. These procedures also include adding a port forwarding virtual IP and a firewall policy to the NAT device.

To configure FortiGuard options on the FortiGate unit on the internal network
1 Go to System > Maintenance > FortiGuard.
2 Select the expand arrow beside AntiVirus and IPS Options to reveal the available options.
3 Select the Allow Push Update check box.
4 Select the Use override push IP check box.
5 Enter the IP address of the external interface of the NAT device.
FortiGate units expect push update notifications on UDP port 9443. Change the port only if 9443 is blocked or already in use.
6 Select Apply.
When the FortiGate unit sends the override push IP address and port to the FDN, the FDN uses this IP address and port for push updates to the FortiGate unit. However, push updates will not actually work until a virtual IP is added to the NAT device so that the NAT device accepts push update packets and forwards them to the FortiGate unit on the internal network. If the external IP address or the external service port changes later, change the push override configuration and select Apply to have the FortiGate unit send the updated push information to the FDN.

To add a port forwarding virtual IP to the FortiGate NAT device
If the NAT device is also a FortiGate unit, the following procedure allows you to configure the NAT device to use port forwarding to pass push update connections from the FDN to the FortiGate unit on the internal network.
1 Go to Firewall > Virtual IP.
2 Select Create New.
3 Enter the appropriate information for the following:
Name: Enter a name for the virtual IP.
External Interface: Select an external interface from the list. This is the interface that connects to the Internet.
External IP Address/Range: Enter the IP address and/or range. This is the IP address to which the FDN sends the push updates. It must be the same as the IP address in Use override push IP for the FortiGate unit on the internal network, and is usually the IP address of the external interface of the NAT device.
Mapped IP Address/Range: Enter the IP address and/or range of the FortiGate unit on the internal network.
Port Forwarding: Select Port Forwarding. When you select Port Forwarding, the options Protocol, External Service Port and Map to Port appear.
Protocol: Select UDP.
External Service Port: Enter the external service port. This is the port that the FDN connects to; for push updates it is usually 9443. If you changed the push update port in the FortiGuard configuration of the FortiGate unit on the internal network, you must set the external service port to the changed push update port.
Map to Port: Enter 9443. This is the port number to which the NAT FortiGate unit will send the push update after it comes through the virtual IP.
4 Select OK.

To add a firewall policy to the FortiGate NAT device
1 Go to Firewall > Policy.
2 Select Create New.
3 Configure the external to internal firewall policy:
Source Interface/Zone: Select the name of the interface that connects to the Internet.
Source Address: Select All.
Destination Interface/Zone: Select the name of the interface of the NAT device that connects to the internal network.
Destination Address: Select the virtual IP added to the NAT device.
Schedule: Select Always.
Service: Select ANY.
Action: Select Accept.
NAT: Select NAT.
4 Select OK.
Because the port forwarding virtual IP accepts only UDP traffic arriving on the external service port, this policy passes only push update traffic even with Service set to ANY; if your policy standards require it, you can restrict Service further to a UDP service for that port.
Verify that push updates to the FortiGate unit on the internal network are working by going to System > Maintenance > FortiGuard and selecting Test Availability under Web Filtering and AntiSpam Options. The Push Update indicator should change to green.

Adding VDOM Licenses

By default, FortiGate units support a maximum of 10 VDOMs. If you need to increase the maximum number of VDOMs on your FortiGate unit, you can purchase a license key from Fortinet to increase the maximum number of VDOMs to 25, 50, 100 or 250. This option appears only on high-end FortiGate models. Fortinet requires the serial number of the FortiGate unit to generate the license key. The license key is a 32-character string supplied by Fortinet. The license key is entered in System > Maintenance > License in the Input License Key field.

Figure 162: License key for additional VDOMs
Current License: The current maximum number of virtual domains.
Input License key: Enter the license key supplied by Fortinet and select Apply.

Note: VDOMs created on a registered FortiGate unit are recognized as real devices by any connected FortiAnalyzer unit. The FortiAnalyzer unit includes VDOMs in its total number of registered devices. For example, if three FortiGate units are registered on the FortiAnalyzer unit and they contain a total of four VDOMs, the total number of registered FortiGate units on the FortiAnalyzer unit is seven. For more information, see the FortiAnalyzer Administration Guide.

Router Static

This section explains some general routing concepts, how the FortiGate unit performs routing functions, and how to define static routes and route policies. Whether you administer a small or large network, this module will help you understand how the FortiGate unit performs routing functions. You need to understand a number of basic routing concepts in order to configure the FortiGate unit appropriately.

If you enable virtual domains (VDOMs) on the FortiGate unit, static routing is configured separately for each virtual domain. For more information, see “Using virtual domains” on page 103.

This section describes:
• Routing concepts
• Static Route
• Policy Route

Routing concepts

The FortiGate unit works as a security device on a network and packets must pass through it. A route provides the FortiGate unit with the information it needs to forward a packet to a particular destination on the network.

You define static routes manually. Static routes control traffic exiting the FortiGate unit: you can specify through which interface the packet will leave and to which device the packet should be routed. A static route causes packets to be forwarded to a destination other than the factory configured default gateway. The factory configured static default route provides you with a starting point to configure the default gateway. You must either edit the factory configured static default route to specify a different default gateway for the FortiGate unit, or delete the factory configured route and specify your own static default route that points to the default gateway for the FortiGate unit. For more information, see “Default route and default gateway” on page 281.

As an option, you can define route policies. Route policies specify additional criteria for examining the properties of incoming packets. Using route policies, you can configure the FortiGate unit to route packets based on the IP source and destination addresses in packet headers and other criteria, such as on which interface the packet was received and which protocol (service) and port are being used to transport the packet.

The following topics are covered in this section:
• How the routing table is built
• How routing decisions are made
• Multipath routing and determining the best route
• Route priority
• Blackhole Route

How the routing table is built

In the factory default configuration, the FortiGate routing table contains a single static default route. You can add routing information to the routing table by defining additional static routes. The table may include several different routes to the same destination; the IP addresses of the next-hop router specified in those routes, or the FortiGate interfaces associated with those routes, may vary.

The FortiGate unit selects the “best” route for a packet by evaluating the information in the routing table. The best route to a destination is typically associated with the shortest distance between the FortiGate unit and the closest next-hop router. In some cases, the next best route may be selected if the best route is unavailable. The FortiGate unit installs the best available routes in the unit’s forwarding table, which is a subset of the unit’s routing table. Packets are forwarded according to the information in the forwarding table.

How routing decisions are made

Whenever a packet arrives at one of the FortiGate unit’s interfaces, the unit determines whether the packet was received on a legitimate interface by doing a reverse lookup using the source IP address in the packet header. If the FortiGate unit cannot communicate with the computer at the source IP address through the interface on which the packet was received, the FortiGate unit drops the packet, since a source address that is unreachable through the arrival interface is most likely spoofed and the packet a hacking attempt.

If the destination address can be matched to a local address (and the local configuration permits delivery), the FortiGate unit delivers the packet to the local network. If the packet is destined for another network, the FortiGate unit forwards the packet to a next-hop router according to a policy route and the information stored in the FortiGate forwarding table. For more information, see “Policy Route” on page 285.

Multipath routing and determining the best route

Multipath routing occurs when more than one entry to the same destination is present in the routing table. When multipath routing happens, the FortiGate unit may have several possible destinations for an incoming packet, forcing the FortiGate unit to decide which next-hop is the best one. Two methods to manually resolve multiple routes to the same destination are to lower the administrative distance of one route or to set the priority of both routes.

Administrative distance is based on the expected reliability of a given route. It is determined through a combination of the number of hops from the source and the protocol used. More hops from the source means more possible points of failure. The administrative distance can be from 1 to 255, with lower numbers being preferred. A distance of 255 is seen as infinite and will not be installed in the routing table. Here is an example to illustrate how administrative distance works: if there are two possible routes traffic can take between two destinations, with administrative distances of 5 (always up) and 31 (sometimes not available), the traffic will use the route with an administrative distance of 5.

Different routing protocols have different default administrative distances. The default administrative distances for any of these routing protocols are configurable. For the FortiGate unit to select a primary (preferred) route, manually lower the administrative distance associated with one of the possible routes. For information about how to change the administrative distance associated with a static route, see “Adding a static route to the routing table” on page 284.

Administrative distance

All entries in the routing table are associated with an administrative distance. If the routing table contains several entries that point to the same destination (the entries may have different gateways or interface associations), the FortiGate unit compares the administrative distances of those entries, selects the entries having the lowest distances, and installs them as routes in the FortiGate forwarding table. As a result, the FortiGate forwarding table contains only those routes having the lowest distances to every possible destination. For information about how to change the administrative distance associated with a static route, see “Adding a static route to the routing table” on page 284.

Table 42: Default administrative distances for routing protocols

Routing protocol             Default administrative distance
Direct physical connection   1
Static                       10
EBGP                         20
OSPF                         110
RIP                          120
IBGP                         200

Another method is to manually change the priority of both of the routes. If the next-hop administrative distances of two routes on the FortiGate unit are equal, it may not be clear which route the packet will take. Configuring the priority for each of those routes will make it clear which next-hop will be used in the case of a tie. Lower priorities are preferred. You configure the priority field through the CLI; the command to set the priority field is set priority <integer> under the config router static command. For more information, see the FortiGate CLI Reference.

If two routes have the same administrative distance and the same priority, then they are equal cost multipath (ECMP) routes. Since this means there is more than one route to the same destination, it can be confusing which route or routes to install and use. However, if you have enabled load balancing with ECMP routes, then different sessions will resolve this problem by using different routes to the same address. For more information, see load balancing in “Configuring virtual IPs” on page 370.

Route priority

After the FortiGate unit selects static routes for the forwarding table based on their administrative distances, the priority field of those routes determines routing preference. The route with the lowest value in the priority field is considered the best route, and it is also the primary route. You can set the priority for a route only from the CLI. For a static route to be the preferred route, you must create the route using the config router static CLI command and specify a low priority for the route. In summary, you can prioritize routes to the same destination according to their priority field settings, because you can use the CLI to specify which sequence numbers or priority field settings to use when defining static routes.

Blackhole Route

A blackhole route is a route that drops all traffic sent to it. It is very much like /dev/null in Linux programming. Blackhole routes are used to dispose of packets instead of responding to suspicious inquiries. This provides added security since the originator will not discover any information from the target network.
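The following Python model is an added example, not code from the FortiGate guide or from FortiOS; it works through the selection rules just described (lowest administrative distance into the forwarding table, then lowest priority, then ECMP across sessions), a blackhole route, and the reverse lookup on the source address. The Route type, the function names and the sample routing table are constructed for the example.

```python
from dataclasses import dataclass
from hashlib import sha256
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    dst: str                     # destination prefix, for example "0.0.0.0/0"
    gateway: Optional[str]       # next-hop router address
    device: Optional[str]        # interface the packet leaves through
    distance: int = 10           # administrative distance (static routes default to 10)
    priority: int = 0            # CLI "set priority"; the lowest value is preferred
    blackhole: bool = False      # a blackhole route drops everything sent to it


# Constructed routing table, not taken from any real unit
SAMPLE_ROUTES: List[Route] = [
    Route("0.0.0.0/0", "192.168.10.1", "external"),                 # static default route
    Route("192.168.11.0/24", "192.168.10.1", "internal"),            # Network_1 behind Router_1
    Route("192.168.30.0/24", "192.168.20.1", "dmz"),                 # Network_2 behind Router_2
    Route("192.168.11.128/25", None, None, blackhole=True),          # unused addresses: blackhole
    Route("10.0.0.0/8", "203.0.113.1", "wan1", distance=10, priority=0),
    Route("10.0.0.0/8", "198.51.100.1", "wan2", distance=10, priority=5),  # loses on priority
    Route("10.0.0.0/8", "192.0.2.1", "wan3", distance=20),           # higher distance: not installed
    Route("172.16.0.0/12", "203.0.113.1", "wan1"),                   # ECMP pair: same distance
    Route("172.16.0.0/12", "198.51.100.1", "wan2"),                  # and same priority
]


def build_forwarding_table(routing_table: List[Route]) -> Dict:
    """Per destination prefix keep only the routes with the lowest administrative
    distance; the forwarding table is that subset of the routing table."""
    best: Dict = {}
    for r in routing_table:
        net = ip_network(r.dst, strict=False)
        kept = best.get(net)
        if kept is None or r.distance < kept[0].distance:
            best[net] = [r]
        elif r.distance == kept[0].distance:
            kept.append(r)
    return best


def best_routes(forwarding: Dict, ip: str) -> List[Route]:
    """Longest prefix match, then the routes sharing the lowest priority value.
    More than one result means equal cost multipath (ECMP)."""
    addr = ip_address(ip)
    matching = [net for net in forwarding if addr in net]
    if not matching:
        return []
    routes = forwarding[max(matching, key=lambda n: n.prefixlen)]
    lowest = min(r.priority for r in routes)
    return [r for r in routes if r.priority == lowest]


def next_hop(forwarding: Dict, dst_ip: str, session_id: int) -> Optional[Route]:
    """Route chosen for one session. ECMP routes are spread across sessions by a
    stable hash, constructed here to stand in for the unit's load balancing."""
    ecmp = best_routes(forwarding, dst_ip)
    if not ecmp:
        return None                      # no route at all: the packet cannot be forwarded
    digest = sha256(str(session_id).encode()).digest()
    return ecmp[int.from_bytes(digest[:4], "big") % len(ecmp)]


def rpf_ok(forwarding: Dict, src_ip: str, in_device: str) -> bool:
    """Reverse lookup on the source address: the packet is legitimate only if a
    route back to its source leaves through the interface it arrived on. A
    blackhole route never qualifies, so packets claiming an unused source are dropped."""
    return any(r.device == in_device
               for r in best_routes(forwarding, src_ip) if not r.blackhole)
```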

Blackhole routes can also limit traffic on a subnet. If some subnet addresses are not in use, traffic to those addresses (traffic which may be valid or malicious) can be directed to a blackhole for added security and to reduce traffic on the subnet. You configure this feature only from the CLI. For more information, see the “router” chapter of the FortiGate CLI Reference.

The loopback interface, a virtual interface that does not forward traffic, was added to enable easier configuration of blackhole routing. Similar to a normal interface, you can use a loopback interface in firewall policies, routing, and other places that refer to interfaces. Since it cannot have hardware connection or link status problems, it is always available, making it useful for other dynamic routing roles. This loopback interface has fewer parameters to configure, and all traffic sent to it stops there. For more information, see the system chapter of the FortiGate CLI Reference.

Static Route

You configure static routes by defining the destination IP address and netmask of packets that you intend the FortiGate unit to intercept, and by specifying a (gateway) IP address for those packets. The gateway address specifies the next-hop router to which traffic will be routed.

Note: Unless otherwise specified, static route examples and procedures are for IPv4 static routes. When IPv6 is enabled in the GUI, IPv6 routes are visible on the Static Route list. Otherwise, IPv6 routes are not displayed.

Note: You can use the config router static6 CLI command to add, edit, or delete static routes for IPv6 traffic. For more information on IPv6, see “FortiGate IPv6 support” on page 230.

Working with static routes

The Static Route list displays information that the FortiGate unit compares to packet headers in order to route packets. To view the static route list, go to Router > Static > Static Route. Initially, the list contains the factory configured static default route. For more information, see “Default route and default gateway” on page 281.

You can add new entries manually. When you add a static route to the Static Route list, the FortiGate unit performs a check to determine whether a matching route and destination already exist in the FortiGate routing table. If no match is found, the FortiGate unit adds the route to the routing table.

Figure 163 shows the static route list belonging to a FortiGate unit that has interfaces named “port1” and “port2”. The names of the interfaces on your FortiGate unit may be different.

Figure 163: Static Route list when IPv6 is enabled in the GUI
(Figure: Static Route list with Create New, Expand Arrow, Delete and Edit controls)

Create New
    Add a static route to the Static Route list. Select the down arrow to create an IPv6 static route. This is displayed only when IPv6 is enabled in the GUI.
Route
    Select the Expand Arrow to display or hide the IPv4 static routes. By default these routes are displayed.
IPv6 Route
    Select the Expand Arrow to display or hide the IPv6 static routes. By default these routes are hidden. This is displayed only when IPv6 is enabled in the GUI.
IP/Mask
    The destination IP addresses and network masks of packets that the FortiGate unit intercepts.
Gateway
    The IP addresses of the next-hop routers to which intercepted packets are forwarded.
Device
    The names of the FortiGate interfaces through which intercepted packets are received and sent.
Distance
    The administrative distances associated with each route. The values represent distances to next-hop routers.
Delete and Edit icons
    Delete or edit an entry in the list. For more information, see “Adding a static route to the routing table” on page 284.

Default route and default gateway

In the factory default configuration, entry number 1 in the Static Route list is associated with a destination address of 0.0.0.0/0.0.0.0, which means any/all destinations. This route is called the “static default route”. If no other routes are present in the routing table and a packet needs to be forwarded beyond the FortiGate unit, the factory configured static default route causes the FortiGate unit to forward the packet to the default gateway. To prevent this you must either edit the factory configured static default route to specify a different default gateway for the FortiGate unit, or delete the factory configured route and specify your own static default route that points to the default gateway for the FortiGate unit.

Note: For network traffic to pass, even with the correct routes configured, you must have the appropriate firewall policies. For details, see “Configuring firewall policies” on page 323.

Figure 164 shows a FortiGate unit connected to a router. To ensure that all outbound packets destined to any network beyond the router are routed to the correct destination, you must edit the factory default configuration and make the router the default gateway for the FortiGate unit.

Figure 164: Making a router the default gateway
(Figure: Internet, Gateway Router 192.168.10.1, FortiGate_1 with interfaces external and internal, Internal network 192.168.20.0/24)

To route outbound packets from the internal network to destinations that are not on network 192.168.20.0/24, you would edit the default route and include the following settings:
• Destination IP/mask: 0.0.0.0/0.0.0.0
• Gateway: 192.168.10.1
• Device: Name of the interface connected to network 192.168.10.0/24 (for example “external”).
• Distance: 10

The Gateway setting specifies the IP address of the next-hop router interface to the FortiGate external interface. The interface behind the router (192.168.10.1) is the default gateway for FortiGate_1.

In some cases, there may be routers behind the FortiGate unit. If the destination IP address of a packet is not on the local network but is on a network behind one of those routers, the FortiGate routing table must include a static route to that network. For example, in Figure 165, the FortiGate unit must be configured with static routes to interfaces 192.168.10.1 and 192.168.20.1 in order to forward packets to Network_1 and Network_2 respectively.

Figure 165: Destinations on networks behind internal routers
(Figure: FortiGate_1 connected through its internal interface to Gateway Router_1 and Network_1, and through its dmz interface to Gateway Router_2 and Network_2)

To route packets from Network_1 to Network_2, Router_1 must be configured to use the FortiGate internal interface as its default gateway. On the FortiGate unit, you would create a new static route with these settings:
• Destination IP/mask: 192.168.30.0/24
• Gateway: 192.168.20.1
• Device: dmz
• Distance: 10

To route packets from Network_2 to Network_1, Router_2 must be configured to use the FortiGate dmz interface as its default gateway. On the FortiGate unit, you would create a new static route with these settings:
• Destination IP/mask: 192.168.11.0/24
• Gateway: 192.168.10.1
• Device: internal
• Distance: 10

Changing the gateway for the default route

The default gateway determines where packets matching the default route will be forwarded.

Note: If you are using DHCP or PPPoE over a modem interface on your FortiGate unit, you may have problems configuring a static route. After trying to either Renew your DHCP lease, or Reconnect the PPPoE connection, go to the CLI and enable dynamic-gateway under config system interface for the modem interface. Doing this will remove the need to specify a gateway for this interface’s route. For more information see FortiGate CLI Reference.

To change the gateway for the default route
1 Go to Router > Static > Static Route.

2 Select the Edit icon in row 1.
3 If the FortiGate unit reaches the next-hop router through an interface other than the interface that is currently selected in the Device field, select the name of the interface from the Device field.
4 In the Gateway field, type the IP address of the next-hop router to which outbound traffic may be directed.
5 In the Distance field, optionally adjust the administrative distance value.
6 Select OK.

Adding a static route to the routing table

A route provides the FortiGate unit with the information it needs to forward a packet to a particular destination. A static route causes packets to be forwarded to a destination other than the default gateway. You define static routes manually. Static routes control traffic exiting the FortiGate unit: you can specify through which interface the packet will leave and to which device the packet should be routed.

The administrative distance allows you to weight one route to be preferred over another. This is useful when one route is unreliable. For example, if route A has an administrative distance of 30 and route B has an administrative distance of 10, the preferred route is route A with the smaller administrative distance of 10. If you discover that route A is unreliable, you can change the administrative distance for route A from 10 to 40, which will make route B the preferred route.

When you add a static route through the web-based manager, the FortiGate unit assigns the next unassigned sequence number to the route automatically and adds the entry to the Static Route list.

To add a static route entry
1 Go to Router > Static > Static Route.
2 Select Create New.
3 Enter the IP address and netmask. For example, 172.2.1.0/255.255.255.0 would be a route for all addresses on the subnet 172.2.1.x.
4 Enter the FortiGate unit interface closest to this subnet, or connected to it.
5 Enter the gateway IP address. Continuing with the example, 172.2.2.3 would be a valid address.
6 Enter the administrative distance of this route.
7 Select OK to confirm and save your new static route.

Figure 166 shows the Edit Static Route dialog box belonging to a FortiGate unit that has an interface named “internal”. The names of the interfaces on your FortiGate unit may be different.

Figure 166: Edit Static Route

Destination IP/Mask
    Type the destination IP address and network mask of packets that the FortiGate unit has to intercept. The value 0.0.0.0/0.0.0.0 is reserved for the default route.
Gateway
    Type the IP address of the next-hop router to which the FortiGate unit will forward intercepted packets.
Device
    Select the name of the FortiGate interface through which the intercepted packets may be routed to the next-hop router.
Distance
    Type an administrative distance from 1 to 255 for the route. The distance value is arbitrary and should reflect the distance to the next-hop router. A lower value indicates a more preferred route.

Policy Route

A routing policy allows you to redirect traffic away from a static route. This can be useful if you want to route certain types of network traffic differently. You can use incoming traffic’s protocol, source address or interface, destination address, or port number to determine where to send the traffic. For example, generally network traffic would go to the router of a subnet, but you might want to direct SMTP or POP3 traffic addressed to that subnet directly to the mail server.

Policy route options define which attributes of an incoming packet cause policy routing to occur. If the attributes of a packet match all the specified conditions, the FortiGate unit routes the packet through the specified interface to the specified gateway.

If you have configured the FortiGate unit with routing policies and a packet arrives at the FortiGate unit, the FortiGate unit starts at the top of the Policy Route list and attempts to match the packet with a policy. If a match is found and the policy contains enough information to route the packet (a minimum of the IP address of the next-hop router and the FortiGate interface for forwarding packets to it), the FortiGate unit routes the packet using the information in the policy. If no policy route matches the packet, the FortiGate unit routes the packet using the routing table.

Note: Most policy settings are optional, so a matching policy alone might not provide enough information for forwarding the packet. The FortiGate unit may refer to the routing table in an attempt to match the information in the packet header with a route in the routing table. For example, if the outgoing interface is the only item in the policy, the FortiGate unit looks up the IP address of the next-hop router in the routing table. This situation could happen when the interfaces are dynamic (such as DHCP or PPPoE) and you do not want or are unable to specify the IP address of the next-hop router.

Figure 167 shows the policy route list belonging to a FortiGate unit that has interfaces named “external” and “internal”. The names of the interfaces on your FortiGate unit may be different. To edit an existing policy route, see “Adding a policy route” on page 286.

Figure 167: Policy Route list
(Figure: Policy Route list with Create New, Delete, Edit and Move To controls)

Create New
    Add a policy route. See “Adding a policy route” on page 286.
#
    The ID numbers of configured route policies. These numbers are sequential unless policies have been moved within the table.
Incoming
    The interfaces on which packets subjected to route policies are received.
Outgoing
    The interfaces through which policy routed packets are routed.
Source
    The IP source addresses and network masks that cause policy routing to occur.
Destination
    The IP destination addresses and network masks that cause policy routing to occur.
Delete icon
    Delete a policy route.
Edit icon
    Edit a policy route.
Move To icon
    After selecting this icon, enter the destination position in the window that appears, and select OK. For more information, see “Moving a policy route” on page 287.

Adding a policy route

To add a policy route, go to Router > Static > Policy Route and select Create New. Figure 168 shows the New Routing Policy dialog box belonging to a FortiGate unit that has interfaces named “external” and “internal”. The names of the interfaces on your FortiGate unit may be different.

Figure 168: New Routing Policy

Protocol
    To perform policy routing based on the value in the protocol field of the packet, enter the protocol number to match. The Internet Protocol Number is found in the IP packet header, and RFC 5237 includes a list of the assigned protocol numbers. The range is from 0 to 255. A value of 0 disables the feature.
Incoming Interface
    Select the name of the interface through which incoming packets subjected to the policy are received.

0. A value of 0. alternating sessions will use both routes in a load balancing configuration.0/255.0.255.0 disables the feature. If both of these routes are in the policy table.0. Select After to place it following the indicated route. For details.0. A value of 0 disables this feature. type the same port number in the From and To fields.Router Static Policy Route Source Address / Mask Destination Address / Mask Destination Ports To perform policy routing based on the IP source address of the packet. To perform policy routing based on the port on which the packet is received. For two matches in the routing table. Type of Service Outgoing Interface Select the name of the interface through which packets affected by the policy will be routed. Use a two digit hexadecimal bit pattern to match to define the service.0.0. If you wanted to ignore all odd numbered services you would use a bit mask of 01.0/0. You can also manually assign priorities to routes.fortinet. type the source address and network mask to match. you may want to move it to a different location in the routing policy table.0.0. The option to use one of two routes happens when both routes are a match. A value of 0. To apply policy routing to a range of ports.0. If you prefer to use one policy over another.0. This feature is available only through the CLI.0 Administration Guide 01-400-89802-20090424 http://docs.20. both can match a route to 172.120. A value of 0. Moving a policy route A routing policy is added to the bottom of the routing table when it is created.com/ • Feedback 287 . Gateway Address Type the IP address of the next-hop router that the FortiGate unit can access through the specified interface.112 but you consider the second one as a better match.0 and 172. or use a two digit hexadecimal bit mask to mask out. For example if you want the policy to apply to service 14 you would use a bit pattern of 0E.20.120. for example 172.0 disables the feature.0 is not valid. 
In that case the best match route should be positioned before the other route in the policy table.255. go to Router > Static > Policy Route and select Move To for the policy route you want to move. type the destination address and network mask to match. the priority will determine which route is used. Figure 169: Moving a policy route Before/After Policy route ID Select Before to place the selected Policy Route before the indicated route.0/255. The Destination Ports fields are only used for TCP and UDP protocols. In the case of two matches in the routing table.255. To perform policy routing based on the IP destination address of the packet.0. Enter the Policy route ID of the route in the Policy route table to move the selected route before or after. FortiGate Version 4.0.0/0.20. see FortiGate CLI Reference. To change the position of a policy route in the table. type the starting port number in the From field and the ending port number in the To field. The ports are skipped over for all other protocols.0.
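The following Python model is an added example, not code from the FortiGate guide or from FortiOS; it walks the Policy Route list top-down as described above, applies the port rule (TCP and UDP only), falls back to the routing table when the matching policy names only an outgoing interface, and shows how moving a policy changes which of two overlapping entries wins. The Packet and PolicyRoute types, the function names, the Type of Service comparison ((packet ToS AND mask) equals (pattern AND mask), with a pattern and no mask comparing all bits) and the sample policies are assumptions constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

TCP, UDP, ICMP = 6, 17, 1


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    protocol: int
    dport: int = 0
    tos: int = 0x00


@dataclass
class PolicyRoute:
    id: int
    outgoing: str                    # Outgoing Interface (the only required field)
    gateway: str = "0.0.0.0"         # Gateway Address; 0.0.0.0 here means "not given"
    incoming: Optional[str] = None   # Incoming Interface
    src: str = "0.0.0.0/0"           # Source Address/Mask; 0.0.0.0/0 disables the check
    dst: str = "0.0.0.0/0"           # Destination Address/Mask; 0.0.0.0/0 disables it
    protocol: int = 0                # IP protocol number; 0 disables the check
    port_from: int = 0               # Destination Ports From/To; 0 disables the check
    port_to: int = 0
    tos: int = 0x00                  # Type of Service bit pattern, for example 0x0E
    tos_mask: int = 0x00             # bits compared (assumption: pattern without mask
                                     # compares all eight bits)


def matches(p: PolicyRoute, pkt: Packet) -> bool:
    """True when every configured attribute of the policy matches the packet."""
    if p.incoming and p.incoming != pkt.in_iface:
        return False
    # 0.0.0.0/0 contains every address, so it naturally disables these two checks
    if ip_address(pkt.src) not in ip_network(p.src, strict=False):
        return False
    if ip_address(pkt.dst) not in ip_network(p.dst, strict=False):
        return False
    if p.protocol and p.protocol != pkt.protocol:
        return False
    # Destination Ports are consulted for TCP and UDP only; other protocols skip them
    if p.port_from and pkt.protocol in (TCP, UDP) and not (p.port_from <= pkt.dport <= p.port_to):
        return False
    mask = p.tos_mask or (0xFF if p.tos else 0x00)
    if mask and (pkt.tos & mask) != (p.tos & mask):
        return False
    return True


TableLookup = Callable[[str], Optional[Tuple[str, str]]]   # dst ip -> (device, gateway)


def route_packet(policies: List[PolicyRoute], pkt: Packet, table: TableLookup):
    """Walk the Policy Route list from the top. The routing table is consulted when
    no policy matches, or when the matching policy gives only an outgoing interface."""
    for p in policies:
        if matches(p, pkt):
            if p.gateway != "0.0.0.0":
                return ("policy", p.id, p.outgoing, p.gateway)
            hop = table(pkt.dst)          # next-hop address has to come from the table
            return ("policy+table", p.id, p.outgoing, hop[1] if hop else None)
    hop = table(pkt.dst)
    return ("table", None, hop[0], hop[1]) if hop else ("drop", None, None, None)


def move_policy(policies: List[PolicyRoute], pid: int, target: int, before: bool = True):
    """The Move To dialog: place policy `pid` before or after policy `target`."""
    moving = next(p for p in policies if p.id == pid)
    rest = [p for p in policies if p.id != pid]
    idx = next(i for i, p in enumerate(rest) if p.id == target)
    rest.insert(idx if before else idx + 1, moving)
    return rest


# Constructed configuration, not taken from any real unit
MAIL_SERVER = "192.168.30.25"
POLICIES = [
    PolicyRoute(1, "dmz", MAIL_SERVER, incoming="internal", dst="192.168.30.0/24",
                protocol=TCP, port_from=25, port_to=25),        # SMTP straight to the mail server
    PolicyRoute(2, "wan2", "198.51.100.1", dst="172.20.0.0/255.255.0.0"),
    PolicyRoute(3, "wan1", "203.0.113.1", dst="172.20.120.0/255.255.255.0"),  # more specific, listed later
    PolicyRoute(4, "wan1", incoming="dmz", port_from=53, port_to=53),        # no gateway given
]


def sample_table(dst: str) -> Optional[Tuple[str, str]]:
    """Stand-in for the static routing table of the earlier examples."""
    if ip_address(dst) in ip_network("192.168.30.0/24"):
        return ("dmz", "192.168.20.1")
    return ("external", "192.168.10.1")
```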


Router Dynamic

This section explains how to configure dynamic protocols to route traffic through large or complex networks. Dynamic routing protocols enable the FortiGate unit to automatically share information about routes with neighboring routers and learn about routes and networks advertised by them. The FortiGate unit supports these dynamic routing protocols:
• Routing Information Protocol (RIP)
• Open Shortest Path First (OSPF)
• Border Gateway Protocol (BGP)

Given a set of rules, the unit can determine the best route or path for sending packets to a destination. The FortiGate unit selects routes and updates its routing table dynamically based on the rules you specify. You can also define rules to suppress the advertising of routes to neighboring routers and change FortiGate routing information before it is advertised.

Bi-Directional Forwarding Detection (BFD) is a protocol that works with BGP and OSPF to quickly discover routers on the network that cannot be contacted, and to re-route traffic accordingly until those routers can be contacted.

A useful part of the FortiOS web-based management interface is the customizable menus and widgets. These widgets include the following routing widgets: access list, prefix list, key chain, distribute list, offset list, and route map. For more information on these routing widgets, see “Customizable routing widgets” on page 309.

If you enable virtual domains (VDOMs) on the FortiGate unit, dynamic routing is configured separately for each virtual domain. For details, see “Using virtual domains” on page 103.

Note: A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2 router in the root virtual domain. FortiGate units support PIM sparse mode and dense mode and can service multicast servers or receivers on the network segment to which a FortiGate interface is connected. PIM can use static routes, RIP, OSPF, or BGP to forward multicast packets to their destinations.

This section describes:
• RIP
• OSPF
• BGP
• Multicast
• Bi-directional Forwarding Detection (BFD)
• Customizable routing widgets

RIP

Routing Information Protocol (RIP) is a distance-vector routing protocol intended for small, relatively homogeneous networks. The FortiGate implementation of RIP supports RIP version 1 (see RFC 1058) and RIP version 2 (see RFC 2453).

How RIP works

RIP uses hop count as the metric for choosing the best route. A hop count of 1 represents a network that is connected directly to the unit, while a hop count of 16 represents a network that the FortiGate unit cannot reach. Each network that a packet travels through to reach its destination usually counts as one hop. When the FortiGate unit compares two routes to the same destination, it adds the route having the lowest hop count to the routing table.

When RIP is enabled, the FortiGate unit broadcasts requests for RIP updates from each of its RIP-enabled interfaces. Neighboring routers respond with information from their routing tables. The FortiGate unit adds routes from neighbors to its own routing table only if those routes are not already recorded in the routing table. When a route already exists in the routing table, the unit compares the advertised route to the recorded route and chooses the shortest route for the routing table.

Similarly, when RIP is enabled on an interface, the FortiGate unit sends RIP responses to neighboring routers on a regular basis. The updates provide information about the routes in the FortiGate routing table, subject to the rules that you specify for advertising those routes. You can specify how often the FortiGate unit sends updates, how long a route can be kept in the routing table without being updated, and, for routes that are not updated regularly, how long the unit advertises the route as unreachable before it is removed from the routing table.

Viewing and editing basic RIP settings

When you configure RIP settings, you have to specify the networks that are running RIP and specify any additional settings needed to adjust RIP operation on the FortiGate interfaces that are connected to the RIP-enabled network. To view and edit RIP settings go to Router > Dynamic > RIP. Figure 170 shows the basic RIP settings on a FortiGate unit that has interfaces named “dmz” and “external”. The names of the interfaces on your FortiGate unit may be different.

Figure 170: Basic RIP settings
(Figure: basic RIP settings with Expand Arrow, Delete and Edit controls)

RIP Version
    Select the level of RIP compatibility needed at the FortiGate unit. You can enable global RIP settings on all FortiGate interfaces connected to RIP-enabled networks: 1 — send and receive RIP version 1 packets. 2 — send and receive RIP version 2 packets. You can override the global settings for a specific FortiGate interface if required. For more information, see “Configuring a RIP-enabled interface” on page 293.
Advanced Options
    Select the Expand Arrow to view or hide advanced RIP options. For more information, see “Selecting advanced RIP options” on page 292.
Networks
    The IP addresses and network masks of the major networks (connected to the FortiGate unit) that run RIP. You can enable RIP on all FortiGate interfaces whose IP addresses match the RIP network address space. When you add a network to the Networks list, the FortiGate interfaces that are part of the network are advertised in RIP updates.
IP/Netmask
    Enter the IP address and netmask that defines the RIP-enabled network.
Add
    Select to add the network information to the Networks list.

Interfaces
    Any additional settings needed to adjust RIP operation on a FortiGate interface. These parameters will override the global RIP settings for that interface.
Create New
    Add new RIP operating parameters for an interface. For more information, see “Configuring a RIP-enabled interface” on page 293.
Interface
    The name of the unit RIP interface.
Send Version
    The version of RIP used to send updates through each interface: 1, 2, or both.
Receive Version
    The versions of RIP used to listen for updates on each interface: 1, 2, or both.
Authentication
    The type of authentication used on this interface: None, Text or MD5.
Passive
    Permissions for RIP broadcasts on this interface. A green checkmark means the RIP broadcasts are blocked.
Delete and Edit icons
    Delete or edit a RIP network entry or a RIP interface definition.

Selecting advanced RIP options

With advanced RIP options, you can specify settings for RIP timers and define metrics for redistributing routes that the FortiGate unit learns through some means other than RIP updates. For example, if the unit is connected to an OSPF or BGP network or you add a static route to the FortiGate routing table manually, you can configure the unit to advertise those routes on RIP-enabled interfaces. To select advanced RIP options, go to Router > Dynamic > RIP and expand Advanced Options. After you select the options, select Apply.

Note: You can configure additional advanced options through customizable GUI widgets and the CLI. For example, you can filter incoming or outgoing updates by using a route map, an access list, or a prefix list. The FortiGate unit also supports offset lists, which add the specified offset to the metric of a route. For more information on customizable GUI widgets, see “Customizable routing widgets” on page 309. For more information on CLI routing commands, see the “router” chapter of the FortiGate CLI Reference.

Figure 171: Advanced Options (RIP)

Rip Version
    Select the version of RIP packets to send and receive.
Advanced Options
    Select the Expand Arrow to view or hide advanced options.
Default Metric
    Enter the default hop count that the FortiGate unit should assign to routes that are added to the FortiGate routing table. The range is from 1 to 16. This metric is the hop count, with 1 being best or shortest. This value also applies to Redistribute unless otherwise specified.

OSPF. select Metric. The valid hop count range is from 1 to 16. or both. The range is from 1 to 16. The range is from 1 to 16. select Metric.Router Dynamic RIP Default-information. To specify a hop count for those routes. This is the maximum time the FortiGate unit will keep a reachable route in the routing table while no updates for that route are received. The generated route may be based on routes learned originate through a dynamic routing protocol. To specify a hop count for those routes. the timer is restarted. and enter the hop count in the Metric field. The Timeout period should be at least three times longer than the Update period. To specify a hop count for those routes. The value determines how long an unreachable route is kept in the routing table. Authentication guarantees the authenticity of the update packet. ensure that the new settings are compatible with local routers and access servers. static routes.Select to generate and advertise a default route into the FortiGate unit’s RIPenabled networks. Select to redistribute routes learned from static routes. Select to redistribute routes learned through BGP. To set specific RIP operating parameters for a RIP-enabled interface. The unit and the neighboring router must both be configured with the same password. routes in the routing table. Select to redistribute routes learned through OSPF. select Metric. Select one or more of the options to redistribute RIP updates about routes that were not learned through RIP. you can optionally choose password authentication to ensure that the FortiGate unit authenticates a neighboring router before accepting updates from that router. and BGP.com/ • Feedback 293 . If the FortiGate unit receives an update for the route before the timeout period expires. To specify a hop count for those routes. Select to redistribute routes learned from directly connected networks. The range is from 1 to 16. Passive interfaces listen for RIP updates but do not respond to RIP requests. 
and enter the hop count in the Metric field. RIP Timers Enter new values to override the default RIP timer settings. For example. and enter the hop count in the Metric field. and enter the hop count in the Metric field. see the “router” chapter of the FortiGate CLI Reference or the Fortinet Knowledge Center. Enter the amount of time (in seconds) that the FortiGate unit will advertise a route as being unreachable before deleting the route from the routing table. go to Router > Dynamic > RIP and select Create New. If the Update timer is smaller than Timeout or Garbage timers. Update Timeout Garbage Redistribute Connected Static OSPF BGP Configuring a RIP-enabled interface You can use RIP interface options to override the global RIP settings that apply to all FortiGate unit interfaces connected to RIP-enabled networks.fortinet. select Metric. The default settings are effective in most configurations — if you change these settings. you can set the interface to operate passively. If RIP version 2 is enabled on the interface. The FortiGate unit can use RIP to redistribute routes learned from directly connected networks. Enter the maximum amount of time (in seconds) that a route is considered reachable while no updates are received for the route. you will get an error.0 Administration Guide 01-400-89802-20090424 http://docs. Note: Additional options such as split-horizon and key-chains can be configured per interface through the CLI. if you want to suppress RIP advertising on an interface that is connected to a subnet of a RIP-enabled network. not the confidentiality of the routing information in the packet. For more information. FortiGate Version 4. Enter the amount of time (in seconds) that the FortiGate unit will wait between sending RIP updates.
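The following Python model is an added example, not code from the FortiGate guide or from FortiOS; it covers both the route selection in “How RIP works” (hop count plus one per neighbor, 16 meaning unreachable, shortest route kept) and the Update, Timeout and Garbage timers described above, including the rule that Timeout should be at least three times Update. The RipTimers and RipTable names are assumptions, the default timer values are the RFC 2453 defaults rather than values from the guide, and the neighbor addresses and prefixes are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional

INFINITY = 16   # hop count that means "unreachable"


@dataclass
class RipTimers:
    update: int = 30      # seconds between RIP updates (RFC 2453 default, assumed)
    timeout: int = 180    # seconds a route stays reachable without an update
    garbage: int = 120    # seconds an unreachable route is kept (and advertised as 16)

    def valid(self) -> bool:
        # Guide: the Timeout period should be at least three times the Update period
        return self.timeout >= 3 * self.update


@dataclass
class RipRoute:
    prefix: str
    next_hop: str                      # neighbour that advertised the route
    metric: int                        # hop count; 1 = directly connected
    last_update: float                 # when the Timeout timer was last restarted
    unreachable_since: Optional[float] = None   # set when the Garbage timer starts


class RipTable:
    def __init__(self, timers: Optional[RipTimers] = None):
        self.timers = timers or RipTimers()
        if not self.timers.valid():
            raise ValueError("RIP Timeout must be at least three times Update")
        self.routes: Dict[str, RipRoute] = {}

    def receive_update(self, neighbour: str, prefix: str, advertised: int, now: float) -> None:
        """Process one entry of a RIP response received from a neighbour."""
        metric = min(advertised + 1, INFINITY)      # the neighbour itself is one more hop
        cur = self.routes.get(prefix)
        if cur is None:
            if metric < INFINITY:                   # never install an unreachable route
                self.routes[prefix] = RipRoute(prefix, neighbour, metric, now)
            return
        if cur.next_hop == neighbour:
            # Same next hop: accept its metric and restart the Timeout timer (RFC 2453).
            cur.metric, cur.last_update = metric, now
            if metric >= INFINITY and cur.unreachable_since is None:
                cur.unreachable_since = now         # neighbour says it is gone: start Garbage
            elif metric < INFINITY:
                cur.unreachable_since = None
        elif metric < cur.metric:
            # A shorter route from another neighbour replaces the recorded one.
            self.routes[prefix] = RipRoute(prefix, neighbour, metric, now)

    def expire(self, now: float) -> None:
        """Run the Timeout and Garbage timers against the current time."""
        for prefix, r in list(self.routes.items()):
            if r.unreachable_since is None and now - r.last_update >= self.timers.timeout:
                r.metric, r.unreachable_since = INFINITY, now   # advertise as unreachable
            elif r.unreachable_since is not None and now - r.unreachable_since >= self.timers.garbage:
                del self.routes[prefix]                           # garbage-collected

    def advertised(self) -> Dict[str, int]:
        """What the unit would put in its next update: prefix -> hop count."""
        return {p: r.metric for p, r in self.routes.items()}
```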

Figure 172 shows the New/Edit RIP Interface dialog box belonging to a FortiGate unit that has an interface named “internal”. The names of the interfaces on your FortiGate unit may be different.

Figure 172: New/Edit RIP Interface

Interface: Select the name of the FortiGate interface to which these settings apply. The interface must be connected to a RIP-enabled network. The interface can be a virtual IPSec or GRE interface.

Send Version, Receive Version: Select to override the default RIP-compatibility setting for sending and receiving updates through the interface: RIP version 1, version 2, or Both.

Authentication: Select an authentication method for RIP exchanges on the specified interface:
None — Disable authentication.
Text — Select if the interface is connected to a network that runs RIP version 2. Type a password (up to 35 characters) in the Password field. The password is sent in clear text over the network. The FortiGate unit and the router that sends the RIP updates must both be configured with the same password.
MD5 — Authenticate the exchange using MD5.

Passive Interface: Select to suppress the advertising of FortiGate unit routing information over the specified interface. Clear the check box to allow the interface to respond normally to RIP requests.

OSPF

Open Shortest Path First (OSPF) is a link-state routing protocol that is most often used in large heterogeneous networks to share routing information among routers in the same Autonomous System (AS). FortiGate units support OSPF version 2 (see RFC 2328).

How OSPF works

An OSPF network consists of one or more Autonomous Systems (ASes). An OSPF AS is typically divided into logical areas linked by Area Border Routers. A group of contiguous networks form an area. An Area Border Router (ABR) links one or more ASes to the OSPF network backbone (area ID 0). For information on configuring an OSPF AS, see “Defining an OSPF AS—Overview” on page 295.

When a FortiGate unit interface is connected to an OSPF area, that unit can participate in OSPF communications. FortiGate units use the OSPF Hello protocol to acquire neighbors in an area. A neighbor is any router that is directly connected to the same area as the FortiGate unit. After initial contact, the FortiGate unit exchanges Hello packets with its OSPF neighbors regularly to confirm that the neighbors can be reached.

The main benefit of OSPF is that it advertises routes only when neighbors change state instead of at timed intervals, so routing overhead is reduced.
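As an added illustration of the SPF calculation and path-cost rule that this section goes on to describe (example code, not Fortinet's): a Dijkstra run over a small constructed link-state database. The router IDs, links and interface costs are assumed values, and the LSDB deliberately includes a one-way link to show that only links listed by both neighbours are used.

```python
"""Worked SPF example (added here; not FortiGate code).

Each LSA lists a router's OSPF-enabled interfaces as (neighbor, cost) pairs.
The cost is charged on the outgoing direction only, so the A->B cost and the
B->A cost may differ, exactly as the path-cost rule in the text states.
"""
import heapq

# Constructed LSDB: router ID -> links advertised in that router's LSA.
LSDB = {
    "10.0.0.1": [("10.0.0.2", 10), ("10.0.0.3", 1)],
    "10.0.0.2": [("10.0.0.1", 5), ("10.0.0.4", 1)],
    "10.0.0.3": [("10.0.0.1", 1), ("10.0.0.4", 100)],
    # 10.0.0.4 claims a link to 10.0.0.1, but 10.0.0.1's LSA does not list
    # 10.0.0.4 back, so the link is one-way and must not be used.
    "10.0.0.4": [("10.0.0.2", 1), ("10.0.0.3", 100), ("10.0.0.1", 1)],
}


def two_way(lsdb, a, b):
    """RFC 2328 section 16.1 step 2(b): use a link only if both LSAs list it."""
    return any(n == a for n, _ in lsdb.get(b, []))


def spf(lsdb, root):
    """Dijkstra from root. Returns {dest: (path_cost, next_hop_router)}."""
    cost = {root: 0}
    next_hop = {}
    heap = [(0, root)]
    done = set()
    while heap:
        c, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nbr, link_cost in lsdb.get(node, []):
            if not two_way(lsdb, node, nbr):
                continue
            new_cost = c + link_cost          # sum of outgoing-interface costs
            if new_cost < cost.get(nbr, float("inf")):
                cost[nbr] = new_cost
                # The first-hop router is inherited down the SPF tree.
                next_hop[nbr] = nbr if node == root else next_hop[node]
                heapq.heappush(heap, (new_cost, nbr))
    return {d: (cost[d], next_hop[d]) for d in cost if d != root}


def routing_table(lsdb, root):
    """Render the SPF result as (destination, cost, next hop) rows, the
    lowest overall path cost first."""
    rows = [(dest, c, nh) for dest, (c, nh) in spf(lsdb, root).items()]
    return sorted(rows, key=lambda r: (r[1], r[0]))


if __name__ == "__main__":
    for router in ("10.0.0.1", "10.0.0.4"):
        print("SPF tree rooted at", router)
        for dest, c, nh in routing_table(LSDB, router):
            print(f"  {dest:<10} cost {c:>4}  via {nh}")
```

From 10.0.0.1 the route to 10.0.0.4 costs 11 via 10.0.0.2, not 101 via 10.0.0.3, and from 10.0.0.4 the unlisted direct link to 10.0.0.1 is ignored in favour of the two-way path through 10.0.0.2.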

OSPF-enabled routers generate Link-State Advertisements (LSA) and send them to their neighbors whenever the status of a neighbor changes or a new neighbor comes online. As long as the OSPF network is stable, LSAs between OSPF neighbors do not occur. An LSA identifies the interfaces of all OSPF-enabled routers in an area, and provides information that enables OSPF-enabled routers to select the shortest path to a destination. All LSA exchanges between OSPF-enabled routers are authenticated. The FortiGate unit maintains a database of link-state information based on the advertisements that it receives from OSPF-enabled routers. To calculate the best route (shortest path) to a destination, the FortiGate unit applies the Shortest Path First (SPF) algorithm to the accumulated link-state information. OSPF uses a relative path cost metric for choosing the best route. The path cost can be any metric, but is typically the speed of the path—how fast traffic will get from one point to another.

The path cost, similar to “distance” for RIP, imposes a penalty on the outgoing direction of a FortiGate interface. The path cost of a route is calculated by adding together all of the costs associated with the outgoing interfaces along the path to a destination. The lowest overall path cost indicates the best route, and generally the fastest route.

The FortiGate unit dynamically updates its routing table based on the results of the SPF calculation to ensure that an OSPF packet will be routed using the shortest path to its destination. Depending on the network topology, the entries in the FortiGate routing table may include:
• the addresses of networks in the local OSPF area (to which packets are sent directly)
• routes to OSPF area border routers (to which packets destined for another area are sent)
• if the network contains OSPF areas and non-OSPF domains, routes to AS boundary routers, which reside on the OSPF network backbone and are configured to forward packets to destinations outside the OSPF AS.

The number of routes that a FortiGate unit can learn through OSPF depends on the network topology. A single unit can support tens of thousands of routes if the OSPF network is configured properly.

Note: The inter-area routes may not be calculated when a Cisco type ABR has no fully adjacent neighbor in the backbone area. In this situation, the router considers summary-LSAs from all Actively Attached areas (RFC 3509).

Defining an OSPF AS—Overview

Defining an OSPF Autonomous System (AS) involves:
• defining the characteristics of one or more OSPF areas
• creating associations between the OSPF areas that you defined and the local networks to include in the OSPF AS
• if required, adjusting the settings of OSPF-enabled interfaces.

If you are using the web-based manager to perform these tasks, follow the procedures summarized below.

To define an OSPF AS
1 Go to Router > Dynamic > OSPF.
2 Under Areas, select Create New.
3 Define the characteristics of one or more OSPF areas. See “Defining OSPF areas” on page 299.
4 Under Networks, select Create New.

5 Create associations between the OSPF areas that you defined and the local networks to include in the OSPF AS. See “Specifying OSPF networks” on page 300.
6 If you need to adjust the default settings of an OSPF-enabled interface, select Create New under Interfaces.
7 Select the OSPF operating parameters for the interface. See “Selecting operating parameters for an OSPF interface” on page 301. Repeat steps 6 and 7 for any additional OSPF-enabled interfaces.
8 Optionally select advanced OSPF options for the OSPF AS. See “Selecting advanced OSPF options” on page 298.
9 Select Apply.

Configuring basic OSPF settings

When you configure OSPF settings, you have to define the AS in which OSPF is enabled and specify which of the FortiGate interfaces participate in the AS. As part of the AS definition, you specify the AS areas and specify which networks to include in those areas. You may optionally adjust the settings associated with OSPF operation on the FortiGate interfaces.

To view and edit OSPF settings, go to Router > Dynamic > OSPF. Figure 173 shows the basic OSPF settings on a FortiGate unit that has an interface named “port1”. The names of the interfaces on your FortiGate unit may be different.

Figure 173: Basic OSPF settings

Router ID: Enter a unique router ID to identify the FortiGate unit to other OSPF routers. By convention, the router ID is the numerically highest IP address assigned to any of the FortiGate interfaces in the OSPF AS. If Router ID is not explicitly set, the highest IP address of the VDOM or unit will be used. If you change the router ID while OSPF is configured on an interface, all connections to OSPF neighbors will be broken temporarily. The connections will re-establish themselves.

Advanced Options: Select the Expand Arrow to view or hide advanced OSPF settings. For more information, see “Selecting advanced OSPF options” on page 298.

Areas: Information about the areas making up an OSPF AS. The header of an OSPF packet contains an area ID, which helps to identify the origination of a packet inside the AS. Area ID 0.0.0.0 references the backbone of the AS and cannot be changed or deleted.

Create New (Areas): Define and add a new OSPF area to the Areas list. For more information, see “Defining OSPF areas” on page 299.

Area: The unique 32-bit identifiers of areas in the AS, in dotted-decimal notation. For more information, see “Defining OSPF areas” on page 299.

Type: The types of areas in the AS:
• Regular - a normal OSPF area
• NSSA - a not so stubby area
• Stub - a stub area

Authentication: The methods for authenticating OSPF packets sent and received through all FortiGate interfaces linked to each area:
None — authentication is disabled
Text — text-based authentication is enabled
MD5 — MD5 authentication is enabled.
A different authentication setting may apply to some of the interfaces in an area. For example, if an area employs simple passwords for authentication, you can configure a different password for one or more of the networks in that area.

Networks: The networks in the OSPF AS and their area IDs. You can enable OSPF on all FortiGate interfaces whose IP addresses match the OSPF network address space. The FortiGate unit may have physical or VLAN interfaces connected to the network. When you add a network to the Networks list, all FortiGate interfaces that are part of the network are advertised in OSPF link-state advertisements.

Create New (Networks): Add a network to the AS, specify its area ID, and add the definition to the Networks list. For more information, see “Specifying OSPF networks” on page 300.

Network: The IP addresses and network masks of networks in the AS on which OSPF runs.

Area: The area IDs that have been assigned to the OSPF network address space.

Interfaces: Any additional settings needed to adjust OSPF operation on a FortiGate interface.

Create New (Interfaces): Create additional/different OSPF operating parameters for a unit interface and add the configuration to the Interfaces list. For more information, see “Selecting operating parameters for an OSPF interface” on page 301.

Name: The names of OSPF interface definitions, as displayed under Interfaces.

Interface: The names of FortiGate physical or VLAN interfaces having OSPF settings that differ from the default values assigned to all other interfaces in the same area.

IP: The IP addresses of the OSPF-enabled interfaces having additional/different settings.

Authentication: The methods for authenticating LSA exchanges sent and received on specific OSPF-enabled interfaces. These settings override the area Authentication settings.

Delete and Edit icons: Delete or edit an OSPF area entry, network entry, or interface definition. Icons are visible only when there are entries in the Areas, Networks, and Interfaces sections.

Selecting advanced OSPF options

By selecting advanced OSPF options, you can specify metrics for redistributing routes that the FortiGate unit learns through some means other than OSPF link-state advertisements. For example, if the FortiGate unit is connected to a RIP or BGP network or you add a static route to the FortiGate routing table manually, you can configure the unit to advertise those routes on OSPF-enabled interfaces.

To select advanced RIP options, go to Router > Dynamic > RIP and expand Advanced Options. After you select the options, select Apply.

Figure 174: Advanced Options (OSPF)

Router ID: Enter a unique router ID to identify the FortiGate unit to other OSPF routers.

Advanced Options: Select to view or hide Advanced Options.

Default Information: Generate and advertise a default (external) route to the OSPF AS. You may base the generated route on routes learned through a dynamic routing protocol, routes in the routing table, or both.
None: Prevent the generation of a default route.
Regular: Generate a default route into the OSPF AS and advertise the route to neighboring autonomous systems only if the route is stored in the FortiGate routing table.
Always: Generate a default route into the OSPF AS and advertise the route to neighboring autonomous systems unconditionally, even if the route is not stored in the FortiGate routing table.

Redistribute: Select one or more of the options listed to redistribute OSPF link-state advertisements about routes that were not learned through OSPF. The FortiGate unit can use OSPF to redistribute routes learned from directly connected networks, static routes, RIP, and BGP.
Connected: Select to redistribute routes learned from directly connected networks. Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.
Static: Select to redistribute routes learned from static routes. Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.
RIP: Select to redistribute routes learned through RIP. Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.
BGP: Select to redistribute routes learned through BGP. Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.

Note: You can configure additional advanced options through customizable GUI widgets, and the CLI. For example, you can filter incoming or outgoing updates by using a route map, an access list, or a prefix list. The FortiGate unit also supports offset lists, which add the specified offset to the metric of a route. For more information on customizable GUI widgets, see “Customizable routing widgets” on page 309. For more information on CLI routing commands, see the FortiGate CLI Reference.

Defining OSPF areas

An area logically defines part of the OSPF AS. Each area is identified by a 32-bit area ID expressed in dotted-decimal notation, for example 192.168.1.0. Area ID 0.0.0.0 is reserved for the OSPF network backbone. You can classify the remaining areas of an AS as regular, stub, or NSSA. Regular areas and stub areas (including not-so-stubby areas) are connected to the OSPF backbone through area border routers.

A regular area contains more than one router, each having at least one OSPF-enabled interface to the area. Any router connected to a stub area is considered part of the stub area. To reach the OSPF backbone, the routers in a stub area must send packets to an area border router. Routes leading to non-OSPF domains are not advertised to the routers in stub areas. The area border router advertises to the OSPF AS a single default route (destination 0.0.0.0) into the stub area, which ensures that any OSPF packet that cannot be matched to a specific route will match the default route. In a Not-So-Stubby Area (NSSA), routes that lead out of the area into a non-OSPF domain are made known to the OSPF AS. However, the area itself continues to be treated like a stub area by the rest of the AS.

Note: If required, you can define a virtual link to an area that has lost its physical connection to the OSPF backbone. Virtual links can be set up only between two FortiGate units that act as area border routers. For more information on virtual links, see the “router” chapter of the FortiGate CLI Reference.

To define an OSPF area, go to Router > Dynamic > OSPF, and then under Areas, select Create New. To edit the attributes of an OSPF area, go to Router > Dynamic > OSPF and select the Edit icon in the row that corresponds to the area.

Figure 175: New/Edit OSPF Area

Area: Type a 32-bit identifier for the area. The value must resemble an IP address in dotted-decimal notation. Once you have created the OSPF area, the area IP value cannot be changed; to change it, you must delete the area and restart.

Type: Select an area type to classify the characteristics of the network that will be assigned to the area:
Regular — If the area contains more than one router, each having at least one OSPF-enabled interface to the area.
NSSA — If you want routes to external non-OSPF domains made known to the OSPF AS and you want the area to be treated like a stub area by the rest of the AS.
STUB — If the routers in the area must send packets to an area border router in order to reach the backbone and you do not want routes to non-OSPF domains to be advertised to the routers in the area.

Authentication: Select the method for authenticating OSPF packets sent and received through all interfaces in the area:
None — Disable authentication.
Text — Enables text-based password authentication, to authenticate LSA exchanges using a plain-text password. The password is sent in clear text over the network.
MD5 — Enable MD5-based authentication using an MD5 cryptographic hash (RFC 1321).
If required, you can override this setting for one or more of the interfaces in the area. For more information, see “Selecting operating parameters for an OSPF interface” on page 301.

Note: To assign a network to the area, see “Specifying OSPF networks” on page 300.

Specifying OSPF networks

OSPF areas group a number of contiguous networks together. When you assign an area ID to a network address space, the attributes of the area are associated with the network. The attributes of the area must match the characteristics and topology of the specified network. For more information, see “Defining OSPF areas” on page 299.

To assign an OSPF area ID to a network, go to Router > Dynamic > OSPF, and then under Networks, select Create New. To change the OSPF area ID assigned to a network, go to Router > Dynamic > OSPF and select the Edit icon in the row that corresponds to the network.

Figure 176: New/Edit OSPF Network

IP/Netmask: Enter the IP address and network mask of the local network that you want to assign to an OSPF area.

Area: Select an area ID for the network. You must define the area before you can select the area ID.
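The Text and MD5 authentication options above (and the per-interface Authentication and MD5 Keys settings described later in this section) differ in what an observer on the link can see. The following added example, which is not Fortinet code, builds an OSPFv2 Hello under both schemes following RFC 2328 Appendix D and shows the receiver-side check for the MD5 form; the router ID, area, password, key and sequence number are constructed values.

```python
"""OSPFv2 authentication on the wire (added example; not Fortinet code).
Follows RFC 2328 A.3.1 (header), A.3.2 (Hello) and Appendix D (MD5).
"""
import hashlib
import hmac
import socket
import struct

OSPF_VERSION = 2
HELLO = 1                                # OSPF packet type 1 = Hello
AU_SIMPLE, AU_CRYPT = 1, 2               # AuType values (RFC 2328 A.3.1)
HDR = "!BBH4s4sHH"                       # header up to the 8-byte auth field
HDR_LEN = 24                             # full header including auth field


def hello_body(mask, hello_interval, dead_interval):
    """Constructed Hello body (A.3.2): options 0x02, priority 1, no DR/BDR."""
    return struct.pack("!4sHBBI4s4s", socket.inet_aton(mask), hello_interval,
                       0x02, 1, dead_interval, b"\0" * 4, b"\0" * 4)


def inet_checksum(data):
    """One's-complement checksum used by the OSPF header."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_simple(body, router_id, area_id, password):
    """AuType 1 (Text): the password itself rides in the 64-bit auth field."""
    pw = password.encode()
    if len(pw) > 8:
        raise ValueError("RFC 2328 simple password is at most 8 bytes")
    head = struct.pack(HDR, OSPF_VERSION, HELLO, HDR_LEN + len(body),
                       socket.inet_aton(router_id), socket.inet_aton(area_id),
                       0, AU_SIMPLE)
    csum = inet_checksum(head + body)    # auth field excluded from checksum
    head = head[:12] + struct.pack("!H", csum) + head[14:]
    return head + pw.ljust(8, b"\0") + body


def _key16(key):
    k = key.encode()
    if len(k) > 16:
        raise ValueError("MD5 key is at most 16 bytes")
    return k.ljust(16, b"\0")            # zero-padded to 16 bytes (D.4.3)


def build_md5(body, router_id, area_id, key_id, key, seq):
    """AuType 2 (MD5): checksum 0; auth field = 0, key ID, digest length 16,
    cryptographic sequence number; MD5(packet || key) is appended after the
    packet and the key itself never appears on the wire."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    head = struct.pack(HDR, OSPF_VERSION, HELLO, HDR_LEN + len(body),
                       socket.inet_aton(router_id), socket.inet_aton(area_id),
                       0, AU_CRYPT) + auth
    packet = head + body
    return packet + hashlib.md5(packet + _key16(key)).digest()


def verify_md5(datagram, keys, last_seq):
    """Receiver check. keys: {key ID: key}; last_seq: highest sequence number
    already accepted from this neighbour. Returns (accepted, seq)."""
    if len(datagram) < HDR_LEN + 16:
        return False, None
    ver, _t, length, _rid, _area, _cs, autype = struct.unpack(HDR, datagram[:16])
    if ver != OSPF_VERSION or autype != AU_CRYPT or len(datagram) != length + 16:
        return False, None
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", datagram[16:24])
    if auth_len != 16 or key_id not in keys:
        return False, seq
    packet, digest = datagram[:length], datagram[length:]
    expected = hashlib.md5(packet + _key16(keys[key_id])).digest()
    # Constant-time compare; a sequence number that goes backwards is a replay.
    if not hmac.compare_digest(digest, expected) or seq < last_seq:
        return False, seq
    return True, seq


def demo():
    """Hello 10 s / Dead 40 s (the four-times convention) under both modes."""
    body = hello_body("255.255.255.0", 10, 40)
    keys = {1: "area0-key-2009"}
    text_pkt = build_simple(body, "10.0.0.1", "0.0.0.0", "s3cret")
    md5_pkt = build_md5(body, "10.0.0.1", "0.0.0.0", 1, keys[1], seq=1000)
    tampered = bytearray(md5_pkt)
    tampered[35] ^= 1                    # flip a bit in the Dead Interval field
    return {
        "text_password_on_wire": b"s3cret" in text_pkt,
        "md5_key_on_wire": keys[1].encode() in md5_pkt,
        "md5_valid": verify_md5(md5_pkt, keys, last_seq=0),
        "md5_tampered": verify_md5(bytes(tampered), keys, last_seq=0),
        "md5_wrong_key": verify_md5(md5_pkt, {1: "other-key"}, last_seq=0),
        "md5_replayed": verify_md5(md5_pkt, keys, last_seq=1001),
    }
```

The Text packet carries the password verbatim, whereas the MD5 packet carries only a digest, so a modified field, a mismatched key or a reused sequence number is rejected.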

Selecting operating parameters for an OSPF interface

An OSPF interface definition contains specific operating parameters for a FortiGate OSPF-enabled interface. The definition includes the name of the interface (for example, port1, external, or VLAN_1), the IP address assigned to the interface, the method for authenticating LSA exchanges through the interface, and timer settings for sending and receiving OSPF Hello and dead-interval packets.

You can enable OSPF on all FortiGate interfaces whose IP addresses match the OSPF-enabled network space. The FortiGate unit can have physical, VLAN, virtual IPSec or GRE interfaces connected to the OSPF-enabled network. To enable all interfaces, you would create an OSPF network 0.0.0.0/0.

For example, define an area of 0.0.0.0 and the OSPF network as 10.0.0.0/16. Then define vlan1 as 10.0.1.1/24, vlan2 as 10.0.2.1/24 and vlan3 as 10.0.3.1/24. All three VLANs can run OSPF in area 0.0.0.0.

You can configure different OSPF parameters for the same FortiGate interface when more than one IP address has been assigned to the interface. For example, the same FortiGate interface could be connected to two neighbors through different subnets. You could configure an OSPF interface definition containing one set of Hello and dead-interval parameters for compatibility with one neighbor’s settings, and a second OSPF interface definition for the same interface to ensure compatibility with the second neighbor’s settings.

To select OSPF operating parameters for a FortiGate interface, go to Router > Dynamic > OSPF, and then under Interfaces, select Create New. To edit the operating parameters of an OSPF-enabled interface, go to Router > Dynamic > OSPF and select the Edit icon in the row that corresponds to the OSPF-enabled interface. Figure 177 shows the New/Edit OSPF Interface dialog box belonging to a FortiGate unit that has an interface named “port1”. The interface names on your FortiGate unit may differ.

Figure 177: New/Edit OSPF Interface

Name: Enter a name to identify the OSPF interface definition. For example, the name could indicate to which OSPF area the interface will be linked.

Interface: Select the name of the FortiGate interface to associate with this OSPF interface definition (for example, port1, external or VLAN_1).

IP: Enter the IP address that has been assigned to the OSPF-enabled interface. For example, if you defined an OSPF network of 172.20.120.0/24 and port1 has been assigned the IP address 172.20.120.140, type 172.20.120.140. The interface becomes OSPF-enabled because its IP address matches the OSPF network address space.

Authentication: Select an authentication method for LSA exchanges on the specified interface:
None — Disable authentication.
Text — Authenticate LSA exchanges using a plain-text password. The password can be up to 35 characters, and is sent in clear text over the network.
MD5 — Use one or more keys to generate an MD5 cryptographic hash. The password is a 128-bit hash, represented by an alphanumeric string of up to 16 characters.

Password: Enter the plain-text password. Enter an alphanumeric value of up to 15 characters. The OSPF neighbors that send link-state advertisements to this FortiGate interface must be configured with an identical password. This field is available only if you selected plain-text authentication.

MD5 Keys: Enter the key identifier for the (first) password in the ID field (the range is from 1 to 255) and then type the associated password in the Key field. If the OSPF neighbor uses more than one password to generate the MD5 hash, select the Add icon to add additional MD5 keys to the list. The OSPF neighbors that send link-state advertisements to this FortiGate interface must be configured with an identical MD5 key. This field is available only if you selected MD5 authentication.

Hello Interval: This setting defines the period of time (in seconds) that the FortiGate unit waits between sending Hello packets through this interface. Optionally, set the Hello Interval to be compatible with Hello Interval settings on all OSPF neighbors.

Dead Interval: This setting defines the period of time (in seconds) that the FortiGate unit waits to receive a Hello packet from an OSPF neighbor through the interface. If the FortiGate unit does not receive a Hello packet within the specified amount of time, the FortiGate unit declares the neighbor inaccessible. By convention, the Dead Interval value is usually four times greater than the Hello Interval value. Optionally, set the Dead Interval to be compatible with Dead Interval settings on all OSPF neighbors.

BGP

Border Gateway Protocol (BGP) is an Internet routing protocol typically used by ISPs to exchange routing information between different ISP networks. For example, BGP enables the sharing of network paths between the ISP network and an autonomous system (AS) that uses RIP, OSPF, or both to route packets within the AS. The FortiGate implementation of BGP supports BGP-4 and complies with RFC 1771 and RFC 2385.

How BGP works

When BGP is enabled on an interface, the FortiGate unit sends routing table updates to neighboring autonomous systems connected to that interface whenever any part of the FortiGate routing table changes. Each AS to which the unit belongs is associated with an AS number. The AS number references a particular destination network. BGP updates advertise the best path to a destination network. When the FortiGate unit receives a BGP update, the FortiGate unit examines the Multi-Exit Discriminator (MED) attributes of potential routes to determine the best path to a destination network before recording the path in the FortiGate unit routing table.

BGP has the capability to gracefully restart. This capability limits the effects of software problems by allowing forwarding to continue when the control plane of the router fails. It also reduces routing flaps by stabilizing the network.

Note: You can configure graceful restarting and other advanced settings only through CLI commands. For more information, see the “router” chapter of the FortiGate CLI Reference.

Viewing and editing BGP settings

When you configure BGP settings, you need to specify the AS to which the FortiGate unit belongs and enter a router ID to identify this unit to other BGP routers. You must also identify the FortiGate unit’s BGP neighbors and specify which of the networks local to the FortiGate unit should be advertised to BGP neighbors.

The web-based manager offers a simplified user interface to configure basic BGP options. You can also configure many advanced BGP options through the CLI. For more information on advanced BGP settings, see the “router” chapter of the FortiGate CLI Reference.

To view and edit BGP settings, go to Router > Dynamic > BGP.

Figure 178: Basic BGP options

Local AS: Enter the number of the local AS to which the FortiGate unit belongs.

Router ID: Enter a unique router ID to identify the FortiGate unit to other BGP routers. The router ID is an IP address written in dotted-decimal format, for example 192.168.1.1. If Router ID is not explicitly set, the highest IP address of the VDOM will be used. If you change the router ID while BGP is configured on an interface, all connections to BGP peers will be broken temporarily. The connections will reestablish themselves.

Neighbors: The IP addresses and AS numbers of BGP peers in neighboring autonomous systems.
IP: The IP addresses of BGP peers.
Remote AS: The numbers of the autonomous systems associated with the BGP peers.
Delete icon: Delete a BGP neighbor entry.

Neighbor IP: Enter the IP address of the neighbor interface to the BGP-enabled network.
Neighbor Remote AS: Enter the number of the AS that the neighbor belongs to.
Add/Edit: Add the neighbor information to the Neighbors list, or edit an entry in the list.

Networks: The IP addresses and network masks of networks to advertise to BGP peers.
IP/Netmask: The IP addresses and network masks of major networks that are advertised to BGP peers.
Delete icon: Delete a BGP network definition.

Network IP/Netmask: Enter the IP address and netmask of the network to be advertised.
Add: Add the network information to the Networks list.

Note: The get router info bgp CLI command provides detailed information about configured BGP settings. For a complete list of the command options, see the “router” chapter of the FortiGate CLI Reference.

Multicast

A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2 router in the root virtual domain. FortiGate units support PIM sparse mode (RFC 2362) and PIM dense mode (RFC 3973) and can service multicast servers or receivers on the network segment to which a FortiGate interface is connected. PIM can use static routes, RIP, OSPF, or BGP to forward multicast packets to their destinations.

Note: You can configure basic options through the web-based manager. Many additional options are available, but only through the CLI. For complete descriptions and examples of how to use CLI commands to configure PIM settings, see multicast in the “router” chapter of the FortiGate CLI Reference.

How multicast works

Multicast server applications use a (Class D) multicast address to send one copy of a packet to a group of receivers. The PIM routers throughout the network ensure that only one copy of the packet is forwarded through the network until it reaches an end-point destination. At the end-point destination, copies of the packet are made only when required to deliver the information to multicast client applications that request traffic destined for the multicast address.

A PIM domain is a logical area comprising a number of contiguous networks. The FortiGate unit may have a physical or VLAN interface connected to those networks. The domain contains at least one Boot Strap Router (BSR). If sparse mode is enabled, the domain also contains a number of Rendezvous Points (RPs) and Designated Routers (DRs). When you enable PIM on a FortiGate unit, the FortiGate unit can perform any of these functions at any time as configured.

To support source-to-destination packet delivery, either sparse mode or dense mode must be enabled on all the PIM-router interfaces. Sparse mode routers cannot send multicast messages to dense mode routers. In addition, if a FortiGate unit is located between a source and a PIM router, or between two PIM routers, or is connected directly to a receiver, you must create a firewall policy manually to pass encapsulated (multicast) packets or decapsulated data (IP traffic) between the source and destination. If required for sparse mode operation, you can define static RPs.

Note: To support PIM communications, the sending/receiving applications and all connecting PIM routers in between must be enabled with PIM version 2.

Note: For more information about FortiGate multicast support, see the FortiGate Multicast Technical Note.

Viewing and editing multicast settings

When multicast (PIM) routing is enabled, you can configure sparse mode or dense mode operation on any FortiGate interface. The web-based manager offers a simplified user interface to configure basic PIM options. You can also configure advanced PIM options through the CLI. For more information, see the “router” chapter of the FortiGate CLI Reference.

To view and edit PIM settings, go to Router > Dynamic > Multicast.

Figure 179: Basic Multicast options

Enable Multicast Routing: Select to enable PIM version 2 routing. A firewall policy must be created on PIM-enabled interfaces to pass encapsulated packets and decapsulated data between the source and destination.

Add Static RP: If required for sparse mode operation, enter the IP address of a Rendezvous Point (RP) that may be used as the root of a packet distribution tree for a multicast group. Join messages from the multicast group are sent to the RP, and data from the source is sent to the RP. If an RP for the specified IP’s multicast group is already known to the Boot Strap Router (BSR), the RP known to the BSR is used and the static RP address that you specify is ignored.

Apply: Save the specified static RP addresses.

Create New: Create a new multicast entry for an interface. You can use the new entry to fine-tune PIM operation on a specific FortiGate interface or override the global PIM settings on a particular interface. For more information, see “Overriding the multicast settings on an interface” on page 306.

Interface: The names of FortiGate interfaces having specific PIM settings.

Mode: The mode of PIM operation (Sparse or Dense) on that interface.

Status: The status of sparse-mode RP candidacy on the interface. Available only when sparse mode is enabled. To change the status of RP candidacy on an interface, select the Edit icon in the row that corresponds to the interface.

Priority: The priority number assigned to RP candidacy on that interface. Available only when RP candidacy is enabled.

DR Priority: The priority number assigned to Designated Router (DR) candidacy on the interface.

Delete and Edit icons: Delete or edit the PIM settings on the interface.

Overriding the multicast settings on an interface

You use multicast (PIM) interface options to set operating parameters for FortiGate interfaces connected to PIM domains. For example, you can enable dense mode on an interface that is connected to a PIM-enabled network segment. All PIM routers connected to the same network segment must be running the same mode of operation. When sparse mode is enabled, you can adjust the priority number that is used to advertise Rendezvous Point (RP) and/or Designated Router (DR) candidacy on the interface.

Figure 180: Multicast interface settings

Interface: Select the name of the root VDOM FortiGate interface to which these settings apply. The interface must be connected to a PIM version 2 enabled network segment.

PIM Mode: Select the mode of operation: Sparse Mode or Dense Mode. If you select Sparse Mode, adjust the remaining options as described below.

DR Priority: Enter the priority number for advertising DR candidacy on the FortiGate unit’s interface. The unit compares this value to the DR interfaces of all other PIM routers on the same network segment, and selects the router having the highest DR priority to be the DR. The range is from 1 to 4 294 967 295.

RP Candidate: Enable RP candidacy on the interface.

RP Candidate Priority: Enter the priority number for advertising RP candidacy on the FortiGate interface. The range is from 1 to 255.

Multicast destination NAT

Multicast destination NAT (DNAT) allows you to translate externally received multicast destination addresses to addresses that conform to an organization's internal addressing policy. By using this feature, which is available only in the CLI, an organization can avoid redistributing routes at the translation boundary into its network infrastructure for Reverse Path Forwarding (RPF) to work properly. It can also receive identical feeds from two ingress points in the network and route them independently.

Configure multicast DNAT in the CLI by using the following command (only the dnat attribute is shown; the remaining attributes are elided):

    config firewall multicast-policy
        edit p1
            set dnat <dnatted-multicast-group>
            set ...
        next
    end

For more information, see the “firewall” chapter of the FortiGate CLI Reference.

Bi-directional Forwarding Detection (BFD)

The Bi-directional Forwarding Detection (BFD) protocol is designed to deal with dynamic routing protocols' lack of fine granularity for detecting device failures on the network and re-routing around those failures. Your unit supports BFD as part of OSPF and BGP dynamic routing.

Note: You can configure BFD only from the CLI.

How BFD works

When you enable BFD on your FortiGate unit, BFD starts trying to connect to other routers on the network. Once the connection has been made, BFD continues to send periodic packets to the router to make sure it is still operational. These small packets are sent frequently. If there is no response from the neighboring router within the set period of time, BFD on your unit reports that router down and changes routing accordingly. BFD reacts to these failures more quickly than the routing protocols themselves, because it detects them on a millisecond timer, where other dynamic routing protocols can only detect them on a second timer.

Once a connection has been established and then lost, BFD continues to try to reestablish a connection with the non-responsive router. Once that connection is reestablished, routes are reset to include the router once again.

The timeout period determines how long the unit waits before labeling a connection as down. The length of the timeout period is important: if it is too short, connections will be labeled down prematurely, and if it is too long, time will be wasted waiting for a reply from a connection that is down. With too short a timeout period, BFD will not connect to the network device but it will keep trying. This state generates unnecessary network traffic and leaves the device unmonitored. If this happens, you should try setting a longer timeout period to allow BFD more time to discover the device on the network.

There is no easy number, as it varies for each network and unit. High end FortiGate models will respond very quickly unless loaded down with traffic. The size of the network will also slow down the response time, because packets need to make more hops than on a smaller network. Those two factors (CPU load and network traversal time) affect how long the timeout you select should be.

Configuring BFD

BFD is intended for networks that use BGP or OSPF routing protocols. This generally excludes smaller networks. BFD configuration on your FortiGate unit is very flexible. You can enable BFD for the whole unit and turn it off for one or two interfaces. Alternatively, you can specifically enable BFD for each neighbor router or interface. You can limit where BFD looks for routers by enabling one interface only, and by enabling BFD for specific neighboring routers on the network. Which method you choose will be determined by the amount of configuring required for your network.

Configuring BFD on your FortiGate unit

For this example, BFD is enabled on the FortiGate unit using the default values. The port that BFD traffic originates from will be checked for security purposes, as indicated by setting bfd-dont-enforce-src-port to disable.

  config system settings
    set bfd enable
    set bfd-desired-min-tx 50
    set bfd-required-min-rx 50
    set bfd-detect-mult 3
    set bfd-dont-enforce-src-port disable
  end

Note: The minimum receive interval (bfd-required-min-rx) and the detection multiplier (bfd-detect-mult) combine to determine how long your unit waits for a reply before declaring the neighbor down. For this example, your unit will wait up to 150 milliseconds for a reply from a BFD router before declaring that router down and rerouting traffic: a 50 millisecond minimum receive interval multiplied by a detection multiplier of 3. The numbers used in this example may not work for your network. The correct value for your situation will vary based on the size of your network and the speed of your unit's CPU.

Disabling BFD for a specific interface

The previous example enables BFD for your entire FortiGate unit. If an interface is not connected to any BFD enabled routers, you can reduce network traffic by disabling BFD for that interface. For this example, BFD is disabled for the internal interface using CLI commands.

  config system interface
    edit <interface>
      set bfd disable
    next
  end

Configuring BFD on BGP

Configuring BFD on a BGP network involves only one step: enable BFD globally and then disable it for any neighbor that should not use it.

  config system settings
    set bfd enable
  end
  config router bgp
    config neighbor
      edit <ip_address>
        set bfd disable
      next
    end
  end

Configuring BFD on OSPF

Configuring BFD on an OSPF network is very much like enabling BFD on your unit: you can enable it globally for OSPF, and you can override the global setting at the interface level.

To enable BFD on OSPF:

  config router ospf
    set bfd enable
  end

To override BFD on an interface:

  config router ospf
    config ospf-interface
      edit <interface_name>
        set bfd disable
      next
    end
  end
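The following is an added example, not part of the FortiGate guide and not FortiOS code. It models the two behaviours the BFD section describes: the detection window (detection multiplier times the receive interval, which for the guide's 50 ms x 3 settings is 150 ms; RFC 5880 uses the larger of the local required-min-rx and the peer's desired-min-tx) and the source-port check that bfd-dont-enforce-src-port controls. For single-hop BFD, RFC 5881 requires control packets to arrive from a UDP source port in the range 49152 to 65535 with an IP TTL of 255; a packet that fails the check is discarded and does not refresh the session. The packet timeline, port numbers and times are constructed for the example.

```python
"""BFD session monitor: detection window plus single-hop packet validation."""
from dataclasses import dataclass, field
from typing import List, Tuple

BFD_SRC_PORT_MIN, BFD_SRC_PORT_MAX = 49152, 65535   # RFC 5881 source-port range


@dataclass
class BfdControl:
    t_ms: int               # arrival time in ms on a constructed timeline
    src_port: int           # UDP source port of the control packet
    ttl: int                # IP TTL on arrival; must be 255 for single-hop BFD
    desired_min_tx_ms: int  # peer's Desired Min TX Interval


def detection_time_ms(required_min_rx_ms: int, peer_desired_min_tx_ms: int,
                      detect_mult: int) -> int:
    """Detection Time = DetectMult * max(local RequiredMinRx, peer DesiredMinTx)."""
    return detect_mult * max(required_min_rx_ms, peer_desired_min_tx_ms)


def packet_acceptable(pkt: BfdControl, enforce_src_port: bool = True) -> bool:
    """TTL 255 always; ephemeral-range source port unless enforcement is disabled."""
    if pkt.ttl != 255:
        return False
    if enforce_src_port and not (BFD_SRC_PORT_MIN <= pkt.src_port <= BFD_SRC_PORT_MAX):
        return False
    return True


@dataclass
class BfdSession:
    required_min_rx_ms: int = 50   # the guide's bfd-required-min-rx
    detect_mult: int = 3           # the guide's bfd-detect-mult
    enforce_src_port: bool = True  # bfd-dont-enforce-src-port disable
    state: str = "Down"
    last_rx_ms: int = 0
    peer_desired_min_tx_ms: int = 0
    events: List[Tuple[int, str]] = field(default_factory=list)

    def receive(self, pkt: BfdControl) -> None:
        if not packet_acceptable(pkt, self.enforce_src_port):
            self.events.append((pkt.t_ms, "discarded"))
            return
        self.peer_desired_min_tx_ms = pkt.desired_min_tx_ms
        self.last_rx_ms = pkt.t_ms
        if self.state != "Up":
            self.state = "Up"
            self.events.append((pkt.t_ms, "Up"))

    def tick(self, now_ms: int) -> None:
        """Declare the neighbour Down once the detection window has elapsed."""
        if self.state != "Up":
            return
        window = detection_time_ms(self.required_min_rx_ms,
                                   self.peer_desired_min_tx_ms, self.detect_mult)
        if now_ms - self.last_rx_ms > window:
            self.state = "Down"
            self.events.append((now_ms, "Down"))


def run_timeline(packets: List[BfdControl], until_ms: int, step_ms: int = 10,
                 enforce_src_port: bool = True) -> BfdSession:
    """Feed constructed packets into a session, checking for expiry every step."""
    sess = BfdSession(enforce_src_port=enforce_src_port)
    pending = sorted(packets, key=lambda p: p.t_ms)
    for now in range(0, until_ms + 1, step_ms):
        while pending and pending[0].t_ms <= now:
            sess.receive(pending.pop(0))
        sess.tick(now)
    return sess


# Constructed timeline: a healthy peer every 50 ms, then silence after 200 ms,
# and one packet at 300 ms from a non-ephemeral source port (1024).
PEER_PACKETS = [BfdControl(t, 49200, 255, 50) for t in (0, 50, 100, 150, 200)]
BAD_PACKET = BfdControl(300, 1024, 255, 50)

if __name__ == "__main__":
    s = run_timeline(PEER_PACKETS + [BAD_PACKET], until_ms=400)
    print(s.state, s.events)   # Down at 360 ms: 200 + 150 ms window, 10 ms ticks
    s = run_timeline(PEER_PACKETS + [BAD_PACKET], until_ms=400, enforce_src_port=False)
    print(s.state, s.events)   # the bad packet refreshed the session, so still Up
```

With enforcement on, the out-of-range packet is logged as discarded and the neighbour goes Down one tick after the 150 ms window expires; with enforcement off, the same packet keeps the session alive, which is why the guide's example leaves bfd-dont-enforce-src-port disabled.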

Customizable routing widgets

You can customize the FortiGate web-based manager (or GUI) to show, hide, and arrange widgets/menus/items according to your specific requirements. Customizing the display allows you to vary or limit the GUI layout to address different administrator needs such as advanced routing. Only administrators with the super_admin admin profile may create and edit GUI layouts. For more information on GUI layouts, see "Customizable web-based manager" on page 231. Each of the customizable GUI widgets can be minimized or maximized using the arrow next to the widget title.

Customizable routing widgets include:
• Access List
• Distribute List
• Key Chain
• Offset List
• Prefix List
• Route Map

Access List

Access lists are filters used by FortiGate unit routing processes to limit access to the network based on IP addresses. Each rule in an access list consists of a prefix (IP address and netmask), the action to take for this prefix (permit or deny), and whether to match the prefix exactly or to match the prefix and any more specific prefix. The FortiGate unit attempts to match a packet against the rules in an access list starting at the top of the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no match is found, the default action is deny.

For an access list to take effect, it must be called by a FortiGate unit routing process (for example, a process that supports RIP or OSPF). For more information about RIP, see "RIP" on page 289. For more information about OSPF, see "OSPF" on page 294.

Note: If you are setting a prefix of 128.0.0.0, use the format 128.0.0.0/1. The default route, 0.0.0.0/0, cannot be exactly matched with an access-list. A prefix-list must be used for this purpose. For more information, see "Prefix List" on page 312.

Figure 181: Access List GUI widget

Access-list Name: The name of the access list. Enter the name of a new access list and select Add to save it.
Action: The action to take when the prefix of this access list is matched. Actions can be either permit or deny.
Prefix: The IP address prefix for this access-list. The prefix can match any address, or a specific address. When this prefix is matched, the action is taken.

Delete Icon: Select to remove this access-list.
Add Icon: Select to add a rule to this access-list. Rules include actions and prefixes. Rules are processed from smallest to highest number.

For more information on access lists, see the "router" chapter of the FortiGate CLI Reference.

Distribute List

The distribute list is a subcommand of OSPF and RIP. It filters the networks in routing updates using an access or prefix list. Routes not matched by any of the distribute lists will not be advertised.

Note: You must configure the access list that you want the distribute list to use before you configure the distribute list. To configure an access list, see "Access List" on page 309.

For more information about RIP, see "RIP" on page 289. For more information about OSPF, see "OSPF" on page 294.

Figure 182: Distribute List GUI widget

Create New: Select to create a new distribute list. This includes setting the direction, selecting either the prefix-list or access-list, and the interface.
Direction: The direction (In or Out) in which the filter is applied.
Filter: The prefix-list or access-list to apply to this interface.
Interface: The interface to apply the filter on.
Enable: A green check indicates this distribute list is enabled.
Delete Icon: Select to remove a distribute list rule.
Edit Icon: Select to change the direction, filter, or interface of the distribute list.

For more information on the distribute list, see the "router" chapter of the FortiGate CLI Reference.

Key Chain

RIP version 2 uses authentication keys to ensure that the routing information exchanged between routers is reliable. For authentication to work, both the sending and receiving routers must be set to use authentication and must be configured with the same keys. A key chain is a list of one or more keys and the send and receive lifetimes for each key. Keys are used for authenticating routing packets only during the specified lifetimes. The FortiGate unit migrates from one key to the next according to the scheduled send and receive lifetimes. The sending and receiving routers should have their system dates and times synchronized, but overlapping the key lifetimes ensures that a key is always available even if there is some difference in the system times.

Figure 183: Key Chain GUI widget

Key-chain Name: The name of the key-chain, or the number of the key on that chain. Enter the name for a new key-chain and select Add to save it.
Accept Lifetime: The start and end time that this key can accept routing packets.
  Start: The start time for this key. The format is H:M:S M/D/YYYY.
  End: The end time for this key. The end can be infinite, a set duration in seconds, or a set time in the same format as the start time.
Send Lifetime: The start and end time that this key can send routing packets.
  Start: The start time for this key. The format is H:M:S M/D/YYYY.
  End: The end time for this key. The end can be infinite, a set duration in seconds, or a set time in the same format as the start time.
Delete Icon: Select to remove a key or key-chain.
Add Icon: Select to add keys to the key-chain.
Edit Icon: Select to edit an existing key.

For more information on key-chains, see the "router" chapter of the FortiGate CLI Reference.

Offset List

Use the offset list to change the weighting of the metric (hop count) for routes matched by the offset list. The offset list is part of the RIP and OSPF routing protocols. For more information about RIP, see "RIP" on page 289. For more information about OSPF, see "OSPF" on page 294.

Figure 184: Offset List GUI widget

Create New: Select to add a new offset to the list.
Direction: The direction can be In or Out.
Access-list: The access-list used to match the routes.
Offset: The adjustment to the hop count metric.
Interface: The interface this offset list applies to.
Delete Icon: Select to remove an offset entry.
Edit Icon: Select to edit an existing offset entry.

For more information on the offset list, see the "router" chapter of the FortiGate CLI Reference.
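The following is an added example, not part of the FortiGate guide and not FortiOS code. It works through the key chain behaviour described above: the sender picks its key by its own clock from the send lifetimes, the receiver checks the key against the accept lifetimes by its own clock, and an overlap between the accept lifetime of the next key and the send lifetime of the current one keeps a neighbour with a slightly wrong clock authenticated. Times use the widget's H:M:S M/D/YYYY format. The MAC is an HMAC-SHA256 over the packet bytes, chosen here so that the check is concrete; it is a stand-in, not the keyed-MD5 scheme RIPv2 itself uses. The key chain, secrets and packet are constructed for the example.

```python
"""Key chain lifetimes: send-key selection and accept-window validation."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

FMT = "%H:%M:%S %m/%d/%Y"   # the widget's H:M:S M/D/YYYY


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, FMT)


def parse_end(start: datetime, end) -> Optional[datetime]:
    """End is 'infinite', a duration in seconds, or a time in the start format."""
    if end == "infinite":
        return None
    if isinstance(end, int):
        return start + timedelta(seconds=end)
    return parse_time(end)


@dataclass
class Key:
    key_id: int
    secret: bytes
    accept: Tuple[datetime, Optional[datetime]]   # (start, end); end None = infinite
    send: Tuple[datetime, Optional[datetime]]


def make_key(key_id: int, secret: str, accept_start: str, accept_end,
             send_start: str, send_end) -> Key:
    a0, s0 = parse_time(accept_start), parse_time(send_start)
    return Key(key_id, secret.encode(), (a0, parse_end(a0, accept_end)),
               (s0, parse_end(s0, send_end)))


def _within(lifetime, t: datetime) -> bool:
    start, end = lifetime
    return start <= t and (end is None or t < end)


def send_key_at(chain: List[Key], t: datetime) -> Optional[Key]:
    """Lowest-numbered key whose send lifetime covers t; None means cannot send."""
    valid = [k for k in chain if _within(k.send, t)]
    return min(valid, key=lambda k: k.key_id) if valid else None


def accepted_ids_at(chain: List[Key], t: datetime) -> List[int]:
    return sorted(k.key_id for k in chain if _within(k.accept, t))


def sign(key: Key, packet: bytes) -> Tuple[int, bytes]:
    return key.key_id, hmac.new(key.secret, packet, hashlib.sha256).digest()


def verify(chain: List[Key], t: datetime, key_id: int, packet: bytes, mac: bytes) -> bool:
    """The key must exist, be inside its accept lifetime at the receiver's clock,
    and the MAC must match (constant-time compare)."""
    for k in chain:
        if k.key_id == key_id and _within(k.accept, t):
            expected = hmac.new(k.secret, packet, hashlib.sha256).digest()
            return hmac.compare_digest(expected, mac)
    return False


def exchange(chain: List[Key], sender_clock: datetime, receiver_clock: datetime,
             packet: bytes) -> bool:
    """Sender chooses by its clock, receiver validates by its own clock."""
    k = send_key_at(chain, sender_clock)
    if k is None:
        return False
    key_id, mac = sign(k, packet)
    return verify(chain, receiver_clock, key_id, packet, mac)


# Constructed chain: key 1 is sent until 12:00 and accepted until 12:05; key 2
# is sent from 12:00 and accepted from 11:55. The five-minute overlap on each
# side covers a neighbour whose clock is up to five minutes off.
CHAIN = [
    make_key(1, "first-secret", "00:00:00 04/24/2009", "12:05:00 04/24/2009",
             "00:00:00 04/24/2009", "12:00:00 04/24/2009"),
    make_key(2, "second-secret", "11:55:00 04/24/2009", "infinite",
             "12:00:00 04/24/2009", "infinite"),
]

if __name__ == "__main__":
    pkt = b"RIPv2 response: 10.1.0.0/16 metric 2"   # constructed payload
    print(exchange(CHAIN, parse_time("12:01:00 04/24/2009"),
                   parse_time("11:58:00 04/24/2009"), pkt))   # sender ahead: accepted
    print(exchange(CHAIN, parse_time("11:58:00 04/24/2009"),
                   parse_time("12:08:00 04/24/2009"), pkt))   # receiver 10 min ahead: rejected
```

The rejected case is the one the text warns about: the receiver's clock is past key 1's accept window while the sender is still on key 1, so the update is dropped until the clocks agree or the overlap is widened.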

Prefix List

A prefix list is an enhanced version of an access list that allows you to control the length of the prefix netmask. Each rule in a prefix list consists of a prefix (IP address and netmask), the action to take for this prefix (permit or deny), and maximum and minimum prefix length settings. The FortiGate unit attempts to match a packet against the rules in a prefix list starting at the top of the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no match is found, the default action is deny. A prefix-list should be used to match the default route 0.0.0.0/0.

For a prefix list to take effect, it must be called by another FortiGate unit routing feature such as RIP or OSPF. For more information about RIP, see "RIP" on page 289. For more information about OSPF, see "OSPF" on page 294.

Figure 185: Prefix List GUI widget

Prefix-list Name: The name of the prefix list, or the number of the prefix entry. Enter the name of a new prefix-list and select Add to save the new prefix list entry.
Action: The action of the prefix entry. Actions can be permit or deny.
Prefix: The IP address and netmask associated with this prefix. Optionally this can be set to match any address.
GE: Select the minimum number of bits to match in the address. A prefix length of this number or greater is required for there to be a match.
LE: Select the maximum number of bits to match in the address. A prefix length of this number or less is required for there to be a match.
Delete Icon: Select to remove a prefix entry or list.
Add Icon: Select to add a prefix entry to a list.
Edit Icon: Select to edit an existing prefix entry.

For more information on the prefix list, see the "router" chapter of the FortiGate CLI Reference.

Route Map

Route maps provide a way for the FortiGate unit to evaluate optimum routes for forwarding packets or suppressing the routing of packets to particular destinations using the BGP routing protocol. Compared to access lists, route maps support enhanced packet-matching criteria. In addition, route maps can be configured to permit or deny the addition of routes to the FortiGate unit routing table and make changes to routing information dynamically as defined through route-map rules.

The FortiGate unit compares the rules in a route map to the attributes of a route. The rules are examined in ascending order until one or more of the rules in the route map are found to match one or more of the route attributes:
• When a single matching match-* rule is found, changes to the routing information are made as defined through the rule's set-ip-nexthop, set-metric, set-metric-type, and/or set-tag settings.
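The following is an added example, not part of the FortiGate guide and not FortiOS code. It evaluates routing access lists and prefix lists as the Access List and Prefix List descriptions above define them: rules are tried from the top, the first matching rule's action is taken, and a route that matches nothing is denied. An access-list rule carries a prefix, an action and an exact-match flag; a prefix-list rule carries a prefix, an action and the GE/LE bounds on the route's prefix length. The GE/LE defaults used here (GE defaults to the rule's own prefix length; LE defaults to 32 when only GE is set and to GE when neither is set) are the customary prefix-list semantics and are an assumption of the example, not a statement from the guide. It also shows the point the Access List note makes: a 0.0.0.0/0 access-list rule that matches more-specific prefixes covers every route, whereas a 0.0.0.0/0 prefix-list rule with no GE/LE matches only the default route. All rules and routes are constructed.

```python
"""Access-list and prefix-list evaluation with first-match and implicit deny."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional


@dataclass
class AccessRule:
    prefix: str          # "any" or an IPv4 prefix such as "10.0.0.0/8"
    action: str          # "permit" or "deny"
    exact: bool = False  # True: only this exact prefix; False: it and more-specific ones


@dataclass
class PrefixRule:
    prefix: str
    action: str
    ge: Optional[int] = None   # minimum prefix length (GE in the widget)
    le: Optional[int] = None   # maximum prefix length (LE in the widget)


def _covers(rule_net: IPv4Network, route: IPv4Network) -> bool:
    """True if the route lies inside the rule's prefix (same or more specific)."""
    return route.subnet_of(rule_net)


def access_list_action(rules: List[AccessRule], route_str: str) -> str:
    route = ip_network(route_str, strict=False)
    for r in rules:
        if r.prefix == "any":
            return r.action
        net = ip_network(r.prefix, strict=False)
        if r.exact:
            if route == net:
                return r.action
        elif _covers(net, route):
            return r.action
    return "deny"   # implicit deny at the end of every list


def prefix_list_action(rules: List[PrefixRule], route_str: str) -> str:
    route = ip_network(route_str, strict=False)
    for r in rules:
        net = ip_network(r.prefix, strict=False)
        ge = r.ge if r.ge is not None else net.prefixlen
        if r.le is not None:
            le = r.le
        elif r.ge is not None:
            le = 32
        else:
            le = ge   # neither bound set: exact prefix length only
        if ge > le:
            raise ValueError(f"invalid rule {r}: ge {ge} > le {le}")
        if _covers(net, route) and ge <= route.prefixlen <= le:
            return r.action
    return "deny"


# Constructed lists.
ACL_DEFAULT_ATTEMPT = [AccessRule("0.0.0.0/0", "permit")]   # covers every route
ACL_EXACT_FIRST = [
    AccessRule("192.168.0.0/16", "deny", exact=True),        # only the aggregate
    AccessRule("192.168.0.0/16", "permit"),                  # its subnets
]
PL_DEFAULT_ONLY = [PrefixRule("0.0.0.0/0", "permit")]         # only 0.0.0.0/0
PL_SUBNET_POLICY = [
    PrefixRule("10.0.0.0/8", "permit", ge=24, le=24),        # /24s inside 10/8 only
    PrefixRule("192.168.0.0/16", "deny"),                    # the /16 itself
    PrefixRule("192.168.0.0/16", "permit", ge=17),           # anything longer, to /32
]

if __name__ == "__main__":
    for route in ("0.0.0.0/0", "10.1.2.0/24", "10.1.0.0/16", "192.168.0.0/16", "192.168.5.0/24"):
        print(route, access_list_action(ACL_DEFAULT_ATTEMPT, route),
              prefix_list_action(PL_DEFAULT_ONLY, route),
              prefix_list_action(PL_SUBNET_POLICY, route))
```

Try a route against each list in turn to see why the guide sends you to a prefix list for the default route: the access list permits 10.1.2.0/24 just as readily as 0.0.0.0/0, while the prefix list permits only the latter.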

• If no match-* rules are defined, the FortiGate unit makes changes to the routing information only when all of the default match-* rules happen to match the attributes of the route.
• When more than one match-* rule is defined, all of the defined match-* rules must evaluate to TRUE or the routing information is not changed.
• If no matching rule is found, no changes are made to the routing information.

The default rule in the route map (which the FortiGate unit applies last) denies all routes. For a route map to take effect, it must be called by a FortiGate unit routing process.

Figure 186: Route Map GUI widget

Route-map Name: The name of the route map, or the number of the route map entry. Enter the name of a new route-map and select Add to save it.
Action: The action of the route map. Actions can be permit or deny.
Rules: The rules include the criteria to match and a value to set. The criteria to match can be an interface, an address from an access or prefix list, the next-hop to match from an access or prefix list, the metric, or other information. The value to set can be the next-hop IP address, a metric, a metric type, and a tag number.
Delete Icon: Select to remove a route map or entry.
Add Icon: Select to add a route map entry to a route map.
Edit Icon: Select to edit an existing route map entry.

For more information on the route map, see the "router" chapter of the FortiGate CLI Reference.
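The following is an added example, not part of the FortiGate guide and not FortiOS code. It applies a route map to a route following the four rules listed above: entries are visited in ascending sequence; within an entry every configured match-* condition must hold, and an entry with no match-* conditions matches every route; the first matching entry decides, a permit applying its set-* values and a deny dropping the route; and a route that matches no entry falls to the implicit deny-all at the end. The keyword names (match-ip-address, match-interface, match-metric, match-tag, set-ip-nexthop, set-metric, set-metric-type, set-tag) follow the CLI names the text uses, but the Route and RouteMapRule objects, the sample route map and the routes are constructed for the example.

```python
"""Route-map evaluation: ordered entries, all-of match-*, first match decides."""
from dataclasses import dataclass, field, replace
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: str
    nexthop: str
    interface: str
    metric: int = 0
    metric_type: str = "type-2"
    tag: int = 0


@dataclass
class RouteMapRule:
    seq: int
    action: str                                   # "permit" or "deny"
    match: Dict[str, object] = field(default_factory=dict)
    sets: Dict[str, object] = field(default_factory=dict)


def _rule_matches(rule: RouteMapRule, route: Route) -> bool:
    """Every configured match-* must be TRUE; no match-* configured matches all."""
    for key, want in rule.match.items():
        if key == "match-ip-address":
            # want: list of prefixes; the route must lie inside one of them
            net = ip_network(route.prefix)
            if not any(net.subnet_of(ip_network(p)) for p in want):
                return False
        elif key == "match-interface":
            if route.interface != want:
                return False
        elif key == "match-metric":
            if route.metric != want:
                return False
        elif key == "match-tag":
            if route.tag != want:
                return False
        else:
            raise ValueError(f"unknown match keyword {key}")
    return True


def apply_route_map(rules: List[RouteMapRule],
                    route: Route) -> Tuple[bool, Optional[Route], Optional[int]]:
    """Return (accepted, resulting route or None, sequence of the deciding entry)."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if not _rule_matches(rule, route):
            continue
        if rule.action == "deny":
            return False, None, rule.seq
        new = replace(route)   # copy: the original route object is left untouched
        for key, value in rule.sets.items():
            if key == "set-ip-nexthop":
                new.nexthop = value
            elif key == "set-metric":
                new.metric = value
            elif key == "set-metric-type":
                new.metric_type = value
            elif key == "set-tag":
                new.tag = value
            else:
                raise ValueError(f"unknown set keyword {key}")
        return True, new, rule.seq
    return False, None, None   # implicit deny-all at the end of the route map


# Constructed route map: re-point and tag a lab prefix learned on port2, drop
# anything learned on port3, and pass everything else unchanged.
LAB_RM = [
    RouteMapRule(10, "permit",
                 match={"match-ip-address": ["10.10.0.0/16"], "match-interface": "port2"},
                 sets={"set-ip-nexthop": "10.10.255.1", "set-tag": 100, "set-metric": 20}),
    RouteMapRule(20, "deny", match={"match-interface": "port3"}),
    RouteMapRule(30, "permit"),
]

if __name__ == "__main__":
    for r in (Route("10.10.4.0/24", "10.10.4.1", "port2"),
              Route("10.10.4.0/24", "10.10.4.1", "port3"),
              Route("172.16.0.0/16", "172.16.0.1", "port1")):
        print(apply_route_map(LAB_RM, r))
```

Removing entry 30 from LAB_RM shows the implicit deny: the 172.16.0.0/16 route then matches nothing and is rejected with no deciding sequence number.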


Router Monitor

This section explains how to interpret the Routing Monitor list. The list displays the entries in the FortiGate routing table. To display the routes in the routing table, go to Router > Monitor.

If you enable virtual domains (VDOMs) on the FortiGate unit, router monitoring is available separately for each virtual domain. For more information, see "Using virtual domains" on page 103.

This section describes:
• Viewing routing information
• Searching the FortiGate routing table

Viewing routing information

By default, all routes are displayed in the Routing Monitor list. The default static route is defined as 0.0.0.0/0, which matches the destination IP address of "any/all" packets. Figure 187 shows the Routing Monitor list belonging to a FortiGate unit that has interfaces named "port1", "port4", and "lan". The names of the interfaces on your FortiGate unit may be different.

Figure 187: Routing Monitor list

IP version: Select IPv4 or IPv6 routes.
Type: Select one of the following route types to search the routing table and display routes of the selected type only:
  All — all routes recorded in the routing table.
  Connected — all routes associated with direct connections to FortiGate interfaces.
  Static — the static routes that have been added to the routing table manually. For more information see "Static Route" on page 280.
  RIP — all routes learned through RIP. For more information see "RIP" on page 289.
  OSPF — all routes learned through OSPF. For more information see "OSPF" on page 294.
  BGP — all routes learned through BGP. For more information see "BGP" on page 302.
  HA — RIP, OSPF, and BGP routes synchronized between the primary unit and the subordinate units of a high availability (HA) cluster. HA routes are maintained on subordinate units and are visible only if you are viewing the router monitor from a virtual domain that is configured as a subordinate virtual domain in a virtual cluster. For details about HA routing synchronization, see the FortiGate High Availability User Guide.
Network: Enter an IP address and netmask (for example, 172.16.14.0/24) to search the routing table and display routes that match the specified network.
Gateway: Enter an IP address and netmask (for example, 192.168.12.1/32) to search the routing table and display routes that match the specified gateway.
Apply Filter: Select to search the entries in the routing table based on the specified search criteria and display any matching routes.
Type: The type values assigned to FortiGate routes (Static, Connected, RIP, OSPF, or BGP).
Subtype: If applicable, the subtype classification assigned to OSPF routes:
  • An empty string implies an intra-area route. The destination is in an area to which the FortiGate unit is connected.
  • OSPF inter area — the destination is in the OSPF AS, but the FortiGate unit is not connected to that area.
  • External 1 — the destination is outside the OSPF AS. The metric of a redistributed route is calculated by adding the external cost and the OSPF cost together.
  • External 2 — the destination is outside the OSPF AS. In this case, the metric of the redistributed route is equivalent to the external cost only.
  • OSPF NSSA 1 — same as External 1, but the route was received through a not-so-stubby area (NSSA).
  • OSPF NSSA 2 — same as External 2, but the route was received through a not-so-stubby area.
Network: The IP addresses and network masks of destination networks that the FortiGate unit can reach.
Distance: The administrative distance associated with the route. A lower value is preferred; a value of 0 means the route is preferred over any other route to the same destination. To modify the administrative distance assigned to static routes, see "Adding a static route to the routing table" on page 284. To modify this distance for dynamic routes, see the FortiGate CLI Reference.
Metric: The metric associated with the route type. The metric of a route influences how the FortiGate unit dynamically adds it to the routing table. The following are the types of metrics and when they are applied:
  • Hop count — routes learned through RIP.
  • Relative cost — routes learned through OSPF, expressed as an OSPF cost.
  • Multi-Exit Discriminator (MED) — routes learned through BGP. However, several attributes in addition to MED determine the best path to a destination network.
Gateway: The IP addresses of gateways to the destination networks.

Interface: The interface through which packets are forwarded to the gateway of the destination network.
Up Time: The total accumulated amount of time that a route learned through RIP, OSPF, or BGP has been reachable.

Searching the FortiGate routing table

You can apply a filter to search the routing table and display certain routes only. For example, you can display one or more static routes, connected routes, routes learned through RIP, OSPF, or BGP, and routes associated with the network or gateway that you specify.

If you want to search the routing table by route type and further limit the display according to network or gateway, all of the values that you specify as search criteria must match corresponding values in the same routing table entry in order for that entry to be displayed (an implicit AND condition is applied to all of the search parameters you specify). For example, if the FortiGate unit is connected to network 172.16.14.0/24 and you want to display all directly connected routes to network 172.16.14.0/24, you must select Connected from the Type list, type 172.16.14.0/24 in the Network field, and then select Apply Filter to display the associated routing table entry or entries. Any entry that contains the word "Connected" in its Type field and the specified value in its Network field will be displayed.

To search the FortiGate routing table
1 Go to Router > Monitor > Routing Monitor.
2 From the Type list, select the type of route to display. For example, select Connected to display all connected routes, or select RIP to display all routes learned through RIP.
3 If you want to display routes to a specific network, type the IP address and netmask of the network in the Network field.
4 If you want to display routes to a specific gateway, type the IP address of the gateway in the Gateway field.
5 Select Apply Filter.

Note: All of the values that you specify as search criteria must match corresponding values in the same routing table entry in order for that entry to be displayed.
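The following is an added example, not part of the FortiGate guide and not FortiOS code. It filters a routing table the way the Routing Monitor search does, with the implicit AND across Type, Network and Gateway described above, and it selects the installed route per destination by the Distance and Metric columns: lowest administrative distance first, metric only to break a tie. That preference order is the general routing rule, not a FortiGate-specific statement from the guide. The table entries are constructed; the interface names are the port1, port4 and lan names used for Figure 187, and connected routes are given a gateway of 0.0.0.0 as a convention of the example.

```python
"""Routing Monitor style filtering (implicit AND) and distance/metric preference."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RouteEntry:
    route_type: str    # Connected, Static, RIP, OSPF, BGP
    subtype: str       # OSPF subtype, "" for intra-area or not applicable
    network: str
    distance: int
    metric: int
    gateway: str       # "0.0.0.0" for directly connected networks (example convention)
    interface: str


def filter_routes(table: List[RouteEntry], route_type: str = "All",
                  network: Optional[str] = None,
                  gateway: Optional[str] = None) -> List[RouteEntry]:
    """Every criterion supplied must match the same entry (implicit AND)."""
    want_net = ip_network(network, strict=False) if network else None
    want_gw = ip_network(gateway, strict=False) if gateway else None
    out = []
    for e in table:
        if route_type != "All" and e.route_type != route_type:
            continue
        if want_net is not None and ip_network(e.network, strict=False) != want_net:
            continue
        if want_gw is not None and ip_address(e.gateway) not in want_gw:
            continue
        out.append(e)
    return out


def best_routes(table: List[RouteEntry]) -> Dict[str, RouteEntry]:
    """Per destination: lowest distance wins; metric breaks ties at equal distance."""
    best: Dict[str, RouteEntry] = {}
    for e in table:
        cur = best.get(e.network)
        if cur is None or (e.distance, e.metric) < (cur.distance, cur.metric):
            best[e.network] = e
    return best


# Constructed table: 10.20.0.0/16 is learned twice, by OSPF (cost 20) and RIP (3 hops).
TABLE = [
    RouteEntry("Connected", "", "172.16.14.0/24", 0, 0, "0.0.0.0", "port1"),
    RouteEntry("Static", "", "0.0.0.0/0", 10, 0, "192.168.12.1", "port4"),
    RouteEntry("OSPF", "inter area", "10.20.0.0/16", 110, 20, "172.16.14.2", "port1"),
    RouteEntry("RIP", "", "10.20.0.0/16", 120, 3, "172.16.14.3", "port1"),
    RouteEntry("BGP", "", "10.30.0.0/16", 20, 0, "192.168.12.1", "port4"),
    RouteEntry("Connected", "", "192.168.12.0/24", 0, 0, "0.0.0.0", "lan"),
]

if __name__ == "__main__":
    print(filter_routes(TABLE, "Connected", network="172.16.14.0/24"))   # one entry
    print(filter_routes(TABLE, "RIP", network="172.16.14.0/24"))         # none: AND
    print(filter_routes(TABLE, gateway="192.168.12.1/32"))               # Static and BGP
    print(best_routes(TABLE)["10.20.0.0/16"].route_type)                 # OSPF
```

The RIP route to 10.20.0.0/16 has the smaller metric, but metrics are only comparable within one protocol; the OSPF route wins on distance, which is what the Distance column is there to show.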


Firewall Policy

Firewall policies control all traffic attempting to pass through the FortiGate unit, between FortiGate interfaces, zones, and VLAN subinterfaces. Firewall policies are instructions the FortiGate unit uses to decide connection acceptance and packet processing for traffic attempting to pass through. When the firewall receives a connection packet, it analyzes the packet's source address, destination address, and service (by port number), and attempts to locate a firewall policy matching the packet.

Firewall policies can contain many instructions for the FortiGate unit to follow when it receives matching packets. Some instructions are required, such as whether to drop or accept and process the packets, while other instructions, such as logging and authentication, are optional. Policy instructions may include network address translation (NAT) or port address translation (PAT), by using virtual IPs or IP pools to translate source and destination IP addresses and port numbers. For details on using virtual IPs and IP pools, see "Firewall Virtual IP" on page 365. Policy instructions may also include protection profiles, which can specify application-layer inspection and other protocol-specific protection and logging. For details on using protection profiles, see "Firewall Protection Profile" on page 397.

If you enable virtual domains (VDOMs) on the FortiGate unit, firewall policies are configured separately for each virtual domain, and you must first enter the virtual domain to configure its firewall policies. For details, see "Using virtual domains" on page 103.

This section describes:
• How list order affects policy matching
• Multicast policies
• Viewing the firewall policy list
• Configuring firewall policies
• Firewall policy examples

How list order affects policy matching

Each time a FortiGate unit receives a connection attempting to pass through one of its interfaces, the unit searches its firewall policy list for a matching firewall policy. The search begins at the top of the policy list and progresses in order towards the bottom. Matching firewall policies are determined by comparing the firewall policy and the packet's:
• source and destination interfaces
• source and destination firewall addresses
• services
• time/schedule.

The FortiGate unit evaluates each policy in the firewall policy list for a match until a match is found. When the FortiGate unit finds the first matching policy, it applies the matching policy's specified actions to the packet and disregards subsequent firewall policies.

If no policy matches, the connection is dropped.

Note: A default firewall policy may exist which accepts all connections. You can move, disable or delete it. If you move the default policy to the bottom of the firewall policy list and no other policy matches the packet, the connection will be accepted. If you disable or delete the default policy and no other policy matches the packet, the connection will be dropped.

As a general rule, you should order the firewall policy list from most specific to most general, because of the order in which policies are evaluated for a match and because only the first matching firewall policy is applied to a connection. Subsequent possible matches are not considered or applied. Ordering policies from most specific to most general prevents policies that match a wide range of traffic from superseding and effectively masking policies that match exceptions.

For example, you might have a general policy that allows all connections from the internal network to the Internet, but want to make an exception that blocks FTP. In this case, you would add a policy that denies FTP connections above the general policy.

Figure 188: Example: Blocking FTP — Correct policy order (Exception above General)

FTP connections would immediately match the deny policy, blocking the connection. Other kinds of services do not match the FTP policy, and so policy evaluation would continue until reaching the matching general policy. This policy order has the intended effect.

But if you reversed the order of the two policies, positioning the general policy before the policy to block FTP, all connections, including FTP, would immediately match the general policy, and the policy to block FTP would never be applied. This policy order would not have the intended effect.

Figure 189: Example: Blocking FTP — Incorrect policy order (General above Exception)

Similarly, if specific traffic requires authentication, IPSec VPN, or SSL VPN, you would position those policies above other potential matches in the policy list. Otherwise, the other matching policies could always take precedence, and the required authentication, IPSec VPN, or SSL VPN might never occur.

Moving a policy to a different position in the policy list

You can arrange the firewall policy list to influence the order in which policies are evaluated for matches with incoming traffic. When more than one policy has been defined for the same interface pair, the first matching firewall policy will be applied to the traffic session. For more information, see "How list order affects policy matching" on page 319. Moving a policy in the firewall policy list does not change its ID, which only indicates the order in which the policy was created.

Figure 190: Move Policy
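The following is an added example, not part of the FortiGate guide and not FortiOS code. It is a first-match policy evaluator that reproduces the FTP example above: a policy matches a session when the source and destination interfaces, the source and destination addresses, the service and the schedule all match; the first matching policy in list order decides and the rest of the list is never consulted; a session that matches nothing is dropped. CORRECT_ORDER and INCORRECT_ORDER are the two lists from Figures 188 and 189, with the exception policy carrying the higher ID because it was created second, as the text on policy IDs describes. The interface names, addresses, the schedule model (weekdays plus an hour range) and the audit helper are constructed for the example.

```python
"""First-match firewall policy evaluation and a shadowed-policy audit."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence, Tuple, Union


@dataclass(frozen=True)
class Schedule:
    days: Sequence[int]   # datetime.weekday() values, Monday = 0
    start_hour: int
    end_hour: int         # exclusive

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour


ALWAYS = Schedule(range(7), 0, 24)
BUSINESS_HOURS = Schedule(range(5), 8, 18)
ALL_SERVICES = "ALL"
FTP = (("tcp", 21),)
HTTP = (("tcp", 80),)
SSH = (("tcp", 22),)


@dataclass(frozen=True)
class Policy:
    policy_id: int      # assigned at creation; does not change when the policy is moved
    src_intf: str
    dst_intf: str
    src_addr: str       # "all" or a CIDR
    dst_addr: str
    service: Union[str, Tuple[Tuple[str, int], ...]]
    schedule: Schedule
    action: str         # "accept" or "deny"


@dataclass(frozen=True)
class Session:
    src_intf: str
    dst_intf: str
    src_ip: str
    dst_ip: str
    proto: str
    dport: int
    when: datetime


def _addr_match(spec: str, ip: str) -> bool:
    return spec == "all" or ip_address(ip) in ip_network(spec, strict=False)


def _service_match(spec, proto: str, dport: int) -> bool:
    return spec == ALL_SERVICES or (proto, dport) in spec


def policy_matches(p: Policy, s: Session) -> bool:
    return (p.src_intf == s.src_intf and p.dst_intf == s.dst_intf
            and _addr_match(p.src_addr, s.src_ip) and _addr_match(p.dst_addr, s.dst_ip)
            and _service_match(p.service, s.proto, s.dport)
            and p.schedule.active(s.when))


def decide(policies: List[Policy], s: Session) -> Tuple[str, Optional[int]]:
    """First match wins; later policies are not consulted. No match: dropped."""
    for p in policies:
        if policy_matches(p, s):
            return p.action, p.policy_id
    return "deny", None


def audit_shadowed(policies: List[Policy], probes: List[Session]) -> List[int]:
    """IDs of policies that never decide any probe session: candidates for being
    masked by a more general policy above them."""
    winners = {decide(policies, s)[1] for s in probes}
    return [p.policy_id for p in policies if p.policy_id not in winners]


# Constructed policies: ID 1 (general) was created first, ID 2 (the FTP exception) second.
GENERAL = Policy(1, "internal", "wan1", "all", "all", ALL_SERVICES, ALWAYS, "accept")
BLOCK_FTP = Policy(2, "internal", "wan1", "all", "all", FTP, ALWAYS, "deny")
ADMIN_SSH = Policy(3, "internal", "wan1", "10.0.5.0/24", "all", SSH, BUSINESS_HOURS, "accept")
CORRECT_ORDER = [BLOCK_FTP, GENERAL]      # Figure 188: exception above general
INCORRECT_ORDER = [GENERAL, BLOCK_FTP]    # Figure 189: general masks the exception

if __name__ == "__main__":
    t = datetime(2009, 4, 24, 10, 0)   # a Friday, 10:00
    ftp = Session("internal", "wan1", "10.0.1.5", "203.0.113.10", "tcp", 21, t)
    http = Session("internal", "wan1", "10.0.1.5", "203.0.113.10", "tcp", 80, t)
    print(decide(CORRECT_ORDER, ftp), decide(INCORRECT_ORDER, ftp))
    print(audit_shadowed(INCORRECT_ORDER, [ftp, http]))   # [2]: the exception never wins
```

The audit helper is the check worth keeping: after re-ordering or inserting policies, run a handful of representative sessions through the list and look for policies that never decide anything.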

fortinet. go to System > VDOM. and in the row corresponding to the VDOM whose policies you want to configure. 2 In the firewall policy list. delete. see “How list order affects policy matching” on page 319 and “Moving a policy to a different position in the policy list” on page 320. you must access the VDOM before you can configure its policies. To view the policy list. select Enter. If virtual domains are enabled on the FortiGate unit.Firewall Policy Multicast policies To move a firewall policy in the firewall policy list 1 Go to Firewall > Policy. You can configure and create multicast policies using the following CLI command: config firewall multicast-policy For more information.0 Administration Guide 01-400-89802-20090424 http://docs.com/ • Feedback 321 . 4 Select Before or After. edit. You can add. see the FortiOS CLI Reference and the FortiGate Multicast Technical Note. For details about arranging policies in a policy list. select the Move To icon. and enter the ID of the firewall policy that is before or after your intended destination. Figure 191: Firewall policy list Filter Delete Edit Insert Policy before Move To FortiGate Version 4. 5 Select OK. go to Firewall > Policy. This specifies the policy’s new position in the firewall policy list. and re-order policies in the policy list. note the ID of a firewall policy that is before or after your intended destination. Multicast policies FortiGate units support multicast policies. firewall policies are configured separately for each virtual domain. 3 In the row corresponding to the firewall policy that you want to move. To access a VDOM. Firewall policy order affects policy matching. Viewing the firewall policy list The firewall policy list displays firewall policies in their order of matching precedence for each source and destination interface pair.

Create New: Add a firewall policy. Select the down arrow beside Create New to add a firewall policy or firewall policy section. A firewall policy section visually groups firewall policies. For more information, see "Configuring firewall policies" on page 323.
Column Settings: Customize the table view. You can select the columns to hide or display and specify the column display order in the table. For more information, see "Using column settings to control the columns displayed" on page 58 and "Web-based manager icons" on page 60.
Section View: Select to display firewall policies organized by source and destination interfaces. Note: Section View is not available if any policy selects Any as the source or destination interface.
Global View: Select to list all firewall policies in order according to a sequence number.
Filter icons: Edit the column filters to filter or sort the policy list according to the criteria you specify. For more information, see "Adding filters to web-based manager lists" on page 53.
ID: The policy identifier. Policies are numbered in the order they are added to the policy list.
From: The source interface of the policy. Global View only.
To: The destination interface of the policy. Global View only.
Source: The source address or address group to which the policy applies. For more information, see "Firewall Address" on page 345.
Destination: The destination address or address group to which the policy applies. For more information, see "Firewall Address" on page 345.
Schedule: The schedule that controls when the policy should be active. For more information, see "Firewall Schedule" on page 361.
Service: The service to which the policy applies. For more information, see "Firewall Service" on page 351.
Profile: The protection profile that is associated with the policy.
Action: The response to make when the policy matches a connection attempt.
Status: Select the checkbox to enable a policy or deselect it to disable a policy.
VPN Tunnel: The VPN tunnel the VPN policy uses.
Authentication: The user authentication method the policy uses.
Comments: Comments entered when creating or editing the policy.
Log: A green check mark indicates traffic logging is enabled for the policy; a grey cross mark indicates traffic logging is disabled for the policy.
Count: The FortiGate unit counts the number of packets and bytes that hit the firewall policy. For example, 5/50B means that five packets and 50 bytes in total have hit the policy. The counter is reset when the FortiGate unit is restarted or the policy is deleted and re-configured.
Delete icon: Delete the policy from the list.
Edit icon: Edit the policy.
Insert Policy Before icon: Add a new policy above the corresponding policy (the New Policy screen appears).
Move To icon: Move the corresponding policy before or after another policy in the list. For more information, see "Moving a policy to a different position in the policy list" on page 320.

Configuring firewall policies
You can configure firewall policies to define which sessions will match the policy and what actions the FortiGate unit will perform with packets from matching sessions.
Sessions are matched to a firewall policy by considering these features of both the packet and policy:
• Source Interface/Zone
• Source Address
• Destination Interface/Zone
• Destination Address
• schedule and time of the session’s initiation
• service and the packet’s port numbers.
If the initial packet matches the firewall policy, the FortiGate unit performs the configured Action and any other configured options on all packets in the session.
Packet handling actions can be ACCEPT, DENY, IPSEC or SSL-VPN.
• ACCEPT policy actions permit communication sessions, and may optionally include other packet processing instructions, such as requiring authentication to use the policy, or specifying a protection profile to apply features such as virus scanning to packets in the session. An ACCEPT policy can also apply to interface-mode IPSec VPN traffic if either the selected source or destination interface is an IPSec virtual interface. For more information, see “Overview of IPSec VPN configuration” on page 531.
• DENY policy actions block communication sessions, and may optionally log the denied traffic.
• IPSEC and SSL-VPN policy actions apply a tunnel mode IPSec VPN or SSL VPN tunnel, respectively, and may optionally apply NAT and allow traffic for one or both directions. If permitted by the firewall encryption policy, a tunnel may be initiated automatically whenever a packet matching the policy arrives on the specified network interface, destined for the local private network.
Firewall policy order affects policy matching. Policies are evaluated from the top of the list and the first policy that matches the session is applied, so a broad policy placed above a narrower one prevents the narrower one from ever matching. Each time that you create or edit a policy, make sure that you position it in the correct location in the list. You can create a new policy and position it right away before an existing one in the firewall policy list, by selecting Insert Policy before (see “Viewing the firewall policy list” on page 321).
Note: You can configure differentiated services (DSCP) firewall policy options through the CLI. See the “firewall” chapter of the FortiGate CLI Reference.
To add or edit a firewall policy, go to Firewall > Policy. Select Create New to add a policy or select the edit icon beside an existing firewall policy. Configure the settings as described in the following table and in the references to specific features for IPSec, SSL VPN and other specialized settings.
• If you want to use IPv6 firewall addresses in your firewall policy, first go to System > Admin > Settings, select “IPv6 Support on GUI”, and then select OK. Then go to Firewall > Policy > IPv6 Policy, and configure the settings according to the following table.
• If you want to create a DoS policy, go to Firewall > Policy > DoS Policy, and configure the settings according to the following table. For more information, see “DoS policies” on page 337.
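The matching criteria and the first-match evaluation described above are what make list order a security control: a broad ACCEPT placed above a narrower DENY means the DENY can never match. The following Python is an added example, not code from this guide or from Fortinet, that models the six matching criteria, top-to-bottom evaluation with the implicit deny, a Move To > Before reordering, and a conservative check for policies that an earlier policy completely covers. The interface names port1 and port2, the addresses, the services and the sessions are constructed sample data; the model handles only the ACCEPT and DENY actions and recurring schedules.

```python
# Added example (not from the FortiGate guide): first-match policy evaluation
# and a check for policies that an earlier policy shadows.
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "any"   # the "Any" interface choice in the web-based manager
ALL = "all"   # the predefined "all" firewall address


@dataclass(frozen=True)
class Service:
    name: str
    proto: str    # "tcp", "udp" or ANY
    ports: range  # destination port range


ALL_SVC = Service("ALL", ANY, range(0, 65536))
HTTP = Service("HTTP", "tcp", range(80, 81))
TELNET = Service("TELNET", "tcp", range(23, 24))


@dataclass(frozen=True)
class Policy:
    id: int
    srcintf: str
    srcaddr: str                      # CIDR string or ALL
    dstintf: str
    dstaddr: str
    services: Tuple[Service, ...]
    action: str                       # "ACCEPT" or "DENY" (IPSEC/SSL-VPN not modelled)
    schedule: Optional[Tuple[time, time]] = None  # recurring window; None = always


@dataclass(frozen=True)
class Session:
    srcintf: str
    src: str
    dstintf: str
    dst: str
    proto: str
    dport: int
    started: datetime


def matches(p: Policy, s: Session) -> bool:
    """All six criteria must match the session's initial packet."""
    return ((p.srcintf == ANY or p.srcintf == s.srcintf)
            and (p.srcaddr == ALL or ip_address(s.src) in ip_network(p.srcaddr))
            and (p.dstintf == ANY or p.dstintf == s.dstintf)
            and (p.dstaddr == ALL or ip_address(s.dst) in ip_network(p.dstaddr))
            and (p.schedule is None or p.schedule[0] <= s.started.time() <= p.schedule[1])
            and any((sv.proto == ANY or sv.proto == s.proto) and s.dport in sv.ports
                    for sv in p.services))


def decide(policies: List[Policy], s: Session) -> str:
    """Top to bottom, first match wins; no match falls through to the implicit deny."""
    for p in policies:
        if matches(p, s):
            return p.action
    return "DENY"


def _covers(a: Policy, b: Policy) -> bool:
    """True if every session b could match is already matched by the earlier policy a."""
    def intf(x, y): return x == ANY or x == y
    def addr(x, y): return x == ALL or (y != ALL and ip_network(y).subnet_of(ip_network(x)))
    def svc(x, y): return ((x.proto == ANY or x.proto == y.proto)
                           and y.ports.start >= x.ports.start and y.ports.stop <= x.ports.stop)
    return (intf(a.srcintf, b.srcintf) and addr(a.srcaddr, b.srcaddr)
            and intf(a.dstintf, b.dstintf) and addr(a.dstaddr, b.dstaddr)
            and (a.schedule is None or a.schedule == b.schedule)
            and all(any(svc(sa, sb) for sa in a.services) for sb in b.services))


def shadowed(policies: List[Policy]) -> List[int]:
    """IDs of policies that can never match because an earlier policy covers them."""
    return [p.id for i, p in enumerate(policies)
            if any(_covers(q, p) for q in policies[:i])]


def move_before(policies: List[Policy], moving_id: int, target_id: int) -> List[Policy]:
    """The web-based manager's Move To > Before, as a pure function on the list."""
    moving = next(p for p in policies if p.id == moving_id)
    rest = [p for p in policies if p.id != moving_id]
    idx = next(i for i, p in enumerate(rest) if p.id == target_id)
    return rest[:idx] + [moving] + rest[idx:]


# Constructed sample configuration: a broad ACCEPT added first, a narrow DENY added later.
PERMIT_ALL = Policy(1, "port1", ALL, "port2", ALL, (ALL_SVC,), "ACCEPT")
BLOCK_TELNET = Policy(2, "port1", "10.0.0.0/24", "port2", "203.0.113.10/32", (TELNET,), "DENY")
OFFICE_HOURS_WEB = Policy(3, "port1", ALL, "port2", ALL, (HTTP,), "ACCEPT", (time(8), time(18)))

MISORDERED = [PERMIT_ALL, BLOCK_TELNET]
REORDERED = move_before(MISORDERED, moving_id=2, target_id=1)

TELNET_SESSION = Session("port1", "10.0.0.25", "port2", "203.0.113.10", "tcp", 23,
                         datetime(2009, 4, 24, 10, 0))
DAY_WEB_SESSION = Session("port1", "10.0.0.25", "port2", "198.51.100.3", "tcp", 80,
                          datetime(2009, 4, 24, 10, 0))
LATE_WEB_SESSION = Session("port1", "10.0.0.25", "port2", "198.51.100.3", "tcp", 80,
                           datetime(2009, 4, 24, 23, 0))

if __name__ == "__main__":
    print("misordered:", decide(MISORDERED, TELNET_SESSION), "shadowed:", shadowed(MISORDERED))
    print("reordered: ", decide(REORDERED, TELNET_SESSION), "shadowed:", shadowed(REORDERED))
    print("outside schedule:", decide([OFFICE_HOURS_WEB], LATE_WEB_SESSION))
```

Run against the constructed list, the Telnet session is accepted while policy 2 is below policy 1 and shadowed() reports policy 2; after move_before() the same session is denied and nothing is shadowed. The shadowing check is deliberately conservative: it flags a policy only when one earlier policy covers its whole source, destination, schedule and service space, so partial overlaps still need a human review of the list.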

Figure 192: Firewall Policy options

Source Interface/Zone: Select the name of the FortiGate network interface, virtual domain (VDOM) link, or zone on which IP packets are received. Interfaces and zones are configured on the System Network page. For more information, see “Interfaces” on page 119 and “Configuring zones” on page 138. If you select Any as the source interface, the policy matches all interfaces as source. If Action is set to IPSEC, the interface is associated with the local private network. If Action is set to SSL-VPN, the interface is associated with connections from remote SSL VPN clients.
Source Address: Select the name of a firewall address to associate with the Source Interface/Zone. Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy. You can also create firewall addresses by selecting Create New from this list. For more information, see “Configuring addresses” on page 347. If you want to associate multiple firewall addresses or address groups with the Source Interface/Zone, from Source Address, select Multiple. In the dialog box, move the firewall addresses or address groups from the Available Addresses section to the Members section, then select OK. If Action is set to IPSEC, the address is the private IP address of the host, server, or network behind the FortiGate unit. If Action is set to SSL-VPN and the policy is for web-only mode clients, select all. If Action is set to SSL-VPN and the policy is for tunnel mode clients, select the name of the address that you reserved for tunnel mode clients.

Destination Interface/Zone: Select the name of the FortiGate network interface, virtual domain (VDOM) link, or zone to which IP packets are forwarded. Interfaces and zones are configured on the System Network page. For more information, see “Interfaces” on page 119 and “Configuring zones” on page 138. If you select Any as the destination interface, the policy matches all interfaces as destination. If Action is set to IPSEC, the interface is associated with the entrance to the VPN tunnel. If Action is set to SSL-VPN, the interface is associated with the local private network.
Destination Address: Select the name of a firewall address to associate with the Destination Interface/Zone. Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy. You can also create firewall addresses by selecting Create New from this list. For more information, see “Configuring addresses” on page 347. If you want to associate multiple firewall addresses or address groups with the Destination Interface/Zone, from Destination Address, select Multiple. In the dialog box, move the firewall addresses or address groups from the Available Addresses section to the Members section, then select OK. If you select a virtual IP, the FortiGate unit applies NAT or PAT. The applied translation varies by the settings specified in the virtual IP, and whether you select NAT (below). For more information on using virtual IPs, see “Firewall Virtual IP” on page 365. If Action is set to IPSEC, the address is the private IP address to which packets may be delivered at the remote end of the VPN tunnel. If Action is set to SSL-VPN, select the name of the IP address that corresponds to the host, server, or network that remote clients need to access behind the FortiGate unit.
Schedule: Select a one-time or recurring schedule that controls when the policy is in effect. You can also create schedules by selecting Create New from this list. For more information, see “Firewall Schedule” on page 361.
Service: Select the name of a firewall service or service group that packets must match to trigger this policy. You can select from a wide range of predefined firewall services, or you can create a custom service or service group by selecting Create New from this list. For more information, see “Configuring custom services” on page 357 and “Configuring service groups” on page 359. By selecting the Multiple button beside Service, you can select multiple services or service groups.
Action: Select how you want the firewall to respond when a packet matches the conditions of the policy. The options available will vary widely depending on this selection.
ACCEPT: Accept traffic matched by the policy. You can configure NAT, protection profiles, log traffic, shape traffic, set authentication options, or add a comment to the policy.
DENY: Reject traffic matched by the policy. The only other configurable policy options are Log Violation Traffic, to log the connections denied by this policy, and adding a Comment.
IPSEC: You can configure an IPSec firewall encryption policy to process IPSec VPN packets. You can also configure NAT and protection profiles, log traffic, shape traffic or add a comment to the policy. See “IPSec firewall policy options” on page 330.
SSL-VPN: You can configure an SSL-VPN firewall encryption policy to accept SSL VPN traffic. This option is available only after you have added an SSL-VPN user group. You can also configure protection profiles, log traffic, shape traffic or add a comment to the policy. See “Configuring SSL VPN identity-based firewall policies” on page 331.

NAT: Enable or disable Network Address Translation (NAT) of the source address and port of packets accepted by the policy. Available only if Action is set to ACCEPT or SSL-VPN. When NAT is enabled, you can also configure Dynamic IP Pool and Fixed Port. If you select a virtual IP as the Destination Address, but do not select the NAT option, the FortiGate unit performs destination NAT (DNAT) rather than full NAT. Source NAT (SNAT) is not performed.
Dynamic IP Pool: Select the check box, then select an IP pool to translate the source address to an IP address randomly selected from addresses in the IP Pool. An IP pool can only be associated with an interface. IP Pool cannot be selected if the destination interface, VLAN subinterface, or one of the interfaces or VLAN subinterfaces in the destination zone is configured using DHCP or PPPoE, or if you have selected a Destination Interface to which no IP Pools are bound. You cannot use IP pools when using zones. For more information, see “IP pools” on page 381.
Fixed Port: Select Fixed Port to prevent NAT from translating the source port. Some applications do not function correctly if the source port is translated. In most cases, if Fixed Port is selected, Dynamic IP Pool is also selected. If Dynamic IP Pool is not selected, a policy with Fixed Port selected can allow only one connection to that service at a time.
Protection Profile: Select a protection profile to apply antivirus, web filtering, web category filtering, spam filtering, IPS, content archiving, and logging to a firewall policy. You can also create a protection profile by selecting Create New from this list. For more information, see “Firewall Protection Profile” on page 397. If you intend to apply authentication to this policy, do not make a Protection Profile selection: the user group you choose for authentication is already linked to a protection profile. For more information, see “Adding authentication to firewall policies” on page 327.
Traffic Shaping: Select a traffic shaper for the policy. You can also select to create a new traffic shaper. Traffic Shaping controls the bandwidth available to, and sets the priority of the traffic processed by, the policy. For information about traffic shaping, see “Traffic Shaping” on page 423. Note: To ensure that traffic shaping is working at its best, make sure that the interface ethernet statistics show no errors, collisions, or buffer overruns. If any of these problems do appear, then FortiGate and switch settings may require adjusting.
Guaranteed Bandwidth: Select a value to ensure there is enough bandwidth available for a high-priority service. Be sure that the sum of all Guaranteed Bandwidth in all firewall policies is significantly less than the bandwidth capacity of the interface.
Maximum Bandwidth: Select to limit bandwidth in order to keep less important services from using bandwidth needed for more important ones. Do not set both Guaranteed Bandwidth and Maximum Bandwidth to 0 (zero), or the policy will not allow any traffic.
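The NAT, Dynamic IP Pool, Fixed Port and virtual IP options described above combine in ways that are easy to get wrong when writing a policy. The following Python is an added example, not code from this guide or from Fortinet, that models those combinations on constructed sample sessions: a virtual IP with NAT cleared gives destination NAT only, so the server still sees the client’s real source address; with NAT selected the source becomes the egress interface address or an address from the pool; Fixed Port without a pool admits only one session per source port, which the model reports as a conflict. The addresses, the port allocation order and the seeded random pool selection are assumptions made for the example.

```python
# Added example (not from the FortiGate guide): how the NAT, Dynamic IP Pool,
# Fixed Port and virtual IP policy options combine on one session.
from dataclasses import dataclass
from typing import Optional, Set, Tuple
import random


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class VirtualIP:
    extip: str
    mappedip: str
    extport: Optional[int] = None     # None = static NAT, all ports mapped 1:1
    mappedport: Optional[int] = None


@dataclass(frozen=True)
class NatOptions:
    nat: bool = False                 # the NAT check box
    ippool: Tuple[str, ...] = ()      # Dynamic IP Pool; empty = egress interface address
    fixedport: bool = False           # the Fixed Port check box
    vip: Optional[VirtualIP] = None   # destination address is a virtual IP


class FixedPortConflict(Exception):
    """Fixed Port and no free (address, source port) pair: the session cannot be set up."""


class Translator:
    def __init__(self, egress_ip: str, seed: int = 0):
        self.egress_ip = egress_ip
        self.rng = random.Random(seed)             # the unit picks pool addresses at random
        self.in_use: Set[Tuple[str, int]] = set()  # translated (source ip, source port) pairs

    def translate(self, flow: Flow, opts: NatOptions) -> Flow:
        dst, dport = flow.dst, flow.dport
        # Destination NAT happens whenever the destination is a virtual IP, NAT box or not.
        if opts.vip is not None and flow.dst == opts.vip.extip:
            dst = opts.vip.mappedip
            if opts.vip.extport is not None and dport == opts.vip.extport:
                dport = opts.vip.mappedport
        if not opts.nat:
            # DNAT only: the server sees the client's real source address and port.
            return Flow(flow.src, flow.sport, dst, dport)
        candidates = list(opts.ippool) or [self.egress_ip]
        if opts.fixedport:
            # Keep the source port; without a pool only one session per source port fits.
            for ip in candidates:
                if (ip, flow.sport) not in self.in_use:
                    self.in_use.add((ip, flow.sport))
                    return Flow(ip, flow.sport, dst, dport)
            raise FixedPortConflict(f"source port {flow.sport} already in use on {candidates}")
        ip = self.rng.choice(candidates)
        sport = next(p for p in range(1024, 65536) if (ip, p) not in self.in_use)
        self.in_use.add((ip, sport))
        return Flow(ip, sport, dst, dport)


# Constructed sample: public virtual IPs in front of internal servers.
WEB_VIP = VirtualIP(extip="203.0.113.5", mappedip="10.0.0.80")
RDP_VIP = VirtualIP(extip="203.0.113.5", mappedip="10.0.0.90", extport=33890, mappedport=3389)
CLIENT_A = Flow("198.51.100.7", 40000, "203.0.113.5", 80)
CLIENT_B = Flow("198.51.100.8", 40000, "203.0.113.5", 80)


def dnat_only() -> Flow:
    return Translator("10.0.0.1").translate(CLIENT_A, NatOptions(nat=False, vip=WEB_VIP))


def full_nat() -> Flow:
    return Translator("10.0.0.1").translate(CLIENT_A, NatOptions(nat=True, vip=WEB_VIP))


def fixed_port_without_pool() -> str:
    t = Translator("10.0.0.1")
    opts = NatOptions(nat=True, fixedport=True, vip=WEB_VIP)
    t.translate(CLIENT_A, opts)
    try:
        t.translate(CLIENT_B, opts)   # same source port 40000, no second address available
    except FixedPortConflict:
        return "conflict"
    return "ok"


def fixed_port_with_pool() -> Tuple[Flow, Flow]:
    t = Translator("10.0.0.1")
    opts = NatOptions(nat=True, fixedport=True, ippool=("192.0.2.10", "192.0.2.11"), vip=WEB_VIP)
    return t.translate(CLIENT_A, opts), t.translate(CLIENT_B, opts)


def port_forward() -> Flow:
    return Translator("10.0.0.1").translate(Flow("198.51.100.7", 5000, "203.0.113.5", 33890),
                                            NatOptions(nat=False, vip=RDP_VIP))


if __name__ == "__main__":
    for fn in (dnat_only, full_nat, fixed_port_without_pool, fixed_port_with_pool, port_forward):
        print(fn.__name__, "->", fn())
```

The DNAT-only case is the one to choose when server logs or access controls must see the real client address; full NAT hides it behind the FortiGate address. The two Fixed Port cases show why the guide pairs Fixed Port with a Dynamic IP Pool: the second address in the pool is what lets a second client keep the same source port.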
Enable Identity Based Policy: Select to configure firewall policies that require authentication. For more information, see “Adding authentication to firewall policies” on page 327.
Enable Endpoint Compliance Check: Available only on some models and only if Action is set to ACCEPT. Firewall policies can deny access for hosts that do not have FortiClient Endpoint Security software installed and operating. For details, see “Endpoint Compliance Check options” on page 336. You cannot enable Endpoint Compliance Check in firewall policies if Redirect HTTP Challenge to a Secure Channel (HTTPS) is enabled in User > Options > Authentication.
User Authentication Disclaimer: Available only on some models and only if Action is set to ACCEPT. Select this option to display the Authentication Disclaimer page (a replacement message) to the user. The user must accept the disclaimer to connect to the destination. You can use the disclaimer together with authentication or a protection profile.
Redirect URL: If you enter a URL, the user is redirected to the URL after authenticating and/or accepting the user authentication disclaimer.

Traffic Priority: Select High, Medium, or Low. Select Traffic Priority so the FortiGate unit manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server needed to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections. Be sure to enable traffic shaping on all firewall policies. If you do not apply any traffic shaping rule to a policy, the policy is set to high priority by default. Distribute firewall policies over all three priority queues.
Reverse Direction Traffic Shaping: Select to enable the reverse traffic shaping. For example, if the traffic direction that a policy controls is from port1 to port2, selecting this option will also apply the policy shaping configuration to traffic from port2 to port1.
Log Allowed Traffic: Select to record messages to the traffic log whenever the policy processes a connection. You must also enable traffic log for a logging location (syslog, WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging severity level to Notification or lower using the Log and Report screen. For more information see “Log&Report” on page 647.
Log Violation Traffic: Available only if Action is set to DENY. Select Log Violation Traffic, for Deny policies, to record messages to the traffic log whenever the policy processes a connection. You must also enable traffic log for a logging location (syslog, WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging severity level to Notification or lower using the Log and Report screen. For more information, see “Log&Report” on page 647.
Comments: Add information about the policy. The maximum length is 63 characters.

Adding authentication to firewall policies
If you enable Enable Identity Based Policy in a firewall policy, network users must send traffic involving a supported firewall authentication protocol to trigger the firewall authentication challenge, and successfully authenticate, before the FortiGate unit will allow any other traffic matching the firewall policy.
User authentication can occur through any of the following supported protocols:
• HTTP
• HTTPS
• FTP
• Telnet
The authentication style depends on which of these supported protocols you have included in the selected firewall services group and which of those enabled protocols the network user applies to trigger the authentication challenge. The authentication style will be one of two types:
• For user name and password-based (HTTP, FTP, and Telnet) authentication, the FortiGate unit prompts network users to input their firewall user name and password.
• For certificate-based (HTTPS, or HTTP redirected to HTTPS, only) authentication, you must install customized certificates on the FortiGate unit and on the browsers of network users, which the FortiGate unit matches.
For example, if you want to require HTTPS certificate-based authentication before allowing SMTP and POP3 traffic, you must select a firewall service (in the firewall policy) that includes the SMTP, POP3 and HTTPS services. Prior to using either POP3 or SMTP, the network user would send traffic using the HTTPS service, which the FortiGate unit would use to verify the network user’s certificate. Upon successful certificate-based authentication, the network user would then be able to access his or her email.

In most cases, you should ensure that users can use DNS through the FortiGate unit without authentication. If DNS is not available, users will not be able to use a domain name when using a supported authentication protocol to trigger the FortiGate unit’s authentication challenge.
Note: If you do not install certificates on the network users’ web browsers, the network users may see an SSL certificate warning message and have to manually accept the default FortiGate certificate, which their web browsers may deem invalid. For information on installing certificates, see “System Certificates” on page 243.
Note: When you use certificate authentication, if you do not specify a certificate when you create a firewall policy, the FortiGate unit uses the default certificate from the global settings. If you specify a certificate, the per-policy setting overrides the global setting. For information on global authentication settings, see “Options” on page 590.

Authentication requires that Action is ACCEPT or SSL-VPN, and that you first create users, assign them to a firewall user group, and assign a protection profile to that user group. For information on configuring user groups, see “User Group” on page 583. For information on configuring authentication settings, see “Identity-based firewall policy options (non-SSL-VPN)” on page 328 and “Configuring SSL VPN identity-based firewall policies” on page 331.

Identity-based firewall policy options (non-SSL-VPN)
For network users to use non-SSL-VPN identity-based policies, you need to add user groups to the policy. For information about configuring user groups, see “User Group” on page 583. To configure identity-based policies, go to Firewall > Policy, select Create New to add a firewall policy, or, in the row corresponding to an existing firewall policy, select Edit. Make sure that Action is set to ACCEPT. Select Enable Identity Based Policy.
Figure 193: Selecting user groups for authentication (icons: Edit, Delete)

Enable Identity Based Policy: Select to enable identity-based policy authentication. When the Action is set to ACCEPT, you can select one or more authentication server types. When a network user attempts to authenticate, the server types selected indicate which local or remote authentication servers the FortiGate unit will consult to verify the user’s credentials.
Add: Select to create an identity-based firewall policy. For more information, see “To create an identity-based firewall policy (non-SSL-VPN)” on page 329.
User Group: The selected user groups that must authenticate to be allowed to use this policy.
Schedule: The one-time or recurring schedule that controls when the policy is in effect. You can also create schedules by selecting Create New from this list. For more information, see “Firewall Schedule” on page 361.

Service: The firewall service or service group that packets must match to trigger this policy.
Profile: The protection profile to apply antivirus, web filtering, web category filtering, spam filtering, IPS, content archiving, and logging to this policy. You can also create a protection profile by selecting Create New from this list. For more information, see “Firewall Protection Profile” on page 397.
Traffic Shaping: The traffic shaping configuration for this policy. For more information, see “Firewall Policy” on page 319.
Reverse Direction Traffic Shaping: Select to enable the reverse traffic shaping. For example, if the traffic direction that a policy controls is from port1 to port2, selecting this option will also apply the policy shaping configuration to traffic from port2 to port1.
Log Traffic: If the Log Allowed Traffic option is selected when adding an identity-based policy, a green check mark appears. Otherwise, a white cross mark appears.
Delete icon: Select to remove this policy.
Edit icon: Select to modify this policy.
Firewall: Include firewall user groups defined locally on the FortiGate unit, as well as on any connected LDAP and RADIUS servers. This option is selected by default.
Directory Service (FSAE): Include Directory Service groups defined in User > User Group. The groups are authenticated through a domain controller using Fortinet Server Authentication Extensions (FSAE). If you select this option, you must install the FSAE on the Directory Service domain controller. For information about FSAE, see the FSAE Technical Note. For information about configuring user groups, see “User Group” on page 583.
NTLM Authentication: Include Directory Service groups defined in User > User Group. If you select this option, you must use Directory Service groups as the members of the authentication group for NTLM. For information about configuring user groups, see “User Group” on page 583.
Certificate: Certificate-based authentication only. Note: In order to implement certificate-based authentication, you must select a firewall service group that includes one of the supported authentication protocols that use certificate-based authentication. You should also install the certificate on the network user’s web browser. For more information, see “Adding authentication to firewall policies” on page 327.
Select the protection profile that guest accounts will use.

To create an identity-based firewall policy (non-SSL-VPN)
1 Go to Firewall > Policy > Policy and select Create New.
2 Configure Source Interface/Zone, Source Address, Destination Interface/Zone, Destination Address, Schedule, and Service. For more information, see “Configuring firewall policies” on page 323.
3 In the Action field, select ACCEPT.
4 Select the Enable Identity Based Policy check box. A table opens below the check box.
5 Select Add.

Figure 194: Creating identity-based firewall policies (icons: Right Arrow, Left Arrow)

6 From the Available User Groups list, select one or more user groups that must authenticate to be allowed to use this policy. Select the right arrow to move the selected user groups to the Selected User Groups list.
7 Select services in the Available Services list and then select the right arrow to move them to the Selected Services list.
8 Select a schedule from the Schedule drop-down list. There is no default.
9 Optionally, select a Protection Profile, enable User Authentication Disclaimer or Log Allowed Traffic.
10 Optionally, select Traffic Shaping and choose a traffic shaper.
11 Select OK.

IPSec firewall policy options
In a firewall policy (see “Configuring firewall policies” on page 323), the following encryption options are available for IPSec. To configure these options, go to Firewall > Policy, select Create New to add a firewall policy, or in the row corresponding to an existing firewall policy, select Edit. Make sure that Action is set to IPSEC. Enter the information in the following table and select OK.
Figure 195: IPSEC encryption policy

VPN Tunnel: Select the VPN tunnel name defined in the phase 1 configuration. The specified tunnel will be subject to this firewall encryption policy.
Allow Inbound: Select to enable traffic from a dialup client or computers on the remote private network to initiate the tunnel.
Allow Outbound: Select to enable traffic from computers on the local private network to initiate the tunnel.


Inbound NAT: Select to translate the source IP addresses of inbound decrypted packets into the IP address of the FortiGate interface to the local private network.
Outbound NAT: Select only in combination with a natip CLI value to translate the source addresses of outbound cleartext packets into the IP address that you specify. When a natip value is specified, the source addresses of outbound IP packets are replaced before the packets are sent through the tunnel. For more information, see the “firewall” chapter of the FortiGate CLI Reference.

Note: For a route-based (interface mode) VPN, you do not configure an IPSec firewall policy. Instead, you configure two regular ACCEPT firewall policies, one for each direction of communication, with the IPSec virtual interface as the source or destination interface as appropriate.

For more information, see the “Defining firewall policies” chapter of the FortiGate IPSec VPN User Guide.

Configuring SSL VPN identity-based firewall policies
For network users to use SSL-VPN identity-based policies, you must configure users, add them to user groups, and then configure the policy. To create an identity-based firewall policy (SSL-VPN), go to Firewall > Policy > Policy, select Create New, set Action to SSL-VPN, and enter the information in the following table.
Note: The SSL-VPN option is only available from the Action list after you have added SSL VPN user groups. To add SSL VPN user groups, see “SSL VPN user groups” on page 585.

For more information, see “Configuring firewall policies” on page 323.


Figure 196: Configuring a new SSL VPN firewall policy

Source Interface/Zone: Select the name of the FortiGate network interface, virtual domain (VDOM) link, or zone on which IP packets are received.
Source Address: Select the name of a firewall address to associate with the Source Interface/Zone. Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy. You can also create firewall addresses by selecting Create New from this list. For more information, see “Configuring addresses” on page 347. If the policy is for web-only mode clients, select all. If the policy is for tunnel mode clients, select the name of the address that you reserved for tunnel mode clients.
Destination Interface/Zone: Select the name of the FortiGate network interface, virtual domain (VDOM) link, or zone to which IP packets are forwarded. For an SSL-VPN policy, the interface is associated with the local private network.


Destination Address: Select the name of a firewall address to associate with the Destination Interface/Zone. Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy. You can also create firewall addresses by selecting Create New from this list. For more information, see “Configuring addresses” on page 347. If you want to associate multiple firewall addresses or address groups with the Destination Interface/Zone, from Destination Address, select Multiple. In the dialog box, move the firewall addresses or address groups from the Available Addresses section to the Members section, then select OK. If you select a virtual IP, the FortiGate unit applies NAT or PAT. The applied translation varies by the settings specified in the virtual IP, and whether you select NAT (below). For more information on using virtual IPs, see “Firewall Virtual IP” on page 365. For an SSL-VPN policy, select the name of the IP address that corresponds to the host, server, or network that remote clients need to access behind the FortiGate unit.
Action: Select SSL-VPN to configure the firewall encryption policy to accept SSL VPN traffic. This option is available only after you have added an SSL-VPN user group.
SSL Client Certificate Restrictive: Allow traffic generated by holders of a (shared) group certificate. The holders of the group certificate must be members of an SSL VPN user group, and the name of that user group must be present in the Allowed field.
Cipher Strength: Select the bit level of SSL encryption. The web browser on the remote client must be capable of matching the level that you select: Any, High (>= 168 bits), or Medium (>= 128 bits).
User Authentication Method: Select the authentication server type by which the user will be authenticated:
  Any: Any of the methods below. Local is attempted first, then RADIUS, then LDAP.
  Local: For a local user group that will be bound to this firewall policy.
  RADIUS: For remote clients that will be authenticated by an external RADIUS server.
  LDAP: For remote clients that will be authenticated by an external LDAP server.
  TACACS+: For remote clients that will be authenticated by an external TACACS+ server.
NAT: Enable or disable Network Address Translation (NAT) of the source address and port of packets accepted by the policy. When NAT is enabled, you can also configure Dynamic IP Pool and Fixed Port. If you select a virtual IP as the Destination Address, but do not select the NAT option, the FortiGate unit performs destination NAT (DNAT) rather than full NAT. Source NAT (SNAT) is not performed.
Fixed Port: Select Fixed Port to prevent NAT from translating the source port.
Enable Identity Based Policy: Select to configure an SSL-VPN firewall policy that requires authentication.
Add: Select to configure the valid authentication methods, user group names, and services. For more information, see “User Group” on page 583.
Comments: Add information about the policy. The maximum length is 63 characters.

To create an identity based firewall policy, select the Enable Identity Based Policy check box. A table opens below the check box. Select Add. The New Authentication Rule dialog opens (see Figure 197).

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback


Figure 197: New Authentication Rule

User Group
  Available User Groups   List of user groups available for inclusion in the firewall policy. To add a user group to the list, select the name and then select the Right Arrow.
  Selected User Groups    List of user groups that are included in the firewall policy. To remove a user group from the list, select the name and then select the Left Arrow.

Service
  Available Services      List of available services to include in the firewall policy. To add a service to the list, select the name and then select the Right Arrow.
  Selected Services       List of services that are included in the firewall policy. To remove a service from the list, select the name and then select the Left Arrow.

Schedule
  Select a one-time or recurring schedule that controls when the policy is in effect. You can also create schedules by selecting Create New from this list. For more information, see “Firewall Schedule” on page 361.

Protection Profile
  Select a protection profile to apply antivirus, web filtering, web category filtering, spam filtering, IPS, content archiving, and logging to a firewall policy. You can also create a protection profile by selecting Create New from this list. For more information, see “Firewall Protection Profile” on page 397.


Traffic Shaping
  Select a traffic shaper for the policy. You can also select to create a new traffic shaper. Traffic Shaping controls the bandwidth available to, and sets the priority of the traffic processed by, the policy. For information about traffic shaping, see “Traffic Shaping” on page 423.

Reverse Direction Traffic Shaping
  Select to enable reverse traffic shaping. For example, if the traffic direction that a policy controls is from port1 to port2, selecting this option also applies the policy's shaping configuration to traffic from port2 to port1.

Log Allowed Traffic
  Select to record messages to the traffic log whenever the policy processes a connection. You must also enable traffic log for a logging location (syslog, WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging severity level to Notification or lower using the Log and Report screen. For more information see “Log&Report” on page 647.

For information about how to create a firewall encryption policy for SSL VPN users, see the “SSL VPN administration tasks” chapter of the FortiGate SSL VPN User Guide.
Figure 198: Selecting user groups for authentication

Enable Identity Based Policy
  Select to enable identity-based policy authentication.
Add
  Select to create an identity-based firewall policy.
Rule ID
  The ID number of the policy.
User Group
  The selected user groups that must authenticate to be allowed to use this policy.
Schedule
  The one-time or recurring schedule that controls when the policy is in effect. You can also create schedules by selecting Create New from this list. For more information, see “Firewall Schedule” on page 361.
Service
  The firewall service or service group that packets must match to trigger this policy.
Profile
  The protection profile to apply antivirus, web filtering, web category filtering, spam filtering, IPS, content archiving, and logging to this policy. You can also create a protection profile by selecting Create New from this list. For more information, see “Firewall Protection Profile” on page 397.
Traffic Shaping
  The traffic shaping configuration for this policy. For more information, see “Traffic Shaping” on page 423.
Log Traffic
  If the Log Allowed Traffic option is selected when adding an identity-based policy, a green check mark appears. Otherwise, a white cross mark appears.
Delete icon
  Select to delete this policy.
Edit icon
  Select to edit this policy.
Move Up or Move Down
  Select to move the policy in the list. Firewall policy order affects policy matching. You can arrange the firewall policy list to influence the order in which policies are evaluated for matches with user groups.

Tip: If you select NAT, the IP address of the outgoing interface of the FortiGate unit is used as the source address for new sessions started by SSL VPN.

Note: The traffic shaping option can be used to traffic shape tunnel-mode SSL VPN traffic, but has no effect on web-mode SSL VPN traffic.
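The matching and translation rules spread across the tables above (first full match from the top of the list; interface, address, service and schedule must all match; an identity-based policy adds per-user-group rules with their own service and schedule; a virtual IP gets DNAT, and SNAT only when NAT is also selected; Fixed Port keeps the source port) are easier to reason about in code. The following Python model is an added example written for this page, not FortiOS code. The interface names, routing table, addresses, user groups and packets are constructed, and treating a session that matches an identity-based policy but none of its authentication rules as denied is a modelling assumption.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from itertools import count

SERVICES = {"HTTP": ("tcp", 80, 80), "HTTPS": ("tcp", 443, 443), "DNS": ("udp", 53, 53)}
# Constructed routes, most specific first: (network, egress interface, its address)
ROUTES = [("192.168.100.0/24", "internal", "192.168.100.1"),
          ("10.10.10.0/24", "dmz", "10.10.10.1"), ("0.0.0.0/0", "wan1", "203.0.113.2")]
_PORT_POOL = count(40000)   # stands in for the NAT source-port allocator

VirtualIP = namedtuple("VirtualIP", "external mapped")   # client-facing / DNAT target
# One authentication rule of an identity-based policy; hours is [start, end)
AuthRule = namedtuple("AuthRule", "groups services hours", defaults=((0, 24),))
# groups: user groups the sender has authenticated to (empty if not authenticated)
Packet = namedtuple("Packet", "srcintf src dst proto sport dport hour groups",
                    defaults=(12, frozenset()))

@dataclass
class Policy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str              # CIDR
    dstaddr: object           # CIDR string or VirtualIP
    services: frozenset       # service names; "ANY" matches everything
    action: str = "ACCEPT"
    hours: tuple = (0, 24)    # recurring schedule, hour of day [start, end)
    nat: bool = False         # SNAT to the outgoing interface address
    fixed_port: bool = False  # with nat: keep the original source port
    auth_rules: list = field(default_factory=list)

def service_matches(names, proto, dport):
    return "ANY" in names or any(
        p == proto and lo <= dport <= hi for p, lo, hi in (SERVICES[n] for n in names))

def egress(dst):
    return next((i, a) for net, i, a in ROUTES if ip_address(dst) in ip_network(net))

def evaluate(policies, pkt):
    """First full match top to bottom decides.  Returns (policy name, matched
    auth-rule index or None, action, (src, sport, dst, dport) after NAT)."""
    untouched = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    for pol in policies:
        vip = pol.dstaddr if isinstance(pol.dstaddr, VirtualIP) else None
        if vip and pkt.dst != vip.external:        # a VIP matches on its external address
            continue
        if not vip and ip_address(pkt.dst) not in ip_network(pol.dstaddr):
            continue
        real_dst = vip.mapped if vip else pkt.dst  # the DNAT target decides the egress
        out_intf, out_addr = egress(real_dst)
        if (pol.srcintf, pol.dstintf) != (pkt.srcintf, out_intf):
            continue
        if ip_address(pkt.src) not in ip_network(pol.srcaddr):
            continue
        if not (service_matches(pol.services, pkt.proto, pkt.dport)
                and pol.hours[0] <= pkt.hour < pol.hours[1]):
            continue
        rule_idx = None
        if pol.auth_rules:
            for i, rule in enumerate(pol.auth_rules):
                if (rule.groups & pkt.groups and rule.hours[0] <= pkt.hour < rule.hours[1]
                        and service_matches(rule.services, pkt.proto, pkt.dport)):
                    rule_idx = i
                    break
            if rule_idx is None:   # addresses matched but no rule did: denied (assumption)
                return pol.name, None, "DENY", untouched
        if pol.action != "ACCEPT":
            return pol.name, rule_idx, pol.action, untouched
        src, sport = pkt.src, pkt.sport
        if pol.nat:                                # SNAT, and PAT unless Fixed Port
            src = out_addr
            if not pol.fixed_port:
                sport = next(_PORT_POOL)
        return pol.name, rule_idx, "ACCEPT", (src, sport, real_dst, pkt.dport)
    return None, None, "DENY", untouched           # end of list: implicit deny

def example_policies():
    """Constructed list.  dns_out sits above staff_internet on purpose: reversed,
    staff_internet (service ANY) would shadow it for every internal host."""
    return [
        Policy("vip_web", "wan1", "dmz", "0.0.0.0/0",
               VirtualIP("203.0.113.10", "10.10.10.3"), frozenset({"HTTP", "HTTPS"})),
        Policy("dns_out", "internal", "wan1", "192.168.100.0/24", "0.0.0.0/0",
               frozenset({"DNS"}), nat=True, fixed_port=True),
        Policy("staff_internet", "internal", "wan1", "192.168.100.0/24", "0.0.0.0/0",
               frozenset({"ANY"}), nat=True,
               auth_rules=[AuthRule(frozenset({"staff"}), frozenset({"ANY"})),
                           AuthRule(frozenset({"guests"}),
                                    frozenset({"HTTP", "HTTPS"}), (8, 18))]),
    ]
```

Call evaluate(example_policies(), Packet(...)) with a packet of your own. The vip_web policy has NAT off, so an inbound web request keeps its real source address and only the destination is rewritten; swapping the order of dns_out and staff_internet shows the shadowing effect that the Move Up and Move Down controls exist to manage.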

Endpoint Compliance Check options
You can require users of a firewall policy to have FortiClient Endpoint Security software installed. Optionally, you can also require that the antivirus signatures are up-to-date and check for the presence of specific applications on the computer. You can quarantine noncompliant users to a web portal, from which they can download the FortiClient installer or update their antivirus signatures. For more information about configuring the Endpoint Control feature and monitoring endpoints, see “Endpoint control” on page 641. In a new or existing firewall policy, the following options configure the Endpoint Compliance Check:
Figure 199: Endpoint Compliance firewall policy options

Enable Endpoint Compliance Check
  Check that the source hosts of this firewall policy have FortiClient Endpoint Security software installed. Make sure that all of these hosts are capable of installing the software. You cannot enable Endpoint Compliance Check in firewall policies if Redirect HTTP Challenge to a Secure Channel (HTTPS) is enabled in User > Options > Authentication.

Enforce FortiClient AV Up-to-date
  Check that the FortiClient Endpoint Security application has the antivirus (real-time protection) feature enabled and is using the latest version of the antivirus signatures available from FortiGuard Services.

Collect System Information from the Endpoints
  Collect information about the host computer, its operating system and specific installed applications. This information is displayed in the Endpoints list. See “Monitoring endpoints” on page 644.

Redirect Non-conforming Clients to Download Portal
  The non-compliant user sees a web page that explains why they are non-compliant. The page also provides links to download a FortiClient application installer. To edit this web page go to System > Config > Replacement Messages and edit the Endpoint Control Download Portal replacement message. If the redirect is not enabled, the non-compliant user simply has no network access.


Note: If the firewall policy involves a load balancing virtual IP, the endpoint compliance check is not performed.

DoS policies
DoS policies are primarily used to apply DoS sensors to network traffic based on the FortiGate interface it is leaving or entering as well as the source and destination addresses. DoS sensors are a traffic anomaly detection feature that identifies network traffic which does not fit known or common traffic patterns and behavior. A common example of anomalous traffic is the denial of service attack. A denial of service occurs when an attacking system starts an abnormally large number of sessions with a target system. The large number of sessions slows down or disables the target system so legitimate users can no longer use it. DoS policies examine network traffic very early in the sequence of protective measures the FortiGate unit deploys to protect your network. Because of this, DoS policies are a very efficient defence, using few resources. The previously mentioned denial of service would be detected and its packets dropped before requiring firewall policy look-ups, antivirus scans, and other protective but resource-intensive operations.

Viewing the DoS policy list
The DoS policy list displays the DoS policies in their order of matching precedence for each interface, source/destination address pair, and service. If virtual domains are enabled on the FortiGate unit, DoS policies are configured separately for each virtual domain; you must access the VDOM before you can configure its policies. To access a VDOM, go to System > VDOM, and in the row corresponding to the VDOM whose policies you want to configure, select Enter. You can add, delete, edit, and re-order policies in the DoS policy list. DoS policy order affects policy matching. As with firewall policies, DoS policies are checked against traffic in the order in which they appear in the DoS policy list, one at a time, from top to bottom. When a matching policy is discovered, it is used and further checking for DoS policy matches is stopped. To view the DoS policy list, go to Firewall > Policy > DoS Policy.
Figure 200: The DoS policy list

Create New
  Add a DoS policy. Select the down arrow beside Create New to add a DoS policy or a policy section. A policy section visually groups policies. For more information, see “Configuring DoS policies” on page 338.
Column Settings
  Customize the table view. You can select the columns to hide or display and specify the column display order in the table.
Section View
  Select to display the DoS policies organized by interface.
Global View
  Select to list all DoS policies in order according to a sequence number.
Filter icon
  Edit the column filters to filter or sort the policy list according to the criteria you specify. For more information, see “Adding filters to web-based manager lists” on page 53.
Status
  When selected, the DoS policy is enabled. Clear the checkbox to disable the policy.
ID
  A unique identifier for each policy. Policies are numbered in the order they are created.
Source
  The source address or address group to which the policy applies. For more information, see “Firewall Address” on page 345.
Destination
  The destination address or address group to which the policy applies. For more information, see “Firewall Address” on page 345.
Service
  The service to which the policy applies. For more information, see “Firewall Service” on page 351.
DoS
  The DoS sensor selected in this policy.
Interface
  The interface to which this policy applies.
Delete icon
  Delete the policy from the list.
Edit icon
  Edit the policy.
Insert Policy Before icon
  Add a new policy above the corresponding policy (the New Policy screen appears).
Move To icon
  Move the corresponding policy before or after another policy in the list.

Configuring DoS policies
The DoS policy configuration allows you to specify the interface, a source address, a destination address, and a service. All of the specified attributes must match network traffic to trigger the policy. You can also use the config firewall interface-policy CLI command to specify an IPS sensor to function as part of a DoS policy. For more information, see the FortiGate CLI Reference. For IPv6 operation, DoS sensors are not supported. Further, you must specify IPS sensors with the config firewall interface-policy CLI command. For more information on FortiGate IPv6 support, see “FortiGate IPv6 support” on page 230.
Figure 201: Editing a DoS policy

Source Interface/Zone
  The interface or zone to be monitored.
Source Address
  Select an address or address range to limit traffic monitoring to network traffic sent from the specified address or range. Select Multiple to include multiple addresses or ranges.
Destination Address
  Select an address or address range to limit traffic monitoring to network traffic sent to the specified address or range. Select Multiple to include multiple addresses or ranges.
Service
  Select a service to limit traffic monitoring to only the selected type.
DoS Sensor
  Select and specify a DoS sensor to have the FortiGate unit apply the sensor to matching network traffic.
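As an added example, not FortiGate code, the following Python models the DoS stage as the two sections above describe it: a policy matches only when interface, source address, destination address and service all match, policies are tried top to bottom, and the stage runs before the firewall policy lookup so that dropped packets never cost a lookup or a scan. The interface, addresses, service, the sensor's session-rate threshold and the packet stream are constructed; the sensor itself (new sessions per source within a sliding one-second window) is a deliberately simple stand-in for a FortiGate DoS sensor.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SERVICE_PORTS = {"HTTP": ("tcp", 80), "DNS": ("udp", 53)}   # "ANY" matches everything

@dataclass
class DoSSensor:
    name: str
    max_new_sessions: int   # per source within `window` seconds (constructed value)
    window: float = 1.0

@dataclass
class DoSPolicy:
    interface: str
    srcaddr: str            # CIDR
    dstaddr: str            # CIDR
    service: str            # "ANY" or a key of SERVICE_PORTS
    sensor: DoSSensor
    enabled: bool = True

@dataclass
class Packet:
    interface: str
    src: str
    dst: str
    proto: str
    dport: int
    new_session: bool = True   # first packet of a session, e.g. a TCP SYN

def policy_matches(pol, pkt):
    """All four attributes (interface, source, destination, service) must match."""
    if not pol.enabled or pol.interface != pkt.interface:
        return False
    if ip_address(pkt.src) not in ip_network(pol.srcaddr):
        return False
    if ip_address(pkt.dst) not in ip_network(pol.dstaddr):
        return False
    if pol.service == "ANY":
        return True
    return (pkt.proto, pkt.dport) == SERVICE_PORTS[pol.service]

class DoSStage:
    def __init__(self, policies):
        self.policies = list(policies)    # checked in list order, first match wins
        self._seen = defaultdict(deque)   # (policy index, source) -> session times

    def inspect(self, pkt, now):
        """"drop" if the first matching policy's sensor fires, otherwise "pass"."""
        for idx, pol in enumerate(self.policies):
            if not policy_matches(pol, pkt):
                continue
            if not pkt.new_session:
                return "pass"             # the sensor counts new sessions only
            q = self._seen[(idx, pkt.src)]
            while q and q[0] <= now - pol.sensor.window:
                q.popleft()               # slide the window forward
            q.append(now)
            return "drop" if len(q) > pol.sensor.max_new_sessions else "pass"
        return "pass"                     # no DoS policy applies: not inspected

def run_stream(stage, stream):
    """Feed (time, packet) pairs through the DoS stage and count how many
    would still reach the comparatively expensive firewall policy lookup."""
    stats = {"passed": 0, "dropped": 0, "firewall_lookups": 0}
    for now, pkt in stream:
        if stage.inspect(pkt, now) == "drop":
            stats["dropped"] += 1         # gone before any policy lookup or scan
            continue
        stats["passed"] += 1
        stats["firewall_lookups"] += 1
    return stats

def example_stage():
    flood = DoSSensor("http_session_flood", max_new_sessions=20)
    return DoSStage([DoSPolicy("wan1", "0.0.0.0/0", "203.0.113.0/24", "HTTP", flood)])

def example_stream():
    """Constructed: a client opening 10 sessions over 2 s, an attacker opening
    100 in half a second, and one packet on an interface with no DoS policy."""
    stream = [(0.2 * i, Packet("wan1", "198.51.100.50", "203.0.113.10", "tcp", 80))
              for i in range(10)]
    stream += [(0.005 * i, Packet("wan1", "198.51.100.7", "203.0.113.10", "tcp", 80))
               for i in range(100)]
    stream.append((0.1, Packet("internal", "192.168.100.5", "203.0.113.10", "tcp", 80)))
    return sorted(stream, key=lambda item: item[0])
```

run_stream(example_stage(), example_stream()) shows the attacker's sessions being cut off after the twentieth in the window while the client's are untouched, and the lookup counter only ever advancing for packets the DoS stage let through. Because the sensor is keyed per source, a policy that covers a whole interface still distinguishes one abusive host from the rest.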

Firewall policy examples
FortiGate units are capable of meeting various network requirements from home use to SOHO, large enterprises and ISPs. The following two scenarios demonstrate practical applications of firewall policies in the SOHO and large enterprise environments. This section describes:
• Scenario one: SOHO-sized business
• Scenario two: enterprise-sized business
• Viewing the firewall policy list
• Configuring firewall policies

Scenario one: SOHO-sized business
Company A is a small software company performing development and providing customer support. In addition to their internal network of 15 computers, they also have several employees who work from home all or some of the time. With their current network topology, all 15 of the internal computers are behind a router and must go to an external source to access the ISP mail and web servers. All home-based employees access the router through open, non-secured connections.


Figure 202: Example SOHO network before FortiGate installation

[Figure: the internal network (router at 192.168.100.1 in front of the Finance Department, Help Desk and Engineering Department) reaches the Internet, the ISP mail server and the ISP web server (172.16.10.3); home-based workers connect with no secure connection.]

Company A requires secure connections for home-based workers. Like many companies, they rely heavily on email and Internet access to conduct business. They want a comprehensive security solution to detect and prevent network attacks, block viruses, and decrease spam. They want to apply different protection settings for different departments. They also want to integrate web and email servers into the security solution.

To deal with their first requirement, Company A configures specific policies for each home-based worker to ensure secure communication between the home-based worker and the internal network.

1 Go to Firewall > Policy.
2 Select Create New and enter or select the following settings for Home_User_1:

  Interface / Zone     Source: internal            Destination: wan1
  Address              Source: CompanyA_Network    Destination: Home_User_1
  Schedule             Always
  Service              ANY
  Action               IPSEC
  VPN Tunnel           Home1
  Allow Inbound        yes
  Allow Outbound       yes
  Inbound NAT          yes
  Outbound NAT         no
  Protection Profile   Select the check mark and select standard_profile

3 Select OK.
4 Select Create New and enter or select the following settings for Home_User_2:

  Interface / Zone     Source: internal            Destination: wan1
  Address              Source: CompanyA_Network    Destination: All
  Schedule             Always
  Service              ANY
  Action               IPSEC
  VPN Tunnel           Home2_Tunnel
  Allow Inbound        yes
  Allow Outbound       yes
  Inbound NAT          yes
  Outbound NAT         no
  Protection Profile   Select the check mark and select standard_profile

5 Select OK.
Figure 203: SOHO network topology with FortiGate-100

[Figure: a FortiGate-100A with interfaces External 172.30.120.8, DMZ 10.10.10.1 and Internal 192.168.100.1. Home User 1 (172.20.100.6) and Home User 2 (172.25.106.99) reach the unit over VPN tunnels across the Internet. The DMZ holds the Email Server (10.10.10.2) and the Web Server (10.10.10.3). Behind Internal: Finance Users 192.168.100.10-192.168.100.20, Help Desk Users 192.168.100.21-192.168.100.50, Engineering Users 192.168.100.51-192.168.100.100.]

The proposed network is based around a FortiGate-100A unit. The 15 internal computers are behind the FortiGate unit. They now access the email and web servers in a DMZ, which is also behind the FortiGate unit. All home-based employees now access the office network through the FortiGate unit via VPN tunnels.


Scenario two: enterprise-sized business
Located in a large city, the library system is anchored by a main downtown location serving most of the population, with more than a dozen branches spread throughout the city. Each branch is wired to the Internet but none are linked with each other by dedicated connections.

The current network topology at the main location consists of three user groups. The main branch staff and public terminals access the servers in the DMZ behind the firewall. The catalog access terminals directly access the catalog server without first going through the firewall. The topology at the branch office has all three users accessing the servers at the main branch through non-secured Internet connections.

Figure 204: The library system's current network topology

The library must be able to set different access levels for patrons and staff members. The first firewall policy for main office staff members allows full access to the Internet at all times. A second policy will allow direct access to the DMZ for staff members. A second pair of policies is required to allow branch staff members the same access. The staff firewall policies will all use a protection profile configured specifically for staff access. Enabled features include virus scanning, IPS, spam filtering, and blocking of all P2P traffic. FortiGuard web filtering is also used to block advertising, malware, and spyware sites.

A few users may need special web and catalog server access to update information on those servers. Special access can be allowed based on IP address or user, depending on how they are configured.

The proposed topology has the main branch staff and the catalog access terminals going through a FortiGate HA cluster to the servers in a DMZ. The public access terminals first go through a FortiWiFi unit, where additional policies can be applied, to the HA cluster and finally to the servers. The branch office has all three users routed through a FortiWiFi unit to the main branch via VPN tunnels.

Figure 205: Proposed library system network topology

Policies are configured in Firewall > Policy. Protection Profiles are configured in Firewall > Protection Profile.

Main office “staff to Internet” policy:
  Source Interface         Internal
  Source Address           All
  Destination Interface    External
  Destination Address      All
  Schedule                 Always
  Action                   Accept

Main office “staff to DMZ” policy:
  Source Interface         Internal
  Source Address           All
  Destination Interface    DMZ
  Destination Address      Servers
  Schedule                 Always
  Action                   Accept

Branches “staff to Internet” policy:
  Source Interface         Branches
  Source Address           Branch Staff
  Destination Interface    External
  Destination Address      All
  Schedule                 Always
  Action                   Accept

Branches “staff to DMZ” policy:
  Source Interface         Branches
  Source Address           Branch Staff
  Destination Interface    DMZ
  Destination Address      Servers
  Schedule                 Always
  Action                   Accept

For more information about these examples, see:
• SOHO and SMB Configuration Example Guide
• FortiGate Enterprise Configuration Example

Firewall Address

Firewall addresses and address groups define network addresses that you can use when configuring firewall policies’ source and destination address fields. The FortiGate unit compares the IP addresses contained in packet headers with firewall policy source and destination addresses to determine if the firewall policy matches the traffic. You can organize related addresses into address groups to simplify your firewall policy list.

If you enable virtual domains (VDOMs) on the FortiGate unit, firewall addresses are configured separately for each virtual domain, and you must first enter the virtual domain to configure its firewall addresses. For details, see “Using virtual domains” on page 103.

This section describes:
• About firewall addresses
• Viewing the firewall address list
• Configuring addresses
• Viewing the address group list
• Configuring address groups

About firewall addresses
A firewall address can contain one or more network addresses. Network addresses can be represented by an IP address with a netmask, an IP address range, or a fully qualified domain name (FQDN).

When representing hosts by an IP address with a netmask, the IP address can represent one or more hosts. For example, a firewall address can be:
• a single computer, such as 192.168.45.46
• a subnetwork, such as 192.168.1.0 for a class C subnet
• 0.0.0.0, which matches any IP address

The netmask corresponds to the subnet class of the address being added, and can be represented in either dotted decimal or CIDR format. The FortiGate unit automatically converts CIDR formatted netmasks to dotted decimal format. Example formats:
• netmask for a single computer: 255.255.255.255, or /32
• netmask for a class A subnet: 255.0.0.0, or /8
• netmask for a class B subnet: 255.255.0.0, or /16
• netmask for a class C subnet: 255.255.255.0, or /24
• netmask including all IP addresses: 0.0.0.0

Valid IP address and netmask formats include:
• x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0
• x.x.x.x/x, such as 192.168.1.0/24

Note: An IP address 0.0.0.0 with netmask 255.255.255.255 is not a valid firewall address.

When representing hosts by an IP Range, the range indicates hosts with continuous IP addresses in a subnet, such as 192.168.110.100-192.168.110.120, 192.168.110.[100-120], or 192.168.110.* to indicate the complete range of hosts on that subnet. Valid IP Range formats include:
• x.x.x.x-x.x.x.x, such as 192.168.110.100-192.168.110.120
• x.x.x.[x-x], such as 192.168.110.[100-120]
• x.x.x.*, such as 192.168.110.*

When representing hosts by a FQDN, the domain name can be a subdomain, such as mail.example.com. Valid FQDN formats include:
• <host_name>.<top_level_domain_name>, such as example.com
• <host_name>.<second_level_domain_name>.<top_level_domain_name>, such as mail.example.com

A single FQDN firewall address may be used to apply a firewall policy to multiple hosts, as in load balancing and high availability (HA) configurations. FortiGate units automatically resolve and maintain a record of all addresses to which the FQDN resolves.

Caution: Be cautious if employing FQDN firewall addresses. Using a fully qualified domain name in a firewall policy, while convenient, does present some security risks, because policy matching then relies on a trusted DNS server. Should the DNS server be compromised, firewall policies requiring domain name resolution may no longer function properly.

FortiGate unit default configurations include the all address, which represents any IP address on any network.

Viewing the firewall address list
Firewall addresses in the list are grouped by type: IP/Netmask, FQDN, or IPv6. To view the address list, go to Firewall > Address.

Note: By default, IPv6 firewall addresses can be configured only in the CLI. If IPv6 Support on GUI is enabled, you can alternatively select Create Options (the down arrow) located in the Create New button, then select IPv6 Address, to configure an IPv6 firewall address. For information on enabling configuration of IPv6 firewall addresses in the web-based manager, see “Settings” on page 228.

Figure 206: Firewall address list

Create New
  Add a firewall address. When IPv6 Support on GUI is enabled, Create Options (the down arrow) adds an IPv6 firewall address instead.
Name
  The name of the firewall address.
Address / FQDN
  The IP address and mask, IP address range, or fully qualified domain name.
Interface
  The interface, zone, or virtual domain (VDOM) to which you bind the IP address.
Delete icon
  Select to remove the address. The Delete icon appears only if a firewall policy or address group is not currently using the address.
Edit icon
  Select to edit the address.

Configuring addresses
You can use one of the following methods to represent hosts in firewall addresses: IP/Netmask, FQDN, or IPv6.

To add a firewall address
1 Go to Firewall > Address.
2 Select Create New. If IPv6 Support on GUI is enabled, you can alternatively select the down arrow located in the Create New button, then select IPv6 Address to configure an IPv6 firewall address.
3 Complete the following:

Figure 207: New address or IP range options

Address Name
  Enter a name to identify the firewall address. Addresses, address groups, and virtual IPs must have unique names.
Type
  Select the type of address: Subnet/IP Range or FQDN.
Subnet / IP Range
  Enter the firewall IP address, followed by a forward slash (/), then the subnet mask, or enter an IP address range separated by a hyphen. You can enter either an IP range or an IP address with subnet mask.
Interface
  Select the interface, zone, or virtual domain (VDOM) link to which you want to bind the IP address. Select Any if you want to bind the IP address with the interface/zone when you create a firewall policy.

4 Select OK.

Tip: You can also create firewall addresses when configuring a firewall policy: Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Source Address list, select Address > Create New.

Viewing the address group list
You can organize multiple firewall addresses into an address group to simplify your firewall policy list. For example, instead of having five identical policies for five different but related firewall addresses, you might combine the five addresses into a single address group, which is used by a single firewall policy.

To view the address group list, go to Firewall > Address > Group.

Note: By default, IPv6 firewall addresses can be configured only in the CLI. If IPv6 Support on GUI is enabled, you can alternatively select Create Options (the down arrow) located in the Create New button, then select IPv6 Address Group, to configure an IPv6 firewall address group. For more information on enabling IPv6 Support on GUI, see “Settings” on page 228.

Figure 208: Firewall address group list

Create New
  Add an address group.
Group Name
  The name of the address group.
Members
  The addresses in the address group.
Delete icon
  Select to remove the address group. The Delete icon appears only if the address group is not currently being used by a firewall policy.
Edit icon
  Select to edit the address group.

Configuring address groups
Because firewall policies require addresses with homogeneous network interfaces, address groups should contain only addresses bound to the same network interface, or to Any. Addresses whose selected interface is Any are bound to a network interface during creation of a firewall policy, rather than during creation of the firewall address. For example, if address A1 is associated with port1, and address A2 is associated with port2, they cannot be grouped. However, if A1 and A2 have an interface of Any, they can be grouped, even if the addresses involve different networks.

To organize addresses into an address group
1 Go to Firewall > Address > Group.
2 Select Create New.
3 Complete the following:

Figure 209: Address group options

Group Name
  Enter a name to identify the address group. Addresses, address groups, and virtual IPs must have unique names.
Available Addresses
  The list of all configured and default firewall addresses. Use the arrows to move selected addresses between the lists of available and member addresses.
Members
  The list of addresses included in the address group. Use the arrows to move selected addresses between the lists of available and member addresses.

4 Select OK.

Tip: You can also create firewall address groups when configuring a firewall policy: Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Source Address list, select Address Group > Create New.
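The address notations listed under About firewall addresses, the validity rule in the Note, the FQDN trust caveat in the Caution, and the interface rule for address groups described just above can all be exercised together in code. The Python below is an added example, not FortiOS code; the address names, interface names and the dictionary standing in for the unit's cache of resolved FQDN addresses are constructed, and treating a bare IPv4 address as a /32 is a convenience of this example.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import Optional

# The notations the guide lists, as regular expressions
_RANGE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")
_BRACKET = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){2})\.\[(\d{1,3})-(\d{1,3})\]$")
_STAR = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){2})\.\*$")
_BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_FQDN = re.compile(r"^(?=.{1,253}$)[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)

@dataclass(frozen=True)
class FirewallAddress:
    name: str
    kind: str                      # "subnet", "iprange" or "fqdn"
    interface: str = "Any"         # "Any": bound when the policy is created
    network: Optional[IPv4Network] = None
    start: Optional[IPv4Address] = None
    end: Optional[IPv4Address] = None
    fqdn: str = ""

def parse_address(name, spec, interface="Any"):
    """Accept x.x.x.x/x.x.x.x, x.x.x.x/x, x.x.x.x-x.x.x.x, x.x.x.[x-x],
    x.x.x.* or an FQDN; a bare IPv4 address is treated as /32."""
    spec = spec.strip()
    if _RANGE.match(spec):
        a, b = _RANGE.match(spec).groups()
        start, end = IPv4Address(a), IPv4Address(b)
    elif _BRACKET.match(spec):
        net3, lo, hi = _BRACKET.match(spec).groups()
        start, end = IPv4Address(net3 + "." + lo), IPv4Address(net3 + "." + hi)
    elif _STAR.match(spec):
        net3 = _STAR.match(spec).group(1)
        start, end = IPv4Address(net3 + ".0"), IPv4Address(net3 + ".255")
    elif "/" in spec or _BARE_IP.match(spec):
        # ip_network accepts both a prefix length and a dotted-decimal mask
        net = ip_network(spec, strict=False)
        if net.prefixlen == 32 and net.network_address == IPv4Address("0.0.0.0"):
            raise ValueError("0.0.0.0/255.255.255.255 is not a valid firewall address")
        return FirewallAddress(name, "subnet", interface, network=net)
    elif _FQDN.match(spec):
        return FirewallAddress(name, "fqdn", interface, fqdn=spec.lower())
    else:
        raise ValueError("unrecognised address format: " + spec)
    if start > end:
        raise ValueError("range start is after its end: " + spec)
    return FirewallAddress(name, "iprange", interface, start=start, end=end)

def dotted_netmask(addr):
    """The mask in dotted decimal, which is how the unit stores a CIDR mask."""
    return str(addr.network.netmask)

def contains(addr, ip, dns_cache=None):
    """Does a packet address fall inside the firewall address?  For an FQDN the
    answer depends entirely on dns_cache, a dict standing in for the addresses
    the unit resolved: that is the trust dependency the Caution warns about."""
    ip = IPv4Address(ip)
    if addr.kind == "subnet":
        return ip in addr.network
    if addr.kind == "iprange":
        return addr.start <= ip <= addr.end
    return ip in {IPv4Address(a) for a in (dns_cache or {}).get(addr.fqdn, ())}

def group_is_valid(members):
    """Members must all be bound to one interface, or to Any."""
    bound = {m.interface for m in members if m.interface != "Any"}
    return len(bound) <= 1
```

parse_address raises on the 0.0.0.0/255.255.255.255 case the Note forbids, while 0.0.0.0/0 (the all address) parses and matches everything. For FQDN addresses, contains() returns nothing without a populated cache, which is exactly why a compromised resolver can silently change which hosts a policy applies to.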


Firewall Service

Firewall services define one or more protocols and port numbers associated with each service. Firewall policies use service definitions to match session types. You can organize related services into service groups to simplify your firewall policy list.

If you enable virtual domains (VDOMs) on the FortiGate unit, you must configure firewall services separately for each virtual domain. For more information, see “Using virtual domains” on page 103.

This section describes:
• Viewing the predefined service list
• Viewing the custom service list
• Configuring custom services
• Viewing the service group list
• Configuring service groups

Viewing the predefined service list
Many well-known traffic types have been predefined in firewall services. These predefined services are defaults, and cannot be edited or removed. However, if you require different services, you can create custom services. For more information, see “Configuring custom services” on page 357.

To view the predefined service list, go to Firewall > Service > Predefined.

Figure 210: Predefined service list

Name
  The name of the predefined service.
Detail
  The protocol and port number of the predefined service.

Name: The name of the predefined service.
Detail: The protocol and port number of the predefined service.

Table 43: Predefined services (service name, IP protocol and port, description)

AFS3 (TCP 7000-7009; UDP 7000-7009): Advanced File Security Encrypted File, version 3 of the AFS distributed file system protocol.
AH (IP protocol 51): Authentication Header. AH provides source host authentication and data integrity, but not secrecy. This protocol is used for authentication by IPSec remote gateways set to aggressive mode.
ANY (all): Matches connections using any protocol over IP.
AOL (TCP 5190-5194): America Online Instant Message protocol.
BGP (TCP 179): Border Gateway Protocol. BGP is an interior/exterior routing protocol.
CVSPSERVER (TCP 2401; UDP 2401): Concurrent Versions System Proxy Server. CVSPSERVER is very good for providing anonymous CVS access to a repository.
DCE-RPC (TCP 135; UDP 135): Distributed Computing Environment / Remote Procedure Calls. Applications using DCE-RPC can call procedures from another application without having to know on which host the other application is running.
DHCP (UDP 67-68): Dynamic Host Configuration Protocol. DHCP allocates network addresses and delivers configuration parameters from DHCP servers to hosts.
DHCP6 (UDP 546, 547): Dynamic Host Configuration Protocol for IPv6.
DNS (TCP 53; UDP 53): Domain Name Service. DNS resolves domain names into IP addresses.
ESP (IP protocol 50): Encapsulating Security Payload. ESP is used by manual key and AutoIKE IPSec VPN tunnels for communicating encrypted data. AutoIKE VPN tunnels use ESP after establishing the tunnel by IKE.
FINGER (TCP 79): A network service providing information about users.
FTP (TCP 21): File Transfer Protocol.
FTP_GET (TCP 21): File Transfer Protocol. FTP-GET is used for FTP connections which download files.
FTP_PUT (TCP 21): File Transfer Protocol. FTP-PUT is used for FTP connections which upload files.
GOPHER (TCP 70): Gopher organizes and displays Internet server contents as a hierarchically structured list of files.
GRE (IP protocol 47): Generic Routing Encapsulation. GRE allows an arbitrary network protocol to be transmitted over any other arbitrary network protocol, by encapsulating the packets of the protocol within GRE packets.
H323 (TCP 1720, 1503; UDP 1719): H.323 multimedia protocol. H.323 is a standard approved by the International Telecommunication Union (ITU) defining how audiovisual conferencing data can be transmitted across networks. For more information, see the FortiGate Support for H.323 Technical Note.

Table 43: Predefined services (Continued)

HTTP (TCP 80): Hypertext Transfer Protocol. HTTP is used to browse web pages on the World Wide Web.
HTTPS (TCP 443): HTTP with secure socket layer (SSL). HTTPS is used for secure communication with web servers.
ICMP_ANY (ICMP, any): Internet Control Message Protocol. ICMP allows control messages and error reporting between a host and gateway (Internet).
IKE (UDP 500, 4500): Internet Key Exchange. IKE obtains authenticated keying material for use with the Internet Security Association and Key Management Protocol (ISAKMP) for IPSEC.
IMAP (TCP 143): Internet Message Access Protocol. IMAP is used by email clients to retrieve email messages from email servers.
IMAPS (TCP 993): IMAP with SSL. IMAPS is used for secure IMAP communication between email clients and servers. IMAPS is only available on FortiGate units that support SSL content scanning and inspection.
INFO_ADDRESS (ICMP 17): ICMP address mask request messages.
INFO_REQUEST (ICMP 15): ICMP information request messages.
IRC (TCP 6660-6669): Internet Relay Chat. IRC allows users to join chat channels.
Internet-Locator-Service (TCP 389): Internet Locator Service. ILS includes LDAP, User Locator Service, and LDAP over TLS/SSL.
L2TP (TCP 1701; UDP 1701): Layer 2 Tunneling Protocol. L2TP is a PPP-based tunnel protocol for remote access.
LDAP (TCP 389): Lightweight Directory Access Protocol. LDAP is used to access information directories.
MGCP (UDP 2427, 2727): Media Gateway Control Protocol. MGCP is used by call agents and media gateways in distributed Voice over IP (VoIP) systems.
MS-SQL (TCP 1433, 1434): Microsoft SQL Server is a relational database management system (RDBMS) produced by Microsoft. Its primary query languages are MS-SQL and T-SQL.
MYSQL (TCP 3306): MySQL is a relational database management system (RDBMS) which runs as a server providing multi-user access to a number of databases.
NFS (TCP 111, 2049; UDP 111, 2049): Network File System. NFS allows network users to mount shared files.
NNTP (TCP 119): Network News Transport Protocol. NNTP is used to post, distribute, and retrieve Usenet messages.
NTP (TCP 123; UDP 123): Network Time Protocol. NTP synchronizes a host’s time with a time server.
NetMeeting (TCP 1720): NetMeeting allows users to teleconference using the Internet as the transmission medium.
ONC-RPC (TCP 111; UDP 111): Open Network Computing Remote Procedure Call. ONC-RPC is a widely deployed remote procedure call system.
OSPF (IP protocol 89): Open Shortest Path First. OSPF is a common link state routing protocol.

Table 43: Predefined services (Continued)

PC-Anywhere (TCP 5631; UDP 5632): PC-Anywhere is a remote control and file transfer protocol.
PING (ICMP 8): Ping sends ICMP echo request/replies to test connectivity to other hosts.
PING6 (ICMP 58): Ping6 sends ICMPv6 echo request/replies to network hosts to test IPv6 connectivity to other hosts.
POP3 (TCP 110): Post Office Protocol v3. POP retrieves email messages.
POP3S (TCP 995): Post Office Protocol v3 with secure socket layer (SSL). POP3S is used for secure retrieval of email messages. POP3S is only available on FortiGate units that support SSL content scanning and inspection.
PPTP (TCP 1723): Point-to-Point Tunneling Protocol. PPTP is used to tunnel connections between private network hosts over the Internet. Note: Also requires IP protocol 47.
QUAKE (UDP 26000, 27000, 27910, 27960): Quake multi-player computer game traffic.
RADIUS (UDP 1812, 1813): Remote Authentication Dial In User Service. RADIUS is a networking protocol that provides centralized access, authorization and accounting management for people or computers to connect and use a network service.
RAUDIO (UDP 7070): RealAudio multimedia traffic.
RDP (TCP 3389): Remote Desktop Protocol is a multi-channel protocol that allows a user to connect to a networked computer.
REXEC (TCP 512): Rexec traffic allows specified commands to be executed on a remote host running the rexecd service (daemon).
RIP (UDP 520): Routing Information Protocol. RIP is a common distance vector routing protocol. This service matches RIP v1.
RLOGIN (TCP 513): Remote login traffic.
RSH (TCP 514): Remote Shell traffic allows specified commands to be executed on a remote host running the rshd service (daemon).
RTSP (TCP 554, 7070, 8554; UDP 554): Real Time Streaming Protocol is a protocol for use in streaming media systems which allows a client to remotely control a streaming media server, issuing VCR-like commands such as play and pause, and allowing time-based access to files on a server.
SAMBA (TCP 139): Server Message Block. SMB allows clients to use file and print shares from enabled hosts. This is primarily used for Microsoft Windows hosts, but may be used with operating systems running the Samba daemon.
SCCP (TCP 2000): Skinny Client Control Protocol. SCCP is a Cisco proprietary standard for terminal control for use with voice over IP (VoIP).

Table 43: Predefined services (Continued)

SIP (UDP 5060): Session Initiation Protocol. SIP allows audiovisual conferencing data to be transmitted across networks. For more information, see the FortiGate SIP Support Technical Note.
SIP-MSNmessenger (TCP 1863): Session Initiation Protocol used by Microsoft Messenger to initiate an interactive, possibly multimedia session.
SMTP (TCP 25): Simple Mail Transfer Protocol. Used for sending email messages between email clients and email servers, and between email servers.
SMTPS (TCP 465): SMTP with SSL. SMTPS is used for sending email messages between email clients and email servers, and between email servers securely. SMTPS is only available on FortiGate units that support SSL content scanning and inspection.
SNMP (TCP 161-162; UDP 161-162): Simple Network Management Protocol. SNMP can be used to monitor and manage complex networks.
SOCKS (TCP 1080; UDP 1080): SOCKetS. SOCKS is an Internet protocol that allows client-server applications to transparently use the services of a network firewall.

Table 43: Predefined services (Continued)

SQUID (TCP 3128): A proxy server and web cache daemon that has a wide variety of uses that includes speeding up a web server by caching repeated requests, caching web, DNS and other computer network lookups for a group of people sharing network resources, and aiding security by filtering traffic.
SSH (TCP 22; UDP 22): Secure Shell. SSH allows secure remote management and tunneling.
SYSLOG (UDP 514): Syslog service for remote logging.
TALK (UDP 517-518): Talk allows conversations between two or more users.
TCP (TCP 0-65535): Matches connections using any TCP port.
TELNET (TCP 23): Allows plain text remote management.
TFTP (UDP 69): Trivial File Transfer Protocol. TFTP is similar to FTP, but without security features such as authentication.
TIMESTAMP (ICMP 13): ICMP timestamp request messages.
TRACEROUTE (TCP 33434; UDP 33434): A computer network tool used to determine the route taken by packets across an IP network.
UDP (UDP 0-65535): Matches connections using any UDP port.
UUCP (UDP 540): Unix to Unix Copy Protocol. UUCP provides simple file copying.
VDOLIVE (TCP 7000-7010): VDO Live streaming multimedia traffic.
VNC (TCP 5900): Virtual Network Computing. VNC is a graphical desktop sharing system which uses the RFB protocol to remotely control another computer.
WAIS (TCP 210): Wide Area Information Server. WAIS is an Internet search protocol which may be used in conjunction with Gopher.
WINFRAME (TCP 1494): WinFrame provides communications between computers running Windows NT, or Citrix WinFrame/MetaFrame.
WINS (TCP 1512; UDP 1512): Windows Internet Name Service is Microsoft's implementation of NetBIOS Name Service (NBNS), a name server and service for NetBIOS computer names.
X-WINDOWS (TCP 6000-6063): X Window System (also known as X11) can forward the graphical shell from an X Window server to X Window client.

Viewing the custom service list

If you need to create a firewall policy for a service that is not in the predefined service list, you can add a custom service.

To view the custom service list, go to Firewall > Service > Custom.

Figure 211: Custom service list

Create New: Add a custom service.
Service Name: The name of the custom service.
Detail: The protocol and port numbers for each custom service.
Delete icon: Remove the custom service. The Delete icon appears only if the service is not currently being used by a firewall policy.
Edit icon: Edit the custom service.

Configuring custom services

If you need to create a firewall policy for a service that is not in the predefined service list, you can add a custom service.

Tip: You can also create custom services when you configure a firewall policy. Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Service list, select Service > Create New.

To add a custom TCP or UDP service
1 Go to Firewall > Service > Custom.
2 Select Create New.
3 Set Protocol Type to TCP/UDP.
4 Complete the fields in the following table and select OK.

Figure 212: New Custom Service - TCP/UDP

Name: Enter a name for the custom service.
Protocol Type: Select TCP/UDP.
Protocol: Select TCP or UDP as the protocol of the port range being added.
Source Port: Specify the source port number range for the service by entering the low and high port numbers. If the service uses one port number, enter this number in both the Low and High fields. The default values allow the use of any source port.

Destination Port: Specify the destination port number range for the service by entering the low and high port numbers. If the service uses one port number, enter this number in both the Low and High fields.
Add: If your custom service requires more than one port range, select Add to allow more source and destination ranges.
Delete icon: Remove the entry from the list.

To add a custom ICMP service
1 Go to Firewall > Service > Custom.
2 Select Create New.
3 Set Protocol Type to ICMP.
4 Complete the fields in the following table and select OK.

Figure 213: New Custom Service - ICMP

Name: Enter a name for the ICMP custom service.
Protocol Type: Select ICMP.
Type: Enter the ICMP type number for the service.
Code: If required, enter the ICMP code number for the service.

To add a custom IP service
1 Go to Firewall > Service > Custom.
2 Select Create New.
3 Set Protocol Type to IP.
4 Complete the fields in the following table and select OK.

Figure 214: New Custom Service - IP

Name: Enter a name for the IP custom service.
Protocol Type: Select IP.
Protocol Number: Enter the IP protocol number for the service.

Viewing the service group list

You can organize multiple firewall services into a service group to simplify your firewall policy list. For example, instead of having five identical policies for five different but related firewall services, you might combine the five services into a single service group that is used by a single firewall policy.

Service groups can contain both predefined and custom services. Service groups cannot contain other service groups.

To view the service group list, go to Firewall > Service > Group.

Figure 215: Sample service group list

Create New: Add a service group.
Group Name: The name to identify the service group.
Members: The services added to the service group.
Delete icon: Remove the entry from the list. The Delete icon appears only if the service group is not selected in a firewall policy.
Edit icon: Select to edit the Group Name and Members.

Configuring service groups

You can organize multiple firewall services into a service group to simplify your firewall policy list. For example, instead of having five identical policies for five different but related firewall services, you might combine the five services into a single service group, which is used by a single firewall policy.

Service groups can contain both predefined and custom services. Service groups cannot contain other service groups.

To organize services into a service group, go to Firewall > Service > Group.

Tip: You can also create custom service groups when you configure a firewall policy. Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Service list, select Service Group > Create New.

Figure 216: Service Group

Group Name: Enter a name to identify the service group.
Available Services: The list of configured and predefined services available for your group, with custom services at the bottom. Use the arrows to move selected services between this list and Members.
Members: The list of services in the group. Use the arrows to move selected services between this list and Available Services.
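As an added illustration of how the custom services described under Configuring custom services and the service groups described above match a session, here is a small Python model. It is not FortiGate code; the class names, the sample packets and the custom service WEB-ALT are assumptions constructed for this example.

```python
# Added example: a model of how FortiGate firewall services and service groups
# match a session. Not FortiGate code; the class names are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]
ANY_PORT: PortRange = (0, 65535)  # the form's default Source Port: any source port


@dataclass
class Service:
    """One firewall service: a protocol plus the ports, ICMP type or IP protocol it covers."""
    name: str
    protocol: str                      # "TCP", "UDP", "ICMP" or "IP", as in Protocol Type
    # (source range, destination range) pairs, one per Add in the TCP/UDP form
    port_ranges: List[Tuple[PortRange, PortRange]] = field(default_factory=list)
    icmp_type: Optional[int] = None    # ICMP form: Type, and the optional Code
    icmp_code: Optional[int] = None
    ip_protocol: Optional[int] = None  # IP form: Protocol Number

    def matches(self, pkt: dict) -> bool:
        if self.protocol in ("TCP", "UDP"):
            if pkt["proto"] != self.protocol:
                return False
            return any(lo_s <= pkt["sport"] <= hi_s and lo_d <= pkt["dport"] <= hi_d
                       for (lo_s, hi_s), (lo_d, hi_d) in self.port_ranges)
        if self.protocol == "ICMP":
            if pkt["proto"] != "ICMP" or pkt["icmp_type"] != self.icmp_type:
                return False
            # Code is optional in the form: when it is not set, any code matches
            return self.icmp_code is None or pkt.get("icmp_code") == self.icmp_code
        if self.protocol == "IP":
            return pkt["proto"] == "IP" and pkt["ip_protocol"] == self.ip_protocol
        raise ValueError(f"unknown protocol type {self.protocol!r}")


def tcp_udp(name: str, protocol: str, dst: PortRange, src: PortRange = ANY_PORT) -> Service:
    """A single-range TCP/UDP service; a single port is entered as (n, n), Low and High."""
    return Service(name, protocol, [(src, dst)])


class ServiceGroup:
    """A service group: predefined and custom services, but never another group."""

    def __init__(self, name: str, members: List[Service]):
        if any(isinstance(m, ServiceGroup) for m in members):
            raise ValueError("service groups cannot contain other service groups")
        self.name, self.members = name, list(members)

    def matches(self, pkt: dict) -> bool:
        return any(m.matches(pkt) for m in self.members)


# Entries in the style of Table 43 (constructed here from the table's values)
HTTP = tcp_udp("HTTP", "TCP", (80, 80))
HTTPS = tcp_udp("HTTPS", "TCP", (443, 443))
PING = Service("PING", "ICMP", icmp_type=8)
GRE = Service("GRE", "IP", ip_protocol=47)
# A custom TCP service with two destination ranges, as added with the form's Add button
WEB_ALT = Service("WEB-ALT", "TCP", [(ANY_PORT, (8080, 8081)), (ANY_PORT, (8443, 8443))])
WEB_GROUP = ServiceGroup("WEB", [HTTP, HTTPS, WEB_ALT])


def first_matching_policy(policies, pkt: dict) -> Optional[str]:
    """Policies are (name, service or group) pairs tried top to bottom, like the policy list."""
    for name, svc in policies:
        if svc.matches(pkt):
            return name
    return None
```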

Firewall Schedule

Firewall schedules control when policies are in effect. You can create one-time schedules or recurring schedules. One-time schedules are in effect only once for the period of time specified in the schedule. Recurring schedules are in effect repeatedly at specified times of specified days of the week. For example, you might prevent game playing during office hours by creating a recurring schedule that covers office hours.

If you enable virtual domains (VDOMs) on the FortiGate unit, you must configure firewall schedules separately for each virtual domain. For more information, see “Using virtual domains” on page 103.

This section describes:
• Viewing the recurring schedule list
• Configuring recurring schedules
• Viewing the one-time schedule list
• Configuring one-time schedules

Viewing the recurring schedule list

You can create a recurring schedule that activates a policy during a specified period of time. For example, to prevent game playing except at lunchtime, you might set the start time for a recurring schedule at 1:00 p.m. and the stop time at 12:00 noon. To create a recurring schedule that runs for 24 hours, set the start and stop times to 00.

Note: If a recurring schedule has a stop time that is earlier than the start time, the schedule will take effect at the start time but end at the stop time on the next day. You can use this technique to create recurring schedules that run from one day to the next.

To view the recurring schedule list, go to Firewall > Schedule > Recurring.

Figure 217: Recurring schedule list

Create New: Add a recurring schedule.
Name: The name of the recurring schedule.
Day: The initials of the days of the week on which the schedule is active.
Start: The start time of the recurring schedule.
Stop: The stop time of the recurring schedule.

Delete icon: Remove the schedule from the list. The Delete icon appears only if the schedule is not being used in a firewall policy.
Edit icon: Edit the schedule.

Configuring recurring schedules

To add a recurring schedule, go to Firewall > Schedule > Recurring, select Create New, complete the fields as described in the following table and select OK.

Tip: You can also create recurring schedules when you configure a firewall policy. Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Schedule list, select Recurring > Create New.

Figure 218: New Recurring Schedule

Name: Enter a name to identify the recurring schedule.
Select: Select the days of the week for the schedule to be active.
Start: Select the start time for the recurring schedule. To put a policy into effect for an entire day, set schedule start and stop times to 00.
Stop: Select the stop time for the recurring schedule.

Viewing the one-time schedule list

You can create a one-time schedule that activates a policy during a specified period of time. For example, a firewall might be configured with a default policy that allows access to all services on the Internet at all times, but you could add a one-time schedule to block access to the Internet during a holiday.

To view the one-time schedule list, go to Firewall > Schedule > One-time.

Figure 219: One-time schedule list

Create New: Add a one-time schedule.
Name: The name of the one-time schedule.
Start: The start date and time for the schedule.
Stop: The stop date and time for the schedule.

Delete icon: Remove the schedule from the list. The Delete icon appears only if the schedule is not being used in a firewall policy.
Edit icon: Edit the schedule.

Configuring one-time schedules

To add a one-time schedule, go to Firewall > Schedule > One-time, select Create New, complete the fields as described in the following table and select OK.

Tip: You can also create one-time schedules when you configure a firewall policy. Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Schedule list, select One-time > Create New.

Figure 220: New One-time Schedule

Name: Enter a name to identify the one-time schedule.
Start: Select the start date and time for the schedule. To put a policy into effect for an entire day, set schedule start and stop times to 00.
Stop: Select the stop date and time for the schedule.
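The recurring and one-time schedule behaviour described in this section, including a recurring stop time that is earlier than the start time, modelled in Python as an added example that is not part of the guide. The class names and sample schedules are assumptions, and the dates used are constructed.

```python
# Added example: a model of FortiGate recurring and one-time schedules.
# Not FortiGate code; the class names and sample schedules are assumptions.
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import FrozenSet, List, Sequence

MON, TUE, WED, THU, FRI, SAT, SUN = range(7)   # datetime.weekday() numbering
WEEKDAYS = frozenset({MON, TUE, WED, THU, FRI})


@dataclass(frozen=True)
class RecurringSchedule:
    name: str
    days: FrozenSet[int]   # the days selected in the form (the Day initials in the list)
    start: time
    stop: time

    def is_active(self, at: datetime) -> bool:
        t = at.time()
        if self.start < self.stop:
            # ordinary case: active on a selected day from start up to stop
            return at.weekday() in self.days and self.start <= t < self.stop
        # stop earlier than (or equal to) start: the schedule takes effect at the start
        # time and ends at the stop time on the next day; 00:00 to 00:00 covers a whole day
        previous_day = (at - timedelta(days=1)).weekday()
        return ((at.weekday() in self.days and t >= self.start)
                or (previous_day in self.days and t < self.stop))


@dataclass(frozen=True)
class OneTimeSchedule:
    name: str
    start: datetime   # start date and time
    stop: datetime    # stop date and time

    def is_active(self, at: datetime) -> bool:
        return self.start <= at < self.stop


def active_schedule_names(schedules: Sequence, at: datetime) -> List[str]:
    """Names of the schedules that would put their policies into effect at a given moment."""
    return [s.name for s in schedules if s.is_active(at)]


# Constructed schedules following the guide's examples
OFFICE_HOURS = RecurringSchedule("office-hours", WEEKDAYS, time(8, 0), time(17, 0))
# "prevent game playing except at lunchtime": start 1:00 p.m., stop 12:00 noon the next day
EXCEPT_LUNCH = RecurringSchedule("except-lunch", WEEKDAYS, time(13, 0), time(12, 0))
ALWAYS = RecurringSchedule("always", frozenset(range(7)), time(0, 0), time(0, 0))
HOLIDAY = OneTimeSchedule("holiday", datetime(2009, 12, 25, 0, 0), datetime(2009, 12, 26, 0, 0))
```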


Firewall Virtual IP

Virtual IP addresses (VIPs) can be used when configuring firewall policies to translate IP addresses and ports of packets received by a network interface. When the FortiGate unit receives inbound packets matching a firewall policy whose Destination Address field is a virtual IP, the FortiGate unit applies NAT, replacing packets’ IP addresses with the virtual IP’s mapped IP address.

Virtual IPs can be used in conjunction with firewall policies whose Action is not DENY to apply bidirectional NAT, also known as inbound NAT. For details, see “Configuring virtual IPs” on page 370.

IP pools, similarly to virtual IPs, can be used to configure aspects of NAT. IP pools configure dynamic translation of packets’ IP addresses based on the Destination Interface/Zone, whereas virtual IPs configure dynamic or static translation of packets’ IP addresses based upon the Source Interface/Zone, including a modem interface. To implement the translation configured in the virtual IP or IP pool, you must add it to a NAT firewall policy. In Transparent mode, however, virtual IPs are available from the FortiGate CLI.

Note: In Transparent mode from the FortiGate CLI you can configure NAT firewall policies that include Virtual IPs and IP pools. See “Adding NAT firewall policies in transparent mode” on page 386.

If you enable virtual domains (VDOMs) on the FortiGate unit, firewall virtual IPs are configured separately for each virtual domain. For more information, see “Using virtual domains” on page 103.

This section describes:
• How virtual IPs map connections through FortiGate units
• Viewing the virtual IP list
• Configuring virtual IPs
• Virtual IP Groups
• Viewing the VIP group list
• Configuring VIP groups
• IP pools
• Viewing the IP pool list
• Configuring IP Pools
• Double NAT: combining IP pool with virtual IP
• Adding NAT firewall policies in transparent mode

How virtual IPs map connections through FortiGate units

Virtual IPs can specify translations of packets’ port numbers and/or IP addresses for both inbound and outbound connections.

Inbound connections

When comparing packets with the firewall policy list to locate a matching policy, if a firewall policy’s Destination Address is a virtual IP, FortiGate units compare packets’ destination address to the virtual IP’s external IP address. If they match, the FortiGate unit applies the virtual IP’s inbound NAT mapping, which specifies how the FortiGate unit translates network addresses and/or port numbers of packets from the receiving (external) network interface to the network interface connected to the destination (mapped) IP address or IP address range. Depending on your configuration of the virtual IP, its mapping may involve port address translation (PAT), also known as port forwarding or network address port translation (NAPT), and/or network address translation (NAT) of IP addresses.

In addition to specifying IP address and port mappings between interfaces, virtual IP configurations can optionally bind an additional IP address or IP address range to the receiving network interface, rather than the IP address already configured for the network interface. By binding an additional IP address, you can configure a separate set of mappings that the FortiGate unit can apply to packets whose destination matches that bound IP address.

If you configure NAT in the virtual IP and firewall policy, the NAT behavior varies by your selection of:
• static vs. dynamic NAT mapping
• the dynamic NAT’s load balancing style, if using dynamic NAT mapping
• full NAT vs. destination NAT (DNAT)

The following table describes combinations of PAT and/or NAT that are possible when configuring a firewall policy with a virtual IP.

Static NAT: Static, one-to-one NAT mapping: an external IP address is always translated to the same mapped IP address. If using IP address ranges, the external IP address range corresponds to a mapped IP address range containing an equal number of IP addresses, and each IP address in the external range is always translated to the same IP address in the mapped range.

Static NAT with Port Forwarding: Static, one-to-one NAT mapping with port forwarding: an external IP address is always translated to the same mapped IP address, and an external port number is always translated to the same mapped port number. If using IP address ranges, the external IP address range corresponds to a mapped IP address range containing an equal number of IP addresses, and each IP address in the external range is always translated to the same IP address in the mapped range. If using port number ranges, the external port number range corresponds to a mapped port number range containing an equal number of port numbers, and each port number in the external range is always translated to the same port number in the mapped range.

Server Load Balancing: Dynamic, one-to-many NAT mapping: an external IP address is translated to one of the mapped IP addresses, as determined by the selected load balancing algorithm for more even traffic distribution. The external IP address is not always translated to the same mapped IP address. Server load balancing requires that you configure at least one “real” server, but can use up to eight. Real servers can be configured with health check monitors. Health check monitors can be used to gauge server responsiveness before forwarding packets.

Server Load Balancing with Port Forwarding: Dynamic, one-to-many NAT mapping with port forwarding: an external IP address is translated to one of the mapped IP addresses, as determined by the selected load balancing algorithm for more even traffic distribution. The external IP address is not always translated to the same mapped IP address. Server load balancing requires that you configure at least one “real” server, but can use up to eight. Real servers can be configured with health check monitors. Health check monitors can be used to gauge server responsiveness before forwarding packets.

Note: If the NAT check box is not selected when building the firewall policy, the resulting policy does not perform full (source and destination) NAT; instead, it performs destination network address translation (DNAT). For inbound traffic, DNAT translates packets’ destination address to the mapped private IP address, but does not translate the source address. The private network is aware of the source’s public IP address. For reply traffic, the FortiGate unit translates packets’ private network source IP address to match the destination address of the originating packets, which is maintained in the session table.

A typical example of static NAT is to allow client access from a public network to a web server on a private network that is protected by a FortiGate unit. Reduced to its essence, this example involves only three hosts, as shown in Figure 221: the web server on a private network, the client computer on another network, such as the Internet, and the FortiGate unit connecting the two networks.

Figure 221: A simple static NAT virtual IP example

When a client computer attempts to contact the web server, it uses the virtual IP on the FortiGate unit’s external interface. The FortiGate unit receives the packets, the addresses in the packets are translated to private network IP addresses, and the packet is forwarded to the web server on the private network.

The packets sent from the client computer have a source IP of 192.168.37.55 and a destination IP of 192.168.37.4. The FortiGate unit receives these packets at its external interface, and matches them to a firewall policy for the virtual IP. The virtual IP settings map 192.168.37.4 to 10.10.10.42, so the FortiGate unit changes the packets’ addresses. The source address is changed to 10.10.10.2 and the destination is changed to 10.10.10.42. The FortiGate unit makes a note of this translation in the firewall session table it maintains internally. The packets are then sent on to the web server.

Figure 222: Example of packet address remapping during NAT from client to server

Note that the client computer’s address does not appear in the packets the server receives. As far as the server can tell, all packets are sent by the FortiGate unit. The web server has no indication that another network exists. After the FortiGate unit translates the network addresses, there is no reference to the client computer’s IP address, except in its session table.

When the web server replies to the client computer, address translation works similarly, but in the opposite direction. The web server sends its response packets having a source IP address of 10.10.10.42 and a destination IP address of 10.10.10.2. The FortiGate unit receives these packets on its internal interface. This time, the session table is used to recall the client computer’s IP address as the destination address for the address translation. In the reply packets, the source address is changed to 192.168.37.4 and the destination is changed to 192.168.37.55. The packets are then sent on to the client computer.

Figure 223: Example of packet address remapping during NAT from server to client

The web server’s private IP address does not appear in the packets the client receives. As far as the client is concerned, the FortiGate unit’s virtual IP is the web server. The client has no indication that the web server’s IP address is not the virtual IP. After the FortiGate unit translates the network addresses, there is no reference to the web server’s network.

In the previous example, the NAT check box is checked when configuring the firewall policy. If the NAT check box is not selected when building the firewall policy, the resulting policy does not perform full NAT; instead, it performs destination network address translation (DNAT). For inbound traffic, DNAT translates packets’ destination address to the mapped private IP address, but does not translate the source address. The web server would be aware of the client’s IP address. For reply traffic, the FortiGate unit translates packets’ private network source IP address to match the destination address of the originating packets, which is maintained in the session table.

Outbound connections

Virtual IPs can also affect outbound NAT. If no virtual IPs are configured, FortiGate units apply traditional outbound NAT to connections outbound from private network IP addresses to public network IP addresses. However, if virtual IP configurations exist, FortiGate units use virtual IPs’ inbound NAT mappings in reverse to apply outbound NAT, causing IP address mappings for both inbound and outbound traffic to be symmetric, even though they are not selected in an outbound firewall policy. For example, if a network interface’s IP address is 10.10.10.1, and its bound virtual IP’s external IP is 10.10.10.2, mapping inbound traffic to the private network IP address 192.168.2.1, traffic outbound from 192.168.2.1 will be translated to 10.10.10.2, not 10.10.10.1.
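The static NAT walkthrough above (full NAT and DNAT-only inbound handling, the session table used for replies, and the reverse use of the mapping for outbound traffic), together with the static one-to-one range mapping from the table earlier in this section, as an added Python model. It is not FortiGate code; the interface names, the external interface address 192.168.37.1 and the port numbers are assumptions constructed for the example.

```python
# Added example: a model of a static NAT virtual IP, the session table and outbound NAT.
# Not FortiGate code; interface names, the external interface address and ports are assumptions.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class VirtualIP:
    """Static NAT, one-to-one: one external IP on the external interface maps to one private IP."""
    name: str
    external_interface: str
    external_ip: str
    mapped_ip: str


@dataclass
class StaticNatGateway:
    interface_ips: Dict[str, str]     # interface name -> the address configured on it
    vips: List[VirtualIP]
    # session table: (server IP, server port, address the server replies to, its port) -> original packet
    sessions: Dict[Tuple[str, int, str, int], Packet] = field(default_factory=dict)

    def inbound(self, pkt: Packet, ingress: str, egress: str, nat_checked: bool) -> Optional[Packet]:
        """Apply the VIP's inbound mapping to a packet whose destination is the external IP."""
        vip = next((v for v in self.vips
                    if v.external_interface == ingress and v.external_ip == pkt.dst), None)
        if vip is None:
            return None                 # destination is not a virtual IP: no policy matches here
        # DNAT in both cases: the destination becomes the mapped private address
        new_dst = vip.mapped_ip
        # Full NAT only when the policy's NAT check box is selected: the source becomes the
        # FortiGate unit's address on the interface facing the server; otherwise it is kept
        new_src = self.interface_ips[egress] if nat_checked else pkt.src
        self.sessions[(new_dst, pkt.dport, new_src, pkt.sport)] = pkt
        return Packet(new_src, new_dst, pkt.sport, pkt.dport)

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Translate the server's reply using the session table, in the opposite direction."""
        original = self.sessions.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if original is None:
            return None                 # no session: nothing to map the reply back to
        # source becomes the virtual IP, destination the client recalled from the session
        return Packet(original.dst, original.src, pkt.sport, pkt.dport)

    def outbound(self, pkt: Packet, egress: str) -> Packet:
        """Outbound NAT: a VIP's mapping is used in reverse, else the interface address."""
        for v in self.vips:
            if v.external_interface == egress and v.mapped_ip == pkt.src:
                return Packet(v.external_ip, pkt.dst, pkt.sport, pkt.dport)
        return Packet(self.interface_ips[egress], pkt.dst, pkt.sport, pkt.dport)


def static_range(external_start: str, mapped_low: str, mapped_high: str) -> List[Tuple[str, str]]:
    """Static NAT with an address range: the external range is derived from the mapped range
    so that both hold the same number of addresses, each pair fixed one-to-one."""
    lo, hi, ext = (ipaddress.IPv4Address(a) for a in (mapped_low, mapped_high, external_start))
    if hi < lo:
        raise ValueError("mapped range high must not be below low")
    return [(str(ext + i), str(lo + i)) for i in range(int(hi) - int(lo) + 1)]


# The guide's three-host example: client 192.168.37.55, VIP 192.168.37.4 mapped to the
# web server 10.10.10.42, FortiGate internal interface 10.10.10.2 (the external interface
# address 192.168.37.1 and the port numbers used in the tests are constructed)
GATEWAY = StaticNatGateway(
    {"external": "192.168.37.1", "internal": "10.10.10.2"},
    [VirtualIP("web-server-vip", "external", "192.168.37.4", "10.10.10.42")],
)
```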

VIP requirements

Virtual IPs have the following requirements.
• Virtual IP names must be different from address or address group names.
• The Mapped IP Address/Range cannot be 0.0.0.0 or 255.255.255.255.
• The Mapped IP Address/Range must not include any interface IP addresses.
• If the virtual IP is mapped to a range of IP addresses and its type is Static NAT, the External IP Address/Range cannot be 0.0.0.0.
• When port forwarding, the External IP Address/Range cannot include any other interface IP addresses.
• A physical external IP address can be used as the external VIP IP address.
• When port forwarding, the count of mapped port numbers and external port numbers must be the same, and the last port number in the range must not exceed 65535.
• Duplicate entries or overlapping ranges are not permitted.

Viewing the virtual IP list

To view the virtual IP list, go to Firewall > Virtual IP > Virtual IP.

Figure 224: Virtual IP list

Create New: Select to add a virtual IP.
Name: The name of the virtual IP.
IP: The bound network interface and external IP address or IP address range, separated by a slash (/).
Service Port: The external port number or port number range. This field is empty if the virtual IP does not specify port forwarding.
Map to IP/IP Range: The mapped to IP address or address range on the destination network.
Map to Port: The mapped to port number or port number range. This field is empty if the virtual IP does not specify port forwarding.
Delete icon: Remove the virtual IP from the list. The Delete icon only appears if the virtual IP is not selected in a firewall policy.
Edit icon: Edit the virtual IP to change any virtual IP option including the virtual IP name.

Configuring virtual IPs
A virtual IP's external IP address can be a single IP address or an IP address range, and is bound to a FortiGate unit interface. A virtual IP's mapped IP address can be a single IP address, or an IP address range. For a static NAT virtual IP, if you add a mapped IP address range the FortiGate unit calculates the external IP address range and adds the IP address range to the External IP Address/Range field. For a static NAT dynamic virtual IP you can only add one mapped IP address. For a load balance dynamic virtual IP you can specify a single mapped address or a mapped address range. To configure a dynamic virtual IP that accepts connections for any IP address, set the external IP address to 0.0.0.0. For details, see the FortiGate CLI Reference.

Virtual IPs use proxy ARP, as defined in RFC 1027, so that the FortiGate unit can respond to ARP requests on a network for a server that is actually installed on another network. When you bind the virtual IP's external IP address to a FortiGate unit interface, by default, the network interface responds to ARP requests for the bound IP address or IP address range. To disable ARP replies, see the FortiGate CLI Reference.

When the FortiGate unit receives packets matching a firewall policy whose Destination Address field is a virtual IP, the FortiGate unit applies NAT, replacing the packet's destination IP address with the virtual IP's mapped IP address. To implement the translation configured in the virtual IP or IP pool, you must add it to a NAT firewall policy. For example, to add a firewall policy that maps public network addresses to a private network, add an external to internal firewall policy whose Destination Address field is a virtual IP.

To avoid confusion, addresses, address groups, and virtual IPs cannot have the same names.

Figure 225: Creating a Virtual IP
Name: Enter or change the name to identify the virtual IP.
External Interface: Select the virtual IP external interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network. You can select any FortiGate interface, VPN interface, VLAN subinterface, or modem interface.
Type: VIP type is Static NAT, read only.
External IP Address/Range: Enter the external IP address, or IP address range, that you want to map to an address on the destination network and that will be bound to the network interface.
Mapped IP Address/Range: Enter the real IP address on the destination network to which the external IP address is mapped. You can also enter an address range to forward packets to multiple IP addresses on the destination network.
Port Forwarding: Select to perform port address translation (PAT). This option appears only if Type is Static NAT.
Protocol: Select the protocol of the forwarded packets. This option appears only if Port Forwarding is selected.
External Service Port: Enter the external interface port number for which you want to configure port forwarding. This option appears only if Port Forwarding is selected.
Map to Port: Enter the port number on the destination network to which the external port number is mapped. You can also enter a port number range to forward packets to multiple ports on the destination network. For a virtual IP with static NAT, if you add a map to port range the FortiGate unit calculates the external port number range and adds the port number range to the External Service Port field. This option appears only if Port Forwarding is enabled.
SSL Offloading: Select to accelerate clients' SSL connections to the server by using the FortiGate unit to perform SSL operations, then select which segments of the connection will receive SSL offloading. SSL 3.0, TLS 1.0, and TLS 1.1 are supported. If the server is already configured to use SSL, this also enables SSL acceleration without requiring changes to the server's configuration. This option appears only if Port Forwarding is enabled, and only on FortiGate models whose hardware supports SSL acceleration, such as FortiGate-3600A.
• Client <-> FortiGate: Select to apply hardware accelerated SSL only to the part of the connection between the client and the FortiGate unit. The segment between the FortiGate unit and the server will use clear text communications. This results in best performance, but cannot be used in failover configurations where the failover path does not have an SSL accelerator.
• Client <-> FortiGate <-> Server: Select to apply hardware accelerated SSL to both parts of the connection: the segment between the client and the FortiGate unit, and the segment between the FortiGate unit and the server. The segment between the FortiGate unit and the server will use encrypted communications, but the handshakes will be abbreviated. This results in performance which is less than the other option, but still improved over communications without SSL acceleration, and can be used in failover configurations where the failover path does not have an SSL accelerator.
Note: Additional SSL Offloading options are available in the CLI. For details, see the FortiGate CLI Reference.
Certificate: Select which SSL certificate to use with SSL Offloading. This option appears only if Port Forwarding is enabled, and is available only if SSL Offloading is selected.

To configure a virtual IP
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Configure the virtual IP by entering the virtual IP address, if any, and selecting the mapping type and mapped IP address(es) and/or port(s). For configuration examples of each type, see:
• "Adding a static NAT virtual IP for a single IP address" on page 372
• "Adding a static NAT virtual IP for an IP address range" on page 373
• "Adding static NAT port forwarding for a single IP address and a single port" on page 375
• "Adding static NAT port forwarding for an IP address range and a port range" on page 377
• "Adding dynamic virtual IPs" on page 378
• "Adding a virtual IP with port translation only" on page 379

4 Select OK. The virtual IP appears in the virtual IP list.
5 To implement the virtual IP, select the virtual IP in a firewall policy. For example, to add a firewall policy that maps public network addresses to a private network, you might add an external to internal firewall policy and select the Source Interface/Zone to which a virtual IP is bound, then select the virtual IP in the Destination Address field of the policy. For details, see "Configuring firewall policies" on page 323.

Adding a static NAT virtual IP for a single IP address
The IP address 192.168.37.4 on the Internet is mapped to 10.10.10.42 on a private network. Attempts to communicate with 192.168.37.4 from the Internet are translated and sent to 10.10.10.42 by the FortiGate unit. The computers on the Internet are unaware of this translation and see a single computer at 192.168.37.4 rather than a FortiGate unit with a private network behind it.

Figure 226: Static NAT virtual IP for a single IP address example

To add a static NAT virtual IP for a single IP address
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Use the following procedure to add a virtual IP that allows users on the Internet to connect to a web server on the DMZ network. In our example, the wan1 interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.

Figure 227: Virtual IP options: static NAT virtual IP for a single IP address
Name: static_NAT
External Interface: wan1
Type: Static NAT
External IP Address/Range: The Internet IP address of the web server. The external IP address is usually a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address. Since there is only one IP address, leave the second field blank.
Mapped IP Address/Range: The IP address of the server on the internal network.
4 Select OK.

To add a static NAT virtual IP for a single IP address to a firewall policy
Add an external to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP address, packets pass through the FortiGate unit from the external interface to the dmz1 interface. The virtual IP translates the destination address of these packets from the external IP to the DMZ network IP address of the web server.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
Source Interface/Zone: external
Source Address: All (or a more specific address)
Destination Interface/Zone: dmz1
Destination Address: simple_static_nat
Schedule: always
Service: HTTP
Action: ACCEPT
3 Select NAT.
4 Select OK.

Adding a static NAT virtual IP for an IP address range
The IP address range 192.168.37.4-192.168.37.6 on the Internet is mapped to 10.10.10.42-10.10.10.44 on a private network. Packets from Internet computers communicating with 192.168.37.4 are translated and sent to 10.10.10.42 by the FortiGate unit. Similarly, packets destined for 192.168.37.5 are translated and sent to 10.10.10.43, and packets destined for 192.168.37.6 are translated and sent to 10.10.10.44. The computers on the Internet are unaware of this translation and see three computers with individual IP addresses rather than a FortiGate unit with a private network behind it.

Figure 228: Static NAT virtual IP for an IP address range example

To add a static NAT virtual IP for an IP address range
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Use the following procedure to add a virtual IP that allows users on the Internet to connect to three individual web servers on the DMZ network. In this example, the wan1 interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.

Figure 229: Virtual IP options: static NAT virtual IP with an IP address range
Name: static_NAT_range
External Interface: wan1
Type: Static NAT
External IP Address/Range: The Internet IP address range of the web servers. The external IP addresses are usually static IP addresses obtained from your ISP for your web servers. These addresses must be unique IP addresses that are not used by another host and cannot be the same as the IP addresses of the external interface the virtual IP will be using. However, the external IP addresses must be routed to the selected interface. The virtual IP addresses and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP addresses. Define the range by entering the first address of the range in the first field and the last address of the range in the second field.
Mapped IP Address/Range: The IP address range of the servers on the internal network.
4 Select OK.

To add a static NAT virtual IP with an IP address range to a firewall policy
Add a wan1 to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the server IP addresses, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination addresses of these packets from the wan1 IP to the DMZ network IP addresses of the servers.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
Source Interface/Zone: wan1
Source Address: All (or a more specific address)
Destination Interface/Zone: dmz1
Destination Address: static_NAT_range
Schedule: always
Service: HTTP
Action: ACCEPT
3 Select NAT.
4 Select OK.

Adding static NAT port forwarding for a single IP address and a single port
The IP address 192.168.37.4, port 80 on the Internet is mapped to 10.10.10.42, port 8000 on a private network. Attempts to communicate with 192.168.37.4, port 80 from the Internet are translated and sent to 10.10.10.42, port 8000 by the FortiGate unit. The computers on the Internet are unaware of this translation and see a single computer at 192.168.37.4, port 80 rather than a FortiGate unit with a private network behind it.

Figure 230: Static NAT virtual IP port forwarding for a single IP address and a single port example

To add static NAT virtual IP port forwarding for a single IP address and a single port
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.

3 Use the following procedure to add a virtual IP that allows users on the Internet to connect to a web server on the DMZ network. In our example, the wan1 interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.

Figure 231: Virtual IP options: Static NAT port forwarding virtual IP for a single IP address and a single port
Name: Port_fwd_NAT_VIP
External Interface: wan1
Type: Static NAT
External IP Address/Range: The Internet IP address of the web server. The external IP address is usually a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address. Since there is only one IP address, leave the second field blank.
Mapped IP Address/Range: The IP address of the server on the internal network.
Port Forwarding: Selected
Protocol: TCP
External Service Port: The port traffic from the Internet will use. For a web server, this will typically be port 80. Since there is only one port, leave the second field blank.
Map to Port: The port on which the server expects traffic.
4 Select OK.

To add static NAT virtual IP port forwarding for a single IP address and a single port to a firewall policy
Add a wan1 to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP addresses, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination addresses and ports of these packets from the external IP to the dmz network IP addresses of the web servers.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:

Source Interface/Zone: wan1
Source Address: All (or a more specific address)
Destination Interface/Zone: dmz1
Destination Address: Port_fwd_NAT_VIP
Schedule: always
Service: HTTP
Action: ACCEPT
3 Select NAT.
4 Select OK.

Adding static NAT port forwarding for an IP address range and a port range
Ports 80 to 83 of addresses 192.168.37.4 to 192.168.37.7 on the Internet are mapped to ports 8000 to 8003 of addresses 10.10.10.42 to 10.10.10.44 on a private network. Attempts to communicate with 192.168.37.5, port 82 from the Internet, for example, are translated and sent to 10.10.10.43, port 8002 by the FortiGate unit. The computers on the Internet are unaware of this translation and see a single computer at 192.168.37.5 rather than a FortiGate unit with a private network behind it.

Figure 232: Static NAT virtual IP port forwarding for an IP address range and a port range example

To add static NAT virtual IP port forwarding for an IP address range and a port range
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Use the following procedure to add a virtual IP that allows users on the Internet to connect to a web server on the DMZ network. In this example, the external interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.

Name: Port_fwd_NAT_VIP_port_range
External Interface: external
Type: Static NAT

External IP Address/Range: The external IP addresses are usually static IP addresses obtained from your ISP. These addresses must be unique, not used by another host, and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP addresses must be routed to the selected interface. The virtual IP addresses and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP addresses. Define the range by entering the first address of the range in the first field and the last address of the range in the second field.
Mapped IP Address/Range: The IP addresses of the servers on the internal network.
Port Forwarding: Selected
Protocol: TCP
External Service Port: The ports that traffic from the Internet will use. For a web server, this will typically be port 80. Define the range by entering the first port of the range in the first field and the last port of the range in the second field. If there is only one port, leave the second field blank.
Map to Port: The ports on which the server expects traffic.
4 Select OK.

To add static NAT virtual IP port forwarding for an IP address range and a port range to a firewall policy
Add an external to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP addresses, packets pass through the FortiGate unit from the external interface to the dmz1 interface. The virtual IP translates the destination addresses and ports of these packets from the external IP to the dmz network IP addresses of the web servers.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
Source Interface/Zone: external
Source Address: All (or a more specific address)
Destination Interface/Zone: dmz1
Destination Address: Port_fwd_NAT_VIP_port_range
Schedule: always
Service: HTTP
Action: ACCEPT
3 Select NAT.
4 Select OK.

Adding dynamic virtual IPs
Adding a dynamic virtual IP is similar to adding a virtual IP. The difference is that the External IP address must be set to 0.0.0.0 so the External IP address matches any IP address.

To add a dynamic virtual IP
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Enter a name for the dynamic virtual IP.
4 Select the virtual IP External Interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network. Select any firewall interface or a VLAN subinterface.
5 Set the External IP Address to 0.0.0.0. The 0.0.0.0 External IP Address matches any IP address.
6 Enter the Mapped IP Address to which to map the external IP address. For example, the IP address of a PPTP server on an internal network.
7 Select Port Forwarding.
8 For Protocol, select TCP.
9 Enter the External Service Port number for which to configure dynamic port forwarding. The external service port number must match the destination port of the packets to be forwarded. For example, if the virtual IP provides PPTP passthrough access from the Internet to a PPTP server, the external service port number should be 1723 (the PPTP port).
10 Enter the Map to Port number to be added to packets when they are forwarded. Enter the same number as the External Service Port if the port is not to be translated.
11 Select OK.

Adding a virtual IP with port translation only
When adding a virtual IP, if you enter a virtual IP address that is the same as the mapped IP address and apply port forwarding, the destination IP address will be unchanged, but the port number will be translated.

Note: To apply port forwarding to the external interface without binding a virtual IP address to it, enter the IP address of the network interface instead of a virtual IP address, then configure port forwarding as usual.

To add a virtual IP with port translation only
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Enter a name for the dynamic virtual IP.
4 Select the virtual IP External Interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network. Select any firewall interface or a VLAN subinterface.
5 Set the External IP Address as the mapped IP address.
6 Enter the Mapped IP Address to which to map the external IP address. For example, the IP address of a PPTP server on an internal network.
7 Select Port Forwarding.
8 For Protocol, select TCP.
9 Enter the External Service Port number for which to configure dynamic port forwarding. The external service port number must match the destination port of the packets to be forwarded. For example, if the virtual IP provides PPTP passthrough access from the Internet to a PPTP server, the external service port number should be 1723 (the PPTP port).
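As an added CLI counterpart to the GUI procedures above (not from the guide), the following defines the static NAT port-forwarding virtual IP for an IP address range and a port range, a dynamic virtual IP for PPTP passthrough, and the policy that applies the first one. Option names are assumed from the FortiOS 4.0 CLI Reference that the guide refers to and should be checked against it; the name pptp_passthrough and the PPTP server address 10.10.10.50 are placeholders, and the address range uses three external addresses, as in the IP range example, because the mapped and external address counts must match.

```fortios
config firewall vip
    # Static NAT with port forwarding: 192.168.37.4-6 ports 80-83 -> 10.10.10.42-44 ports 8000-8003
    edit "Port_fwd_NAT_VIP_port_range"
        set extintf "external"
        set type static-nat
        set extip 192.168.37.4-192.168.37.6
        set mappedip 10.10.10.42-10.10.10.44
        set arp-reply enable          # default: the external interface answers ARP for the external addresses (proxy ARP)
        set portforward enable
        set protocol tcp
        set extport 80-83             # port count must equal the mappedport count
        set mappedport 8000-8003
    next
    # Dynamic virtual IP: 0.0.0.0 matches any destination address; only the PPTP port is forwarded, untranslated
    edit "pptp_passthrough"           # placeholder name
        set extintf "external"
        set extip 0.0.0.0
        set mappedip 10.10.10.50      # placeholder PPTP server address
        set portforward enable
        set protocol tcp
        set extport 1723
        set mappedport 1723           # same as extport: the port is not translated
    next
end

# The VIP only takes effect once it is the destination of a NAT policy (external -> dmz1 here)
config firewall policy
    edit 0                            # 0 lets the CLI assign the next free policy ID (assumed)
        set srcintf "external"
        set dstintf "dmz1"
        set srcaddr "all"
        set dstaddr "Port_fwd_NAT_VIP_port_range"
        set action accept
        set schedule "always"
        set service "HTTP"
        set nat enable
    next
end
```

Restricting srcaddr to a named address object instead of "all" narrows who can reach the forwarded ports, which is the same recommendation the guide makes with "All (or a more specific address)".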

10 Enter the Map to Port number to be added to packets when they are forwarded.
11 Select OK.

Virtual IP Groups
You can organize multiple virtual IPs into a virtual IP group to simplify your firewall policy list. For example, instead of having five identical policies for five different but related virtual IPs located on the same network interface, you might combine the five virtual IPs into a single virtual IP group, which is used by a single firewall policy. Firewall policies using VIP Groups are matched by comparing both the member VIP IP address(es) and port number(s).

Viewing the VIP group list
To view the virtual IP group list, go to Firewall > Virtual IP > VIP Group.

Figure 233: VIP Group list
Create New: Select to add a new VIP group. See "Configuring VIP groups" on page 380.
Group Name: The name of the virtual IP group.
Members: Lists the group members.
Interface: Displays the interface that the VIP group belongs to.
Delete icon: Remove the VIP group from the list. The Delete icon only appears if the VIP group is not being used in a firewall policy.
Edit icon: Edit the VIP group information, including the group name and membership.

Configuring VIP groups
To add a VIP group, go to Firewall > Virtual IP > VIP Group and select Create New. Enter the information as described below, and select OK. To edit a VIP group, go to Firewall > Virtual IP > VIP Group and select the Edit icon for the VIP group to edit.

Figure 234: Editing a VIP group
Group Name: Enter or modify the group name.
Interface: Select the interface for which you want to create the VIP group. If you are editing the group, the Interface box is grayed out.
Available VIPs and Members: Select the up or down arrow to move virtual IPs between Available VIPs and Members. Members contains virtual IPs that are a part of this virtual IP group.

IP pools
Use IP pools to add NAT policies that translate source addresses to addresses randomly selected from the IP pool, rather than the IP address assigned to that FortiGate unit interface. An IP pool defines an address or a range of IP addresses, all of which respond to ARP requests on the interface to which the IP pool is added. Add multiple IP pools to any interface and select the IP pool to use when configuring a firewall policy. An IP pool list appears when the policy destination interface is the same as the IP pool interface. Select Enable Dynamic IP Pool in a firewall policy to translate the source address of outgoing packets to an address randomly selected from the IP pool. For example, with an IP pool added to the internal interface, you can select Dynamic IP pool for policies with the internal interface as the destination. In Transparent mode, IP pools are available from the FortiGate CLI.

A single IP address is entered normally; for example, 192.168.110.100 is a valid IP pool address. If an IP address range is required, use either of the following formats.
• x.x.x.x-x.x.x.x, for example 192.168.110.100-192.168.110.120
• x.x.x.[x-x], for example 192.168.110.[100-120]

IP pools and dynamic NAT
Use IP pools for dynamic NAT. For example, an organization might have purchased a range of Internet addresses but has only one Internet connection on the external interface of the FortiGate unit. Assign one of the organization's Internet IP addresses to the external interface of the FortiGate unit. If the FortiGate unit is operating in NAT/Route mode, all connections from the network to the Internet appear to come from this IP address. For connections to originate from all the Internet IP addresses, add this address range to an IP pool for the external interface. Then select Dynamic IP Pool for all policies with the external interface as the destination. For each connection, the firewall dynamically selects an IP address from the IP pool to be the source address for the connection. As a result, connections to the Internet appear to be originating from any of the IP addresses in the IP pool.

IP Pools for firewall policies that use fixed ports
Some network configurations do not operate correctly if a NAT policy translates the source port of packets used by the connection. NAT translates source ports to keep track of connections for a particular service. Select fixed port for NAT policies to prevent source port translation. However, selecting fixed port means that only one connection can be supported through the firewall for this service. To be able to support multiple connections, add an IP pool to the destination interface, and then select dynamic IP pool in the policy. The firewall randomly selects an IP address from the IP pool and assigns it to each connection. In this case the number of connections that the firewall can support is limited by the number of IP addresses in the IP pool.

Source IP address and IP pool address matching
When the source addresses are translated to the IP pool addresses, one of the following three cases may occur:

Scenario 1: The number of source addresses equals that of IP pool addresses
In this case, the FortiGate unit will always match the IP addresses one to one. If you use fixed port in such a case, the FortiGate unit preserves the original source port. However, this may cause conflicts if more than one firewall policy uses the same IP pool, or the same IP addresses are used in more than one IP pool.

Original address    Change to
192.168.1.1         172.16.30.1
192.168.1.2         172.16.30.2
...                 ...
192.168.1.254       172.16.30.254

Scenario 2: The number of source addresses is more than that of IP pool addresses
In this case, the FortiGate unit translates IP addresses using a wrap-around mechanism. If you use fixed port in such a case, the FortiGate unit will preserve the original source port. But conflicts may occur since users may have different sessions using the same TCP 5 tuples.

Original address    Change to
192.168.1.1         172.16.30.10
192.168.1.2         172.16.30.11
...                 ...
192.168.1.10        172.16.30.19
192.168.1.11        172.16.30.10
192.168.1.12        172.16.30.11
192.168.1.13        172.16.30.12
...                 ...

Scenario 3: The number of source addresses is fewer than that of IP pool addresses
In this case, some of the IP pool addresses will be used and the rest of them will not be used.

Original address            Change to
192.168.1.1                 172.16.30.10
192.168.1.2                 172.16.30.11
192.168.1.3                 172.16.30.12
No more source addresses    172.16.30.13 and other addresses will not be used

Viewing the IP pool list
If virtual domains are enabled on the FortiGate unit, IP pools are created separately for each virtual domain. To access IP pools, select a virtual domain from the list on the main menu. To view the IP pool list, go to Firewall > Virtual IP > IP Pool.

Figure 235: IP pool list
Create New: Select to add an IP pool.
Name: The name of the IP pool.
Start IP: The start IP defines the start of an address range.
End IP: The end IP defines the end of an address range.
Delete icon: Select to remove the entry from the list. The Delete icon only appears if the IP pool is not being used in a firewall policy.
Edit icon: Select to edit the following information: Name, Interface, IP Range/Subnet.

Configuring IP Pools
To add an IP pool, go to Firewall > Virtual IP > IP Pool.

Figure 236: New Dynamic IP Pool
Name: Enter the name of the IP pool.
Interface: Select the interface to which to add an IP pool.
IP Range/Subnet: Enter the IP address range for the IP pool. The IP range defines the start and end of an address range. The start of the range must be lower than the end of the range. The start and end of the IP range do not have to be on the same subnet as the IP address of the interface to which you are adding the IP pool.

Double NAT: combining IP pool with virtual IP
When creating a firewall policy, you can use both IP pool and virtual IP for double IP and/or port translation. For example, in the following network topology:
• Users in the 10.1.1.0/24 subnet use port 8080 to access server 172.16.1.1.
• The server's listening port is 80.
• Fixed ports must be used.

Figure 237: Double NAT

To allow the local users to access the server, you can use fixed port and IP pool to allow more than one user connection while using virtual IP to translate the destination port from 8080 to 80.

To create an IP pool
1 Go to Firewall > Virtual IP > IP Pool.

2 Select Create New.
3 Enter the following information and select OK.
Name: pool-1
Interface: DMZ
IP Range/Subnet: 10.1.1.1-10.1.1.254

To create a Virtual IP with port translation only
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Enter the following information and select OK.
Name: server-1
External Interface: Internal
Type: Static NAT
External IP Address/Range: 172.16.1.1
Mapped IP Address/Range: 172.16.1.1 (note this address is the same as the server address)
Port Forwarding: Enable
Protocol: TCP
External Service Port: 8080
Map to Port: 80

To create a firewall policy
Add an internal to dmz firewall policy that uses the virtual IP to translate the destination port number and the IP pool to translate the source addresses.
1 Go to Firewall > Policy.
2 Select Create New.
3 Configure the firewall policy:
Source Interface/Zone: internal
Source Address: 10.1.1.0/24
Destination Interface/Zone: dmz
Destination Address: server-1
Schedule: always
Service: HTTP
Action: ACCEPT
4 Select NAT.
5 Select OK.
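The IP pool, the port-translation-only virtual IP and the double NAT policy of this example in CLI form, as an added example that is not from the guide; it covers both the IP pool configuration steps and the double NAT procedure. Option names are assumed from the FortiOS 4.0 CLI Reference and should be verified there; the policy assumes a firewall address object named 10.1.1.0/24 exists for the users' subnet, and the IP pool and fixed port options are set because the example states that fixed ports must be used.

```fortios
# IP pool on the DMZ interface: source addresses of sessions matching the policy are
# rewritten to one of these addresses (one address per connection when fixed port is on)
config firewall ippool
    edit "pool-1"
        set interface "DMZ"
        set startip 10.1.1.1
        set endip 10.1.1.254
    next
end

# Port translation only: external IP equals the mapped IP, so only 8080 -> 80 changes
config firewall vip
    edit "server-1"
        set extintf "internal"
        set type static-nat
        set extip 172.16.1.1
        set mappedip 172.16.1.1       # same as the server address, per the example
        set portforward enable
        set protocol tcp
        set extport 8080
        set mappedport 80
    next
end

# One policy applies both translations: destination port through the VIP,
# source address through the IP pool, with the users' source ports preserved
config firewall policy
    edit 0                            # 0 lets the CLI assign the next free policy ID (assumed)
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "10.1.1.0/24"     # assumed address object for the users' subnet
        set dstaddr "server-1"
        set action accept
        set schedule "always"
        set service "HTTP"
        set nat enable
        set ippool enable
        set poolname "pool-1"
        set fixedport enable          # keep original source ports; concurrent sessions are then bounded by the pool size
    next
end
```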

Adding NAT firewall policies in transparent mode

Similar to operating in NAT/Route mode, when operating a FortiGate unit in Transparent mode you can add firewall policies and:
• Enable NAT to translate the source addresses of packets as they pass through the FortiGate unit.
• Add virtual IPs to translate the destination addresses of packets as they pass through the FortiGate unit.
• Add IP pools as required for source address translation.

For NAT firewall policies to work in NAT/Route mode you must have two interfaces on two different networks with two different subnet addresses. Then you can create firewall policies to translate source or destination addresses for packets as they are relayed by the FortiGate unit from one interface to the other.

A FortiGate unit operating in Transparent mode normally has only one IP address, the management IP. To support NAT in Transparent mode you can add a second management IP. These two management IPs must be on different subnets. When you add two management IP addresses, all FortiGate unit network interfaces will respond to connections to both of these IP addresses.

In the example shown in Figure 238, all of the PCs on the internal network (subnet address 192.168.1.0/24) are configured with 192.168.1.99 as their default route. One of the management IPs of the FortiGate unit is set to 192.168.1.99; this second management IP is the default gateway for the internal network. Similarly, on the DMZ network (subnet address 10.1.1.0/24) all of the PCs have a default route of 10.1.1.99, the other management IP.

When a PC on the internal network attempts to connect to the Internet, the PC's default route sends packets destined for the Internet to the FortiGate unit internal interface. The example describes adding an internal to wan1 firewall policy to relay these packets from the internal interface out the wan1 interface to the Internet. Because the wan1 interface does not have an IP address of its own, you must add an IP pool to the wan1 interface that translates the source addresses of the outgoing packets to an IP address on the network connected to the wan1 interface. The example describes adding an IP pool with a single IP address of 10.1.1.201. So all packets sent by a PC on the internal network that are accepted by the internal to wan1 policy leave the wan1 interface with their source address translated to 10.1.1.201. These packets can now travel across the Internet to their destination. Reply packets return to the wan1 interface because they have a destination address of 10.1.1.201. The internal to wan1 NAT policy translates the destination address of these return packets to the IP address of the originating PC and sends them out the internal interface to the originating PC. This configuration results in a typical NAT mode firewall.

Use the following steps to configure NAT in Transparent mode:
• Adding two management IPs
• Adding an IP pool to the wan1 interface
• Adding an internal to wan1 firewall policy

Figure 238: Example NAT in Transparent mode configuration
[Figure: the Internet reached through a router at 10.1.1.1; the FortiGate unit in Transparent mode with management IPs 10.1.1.99/24 and 192.168.1.99/24 and interfaces WAN1, DMZ and Internal; the DMZ network 10.1.1.0/24; the internal network 192.168.1.0/24]

To add a source address translation NAT policy in Transparent mode
1 Enter the following command to add two management IPs:
    config system settings
        set manageip 10.1.1.99/24 192.168.1.99/24
    end
2 Enter the following command to add an IP pool to the wan1 interface:
    config firewall ippool
        edit nat-out
            set interface "wan1"
            set startip 10.1.1.201
            set endip 10.1.1.201
        end
3 Enter the following command to add an internal to wan1 firewall policy with NAT enabled that also includes the IP pool:
    config firewall policy
        edit 1
            set srcintf "internal"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ANY"
            set nat enable
            set ippool enable
            set poolname nat-out
        end

Note: You can add the firewall policy from the web-based manager and then use the CLI to enable NAT and add the IP pool.

Firewall Load Balance

Use the FortiGate load balancing function to intercept incoming traffic and share it across the available servers. The FortiGate unit enables multiple servers to respond as if they were a single device or server. By doing so, the service being provided can be highly available: if one of the servers breaks down, the load can still be handled by the other servers. The topology of the cluster is transparent to end users, and the users interact with the system as if it were only a single virtual server.

This section describes:
• How load balancer works
• Configuring virtual servers
• Configuring real servers
• Configuring health check monitors
• Monitoring the servers

How load balancer works

You can configure virtual servers on the FortiGate unit (load balancer) and bind them to a cluster of real servers. The FortiGate unit schedules requests to the different servers and makes the parallel services of the cluster appear as a virtual service on a single IP address. The real servers may be interconnected by a high-speed LAN or by a geographically dispersed WAN. Up to 8 real servers can be bound to 1 virtual server.

There are additional benefits to server load balancing. Firstly, because the load is distributed across multiple servers, more simultaneous requests can be handled. Secondly, this increases scalability: if the load increases substantially, more servers can be added behind the FortiGate unit in order to cope with the increased load.

Figure 239: Virtual server and real servers setup
[Figure: users on the Internet or intranet connect to the FortiGate unit acting as the virtual server (load balancer), which forwards requests over the LAN/WAN to three real servers]

Configuring virtual servers

Configure a virtual server's external IP address and bind it to a FortiGate unit interface. When you bind the virtual server's external IP address to a FortiGate unit interface, by default the network interface responds to ARP requests for the bound IP address. Virtual servers use proxy ARP, as defined in RFC 1027, so that the FortiGate unit can respond to ARP requests on a network for a real server that is actually installed on another network. To disable ARP replies, see the FortiGate CLI Reference.

To view the virtual server list, go to Firewall > Load Balance > Virtual Server.

Figure 240: Virtual server list

Create New            Select to add virtual servers. For more information, see "To create a virtual server" on page 391.
Name                  Name of the virtual server. This name is not the hostname for the FortiGate unit.
Type                  The communication protocol used by the virtual server.
Comments              Comments on the virtual server.
Virtual Server IP     The IP address of the virtual server.
Virtual Server Port   The port number on which the virtual server accepts connections.
Load Balance Method   Load balancing methods include:
                      • Static: The traffic load is spread evenly across all servers; no additional server is required.
                      • Round Robin: Directs requests to the next server, and treats all servers as equals regardless of response time or number of connections. Dead servers or non-responsive servers are avoided. A separate server is required.
                      • Weighted: Servers with a higher weight value will receive a larger percentage of connections. Set the server weight when adding a server.
                      • First Alive: Always directs requests to the first alive real server.
                      • Least RTT: Directs requests to the server with the least round trip time. The round trip time is determined by a Ping monitor and defaults to 0 if no Ping monitors are defined.
                      • Least Session: Directs requests to the server that has the least number of current connections. This method works best in environments where the servers or other equipment you are load balancing have similar capabilities.
Persistence           Persistence is the process of ensuring that a user is connected to the same server every time they make a request within the boundaries of a single session. Depending on the type of protocol selected for the virtual server, the following persistence options are available:
                      • None: No persistence option is selected.
                      • HTTP Cookie: Persistence time is equal to the cookie age. Cookie ages are set in the CLI under config firewall vip.
                      • SSL Session ID: Persistence time is equal to the lifetime of the SSL session. SSL session states are set in the CLI under config firewall vip.
Health Check          The health check monitor selected for this virtual server. For more information, see "Health Check" on page 392.

Delete icon   Remove the virtual server from the list. The Delete icon only appears if the virtual server is not bound to a real server.
Edit icon     Edit the virtual server to change any virtual server option, including the virtual server name.

To create a virtual server
1 Go to Firewall > Load Balance > Virtual Server > Create New.

Figure 241: Creating a virtual server

2 Complete the following:
Name                  Enter the name for the virtual server. This name is not the hostname for the FortiGate unit.
Type                  Select the communication protocol used by the virtual server.
Interface             Select the virtual server external interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network.
Virtual Server IP     Enter the IP address of the virtual server.
Virtual Server Port   Enter the port number on which the virtual server accepts connections.
Load Balance Method   Select a load balancing method. For more information, see "Load Balance Method" on page 390.
Persistence           Select a persistence option for the virtual server. For more information, see "Persistence" on page 390.
HTTP Multiplexing     Select to use the FortiGate unit's HTTP proxy to multiplex multiple client connections destined for the web server into a few connections between the FortiGate unit and the web server. This can improve performance by reducing server overhead associated with establishing multiple connections. The server must be HTTP/1.1 compliant. This option appears only if HTTP or HTTPS is selected for Type.
                      Note: Additional HTTP Multiplexing options are available in the CLI. For more information, see the FortiGate CLI Reference.
Preserve Client IP    Select to preserve the IP address of the client in the X-Forwarded-For HTTP header. This can be useful if you require logging on the server of the client's original IP address. If this option is not selected, the header will contain the IP address of the FortiGate unit. Because any client can send an X-Forwarded-For header of its own, the server should trust this header only on connections that arrive from the FortiGate unit. This option appears only if HTTP or HTTPS is selected for Type, and is available only if HTTP Multiplexing is selected.

SSL Offloading   Select to accelerate clients' SSL connections to the server by using the FortiGate unit to perform SSL operations, then select which segments of the connection will receive SSL offloading. SSL Offloading appears only if HTTPS or SSL is selected for Type, and only on FortiGate models with hardware that supports SSL acceleration. SSL 3.0, TLS 1.0 and TLS 1.1 are supported. If the server is already configured to use SSL, this also enables SSL acceleration without requiring changes to the server's configuration.
                 • Client <-> FortiGate: Select to apply hardware accelerated SSL only to the part of the connection between the client and the FortiGate unit. The segment between the FortiGate unit and the server will use clear text communications, so use this option only where that network segment is trusted. This results in the best performance, but cannot be used in failover configurations where the failover path does not have an SSL accelerator.
                 • Client <-> FortiGate <-> Server: Select to apply hardware accelerated SSL to both parts of the connection: the segment between the client and the FortiGate unit, and the segment between the FortiGate unit and the server. The segment between the FortiGate unit and the server will use encrypted communications, but the handshakes will be abbreviated. This results in performance which is less than the other option, but still improved over communications without SSL acceleration, and can be used in failover configurations where the failover path does not have an SSL accelerator.
                 Note: Additional SSL Offloading options are available in the CLI. For more information, see the FortiGate CLI Reference.
Certificate      Select the certificate to use with SSL Offloading. The certificate key size must be 1024 or 2048 bits; 4096-bit keys are not supported. This option appears only if HTTPS or SSL is selected for Type, and is available only if SSL Offloading is selected.
Health Check     Select which health check monitor configuration will be used to determine a server's connectivity status. For information on configuring health check monitors, see "Configuring health check monitors" on page 393.
Comments         Any comments or notes about this virtual server.
3 Select OK.

Configuring real servers

Configure a real server to bind it to a virtual server. To view the real server list, go to Firewall > Load Balance > Real Server. Select the blue arrow beside a virtual server name to view the IP addresses of the real servers that are bound to it.

Figure 242: Real server list

Create New   Select to add real servers. For more information, see "To create a real server" on page 393.
IP Address   The IP address of the real server.
Port         The port number on the destination network to which the external port number is mapped.

Weight           The weight value of the real server. The higher the weight value, the higher the percentage of connections the server will handle. A range of 1-255 can be used.
Max Connection   The limit on the number of active connections directed to a real server. A range of 1-99999 can be used. If the maximum number of connections is reached for the real server, the FortiGate unit will automatically switch all further connection requests to another server until the connection number drops below the specified limit.
Delete icon      Remove the real server from the list.
Edit icon        Edit the real server to change any real server option.

To create a real server
1 Go to Firewall > Load Balance > Real Server > Create New.

Figure 243: Creating a real server

2 Complete the following:
Virtual Server   Select the virtual server to which you want to bind this real server.
IP               Enter the IP address of the real server.
Port             Enter the port number on the destination network to which the external port number is mapped.
Weight           Enter the weight value of the real server. The higher the weight value, the higher the percentage of connections the server will handle. A range of 1-255 can be used. This option is available only if the associated virtual server's load balance method is Weighted.
Max Connection   Enter the limit on the number of active connections directed to a real server. A range of 1-99999 can be used. If the maximum number of connections is reached for the real server, the FortiGate unit will automatically switch all further connection requests to another server until the connection number drops below the specified limit.
3 Select OK.

Configuring health check monitors

You can specify which health check monitor configuration to use when polling to determine a real server's connectivity status. Health check monitor configurations can specify TCP, HTTP or ICMP PING. A health check occurs every number of seconds indicated by the interval. If a reply is not received within the timeout period, and you have configured the health check to retry, it will attempt a health check again; otherwise, the real server is deemed unresponsive, and load balancing will compensate by disabling traffic to that server until it becomes responsive again.

Figure 244: Health check monitor

Create New   Select to add a health check monitor configuration. For more information, see "To create a health check monitor configuration" on page 394.
Name         The name of the health check monitor configuration. The names are grouped by the health check monitor types.
Details      The details of the health check monitor configuration, which vary by the type of the health check monitor. The details do not include the interval, timeout, or retry, which are settings common to all types. This field is empty if the type of the health check monitor is PING.
Delete       Select to remove the health check monitor configuration. This option appears only if the health check monitor configuration is not currently being used by a virtual server configuration.
Edit         Select to change the health check monitor configuration.

To create a health check monitor configuration
1 Go to Firewall > Virtual IP > Health Check Monitor > Create New.

Figure 245: Creating a health check monitor

2 Complete the following:
Name              Enter the name of the health check monitor configuration.
Type              Select the protocol used to perform the health check:
                  • TCP
                  • HTTP
                  • PING
Port              Enter the port number used to perform the health check. This option does not appear if the Type is PING.
URL               Enter the URL that will receive the HTTP request. This option appears only if Type is HTTP.
Matched Content   Enter the HTTP reply content that must be present to indicate proper server connectivity. This option appears only if Type is HTTP.
Interval          Enter the number of seconds between each server health check.

Timeout   Enter the number of seconds which must pass after the server health check is sent without a reply to indicate a failed health check.
Retry     Enter the number of times, if any, a failed health check will be retried before the server is determined to be inaccessible.
3 Select OK.

Monitoring the servers

You can monitor the status of each virtual server and real server and start or stop the real servers. When stopping a server, the FortiGate unit will not accept new sessions for it but will wait for the active sessions to finish.

Figure 246: Server monitor

Virtual Server        The IP addresses of the existing virtual servers.
Real Server           The IP addresses of the existing real servers.
Health Status         Display the health status according to the health check results for each real server. A green arrow means the server is up. A red arrow means the server is down.
Monitor Events        Display each real server's up and down times.
Active Sessions       Display each real server's active sessions.
RTT (ms)              Display the Round Trip Time of each real server. By default, the RTT is "<1". This value will change only when ping monitoring is enabled on a real server.
Bytes Processed       Display the traffic processed by each real server.
Graceful Stop/Start   Select to start or stop real servers.
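The following is an added example, not taken from this guide, that shows the virtual server, real server and health check monitor procedures above entered from the CLI as one configuration: a weighted HTTP virtual server with cookie persistence, HTTP multiplexing and X-Forwarded-For, three real servers, and an HTTP health check monitor. All names, addresses and values (the virtual server web-vs on wan1, the real servers in the DMZ, the monitor http-probe, the policy ID 20) are hypothetical. The keywords are those of config firewall ldb-monitor, config firewall vip and config firewall policy in the FortiOS 4.0 CLI, and lines beginning with # are annotations.

```fortios
# Added example (not from the guide): load balancing configuration from the CLI.

# Health check monitor: GET /health on port 80 every 10 s; the reply must contain
# "OK". A probe with no reply within 2 s is retried 3 times before the real server
# is marked down and removed from rotation until a later probe succeeds.
config firewall ldb-monitor
    edit "http-probe"
        set type http
        set port 80
        set url "/health"
        set matched-content "OK"
        set interval 10
        set timeout 2
        set retry 3
    next
end

# Virtual server (type server-load-balance). server-type http enables the HTTP
# options: multiplexing, X-Forwarded-For (http-ip-header) and cookie persistence.
config firewall vip
    edit "web-vs"
        set type server-load-balance
        set extintf "wan1"
        set extip 203.0.113.10
        set extport 80
        set server-type http
        set ldb-method weighted
        set persistence http-cookie
        set http-cookie-age 60
        set http-multiplex enable
        set http-ip-header enable
        set monitor "http-probe"
        # Real servers bound to this virtual server. Weights 3:1:1 send roughly
        # 60% of new connections to server 1 while all three are up; a server at
        # its max-connections limit stops receiving new connections.
        config realservers
            edit 1
                set ip 10.1.1.11
                set port 80
                set weight 3
                set max-connections 500
            next
            edit 2
                set ip 10.1.1.12
                set port 80
                set weight 1
                set max-connections 500
            next
            edit 3
                set ip 10.1.1.13
                set port 80
                set weight 1
                set max-connections 500
            next
        end
    next
end

# The virtual server only receives traffic that a firewall policy sends to it.
config firewall policy
    edit 20
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "web-vs"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
end
```

The cookie age is in minutes. The result of the health checks (which real servers are currently up, and their session counts) can be checked from the CLI with diagnose firewall vip realserver list, which corresponds to the Server monitor page above.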


Firewall Protection Profile

Protection profiles contain settings for many application layer and other types of protection, such as antivirus, web filtering, and logging, that you can apply to a firewall policy. Because protection profiles can be used by more than one firewall policy, you can configure one protection profile for the traffic types handled by a set of firewall policies requiring identical protection levels and types, rather than repeatedly configuring those same protection profile settings for each individual firewall policy.

For example, traffic between trusted internal addresses might need moderate protection, while traffic between trusted and untrusted networks might need strict protection. To provide the different levels of protection, you might configure two separate protection profiles: one for traffic between trusted networks, and one for traffic between trusted and untrusted networks.

Note: If the firewall policy requires authentication, do not select the protection profile in the firewall policy. The protection profile is specific to the authenticating user group. For details on configuring the protection profile associated with the user group, see "Configuring a user group" on page 586.

For information on applying a protection profile to a firewall policy, see "Configuring firewall policies" on page 323.

If you enable virtual domains (VDOMs) on the FortiGate unit, firewall protection profiles are configured separately for each virtual domain. For more information, see "Using virtual domains" on page 103.

You can use protection profiles to configure:
• antivirus protection
• web filtering
• FortiGuard Web Filtering
• spam filtering
• IPS
• data leak prevention sensor
• dashboard statistics
• application control
• logging for traffic which violates the protection profile.

This section contains the following topics:
• What is a protection profile?
• Adding a protection profile to a firewall policy
• Default protection profiles
• Viewing the protection profile list
• SSL content scanning and inspection
• Configuring a protection profile

What is a protection profile?

A protection profile is a group of settings that you can apply to one or more firewall policies. Protection profiles can contain settings relevant to many different services. Each firewall policy uses the subset of the protection profile settings which apply to its specified Service. In this way, you might define one protection profile that can be used by many firewall policies, each policy using a different or overlapping subset of the protection profile.

Adding a protection profile to a firewall policy

Protection profiles are used when specified in one or more firewall policies whose Action is set to ACCEPT, IPSEC, or SSL VPN. For example, if you create a protection profile containing SMTP antivirus settings that you want to apply to all incoming SMTP connections, you might select that protection profile in all external-to-internal firewall policies whose service group contains the SMTP service. The firewall policy will use the settings from the protection profile that apply to its Services.

If virtual domains are enabled on the FortiGate unit, protection profiles are applied separately in firewall policies for each virtual domain (VDOM). To access firewall policies, first select a virtual domain from the main menu.

To add a protection profile to a firewall policy
1 Go to Firewall > Policy.
2 Select Create New to add a policy, or select Edit for the policy to which you want to apply the protection profile.
3 Enable Protection Profile in the firewall policy.
4 Select the protection profile that you want to apply to the firewall policy.
5 If you are creating a new firewall policy, configure the other required policy options. For more information, see "Configuring firewall policies" on page 323.
6 Select OK.

Default protection profiles

FortiGate units have four default protection profiles. You can use these default protection profiles as bases for creating your own.

Strict       Apply maximum protection to HTTP, FTP, IMAP, POP3, and SMTP traffic. The strict protection profile may not be useful under normal circumstances, but it is available when maximum protection is required. Quarantine is also selected for all content services. On FortiGate models with a hard drive, if antivirus scanning finds a virus in a file, the file is quarantined on the FortiGate hard disk. If a FortiAnalyzer unit is configured, files are quarantined remotely. Quarantine permits system administrators to inspect, recover, or submit quarantined files to Fortinet for analysis.
Scan         Apply virus scanning to HTTP, FTP, IMAP, POP3, and SMTP traffic.
Web          Apply virus scanning and web content blocking to HTTP traffic. Add this protection profile to firewall policies that control HTTP traffic.
Unfiltered   Apply no scanning, blocking or IPS. Use the unfiltered protection profile if no content protection for content traffic is required. Add this protection profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.
             Note: Content archiving is disabled by default with the unfiltered protection profile.
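The following added example (not from this guide) shows the two-profile arrangement described above entered from the CLI: a policy between two trusted networks uses the default scan profile, and a policy from the untrusted wan1 network to a DMZ mail server uses the default strict profile. Interface names, address object names and policy IDs are hypothetical; profile-status and profile are the FortiOS 4.0 policy keywords that correspond to Enable Protection Profile and the profile selection in the web-based manager, and lines beginning with # are annotations.

```fortios
# Added example (not from the guide): applying different protection profiles to
# policies that carry traffic of different trust levels.

# Trusted internal network to the DMZ: moderate protection (virus scanning only).
config firewall policy
    edit 30
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set profile-status enable
        set profile "scan"
    next
end

# Untrusted wan1 network to the DMZ mail server: strict protection on SMTP only.
# The policy uses the subset of the strict profile that applies to SMTP.
config firewall policy
    edit 31
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "mail-server"
        set action accept
        set schedule "always"
        set service "SMTP"
        set profile-status enable
        set profile "strict"
        set logtraffic enable
    next
end
```

Because the strict profile enables quarantine, policy 31 needs a FortiGate model with a hard disk or a configured FortiAnalyzer unit for quarantined files to be kept.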

Viewing the protection profile list

Both default and customized protection profiles appear in the protection profile list. To view the protection profile list, go to Firewall > Protection Profile.

Figure 247: Default protection profiles

Create New    Add a protection profile.
Name          The name of the protection profile.
Delete icon   Delete a protection profile from the list. The Delete icon appears only if the protection profile is not currently selected in a firewall policy or user group.
Edit icon     Modify a protection profile.

SSL content scanning and inspection

Using SSL content scanning and inspection you can apply antivirus scanning, web filtering, FortiGuard web filtering, spam filtering, data leak prevention (DLP), and content archiving to HTTPS, IMAPS, POP3S, and SMTPS traffic. To perform SSL content scanning and inspection, the FortiGate unit does the following:
• intercepts and decrypts HTTPS, IMAPS, POP3S, and SMTPS sessions between clients and servers (FortiGate SSL acceleration speeds up decryption)
• applies content inspection to the decrypted content, including:
  • HTTPS, IMAPS, POP3S, and SMTPS antivirus, DLP, and content archiving
  • HTTPS web filtering and FortiGuard web filtering
  • IMAPS, POP3S, and SMTPS spam filtering
• re-encrypts the sessions and forwards them to their destinations.

Figure 248: FortiGate SSL content scanning and inspection packet flow
[Figure: (1) the client starts an HTTPS, IMAPS, POP3S or SMTPS session; (2) the session is accepted by a firewall policy whose protection profile includes SSL content scanning and inspection; (3) the SSL decrypt/encrypt process decrypts the session using the session certificate and key; (4) protection profile content scanning and inspection (antivirus, web filtering, spam filtering, DLP, content archiving) is applied to the decrypted packets; (5) the session is re-encrypted using the SSL session certificate and key; (6) the encrypted packets are forwarded to the HTTPS, IMAPS, POP3S or SMTPS server]

Two encrypted SSL sessions are set up, one between the client and the FortiGate unit, and a second one between the FortiGate unit and the server. Inside the FortiGate unit the packets are decrypted.

Supported FortiGate models

FortiGate models that support SSL acceleration also support SSL content scanning and inspection. The following FortiGate models support SSL content scanning and inspection:
• 110C
• 111C
• 310B
• 602B
• 3016B
• 3600A
• 3810A
• 5005FA2
• 5001A

Setting up certificates to avoid client warnings

FortiGate SSL content scanning and inspection intercepts the SSL keys that are passed between clients and servers during SSL session handshakes and substitutes spoofed keys.

While the SSL sessions are being set up, the client and server exchange the handshake messages, including the server certificate, in clear text. The FortiGate SSL decrypt/encrypt process intercepts this handshake and uses a built-in signing CA certificate named Fortinet_CA_SSLProxy to create a certificate and key pair in the server's name, so that the certificate presented to the client appears to come from the server and not from the FortiGate unit. The SSL decrypt/encrypt process then sets up encrypted SSL sessions with the client and with the server and uses these keys to decrypt the SSL traffic to apply content scanning and inspection.

Some client programs (for example, web browsers) can detect this key replacement and will display a security warning message. The traffic is still encrypted and secure, but the security warning indicates that a key substitution has occurred. You can stop these security warnings by importing the signing CA certificate used by the server into the FortiGate unit SSL content scanning and inspection configuration. This requires the CA's private key, so it is practical only for an internal CA whose certificate the clients already trust; the alternative is to distribute the FortiGate signing CA certificate to the clients' trusted certificate stores. The CA certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported for SSL content scanning and inspection.

Note: You can add one signing CA certificate for SSL content scanning and inspection. All SSL content scanning and inspection uses the same signing CA certificate. If your FortiGate unit is operating with virtual domains enabled, the same signing CA certificate is used by all virtual domains.

You can replace the default signing CA certificate, Fortinet_CA_SSLProxy, with another signing CA certificate. To do this you need the signing CA certificate file, the CA certificate key file, and the password for the CA certificate. This signing CA certificate is used only by the SSL decrypt/encrypt process.

To add a signing CA certificate for SSL content scanning and inspection
1 Obtain a copy of the signing CA certificate file, the CA certificate key file, and the CA certificate password.
2 Go to System > Certificates > Local Certificates and select Import.
3 Set Type to Certificate.
4 For Certificate file use the Browse button to select the signing CA certificate file.
5 For Key file use the Browse button to select the CA certificate key file.
6 Enter the CA certificate Password.

Figure 249: Importing a signing CA certificate for SSL content scanning and inspection

7 Select OK. The CA certificate is added to the Local Certificates list. In this example the signing CA certificate name is Example_CA. This name comes from the certificate file and key file name. If you want the certificate to have a different name, change these file names.
8 Add the imported signing CA certificate to the SSL content scanning and inspection configuration. Use the following CLI command if the certificate name is Example_CA.

    config firewall ssl setting
        set caname Example_CA
    end

The Example_CA signing CA certificate will now be used by SSL content scanning and inspection for establishing encrypted SSL sessions.

Configuring SSL content scanning and inspection

If SSL content scanning and inspection is available on your FortiGate unit, you can configure the following SSL content scanning and inspection settings:

Predefined firewall services   The IMAPS, POP3S and SMTPS predefined services. You can select these services in a firewall policy and a DoS policy. For more information, see Table 43, "Predefined services," on page 352.
Protocol Recognition           The TCP port numbers that the FortiGate unit inspects for HTTPS, IMAPS, POP3S, and SMTPS. Using protocol recognition you can also configure the FortiGate unit to just perform URL filtering of HTTPS, or to use SSL content scanning and inspection to decrypt HTTPS so that the FortiGate unit can also apply antivirus and DLP content inspection and content archiving to HTTPS. Go to Firewall > Protection Profile. Add or edit a protection profile and configure Protocol Recognition for HTTPS, IMAPS, POP3S, and SMTPS. For more information, see "Protocol recognition options" on page 405.
Antivirus                      Antivirus options including virus scanning, file filtering, and client comforting for HTTPS, IMAPS, POP3S, and SMTPS. Go to Firewall > Protection Profile. Add or edit a protection profile and configure Anti-Virus for HTTPS, IMAPS, POP3S, and SMTPS. For more information, see "Anti-Virus options" on page 407.
Antivirus quarantine           Antivirus quarantine options to quarantine files in HTTPS, IMAPS, POP3S, and SMTPS sessions. You can quarantine infected files, suspicious files, and blocked files found in IMAPS, POP3S, and SMTPS sessions. You can also quarantine infected files and suspicious files found in HTTPS sessions. Go to UTM > AntiVirus > Config. For more information, see "Configuring quarantine options" on page 449.
Web Filtering                  Web filtering options for HTTPS:
                               • Web Content Block
                               • Web Content Exempt
                               • Web URL Filter
                               • ActiveX Filter
                               • Cookie Filter
                               • Java Applet Filter
                               • Web Resume Download Block
                               • Block invalid URLs
                               • HTTP POST Action
                               Using SSL content scanning and inspection to decrypt HTTPS also allows you to apply more web filtering and FortiGuard Web Filtering options to HTTPS. Go to Firewall > Protection Profile. Add or edit a protection profile and configure Web Filtering for HTTPS. For more information, see "Web Filtering options" on page 411.

POP3S. To view content summary information go to Log&Report > Content Archive. see “Spam Filtering options” on page 416. E-mail checksum check. POP3S. Select E-mail to view IMAPS. and SMTPS. and SMTPS content summary information. see “Content Archive” on page 667. and SMTPS. and SMTPS: • FortiGuard AntiSpam IP address check. Note: In a protection profile. Set this option to Deep Scan. follow the steps below: • Go to UTM > Data Leak Prevention > Rule to add DLP rules. • Go to Firewall > Protection Profile. Add or edit a protection profile and configure Web Filtering > FortiGuard Web Filtering for HTTPS. DLP rules with Archive selected in a DLP sensor perform full content archiving for the content that they match. and SMTPS. and Spam submission • IP address BWL check • HELO DNS lookup • E-mail address BWL check • Return e-mail DNS check • Banned word check • Spam Action • Tag Location • Tag Format Go to Firewall > Protection Profile. IMAPS. For more information. POP3S. See “Adding or configuring DLP rules” on page 516. see “Content Archive” on page 667. For more information. add an HTTP rule and select HTTPS POST and HTTPS GET. DLP for HTTPS. All DLP rules perform content summary content archiving for the content that they match. For summary content archiving. IMAPS. POP3S. URL check. Spam Filtering Data Leak Prevention Content summary content archiving Full content archiving Full content archiving for HTTPS.Firewall Protection Profile SSL content scanning and inspection FortiGuard Web Filtering FortiGuard Web Filtering options for HTTPS: • Enable FortiGuard Web Filtering • Enable FortiGuard Web Filtering Overrides • Provide details for blocked HTTP 4xx and 5xx errors • Rate images by URL (blocked images will be replaced with blanks) • Allow websites when a rating error occurs • Strict Blocking • Rate URLs by domain and IP address Go to Firewall > Profile. To view archived content go to Log&Report > Content Archive. POP3S. Select E-mail to view IMAPS. POP3S. 
Spam filtering options for IMAPS. See “Adding or editing a rule in a DLP sensor” on page 513. Add DLP rules for the protocol to a DLP sensor and select Archive for full content archiving. FortiGate Version 4. IMAPS. POP3S. if you set Protocol Recognition > HTTPS Content Filtering Mode to URL Filtering. you must also configure the FortiGate unit to send log messages to a FortiAnalyzer unit. and SMTPS. and SMTPS.com/ • Feedback 403 .fortinet. For full content archiving. DLP rules cannot inspect HTTPS. Add DLP rules to the protocol. Content summary content archiving for HTTPS. Add or edit a protection profile and use Data Leak Prevention Sensor to add the DLP sensor to a protection profile. POP3S. To apply DLP.0 Administration Guide 01-400-89802-20090424 http://docs. For more information. Add or edit a protection profile and configure Spam Filtering for IMAPS. see “FortiGuard Web Filtering options” on page 413. POP3S. and SMTPS content. • Go to UTM > Data Leak Prevention > Sensor and add the DLP rules to a DLP sensor. you must configure the FortiGate unit to send log messages to a FortiAnalyzer unit or to the FortiGuard Analysis and Management Service (FAMS). • Go to Firewall > Policy and add the protection profile to a firewall policy. For IMAPS. add an Email rule and select IMAPS. See “Data Leak Prevention Sensor options” on page 419. Select Web to view HTTPS content. and SMTPS. For HTTPS. For more information. Select Web to view HTTPS content summary information.

To add a protection profile. These options display meta-information on the Statistics dashboard widget. and SMTPS. POP3S. select IMAPS. POP3S. For more information. go to Firewall > Protection Profile and select Create New.fortinet. IMAPS. IMAPS. POP3S.com/ • Feedback . Content archiving SPAM email Content archiving of email tagged as spam by FortiGate Spam Filtering in IMAPS. see “Data Leak Prevention Sensor options” on page 419 and “Content Archive” on page 667. Add or edit a protection profile and select the Expand Arrow to view Data Leak Prevention Sensor. For Archive SPAMed emails to FortiAnalyzer/FortiGuard. see “Statistics” on page 71. you can create custom protection profiles.0 Administration Guide 01-400-89802-20090424 http://docs. and SMTPS as required. For more information. meta-information on the system dashboard Go to Firewall > Protection Profile. Content archiving SPAM email is available only if you have configured logging to a FortiAnalyzer unit or to the FortiGuard Analysis and Management Service. Configuring a protection profile If the default protection profiles do not provide the settings required.Configuring a protection profile Firewall Protection Profile Displaying content Meta-information on the system dashboard for HTTPS. Go to Firewall > Protection Profile. and SMTPS sessions. POP3S. Figure 250: New Protection Profile Expand Arrow 404 FortiGate Version 4. For Displaying content metainformation on the system dashboard select HTTPS. Add or edit a protection profile and open Data Leak Prevention Sensor. and SMTPS as required.

Expand Arrow: Select the expand arrow beside a section of the protection profile to show or hide that section’s options.
Profile Name: Enter a name for the protection profile. The maximum length is 63 characters.
Comments: Enter a description of the profile.
Protocol Recognition: See “Protocol recognition options” on page 405.
Anti-Virus: See “Anti-Virus options” on page 407.
IPS: See “IPS options” on page 411.
Web Filtering: See “Web Filtering options” on page 411.
FortiGuard Web Filtering: See “FortiGuard Web Filtering options” on page 413.
Spam Filtering: See “Spam Filtering options” on page 416.
Data Leak Prevention Sensor: See “Data Leak Prevention Sensor options” on page 419.
Application Control: See “Application Control options” on page 420.
Logging: See “Logging options” on page 421.

Protocol recognition options
You configure protocol recognition options to set the HTTPS content filtering mode and to select the TCP port numbers that the protection profile monitors for the HTTP, HTTPS, SMTP, POP3, IMAP, NNTP, and FTP content protocols. If your FortiGate unit supports SSL content scanning and inspection you can also select the TCP port numbers for SMTPS, POP3S, and IMAPS, and configure the HTTPS content filtering mode. For more information, see “SSL content scanning and inspection” on page 399.

By default the protection profile monitors the default content protocol port numbers (for example, port 80 for HTTP). You can edit the settings for each content protocol and select inspection for all port numbers for that protocol, or select one or more port numbers to monitor for that protocol.

To configure protocol recognition options, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Protocol Recognition, enter the information as described below, and select OK.

Figure 251: Protection profile Protocol Recognition options (SSL content scanning and inspection)

Figure 252: Protection profile Protocol Recognition options

Note: If your FortiGate unit supports SSL content scanning and inspection, you must set HTTPS Content Filtering Mode to Deep Scan before you can configure additional HTTPS content scanning protection profile options.

HTTPS Content Filtering Mode: If your FortiGate unit supports SSL content scanning and inspection, you can select the content filtering mode used for HTTPS traffic. The mode can be:
  URL Filtering: This option limits HTTPS content filtering to URL filtering only. If you select this option the FortiGate unit does not perform SSL content scanning and inspection of HTTPS traffic; instead it just applies web filtering to HTTPS URLs using what is visible without decrypting the session. Under Web Filtering you can select only Web URL Filter and Block invalid URLs for HTTPS. Selecting URL Filtering also limits the FortiGuard Web Filtering options that you can select for HTTPS, and you cannot select any Anti-Virus options for HTTPS.
  Deep Scan (Decryption on SSL Traffic): Select this option to apply full SSL content scanning and inspection of HTTPS traffic. For more information, see “SSL content scanning and inspection” on page 399.
Protocol: The names of the content protocols that you can configure recognition for: HTTP, HTTPS, SMTP, POP3, IMAP, NNTP, and FTP. If your FortiGate unit supports SSL content scanning and inspection the content protocols also include SMTPS, POP3S, and IMAPS.
Monitored Ports: The port numbers that the protection profile monitors for each content protocol. For HTTP, SMTP, POP3, IMAP, NNTP, and FTP you can also select Inspect All Ports to monitor all ports for these content protocols.
Edit icon: Select Edit for a content protocol to configure how the protection profile monitors traffic for that content protocol. Select one of the following options:
  Inspect All Ports: Select to monitor all ports for the content protocol. Monitoring all ports means the protection profile uses protocol recognition techniques to determine the protocol of a communication session independent of the port number that the session uses. This option is available for HTTP, SMTP, POP3, IMAP, NNTP, and FTP.
  Specify Ports: Select this option and then enter the port numbers to monitor for the content protocol. You can select multiple port numbers to monitor for each content protocol, up to 20 ports for each content protocol.

Anti-Virus options
You can apply antivirus options through a protection profile for the HTTP, FTP, IMAP, POP3, SMTP, and NNTP content protocols. If your FortiGate unit includes SSL content scanning and inspection, you can also apply antivirus scanning options through a protection profile for the HTTPS, IMAPS, POP3S, and SMTPS content protocols. For more information, see “Protocol recognition options” on page 405.

Note: You cannot select Anti-Virus options for HTTPS if, under Protocol Recognition, HTTPS Content Filtering Mode is set to URL Filtering.

For more antivirus configuration options, see “AntiVirus” on page 439.

To configure antivirus options, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Anti-Virus, enter the information as described below, and select OK.

Figure 253: Protection Profile Anti-Virus options

Figure 254: Protection Profile Anti-Virus options (SSL content scanning and inspection)

Virus Scan: Select virus scanning for each protocol. Virus Scan includes grayware, as well as heuristic scanning; by default neither is enabled. To enable specific grayware, go to UTM > AntiVirus > Grayware. To enable heuristic scanning, see the config antivirus heuristic command in the FortiGate CLI Reference.
Note: When you enable virus scanning, scanning by splice, also called streaming mode, is enabled automatically. When scanning by splice, the FortiGate unit simultaneously scans and streams traffic to the destination, terminating the stream to the destination if a virus is detected. Because streaming starts before the scan finishes, part of an infected file can reach the destination before the stream is cut. For details on configuring splicing, see the splice option for each protocol in the config firewall profile command in the FortiGate CLI Reference. For details on splicing behavior for each protocol, see the Knowledge Center article FortiGate Proxy Splice and Client Comforting Technical Note.
Extended AV Database: Select to scan for viruses that have not been recently observed in the wild. In addition to the FortiGuard Antivirus wild list database, which contains viruses currently being detected in the wild, some FortiGate models are also equipped with an extended antivirus database that contains viruses not recently observed in the wild. This option appears only on some FortiGate models.
File Filter: Select to filter files, then under Option, specify a file filter, which can consist of file name patterns and file types. For more information, see “File Filter” on page 443.

Quarantine: Select for each protocol to quarantine suspect files for later inspection or submission to Fortinet for analysis. This option appears only if the FortiGate unit has a hard drive or a configured FortiAnalyzer unit, and takes effect only if you have first enabled and configured the quarantine. For more information, see “File Quarantine” on page 446.
Quarantine Virus Sender (to Banned Users List): Select Enabled to quarantine or ban either the IP address of the sender of the virus or the FortiGate interface that received the virus. If a virus is found, the sender’s IP address or the interface that received the virus is added to the banned users list. Only a FortiGate administrator can remove them from the banned users list. For more information about the banned user list, including how to manage the duration of items and how to remove them manually, see “NAC quarantine and the Banned User list” on page 595.
  Method: Select the method used to quarantine the virus sender. Select Source IP Address to add the sender’s source IP address to the banned users list, or select Virus’s Incoming Interface to add the interface that received the virus to the banned user list. Banning an interface blocks every host behind it, not only the sender, so use it with care.
  Expires: Configure how long the virus sender remains on the banned user list in minutes, hours, or days. Select Indefinite to permanently quarantine virus senders. A FortiGate administrator can manually remove a virus sender from the banned user list before the expiry time.
Pass Fragmented Emails: Select to allow fragmented email for mail protocols (IMAP, POP3, and SMTP, as well as IMAPS, POP3S, and SMTPS if SSL content scanning and inspection is supported). Fragmented email messages cannot be scanned for viruses, so passing them lets unscanned content through.
Comfort Clients: Select client comforting for the HTTP, FTP, and HTTPS protocols. See “HTTP and FTP client comforting” on page 410.
  Interval: The time in seconds before client comforting starts sending data after the download has begun, and also the time interval between sending subsequent data.
  Amount: The number of bytes sent at each interval.
Oversized File/Email Threshold: Select Block or Pass for files and email messages exceeding the configured threshold for each protocol. If the file is larger than the threshold value in megabytes, the file is passed (without scanning) or blocked. The maximum threshold for scanning in memory is 10% of the FortiGate unit’s RAM. For email scanning, the oversize threshold refers to the final size of the email, including attachments, after encoding by the email client. Email clients can use a variety of encoding types; some result in larger file sizes than the original attachment. The most common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. As a result, a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the configured oversize threshold.
Allow Invalid Server Certificate: If your FortiGate unit supports SSL content scanning and inspection, you can allow HTTPS, IMAPS, POP3S, and SMTPS sessions that include an invalid server certificate. If these options are not selected, HTTPS, IMAPS, POP3S, and SMTPS sessions with invalid server certificates are blocked. Leave the options unselected to have the FortiGate unit validate server certificates on behalf of clients; allowing invalid certificates also admits sessions to servers whose certificates are self-signed, expired, or issued for another name, so enable it only where that risk is accepted.
Add signature to outgoing email: Create and enable a signature to append to outgoing SMTP email messages. The signature is also appended to outgoing SMTPS email messages if your FortiGate unit supports SSL content scanning and inspection.
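The base64 arithmetic behind the Oversized File/Email Threshold note above, as an added example that is not part of this guide or of FortiOS. It assumes a MIME encoder that wraps base64 output at 76 characters with CRLF line endings and a threshold measured in binary megabytes (1 MB = 1048576 bytes); the attachment sizes are constructed. The result field shows why an attachment that is comfortably under the threshold on disk is still treated as oversized once encoded.

```python
import base64

MIME_LINE_LEN = 76   # RFC 2045 wraps base64 bodies at 76 characters, each line ending in CRLF


def base64_encoded_size(raw_len: int, line_wrap: bool = True) -> int:
    """Bytes occupied by raw_len bytes of attachment data once base64-encoded.

    Every 3 raw bytes become 4 characters (the last group is padded), and a
    MIME encoder adds a 2-byte CRLF after every 76 characters.
    """
    encoded = 4 * ((raw_len + 2) // 3)
    if line_wrap and encoded:
        lines = (encoded + MIME_LINE_LEN - 1) // MIME_LINE_LEN
        encoded += 2 * lines
    return encoded


def oversize_verdict(attachment_len: int, threshold_mb: int, action: str = "block") -> dict:
    """Apply the Oversized File/Email Threshold to one base64 attachment.

    Assumptions (not from the guide): the threshold is compared in binary
    megabytes and the rest of the message is small enough to ignore.
    action is the protection profile setting for oversized items, "block"
    or "pass"; a message under the threshold is scanned normally ("scan").
    """
    if action not in ("block", "pass"):
        raise ValueError("action must be 'block' or 'pass'")
    encoded_len = base64_encoded_size(attachment_len)
    threshold_bytes = threshold_mb * 1024 * 1024
    oversized = encoded_len > threshold_bytes
    return {
        "raw_bytes": attachment_len,
        "encoded_bytes": encoded_len,
        "threshold_bytes": threshold_bytes,
        "oversized": oversized,
        "result": action if oversized else "scan",
    }


def sanity_check_against_stdlib(raw_len: int) -> bool:
    """Confirm the 3-to-4 arithmetic against the real encoder on raw_len zero bytes."""
    return len(base64.b64encode(bytes(raw_len))) == base64_encoded_size(raw_len, line_wrap=False)


if __name__ == "__main__":
    # Constructed case: a 7.8 MB attachment against a 10 MB threshold. The raw
    # file is well under the limit, but its encoded form is not.
    print(oversize_verdict(7_800_000, threshold_mb=10, action="block"))
    print(oversize_verdict(6_000_000, threshold_mb=10, action="pass"))
```

Setting the action to Pass lets such an attachment through without virus scanning, so a threshold that looks generous in raw bytes should be sized with the one-third encoding overhead in mind.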

HTTP and FTP client comforting
In general, client comforting provides a visual display of progress for web page loading or HTTP or FTP file downloads. Client comforting does this by sending the first few packets of the file or web page being downloaded to the client at configured time intervals, so that the client is not aware that the download has been delayed. The client is the web browser or FTP client. The appearance of a client comforting message (for example, a progress bar) is client-dependent. In some instances, there will be no visual client comforting cue.

Without client comforting, clients and their users have no indication that the download has started until the FortiGate unit has completely buffered and scanned the download. During this delay users may cancel or repeatedly retry the transfer, thinking it has failed.

Caution: Client comforting can send unscanned and therefore potentially infected content to the client. You should only enable client comforting if you are prepared to accept this risk. Keeping the client comforting interval high and the amount low will reduce the amount of potentially infected data that is downloaded.

FTP and HTTP client comforting steps
The following steps show how client comforting works for an FTP or HTTP download of a 10 Mbyte file with the client comforting interval set to 20 seconds and the client comforting amount set to 512 bytes.
1 The FTP or HTTP client requests the file.
2 The FortiGate unit buffers the file from the server. The connection is slow, so after 20 seconds about one half of the file has been buffered.
3 The FortiGate unit continues buffering the file from the server, and also sends 512 bytes to the client.
4 After 20 more seconds, the FortiGate unit sends the next 512 bytes of the buffered file to the client.
5 When the file has been completely buffered, the client has received the following amount of data: ca * (T/ci) bytes == 512 * (40/20) == 512 * 2 == 1024 bytes, where ca is the client comforting amount, T is the buffering time and ci is the client comforting interval.
6 FTP client: If the file does not contain a virus, the FortiGate unit sends the rest of the file to the client. If the file is infected, the FortiGate unit closes the data connection and sends the FTP Virus replacement message to the client.
HTTP client: If the file does not contain a virus, the FortiGate unit sends the rest of the file to the client. If the file being downloaded is found to be infected, the FortiGate unit closes the data connection but cannot send a message to the client. Instead the download stops, and the user is left with a partially downloaded file. The client does not receive any notification of what happened because the download to the client had already started. The FortiGate unit then caches the URL and drops the connection. If the user tries to download the same file again within a short period of time, the cached URL is matched and the download is blocked. The client receives the Infection cache replacement message as a notification that the download has been blocked. The number of URLs in the cache is limited by the size of the cache.
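The steps above as an added Python model of the client-comforting sequence. This is not FortiOS code; it assumes a constant server delivery rate, a verdict that is available the moment the file is fully buffered, and a fixed-size infection cache, and the URLs, file size and link speed are constructed. It reproduces the ca * (T/ci) figure from step 5, shows why the HTTP client gets no message on the first infected download but does on the repeat, and shows how a longer interval or a smaller amount shrinks the unscanned data that leaks.

```python
import math


class ClientComfortingProxy:
    """Toy model of the FortiGate client-comforting sequence (example only, not FortiOS).

    Assumptions not taken from the guide: the server delivers at a constant
    rate, the antivirus verdict arrives the moment the file is fully buffered,
    and the infection cache keeps a fixed number of URLs.
    """

    def __init__(self, interval_s: int, amount_bytes: int, cache_size: int = 16):
        self.interval_s = interval_s          # Comfort Clients > Interval
        self.amount_bytes = amount_bytes      # Comfort Clients > Amount
        self.cache_size = cache_size
        self.infection_cache = []             # URLs of HTTP downloads found infected, oldest first

    def comforted_bytes(self, file_bytes: int, buffer_seconds: float) -> int:
        """Unscanned bytes already at the client when the verdict arrives.

        One comfort packet of `amount` bytes leaves every `interval` seconds while
        buffering, so the total is ca * floor(T / ci), capped by the file size.
        """
        sends = math.floor(buffer_seconds / self.interval_s)
        return min(file_bytes, sends * self.amount_bytes)

    def download(self, url: str, file_bytes: int, server_rate_bps: int,
                 infected: bool, protocol: str = "http") -> dict:
        if protocol == "http" and url in self.infection_cache:
            # A repeat request for a URL already found infected is blocked before
            # any data flows, so the browser can be shown a replacement message.
            return {"sent": 0, "outcome": "blocked", "message": "Infection cache"}

        buffer_seconds = file_bytes / server_rate_bps
        sent = self.comforted_bytes(file_bytes, buffer_seconds)
        if not infected:
            return {"sent": file_bytes, "outcome": "complete", "message": None}

        # Infected: the data connection is closed with `sent` bytes already delivered.
        # FTP can still report on the control connection; HTTP cannot, because the
        # response body has already started.
        if protocol == "ftp":
            return {"sent": sent, "outcome": "dropped", "message": "FTP Virus"}
        self._remember(url)
        return {"sent": sent, "outcome": "dropped", "message": None}

    def _remember(self, url: str) -> None:
        self.infection_cache.append(url)
        if len(self.infection_cache) > self.cache_size:
            self.infection_cache.pop(0)


def exposure_table(file_bytes: int, buffer_seconds: float, settings) -> dict:
    """Unscanned bytes leaked before a verdict for several (interval, amount) settings."""
    return {s: ClientComfortingProxy(*s).comforted_bytes(file_bytes, buffer_seconds)
            for s in settings}


if __name__ == "__main__":
    ten_mb = 10 * 1024 * 1024
    slow_link = ten_mb // 40          # constructed: the whole file takes 40 s to buffer
    proxy = ClientComfortingProxy(interval_s=20, amount_bytes=512)
    print(proxy.download("http://example.test/tool.exe", ten_mb, slow_link, infected=True))
    print(proxy.download("http://example.test/tool.exe", ten_mb, slow_link, infected=True))
    print(exposure_table(ten_mb, 40, [(20, 512), (5, 1024), (60, 512)]))
```

The exposure table is the point of the Caution above in numbers: with a 20 s interval and 512 bytes the client holds 1024 unscanned bytes of a 40 s download, a 5 s interval with 1024 bytes raises that to 8192, and an interval longer than the buffering time leaks nothing.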

IPS options
You can use the IPS options in a protection profile to enable IPS for the protection profile and add an IPS sensor. You cannot select denial of service (DoS) sensors through this option. For information on configuring DoS sensors, see “DoS sensors” on page 469. For more information on IPS, see “Intrusion Protection” on page 455.

To add an IPS sensor, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside IPS, select the check box to enable IPS, select an IPS Sensor, and select OK.

Figure 255: Protection Profile IPS options

IPS: Select to enable and use the specified IPS sensor.

Web Filtering options
Web filtering sorts millions of web pages into a wide range of categories that you can allow, block or monitor. Filters defined in the web filtering settings are turned on through a protection profile. In some instances, users may require access to web sites that are blocked by a policy. An administrator can give the user the ability to override the block for a specified period of time. For more information about overrides, see “FortiGuard Web Filtering options” on page 413.

URL filtering uses URLs and URL patterns to exempt or block web pages from specific sources. Content block uses words and patterns to block web pages containing the words or patterns. FortiGuard web filter provides many additional categories by which to filter web traffic.

Note: Protection profile web filtering also includes FortiGuard Web Filtering. For information about FortiGuard Web Filtering, see “FortiGuard Web Filtering options” on page 413.

You can configure web filtering for HTTP and HTTPS traffic. If your FortiGate unit supports SSL content scanning and inspection and you have set HTTPS Content Filtering Mode in the Protocol Recognition part of this protection profile to Deep Scan, you can select the same web filtering options for HTTPS and HTTP.

Note: If your FortiGate unit does not support SSL content scanning and inspection, or if you have set HTTPS Content Filtering Mode to URL Filtering, you can select only URL filtering and blocking invalid URLs for HTTPS. For more information, see “SSL content scanning and inspection” on page 399 and “Protocol recognition options” on page 405.

For more information, see “Web Filter” on page 475.

To configure web filtering options, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Web Filtering, enter the information as described below, and select OK.

For more information. When the total score for a web page equals or exceeds the threshold the page is blocked. see “Web content block” on page 478. If a web page matches more than one entry the score for the web page increases.com/ • Feedback . see “URL filter” on page 483. For more information.fortinet. Web content block list Select the web content block list to add to the protection profile. Select to block HTTP and HTTPS web pages based on matching the URL of the web page with a URL in the selected URL filter list. The default score for content block list entry is 10 and the default threshold is 10. see “Creating a new URL filter list” on page 484.Configuring a protection profile Firewall Protection Profile Figure 256: Protection Profile Web Filtering options Figure 257: Protection Profile Web Filtering options (SSL content scanning and inspection) Web Content Block Select to block HTTP and HTTPS web pages based on matching the content of the web page with the words or patterns in the selected web content block list. For more information. Select to exempt HTTP and HTTPS web pages from web filtering and virus scanning based on matching the content of the web page with the words or patterns in the selected web exempt block list. Threshold Enter a web content block threshold. see “Web content block” on page 478. This means that by default a web page is blocked by a single match. When a web page is matched with an entry in the content block list the score is recorded. For more information. Select the web content exempt list add to the protection profile. see “Creating a new web content exempt list” on page 482. For more information.0 Administration Guide 01-400-89802-20090424 http://docs. Select the URL filter list to add to this protection profile. You can change the scores and threshold so that web pages can only be blocked if there are multiple matches. For more information. 
Web Content Exempt Web content exempt list Web URL Filter Web URL filter list 412 FortiGate Version 4. Each entry in the web content block list added to the protection profile incudes a score. see “Creating a new web content block list” on page 479.
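The scoring rule behind Web Content Block and its Threshold, as an added example that is not from the guide or from FortiOS. It assumes two pattern types, a simple wildcard in which only * is special and a regular expression, and it counts each block-list entry once per page regardless of how often the word appears; the block list and the two pages are constructed. The same page that the default single-match setting blocks is allowed once the threshold is raised so that several entries must match.

```python
import re


def _compile(pattern: str, kind: str):
    """Turn a block-list entry into a case-insensitive regular expression.

    kind is "wildcard" (only '*' is special) or "regex". Treating entries this
    way is an assumption for the example; the guide only says the list holds
    "words or patterns".
    """
    if kind == "regex":
        return re.compile(pattern, re.IGNORECASE)
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*?".join(parts), re.IGNORECASE)


def page_score(page_text: str, block_list) -> tuple:
    """Sum the scores of every entry the page matches.

    block_list entries are (pattern, score, kind). Each entry is counted once
    no matter how often it occurs on the page (assumption for this example).
    """
    matched = []
    total = 0
    for pattern, score, kind in block_list:
        if _compile(pattern, kind).search(page_text):
            matched.append(pattern)
            total += score
    return total, matched


def content_block_decision(page_text: str, block_list, threshold: int = 10) -> dict:
    """Block when the summed score equals or exceeds the profile threshold (default 10)."""
    total, matched = page_score(page_text, block_list)
    return {"score": total, "matched": matched, "blocked": total >= threshold}


# Constructed block list with the default score of 10 per entry.
DEFAULT_LIST = [
    ("casino", 10, "wildcard"),
    ("free*spins", 10, "wildcard"),
    (r"\bbet(ting)?\b", 10, "regex"),
]

# Constructed sample pages.
NEWS_PAGE = "Weekend roundup: the marathon route passes the old casino before the finish line."
GAMBLING_PAGE = "Online casino bonus: claim 50 FREE SPINS today and start betting with no deposit."


if __name__ == "__main__":
    for threshold in (10, 25):
        print(threshold, content_block_decision(NEWS_PAGE, DEFAULT_LIST, threshold))
        print(threshold, content_block_decision(GAMBLING_PAGE, DEFAULT_LIST, threshold))
```

With the defaults the news page is blocked on the single word "casino"; at a threshold of 25 only the page that matches three entries (score 30) is blocked, which is the trade-off the Threshold setting exists for.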

ActiveX Filter: Select to block ActiveX controls.
Cookie Filter: Select to block cookies.
Java Applet Filter: Select to block Java applets.
Web Resume Download Block: Select to block downloading parts of a file that have already been downloaded. Enabling this option prevents the unintentional download of virus files hidden in fragmented files. Note that some types of files, such as PDFs, are fragmented to increase download speed, and that selecting this option can cause download interruptions with these types.
Block invalid URLs: Select to block web sites whose SSL certificate’s CN field does not contain a valid domain name. FortiGate units always validate the CN field, regardless of whether this option is enabled. However, if this option is not selected, the following behavior occurs:
• If the request is made directly to the web server, rather than to a web server proxy, the FortiGate unit queries for FortiGuard Web Filtering category or class ratings using the IP address only, not the domain name.
• If the request is to a web server proxy, the real IP address of the web server is not known. Therefore, rating queries by either or both the IP address and the domain name are not reliable. In this case, the FortiGate unit does not perform FortiGuard Web Filtering.
For details on how web URL filter lists are used with HTTP and HTTPS URLs, see “URL formats” on page 486.
HTTP POST Action: Select the action to take with HTTP POST traffic. See the field descriptions below for details.
  Normal: Do not affect HTTP POST traffic.
  Comfort: Use the comfort amount and interval settings to send “comfort” bytes to the server in case the client connection is too slow. Select this option to prevent a server timeout when scanning or another filtering tool is turned on.
  Block: Block HTTP POST requests. When the POST request is blocked the FortiGate unit sends a web page to the user’s web browser instead of the requested POST page. You can configure the content of this web page by going to System > Config > Replacement Messages and customizing the HTTP > POST message.

Blocked pages are replaced with a message indicating that the page is not accessible according to the Internet usage policy. To configure replacement messages, go to System > Config > Replacement Messages. For more information on web filter configuration options, see “Web Filter” on page 475.

FortiGuard Web Filtering options
You can enable and apply FortiGuard Web Filtering options using a protection profile. For more information about FortiGuard web filtering, see “FortiGuard - Web Filter” on page 487. If you have blocked a pattern using FortiGuard Web Filtering, but want certain users to have access to URLs within the pattern, you can use the FortiGate web filtering override feature.

You can configure FortiGuard Web Filtering for HTTP and HTTPS traffic. If your FortiGate unit supports SSL content scanning and inspection and you have set HTTPS Content Filtering Mode in the Protocol Recognition part of this protection profile to Deep Scan, you can select all but one of the same FortiGuard Web Filtering options for HTTPS and HTTP (Block HTTP redirects by rating is not supported for HTTPS). If your FortiGate unit does not support SSL content scanning and inspection, or if you have set HTTPS Content Filtering Mode to URL Filtering, you have fewer options for HTTPS.

For more information, see “SSL content scanning and inspection” on page 399 and “Protocol recognition options” on page 405.

To configure FortiGuard Web Filtering options, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Web Filtering and scroll down to FortiGuard Web Filtering. Enter the information as described below, and select OK.

Figure 258: Protection Profile FortiGuard Web Filtering options

Figure 259: Protection Profile FortiGuard Web Filtering options (SSL content scanning and inspection)

Enable FortiGuard Web Filtering: Select to enable FortiGuard Web Filtering for this protection profile.
Enable FortiGuard Web Filtering Overrides: Select to enable category overrides. For more information, see “Viewing the override list” on page 488 and “Configuring administrative override rules” on page 489.
Provide details for blocked HTTP 4xx and 5xx errors: Display a replacement message for 400 and 500-series HTTP errors. If the error is allowed through, malicious or objectionable sites can use these common error pages to circumvent web filtering. Only supported for HTTPS if your FortiGate unit supports SSL content scanning and inspection.
Rate images by URL (blocked images will be replaced with blanks): Block images that have been rated by FortiGuard. Blocked images are replaced on the originating web pages with blanks. Rated image file types include GIF, JPEG, PNG, BMP, and TIFF. Only supported for HTTPS if your FortiGate unit supports SSL content scanning and inspection.
Allow websites when a rating error occurs: Allow web pages that return a rating error from the web filtering service. This is a fail-open choice: while the rating service is unreachable, every request it cannot rate is allowed, so decide deliberately whether availability or filtering matters more on this profile.
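How the next two options, Strict Blocking and Rate URLs by domain and IP address, combine the categories and classifications that a URL carries, as an added example that is not part of the guide or of FortiOS. The rating table, the DNS entries and the profile are constructed, and a category or classification that the profile does not mention is treated as allowed, which is an assumption. The images.example.com case is the guide's own Search Engines / Image Search example; the fresh.example.net case shows why rating the IP address as well can catch a domain whose URL rating has not caught up.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rating:
    """One FortiGuard lookup result: a content category plus an optional functional classification."""
    category: str
    classification: str = ""


# Constructed rating table standing in for the FortiGuard service, keyed by host
# name or by the IP address the host resolves to (constructed DNS below).
RATING_TABLE = {
    "images.example.com": Rating("Search Engines", "Image Search"),
    "203.0.113.10": Rating("Unrated"),              # IP rating lags behind the domain rating
    "fresh.example.net": Rating("Unrated"),         # new domain, not yet rated by URL
    "203.0.113.30": Rating("Malicious Websites"),   # but its hosting IP is already known
}
DNS = {"images.example.com": "203.0.113.10", "fresh.example.net": "203.0.113.30"}


def labels_for(host: str, rate_by_domain_and_ip: bool) -> list:
    """Every category and classification that applies to a request for host.

    With Rate URLs by domain and IP address off there is one rating (the domain's);
    with it on there are two, so a URL can carry two categories and two classifications.
    """
    ratings = [RATING_TABLE[host]]
    if rate_by_domain_and_ip:
        ratings.append(RATING_TABLE[DNS[host]])
    labels = []
    for rating in ratings:
        labels.append(rating.category)
        if rating.classification:
            labels.append(rating.classification)
    return labels


def fortiguard_decision(host: str, profile: dict, strict_blocking: bool = True,
                        rate_by_domain_and_ip: bool = False) -> str:
    """Return "block" or "allow" for host under a protection profile.

    profile maps category and classification names to "allow" or "block";
    a name missing from the profile counts as allowed (assumption).
    """
    actions = [profile.get(label, "allow") for label in labels_for(host, rate_by_domain_and_ip)]
    if strict_blocking:
        # Strict: one blocked label is enough to block.
        return "block" if "block" in actions else "allow"
    # Not strict: one allowed label is enough to allow.
    return "allow" if "allow" in actions else "block"


if __name__ == "__main__":
    profile = {"Search Engines": "block", "Image Search": "allow",
               "Unrated": "allow", "Malicious Websites": "block"}
    for host in ("images.example.com", "fresh.example.net"):
        for strict in (True, False):
            for by_ip in (False, True):
                print(host, "strict" if strict else "lenient",
                      "domain+ip" if by_ip else "domain",
                      fortiguard_decision(host, profile, strict, by_ip))
```

Note that turning Strict Blocking off changes nothing for a URL with a single rating: both modes only diverge when a URL carries more than one label, which is exactly the case that enabling Rate URLs by domain and IP address creates.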

Rate URLs by domain and IP address: Select to send both the URL and the IP address of the requested site for checking, and thus provide additional security against attempts to bypass the FortiGuard system. However, because IP rating is not updated as quickly as URL rating, some false ratings may occur.
Block HTTP redirects by rating: Enable to block HTTP redirects. Many web sites use HTTP redirects legitimately; however, in some cases, redirects may be designed specifically to circumvent web filtering, as the initial web page could have a different rating than the destination web page of the redirect. Not supported for HTTPS.
Strict Blocking: This option is enabled by default. If you enable Strict Blocking, a site is blocked if it is in at least one blocked category or classification and only allowed if all categories or classifications it falls under are allowed. If you do not enable Strict Blocking, a site is allowed if it belongs to at least one allowed category or classification and only blocked if all categories or classifications it falls under are blocked. Strict Blocking only has an effect when either a URL fits into a protection profile category and classification or Rate URLs by domain and IP address is enabled. All URLs belong to at least one category (including the Unrated category) and may also belong to a classification. With Rate URLs by domain and IP address enabled, all URLs have two categories and up to two classifications (one set for the domain and one set for the IP address). For example, suppose that a protection profile blocks Search Engines but allows “Image Search”, and that the URL “images.example.com” falls into the General Interest / Search Engines category and the Image Search classification. With Strict Blocking enabled, this URL is blocked because it belongs to the Search Engines category, which is blocked. With Strict Blocking disabled, the URL is allowed because it is classified as Image Search, which the profile allows. It would be blocked only if both the Search Engines category and Image Search classification were blocked.
Category: FortiGuard Web Filtering provides many content categories for filtering web traffic. Categories reflect the subject matter of the content. For each category, select to Allow or Block and, if the category is blocked, whether or not to Allow Override to permit users to override the filter if they successfully authenticate. You can also select to log each traffic occurrence of the category.
Classification: In addition to content categories, FortiGuard Web Filtering provides functional classifications that block whole classes of web sites based upon their functionality, media type, or source, rather than the web site’s subject matter. Using classifications, you can block web sites that host cached content or that facilitate image, audio, or video searches. Classification is in addition to, and can be configured separately from, the category. For each class, select to Allow or Block and, if the class is blocked, whether or not to Allow Override to permit users to override the filter if they successfully authenticate. You can also select to log each traffic occurrence of the class.

Spam Filtering options

Several spam filters can be configured in the protection profile. With the IP address filter, FortiGuard AntiSpam extracts the email server source address and sends the IP address to a FortiGuard Antispam server to check if this IP address matches the list of known spammers. If the IP address is found, FortiGuard Antispam terminates the session. If FortiGuard Antispam does not find a match, the email server sends the email to the recipient. With the URL filter, FortiGuard Antispam checks the body of email messages to extract any URL links.
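The Strict Blocking decision above, written out as an added Python example (not Fortinet code) using the page’s own Search Engines / Image Search case; the profile settings, the Unrated rating for the IP address, and the rule that an unlisted category counts as allowed are assumptions of the example.

```python
from dataclasses import dataclass

ALLOW, BLOCK = "allow", "block"


@dataclass(frozen=True)
class UrlRating:
    """What the rating service returns for one URL: at least one category
    (the Unrated category if nothing else) and zero or more classifications.
    With "Rate URLs by domain and IP address" enabled a second set is returned
    for the IP address, so a URL can carry two categories and two
    classifications."""
    categories: tuple
    classifications: tuple = ()


class WebFilterProfile:
    """Per-category and per-classification Allow/Block settings, as in the
    FortiGuard Web Filtering section of a protection profile."""

    def __init__(self, categories, classifications, strict_blocking=True):
        self.categories = categories            # name -> ALLOW or BLOCK
        self.classifications = classifications  # name -> ALLOW or BLOCK
        self.strict_blocking = strict_blocking  # enabled by default

    def _actions(self, rating):
        """Collect the configured action for every rating the URL carries."""
        if not rating.categories:
            raise ValueError("every URL belongs to at least one category")
        # Assumption for this example: a category or classification the
        # profile does not list is treated as allowed.
        actions = [self.categories.get(c, ALLOW) for c in rating.categories]
        actions += [self.classifications.get(c, ALLOW)
                    for c in rating.classifications]
        return actions

    def decide(self, rating):
        """Return ALLOW or BLOCK for the URL under this profile."""
        actions = self._actions(rating)
        if self.strict_blocking:
            # Blocked if it is in at least one blocked category or
            # classification; allowed only if all of them are allowed.
            return BLOCK if BLOCK in actions else ALLOW
        # Allowed if it is in at least one allowed category or classification;
        # blocked only if all of them are blocked.
        return ALLOW if ALLOW in actions else BLOCK


# Constructed settings that follow the page's example: the Search Engines
# category is blocked while the Image Search classification is allowed.
CATEGORY_SETTINGS = {"Search Engines": BLOCK, "Unrated": ALLOW}
CLASSIFICATION_SETTINGS = {"Image Search": ALLOW, "Cached Content": BLOCK}

# images.example.com rated by domain only ...
IMAGES_URL = UrlRating(categories=("Search Engines",),
                       classifications=("Image Search",))
# ... and with "Rate URLs by domain and IP address" enabled, where the IP
# address of the site came back as Unrated (constructed).
IMAGES_URL_WITH_IP = UrlRating(categories=("Search Engines", "Unrated"),
                               classifications=("Image Search",))
# A URL that has only one rating: both modes agree on it.
PLAIN_SEARCH_URL = UrlRating(categories=("Search Engines",))


def decide(rating, strict_blocking):
    """Decide one URL under the constructed profile, in either mode."""
    profile = WebFilterProfile(CATEGORY_SETTINGS, CLASSIFICATION_SETTINGS,
                               strict_blocking)
    return profile.decide(rating)


if __name__ == "__main__":
    for label, rating in (("images.example.com", IMAGES_URL),
                          ("images.example.com, IP rated too", IMAGES_URL_WITH_IP),
                          ("search-only URL", PLAIN_SEARCH_URL)):
        print(f"{label}: strict={decide(rating, True)}, "
              f"not strict={decide(rating, False)}")
```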

Spam messages often contain URL links to advertisements (also called spamvertizing). These URL links are sent to a FortiGuard Antispam server to determine if any are listed. If a URL match is found, FortiGuard Antispam terminates the session. If FortiGuard Antispam does not find a match, the email server sends the email to the recipient. The email checksum filter calculates the checksum of an email message and sends this checksum to the FortiGuard servers to determine if the checksum is in the blacklist. The FortiGate unit then passes or marks/blocks the email message according to the server response. For more information about this service, see “FortiGuard Antispam service” on page 265 and “Configuring the FortiGate unit for FDN and FortiGuard subscription services” on page 266.

You can configure spam filtering for IMAP, POP3, and SMTP email. If your FortiGate unit supports SSL content scanning and inspection you can also configure spam filtering for IMAPS, POP3S, and SMTPS email. For information about SSL content scanning and inspection, see “SSL content scanning and inspection” on page 399. For more spam filter configuration options, see “Antispam” on page 495.

Note: Some popular email clients cannot filter messages based on the MIME header. For these clients, select to tag email message subject lines instead.

To configure spam filtering options, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Spam Filtering, enter the information as described below, and select OK.

Figure 260: Protection Profile Spam Filtering options

Figure 261: Protection Profile Spam Filtering options (SSL content scanning and inspection)

FortiGuard AntiSpam: Select one or more check boxes to enable protocols (IMAP, POP3, SMTP), then apply the options that you need. If your FortiGate unit supports SSL content scanning and inspection you can also enable FortiGuard Antispam for IMAPS, POP3S, and SMTPS.
IP address check: Select to enable the FortiGuard AntiSpam filtering IP address blacklist.
URL check: Select to enable the FortiGuard AntiSpam spam filtering URL blacklist.
E-mail checksum check: Select to enable the FortiGuard Antispam email message checksum blacklist.
Spam submission: Select to add a spam submission message and a link to the message body of all email messages marked as spam by FortiGuard Antispam. If the receiver considers that the email message is not spam, he or she can use the link in the message to inform FortiGuard Antispam. You can change the content of this message by going to System > Config > Replacement Messages and customizing the Spam > Spam submission message. For more information, see “Spam replacement messages” on page 200.
IP address BWL check: Select to compare the IP address of email message senders to the selected IP address black/white list and, if a match is found, to take the action configured in the list for the IP address. For more information, see “IP address and email address black/white lists” on page 501.
IP address BWL check list: Select the IP address black/white list to add to the protection profile. For more information, see “Creating a new antispam IP address list” on page 501.
HELO DNS lookup: Select to look up the source domain name (from the SMTP HELO command) for SMTP email messages.
E-mail address BWL check: Select to compare the email address of message senders to the selected email address black/white list and, if a match is found, to take the action configured in the list for the email address. For more information, see “IP address and email address black/white lists” on page 501.
E-mail address BWL list: Select the email address black/white list to add to the protection profile. For more information, see “Creating a new antispam email address list” on page 504.
Return e-mail DNS check: Select to enable checking that the domain specified in the reply-to or from address has an A or MX record.

Banned word check: Select to block email messages based on matching the content of the message with the words or patterns in the selected spam filter banned word list. Each entry in the banned word list added to the protection profile includes a score. When an email message is matched with an entry in the banned word list, the score is recorded. If an email message matches more than one entry, the score for the email message increases. When the total score for an email message equals or exceeds the threshold, the message is tagged as spam. The default score for a banned word list entry is 10 and the default threshold is 10. This means that by default an email message is tagged as spam by a single match. You can change the scores and threshold so email messages are only tagged as spam if there are multiple matches. For more information, see “Banned word” on page 498.
Banned word list: Select the banned word list to add to the protection profile. For more information, see “Creating a new banned word list” on page 499.
Threshold: Enter a spam filter banned word block threshold.
Spam Action: Select to either tag or discard email that the FortiGate unit determines to be spam. Tagging adds the text in the Tag Format field to the subject line or header of email identified as spam. Discarding immediately drops the connection. If virus scanning is not enabled, you can choose to either tag or discard SMTP spam. When virus scanning is enabled for SMTP, the FortiGate unit can only discard spam email if a virus is detected.

Note: When you enable virus scanning for SMTP and SMTPS in the Anti-virus section of the protection profile, scanning by splice, also called streaming mode, is enabled automatically. When scanning by splice, the FortiGate unit simultaneously scans and streams traffic to the destination, terminating the stream to the destination if a virus is detected. For details on splicing behavior for SMTP, see the Knowledge Center article FortiGate Proxy Splice and Client Comforting Technical Note. For details on configuring splicing, see the splice option for each protocol in the config firewall profile command in the FortiGate CLI Reference.

Tag Location: Select to add the tag to the subject or MIME header of email identified as spam. To add the tag to the MIME header, you must enable spamhdrcheck in the CLI for each protocol (IMAP, SMTP, and POP3). For more information, see “profile” in the FortiGate CLI Reference. If you select to add the tag to the subject line, the FortiGate unit converts the entire subject line, including the tag, to UTF-8 format. This improves display for some email clients that cannot properly display subject lines that use more than one encoding. For details on preventing conversion of the subject line to UTF-8, see the “System Settings” chapter of the FortiGate CLI Reference.
Tag Format: Enter a word or phrase with which to tag email identified as spam. Tags must not exceed 64 bytes. The number of characters constituting 64 bytes of data varies by text encoding, which may vary by the FortiGate administrator language setting. When typing a tag, use the same language as the FortiGate unit’s current administrator language setting. Tag text using other encodings may not be accepted. For example, the FortiGate unit will not accept a spam tag written in Japanese characters while the administrator language setting is English. When entering a spam tag that uses Japanese characters, first verify that the administrator language setting is Japanese. For details on changing the language setting, see “Settings” on page 228.

Data Leak Prevention Sensor options

You apply data leak prevention (DLP) to traffic by selecting a data leak prevention sensor. You can use DLP to prevent sensitive data from leaving your network and to provide content archiving.
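The banned word scoring, threshold and tag rules described above, as an added Python illustration (not Fortinet code). The banned word list, sample messages and the MIME header name used for header tagging are constructed for the example.

```python
import re
from dataclasses import dataclass

DEFAULT_SCORE = 10       # default score of a banned word list entry
DEFAULT_THRESHOLD = 10   # default threshold: a single match tags the message
MAX_TAG_BYTES = 64       # tags must not exceed 64 bytes


@dataclass(frozen=True)
class BannedWord:
    pattern: str             # word or pattern from the banned word list
    score: int = DEFAULT_SCORE


def banned_word_score(message_text, banned_words):
    """Add up the score of every banned word entry the message matches.
    A matching entry is counted once; matching a second entry raises the
    total further."""
    total = 0
    for entry in banned_words:
        if re.search(entry.pattern, message_text, flags=re.IGNORECASE):
            total += entry.score
    return total


def is_spam(message_text, banned_words, threshold=DEFAULT_THRESHOLD):
    """The message is tagged as spam when the total score reaches the threshold."""
    return banned_word_score(message_text, banned_words) >= threshold


def tag_fits(tag, encoding="utf-8"):
    """Check the 64-byte limit. How many characters fit depends on the
    encoding: a tag in Japanese characters takes three bytes per character
    in UTF-8, so far fewer characters fit than for an ASCII tag."""
    return len(tag.encode(encoding)) <= MAX_TAG_BYTES


def tag_message(headers, tag, location="subject"):
    """Return a copy of the message headers with the spam tag applied.
    location "subject": the tag is prepended to the Subject line.
    location "header": a MIME header carries the tag instead (for clients
    that can filter on headers); the header name is an assumption."""
    if not tag_fits(tag):
        raise ValueError(f"tag exceeds {MAX_TAG_BYTES} bytes")
    tagged = dict(headers)
    if location == "subject":
        tagged["Subject"] = f"{tag} {headers.get('Subject', '')}".strip()
    elif location == "header":
        tagged["X-Spam-Tag"] = tag   # hypothetical header name
    else:
        raise ValueError("location must be 'subject' or 'header'")
    return tagged


# Constructed banned word list: two entries keep the default score of 10,
# two are lowered to 5 so that only a combination of matches reaches the
# default threshold.
BANNED_WORDS = [
    BannedWord(r"\bfree money\b"),
    BannedWord(r"\bguaranteed winner\b"),
    BannedWord(r"\bcasino\b", score=5),
    BannedWord(r"\bclick here\b", score=5),
]

# Constructed sample messages.
MSG_ONE_STRONG_MATCH = "Claim your free money today"
MSG_ONE_WEAK_MATCH = "Our casino opens on Friday"
MSG_TWO_WEAK_MATCHES = "Visit the casino: click here for your bonus"


if __name__ == "__main__":
    for text in (MSG_ONE_STRONG_MATCH, MSG_ONE_WEAK_MATCH, MSG_TWO_WEAK_MATCHES):
        print(f"{banned_word_score(text, BANNED_WORDS):>3}  "
              f"spam={is_spam(text, BANNED_WORDS)}  {text}")
    print(tag_message({"Subject": "your bonus"}, "[SPAM]"))
```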

You can also use protection profile DLP settings to:
• display content meta-information on the system dashboard
• content archive spam email (requires a FortiAnalyzer unit or the FortiGuard Analysis and Management Service).

For more information, see “Data Leak Prevention” on page 511 and “Content Archive” on page 667.

To configure DLP sensor options, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Data Leak Prevention Sensor, enter the information as described below, and select OK.

Figure 262: Data Leak Prevention Sensor options

Figure 263: Data Leak Prevention Sensor options (SSL content scanning inspection and FortiAnalyzer unit configured)

Data Leak Prevention Sensor: Select the check box and then specify the DLP sensor to add to the protection profile. For more information, see “Adding and configuring a DLP sensor” on page 512.
Display content meta-information on the system dashboard: For each protocol, select whether or not to display the content summary in the Dashboard Statistics widget. You can select HTTP, FTP, IMAP, POP3, and SMTP. If your FortiGate unit supports SSL content scanning and inspection you can also select HTTPS, IMAPS, POP3S, and SMTPS. For more information about the statistics widget, see “Statistics” on page 71.
Archive SPAMed emails to FortiAnalyzer/FortiGuard: For each email protocol, select to content archive email messages identified as spam by the FortiGate spam filtering or by FortiGuard Antispam. You must configure the FortiGate unit to log to a FortiAnalyzer unit to configure this option. For information about content archiving spam, see “Configuring spam email message content archiving” on page 668.

Application Control options

You can apply application control options through a protection profile. For more information about application control, see “Application Control” on page 523.

To configure application control options, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Application Control and select the application control list to add to the protection profile.

Figure 264: Protection Profile Application Control options

Application Control List: Select the check box and then specify the application control list to add to the protection profile. For more information, see “Creating a new application control list” on page 524.

Figure 265: Protection Profile Replacement Message options

Figure 266: Adding an MMS protection profile to a protection profile

Logging options

You can enable logging options in a protection profile to write event log messages when the options that you have enabled in this protection profile perform an action. For example, if you enable antivirus protection you could also enable the antivirus protection profile logging options to write an event log message every time a virus is detected by this protection profile. For more information about enabling and configuring event logs, see “Event log” on page 659.

To configure Logging options, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Logging, enter the information as described below, and select OK.

Figure 267: Protection Profile Logging options

Antivirus
Viruses: Select to log detected viruses.
Blocked Files: Select to log blocked files.
Oversized Files / E-mails: Select to log oversize files and email messages.

Web Filtering
Content Block: Select to log content blocking events.
URL Filter: Select to log blocked and exempted URLs.
ActiveX Filter: Select to log blocked Active X plugins.
Cookie Filter: Select to log blocked cookies.
Java Applet Filter: Select to log blocked Java applets.

FortiGuard Web Filtering (HTTP only)
Rating Errors: Select to log rating errors.

Spam Filtering
Log Spam: Select to log detected spam.

IPS
Log Intrusions: Select to log IPS signature and anomaly events.

Application Control
Log Application Control: Select to log Application Control events.

Data Leak Prevention Sensor
Log DLP: Select to log DLP events.

Traffic Shaping

Traffic shaping, once included in a firewall policy, controls the bandwidth available to, and sets the priority of the traffic processed by, the policy. Traffic shaping makes it possible to control which policies have the highest priority when large amounts of data are moving through the FortiGate unit. For example, the policy for the corporate web server might be given higher priority than the policies for most employees’ computers. An employee who needs extra high speed Internet access could have a special outgoing policy set up with higher band­width.

Traffic shaping is available for firewall policies whose Action is ACCEPT, IPSEC, or SSLVPN. It is also available for all supported services, including H.323, TCP, UDP, ICMP, and ESP. For more information about firewall policy, see “Firewall Policy” on page 319.

Traffic shaping cannot increase the total amount of bandwidth available, but you can use it to improve the quality of bandwidth-intensive and sensitive traffic. Guaranteed and maximum bandwidth in combination with queuing ensures minimum and maximum bandwidth is available for traffic.

Note: For more information about traffic shaping you can also see the FortiGate Traffic Shaping Technical Note.

This section describes:
• Guaranteed bandwidth and maximum bandwidth
• Traffic priority
• Traffic shaping considerations
• Configuring traffic shaping

Guaranteed bandwidth and maximum bandwidth

When you enter a value in the Guaranteed Bandwidth field when adding a traffic shaper, you guarantee the amount of bandwidth available for selected network traffic (in Kbytes/sec). For example, you may want to give a higher guaranteed bandwidth to your ecommerce traffic.

When you enter a value in the Maximum Bandwidth field when adding a traffic shaper, you limit the amount of bandwidth available for selected network traffic (in Kbytes/sec). For example, you may want to limit the bandwidth of IM traffic usage, to save some bandwidth for the more important e-commerce traffic.

Once included in a firewall policy, the guaranteed and maximum bandwidth is the total bandwidth available to all traffic controlled by the policy. If multiple users start multiple communications sessions using the same policy, all of these communications sessions must share the bandwidth available for the policy. The bandwidth available for traffic set in a traffic shaper is used for both the control and data sessions and for traffic in both directions. For example, if guaranteed bandwidth is applied to an internal and an external FTP policy, and a user on an internal network uses FTP to put and get files, both the put and get sessions share the bandwidth available to the traffic controlled by the policy.

However, bandwidth availability is not shared between multiple instances of using the same service if these multiple instances are controlled by different policies. For example, you can create one FTP policy to limit the amount of bandwidth available for FTP for one network address and create another FTP policy with a different bandwidth availability for another network address.

Note: If you set both guaranteed bandwidth and maximum bandwidth to 0 (zero), the policy does not allow any traffic.

Traffic priority

When adding a traffic shaper, you can set traffic priority to manage the relative priorities of different types of traffic. Important and latency-sensitive traffic should be assigned a high priority. Less important and less sensitive traffic should be assigned a low priority. The FortiGate unit provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections.

For example, you can add policies to guarantee bandwidth for voice and ecommerce traffic. Then you can assign a high priority to the policy that controls voice traffic and a medium priority to the policy that controls e-commerce traffic. During a busy time, if both voice and e-commerce traffic are competing for bandwidth, the higher priority voice traffic will be transmitted before the ecommerce traffic.

Traffic shaping considerations

Traffic shaping attempts to “normalize” traffic peaks/bursts to prioritize certain flows over others. But there is a physical limitation to the amount of data which can be buffered and to the length of time. Once these thresholds have been surpassed, frames and packets will be dropped, and sessions will be affected in other ways. For example, incorrect traffic shaping configurations may actually further degrade certain network flows, since the excessive discarding of packets can create additional overhead at the upper layers that may be attempting to recover from these errors.

A basic traffic shaping approach is to prioritize certain traffic flows over other traffic whose potential discarding is less advantageous. This would mean that you accept sacrificing certain performance and stability on low-priority traffic, in order to increase or guarantee performance and stability to high-priority traffic. If, for example, you are applying bandwidth limitations to certain flows, you must accept the fact that these sessions can be limited and therefore negatively impacted.

Note that traffic shaping is effective for normal IP traffic at normal traffic rates. Traffic shaping is not effective during periods when traffic exceeds the capacity of the FortiGate unit. Since packets must be received by the FortiGate unit before they are subject to traffic shaping, if the FortiGate unit cannot process all of the traffic it receives, then dropped packets, delays, and latency are likely to occur.

Traffic shaping applied to a firewall policy is enforced for traffic which may flow in either direction. Therefore a session which may be set up by an internal host to an external one, through an Internal-to-External policy, will have traffic shaping applied even if the data stream flows external to internal. One example may be an FTP “get” or a SMTP server connecting to an external one, in order to retrieve email.

To ensure that traffic shaping is working at its best, make sure that the interface ethernet statistics show no errors, collisions or buffer overruns. If any of these problems do appear, then FortiGate and switch settings may require adjusting. Be sure that the sum of all Guaranteed Bandwidth in all firewall policies is significantly less than the bandwidth capacity of the interface. For more information, see the FortiGate Traffic Shaping Technical Note.

Configuring traffic shaping

Configure traffic shapers to be included in firewall policies. To view the traffic shaper list, go to Firewall > Traffic Shaping > Traffic Shaping.

Figure 268: Traffic shaper list

Create New: Add a traffic shaper. For more information, see “To create a traffic shaper” on page 425.
Name: The name of a traffic shaper.
Delete icon: Select to remove a traffic shaper.
Edit icon: Select to modify a traffic shaper.

To create a traffic shaper
1 Go to Firewall > Traffic Shaping > Traffic Shaping.
2 Select Create New.

Figure 269: Creating traffic shapers

Name: Type a name for this traffic shaper.
Apply Shaping: Select Per Policy to apply this traffic shaper to a single firewall policy that uses it. Select For all policies using this shaper to apply this traffic shaper to all firewall policies that use it.
Guaranteed Bandwidth: Select a value to ensure there is enough bandwidth available for a high-priority service.

Maximum Bandwidth: Select to limit bandwidth in order to keep less important services from using bandwidth needed for more important ones.
Traffic Priority: Select High, Medium, or Low. Select Traffic Priority so the FortiGate unit manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server needed to support ecommerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections. Be sure to enable traffic shaping on all firewall policies. If you do not apply any traffic shaping rule to a policy, the policy is set to high priority by default. Distribute firewall policies over all three priority queues.

3 Select OK.
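The sharing rules this chapter describes (guarantee first, leftover capacity to higher priority policies, maximum as the ceiling, both values 0 meaning no traffic, and the sum of guarantees kept well below interface capacity) as an added Python model. It is an illustration written for this edit, not the FortiOS scheduler; the shapers, demands and the 80% headroom used by the check are assumptions.

```python
from dataclasses import dataclass

# Order in which leftover bandwidth is handed out: High, then Medium, then Low.
PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Shaper:
    name: str
    guaranteed: int          # Guaranteed Bandwidth in Kbytes/sec
    maximum: int             # Maximum Bandwidth in Kbytes/sec
    priority: str = "high"   # a policy without a shaper is high priority by default

    def blocks_all_traffic(self):
        # Both values set to 0 (zero): the policy does not allow any traffic.
        return self.guaranteed == 0 and self.maximum == 0


def check_guarantees(shapers, interface_capacity):
    """Return (sum of guarantees, ok). The sum of all Guaranteed Bandwidth
    across the firewall policies should be significantly less than the
    capacity of the interface; this check uses 80% of capacity as the
    limit, which is an assumption of this example, not a FortiOS setting."""
    total = sum(s.guaranteed for s in shapers)
    return total, total <= 0.8 * interface_capacity


def allocate(shapers, demand, interface_capacity):
    """Simplified model of the sharing the chapter describes: every policy
    first receives its guarantee, up to what its sessions demand; what is
    left of the interface goes to higher priority policies first, and no
    policy exceeds its maximum. `demand` maps a shaper name to the total
    Kbytes/sec its sessions try to send in both directions, since all
    sessions of one policy share that policy's bandwidth."""
    for s in shapers:
        if not s.blocks_all_traffic() and s.maximum < s.guaranteed:
            raise ValueError(f"{s.name}: maximum below guaranteed")
    alloc = {s.name: 0 for s in shapers}
    remaining = interface_capacity
    # Pass 1: guarantees.
    for s in shapers:
        if s.blocks_all_traffic():
            continue
        got = min(demand.get(s.name, 0), s.guaranteed, remaining)
        alloc[s.name] = got
        remaining -= got
    # Pass 2: leftover capacity by priority, capped at each maximum.
    for s in sorted(shapers, key=lambda x: PRIORITY_RANK[x.priority]):
        if remaining <= 0:
            break
        if s.blocks_all_traffic():
            continue
        wanted = min(demand.get(s.name, 0), s.maximum) - alloc[s.name]
        extra = min(max(wanted, 0), remaining)
        alloc[s.name] += extra
        remaining -= extra
    return alloc


# Constructed shapers following the chapter's examples: voice and e-commerce
# get guarantees with high and medium priority, IM is capped at low
# priority, and one policy is set to 0/0.
SHAPERS = [
    Shaper("voice", guaranteed=200, maximum=300, priority="high"),
    Shaper("ecommerce", guaranteed=300, maximum=600, priority="medium"),
    Shaper("im", guaranteed=50, maximum=100, priority="low"),
    Shaper("blocked", guaranteed=0, maximum=0),
]
# Busy period: every policy's sessions want more than its guarantee.
BUSY_DEMAND = {"voice": 300, "ecommerce": 800, "im": 200, "blocked": 100}


if __name__ == "__main__":
    total, ok = check_guarantees(SHAPERS, 800)
    print(f"sum of guarantees {total} KB/s, within limit: {ok}")
    print("800 KB/s interface:", allocate(SHAPERS, BUSY_DEMAND, 800))
    print("1200 KB/s interface:", allocate(SHAPERS, BUSY_DEMAND, 1200))
```

On the congested 800 KB/s interface the low-priority IM policy is held to its guarantee while voice reaches its maximum; with 1200 KB/s every policy reaches its maximum.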

VoIP and SIP

SIP support

The Session Initiation Protocol (SIP) is a signaling protocol used for establishing and conducting multiuser calls over TCP/IP networks using any media. This lightweight text-based signaling protocol is transported over either Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). SIP uses invitations to create Session Description Protocol (SDP) messages that allow participants to agree on a set of compatible media types. Due to the complexity of the call setup, not every firewall can handle SIP calls correctly, even if the firewall is stateful.

The FortiGate unit has a pre-defined SIP firewall service that tracks and scans SIP calls and makes adjustments, to both the firewall state and call data, to ensure a seamless call is established through the FortiGate unit regardless of its operation mode: NAT, route, or transparent.

The FortiGate unit supports the following SIP features:
• stateful SIP tracking
• RTP Pinholing
• request control
• rate limiting
• events logging
• communication archiving
• NAT
• IP preservation
• client connection control
• register response acceptance
• Application Layer Gateway (ALG) control
• SIP stateful HA

You can use protection profiles to control the SIP protocol and SIP call activity. A statistical summary of SIP protocol activity is also available for managing SIP use.

This section includes some information about VoIP and SIP. It also describes how FortiOS SIP support works and how to configure the key SIP features. For more configuration information, see the FortiGate CLI Reference.

This section describes:
• VoIP and SIP
• The FortiGate unit and VoIP security
• How SIP support works
• Configuring SIP

VoIP and SIP

SIP is an IETF protocol for establishing Voice over IP (VoIP) connections. Many VoIP networks choose SIP to handle multimedia sessions between endpoints. SIP applications are based on a client-server structure and support user mobility with two operating modes: proxy and redirect.

In proxy mode (shown in Figure 270), the SIP client sends its signaling request to a SIP server, which then looks up the destination address. SIP clients send requests to the proxy server. The proxy server either handles the requests or forwards them to other SIP servers. Proxy servers can insulate and hide SIP users by proxying the signaling messages. To the other users on the VoIP network, the signaling invitations look as if they come from the SIP proxy server.

Figure 270: SIP in proxy mode (SIP Client A (a@example.com), SIP Proxy Server, SIP Client B (b@example.com), IP Network, RTP Session)
1. SIP clients register with SIP server
2. Client A dials Client B and a request is sent to the SIP proxy server
3. Proxy server looks up phone number or URL of destination client (Client B) and sends invite to Client B
4. Client B is notified of incoming call by proxy server – phone rings
5. RTP session opens when Client B answers

When the SIP server operates in redirect mode (shown in Figure 271), the SIP server returns the destination address to the originator of the call, who uses it to signal the destination SIP client.

Figure 271: SIP in redirect mode (SIP Client A (a@example.com), SIP Redirect Server, SIP Client B (b@example.com), IP Network, RTP Session)
1. SIP clients register with SIP server
2. Client A dials Client B and request is sent to SIP redirect server
3. Redirect server looks up phone number or URL of destination client (Client B) and sends address back to the caller (Client A)
4. Client A sends invitation to Client B
5. Client B is notified of incoming call by redirect server – phone rings
6. RTP session opens when Client B answers

The FortiGate unit and VoIP security

Like data networks, VoIP networks are vulnerable to many of the same security risks, including denial of service (DoS) attacks, service theft, tampering, and fraud. Many conventional firewalls cannot protect VoIP networks from attacks because VoIP is implemented at both the signaling and media layers. VoIP calls cannot go through these firewalls unless a range of ports are opened, which exposes the network for unauthorized access.

The FortiGate unit can effectively secure VoIP solutions since it supports VoIP protocols such as SIP, MGCP, and H.323, and associates state at the signaling layer with packet flows at the media layer. Using SIP ALG controls, the FortiGate unit can interpret the VoIP signaling protocols used in the network and dynamically open and close ports (pinholes) for each specific VoIP call to maintain security. The FortiGate intrusion prevention system (IPS) provides another strategic line of defense, particularly against VoIP network predators. The IPS has deep-packet inspection capabilities to provide continuous surveillance across multiple network sectors simultaneously, recognizing network traffic expected within each and alerting network managers to malicious packets and other protocol anomalies.

SIP NAT

The FortiGate unit supports network address translation (NAT) of SIP because the FortiGate ALG can modify the SIP headers correctly. This section uses scenarios to explain the FortiGate SIP NAT support.

Source NAT (SIP and RTP)

In the source NAT scenario shown in Figure 272, a SIP phone connects to the Internet through a FortiGate unit with PPPoE. You need to configure an internal to external UDP firewall policy with NAT checked and a SIP-enabled protection profile. For more information about firewall policies, see “Firewall Policy” on page 319. The FortiGate ALG translates all private IPs in the SIP contact header into public IPs.

Figure 272: SIP source NAT (SIP phone behind the FortiGate unit; SIP service provider has a SIP server and a separate RTP server)

Destination NAT (SIP and RTP)

In the destination NAT scenario, shown in Figure 273, a SIP phone connects to the Internet. The SIP phone connects to the FortiGate unit. The VoIP service provider only publishes a single public IP (a VIP). The FortiGate unit translates the SIP contact header to the IP of the real SIP server located outside. The FortiGate ALG will open the Real-time Transport Protocol (RTP) pinholes and manage NAT.

Figure 273: SIP destination NAT (SIP phone, FortiGate unit, Internet; SIP service provider has a SIP server and a separate RTP server)

The FortiGate unit also supports a variation of this scenario: the RTP server hides its real address. In this scenario, a SIP phone can connect to a local IP using a FortiOS VIP.

Figure 274: SIP destination NAT, RTP server hidden (SIP phone, FortiGate unit, Internet, SIP Server, RTP Server)

In the scenario shown in Figure 274, the SIP phone connects to a VIP and the FortiGate unit then translates the SIP contact header to the SIP server. The FortiGate SIP ALG translates the SIP contact header to 217.233.90.60. The SIP server changes the SIP/SDP connection information (which tells the SIP phone which RTP IP it should contact) also to 217.233.90.60.

Source NAT with IP pool

You can choose NAT with the Dynamic IP Pool option when configuring a firewall policy if the source IP of the SIP packets is different from the interface IP. This configuration also applies to destination NAT. The FortiGate ALG interprets this configuration and translates the SIP header accordingly.

Different source and destination NAT for SIP and RTP

This is a more complex scenario that a SIP service provider may use. It can also be deployed in large-scale SIP environments where RTP has to be processed by the FortiGate unit and the RTP server IP has to be translated differently than the SIP server IP.

Figure 275: Different source and destination NAT for SIP and RTP (SIP phone, FortiGate unit with a SIP VIP and RTP VIPs, Internet, SIP Server, RTP Servers)

In this scenario, shown in Figure 275, assume there is a SIP server and a separate media gateway. The SIP server is configured so that the SIP phone will connect to the SIP VIP, and the media gateway (RTP server) will connect to the RTP VIP. What happens is as follows:
1 The SIP phone connects to the SIP VIP. The FortiGate ALG translates the SIP contact header to the SIP server.
2 The SIP server carries out RTP to the RTP VIP.
3 The FortiGate ALG opens pinholes, assuming that it knows the ports to be opened.
4 RTP is sent to the RTP VIP.

How SIP support works

The FortiGate unit uses firewall policies to protect communications between servers and VoIP end devices. These policies restrict VoIP communication based on authorized end devices or traffic sourced or destined for a particular IP address or interface. The FortiGate unit segments the VoIP network, separating the voice traffic from other traffic to ensure that appropriate priority and policies are applied.

Configuring SIP

You can enable SIP support, enable SIP logging, and view SIP statistics using the web-based manager. You need to configure most features, however, through the CLI.

You need to configure the FortiOS SIP support in the following order:

1 Create a firewall protection profile that enables SIP (see "Enabling SIP support and setting rate limiting from the web-based manager" on page 432).
2 Create a firewall policy that allows SIP and includes a SIP-enabled protection profile. Specifically, select the "SIP" or "Any" pre-defined service for the policy. For more information about firewall policies, see "Firewall Policy" on page 319.
3 Configure advanced SIP features as required (see "Configuring SIP" on page 432).

When the FortiGate unit receives a SIP packet, it checks the packet against the firewall policies. If the packet matches a policy, the FortiGate firewall inspects and processes the packet according to the SIP profile applied to the policy. Once the profile is included in a policy, the ALG will parse the SIP traffic and open the RTP ports for each specific VoIP call.

Enabling SIP support and setting rate limiting from the web-based manager

To enable SIP support you need to:
• enable SIP in an application control list
• select this application control list in a protection profile
• add this protection profile to a firewall policy that accepts SIP traffic.

When creating a protection profile, you can also configure some SIP rate limiting settings. You then apply the profile to a firewall policy. You can apply a profile to multiple policies.

SIP rate limiting is useful for protecting a SIP server within a company. Most SIP servers do not have integrated controls and it is very easy to flood SIP servers with INVITE or REGISTER requests. Rate limiting for SIP also limits SIMPLE traffic.

To enable SIP and set rate limiting from the web-based manager

1 Go to UTM > Application Control.
2 If you want to enable SIP for an existing application control list, select the Edit icon for that application control list. Otherwise, select Create New to add a new application list.
3 Then, select Create New in the application list to add a new application to the application control list.
4 Set Application to SIP and, if required, set the two rate limits (REGISTER and INVITE requests per second).
5 Select OK.
6 Make sure the application control list is selected in a protection profile and that the protection profile is added to a firewall policy.

For more information about application control, see "Application Control" on page 523.

Enabling SIP support from the CLI

From the FortiGate CLI, you enable SIP support using the config application list command to add SIP to an application list. The config application list command uses application list numbers to identify applications. SIP is application number 12. Use the following command to enable SIP support in an application list:

    config application list
      edit <list_name>
        config entries
          edit 12
        end
    end

Entering this command enables SIP support with all SIP settings set to defaults. See the FortiGate CLI Reference for information about all of the SIP settings and their defaults.

Setting SIP rate limiting from the CLI

Use the following command to enable SIP support in an application list and configure SIP rate limiting:

    config application list
      edit <list_name>
        config entries
          edit 12
            set register-rate 100
            set invite-rate 30
        end
    end

More about rate limiting

FortiGate units support rate limiting for the following types of VoIP traffic:
• Session Initiation Protocol (SIP)
• Skinny Call Control Protocol (SCCP)
• Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions (SIMPLE)

You can use rate limiting of these VoIP protocols to protect the FortiGate unit and your network from SIP and SCCP Denial of Service (DoS) attacks. Rate limiting protects against SIP DoS attacks by limiting the number of SIP REGISTER and INVITE requests that the FortiGate unit receives per second. From the web-based manager, you can set two rate limits. From the CLI, you can enable rate limiting for a more extensive range of SIP requests, including ACK, INFO, NOTIFY, OPTIONS, PRACK, REFER, SUBSCRIBE, and UPDATE. Rate limiting protects against SCCP DoS attacks by limiting the number of SCCP call setup messages that the FortiGate unit receives per minute.

When VoIP rate limiting is enabled, if the FortiGate unit receives more messages per second (or minute) than the configured rate, the extra messages are dropped. If you are experiencing denial of service attacks from traffic using these VoIP protocols, you can enable VoIP rate limiting and limit the rates for your network. Limit the rates depending on the amount of SIP and SCCP traffic that you expect the FortiGate unit to be handling. You can adjust the settings if some calls are lost or if the amount of SIP or SCCP traffic is affecting FortiGate unit performance. For more information, see the FortiGate CLI Reference.
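The drop-above-rate behaviour described above, as an added illustration in Python (this is not FortiOS code; the one-second fixed window, the limit values and the constructed REGISTER/INVITE burst are assumptions for the example). Requests of a limited method that exceed the configured per-second rate are dropped, while responses and unlimited methods pass untouched:

```python
"""Per-second SIP request rate limiting by method, modelled on the
register-rate / invite-rate settings described above: once more requests of a
limited method arrive within a second than the configured rate, the extra
ones are dropped, while responses and unlimited methods pass.

Added example, not FortiOS code. The fixed one-second window, the limit
values and the constructed flood are assumptions for this illustration."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


def sip_method(message: str) -> Optional[str]:
    """Return the request method of a SIP message, or None for a response."""
    request_line = message.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) == 3 and parts[2].startswith("SIP/") and parts[0].isupper():
        return parts[0]
    return None   # e.g. "SIP/2.0 200 OK" is a status line, not a request


class SipRateLimiter:
    """Fixed one-second window: at most limits[method] requests per second."""

    def __init__(self, limits: Dict[str, int]):
        self.limits = {m: n for m, n in limits.items() if n > 0}   # 0 = unlimited
        self._seen: Dict[Tuple[str, int], int] = defaultdict(int)

    def accept(self, message: str, now: float) -> bool:
        method = sip_method(message)
        if method is None or method not in self.limits:
            return True
        window = (method, int(now))
        self._seen[window] += 1
        return self._seen[window] <= self.limits[method]


def simulate(limiter: SipRateLimiter, messages: List[str],
             interval: float) -> Dict[str, Tuple[int, int]]:
    """Feed messages `interval` seconds apart; return (accepted, dropped) per method."""
    stats: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    t = 0.0
    for msg in messages:
        key = sip_method(msg) or "RESPONSE"
        stats[key][0 if limiter.accept(msg, t) else 1] += 1
        t += interval
    return {k: (v[0], v[1]) for k, v in stats.items()}


def build_flood() -> List[str]:
    """Constructed burst: 50 REGISTERs, 10 INVITEs and one response from one phone."""
    reg = ("REGISTER sip:pbx.example.com SIP/2.0\r\n"
           "Via: SIP/2.0/UDP 10.0.0.5:5060\r\n\r\n")
    inv = ("INVITE sip:1001@pbx.example.com SIP/2.0\r\n"
           "Via: SIP/2.0/UDP 10.0.0.5:5060\r\n\r\n")
    ok = "SIP/2.0 200 OK\r\n\r\n"
    return [reg] * 50 + [inv] * 10 + [ok]


if __name__ == "__main__":
    # Everything lands inside one second: the surplus over each rate is dropped.
    print(simulate(SipRateLimiter({"REGISTER": 20, "INVITE": 5}), build_flood(), 0.01))
    # The same traffic spread out one message per second is within the rate and passes.
    print(simulate(SipRateLimiter({"REGISTER": 20, "INVITE": 5}), build_flood(), 1.0))
```

Run with a burst interval of 0.01 s the limiter keeps 20 of the 50 REGISTERs and 5 of the 10 INVITEs; spread one per second the same messages all pass, which is why the text recommends sizing the rates to the traffic you expect rather than to the attack you fear.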

Enabling advanced SIP features in an application list

You can configure advanced SIP features for an application list. From the CLI you can configure additional SIP and SCCP settings, as well as SIMPLE extensions. You can also block SIMPLE sessions by enabling block login for the SIMPLE application. For more information, see the description of the config sip, config sccp, and config simple subcommands of the application command in the FortiGate CLI Reference, and "Application Control" on page 523.

Enabling SIP logging

You can log SIP events in a protection profile. Go to Firewall > Protection Profile. Open an existing profile or select Create New to create a new profile. Expand Logging. Select Log VoIP Activity to log VoIP events. For more information about enabling and configuring logging, see "Log&Report" on page 647.

Turning on SIP tracking

The FortiGate SIP ALG (Application Level Gateway) tracks the SIP session over its life span. A SIP session (or SIP dialog) is normally established after the SIP INVITE procedure. The ALG then tracks this call as a SIP session. A session can end by the regular BYE procedure, such as callers hanging up the phone, or by an unexpected signalling or transport error. You can continue tracking a SIP session for a specified period of time even when RTP (Real-time Transport Protocol) is lost. From the CLI, type the following commands:

    config application list
      edit <list_name>
        config entries
          edit 12
            set call-keepalive <integer>
        end
    end

Managing RTP pinholing

Once you create a firewall policy that allows SIP, the FortiGate ALG will automatically open the respective RTP ports as long as the SIP session is alive. You can also manually close RTP ports. This may be useful in cases where the FortiGate unit only acts as a signalling firewall while RTP is bypassed; no pinholes then need to be created. From the CLI, type the following commands:

    config application list
      edit <list_name>
        config entries
          edit 12
            set rtp disable
        end
    end

fortinet. INVITE. To prevent your site from being used as an intermediary in an attack. This allows the SIP server to parse this IP for billing purposes.com/ • Feedback 435 . you can type the following commands to block INVITE requests: config application list edit <list_name> config entries edit 12 set block-invite enable end end Archiving SIP communication You can content archive SIP call metadata. type the following commands: config application list edit <list_name> config entries edit 12 set sip-archive-summary enable end end Preserving NAT IP In NAT operation mode. FortiGate Version 4. For example.0 Administration Guide 01-400-89802-20090424 http://docs. you can block various SIP requests including ACK. and so on directed to broadcast addresses at your router. PRACK. see “Log&Report” on page 647. For more information. INFO. you can view the archived information. Depending on your log configuration. type the following commands: config application list edit <list_name> config entries edit 12 set nat-trace enable end end In addition. you can overwrite or append the SDP i line: config application list edit <list_name> config entries edit 12 set preserve-override {enable | disable} end end where selecting enable removes the original source IP address from the SDP i line and disable appends the address. From the CLI. broadcast attacks are possible. From the CLI.SIP support Configuring SIP Blocking SIP requests Since SIP requests can be transmitted via UDP. you can preserve the original source IP address in the SDP i line.

Controlling SIP client connection

You can control the SIP client to only connect to the registrar itself. This can avoid VoIP spoofing. From the CLI, type the following commands:

    config application list
      edit <list_name>
        config entries
          edit 12
            set strict-register enable
        end
    end

Accepting SIP register response

You can enable reg-diff-port to accept a SIP register response from a SIP server even if the source port of the register response is different from the destination port of the register request. Most SIP servers use 5060 as the source port in the SIP register response. Some SIP servers, however, may use a different source port. If your SIP server uses a different source port, you can enable reg-diff-port and the FortiGate SIP ALG will create a temporary pinhole when receiving a register request from a SIP client. As a result, the FortiGate unit will accept a register response with any source port number from the SIP server. From the CLI, type the following commands:

    config application list
      edit <list_name>
        config entries
          edit 12
            set reg-diff-port enable
        end
    end

Controlling the SIP ALG

You can enable contact-fixup so that the FortiGate ALG performs normal SIP NAT translation of SIP contact headers as SIP sessions pass through the FortiGate unit. Disable contact-fixup if you do not want the FortiGate ALG to perform normal SIP NAT translation of the SIP contact header when a Record-Route header is also present. If contact-fixup is disabled, the FortiGate ALG does the following with contact headers:
• For Contact in Requests, if a Record-Route header is present and the request comes from the external network, the SIP Contact header is not translated.
• For Contact in Responses, if a Record-Route header is present and the response comes from the external network, the SIP Contact header is not translated.

For this to work, the FortiGate ALG must be able to identify the external network. To identify the external network, you must use the config system interface command to set the external keyword to enable for the interface that is connected to the external network. From the CLI, type the following commands:

    config application list
      edit <list_name>
        config entries
          edit 12
            set contact-fixup {enable | disable}
        end
    end
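The two ALG behaviours above, the contact-fixup rule from "Controlling the SIP ALG" and the nat-trace / preserve-override handling of the SDP i line from "Preserving NAT IP", as one added Python illustration. This is not FortiOS code: the documentation-range addresses, the sample INVITE and 200 OK, and the exact text written into the i line are assumptions for the example, and a real ALG also rewrites Via, Route and the SDP o= line, which are left alone here.

```python
"""SIP ALG header and SDP rewriting, modelled on the contact-fixup and
nat-trace / preserve-override behaviour described above.

Added example, not FortiOS code. The addresses, the sample messages and the
exact text written into the SDP i line are assumptions for the illustration;
real ALGs also rewrite Via, Route and o= lines, which are left alone here."""
from typing import List, Tuple

Headers = List[Tuple[str, str]]


def parse_sip(raw: str) -> Tuple[str, Headers, str]:
    """Split a SIP message into (start line, ordered headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialize_sip(start: str, headers: Headers, body: str) -> str:
    """Re-assemble a message; Content-Length, if present, is recomputed."""
    fixed = [(n, str(len(body.encode())) if n.lower() == "content-length" else v)
             for n, v in headers]
    return start + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in fixed) + "\r\n" + body


def has_header(headers: Headers, name: str) -> bool:
    return any(n.lower() == name.lower() for n, _ in headers)


def rewrite_sdp(body: str, match_ip: str, new_ip: str,
                nat_trace: bool, preserve_override: bool) -> str:
    """Translate c= lines and, with nat-trace, record the original address in i=."""
    if not body:
        return body
    lines = body.rstrip("\r\n").split("\r\n")
    out: List[str] = []
    had_i_line = False
    for line in lines:
        if line.startswith("c="):
            line = line.replace(match_ip, new_ip)
        elif line.startswith("i=") and nat_trace:
            had_i_line = True
            # preserve-override enable: overwrite the i line; disable: append to it
            line = f"i={match_ip}" if preserve_override else f"{line} {match_ip}"
        out.append(line)
    if nat_trace and not had_i_line:
        # no i line in the offer: add one after s= (SDP order is v, o, s, i)
        at = next((k + 1 for k, l in enumerate(out) if l.startswith("s=")), len(out))
        out.insert(at, f"i={match_ip}")
    return "\r\n".join(out) + "\r\n"


def alg_translate(raw: str, match_ip: str, new_ip: str, *, from_external: bool,
                  contact_fixup: bool = True, nat_trace: bool = False,
                  preserve_override: bool = True) -> str:
    """Rewrite match_ip to new_ip in Contact and SDP, honouring the ALG settings."""
    start, headers, body = parse_sip(raw)
    # contact-fixup disabled + Record-Route present + message from the external
    # interface: leave Contact untouched (applies to requests and responses alike)
    leave_contact = (not contact_fixup and from_external
                     and has_header(headers, "Record-Route"))
    new_headers: Headers = []
    for name, value in headers:
        if name.lower() == "contact" and not leave_contact:
            value = value.replace(match_ip, new_ip)
        new_headers.append((name, value))
    # nat-trace records the pre-NAT address of the internal caller, so it is
    # applied only to offers leaving the inside (assumption for this example)
    body = rewrite_sdp(body, match_ip, new_ip,
                       nat_trace and not from_external, preserve_override)
    return serialize_sip(start, new_headers, body)


# Constructed sample messages (documentation address ranges; Content-Length is
# recomputed on output, so the placeholder 0 is fine).
INVITE_FROM_PHONE = (
    "INVITE sip:1001@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.10:5060\r\n"
    "Contact: <sip:2002@192.168.1.10:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.1.10\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.1.10\r\n"
    "m=audio 4000 RTP/AVP 0\r\n"
)
OK_FROM_SERVER = (
    "SIP/2.0 200 OK\r\n"
    "Record-Route: <sip:203.0.113.5;lr>\r\n"
    "Contact: <sip:1001@203.0.113.60:5060>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(alg_translate(INVITE_FROM_PHONE, "192.168.1.10", "203.0.113.5",
                        from_external=False, nat_trace=True))
    print(alg_translate(OK_FROM_SERVER, "203.0.113.60", "10.0.0.60",
                        from_external=True, contact_fixup=False))
```

The first call shows an inside phone's INVITE leaving with its Contact and c= line translated to the public address and an i= line carrying the pre-NAT address for the provider's billing; the second shows a 200 OK from the external side with a Record-Route header left untranslated because contact-fixup is disabled. Remove the Record-Route header, or enable contact-fixup, and the same response gets its Contact rewritten.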


AntiVirus

This section describes how to configure the antivirus options associated with firewall protection profiles. From a protection profile you can configure the FortiGate unit to apply antivirus protection to HTTP, FTP, IMAP, POP3, SMTP, IM, and NNTP sessions. If your FortiGate unit supports SSL content scanning and inspection you can also configure antivirus protection for HTTPS, IMAPS, POP3S, and SMTPS sessions. For more information, see "SSL content scanning and inspection" on page 399.

If you enable virtual domains (VDOMs) on the FortiGate unit, most antivirus options are configured separately for each virtual domain. However, the file quarantine, the virus list and the grayware list are part of the global configuration. Only administrators with global access can configure and manage the file quarantine, view the virus list, and configure the grayware list. For details, see "Using virtual domains" on page 103.

This section describes:
• Order of operations
• Antivirus tasks
• Antivirus settings and controls
• File Filter
• File Quarantine
• Viewing the virus database information
• Viewing and configuring the grayware list
• Antivirus CLI configuration

Order of operations

Antivirus scanning function includes various modules and engines that perform separate tasks. The FortiGate unit performs antivirus processing in the following order:
• File size
• File pattern
• Virus scan
• Grayware
• Heuristics
• File type

The file type check is applied last, after heuristics, as the task descriptions and Figure 276 below show. If a file fails any of the tasks of the antivirus scan, no further scans are performed. For example, if the file "fakefile.EXE" is recognized as a blocked pattern, the FortiGate unit will send the end user a replacement message and the file will be deleted or quarantined. The virus scan, grayware, heuristics, and file type scans will not be performed as the file has already been determined to be a threat and has been dealt with.

Note: File filter includes file pattern and file type scans, which are applied at different stages in the antivirus process.

Figure 276: Order of operation (flow: FTP, NNTP, POP3, SMTP, or IMAP traffic, after web filter and spam checking, is buffered; if the file or email exceeds the oversized threshold, the Oversized file/email action decides whether it is blocked or passed; otherwise the file is checked for a file pattern match (matching file pattern action: block or allow), an AV scan for infection, and a file type match (matching file type action: block or allow); a file that passes every check is passed)

Antivirus tasks

The antivirus tasks work in sequence to efficiently scan incoming files and offer your network unparalleled antivirus protection. The first four tasks have specific functions; the fifth, the heuristics, is to cover any new, previously unknown, virus threats. To ensure that your system is providing the most protection available, all virus definitions and signatures are updated regularly through the FortiGuard antivirus services. The tasks will be discussed in the order that they are applied, followed by FortiGuard antivirus.

File size

This task checks if files and email messages exceed configured thresholds. The action taken on a file or message that exceeds the threshold (block or pass) is set with the Oversized File/Email option under Firewall > Protection Profile > Antivirus. For more information, see "Anti-Virus options" on page 407.

File pattern

Once a file is accepted, the FortiGate unit applies the file pattern recognition filter. The FortiGate unit will check the file against the file pattern setting you have configured. If the file is a blocked pattern, ".EXE" for example, then it is stopped and a replacement message is sent to the end user. No other levels of protection are applied. If the file is not a blocked pattern, the next level of protection is applied.

Virus scan

If the file passes the file pattern scan, it will have a virus scan applied to it. The virus definitions are kept up to date through the FortiGuard Distribution Network. The list is updated on a regular basis so you do not have to wait for a firmware upgrade. For more information on updating virus definitions, see "FortiGuard antivirus" on page 441.

Grayware

Once past the virus scan, the incoming file will be checked for grayware. Grayware configurations can be turned on and off as required and are kept up to date in the same manner as the antivirus definitions. For more information on configuring grayware, see "Viewing and configuring the grayware list" on page 452.

Heuristics

After an incoming file has passed the grayware scan, it is subjected to the heuristics scan. The FortiGate heuristic antivirus engine, if enabled, performs tests on the file to detect virus-like behavior or known virus indicators. In this way, heuristic scanning may detect new viruses, but may also produce some false positive results.

Note: Heuristics is configurable only through the CLI. See the FortiGate CLI Reference.

File type

Once a file passes the heuristic scan, the FortiGate unit applies the file type recognition filter. The FortiGate unit will check the file against the file type setting you have configured. If the file is a blocked type, then it is stopped and a replacement message is sent to the end user. No other levels of protection are applied. If the file is not a blocked type, it has passed every antivirus task and is delivered.

FortiGuard antivirus

FortiGuard antivirus services are an excellent resource and include automatic updates of virus and IPS (attack) engines and definitions, as well as the local spam DNSBL, through the FortiGuard Distribution Network (FDN). The FortiGuard Center also provides the FortiGuard antivirus virus and attack encyclopedia and the FortiGuard Bulletin. Visit the Fortinet Knowledge Center for details and a link to the FortiGuard Center. The connection between the FortiGate unit and FortiGuard Center is configured in System > Maintenance > FortiGuard. See "Configuring the FortiGate unit for FDN and FortiGuard subscription services" on page 266 for more information.

Antivirus settings and controls

While antivirus settings are configured for system-wide use, specific settings can be implemented on a per profile basis. Table 44 compares antivirus options in protection profiles and the antivirus menu.

Note: If virtual domains are enabled, you configure antivirus file filtering and antivirus settings in protection profiles separately for each virtual domain. Antivirus file quarantine and grayware settings are part of the global configuration.

Table 44: Antivirus and Protection Profile antivirus configuration

Virus Scan
  Protection profile option: Enable or disable virus scanning for each supported protocol: HTTP, FTP, IMAP, POP3, SMTP, IM, and NNTP. If your FortiGate unit supports SSL content scanning and inspection you can also enable virus scanning for HTTPS, IMAPS, POP3S, and SMTPS.
  Antivirus setting: UTM > AntiVirus > Virus Database: view a read-only list of current viruses. UTM > AntiVirus > Grayware: enable or disable blocking of grayware by category.

File Filter
  Protection profile option: Enable or disable file pattern and file type handling for each protocol.
  Antivirus setting: UTM > AntiVirus > File Filter: configure file patterns and types to block or allow files. Patterns and types can also be individually enabled or disabled.

Quarantine
  Protection profile option: Enable or disable quarantining for each protocol. File Quarantine is only available on units with a local disk, or with a configured FortiAnalyzer unit.
  Antivirus setting: UTM > AntiVirus > Quarantined Files: view and sort the list of quarantined files, configure file patterns to upload automatically to Fortinet for analysis, and configure quarantining options in AntiVirus.

Oversized file/email
  Protection profile option: Configure the FortiGate unit to block or pass oversized files and email messages for each protocol.
  Antivirus setting: Set the size thresholds for files and email messages for each protocol in AntiVirus.

Pass fragmented email messages
  Protection profile option: Enable or disable passing fragmented email messages. Fragmented email messages cannot be scanned for viruses.

Comfort Clients
  Protection profile option: Enable or disable for HTTP and FTP traffic (and HTTPS traffic if your FortiGate unit supports SSL content scanning and inspection and HTTPS content filtering mode is set to Deep Scan in the protocol recognition part of the protection profile). Set the interval and byte amount to trigger client comforting.

Add signature to outgoing email messages
  Protection profile option: Create and enable a signature to append to outgoing email messages (SMTP only).

File Filter

Configure the FortiGate file filter to block files by:
• File pattern: Files can be blocked by name, extension, or any other pattern. File pattern blocking provides the flexibility to block potentially harmful content. For example, adding *.exe to the file pattern list also blocks any files ending in .EXE. File pattern entries are not case sensitive.
• File type: Files can be blocked by type. When blocking by file type, the FortiGate unit analyzes the file and determines the file type regardless of the file name, without relying on the file name to indicate what type of file it is. For details about supported file types, see "Built-in patterns and supported file types" on page 443.

The FortiGate unit can take any of the following three actions towards the files that match a configured file pattern or type:
• Allow: the file will be allowed to pass.
• Block: the file will be blocked and a replacement message will be sent to the user. The FortiGate unit also writes a message to the virus log and sends an alert email message if configured to do so.
• Intercept: available from the Action list when you add a file pattern or type to a file filter list (see "Configuring the file filter list" on page 445).

If both file filter and virus scan are enabled, the FortiGate unit blocks files that match the enabled file filter and does not scan these files for viruses. Files are compared to the enabled file patterns and then the file types, from top to bottom. If a file does not match any specified patterns or types, it is passed along to antivirus scanning (if enabled). In effect, files are passed if not explicitly blocked.

Using the allow action, this behavior can be reversed, with all files being blocked unless explicitly passed. Simply enter all the file patterns or types to be passed with the allow attribute. At the end of the list, add an all-inclusive wildcard (*.*) with a block action. Allowed files continue to antivirus scanning (if enabled) while files not matching any allowed patterns are blocked by the wildcard at the end.

For standard operation, you can choose to disable file filter in the protection profile, and enable it temporarily to block specific threats as they occur. For details, see "Configuring the file filter list" on page 445.

Built-in patterns and supported file types

The FortiGate unit is preconfigured with a default list of file patterns:
• executable files (*.bat, *.com, and *.exe)
• compressed or archive files (*.gz, *.rar, *.tar, *.tgz, and *.zip)
• dynamic link libraries (*.dll)
• HTML application (*.hta)
• Microsoft Office files (*.doc, *.ppt, *.xl?)
• Microsoft Works files (*.wps)
• Visual Basic files (*.vb?)
• screen saver files (*.scr)
• program information files (*.pif)
• control panel files (*.cpl)

In addition to the built-in patterns, you can specify more file patterns to block. The FortiGate unit can take actions against the following file types:
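The evaluation order just described (enabled entries top to bottom, file name patterns before file types, first match wins, implicit pass otherwise, and the inverted allow-list ending in a *.* block), together with content-based type detection that ignores the file name, as an added Python illustration. This is not FortiOS code: the magic-byte table covers only a few of the types in Table 45, and the two lists and the sample files are constructed for the example.

```python
"""Ordered file-filter evaluation as described above: enabled entries are
compared top to bottom, file name patterns first and then file types, and the
first match decides; a file matching nothing is passed on to virus scanning.
Patterns are case-insensitive with * and ? wildcards; file type is decided
from the content, not the name.

Added example, not FortiOS code. The magic-byte table (a small subset of the
types in Table 45), the two lists and the sample files are constructed for
this illustration."""
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class FilterEntry:
    kind: str            # "pattern" (file name) or "type" (content-detected type)
    value: str           # wildcard pattern, or a type name such as "exe"
    action: str          # "block", "allow" or "intercept"
    enabled: bool = True


# Leading bytes -> type name; the real engine recognises every type in Table 45.
MAGIC: List[Tuple[bytes, str]] = [
    (b"MZ", "exe"),
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"),
    (b"Rar!\x1a\x07", "rar"),
    (b"BZh", "bzip2"),
    (b"\xd0\xcf\x11\xe0", "msoffice"),
]


def detect_type(data: bytes) -> str:
    """Content sniffing: the name is ignored, so a renamed .exe is still 'exe'."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    if data.lstrip().lower().startswith((b"<html", b"<!doctype html")):
        return "html"
    return "unknown"   # 'unknown' = any type not in the table


def evaluate(entries: List[FilterEntry], filename: str,
             data: bytes) -> Tuple[str, Optional[FilterEntry]]:
    """First enabled match wins; all pattern entries are tried before type entries."""
    ftype = detect_type(data)
    for kind in ("pattern", "type"):
        for entry in entries:
            if not entry.enabled or entry.kind != kind:
                continue
            if kind == "pattern" and fnmatch.fnmatchcase(filename.lower(), entry.value.lower()):
                return entry.action, entry
            if kind == "type" and entry.value == ftype:
                return entry.action, entry
    return "allow", None     # implicit pass: the file continues to virus scanning


def run(entries: List[FilterEntry],
        files: Dict[str, bytes]) -> Dict[str, str]:
    """Action chosen for every sample file under the given list."""
    return {name: evaluate(entries, name, data)[0] for name, data in files.items()}


# A blocklist in the style of the built-in patterns, plus a type rule that
# catches executables regardless of what they are called.
BLOCKLIST = [
    FilterEntry("pattern", "*.exe", "block"),
    FilterEntry("pattern", "*.scr", "block"),
    FilterEntry("pattern", "*.zip", "block", enabled=False),   # temporarily disabled
    FilterEntry("type", "exe", "block"),
]

# The inverted list from the text: allow the named patterns, block everything else.
ALLOWLIST = [
    FilterEntry("pattern", "*.pdf", "allow"),
    FilterEntry("pattern", "*.txt", "allow"),
    FilterEntry("pattern", "*.*", "block"),
]

# Constructed sample files: name -> first bytes of the content.
SAMPLES: Dict[str, bytes] = {
    "Report.EXE": b"MZ\x90\x00\x03",      # blocked by *.exe (patterns are case-insensitive)
    "archive.zip": b"PK\x03\x04\x14",     # *.zip entry is disabled, type is zip -> passes
    "invoice.pdf": b"%PDF-1.4\n",         # matches nothing -> passes to virus scanning
    "photo.jpg": b"MZ\x90\x00\x03",       # renamed executable, caught by the type rule
}

if __name__ == "__main__":
    print(run(BLOCKLIST, SAMPLES))
    print(run(ALLOWLIST, SAMPLES))
```

The photo.jpg case is the reason to keep a type entry next to the name patterns: a *.exe pattern never sees a renamed executable, but the content check does. Note that under the allow-list the same file is blocked by the trailing *.* entry, and that an allowed file still goes on to the virus scan.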

Table 45: Supported file types
exe, gzip, bzip, aspack, unknown, bat, rar, activemime, jad, ignored, mime, tar, hlp, class, javascript, lzh, arj, cod, html, upx, base64, msc, hta, zip, binhex, petite, msoffice, cab, uue, sis, elf, bzip2, fsg, prc

Note: The "unknown" type is any file type that is not listed in the table. The "ignored" type is the traffic the FortiGate unit typically does not scan. This includes primarily streaming audio and video.

Viewing the file filter list catalog

You can add multiple file filter lists and then select the best file filter list for each protection profile. To view the file filter list catalog, go to UTM > AntiVirus > File Filter. To view any individual file filter list, select the edit icon for the list you want to see.

Figure 277: Sample file pattern list catalog

Note: The default file pattern list catalog is called builtin-patterns.

Create New: Select Create New to add a new file filter list to the catalog.
Name: The available file filter lists.
# Entries: The number of file patterns or file types in each file filter list.
Profiles: The protection profiles each file filter list has been applied to.
DLP Rule: The DLP rules in which each filter is used.
Comments: Optional description of each file filter list.
Delete icon: Select to remove the file filter list from the catalog. The delete icon is only available if the file filter list is not selected in any protection profiles.
Edit icon: Select to edit the file filter, its name and comment.

Creating a new file filter list

To add a file pattern list to the file pattern list catalog, go to UTM > AntiVirus > File Filter and select Create New. The file filter list will be used in protection profiles. For more information, see "Anti-Virus options" on page 407.

Figure 278: New File Filter List dialog box

Name: Enter the name of the new list.
Comment: Enter a comment to describe the list, if required.

Viewing the file filter list

To view the file filter list, go to UTM > AntiVirus > File Filter and select the edit icon of the file filter list you want to view.

Figure 279: Sample file filter list

The file filter list has the following icons and features:

Name: File filter list name. To change the name, edit the text in the name field and select OK.
Comment: Optional comment. To add or edit the comment, enter text in the comment field and select OK.
OK: If you make changes to the list name or comments, select OK to save the changes.
Create New: Select Create New to add a new file pattern or type to the file filter list.
Filter: The current list of file patterns and types.
Action: Files matching the file patterns and types can be set to block, allow, or intercept. For information about actions, see "File Filter" on page 443.
Enable: Clear the checkbox to disable the file pattern or type.
Delete icon: Select to remove the file pattern or type from the list.
Edit icon: Select to edit the file pattern/type and action.
Move To icon: Select to move the file pattern or type to any position in the list.

Configuring the file filter list

For file patterns, you can add a maximum of 5000 patterns to a list. For file types, you can only select from the supported types.

Figure 280: New file filter

To add a file pattern or type, go to UTM > AntiVirus > File Filter. Select the Edit icon for a file filter catalog. Select Create New.

Filter Type: Select File Name Pattern if you want to add a file pattern. To add a file type, select File Type and then select a file type from the supported file type list.
Pattern: Enter the file pattern. The file pattern can be an exact file name or can include wildcards. The file pattern can be 80 characters long.
File Type: Select a file type from the list. For information about supported file types, see "Built-in patterns and supported file types" on page 443.
Action: Select an action from the drop down list: Block, Allow, or Intercept. For more information about actions, see "File Filter" on page 443.
Enable: Select to enable the pattern.

File Quarantine

FortiGate units with a local disk, or FortiGate units with a single width AMC slot containing a FortiGate-ASM-S08 module or a FortiGate-ASM-SAS module, can quarantine blocked and infected files. View the file name and status information about the file in the Quarantined Files list. Submit specific files and add file patterns to the AutoSubmit list so they will automatically be uploaded to Fortinet for analysis.

FortiGate units can also quarantine blocked and infected files to a FortiAnalyzer unit. Files stored on the FortiAnalyzer unit can also be viewed from the Quarantined Files list. To configure quarantine to a FortiAnalyzer unit, go to Log & Report > Log Config > Log Setting. For details, see "Configuring quarantine options" on page 449.

You can configure a protection profile to quarantine blocked and infected files from HTTP, FTP, IMAP, POP3, SMTP, IM, and NNTP traffic. If your FortiGate unit supports SSL content scanning and inspection you can also quarantine blocked and infected files from HTTPS, IMAPS, POP3S, and SMTPS traffic. To enable HTTPS quarantine you must set HTTPS Content Filtering Mode to Deep Scan in the Protocol Recognition part of the protection profile. For more information, see "SSL content scanning and inspection" on page 399.

To configure and enable file quarantine

1 Go to UTM > AntiVirus > Config to configure the quarantine service and destination.
2 Go to Firewall > Protection Profile > Antivirus to enable quarantine for the required protocols in the protection profiles. For details, see "Configuring a protection profile" on page 404.
3 Go to Firewall > Policy and add the protection profile to a firewall policy.

Viewing the File Quarantine list

The Quarantined Files list displays information about each file quarantined because of virus infection or file blocking. To view the Quarantined Files list, go to UTM > AntiVirus > Quarantined Files.

Figure 281: File Quarantine list

The file quarantine list displays the following information about each quarantined file:

Source: Either FortiAnalyzer or Local disk, depending on where you configured quarantined files to be stored.
Sort by: Sort the list. Choose from: Status, Service, File Name, Date, TTL, or Duplicate Count. Select Apply to complete the sort.
Filter: Filter the list to view only quarantined files with a specific status or from a specific service. Choose either Status (infected, blocked, or heuristics) or Service (IMAP, POP3, SMTP, FTP, HTTP, IM, NNTP, IMAPS, POP3S, SMTPS, or HTTPS). Select Apply to complete the filtering. Heuristics mode is configurable through the CLI only. See "Antivirus CLI configuration" on page 453.
Apply: Select to apply the sorting and filtering selections to the list of quarantined files.
Delete: Select to delete the selected files.
Page Controls: Use the controls to page through the list. For details, see "Using page controls on web-based manager lists" on page 57.
Remove All Entries: Removes all quarantined files from the local hard disk. This icon only appears when the files are quarantined to the hard disk.
File Name: The processed file name of the quarantined file. When a file is quarantined, all spaces are removed from the file name, and a 32-bit checksum is performed on the file. The checksum appears in the replacement message but not in the quarantined file. The file is stored on the FortiGate hard disk with the following naming convention: <32bit_CRC>.<processed_filename>. For example, a file named Over Size.exe is stored as 3fc155d2.oversize.exe.
Date: The date and time the file was quarantined, in the format dd/mm/yyyy hh:mm. This value indicates the time that the first file was quarantined if the duplicate count increases.
Service: The service from which the file was quarantined (HTTP, FTP, IMAP, POP3, SMTP, IM, or NNTP). If your FortiGate unit supports SSL content scanning and inspection, Service can also be IMAPS, POP3S, SMTPS, or HTTPS.

Status: The reason the file was quarantined: infected, heuristics, or blocked.

Status Description: Specific information related to the status, for example, “File is infected with “W32/Klez.h”” or “File was stopped by file block pattern.”

DC: Duplicate count. A count of how many duplicates of the same file were quarantined. A rapidly increasing number can indicate a virus outbreak.

TTL: Time to live in the format hh:mm. When the TTL elapses, the FortiGate unit labels the file as EXP under the TTL heading. In the case of duplicate files, each duplicate found refreshes the TTL. The TTL information is not available if the files are quarantined on a FortiAnalyzer unit.

Upload status: Y indicates the file has been uploaded to Fortinet for analysis; N indicates the file has not been uploaded. This option is available only if the FortiGate unit has a local hard disk.

Download icon: Select to download the corresponding file in its original format. This option is available only if the FortiGate unit has a local hard disk.

Submit icon: Select to upload a suspicious file to Fortinet for analysis. This option is available only if the FortiGate unit has a local hard disk.

Note: Duplicates of files (based on the checksum) are not stored, only counted. The TTL value and the duplicate count are updated each time a duplicate of a file is found.

Viewing the AutoSubmit list

If the FortiGate unit has a local hard disk, you can configure the FortiGate unit to upload suspicious files automatically to Fortinet for analysis. Upload files to Fortinet based on status (blocked or heuristics), or submit individual files directly from the file quarantine. The FortiGate unit uses encrypted email to autosubmit files to an SMTP server through port 25. The autosubmit feature is not available on the FortiGate models without a local hard disk.

You can add file patterns to the AutoSubmit list using wildcard characters (* or ?). File patterns are applied for AutoSubmit regardless of file blocking settings.

To view the AutoSubmit list, go to UTM > AntiVirus > AutoSubmit.

Figure 282: Sample AutoSubmit list

The AutoSubmit list has the following icons and features:

Create New: Select to add a new file pattern to the AutoSubmit list.

File Pattern: The current list of file patterns that will be automatically uploaded. Create a pattern by using ? or * wildcard characters.

Enable: Enable the check box to enable all file patterns in the list.

Delete icon: Select to remove the entry from the list.

Edit icon: Select to edit the following information: File Pattern and Enable.
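The naming convention and the duplicate-count/TTL behaviour described above, modelled in Python as an added illustration; this is not FortiGate code. The guide only says "32-bit checksum" and "<32bit_CRC>", so CRC-32 via zlib.crc32 is an assumption, as are lower-casing of the processed name (inferred from the Over Size.exe example) and a duplicate count that starts at 0. The sample payload and timestamps are constructed.

```python
import zlib


def processed_filename(name: str) -> str:
    """Processed name: spaces removed, as the guide states. Lower-casing is an
    assumption taken from the guide's 'Over Size.exe' -> 'oversize.exe' example."""
    return name.replace(" ", "").lower()


def crc32_hex(data: bytes) -> str:
    """The 32-bit checksum as 8 hex digits. Assumed to be CRC-32 (zlib.crc32);
    the guide only says '<32bit_CRC>'."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def quarantine_filename(name: str, data: bytes) -> str:
    """On-disk name using the guide's convention <32bit_CRC>.<processed_filename>."""
    return f"{crc32_hex(data)}.{processed_filename(name)}"


class QuarantineEntry:
    """One row of the Quarantined Files list. Times are plain seconds."""

    def __init__(self, stored_name, service, status, now, ttl_seconds):
        self.stored_name = stored_name
        self.service = service
        self.status = status
        self.first_seen = now           # Date column: when the first copy arrived
        self.expires = now + ttl_seconds
        self.duplicate_count = 0        # DC column; starting at 0 is an assumption

    def ttl_label(self, now):
        """TTL column: hh:mm remaining, or EXP once the TTL has elapsed."""
        remaining = self.expires - now
        if remaining <= 0:
            return "EXP"
        hours, rest = divmod(remaining, 3600)
        return f"{hours:02d}:{rest // 60:02d}"


class QuarantineStore:
    """Local-disk quarantine keyed by checksum, with the list semantics the
    guide describes: duplicates are counted, not stored, and refresh the TTL."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self.entries = {}   # crc hex -> QuarantineEntry
        self.blobs = {}     # crc hex -> bytes actually kept on disk

    def quarantine(self, name, data, service, status, now):
        crc = crc32_hex(data)
        entry = self.entries.get(crc)
        if entry is not None:
            # Same checksum: bump DC and refresh TTL; Date keeps the first time.
            entry.duplicate_count += 1
            entry.expires = now + self.ttl
            return entry
        entry = QuarantineEntry(quarantine_filename(name, data),
                                service, status, now, self.ttl)
        self.entries[crc] = entry
        self.blobs[crc] = data
        return entry

    def outbreak_candidates(self, threshold):
        """Names whose DC reached a threshold: the 'rapidly increasing number'
        the guide says can indicate a virus outbreak."""
        return [e.stored_name for e in self.entries.values()
                if e.duplicate_count >= threshold]


def simulate():
    """Constructed scenario: the same infected attachment arrives three times,
    over different mail services, within 40 minutes of a 1-hour TTL."""
    store = QuarantineStore(ttl_seconds=3600)
    payload = b"constructed sample payload, not a real file"
    t0 = 0
    first = store.quarantine("Over Size.exe", payload, "SMTP", "infected", t0)
    store.quarantine("Over Size.exe", payload, "POP3", "infected", t0 + 20 * 60)
    store.quarantine("over size.EXE", payload, "IMAP", "infected", t0 + 40 * 60)
    return {
        "stored_name": first.stored_name,   # "<crc>.oversize.exe"
        "files_on_disk": len(store.blobs),  # 1: duplicates are not stored
        "dc": first.duplicate_count,        # 2
        "date": first.first_seen,           # t0: first arrival, not the last
        "ttl_at_1h": first.ttl_label(t0 + 3600),   # refreshed at +40m -> "00:40"
        "ttl_at_2h": first.ttl_label(t0 + 7200),   # "EXP"
        "outbreak": store.outbreak_candidates(2),
    }
```

One consequence of keying on a 32-bit CRC is worth keeping in mind when reading the DC column: a CRC is not collision resistant, so two different files that happen to share a checksum are counted as duplicates of each other and only the first one is kept on disk. The duplicate count is therefore a coarse outbreak signal, and for incident work the downloaded original should be identified by a stronger hash before anything is concluded from it.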

Configuring the AutoSubmit list

To add a file pattern to the AutoSubmit list, go to UTM > AntiVirus > AutoSubmit. Note that the autosubmit feature is available only if your FortiGate unit has a local hard disk.

Figure 283: New File Pattern dialog box

File Pattern: Enter the file pattern or file name to be uploaded automatically to Fortinet.

Enable: Select to enable the file pattern.

Note: To enable automatic uploading of the configured file patterns, go to AntiVirus > File Quarantine > Config, select Enable AutoSubmit, and select Use File

Configuring quarantine options

Go to UTM > AntiVirus > Config to set quarantine configuration options, such as whether to quarantine blocked or infected files and from which service. You can configure quarantine options for HTTP, FTP, IMAP, POP3, SMTP, IM, and NNTP traffic. If your FortiGate unit supports SSL content scanning and inspection, you can also quarantine blocked and infected files from HTTPS, IMAPS, POP3S, and SMTPS traffic. For more information, see “SSL content scanning and inspection” on page 399. To enable HTTPS quarantine you must set HTTPS Content Filtering Mode to Deep Scan in the Protocol Recognition part of the protection profile.

Figure 284: Quarantine Configuration (quarantine to FortiAnalyzer unit)
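An added example, not FortiGate code, of how the AutoSubmit selection described in the AutoSubmit sections above can be modelled: wildcard patterns using only * and ? are translated into anchored regular expressions, and pattern matches are combined with status-based selection (blocked or heuristics) and the Y/N upload status from the quarantine list. Case-insensitive matching against the processed file name shown in the File Name column, and skipping files already marked Y, are assumptions; the quarantine rows (apart from the guide's own 3fc155d2.oversize.exe) and the patterns are constructed.

```python
import re


def pattern_to_regex(pattern: str):
    """Translate an AutoSubmit-style pattern ('*' = any run, '?' = one char)
    into an anchored, case-insensitive regex. Every other character is
    escaped, so '[' or '.' in a pattern match literally."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


class AutoSubmitList:
    """The AutoSubmit list: a list-level Enable switch plus per-entry
    (pattern, enabled) rows, as in the web-based manager."""

    def __init__(self, enabled: bool = True):
        self.enabled = enabled
        self.rows = []  # (compiled regex, original pattern, row enabled)

    def add(self, pattern: str, enabled: bool = True) -> None:
        self.rows.append((pattern_to_regex(pattern), pattern, enabled))

    def matches(self, file_name: str) -> bool:
        if not self.enabled:
            return False
        return any(rx.match(file_name) for rx, _, on in self.rows if on)


def select_for_autosubmit(quarantine, autosubmit, statuses):
    """Return the processed names of quarantined files due for upload.
    quarantine: rows with 'name', 'status' and 'uploaded' ('Y' or 'N').
    statuses: statuses submitted regardless of pattern (the guide names
    blocked and heuristics). Pattern matches apply regardless of file
    blocking settings, so they are OR-ed with the status rule. Skipping
    rows already marked 'Y' is an assumption."""
    chosen = []
    for row in quarantine:
        if row["uploaded"] == "Y":
            continue
        if row["status"] in statuses or autosubmit.matches(row["name"]):
            chosen.append(row["name"])
    return chosen


def demo_selection():
    """Constructed quarantine rows; CRC prefixes are placeholders except the
    guide's own 3fc155d2.oversize.exe example."""
    quarantine = [
        {"name": "3fc155d2.oversize.exe", "status": "blocked", "uploaded": "N"},
        {"name": "0badc0de.invoice.scr", "status": "infected", "uploaded": "N"},
        {"name": "deadbeef.report.pdf", "status": "heuristics", "uploaded": "Y"},
        {"name": "12345678.photo.jpg", "status": "infected", "uploaded": "N"},
    ]
    autosubmit = AutoSubmitList(enabled=True)
    autosubmit.add("*.scr")                  # submit every screensaver executable
    autosubmit.add("*.jpg", enabled=False)   # row present but switched off
    return select_for_autosubmit(quarantine, autosubmit, {"blocked", "heuristics"})
```

The translation is written by hand rather than with the standard library's fnmatch because fnmatch also treats [ ] as a character class; a file name containing a literal bracket would then match differently from the two-wildcard syntax the guide documents. Anchoring with ^ and $ matters too: without it, a pattern such as .exe would match any name containing that substring rather than names ending in it.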