
FortiGate

Version 4.0 MR1


Administration Guide
Visit http://support.fortinet.com to register your FortiGate product. By registering you can
receive product updates, technical support, and FortiGuard services.
FortiGate Administration Guide
Version 4.0 MR1
22 October 2009
01-410-89802-20091022
Copyright 2009 Fortinet, Inc. All rights reserved. No part of this publication including text, examples,
diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of
Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient,
FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam,
FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager,
Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and
FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual
companies and products mentioned herein may be the trademarks of their respective owners.
Contents
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20091022 3
http://docs.fortinet.com/ Feedback
Contents
Introduction ............................................................................................ 23
Fortinet products .......................................................................................................... 23
Before you begin........................................................................................................... 24
How this guide is organized......................................................................................... 24
Document conventions ................................................................................................ 27
IP addresses............................................................................................................. 27
Cautions, Notes and Tips ......................................................................................... 27
Typographical conventions....................................................................................... 27
CLI command syntax................................................................................................ 28
Registering your Fortinet product ............................................................................... 29
Fortinet products End User License Agreement ....................................................... 29
Customer service and technical support .................................................................... 29
Training .......................................................................................................................... 29
Fortinet documentation ............................................................................................... 30
Tools and Documentation CD................................................................................... 30
Fortinet Knowledge Base ......................................................................................... 30
Comments on Fortinet technical documentation ..................................................... 30
What's new in FortiOS 4.0 MR1 ............................................................ 31
New SIP ALG configuration options ........................................................................... 32
Opening and closing SIP register and non-register pinholes.................................... 32
Support for RFC 2543-compliant branch commands ............................................... 32
Easy FortiCare and FortiGuard services registration and renewal .......................... 32
Endpoint control enhancements ................................................................................. 32
Per-VDOM replacement messages.............................................................................. 33
Content archiving is now DLP archive........................................................................ 33
Topology viewer is now a custom web-based manager page.................................. 33
Usage page shows application, policy, and DLP archive usage.............................. 34
Alert Message Console enhancements ...................................................................... 34
WCCP widget ................................................................................................................. 34
SSL VPN enhancements............................................................................................... 34
Single Sign-On.......................................................................................................... 34
IP address ranges are now defined as firewall addresses ....................................... 35
OS Check changes................................................................................................... 35
Client check changes................................................................................................ 35
Virtual Desktop enhancements................................................................................. 35
Virtual Desktop Application Control .......................................................................... 35
Two-factor authentication ............................................................................................ 36
Force UTF-8 login..................................................................................................... 36
FortiGate wireless controller ....................................................................................... 36
Interface status detection for gateway load balancing ............................................. 36
Enhanced ECMP route failover and load balancing .................................................. 36
SCEP extensions........................................................................................................... 37
Dynamic routing for IPv6 traffic................................................................................... 37
router bgp command................................................................................................. 37
router access-list6..................................................................................................... 37
router ospf6............................................................................................................... 37
router prefix-list6....................................................................................................... 37
router ripng............................................................................................................... 38
get router info6 {bgp | ospf | protocols | rip}.............................................................. 38
IPv6 DNS ........................................................................................................................ 38
IPv6 Transparent mode ................................................................................................ 38
IPv6 administrative access .......................................................................................... 38
Network interface changes for IPv6 ............................................................................ 38
UTM features support IPv6 traffic................................................................................ 38
HTTP basic authentication in firewall policies ........................................................... 39
VDOM dashboard .......................................................................................................... 39
IPsec protocol improvements...................................................................................... 39
Support for IKE v2.................................................................................................... 39
Support for DH-2048 (Group 14) .............................................................................. 39
Support for SHA256.................................................................................................. 39
Auto-configuration of IPsec VPNs............................................................................... 40
IPsec Phase 1 configuration for IKE Configuration Method...................................... 40
IPsec Phase 2 configuration for IKE Configuration Method...................................... 40
Integral basic DNS server............................................................................................. 40
Creating local DNS entries ....................................................................................... 40
Enabling DNS on an interface.................................................................................. 41
Per-VDOM DNS configuration...................................................................................... 41
Password policy............................................................................................................ 41
Use LDAP groups in firewall and SSL-VPN authentication ...................................... 41
Traffic shaping enhancements .................................................................................... 42
Shared traffic shaping............................................................................................... 42
Per-IP traffic shaping................................................................................................ 42
Accounting and quota enforcement.......................................................................... 42
Logging enhancements................................................................................................ 42
Support for per-VDOM FortiAnalyzer units or syslog devices .................................. 42
SQL log format for Executive Summary reports ....................................................... 43
Antivirus changes ......................................................................................................... 43
Reliable syslog .............................................................................................................. 44
Web filtering combined block/exempt list .................................................................. 44
Web filtering by content header .................................................................................. 44
Safe search .................................................................................................................... 44
Data Leak Prevention supports international character sets ................................... 44
SNMPv3 enhancements................................................................................................ 45
Support for snmpEngineID....................................................................................... 45
Authentication and privacy........................................................................................ 45
Schedule groups ........................................................................................................... 45
RAID support ................................................................................................................. 46
Web-based manager .............................................................................. 47
Common web-based manager tasks ........................................................................... 48
Connecting to the web-based manager.................................................................... 48
Changing your FortiGate administrator password.................................................... 49
Changing the web-based manager language........................................................... 49
Changing administrative access to your FortiGate unit............................................ 50
Changing the web-based manager idle timeout....................................................... 50
Connecting to the FortiGate CLI from the web-based manager............................... 51
Button bar features ....................................................................................................... 51
Contacting Customer Support ..................................................................................... 51
Backing up your FortiGate configuration ................................................................... 52
Using FortiGate Online Help ........................................................................................ 52
Searching the online help......................................................................................... 54
Logging out ................................................................................................................... 55
Web-based manager pages.......................................................................................... 55
Using the web-based manager menu....................................................................... 56
Using web-based manager lists................................................................................ 57
Adding filters to web-based manager lists................................................................ 57
Using page controls on web-based manager lists.................................................... 60
Using column settings to control the columns displayed.......................................... 61
Using filters with column settings.............................................................................. 63
Web-based manager icons........................................................................................... 63
System Status ........................................................................................ 67
Viewing the system dashboard ................................................................................... 67
VDOM and global dashboards.................................................................................. 68
Viewing the system dashboard................................................................................. 68
System Information................................................................................................... 69
License Information.................................................................................................. 70
Unit Operation........................................................................................................... 73
System Resources.................................................................................................... 75
Alert Message Console............................................................................................. 76
Log and Archive Statistics ........................................................................................ 77
CLI Console.............................................................................................................. 79
Top Sessions............................................................................................................ 80
Viewing the current sessions list............................................................................... 82
Top Viruses............................................................................................................... 83
Top Attacks............................................................................................................... 83
Traffic History............................................................................................................ 84
RAID monitor............................................................................................................ 84
Changing system information ..................................................................................... 86
Configuring system time........................................................................................... 86
Changing the FortiGate unit host name.................................................................... 87
Changing the FortiGate firmware ................................................................................ 87
Upgrading to a new firmware version....................................................................... 88
Reverting to a previous firmware version................................................................. 89
Viewing operational history ......................................................................................... 90
Manually updating FortiGuard definitions .................................................................. 91
Viewing Log and Archive Statistics ............................................................................ 91
Viewing DLP Archive information on the Statistics widget........................................ 91
Viewing the Attack Log............................................................................................. 93
Configuring the RAID array .......................................................................................... 94
RAID disk configuration............................................................................................ 94
RAID Level................................................................................................................ 96
Rebuilding the RAID array........................................................................................ 97
Configuring AMC modules........................................................................................... 98
Auto-bypass and recovery for AMC bridge module............................................ 99
Enabling or disabling bypass mode for AMC bridge modules ................................ 101
Viewing application, policy, and DLP archive usage data ...................................... 102
Top Application Usage............................................................................................ 102
Top Policy Usage.................................................................................................... 104
DLP Archive Usage................................................................................................ 106
Using the topology viewer ......................................................................................... 107
Adding a subnet object........................................................................................... 110
Customizing the topology diagram......................................................................... 111
Managing firmware versions............................................................... 113
Backing up your configuration .................................................................................. 114
Backing up your configuration through the web-based manager ........................... 114
Backing up your configuration through the CLI....................................................... 114
Backing up your configuration to a USB key.......................................................... 115
Testing firmware before upgrading........................................................................... 116
Upgrading your FortiGate unit ................................................................................... 117
Upgrading to FortiOS 4.0 through the web-based manager................................... 117
Upgrading to FortiOS 4.0 through the CLI .............................................................. 118
Verifying the upgrade.............................................................................................. 119
Reverting to a previous firmware image................................................................... 120
Downgrading to a previous firmware through the web-based manager................. 120
Verifying the downgrade......................................................................................... 121
Downgrading to a previous firmware through the CLI ............................................ 121
Restoring your configuration..................................................................................... 123
Restoring your configuration settings in the web-based manager.......................... 123
Restoring your configuration settings in the CLI ..................................................... 123
Using virtual domains.......................................................................... 125
Virtual domains ........................................................................................................... 125
Benefits of VDOMs ................................................................................................. 125
VDOM configuration settings.................................................................................. 126
Global configuration settings .................................................................................. 129
Enabling virtual domains ........................................................................................... 130
Configuring VDOMs and global settings .................................................................. 131
VDOM licenses....................................................................................................... 132
Creating a new VDOM............................................................................................ 133
Disabling a VDOM.................................................................................................. 134
Working with VDOMs and global settings............................................................... 134
Adding interfaces to a VDOM................................................................................. 135
Inter-VDOM links .................................................................................................... 136
Assigning an interface to a VDOM.......................................................................... 137
Assigning an administrator to a VDOM................................................................... 138
Changing the management VDOM......................................................................... 139
Configuring VDOM resource limits ........................................................................... 139
Setting VDOM global resource limits...................................................................... 140
Configuring resource usage for individual VDOMs................................................. 141
System Network ................................................................................... 145
Configuring interfaces................................................................................................ 145
Switch Mode........................................................................................................... 150
Configuring interface settings................................................................................. 151
Adding VLAN interfaces.......................................................................................... 158
Adding loopback interfaces..................................................................................... 158
Adding 802.3ad aggregate interfaces..................................................................... 159
Adding redundant interfaces................................................................................... 160
Configuring DHCP on an interface......................................................................... 161
Configuring PPPoE on an interface........................................................................ 162
Configuring Dynamic DNS on an interface............................................................. 163
Configuring virtual IPSec interfaces........................................................................ 164
Configuring administrative access to an interface.................................................. 165
Configuring interface status detection for gateway load balancing......................... 165
Changing interface MTU packet size...................................................................... 167
Adding secondary IP addresses to an interface..................................................... 167
Adding software switch interfaces .......................................................................... 169
Configuring zones....................................................................................................... 170
Configuring the modem interface.............................................................................. 170
Configuring modem settings................................................................................... 171
Redundant mode configuration............................................................................... 173
Standalone mode configuration.............................................................................. 174
Adding firewall policies for modem connections..................................................... 175
Connecting and disconnecting the modem............................................................. 175
Checking modem status ......................................................................................... 176
Configuring Networking Options............................................................................... 176
DNS Servers........................................................................................................... 177
Configuring FortiGate DNS services ......................................................................... 177
About split DNS ...................................................................................................... 178
Configuring FortiGate DNS services....................................................................... 178
Configuring the FortiGate DNS database............................................................... 180
Configuring the explicit web proxy ........................................................................... 182
Configuring WCCP...................................................................................................... 183
Routing table (Transparent Mode)............................................................................. 184
System Wireless................................................................................... 187
FortiWiFi wireless interfaces ..................................................................................... 187
Channel assignments ................................................................................................. 188
IEEE 802.11a channel numbers............................................................................. 188
IEEE 802.11b channel numbers............................................................................. 188
IEEE 802.11g channel numbers............................................................................. 189
Wireless settings......................................................................................................... 190
Adding a wireless interface..................................................................................... 191
Wireless MAC Filter .................................................................................................... 193
Managing the MAC Filter list................................................................................... 194
Wireless Monitor ......................................................................................................... 195
Rogue AP detection .................................................................................................... 196
Viewing wireless access points .............................................................................. 196
System DHCP....................................................................................... 199
FortiGate DHCP servers and relays .......................................................................... 199
Configuring DHCP services ....................................................................................... 200
Configuring an interface as a DHCP relay agent.................................................... 201
Configuring a DHCP server.................................................................................... 201
Viewing address leases.............................................................................................. 203
Reserving IP addresses for specific clients ............................................................ 203
System Config ...................................................................................... 205
HA ................................................................................................................................. 205
HA options .............................................................................................................. 205
Cluster members list............................................................................................... 209
Viewing HA statistics .............................................................................................. 211
Changing subordinate unit host name and device priority...................................... 212
Disconnecting a cluster unit from a cluster............................................................. 212
SNMP............................................................................................................................ 213
Configuring SNMP .................................................................................................. 214
Configuring an SNMP community........................................................................... 215
Fortinet MIBs .......................................................................................................... 217
Fortinet and FortiGate traps.................................................................................... 218
Fortinet and FortiGate MIB fields............................................................................ 221
Replacement messages ............................................................................................. 225
VDOM and global replacement messages ............................................................. 225
Viewing the replacement messages list.................................................................. 225
Changing replacement messages .......................................................................... 226
Mail replacement messages................................................................................... 228
HTTP replacement messages ................................................................................ 229
FTP replacement messages................................................................................... 230
NNTP replacement messages................................................................................ 230
Alert Mail replacement messages........................................................................... 231
Spam replacement messages ................................................................................ 231
Administration replacement message..................................................................... 232
User authentication replacement messages........................................................... 232
FortiGuard Web Filtering replacement messages .................................................. 234
IM and P2P replacement messages....................................................................... 234
Endpoint NAC replacement messages................................................................... 235
NAC quarantine replacement messages................................................................ 235
Traffic quota control replacement messages.......................................................... 236
SSL VPN replacement message............................................................................ 236
Replacement message tags ................................................................................... 236
Operation mode and VDOM management access ................................................... 238
Changing operation mode...................................................................................... 238
Management access............................................................................................... 239
System Admin ...................................................................................... 241
Administrators............................................................................................................. 241
Viewing the administrators list................................................................................ 243
Configuring an administrator account..................................................................... 244
Changing an administrator account password........................................................ 246
Configuring regular (password) authentication for administrators .......................... 246
Configuring remote authentication for administrators............................................. 246
Configuring PKI certificate authentication for administrators.................................. 252
Admin profiles ............................................................................................................. 254
Viewing the admin profiles list ................................................................................ 257
Configuring an admin profile................................................................................... 258
Central Management ................................................................................................... 260
Settings ........................................................................................................................ 261
Monitoring administrators.......................................................................................... 264
FortiGate IPv6 support ............................................................................................... 264
Configuring IPv6 on FortiGate units........................................................................ 265
Customizable web-based manager ........................................................................... 268
System Certificates.............................................................................. 279
Local Certificates ....................................................................................................... 280
Generating a certificate request.............................................................................. 281
Downloading and submitting a certificate request.................................................. 282
Importing a signed server certificate....................................................................... 283
Importing an exported server certificate and private key........................................ 283
Importing separate server certificate and private key files...................................... 284
Remote Certificates .................................................................................................... 284
Importing Remote (OCSP) certificates ................................................................... 285
CA Certificates ............................................................................................................ 286
Importing CA certificates......................................................................................... 286
CRL............................................................................................................................... 287
Importing a certificate revocation list ...................................................................... 288
System Maintenance............................................................................ 289
About the Maintenance menu .................................................................................... 289
Backing up and restoring........................................................................................... 290
Basic backup and restore options........................................................................... 291
Upgrading and downgrading firmware.................................................................... 294
Upgrading and downgrading firmware through FortiGuard.................................... 295
Configuring advanced options ................................................................................ 296
Managing configuration revisions............................................................................. 297
Using script files ......................................................................................................... 298
Creating script files ................................................................................................. 299
Uploading script files............................................................................................... 299
Configuring FortiGuard Services .............................................................................. 300
FortiGuard Distribution Network............................................................................. 300
FortiGuard services ................................................................................................ 300
Configuring the FortiGate unit for FDN and FortiGuard subscription services ....... 302
Troubleshooting FDN connectivity ........................................................................... 306
Updating antivirus and attack definitions................................................................. 307
Enabling push updates............................................................................................... 308
Enabling push updates when a FortiGate unit IP address changes....................... 309
Enabling push updates through a NAT device....................................................... 309
Adding VDOM Licenses.............................................................................................. 311
Router Static ........................................................................................ 313
Routing concepts ....................................................................................................... 313
How the routing table is built .................................................................................. 314
How routing decisions are made ........................................................................... 314
Multipath routing and determining the best route................................................... 314
Route priority ......................................................................................................... 315
Blackhole Route...................................................................................................... 315
Static Route ................................................................................................................ 316
Working with static routes ...................................................................................... 316
Default route and default gateway ......................................................................... 318
Adding a static route to the routing table ............................................................... 320
ECMP route failover and load balancing .................................................................. 322
Configuring spill-over or usage-based ECMP......................................................... 323
Configuring weighted static route load balancing................................................... 326
Policy Route ............................................................................................................... 328
Adding a policy route.............................................................................................. 329
Moving a policy route.............................................................................................. 332
Router Dynamic.................................................................................... 333
RIP ................................................................................................................................ 334
Viewing and editing basic RIP settings................................................................... 334
Selecting advanced RIP options............................................................................. 336
Configuring a RIP-enabled interface....................................................................... 337
OSPF ............................................................................................................................ 338
Defining an OSPF AS - Overview.......................................................................... 339
Configuring basic OSPF settings............................................................................ 340
Selecting advanced OSPF options......................................................................... 342
Defining OSPF areas.............................................................................................. 343
Specifying OSPF networks..................................................................................... 344
Selecting operating parameters for an OSPF interface.......................................... 344
BGP .............................................................................................................................. 346
Viewing and editing BGP settings........................................................................... 346
Multicast ....................................................................................................................... 348
Viewing and editing multicast settings.................................................................... 348
Overriding the multicast settings on an interface.................................................... 350
Multicast destination NAT....................................................................................... 350
Bi-directional Forwarding Detection (BFD) .............................................................. 351
Configuring BFD..................................................................................................... 351
Customizable routing widgets ................................................................................... 353
Access List.............................................................................................................. 353
Distribute List.......................................................................................................... 354
Key Chain............................................................................................................... 355
Offset List................................................................................................................ 355
Prefix List................................................................................................................ 356
Route Map.............................................................................................................. 357
Router Monitor ..................................................................................... 359
Viewing routing information ...................................................................................... 359
Searching the FortiGate routing table....................................................................... 361
Firewall Policy ...................................................................................... 363
How list order affects policy matching ..................................................................... 363
Moving a policy to a different position in the policy list........................................... 364
Enabling and disabling policies............................................................................... 365
Multicast policies ........................................................................................................ 365
Viewing the firewall policy list ................................................................................... 366
Configuring firewall policies ...................................................................................... 367
Adding authentication to firewall policies................................................................ 372
Configuring identity-based firewall policies............................................................. 373
Configuring IPSec firewall policies.......................................................................... 376
Configuring SSL VPN identity-based firewall policies............................................. 376
Using DoS policies to detect and prevent attacks ................................................... 379
Viewing the DoS policy list...................................................................................... 380
Configuring DoS policies ........................................................................................ 381
Using one-arm sniffer policies to detect network attacks ...................................... 382
Viewing the sniffer policy list................................................................................... 383
Configuring sniffer policies...................................................................................... 384
How FortiOS selects unused NAT ports ................................................................... 385
Global pool.............................................................................................................. 386
Global per-protocol pool ......................................................................................... 386
Per NAT IP pool...................................................................................................... 386
Per NAT IP, destination IP, port, and protocol pool................................................ 387
Firewall policy examples ............................................................................................ 389
Scenario one: SOHO-sized business ..................................................................... 389
Scenario two: enterprise-sized business ................................................................ 392
Firewall Address .................................................................................. 395
About firewall addresses............................................................................................ 395
About IPv6 firewall addresses ................................................................................... 396
Viewing the firewall address list ................................................................................ 397
Configuring addresses ............................................................................................... 397
Viewing the address group list .................................................................................. 398
Configuring address groups ...................................................................................... 399
Firewall Service.................................................................................... 401
Viewing the predefined service list ........................................................................... 401
Viewing the custom service list ................................................................................. 406
Configuring custom services..................................................................................... 406
Viewing the service group list ................................................................................... 408
Configuring service groups ....................................................................................... 408
Firewall Schedule................................................................................. 411
Viewing the recurring schedule list ........................................................................... 411
Configuring recurring schedules .............................................................................. 412
Viewing the one-time schedule list ........................................................................... 412
Configuring one-time schedules ............................................................................... 413
Configuring schedule groups .................................................................................... 413
Traffic Shaping ..................................................................................... 415
Guaranteed bandwidth and maximum bandwidth ................................................... 415
Traffic priority .............................................................................................................. 416
Traffic shaping considerations.................................................................................. 416
Configuring shared traffic shapers ........................................................................... 417
Configuring Per IP traffic shaping............................................................................. 419
Accounting and quota enforcement .......................................................................... 420
Firewall Virtual IP................................................................................. 421
How virtual IPs map connections through FortiGate units..................................... 421
Inbound connections............................................................................................... 421
Outbound connections............................................................................................ 424
Virtual IP, load balance virtual server and load balance real server limitations...... 425
Viewing the virtual IP list ............................................................................................ 425
Configuring virtual IPs................................................................................................ 426
Adding a static NAT virtual IP for a single IP address ............................................ 428
Adding a static NAT virtual IP for an IP address range.......................................... 429
Adding static NAT port forwarding for a single IP address and a single port.......... 431
Adding static NAT port forwarding for an IP address range and a port range........ 432
Adding dynamic virtual IPs ..................................................................................... 434
Adding a virtual IP with port translation only........................................................... 435
Virtual IP Groups......................................................................................................... 436
Viewing the VIP group list .......................................................................................... 436
Configuring VIP groups.............................................................................................. 436
Configuring IP pools ................................................................................................... 437
IP pools and dynamic NAT..................................................................................... 438
IP Pools for firewall policies that use fixed ports..................................................... 438
Source IP address and IP pool address matching.................................................. 438
Viewing the IP pool list ............................................................................................... 439
Configuring IP Pools................................................................................................... 440
Double NAT: combining IP pool with virtual IP........................................................ 440
Adding NAT firewall policies in transparent mode.................................................. 442
Firewall Load Balance ......................................................................... 445
How FortiGate load balancing works ........................................................................ 445
Configuring virtual servers ........................................................................................ 446
Configuring real servers............................................................................................. 450
Configuring health check monitors........................................................................... 451
Monitoring the servers ............................................................................................... 453
Load balancing examples .......................................................................................... 454
Configuring a virtual web server with three real web servers ................................. 454
Adding a server load balance port forwarding virtual IP ......................................... 459
Weighted load balancing configuration................................................................... 460
HTTP and HTTPS persistence configuration.......................................................... 462
Firewall Protection Profile................................................................... 467
What is a protection profile?...................................................................................... 467
Adding a protection profile to a firewall policy ........................................................ 468
Default protection profiles ......................................................................................... 468
Viewing the protection profile list ............................................................................. 469
SSL content scanning and inspection ...................................................................... 469
Supported FortiGate models................................................................................... 470
Setting up certificates to avoid client warnings....................................................... 470
Configuring SSL content scanning and inspection................................................. 472
Configuring a protection profile ................................................................................ 474
Protocol recognition options ................................................................................... 475
Anti-Virus options.................................................................................................... 477
IPS options ............................................................................................................. 480
Web Filtering options.............................................................................................. 480
FortiGuard Web Filtering options............................................................................ 483
Email Filtering options ............................................................................................ 485
Data Leak Prevention Sensor options .................................................................... 488
Application Control options..................................................................................... 489
Logging options ...................................................................................................... 489
SIP support ........................................................................................... 493
VoIP and SIP................................................................................................................ 493
The FortiGate unit and VoIP security ........................................................................ 495
SIP NAT.................................................................................................................. 495
How SIP support works .............................................................................................. 497
Configuring SIP........................................................................................................... 498
Enabling SIP support and setting rate limiting from the web-based manager........ 498
Enabling SIP support from the CLI ......................................................................... 500
More about rate limiting.......................................................................................... 501
Enabling SIP logging.............................................................................................. 501
Enabling advanced SIP features in an application list............................................ 502
Turning on SIP tracking.......................................................................................... 503
Managing RTP pinholing........................................................................................ 504
Blocking SIP requests............................................................................................. 504
Archiving SIP communication................................................................................. 504
Preserving NAT IP .................................................................................................. 505
Controlling SIP client connections .......................................................................... 505
Accepting SIP register responses........................................................................... 505
Controlling how SIP handles contact header NAT.................................................. 506
Opening and closing SIP register and non-register pinholes.................................. 506
Blocking SIP requests............................................................................................. 507
Support for RFC 2543-compliant branch parameters............................................. 508
AntiVirus ............................................................................................... 509
Order of operations..................................................................................................... 509
Antivirus tasks ............................................................................................................ 510
FortiGuard antivirus ................................................................................................ 511
Antivirus settings and controls ................................................................................. 512
File Filter ...................................................................................................................... 513
Built-in patterns and supported file types................................................................ 513
Viewing the file filter list catalog.............................................................................. 514
Creating a new file filter list..................................................................................... 515
Viewing the file filter list .......................................................................................... 515
Configuring the file filter list..................................................................................... 516
File Quarantine............................................................................................................ 516
Viewing the AutoSubmit list.................................................................................... 517
Configuring the AutoSubmit list .............................................................................. 517
Configuring quarantine options............................................................................... 518
Selecting the virus database...................................................................................... 519
Antivirus CLI configuration........................................................................................ 520
Intrusion Protection ............................................................................. 523
About intrusion protection......................................................................................... 523
Intrusion Protection settings and controls............................................................... 524
When to use Intrusion Protection............................................................................ 524
Signatures.................................................................................................................... 524
Viewing the predefined signature list...................................................................... 525
Using display filters................................................................................................. 526
Custom signatures...................................................................................................... 527
Viewing the custom signature list ........................................................................... 527
Creating custom signatures.................................................................................... 527
Protocol decoders....................................................................................................... 528
Viewing the protocol decoder list............................................................................ 528
Upgrading the IPS protocol decoder list................................................................. 529
IPS sensors.................................................................................................................. 529
Viewing the IPS sensor list..................................................................................... 529
Adding an IPS sensor............................................................................................. 530
Configuring IPS sensors......................................................................................... 530
Configuring filters.................................................................................................... 532
Configuring pre-defined and custom overrides....................................................... 533
Packet logging........................................................................................................ 535
DoS sensors ................................................................................................................ 537
Viewing the DoS sensor list.................................................................................... 538
Configuring DoS sensors........................................................................................ 538
Understanding the anomalies................................................................................. 539
Intrusion protection CLI configuration ..................................................................... 540
Web Filter .............................................................................................. 541
Order of web filtering.................................................................................................. 541
How web filtering works ............................................................................................. 542
Web filter controls....................................................................................................... 542
Web content filter ........................................................................................................ 544
Viewing the web content filter list catalog............................................................... 545
Creating a new web content filter list...................................................................... 545
Viewing the web content filter list............................................................................ 545
Configuring the web content filter list...................................................................... 546
URL filter ...................................................................................................................... 547
Viewing the URL filter list catalog........................................................................... 548
Creating a new URL filter list.................................................................................. 548
Viewing the URL filter list........................................................................................ 549
Configuring the URL filter list.................................................................................. 550
URL formats............................................................................................................ 550
Moving URLs in the URL filter list........................................................................... 551
FortiGuard Web Filtering............................................................................................ 552
Configuring FortiGuard Web Filtering..................................................................... 552
FortiGuard Web filtering overrides............................................................................ 552
Administrative overrides and user overrides........................................................... 552
Configuring administrative override rules ............................................................... 553
Creating local categories........................................................................................ 555
Viewing the local ratings list.................................................................................... 555
Configuring local ratings ......................................................................................... 556
Category block CLI configuration ............................................................................. 557
FortiGuard Web Filtering reports .............................................................................. 557
Email filtering ....................................................................................... 559
FortiGuard Email Filtering (also called the FortiGuard Antispam Service) ........... 559
Order of email filtering............................................................................................ 559
Email filter controls ................................................................................................. 560
Banned word ............................................................................................................... 562
Viewing the banned word list catalog..................................................................... 562
Creating a new banned word list ............................................................................ 563
Viewing the email filtering banned word list............................................................ 563
Adding words to the banned word list..................................................................... 564
IP address and email address black/white lists ....................................................... 565
Viewing the Email Filter IP address list catalog...................................................... 565
Creating a new IP address list................................................................................ 566
Viewing the IP address list...................................................................................... 566
Adding an IP address ............................................................................................. 567
Viewing the Email Filter email address list catalog................................................. 568
Creating a new email address list........................................................................... 568
Viewing the email address list ................................................................................ 568
Configuring the email address list........................................................................... 570
Advanced Email Filter configuration......................................................................... 570
config spamfilter mheader ...................................................................................... 570
config spamfilter dnsbl............................................................................................ 571
Using wildcards and Perl regular expressions ........................................................ 571
Perl regular expression formats.............................................................................. 572
Example regular expressions ................................................................................. 573
Data Leak Prevention........................................................................... 575
DLP Sensors................................................................................................................ 575
Viewing the DLP sensor list.................................................................................... 575
Adding and configuring a DLP sensor.................................................................... 577
Adding or editing a rule or compound rule in a DLP sensor................................... 577
DLP archiving .............................................................................................................. 580
Configuring DLP archiving...................................................................................... 581
Configuring spam email message archiving........................................................... 585
Viewing DLP archives............................................................................................. 586
DLP Rules .................................................................................................................... 586
Viewing the DLP rule list......................................................................................... 586
Adding or configuring DLP rules............................................................................. 588
DLP Compound Rules ................................................................................................ 591
Viewing the DLP compound rule list....................................................................... 592
Adding and configuring DLP compound rules ........................................................ 592
Application Control .............................................................................. 595
What is application control? ...................................................................................... 595
FortiGuard application control database.................................................................. 595
Viewing the application control black/white lists .................................................... 596
Creating a new application control black/white list ................................................. 597
Configuring an application control black/white list ................................................. 597
Adding or configuring an application control black/white list entry...................... 598
Application control statistics..................................................................................... 600
IPSec VPN............................................................................................. 603
Overview of IPSec VPN configuration....................................................................... 603
Policy-based versus route-based VPNs ................................................................... 604
Auto Key ...................................................................................................................... 605
Creating a new phase 1 configuration.................................................................... 606
Defining phase 1 advanced settings....................................................................... 608
Creating a new phase 2 configuration.................................................................... 611
Defining phase 2 advanced settings....................................................................... 611
Manual Key .................................................................................................................. 614
Creating a new manual key configuration .............................................................. 614
Internet browsing configuration ................................................................................ 616
Concentrator ............................................................................................................... 617
Defining concentrator options................................................................................. 617
Monitoring VPNs ......................................................................................................... 618
PPTP VPN ............................................................................................. 621
PPTP configuration using FortiGate web-based manager ...................................... 621
PPTP configuration using CLI commands ............................................................... 623
SSL VPN................................................................................................ 625
ssl.root ......................................................................................................................... 626
Configuring SSL VPN ................................................................................................. 626
SSL VPN web portal .................................................................................................... 627
Default web portal configurations ........................................................................... 628
Configuring web portal settings .............................................................................. 628
Configuring the virtual desktop............................................................................... 629
Configuring security control .................................................................................... 631
Configuring web portal layout................................................................................. 632
Session Information widget..................................................................................... 633
Bookmarks widget .................................................................................................. 634
Connection Tool widget.......................................................................................... 636
Tunnel Mode widget ............................................................................................... 637
Virtual Desktop Application Control ......................................................................... 639
Host Check list ............................................................................................................ 640
SSL VPN monitor list .................................................................................................. 641
User ....................................................................................................... 643
Getting started - User authentication........................................................................ 643
Local user accounts ................................................................................................... 644
Configuring Local user accounts ............................................................................ 644
Remote......................................................................................................................... 647
RADIUS ........................................................................................................................ 647
Configuring a RADIUS server................................................................................. 648
LDAP ............................................................................................................................ 649
Configuring an LDAP server................................................................................... 650
TACACS+..................................................................................................................... 652
Configuring TACACS+ servers .............................................................................. 653
Directory Service......................................................................................................... 654
Configuring a Directory Service server................................................................... 655
PKI ............................................................................................................................... 656
Configuring peer users and peer groups ................................................................ 657
User Group .................................................................................................................. 658
Firewall user groups ............................................................................................... 659
Directory Service user groups ................................................................................ 660
SSL VPN user groups............................................................................................. 660
Viewing the User group list..................................................................................... 661
Configuring a user group........................................................................................ 661
Configuring FortiGuard Web filtering override options............................................ 664
Dynamically assigning VPN client IP addresses from a user group ............... 665
Options......................................................................................................................... 667
Monitor ......................................................................................................................... 668
Firewall user monitor list......................................................................................... 668
IM user monitor list ................................................................................................. 669
NAC quarantine and the Banned User list ................................................................ 670
NAC quarantine and DLP ....................................................................................... 670
NAC quarantine and DLP replacement messages................................................. 671
Configuring NAC quarantine................................................................................... 671
The Banned User list.............................................................................................. 672
WAN optimization and web caching .................................................. 675
Configuring WAN optimization .................................................................................. 675
Moving a rule to a different position in the rule list.................................................. 677
Configuring a WAN optimization rule ....................................................................... 677
About WAN optimization addresses ....................................................................... 679
Configuring WAN optimization peers ....................................................................... 680
Configuring authentication groups ........................................................................... 681
WAN optimization monitoring.................................................................................... 682
Changing web cache settings.................................................................................... 684
Endpoint NAC....................................................................................... 687
Configuring Endpoint NAC overview........................................................................ 687
Configuring FortiClient installer download and version enforcement .................. 688
Configuring application detection lists..................................................................... 689
Viewing the application list...................................................................................... 691
Configuring Endpoint NAC profiles .......................................................................... 692
Monitoring endpoints ................................................................................................. 693
Wireless Controller .............................................................................. 697
Configuration overview .............................................................................................. 697
Enabling the wireless controller ................................................................................ 697
Configuring FortiWiFi units as managed access points ......................................... 698
Configuring a virtual wireless access point ............................................................. 698
Configuring a physical access point ......................................................................... 699
Configuring DHCP for your wireless LAN ................................................................ 701
Configuring firewall policies for the wireless LAN.................................................. 701
Monitoring wireless clients ........................................................................................ 701
Monitoring rogue APs................................................................................................. 702
Log&Report .......................................................................................... 703
Configuring how a FortiGate unit stores logs .......................................................... 704
Remote logging to a FortiAnalyzer unit................................................................... 704
Remote logging to the FortiGuard Analysis and Management Service.................. 706
Remote logging to a syslog server ......................................................................... 707
Local logging to memory......................................................................................... 708
Local logging to disk............................................................................................... 708
Configuring Alert Email .............................................................................................. 709
Configuring Event logging ......................................................................................... 711
Data Leak Prevention log....................................................................................... 712
Application Control log............................................................................................ 712
Antivirus log............................................................................................................ 713
Web filter log........................................................................................................... 713
Email filter log......................................................................................................... 713
Attack log (IPS)....................................................................................................... 714
Accessing and viewing log messages ...................................................................... 714
Accessing logs stored in memory........................................................................... 715
Accessing logs stored on the hard disk.................................................................. 716
Accessing logs stored on the FortiAnalyzer unit..................................................... 716
Accessing logs stored on the FortiGuard Analysis and Management Service....... 717
Customizing the display of log messages............................................................... 717
Column settings...................................................................................................... 718
Filtering log messages............................................................................................ 719
Viewing DLP Archives ................................................................................................ 719
Viewing the File Quarantine list ................................................................................. 720
Configuring FortiAnalyzer report schedules ............................................................ 721
Viewing Executive Summary reports from SQL logs .............................................. 724
Viewing FortiAnalyzer reports ................................................................................... 724
Printing your FortiAnalyzer report........................................................................... 725
Viewing basic traffic reports ...................................................................................... 725
Log severity levels ...................................................................................................... 727
Log types ..................................................................................................................... 728
Traffic log................................................................................................................ 728
Example configuration: logging all FortiGate traffic ............................................... 729
Index...................................................................................................... 731
Introduction
Ranging from the FortiGate-50 series for small businesses to the FortiGate-5000 series
for large enterprises, service providers and carriers, the FortiGate line combines the
FortiOS security operating system with FortiASIC processors and other hardware to
provide a high-performance array of security and networking functions including:
firewall, VPN, and traffic shaping
Intrusion Prevention System (IPS)
antivirus/antispyware/antimalware
web filtering
antispam
application control (for example, IM and P2P)
VoIP support (H.323, SIP, and SCCP)
Layer 2/3 routing
multiple redundant WAN interface options
FortiGate appliances provide cost-effective, comprehensive protection against network,
content, and application-level threats, including complex attacks favored by
cybercriminals, without degrading network availability and uptime. FortiGate platforms
include sophisticated networking features, such as high availability (active/active,
active/passive) for maximum network uptime, and virtual domain capabilities to separate
various networks requiring different security policies.
This chapter contains the following sections:
Fortinet products
Before you begin
How this guide is organized
Registering your Fortinet product
Fortinet products End User License Agreement
Customer service and technical support
Training
Fortinet documentation
Fortinet products
Fortinet's portfolio of security gateways and complementary products offers a powerful
blend of ASIC-accelerated performance, integrated multi-threat protection, and constantly
updated, in-depth threat intelligence. This unique combination delivers network, content,
and application security for enterprises of all sizes, managed service providers, and
telecommunications carriers, while providing a flexible, scalable path for expansion. For
more information on the Fortinet product family, go to www.fortinet.com/products.
Before you begin
This FortiGate Version 4.0 MR1 Administration Guide provides detailed information for
system administrators about FortiGate web-based manager and FortiOS options and
how to use them. It is assumed that you have already successfully installed a FortiGate
unit by following the instructions in the FortiGate Installation Guide for your model.
At this stage:
You have administrative access to the web-based manager and/or CLI.
The FortiGate unit is integrated into your network.
The operation mode has been configured.
The system time, DNS settings, administrator password, and network interfaces have
been configured.
Firmware, FortiGuard Antivirus and FortiGuard Antispam updates are completed.
Once that basic installation is complete, you can use this document. This document
explains how to use the web-based manager to:
maintain the FortiGate unit, including backups
reconfigure basic items that were configured during installation
configure advanced features.
This guide also contains some information about the FortiGate command line interface
(CLI), but not all the commands. For detailed information on the CLI, see the FortiGate
CLI Reference.
This document is intended for administrators, not end users.
How this guide is organized
This section of the guide contains a brief explanation of the structure of the guide and
provides a chapter-by-chapter summary. The first chapters provide an overview to help
you start using the product or to learn what's new. Following these chapters, the guide
describes web-based manager functions in the same order as the web-based manager (or
GUI) menu, and then concludes with a detailed index.
Virtual domain (VDOM) and Global icons appear in this administration guide to indicate
that a chapter or section is part of either the VDOM or Global configuration. VDOM and
Global configuration settings apply only to a FortiGate unit operating with virtual domains
enabled. No distinction is made between these configuration settings when virtual
domains are not enabled.
The most recent version of this document is available from the FortiGate page of the
Fortinet Technical Documentation web site. The information in this document is also
available in a slightly different form as FortiGate web-based manager online help.
You can also learn more about the FortiOS product from the same FortiGate page, as well
as from the Fortinet Knowledge Base.
This administration guide contains the following chapters:
What's new in FortiOS 4.0 MR1 lists and describes some of the new features and
changes in FortiOS Version 4.0 MR1.
Web-based manager introduces the features of the FortiGate web-based manager,
and explains how to connect to it. It also explains how to use the web-based manager
online help.
System Status describes the System Status page, the dashboard of your FortiGate
unit. At a glance you can view the current system status of the FortiGate unit including
serial number, uptime, FortiGuard license information, system resource usage, alert
messages and network statistics. You can also access the CLI from this page. This
section also describes status changes that you can make, including changing the unit
firmware, host name, and system time. Finally this section describes the topology
viewer that is available on all FortiGate models except those with model numbers 50
and 60.
Managing firmware versions describes upgrading and managing firmware versions.
You should review this section before upgrading your FortiGate firmware because it
contains important information about how to properly back up your current
configuration settings and what to do if the upgrade is unsuccessful.
Using virtual domains describes how to use VDOMs to operate your FortiGate unit as
multiple virtual FortiGate units, which effectively provides multiple separate firewall and
routing services to multiple networks.
System Network explains how to configure physical and virtual interfaces and DNS
settings on the FortiGate unit.
System Wireless describes how to configure the Wireless LAN interface on a
FortiWiFi-60 unit.
System DHCP explains how to configure a FortiGate interface as a DHCP server or
DHCP relay agent.
System Config contains procedures for configuring HA and virtual clustering,
configuring SNMP and replacement messages, and changing the operation mode.
System Admin guides you through adding and editing administrator accounts, defining
admin profiles for administrators, configuring central management using the
FortiGuard Management Service or FortiManager, and defining general administrative
settings such as language, timeouts, and web administration ports.
System Certificates explains how to manage X.509 security certificates used by
various FortiGate features such as IPSec VPN and administrator authentication.
System Maintenance details how to back up and restore the system configuration
using a management computer or a USB disk, as well as how to use revision control,
enable FortiGuard services and FortiGuard Distribution Network (FDN) updates, and
enter a license key to increase the maximum number of virtual domains.
Router Static explains how to define static routes and create route policies. A static
route causes packets to be forwarded to a destination other than the factory-configured
default gateway.
Router Dynamic explains how to configure dynamic protocols to route traffic through
large or complex networks.
Router Monitor explains how to interpret the Routing Monitor list. The list displays the
entries in the FortiGate routing table.
Firewall Policy describes how to add firewall policies to control connections and traffic
between FortiGate interfaces, zones, and VLAN subinterfaces. This chapter also
describes how to add DoS policies to apply DoS sensors to network traffic and how to
add sniffer policies to operate the FortiGate unit as an Intrusion Detection System
(IDS) appliance by sniffing packets for attacks without actually receiving and otherwise
processing the packets.
Firewall Address describes how to configure addresses and address groups for firewall
policies.
How this guide is organized Introduction
FortiGate Version 4.0 MR1 Administration Guide
26 01-410-89802-20091022
http://docs.fortinet.com/ Feedback
Firewall Service describes available services and how to configure service groups for
firewall policies.
Firewall Schedule describes how to configure one-time and recurring schedules for
firewall policies.
Traffic Shaping describes how to create traffic shaping instances and add them to
firewall policies.
Firewall Virtual IP describes how to configure and use virtual IP addresses and IP
pools.
Firewall Load Balance describes how to use FortiGate server load balancing to intercept
incoming traffic and balance it across available servers.
Firewall Protection Profile describes how to configure protection profiles for firewall
policies.
SIP support includes some high-level information about VoIP and SIP and describes
how FortiOS SIP support works and how to configure the key SIP features.
The AntiVirus, Intrusion Protection, Web Filter, and Email filtering chapters explain how
to configure these options associated with a firewall protection profile.
Data Leak Prevention explains how to use FortiGate data leak prevention to prevent
sensitive data from leaving your network.
Application Control describes how to configure the application control options
associated with firewall protection profiles.
IPSec VPN provides information about the tunnel-mode and route-based (interface
mode) Internet Protocol Security (IPSec) VPN options available through the web-
based manager.
PPTP VPN explains how to use the web-based manager to specify a range of IP
addresses for PPTP clients.
SSL VPN provides information about basic SSL VPN settings.
User describes how to control access to network resources through user
authentication.
WAN optimization and web caching describes how to use FortiGate units to improve
performance and security of traffic passing between locations on your wide area
network (WAN) or over the Internet.
Endpoint NAC describes how to use FortiGate endpoint NAC to enforce the use of
FortiClient End Point Security (Enterprise Edition) in your network.
Wireless Controller describes how to configure a FortiGate unit to act as a wireless
network controller, managing the wireless Access Point (AP) functionality of FortiWiFi
units.
Log&Report describes how to enable logging, view log files, and view the basic reports
available through the web-based manager.
Document conventions
Fortinet technical documentation uses the conventions described below.
IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other
organization, the IP addresses used in Fortinet technical documentation are fictional and
follow the documentation guidelines specific to Fortinet. The addresses used are from the
private IP address ranges defined in RFC 1918: Address Allocation for Private Internets,
available at http://ietf.org/rfc/rfc1918.txt?number=1918.
Cautions, Notes and Tips
Fortinet technical documentation uses the following guidance and styles for cautions,
notes and tips.
Typographical conventions
Fortinet documentation uses the following typographical conventions:
Caution: Warns you about commands or procedures that could have unexpected or
undesirable results including loss of data or damage to equipment.
Note: Presents useful information, usually focused on an alternative, optional method, such
as a shortcut, to perform a step.
Tip: Highlights useful additional information, often tailored to your workplace activity.
Table 1: Typographical conventions in Fortinet technical documentation

Button, menu, text box, field, or check box label
    From Minimum log level, select Notification.
CLI input*
    config system dns
        set primary <address_ipv4>
    end
CLI output
    FGT-602803030703 # get system settings
    comments : (null)
    opmode : nat
Emphasis
    HTTP connections are not secure and can be intercepted by a third party.
File content
    <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
    <BODY><H4>You must authenticate to use this service.</H4>
Hyperlink
    Visit the Fortinet Technical Support web site, https://support.fortinet.com.
Keyboard entry
    Type a name for the remote VPN peer or client, such as Central_Office_1.
Navigation
    Go to VPN > IPSEC > Auto Key (IKE).
Publication
    For details, see the FortiGate Administration Guide.
    Note: Links typically go to the most recent version. To access earlier releases, go to
    http://docs.fortinet.com/. This link appears at the bottom of each page of this document.
VDOM settings icon
    The chapter or section contains VDOM configuration settings; see VDOM configuration
    settings on page 126.
Global settings icon
    The chapter or section contains Global configuration settings; see Global configuration
    settings on page 129.

* For conventions used to represent command syntax, see CLI command syntax on page 28.

CLI command syntax
This guide uses the following conventions to describe syntax to use when entering
commands in the Command Line Interface (CLI).
Brackets, braces, and pipes are used to denote valid permutations of the syntax.
Constraint notations, such as <address_ipv4>, indicate which data types or string
patterns are acceptable value input.
For more information, see the FortiGate CLI Reference.
Table 2: Command syntax

Square brackets [ ]
    A non-required word or series of words. For example:
        [verbose {1 | 2 | 3}]
    indicates that you may either omit or type both the verbose word and its accompanying
    option, such as:
        verbose 3
Angle brackets < >
    A word constrained by data type. To define acceptable input, the angle brackets contain
    a descriptive name followed by an underscore ( _ ) and a suffix that indicates the valid
    data type. For example:
        <retries_int>
    indicates that you should enter a number of retries, such as 5.
    Data types include:
        <xxx_name>: A name referring to another part of the configuration, such as policy_A.
        <xxx_index>: An index number referring to another part of the configuration, such as
        0 for the first static route.
        <xxx_pattern>: A regular expression or word with wild cards that matches possible
        variations, such as *@example.com to match all email addresses ending in @example.com.
        <xxx_ipv4>: An IPv4 address, such as 192.168.1.99.
        <xxx_ipv4range>: An IPv4 address range.
        <xxx_ipv4/mask>: A dotted decimal IPv4 address and CIDR-notation netmask separated
        by a slash, such as 192.168.1.99/24.
        <xxx_ipv6>: An IPv6 address.
        <xxx_v6mask>: An IPv6 netmask.
        <xxx_ipv6mask>: An IPv6 address and netmask separated by a space.
        <xxx_str>: A string of characters that is not another data type, such as P@ssw0rd.
        Strings containing spaces or special characters must be surrounded in quotes or use
        escape sequences.
        <xxx_int>: An integer number that is not another data type, such as 15 for the
        number of minutes.
Curly braces { }
    A word or series of words that is constrained to a set of options delimited by either
    vertical bars or spaces. You must enter at least one of the options, unless the set of
    options is surrounded by square brackets [ ].
Options delimited by vertical bars |
    Mutually exclusive options. For example:
        {enable | disable}
    indicates that you must enter either enable or disable, but must not enter both.
Options delimited by spaces
    Non-mutually exclusive options. For example:
        {http https ping snmp ssh telnet}
    indicates that you may enter all or a subset of those options, in any order, in a
    space-delimited list, such as:
        ping https ssh
    Note: To change the options, you must re-type the entire list. For example, to add snmp
    to the previous example, you would type:
        ping https snmp ssh
    If the option adds to or subtracts from the existing list of options, instead of
    replacing it, or if the list is comma-delimited, the exception will be noted.

Registering your Fortinet product
Before you begin configuring and customizing features, take a moment to register your
Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com.
Many Fortinet customer services, such as firmware updates, technical support, and
FortiGuard Antivirus and other FortiGuard services, require product registration.
For more information, see the Fortinet Knowledge Base article Registration Frequently
Asked Questions.
Fortinet products End User License Agreement
See the Fortinet products End User License Agreement.
Customer service and technical support
Fortinet Technical Support provides services designed to make sure that you can install
your Fortinet products quickly, configure them easily, and operate them reliably in your
network.
To learn about the technical support services that Fortinet provides, visit the Fortinet
Technical Support web site at https://support.fortinet.com.
You can dramatically improve the time that it takes to resolve your technical support ticket
by providing your configuration file, a network diagram, and other specific information. For
a list of required information, see the Fortinet Knowledge Base article What does Fortinet
Technical Support require in order to best assist the customer?
Training
Fortinet Training Services provides a variety of training programs to serve the needs of
our customers and partners world-wide. Visit the Fortinet Training Services web site at
http://campus.training.fortinet.com, or email training@fortinet.com.
Fortinet documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the
most up-to-date versions of Fortinet publications, as well as additional technical
documentation such as technical notes.
In addition to the Fortinet Technical Documentation web site, you can find Fortinet
technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet
Knowledge Base.
Tools and Documentation CD
The documentation for your product is available on the Fortinet Tools and Documentation
CD shipped with your product. The documents on this CD are current at shipping time. For
the most current versions of Fortinet documentation, visit the Fortinet Technical
Documentation web site, http://docs.fortinet.com.
Fortinet Knowledge Base
The Fortinet Knowledge Base provides additional Fortinet technical documentation, such
as troubleshooting and how-to articles, examples, FAQs, technical notes, a glossary, and
more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.
Comments on Fortinet technical documentation
Please send information about any errors or omissions in this or any Fortinet technical
document to techdoc@fortinet.com.
What's new in FortiOS 4.0 MR1
This section lists and describes some of the new features and changes in FortiOS Version
4.0 MR1.
New SIP ALG configuration options
Easy FortiCare and FortiGuard services registration and renewal
Endpoint control enhancements
Per-VDOM replacement messages
Content archiving is now DLP archive
Topology viewer is now a custom web-based manager page
Usage page shows application, policy, and DLP archive usage
Alert Message Console enhancements
WCCP widget
SSL VPN enhancements
Two-factor authentication
FortiGate wireless controller
Interface status detection for gateway load balancing
Enhanced ECMP route failover and load balancing
SCEP extensions
Dynamic routing for IPv6 traffic
IPv6 DNS
IPv6 Transparent mode
IPv6 administrative access
UTM features support IPv6 traffic
HTTP basic authentication in firewall policies
VDOM dashboard
IPsec protocol improvements
Auto-configuration of IPsec VPNs
Integral basic DNS server
Per-VDOM DNS configuration
Password policy
Use LDAP groups in firewall and SSL-VPN authentication
Traffic shaping enhancements
Logging enhancements
Antivirus changes
Reliable syslog
Web filtering combined block/exempt list
Web filtering by content header
Safe search
Data Leak Prevention supports international character sets
SNMPv3 enhancements
Schedule groups
RAID support
Note: As noted in this section, some new features are available from the FortiGate CLI
only. See the FortiGate CLI Reference for more information about them.
New SIP ALG configuration options
The following SIP application level gateway (ALG) configuration options have been added
to FortiOS 4.0 MR1.
Opening and closing SIP register and non-register pinholes
You can use open-register-pinhole and open-contact-pinhole to control
whether the FortiGate unit opens register and non-register pinholes. Non-register pinholes
are usually opened for SIP INVITE requests.
For more information, see Opening and closing SIP register and non-register pinholes
on page 506.
Support for RFC 2543-compliant branch commands
The rfc2543-branch CLI keyword of the config application list command has
been added to support RFC 2543-compliant SIP calls involving branch parameters that
are missing, or that are valid for RFC 2543 but invalid for RFC 3261.
For more information, see Support for RFC 2543-compliant branch parameters on
page 508.
Easy FortiCare and FortiGuard services registration and renewal
FortiOS 4.0 MR1 firmware helps you to register your FortiGate unit for FortiGuard and
FortiCare services. When a new FortiGate unit is powered on, it automatically searches
for FortiGuard services. If the unit is configured for central management, it will look for
FortiGuard services on its FortiManager system. The FortiGate unit sends its serial
number to FortiGuard services, which then determines whether the FortiGate unit is
registered and has a valid contract for either a FortiGuard subscription or FortiCare
support services.
For more information, see License Information on page 70.
Endpoint control enhancements
Endpoint Control is now called Endpoint NAC (Network Access Control), which better
describes its role in controlling endpoint access to the network.
The configuration for the required FortiClient software version is now in Endpoint NAC >
Config. Configuration options are the same as in the previous release.
FortiOS 4.0 provided software detection on endpoints. Using FortiOS 4.0 MR1, you can
now also allow or block endpoints based on detected software. The Software Detection
List is now called an Application Detection List and you can create multiple lists.
FortiGuard services provide all application signatures. You create your application
detection list entries by selecting applications from lists of categories, vendors, and
application names. Go to Endpoint NAC > Application Detection > Detection List to create
detection lists. To view application information from FortiGuard services, go to
Endpoint NAC > Application Detection > Predefined.
Endpoint check options are no longer configured in the firewall policy. These options and
the application detection list are now selected in an Endpoint NAC profile. In the firewall
policy, you simply enable Endpoint NAC and select the Endpoint NAC profile to apply.
For more information, see Endpoint NAC on page 687.
Per-VDOM replacement messages
FortiOS 4.0 MR1 enables you to define replacement messages in each VDOM. In
previous releases, replacement messages were defined only at the global level. By
default, the VDOM uses the global replacement messages. You can modify any message
for your VDOM as needed.
When defining replacement messages, you can optionally reset the message to its
original value. At the global level, you can reset the message to the factory default. At the
VDOM level, you can reset the message to the current global value.
Go to System > Config > Replacement Messages. Modify the messages as needed.
For more information, see Replacement messages on page 225.
Content archiving is now DLP archive
In FortiOS 4.0 MR1 the content archiving feature has been renamed DLP archive. Just
like content archiving, administrators use DLP archiving to collect and view historical logs
that have been archived to a FortiAnalyzer unit or FortiGuard Analysis server. When you
add a FortiAnalyzer unit to the FortiGate configuration, you can log DLP archives to the
FortiAnalyzer unit. A FortiGuard Analysis server becomes available when you subscribe to
the FortiGuard Analysis and Management Service.
For more information, see DLP archiving on page 580.
Topology viewer is now a custom web-based manager page
The Topology page is no longer part of the default web-based manager configuration. To
access this feature, create a custom menu layout in your administrative profile and add
the Topology page. It is in the Additional content category.
For more information, see Customizable web-based manager on page 268.
Usage page shows application, policy, and DLP archive usage
In FortiOS 4.0 MR1, you can now view statistics about application traffic passing through
your FortiGate unit.
The Usage widget has three modules:
Top Application Usage
Top Policy Usage
DLP Archive Usage
By default, the Usage widget displays on the System > Status > Usage page for both
global and VDOM administrators. You can also add the Usage widget to custom web-
based manager pages.
For more information, see Viewing application, policy, and DLP archive usage data on
page 102.
Alert Message Console enhancements
In FortiOS 4.0 MR1, the Alert Message Console provides more options that you can
configure and more types of alerts, and enables you to acknowledge messages one at a
time.
To view the Alert Message Console, go to System > Status.
For more information, see Alert Message Console on page 76.
WCCP widget
Using the FortiOS 4.0 customizable GUI feature, you can add a WCCP widget to the
web-based manager and use this widget to add WCCP entries to the FortiGate
configuration.
For more information, see Configuring WCCP on page 183.
SSL VPN enhancements
FortiOS 4.0 MR1 includes the following SSL VPN enhancements.
Single Sign-On
With the new single sign-on feature, a web bookmark can include login credentials to
automatically log the SSL VPN user into the web site. This means that once the user logs
into the SSL VPN, he or she does not have to enter any more credentials to visit
preconfigured web sites. When the administrator configures bookmarks, the web site
credentials must be the same as the user's SSL VPN credentials. Users configuring their
own bookmarks can specify alternative credentials for the web site.
For more information, see Bookmarks widget on page 634.
IP address ranges are now defined as firewall addresses
The following SSL VPN IP address ranges are now defined in FortiOS 4.0 MR1 using
range and subnet firewall addresses:
The IP Pools part of the basic SSL VPN configuration (go to VPN > SSL > Config)
IP Pools added to the SSL VPN Portal Tunnel Mode configuration (go to VPN > SSL >
Portal and add a Tunnel Mode widget to an SSL VPN portal)
For more information, see SSL VPN on page 625.
Tunnel mode client address ranges
In the SSL VPN settings, the tunnel-startip and tunnel-endip keywords have
been removed. Instead, use the new tunnel-ip-pools keyword to specify one or more
ranges of IP addresses reserved for remote clients:
config vpn ssl settings
    set tunnel-ip-pools ip_pool1 ip_pool2
end
You define ip_pool1 and ip_pool2 using the config firewall address
command. Only range and subnet address types are allowed.
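The following is an added example, not taken from this guide, showing the two steps the paragraph above describes: define the client address pools as range and subnet firewall addresses, then reference them from the SSL VPN settings. The address names and the 10.212.134.x/10.212.135.x ranges are constructed for illustration; the firewall address keywords (type iprange, start-ip, end-ip, type ipmask, subnet) are assumed to match the FortiGate CLI Reference for this release.

```fortios
# Added example (not from the guide): SSL VPN tunnel-mode client address pools.
# Address names and IP ranges are constructed for illustration.
config firewall address
    edit "sslvpn_pool_range"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
    edit "sslvpn_pool_subnet"
        set type ipmask
        set subnet 10.212.135.0 255.255.255.0
    next
end

# Only range and subnet (ipmask) address objects are accepted here;
# an FQDN or wildcard address is rejected.
config vpn ssl settings
    set tunnel-ip-pools "sslvpn_pool_range" "sslvpn_pool_subnet"
end
```

Keep the pool ranges disjoint from every directly connected subnet so that return traffic to a tunnel-mode client is routed to the SSL VPN interface rather than to a LAN. Because the pools are ordinary address objects, the same names can be used as the source address of the firewall policy that permits tunnel-mode traffic, so the allowed client range is defined in one place.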
OS Check changes
You can now configure the client operating system checks only in the CLI, but the
supported operating systems now include Windows Vista.
config vpn ssl web portal
    edit <portal_name>
        set os-check enable
        config os-check-list {windows-2000 | windows-xp | windows-vista}
            set action {allow | check-up-to-date | deny}
            set latest-patch-level {disable | 0 - 255}
            set tolerance {tolerance_num}
        end
    next
end
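A worked instance of the syntax above, added here as an example that is not from this guide: a portal that denies Windows 2000 clients outright and admits Windows XP and Vista clients only when they report the latest service pack. The portal name "full-access" is constructed; that latest-patch-level counts service packs (XP SP3, Vista SP2 at the time of this release) and that tolerance is the number of levels a client may lag are assumptions about the keyword semantics.

```fortios
# Added example (not from the guide): per-OS client checks on an SSL VPN portal.
# Portal name and service pack numbers are constructed/assumed for illustration.
config vpn ssl web portal
    edit "full-access"
        set os-check enable
        # Unsupported OS: refuse the session regardless of patch level.
        config os-check-list windows-2000
            set action deny
        end
        # XP must report SP3; tolerance 0 means no older service pack is accepted.
        config os-check-list windows-xp
            set action check-up-to-date
            set latest-patch-level 3
            set tolerance 0
        end
        # Vista must report SP2.
        config os-check-list windows-vista
            set action check-up-to-date
            set latest-patch-level 2
            set tolerance 0
        end
    next
end
```

The OS check relies on the version the client reports, so treat it as a hygiene gate rather than an attestation; combine it with Host Check (below) and with user authentication rather than using it as the sole admission control.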
Client check changes
The client check, which ensures that clients have antivirus or firewall software installed, is
now called Host Check. You no longer specify whether to check for FortiClient Endpoint
Security or third-party software. If the client computer is running any antivirus or firewall
software that the Windows Security Center recognizes, it will pass the Host Check. You
can also add applications to the FortiGate unit's list of acceptable host check software.
For more information, see Configuring security control on page 631.
Virtual Desktop enhancements
In FortiOS 4.0 MR1, the virtual desktop can now interact with removable media, network
shares, and printers. You can also configure more options. See Configuring security
control on page 631 for a complete list.
Virtual Desktop Application Control
You can control which applications users can run on their virtual desktop. To do this, you
create a list of either allowed or blocked applications which you then select when you
configure the virtual desktop.
For more information, see Virtual Desktop Application Control on page 639.
Two-factor authentication
In FortiOS 4.0 MR1, PKI users can be required to authenticate by password in addition to
their certificate authentication, for both administrative and SSL VPN access. This two-
factor authentication provides additional security to meet ICSA 4.0 requirements.
For more information, see Configuring peer users and peer groups on page 657.
You can also configure two-factor authentication in an SSL VPN, by using these settings:
config vpn ssl settings
    set force-two-factor-auth enable
end
If this option is enabled, only users with two-factor authentication can log in to the SSL
VPN.
Force UTF-8 login
To facilitate authentication with some LDAP servers, the login credentials must use UTF-8
encoding. Enable this as follows:
config vpn ssl settings
    set force-utf8-login enable
end
FortiGate wireless controller
Most FortiGate units, but not FortiWiFi models, can act as a wireless network controller,
managing the wireless Access Point (AP) functionality of FortiWiFi units. All units must be
running the most recent FortiOS 4.0 MR1 firmware.
For more information, see Wireless Controller on page 697.
Interface status detection for gateway load balancing
FortiOS 4.0 MR1 interface status detection now includes enabling up to three different
protocols to confirm that an interface can connect to the IP address of a server. Usually
the server is the next-hop router that leads to an external network or the Internet.
For more information, see Configuring interface status detection for gateway load
balancing on page 165.
Enhanced ECMP route failover and load balancing
Previous FortiOS versions provided source IP-based load balancing for ECMP routes.
FortiOS 4.0 MR1 now includes three configuration options for ECMP route failover and
load balancing:
Source based (also called source IP based)
    The FortiGate unit load balances sessions among ECMP routes based on the source IP
    address of the sessions to be load balanced.
Weighted (also called weight-based)
    The FortiGate unit load balances sessions among ECMP routes based on weights added
    to ECMP routes. More traffic is directed to routes with higher weights.
Spill-over (also called usage-based)
    The FortiGate unit distributes sessions among ECMP routes based on how busy the
    FortiGate interfaces added to the routes are.
For more information, see ECMP route failover and load balancing on page 322.
SCEP extensions
FortiOS 4.0 MR1 supports automatic update of system certificates. When a certificate is
about to expire, the FortiGate unit uses SCEP to request and download a new certificate.
This applies to both Local and CA certificates. You can also configure periodic updating of
a Certificate Revocation List (CRL).
Certificate auto-update is configured in the CLI.
Dynamic routing for IPv6 traffic
FortiOS Version 4.0 MR1 adds support for IPv6 dynamic routing using RIPng, BGP, or
OSPF protocols.
You can configure IPv6 dynamic routing only in the CLI.
The following dynamic routing commands were added or modified to support IPv6 traffic:
router bgp command
Support for IPv6 traffic was added to the router bgp command.
    config aggregate-address6
    config neighbor
    config network6
    config redistribute6
router access-list6
Use the new router access-list6 command to add, edit, or delete access lists for
IPv6 traffic. Access lists are filters used by FortiGate unit routing processes. For an access
list to take effect, it must be called by a FortiGate unit routing process (for example, a
process that supports RIPng or OSPF).
router ospf6
Use the new router ospf6 command to configure OSPF routing for IPv6 traffic.
router prefix-list6
Use the new router prefix-list6 command to add, edit, or delete prefix lists for IPv6
traffic. A prefix list is an enhanced version of an access list that allows you to control the
length of the prefix netmask.
Tip: An IPv6 command is often denoted by the number 6 at the end of the command.
router ripng
Use this command to configure FortiGate support for RIPng. RIPng is the next generation
(ng) version of RIP that supports IPv6. See RFC 2080 for details about RIPng for IPv6.
get router info6 {bgp | ospf | protocols | rip}
Use these new commands to display information about the IPv6 dynamic routing
protocols. The get router info6 protocols command returns information about all
of the protocols.
IPv6 DNS
In FortiOS 4.0 MR1, you can configure DNS server addresses for IPv6 traffic. For more
information about IPv6 DNS, see Configuring Networking Options on page 176.
IPv6 Transparent mode
FortiOS 4.0 MR1 supports IPv6 traffic in Transparent mode.
IPv6 administrative access
You can configure remote administration over an IPv6 network. This is possible because
of changes to network interface and administrator configurations. For more information,
see Configuring an administrator account on page 244.
Network interface changes for IPv6
In the web-based manager, the network interface configuration (go to System > Network >
Interface) provides new fields for the IPv6 Address and IPv6 Administrative Access. By
default, no administrative access is enabled for IPv6. In previous FortiOS releases, only
ping administrative access was available for IPv6.
For more information, see Configuring interfaces on page 145.
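The following is an added example, not from this guide, that serves two passages: the space-delimited option list convention in Table 2 (Command syntax), whose canonical instance is the per-interface allowaccess list, and the new IPv6 administrative access described above. The interface name port1, the management addresses and the 2001:db8:1::/64 prefix are constructed for illustration; that IPv6 access is set with ip6-address and ip6-allowaccess inside a config ipv6 sub-table is an assumption based on the interface changes described in this section.

```fortios
# Added example (not from the guide): least-privilege administrative access on one
# interface, for IPv4 and the new IPv6 controls. Names and addresses are constructed.
config system interface
    edit "port1"
        set ip 192.168.1.99 255.255.255.0
        # Space-delimited, non-mutually-exclusive list (Table 2): enable only
        # encrypted management plus ping for reachability checks. No http, no telnet.
        set allowaccess ping https ssh
        config ipv6
            # New in 4.0 MR1: IPv6 administrative access is separate from IPv4 and is
            # empty by default, so nothing is reachable over IPv6 until it is listed here.
            set ip6-address 2001:db8:1::99/64
            set ip6-allowaccess ping https ssh
        end
    next
end

# Adding a protocol later means re-typing the whole list (Table 2 note).
# "set allowaccess snmp" on its own would replace the list with snmp only and
# lock out https and ssh; the correct form is:
config system interface
    edit "port1"
        set allowaccess ping https snmp ssh
    next
end
```

Audit the result with show system interface port1 and confirm that no interface facing an untrusted network lists http or telnet, in either the IPv4 or the IPv6 access list.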
UTM features support IPv6 traffic
FortiOS Version 4.0 MR1 can perform antivirus scanning on IPv6 traffic. As with IPv4
traffic, in the firewall policy you select a protection profile that includes AV scanning.
URL filtering using FortiGuard ratings, local ratings or local categories is supported for
IPv6 traffic. Rating by IP address is not supported.
Note: IPS for IPv6 traffic is supported using DoS policy in both Transparent and
NAT/Route mode (same as 4.0).
HTTP basic authentication in firewall policies
HTTP basic authentication uses an authentication dialog box that is built into the browser
instead of an HTML form. This type of authentication is useful for mobile devices that
cannot work with HTML forms.
You can enable HTTP basic authentication at the VDOM level using a new option in the
user settings from the FortiGate CLI:
config user setting
    set auth-http-basic {disable | enable}
end
VDOM dashboard
In previous FortiOS versions, only administrators with the super_admin profile could view
the dashboard. In FortiOS 4.0 MR1, VDOM administrators see their own VDOM-specific
dashboard when they log in or go to System > Status. The super_admin can view only the
global dashboard.
For more information, see VDOM and global dashboards on page 68.
IPsec protocol improvements
The following IPSec Protocol improvements have been added to FortiOS 4.0 MR1.
Support for IKE v2
FortiOS 4.0 MR1 supports IKEv2 (RFC 4306) for route-based VPNs only. Selecting the
IKE version is part of IPSec VPN Phase 1 advanced settings.
For more information, see Defining phase 1 advanced settings on page 608.
Support for DH-2048 (Group 14)
In Phase 1 and Phase 2 auto-key IPsec VPN configurations, Diffie-Hellman Group 14 is
available. This provides a key strength of 2048 bits. In previous releases of FortiOS,
group 14 was available only in FIPS-CC mode.
In the web-based manager, you go to VPN > IPsec > Auto Key to create Phase 1 or
Phase 2 configurations. For both Phase 1 and Phase 2, the Diffie-Hellman groups
selection is part of the Advanced settings.
For more information, see Defining phase 1 advanced settings on page 608.
Support for SHA256
In FortiOS 4.0 MR1, you can use the SHA256 authentication digest, which is more secure
than the SHA1 and MD5 algorithms. The SHA256 option is available in the web-based
manager locations:
P1 Proposal, Authentication in VPN > IPsec > Auto Key (IKE) > Create Phase 1. See
Creating a new phase 1 configuration on page 606.
P2 Proposal, Authentication in VPN > IPsec > Auto Key (IKE) > Create Phase 2. See
Creating a new phase 2 configuration on page 611.
Authentication Algorithm, in VPN > IPsec > Manual Key > Create New. See Creating
a new manual key configuration on page 614.
Auto-configuration of IPsec VPNs
FortiOS Version 4.0 MR1 supports automatic configuration of IPsec VPNs using the
proposed IKE Configuration Method described in The ISAKMP Configuration Method
(draft-dukes-ike-mode-cfg-02). Several network equipment vendors support IKE
Configuration Method, which is an alternative to DHCP over IPSec.
Dialup VPN clients connect to a FortiGate unit that acts as a VPN server, providing the
client the necessary configuration information to establish a VPN tunnel. The configuration
information typically includes a virtual IP address, netmask, and DNS server address.
IKE Configuration Method is available only for VPNs that are interface-based, also known
as route-based. A FortiGate unit can function as either an IKE Configuration Method
server or client.
IPsec Phase 1 configuration for IKE Configuration Method
The IKE Configuration Method is available only through the CLI. The mode-cfg keyword
enables IKE Configuration Method. The type keyword, although unchanged from
previous releases, determines whether you are creating a server or a client. Setting type
to dynamic creates a server configuration; otherwise the configuration is a client.
The following syntax lists only the keywords that pertain to IKE Configuration Method. All
of these keywords can be used to configure a server. Required keywords are interface,
proposal, and either ip4-start-ip, ip4-end-ip and ipv4-netmask or
ip6-start-ip, ip6-end-ip and ip6-prefix, depending on the value of
mode-cfg-ip-version.
To configure a client, the required keywords are interface, remote-gw, and
proposal.
IPsec Phase 2 configuration for IKE Configuration Method
The IKE Configuration Method is available only through the CLI. There are several
changes to the phase2-interface configuration when IKE Configuration Method is
configured in the corresponding phase1-interface configuration.
The dhcp-ipsec keyword is not available if the corresponding phase1-interface has
mode-cfg enabled. IKE Configuration Method is an alternative to DHCP over IPsec.
The keywords beginning with src- and dst- are not available if the corresponding
phase1-interface configuration has mode-cfg enabled and type is set to static
or ddns. This is the configuration for an IKE Configuration Method client, which receives
information about destination subnets from the server and thus must not specify any traffic
selectors itself.
Integral basic DNS server
FortiOS 4.0 MR1 provides DNS service that you can make available on your networks. It
can resolve local domain names and optionally recurse to the DNS server configured for
the FortiGate unit.
Creating local DNS entries
In the web-based manager, you first go to System > Network > DNS Database to
configure local DNS entries. This configuration is available per VDOM and globally. After
creating the DNS zone, you add DNS entries.
For more information, see Configuring FortiGate DNS services on page 177.
Enabling DNS on an interface
In FortiOS 4.0 MR1, DNS relay can be configured on any FortiGate model for any network
interface. To enable DNS on an interface, go to System > Network > Interface and select
an interface to edit. Select DNS Query and then choose one of the following options:
recursive: Look up a domain name in the local database. If the entry is not found,
relay the request to the DNS server configured for the FortiGate unit.
non-recursive: Look up a domain name in the local database. Do not relay the request
to the DNS server configured for the FortiGate unit.
For more information, see Configuring interface settings on page 151.
Per-VDOM DNS configuration
In FortiOS 4.0 MR1, from the CLI you can optionally define separate DNS servers for each
non-management VDOM. The management VDOM always uses the global DNS servers.
You configure the global DNS servers using the CLI command config system dns.
The VDOM-level configuration is similar, using config system vdom-dns.
Password policy
Optionally, you can set a password policy to require more secure passwords than the
FortiGate defaults. The password policy can apply to administrators or IPsec VPN pre-
shared keys. You can:
require the use of special characters in the password
require periodic password changes
set a minimum amount of change in the new password (available in CLI only).
For more information, see Settings on page 261.
Use LDAP groups in firewall and SSL-VPN authentication
Membership in specific user groups on an LDAP server can be part of the authentication
requirements for firewall or SSL VPN users. This enables you to use the group
memberships on a Windows AD system to control user access to resources on the
FortiGate unit.
In the CLI, when you define a FortiGate user group, you can specify the required LDAP
server user group memberships using the new ldap-memberof keyword.
    config user group
        edit <FGTgroupname>
            set group-type {sslvpn | firewall}
            set member <user1> [<user2>] [<usern>...]
            set ldap-memberof <LDAPgroupstring>
        end
<LDAPgroupstring> is an LDAP Distinguished Name (DN) specifying the group, for
example, CN=group1,CN=Users,DC=test,DC=com. You can specify multiple groups by
separating the group DNs with a semicolon (;).
When the FortiGate unit authenticates an LDAP user in the FortiGate user group, the
user's group memberships on the LDAP server must match at least one of the groups
listed in the ldap-memberof keyword value.
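An added example (Python, not FortiOS code) of the matching rule just described: the ldap-memberof value is split on semicolons into group DNs, and the user passes if at least one DN from the user's memberOf attribute matches one of them. The DN normalization (case-insensitive comparison, whitespace around separators ignored, backslash escapes kept) and the sample DNs are assumptions made for this example.

```python
"""Added example (not FortiOS code): apply the rule on the page that an LDAP
user must belong to at least one of the groups listed in ldap-memberof, where
the value is one or more group DNs separated by semicolons.

Assumptions for this example: the user's groups are the DN strings from the
LDAP memberOf attribute; DN comparison ignores case and whitespace around the
separators, and backslash-escaped separators stay part of the value.
"""
from typing import List

# Constructed ldap-memberof value (two groups, semicolon-separated).
LDAP_MEMBEROF = "CN=group1,CN=Users,DC=test,DC=com; CN=vpn-users,OU=Groups,DC=test,DC=com"


def split_unescaped(value: str, sep: str) -> List[str]:
    """Split on sep, keeping backslash-escaped occurrences inside the value."""
    parts: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in value:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def normalize_dn(dn: str) -> str:
    """Canonical DN: lowercase, trimmed RDNs, no spaces around '=' or ','."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr_type, _, attr_value = rdn.partition("=")
        rdns.append(f"{attr_type.strip().lower()}={attr_value.strip().lower()}")
    return ",".join(rdns)


def parse_ldap_memberof(setting: str) -> List[str]:
    """Group DNs from the ldap-memberof keyword value, normalized."""
    return [normalize_dn(dn) for dn in split_unescaped(setting, ";") if dn.strip()]


def user_satisfies_group_requirement(user_memberof: List[str], setting: str) -> bool:
    """True if at least one of the user's groups is listed in the setting."""
    required = set(parse_ldap_memberof(setting))
    actual = {normalize_dn(dn) for dn in user_memberof}
    return not required.isdisjoint(actual)
```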
Traffic shaping enhancements
FortiOS 4.0 MR1 introduces accounting, traffic quotas, and per-IP traffic shaping. The
existing traffic shaper is now called a shared traffic shaper.
Shared traffic shaping
The traffic shaper is renamed to Shared Traffic Shaper. To configure shared traffic
shapers, go to Firewall > Traffic Shaper > Shared. Traffic shaping options are unchanged
from the previous version, but accounting and traffic quota options have been added. See
Shared traffic shaping, below.
Per-IP traffic shaping
In FortiOS 4.0 MR1, you can configure traffic shaping that is applied per IP address,
instead of per policy or per shaper. As with the shared traffic shaper, you select the per-IP
traffic shaper in firewall policies. For more information, see Configuring Per IP traffic
shaping on page 419.
Accounting and quota enforcement
Both the shared and per-IP traffic shapers provide traffic accounting with enforceable
quotas. For more information, see Accounting and quota enforcement on page 420.
Logging enhancements
Due to the new per-VDOM FortiAnalyzer unit feature, there are some general changes to
logging configuration.
Web-based manager changes
On the Log&Report > Log Config > Log Setting page, the logging device radio buttons
are now check boxes. You can enable multiple logging devices. See Configuring how
a FortiGate unit stores logs on page 704.
Automatic FortiAnalyzer discovery is now available only in the CLI.
For local logs on FortiGate units with hard disks, the new SQL log storage format is the
default for all log types except DLP archiving and traffic logs. SQL log storage is the
only format from which you can generate reports. DLP archiving is not available in SQL
format. See Configuring how a FortiGate unit stores logs on page 704.
CLI changes
In the CLI, the global FortiAnalyzer configuration has moved from
system fortianalyzer to log fortianalyzer setting. The keywords within the
command are unchanged.
Support for per-VDOM FortiAnalyzer units or syslog devices
FortiOS 4.0 MR1 supports the use of multiple FortiAnalyzer units or syslog devices that
are configurable per-VDOM. By default, VDOMs use the global remote logging and
quarantine configuration. Currently, per-VDOM remote logging configuration is available
only in the CLI.
If you want to use a different FortiAnalyzer or syslog configuration for your VDOM, you
must override the global configuration using the following commands:
    {fortianalyzer | syslogd} override-filter
    fortianalyzer override-setting
    syslogd override-setting
    antivirus quar-override-setting
SQL log format for Executive Summary reports
On FortiGate units that contain a hard drive, you can display Executive Summary reports
based on logs stored in an SQL database. The log messages are stored in text format in
the database.
You can also customize the appearance of existing reports and create new reports from
the FortiGate CLI using the config report CLI commands.
For more information, see Viewing Executive Summary reports from SQL logs on
page 724.
Antivirus changes
For FortiOS 4.0 MR1, if you enable VDOMs, all UTM > Antivirus options are now
configured separately for each VDOM. In FortiOS 4.0 GA, only administrators with global
access could configure and manage the file quarantine, view the virus list, and configure
the grayware list.
In addition, the following antivirus functionality has been renamed or moved:
Go to Log & Report > Quarantined Files to view the quarantined files list. The
functionality of the quarantined files list is unchanged except that with VDOMs
enabled, the Quarantined files list is now available for each VDOM and only shows
files quarantined from that VDOM.
UTM > Antivirus > Quarantine was UTM > Antivirus > Config. Functionality is
unchanged.
Go to UTM > Virus Database to view information about the current virus database on
the FortiGate unit. For FortiGate units that support the extended virus database, you
can go to UTM > Virus Database and select the virus database to use for virus
scanning. With VDOMs enabled, you select the virus database to use for virus
scanning for the VDOM.
For FortiGate units that support the extended virus database, you can select the virus
database to use for individual protection profiles from the CLI. The Protection Profile
Antivirus > Extended AV Database option has been removed from the web-based
manager. New CLI options for selecting the antivirus database for a protection profile
are available for each protocol. For example, to select the antivirus database in the
scan protection profile for http and for FTP, enter:
    config firewall profile
        edit scan
            set http-avdb {default | extended | normal}
            set ftp-avdb {default | extended | normal}
        end
Go to UTM > Virus Database to enable grayware detection. The previous UTM >
Grayware page has been removed and you can no longer enable or disable individual
grayware categories.
For more information, see Selecting the virus database on page 519.
Reliable syslog
Reliable syslog protects log information through authentication and data encryption and
ensures that the log messages are reliably delivered in order. FortiOS 4.0 MR1
implements the RAW profile of RFC 3195. You can configure this feature only in the CLI.
For more information, see Remote logging to a syslog server on page 707.
Web filtering combined block/exempt list
FortiOS 4.0 MR1 combines the Web Content Block and Web Content Exempt lists into
one list. Go to Web Filter > Web Content. As before, you first create a list and then add
entries. In the Action field, you select Block or Exempt. The new entry dialog box looks like
this:
In the CLI, config webfilter content replaces config webfilter block and
config webfilter exempt.
For more information, see Web content filter on page 544.
Web filtering by content header
FortiOS 4.0 MR1 introduces web filtering by MIME content header. You can use this
feature to broadly block content by type. But it is also useful to exempt audio and video
streaming files from antivirus scanning. Scanning these file types can be problematic.
The content header list is available in the CLI only, under the command config
webfilter content-header.
Safe search
FortiOS 4.0 MR1 can prevent users from disabling the safe search feature of the Google,
Yahoo!, or Bing search engines. This is important in environments such as education
where web filtering is used to block sites with inappropriate content. If users can bypass
the search engine safe search feature, the returned search results can contain
inappropriate material in either summary text or thumbnail images.
Safe search is enabled in the Web Filtering part of a protection profile.
For more information, see Web Filtering options on page 480.
Data Leak Prevention supports international character sets
Data Leak Prevention (DLP) in FortiOS Version 4.0 MR1 has improved the ability to detect
data leaks where international character sets are used. DLP performs text comparisons
according to its rules after converting the text to UTF-8.
Because character sets are not always accurately indicated in HTTP posts, you can
optionally specify up to five character set encodings that will be checked in addition to the
indicated character set. This feature can affect performance, however. You can configure
this feature only in the CLI:
    config firewall profile
        edit <profile_name>
            set http-post-lang [<charset1> ... <charset5>]
        end
To view the list of available character sets, enter set http-post-lang ? from within
the edit shell for the profile.
For more information, see Character sets and Web content filtering, Email filtering
banned word, and DLP scanning on page 483.
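An added example (Python, not FortiOS code) of why the extra candidate character sets matter: a constructed POST body holds Shift_JIS text while its header claims ISO-8859-1, so a comparison under the declared charset alone misses the banned phrase, whereas trying up to five configured fallback charsets and comparing in Unicode finds it. The charset names, the banned phrase and the sample body are constructed for this example.

```python
"""Added example (not FortiOS code): why DLP compares text in Unicode and why
extra candidate charsets (the http-post-lang list) can matter.

Constructed input: a POST body whose bytes are Shift_JIS but whose Content-Type
claims ISO-8859-1. Charset names and the banned phrase are assumptions.
"""
import unicodedata
from typing import List, Optional, Tuple

MAX_EXTRA_CHARSETS = 5  # the page allows up to five additional charsets

# Constructed sample POST body: "社外秘の資料" (internal-only material) in Shift_JIS.
POST_BODY = b"comment=" + "社外秘の資料".encode("shift_jis")
BANNED_PHRASES = ["社外秘"]  # constructed DLP rule


def normalize(text: str) -> str:
    """Canonical Unicode form so width and case variants compare equal."""
    return unicodedata.normalize("NFKC", text).casefold()


def decode_as(body: bytes, charset: str) -> Optional[str]:
    """Strict decode; None if the bytes are not valid in this charset."""
    try:
        return body.decode(charset)
    except (UnicodeDecodeError, LookupError):
        return None


def candidate_charsets(declared: Optional[str], extra: List[str]) -> List[str]:
    """Declared charset first, then the configured extras, without duplicates."""
    if len(extra) > MAX_EXTRA_CHARSETS:
        raise ValueError(f"at most {MAX_EXTRA_CHARSETS} extra charsets allowed")
    ordered: List[str] = []
    for cs in ([declared] if declared else []) + extra:
        key = cs.lower()
        if key not in ordered:
            ordered.append(key)
    return ordered


def find_leak(body: bytes, declared: Optional[str], extra: List[str],
              banned: List[str]) -> Optional[Tuple[str, str]]:
    """Return (charset, phrase) for the first decoding that reveals a banned
    phrase, or None. ISO-8859-1 accepts every byte value, so a wrong declared
    charset silently yields mojibake instead of a decode error."""
    targets = [normalize(p) for p in banned]
    for cs in candidate_charsets(declared, extra):
        text = decode_as(body, cs)
        if text is None:
            continue  # e.g. Shift_JIS bytes are not valid EUC-JP
        haystack = normalize(text)
        for original, wanted in zip(banned, targets):
            if wanted in haystack:
                return (cs, original)
    return None
```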
SNMPv3 enhancements
FortiOS 4.0 introduced basic support for SNMPv3, the latest version of the Simple
Network Management Protocol. FortiOS Version 4.0 MR1 adds support for:
snmpEngineID
user authentication and encryption capabilities.
You can configure these new features only in the CLI.
Support for snmpEngineID
FortiOS 4.0 MR1 adds the SNMPv3 snmpEngineID value defined in RFC3414.
Each SNMP engine maintains a value, snmpEngineID, which uniquely identifies the
SNMP engine. This value is included in each message sent to or from the SNMP engine.
In FortiOS 4.0 MR1, the snmpEngineID is composed of two parts:
Fortinet prefix 0x8000304404
the engine-id string, 24 characters maximum, defined in the CLI
config system snmp sysinfo command
The snmpEngineID is optional, so you are not required to define an engine-id value.
To specify engine-id
    config system snmp sysinfo
        set engine-id <string>
    end
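An added example (Python, not FortiOS code) that assembles and decodes the snmpEngineID as the page describes it: the prefix 0x8000304404 followed by the engine-id string of at most 24 characters. Reading the prefix as RFC 3411 fields (new-format flag, enterprise number 12356, format octet 4 = text) is my interpretation of that value, and the engine-id strings are constructed.

```python
"""Added example (not FortiOS code): compose and decode the SNMPv3 snmpEngineID
described on the page: the Fortinet prefix 0x8000304404 followed by the
engine-id string of at most 24 characters.

Reading the prefix as RFC 3411 fields (new-format flag, enterprise number,
format octet) is my interpretation; the engine-id strings are constructed.
"""
from typing import Any, Dict

FORTINET_PREFIX = bytes.fromhex("8000304404")  # value given on the page
MAX_ENGINE_ID_CHARS = 24                        # limit given on the page
FORMAT_TEXT = 4                                 # RFC 3411 format octet: text


def build_engine_id(engine_id: str) -> bytes:
    """Return the on-the-wire snmpEngineID for a configured engine-id string."""
    if not engine_id:
        raise ValueError("engine-id must not be empty")
    if len(engine_id) > MAX_ENGINE_ID_CHARS:
        raise ValueError(f"engine-id longer than {MAX_ENGINE_ID_CHARS} characters")
    try:
        data = engine_id.encode("ascii")
    except UnicodeEncodeError as exc:
        raise ValueError("engine-id must be ASCII") from exc
    return FORTINET_PREFIX + data


def parse_engine_id(raw: bytes) -> Dict[str, Any]:
    """Decode an snmpEngineID into its RFC 3411 fields.

    Octets 0-3 carry the new-format flag (high bit) and the enterprise number;
    octet 4 is the format; the rest is format-specific data.
    """
    if not 5 <= len(raw) <= 32:
        raise ValueError("snmpEngineID must be 5 to 32 octets")
    if not raw[0] & 0x80:
        raise ValueError("old-format engineID (first bit clear) has no enterprise/format fields")
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
    fmt = raw[4]
    text = raw[5:].decode("ascii") if fmt == FORMAT_TEXT else None
    return {"enterprise": enterprise, "format": fmt, "text": text, "hex": raw.hex()}


def is_fortinet_engine_id(raw: bytes) -> bool:
    """True if the value carries the Fortinet prefix the page describes."""
    return raw.startswith(FORTINET_PREFIX)
```

Because the engine-id is administratively assigned, two units given the same string produce the same snmpEngineID, which defeats the identifier's purpose; the example lets you check candidate values before committing them.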
Authentication and privacy
FortiOS 4.0 MR1 SNMP implements the user security model of RFC 3414. You can
require the user to authenticate with a password and you can use encryption to protect the
communication with the user.
The following syntax description includes only the new keywords related to security.
    config system snmp user
        edit <user_name>
            set security-level <slevel>
            set auth-proto {md5 | sha}
            set auth-pwd <password>
            set priv-proto {aes | des}
            set priv-pwd <key>
        end
Schedule groups
You can now create schedule groups, similar to address groups or service groups. In a
firewall policy you can select either an individual schedule or a schedule group.
For more information, see Configuring schedule groups on page 413.
RAID support
Some FortiGate units that contain multiple hard disks also support redundant array of
independent disks (RAID). For more information, see Configuring the RAID array on
page 94.
Web-based manager
This section describes the features of the user-friendly web-based manager administrative
interface (sometimes referred to as a graphical user interface, or GUI) of your FortiGate
unit.
Using HTTP or a secure HTTPS connection from any management computer running a
web browser, you can connect to the FortiGate web-based manager to configure and
manage the FortiGate unit. The recommended minimum screen resolution for the
management computer is 1280 by 1024. Some of the information displayed by the
web-based manager uses features supported only by the most recent versions of the most
popular web browsers. Older versions of these web browsers may not always work
correctly with the web-based manager.
You can configure the FortiGate unit for HTTP and HTTPS web-based administration from
any FortiGate interface. To connect to the web-based manager you require a FortiGate
administrator account and password. The web-based manager supports multiple
languages, but by default appears in English on first use.
You can go to System > Status to view detailed information about the status of your
FortiGate unit on the system dashboard. The dashboard displays information such as the
current FortiOS firmware version, antivirus and IPS definition versions, operation mode,
connected interfaces, and system resources. It also shows whether the FortiGate unit is
connected to a FortiAnalyzer unit and a FortiManager unit or other central management
services.
You can use the web-based manager menus, lists, and configuration pages to configure
most FortiGate settings. Configuration changes made using the web-based manager take
effect immediately without resetting the FortiGate unit or interrupting service. You can
back up your configuration at any time using the Backup Configuration button on the
button bar. The button bar is located in the upper right corner of the web-based manager.
The saved configuration can be restored at any time.
The web-based manager also includes detailed context-sensitive online help. Selecting
Online Help on the button bar displays help for the current web-based manager page.
You can use the FortiGate command line interface (CLI) to configure the same FortiGate
settings that you can configure from the web-based manager, as well as additional CLI-
only settings. The system dashboard provides an easy entry point to the CLI console that
you can use without exiting the web-based manager.
This section describes:
Common web-based manager tasks
Changing your FortiGate administrator password
Changing the web-based manager language
Changing administrative access to your FortiGate unit
Changing the web-based manager idle timeout
Connecting to the FortiGate CLI from the web-based manager
Button bar features
Contacting Customer Support
Backing up your FortiGate configuration
Using FortiGate Online Help
Logging out
Web-based manager pages
Web-based manager icons
Common web-based manager tasks
This section describes the following common web-based manager tasks:
Connecting to the web-based manager
Changing your FortiGate administrator password
Changing the web-based manager language
Changing administrative access to your FortiGate unit
Changing the web-based manager idle timeout
Connecting to the FortiGate CLI from the web-based manager
Connecting to the web-based manager
To connect to the web-based manager, you require:
a FortiGate unit connected to your network according to the instructions in the
QuickStart Guide and Install Guide for your FortiGate unit
the IP address of a FortiGate interface that you can connect to
a computer with an Ethernet connection to a network that can connect to the FortiGate
unit
a supported web browser. See the Knowledge Center articles Supported Windows web
browsers and Using a Macintosh and the web-based manager.
To connect to the web-based manager
1 Start your web browser and browse to https:// followed by the IP address of the
FortiGate unit interface that you can connect to.
For example, if the IP address is 192.168.1.99, browse to https://192.168.1.99.
(remember to include the s in https://).
To support a secure HTTPS authentication method, the FortiGate unit ships with a self-
signed security certificate, which is offered to remote clients whenever they initiate a
HTTPS connection to the FortiGate unit. When you connect, the FortiGate unit
displays two security warnings in a browser.
The first warning prompts you to accept and optionally install the FortiGate unit's self-
signed security certificate. If you do not accept the certificate, the FortiGate unit
refuses the connection. If you accept the certificate, the FortiGate login page appears.
The credentials entered are encrypted before they are sent to the FortiGate unit. If you
choose to accept the certificate permanently, the warning is not displayed again.
Just before the FortiGate login page is displayed, a second warning informs you that
the FortiGate certificate distinguished name differs from the original request. This
warning occurs because the FortiGate unit redirects the connection. This is an
informational message. Select OK to continue logging in.
2 Type admin or the name of a configured administrator in the Name field.
3 Type the password for the administrator account in the Password field.
4 Select Login.
Changing your FortiGate administrator password
By default you can log into the web-based manager by using the admin administrator
account and no password. You should add a password to the admin administrator account
to prevent anybody from logging into the FortiGate and changing configuration options.
For improved security you should regularly change the admin administrator account
password and the passwords for any other administrator accounts that you add.
To change an administrator account password
1 Go to System > Admin > Administrators.
This web-based manager page lists the administrator accounts that can log into the
FortiGate unit. The default configuration includes the admin administrator account.
2 Select the Change Password icon and enter a new password.
3 Select OK.
Changing the web-based manager language
You can change the web-based manager display language to English, Simplified
Chinese, Japanese, Korean, Spanish, Traditional Chinese, or French. For best results,
you should select the language that the management computer operating system uses.
To change the web-based manager language
1 Go to System > Admin > Settings.
2 Under display settings, select the web-based manager display language.
3 Select Apply.
The web-based manager displays the dashboard in the selected language. All
web-based manager pages are displayed with the selected language.
Note: See the Fortinet Knowledge Center article Recovering lost administrator account
passwords if you forget or lose an administrator account password and cannot log into your
FortiGate unit.
Note: You can also add new administrator accounts by selecting Create New. For more
information about adding administrators, changing administrator account passwords and
related configuration settings, see System Admin on page 241.
Figure 1: System > Admin > Settings displayed in Simplified Chinese
Changing administrative access to your FortiGate unit
Through administrative access an administrator can connect to the FortiGate unit to view
and change configuration settings. The default configuration of your FortiGate unit allows
administrative access to one or more of the interfaces of the unit as described in your
FortiGate unit QuickStart Guide and Install Guide.
You can change administrative access by:
enabling or disabling administrative access from any FortiGate interface
enabling or disabling secure HTTPS administrative access to the web-based
manager (recommended)
enabling or disabling HTTP administrative access to the web-based manager (not
recommended)
enabling or disabling secure SSH administrative access to the CLI (recommended)
enabling or disabling SSH or Telnet administrative access to the CLI (not
recommended).
To change administrative access to your FortiGate unit
1 Go to System > Network > Interface.
2 Choose an interface for which to change administrative access and select Edit.
3 Select one or more Administrative Access types for the interface.
4 Select OK.
For more information about changing administrative access see Configuring
administrative access to an interface on page 165.
Changing the web-based manager idle timeout
By default, the web-based manager disconnects administrative sessions if no activity
takes place for 5 minutes. This idle timeout is recommended to prevent someone from
using the web-based manager from a PC that is logged into the web-based manager and
then left unattended. However, you can use the following steps to change this idle timeout.
To change the web-based manager idle timeout
1 Go to System > Admin > Settings.
2 Change the Idle Timeout minutes as required.
3 Select Apply.
Connecting to the FortiGate CLI from the web-based manager
You can connect to the FortiGate CLI from the web-based manager dashboard by using
the CLI console widget. You can use the CLI to configure all configuration options
available from the web-based manager. Some configuration options are available only
from the CLI. As well, you can use the CLI to enter diagnose commands and perform
other advanced operations that are not available from the web-based manager. For more
information about the FortiGate CLI see the FortiGate CLI Reference.
To connect to the FortiGate CLI from the web-based manager
1 Go to System > Status.
2 Locate and select the CLI Console.
Selecting the CLI console logs you into the CLI. For more information, see CLI
Console on page 79.
Button bar features
The button bar in the upper right corner of the web-based manager provides access to
several important FortiGate features.
Figure 2: Web-based manager button bar
Contacting Customer Support
The Contact Customer Support button opens the Fortinet Support web page in a new
browser window. From this page you can:
visit the Fortinet Knowledge Center
log into Customer Support (Support Login)
register your Fortinet product (Product Registration)
view Fortinet Product End of Life information
find out about Fortinet Training and Certification
visit the FortiGuard Center.
You must register your Fortinet product to receive product updates, technical support, and
FortiGuard services. To register a Fortinet product, go to Product Registration and follow
the instructions.
Backing up your FortiGate configuration
The Backup Configuration button opens a dialog box for backing up your FortiGate
configuration to:
the local PC that you are using to manage the FortiGate unit.
a management station. This can be a FortiManager unit or the FortiGuard
Management Service. This option changes depending on your central management
configuration (see Central Management on page 260).
a USB disk, if your FortiGate unit has a USB port and you have connected a USB disk
to it (see Formatting USB Disks on page 296).
For more information, see Backing up and restoring on page 290.
Figure 3: Backing up your FortiGate configuration
Using FortiGate Online Help
The Online Help button displays context-sensitive online help for the current web-based
manager page. The online help page that is displayed is called a content pane and
contains information and procedures related to the current web-based manager page.
Most help pages also contain hyperlinks to related topics. The online help system also
includes a number of links that you can use to find additional information.
FortiGate context-sensitive online help topics also include a VDOM or Global icon to
indicate whether the web-based manager page is for VDOM-specific or global
configuration settings. VDOM and Global configuration settings apply only to a FortiGate
unit operating with virtual domains enabled. If you are not operating your FortiGate unit
with virtual domains enabled, you can ignore the VDOM and Global icons. For more
information about virtual domains, see Using virtual domains on page 125.
Figure 4: A context-sensitive online help page (content pane only)
To view the online help table of contents or index, and to use the search feature, select
Online Help in the button bar in the upper right corner of the web-based manager. From
the online help, select Show Navigation.
Figure 5: Online help page with navigation pane and content pane
Show Navigation: Open the online help navigation pane. From the navigation pane you can use the online help table of contents, index, and search to access all of the information in the online help. The online help is organized in the same way as the FortiGate web-based manager and the FortiGate Administration Guide.
Previous: Display the previous page in the online help.
Next: Display the next page in the online help.
Email: Send an email to Fortinet Technical Documentation at techdoc@fortinet.com if you have comments on or corrections for the online help or any other Fortinet technical documentation product.
Print: Print the current online help page.
Bookmark: Add an entry for this online help page to your browser bookmarks or favorites list to make it easier to find useful online help pages. Not supported by all browsers.
VDOM icon: When you select help for a VDOM configuration settings web-based manager page the help display includes the VDOM icon. For information about VDOM configuration settings, see VDOM configuration settings on page 126.
Global icon: When you select help for a Global configuration settings web-based manager page the help display includes the Global icon. For information about Global configuration settings, see Global configuration settings on page 129.
Searching the online help
Using the online help search, you can search for one word or multiple words in the full text
of the FortiGate online help system. Please note the following:
If you search for multiple words, the search finds only those help pages that contain all
of the words that you entered. The search does not find help pages that only contain
one of the words that you entered.
The help pages found by the search are ranked in order of relevance. The higher the
ranking, the more likely the help page includes useful or detailed information about the
word or words that you are searching for. Help pages with the search words in the help
page title are ranked highest.
You can use the asterisk (*) as a search wildcard character that is replaced by any
number of characters. For example, if you search for auth* the search finds help pages
containing auth, authenticate, authentication, authenticates, and so on.
In some cases the search finds only exact matches. For example, if you search for
windows the search may not find pages containing the word window. You can work
around this using the * wildcard (for example by searching for window*).
To search in the online help system
1 From any web-based manager page, select the online help button.
2 Select Show Navigation.
3 Select Search.
4 In the search field, enter one or more words to search for and then press the Enter key
on your keyboard or select Go.
The search results pane lists the names of all the online help pages that contain all the
words that you entered. Select a name from the list to display that help page.
Contents Display the online help table of contents. You can navigate through the
table of contents to find information in the online help. The online help
is organized in the same way as the FortiGate web-based manager
and the FortiGate Administration Guide.
Index Display the online help index. You can use the index to find
information in the online help.
Search Display the online help search. For more information, see Searching
the online help on page 54.
Show in Contents If you have used the index, search, or hyperlinks to find information in
the online help, the table of contents may not be visible or the table of
contents may be out of sync with the current help page. You can select
Show in Contents to display the location of the current help page
within the table of contents.
Figure 6: Searching the online help system
Using the keyboard to navigate in the online help
You can use the keyboard shortcuts listed in Table 3 to display and find information in the
online help.
Logging out
The Logout button immediately logs you out of the web-based manager. Log out before
you close the browser window. If you simply close the browser or leave the web-based
manager, you remain logged in until the idle timeout (default 5 minutes) expires. To
change the timeout, see Changing the web-based manager idle timeout on page 50.
Web-based manager pages
The web-based manager interface consists of a menu and pages. Many of the pages
have multiple tabs. When you select a menu item, such as System, the web-based
manager expands to reveal a submenu. When you select one of the submenu items, the
associated page opens at its first tab. To view a different tab, select the tab.
The procedures in this manual direct you to a page by specifying the menu item, the
submenu item and the tab, for example:
1 Go to System > Network > Interface.
Table 3: Online help navigation keys
Key Function
Alt+1 Display the table of contents.
Alt+2 Display the index.
Alt+3 Display the Search tab.
Alt+4 Go to the previous page.
Alt+5 Go to the next page.
Alt+7 Send an email to Fortinet Technical Documentation at
techdoc@fortinet.com if you have comments on or corrections for the
online help or any other Fortinet technical documentation product.
Alt+8 Print the current online help page.
Alt+9 Add an entry for this online help page to your browser bookmarks or
favorites list, to make it easier to find useful online help pages.
Figure 7: Parts of the web-based manager
Using the web-based manager menu
The web-based manager menu provides access to configuration options for all major
FortiGate features (see Figure 7 on page 56).
System Configure system settings, such as network interfaces, virtual
domains, DHCP services, administrators, certificates, High Availability
(HA), system time and set system options.
Router Configure FortiGate static and dynamic routing and view the router
monitor.
Firewall Configure firewall policies and protection profiles that apply network
protection features. Also configure virtual IP addresses and IP pools.
UTM Configure antivirus and antispam protection, web filtering, intrusion
protection, data leak prevention, and application control.
VPN Configure IPSec and SSL virtual private networking. PPTP is
configured in the CLI.
User Configure user accounts for use with firewall policies that require user
authentication. Also configure external authentication servers such as
RADIUS, LDAP, TACACS+, and Windows AD. Configure monitoring of
Firewall, IPSec, SSL, IM, and Banned Users.
WAN Opt. & Cache Configure WAN optimization and web caching to improve
performance and security of traffic passing between locations on your
wide area network (WAN) or from the Internet to your web servers.
Endpoint NAC Configure end points, view FortiClient configuration information, and
configure software detection patterns.
Wireless Controller Configure a FortiGate unit to act as a wireless network controller,
managing the wireless Access Point (AP) functionality of FortiWiFi
units.
Log&Report Configure logging and alert email. View log messages and reports.
Using web-based manager lists
Many of the web-based manager pages contain lists. There are lists of network interfaces,
firewall policies, administrators, users, and others.
If you log in as an administrator with an admin profile that allows Read-Write access to a
list, depending on the list you will usually be able to:
select Create New to add a new item to the list
select the Edit icon for a list item to view and change the settings of the item
select the Delete icon for a list item to delete the item. The delete icon will not be
available if the item cannot be deleted. Usually items cannot be deleted if they have
been added to another configuration; you must first find the configuration settings that
the item has been added to and remove the item from them. For example, to delete a
user that has been added to a user group you must first remove the user from the user
group (see Figure 8).
Figure 8: A web-based manager list (read-write access)
If you log in as an administrator with an admin profile that allows Read Only access to a
list, you will only be able to view the items on the list (see Figure 9).
Figure 9: A web-based manager list (read only access)
For more information, see Admin profiles on page 254.
Adding filters to web-based manager lists
You can add filters to control the information that is displayed in complex lists in the
web-based manager. See the following web-based manager pages for examples of lists
with filters:
Session list (see Viewing the current sessions list on page 82)
Firewall policy and IPv6 policy lists (see Viewing the firewall policy list on page 366,
Viewing the DoS policy list on page 380, and Viewing the sniffer policy list on
page 383)
Intrusion protection predefined signatures list (see Viewing the predefined signature
list on page 525)
Firewall user monitor list (see Firewall user monitor list on page 668)
IPSec VPN Monitor (see Monitoring VPNs on page 618)
Endpoint NAC list of known endpoints (see Monitoring endpoints on page 693)
Log and report log access list (see Accessing and viewing log messages on
page 714).
Filters are useful for reducing the number of entries that are displayed on a list so that you
can focus on the information that is important to you.
For example, you can go to System > Status, and, in the Statistics section, select Details
on the Sessions line to view the communications sessions that the FortiGate unit is
currently processing. A busy FortiGate unit may be processing hundreds or thousands of
communications sessions. You can add filters to make it easier to find specific sessions.
For example, you might be looking for all communications sessions being accepted by a
specific firewall policy. You can add a Policy ID filter to display only the sessions for a
particular Policy ID or range of Policy IDs.
You add filters to a web-based manager list by selecting any filter icon to display the Edit
Filters window. From the Edit Filters window you can select any column name to filter, and
configure the filter for that column. You can also add filters for one or more columns at a
time. The filter icon remains gray for unfiltered columns and changes to green for filtered
columns.
Figure 10: An intrusion protection predefined signatures list filtered to display all signatures
containing apache with logging enabled, action set to drop, and severity set to
high
The filter configuration is retained after leaving the web-based manager page and even
after logging out of the web-based manager or rebooting the FortiGate unit.
Different filter styles are available depending on the type of information displayed in
individual columns. In all cases, you configure filters by specifying what to filter on and
whether to display information that matches the filter, or by selecting NOT to display
information that does not match the filter.
On firewall policy, IPv6 policy, predefined signature and log and report log access lists,
you can combine filters with column settings to provide even more control of the
information displayed by the list. See Using filters with column settings on page 63 for
more information.
Filters for columns that contain numbers
If the column includes numbers (for example, IP addresses, firewall policy IDs, or port
numbers) you can filter by a single number or a range of numbers. For example, you could
configure a source address column to display only entries for a single IP address or for all
addresses in a range of addresses. To specify a range, separate the top and bottom
values of the range with a hyphen, for example 25-50.
Note: Filter settings are stored in the FortiGate configuration and will be maintained the
next time that you access any list for which you have added filters.
Figure 11 shows a numeric filter configured to control the source addresses that are
displayed on the session list. In this example, a filter is enabled for the Source Address
column. The filter is configured to display only source addresses in the range of 1.1.1.1-
1.1.1.2. To view the session list, go to System > Status. In the Statistics section, beside
Sessions, select Details.
Figure 11: A session list with a numeric filter set to display sessions with source IP address
in the range of 1.1.1.1-1.1.1.2
Filters for columns containing text strings
If the column includes text strings (for example, names and log messages) you can filter
by a text string. You can also filter information that is an exact match for the text string
(equals), that contains the text string, or that does not equal or does not contain the text
string. You can also specify whether to match the capitalization (case) of the text string.
The text string can be blank and it can also be very long. The text string can also contain
special characters such as <, &, > and so on. However, filtering ignores characters
following a < unless the < is followed by a space (for example, filtering ignores <string
but not < string). Filtering also ignores matched opening and closing < and >
characters and any characters inside them (for example, filtering ignores <string> but
does not ignore >string>).
Figure 12: A firewall policy list filter set to display all policies that do not include a source
address with a name that contains My_Address
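To make the two filter styles concrete, here is a small Python model of them, added as an example; it is not FortiGate code. It parses a single value or a hyphenated range for numeric columns (integers or IPv4 addresses, as in 25-50 or 1.1.1.1-1.1.1.2), applies equals/contains and their NOT forms with optional case matching for text columns, and applies the < and > rule described above to the filter string. How the unit actually tokenizes a filter string is not documented here, so the normalize_text rule is an assumption that reproduces the four examples in the text; the session and policy rows are constructed samples rather than output from a unit, and all function names are invented for this example.

```python
"""Model of the web-based manager list filter styles (added example, not FortiGate code)."""
import ipaddress
import re

# ---- Numeric columns: a single value or a "low-high" range, including IPv4 ranges.

def _to_number(value):
    """IPv4 addresses compare as 32-bit integers; anything else as a plain int."""
    text = str(value).strip()
    if "." in text:
        return int(ipaddress.IPv4Address(text))
    return int(text)


def parse_numeric_filter(spec):
    """'25' -> (25, 25); '25-50' -> (25, 50); '1.1.1.1-1.1.1.2' -> (int, int)."""
    parts = [p.strip() for p in spec.split("-")]
    if len(parts) == 1:
        parts = parts * 2
    if len(parts) != 2:
        raise ValueError(f"expected 'value' or 'low-high', got {spec!r}")
    low, high = _to_number(parts[0]), _to_number(parts[1])
    if low > high:
        raise ValueError(f"range is reversed: {spec!r}")
    return low, high


def numeric_match(spec, value, negate=False):
    """True when value lies inside spec; negate=True models the NOT option."""
    low, high = parse_numeric_filter(spec)
    return (low <= _to_number(value) <= high) != negate


# ---- Text columns: equals / contains and their NOT forms, optional case match.

# Assumed reading of the '<' rule in the text: a matched <...> pair (but not "< ...")
# is dropped together with its contents, an unmatched '<' followed by a non-space
# character drops everything from that '<' to the end, and a bare '>' is kept.
_MATCHED_PAIR = re.compile(r"<(?! )[^<>]*>")
_UNMATCHED_OPEN = re.compile(r"<(?! ).*\Z", re.DOTALL)


def normalize_text(s):
    """Apply the '<' / '>' rule to a filter string."""
    return _UNMATCHED_OPEN.sub("", _MATCHED_PAIR.sub("", s))


def text_match(value, pattern, mode="contains", case_sensitive=False):
    """mode is one of: equals, not_equals, contains, not_contains."""
    pattern = normalize_text(pattern)
    if not case_sensitive:
        value, pattern = value.lower(), pattern.lower()
    if mode == "equals":
        return value == pattern
    if mode == "not_equals":
        return value != pattern
    if mode == "contains":
        return pattern in value
    if mode == "not_contains":
        return pattern not in value
    raise ValueError(f"unknown mode {mode!r}")


def apply_filters(rows, numeric=None, text=None):
    """Keep the rows that satisfy every configured filter (filters combine with AND).

    numeric: {column: (spec, negate)}
    text:    {column: (pattern, mode, case_sensitive)}
    """
    numeric = numeric or {}
    text = text or {}
    kept = []
    for row in rows:
        if not all(numeric_match(spec, row[col], neg) for col, (spec, neg) in numeric.items()):
            continue
        if not all(text_match(str(row[col]), pat, mode, cs) for col, (pat, mode, cs) in text.items()):
            continue
        kept.append(row)
    return kept


# Constructed sample rows (not captured from a FortiGate unit).
SESSIONS = [
    {"src": "1.1.1.1", "dst": "10.0.0.5", "policy_id": 3, "dport": 443},
    {"src": "1.1.1.2", "dst": "10.0.0.7", "policy_id": 7, "dport": 80},
    {"src": "1.1.1.9", "dst": "10.0.0.7", "policy_id": 7, "dport": 22},
]
POLICIES = [
    {"id": 1, "srcaddr": "My_Address_LAN", "action": "accept"},
    {"id": 2, "srcaddr": "all", "action": "accept"},
    {"id": 3, "srcaddr": "DMZ_Hosts", "action": "deny"},
]

if __name__ == "__main__":
    # Figure 11: sessions whose source address is in 1.1.1.1-1.1.1.2
    print(apply_filters(SESSIONS, numeric={"src": ("1.1.1.1-1.1.1.2", False)}))
    # Figure 12: policies whose source address name does not contain My_Address
    print(apply_filters(POLICIES, text={"srcaddr": ("My_Address", "not_contains", False)}))
```

Filters on different columns combine with AND, which is what the text describes for the session list: a Source Address range and a Policy ID filter together show only the sessions matching both.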
Filters for columns that can contain only specific items
For columns that can contain only specific items (for example, a log message severity or a
pre-defined signature action) you can select a single item from a list. In this case, you can
only filter on a single selected item.
Figure 13: An intrusion protection predefined signature list filter set to display all signatures
with Action set to block
Custom filters
Other custom filters are also available. You can filter log messages according to date
range and time range. You can also set the level filter to display log messages with
multiple severity levels.
Figure 14: A log access filter set to display all log messages with level of alert, critical, error,
or warning
Using page controls on web-based manager lists
The web-based manager includes page controls to make it easier to view lists that contain
more items than you can display on a typical browser window. Web-based manager pages
with page controls include:
session list (see Viewing the current sessions list on page 82)
Router Monitor (see Router Monitor on page 359)
intrusion protection predefined signatures list (see Viewing the predefined signature
list on page 525)
web filtering lists (see Web Filter on page 541)
antispam lists (see Email filtering on page 559)
Firewall user monitor list (see Firewall user monitor list on page 668)
IPSec VPN Monitor (see Monitoring VPNs on page 618)
Banned user list (see NAC quarantine and the Banned User list on page 670)
log and report log access lists (see Accessing and viewing log messages on
page 714).
Endpoint NAC list of known endpoints (see Monitoring endpoints on page 693)
Figure 15: Page controls
Using column settings to control the columns displayed
Using column settings, you can format some web-based manager lists so that information
that is important to you is easy to find and less important information is hidden or less
distracting.
On web-based manager pages that contain complex lists, you can change column
settings to control the information columns that are displayed for the list and to control the
order in which they are displayed. Web-based manager pages with column settings
controls include:
Network interface list (see Configuring interfaces on page 145)
Firewall policy and IPv6 policy (see Viewing the firewall policy list on page 366)
Intrusion protection predefined signatures list (see Viewing the predefined signature
list on page 525)
Firewall user monitor list (see Firewall user monitor list on page 668)
First Page Display the first page of items in the list.
Previous Page Display the previous page of items in the list.
Current Page The current page number of list items that are displayed. You can
enter a page number and press Enter to display the items on that
page. For example if there are 5 pages of items and you enter 3, page
3 of the sessions will be displayed.
Total Number of Pages The number of pages of list items that you can view.
Next Page Display the next page of items in the list.
Last Page Display the last page of items in the list.
IPSec VPN Monitor (see Monitoring VPNs on page 618)
Endpoint NAC list of known endpoints (see Monitoring endpoints on page 693)
Log and report log access lists (see Accessing and viewing log messages on
page 714).
To change column settings on a list that supports it, select Column Settings. From
Available fields, select the column headings to be displayed and then select the Right
Arrow to move them to the Show these fields in this order list. Similarly, to hide column
headings, use the Left Arrow to move them back to the Available fields list. Use Move Up
and Move Down to change the order in which to display the columns.
For example, you can change interface list column headings to display only the
IP/Netmask, MAC address, MTU, and interface Type for each interface.
Figure 16: Example of interface list column settings
Figure 17: A FortiGate-5001SX interface list with column settings changed
Note: Any changes that you make to the column settings of a list are stored in the FortiGate
configuration and will display the next time that you access the list.
Using filters with column settings
On firewall policy, IPv6 policy, predefined signature, firewall user monitor, IPSec monitor
and log and report log access lists you can combine filters with column settings to provide
even more control of the information displayed by the list.
For example, you can go to Intrusion Protection > Signature > Predefined and configure
the Intrusion Protection predefined signatures list to show only the names of signatures
that protect against vulnerabilities for a selected application. To do this, set Column
Settings to only display Applications and Name. Then apply a filter to Applications so that
only selected applications are listed. In the pre-defined signatures list you can also sort
the list by different columns; you might want to sort the list by application so that all
signatures for each application are grouped together.
Figure 18: A pre-defined signatures list displaying pre-defined signatures for the Veritas and
Winamp applications
For more information, see Adding filters to web-based manager lists on page 57.
Web-based manager icons
The web-based manager has icons in addition to buttons to help you to interact with your
FortiGate unit. There are tooltips to assist you in understanding the function of most icons.
Pause the mouse pointer over the icon to view the tooltip. Table 4 describes the icons that
are available in the web-based manager.
Table 4: web-based manager icons
Icon Name Description
Add User/Group Add a user or group (Directory Service).
Administrative status down The administrative status of a FortiGate interface is down and the interface will not accept traffic.
Administrative status up The administrative status of a FortiGate interface is up and the interface accepts traffic.
Change Password Change the administrator password. This icon appears in the Administrators list if your admin profile enables you to give write permission to administrators.
Clear Clear all or remove all entries from the current list. For example, on a URL filter list you can use this icon to remove all URLs from the current URL filter list.
Clone Make a new item based on this item.
Comment Hover the mouse pointer over this icon to view the text from the Comment field.
Delete Delete an item. This icon appears in lists where the item can be deleted and you have edit permission for the item.
Description The tooltip for this icon displays the Description or Comments field for this table entry.
Diff Determine the differences between two revisions of the FortiGate unit configuration.
Disconnect from cluster Disconnect a FortiGate unit from a functioning HA cluster.
Download Download information from a FortiGate unit. For example, you can download certificates and debug logs.
Edit Edit a configuration. This icon appears in lists where you have write permission for the item.
Edit User/Group Edit a user or group (Directory Service).
Enter a VDOM Enter a virtual domain and use the web-based manager to configure settings for the virtual domain.
Expand Arrow (closed) Expand this section to reveal more fields. This icon is used in some dialog boxes and lists.
Expand Arrow (open) Close this section to hide some fields. This icon is used in some dialog boxes and lists.
Filter Set a filter on one or more columns in this table. See Adding filters to web-based manager lists on page 57.
First page View the first page of a list.
Forget AP Forget the Rogue or Accepted status of a detected wireless access point and return the AP to Unknown status.
Insert before Add a new item to a list so that it precedes the current item. Used in lists when the order of items in the list is significant, for example firewall policies, IPS Sensors, and DoS Sensors.
Last page View the last page of a list.
Mark as Accepted Move the detected wireless access point to the Accepted Access Points list.
Exempt Temporarily Exempt the selected endpoint from endpoint NAC.
Mark as Rogue Move the detected wireless access point to the Rogue Access Points list.
Restore to Blocked State Resume blocking access for a temporarily exempted endpoint (Endpoint NAC).
Move to Change the position of an item in a list. Used in lists when the order of items in the list is significant, for example firewall policies, IPS Sensors, and DoS Sensors.
Next page View the next page of a list.
Previous page View the previous page of a list.
Refresh Update the information on this page.
Reset Revert to the global version of this replacement message.
Reset Reset to default value (Global resource limits).
Revert Revert to this revision of the unit configuration.
View View a configuration. This icon appears in lists instead of the
Edit icon when you have read-only access to a web-based
manager list.
View details View detailed information about an item. For example, you
can use this icon to view details about certificates.
System Status
This section describes the System Status page, the dashboard of your FortiGate unit. At a
glance you can view the current system status of the FortiGate unit including serial
number, uptime, FortiGuard license information, system resource usage, alert
messages and network statistics.
If you enable virtual domains (VDOMs) on the FortiGate unit, the status page is available
globally and system status settings are configured globally for the entire FortiGate unit.
The Topology viewer is not available when VDOMs are enabled. For details, see Using
virtual domains on page 125.
This section describes:
Viewing the system dashboard
Changing system information
Changing the FortiGate firmware
Viewing operational history
Manually updating FortiGuard definitions
Viewing Log and Archive Statistics
Configuring the RAID array
Configuring AMC modules
Viewing application, policy, and DLP archive usage data
Using the topology viewer
Viewing the system dashboard
View the system dashboard for a snapshot and detailed information about the current
operating status of the FortiGate unit. To view the system dashboard go to System >
Status > Dashboard. FortiGate administrators whose admin profiles permit write access to
system configuration can change or update FortiGate unit information. For more
information on admin profiles, see Admin profiles on page 254.
When the FortiGate unit is part of an HA cluster, the System Status page includes basic
high availability (HA) cluster status, such as the name of the cluster and the host names
of the cluster members. To view more detailed HA status information for the cluster, go to
System > Config > HA. For more information, see HA on page 205.
Note: Your browser must support JavaScript to view the System Status page.
Note: The information on the System Status page applies to the whole HA cluster, not just
the primary unit. This includes information such as URLs visited, emails sent and received,
and viruses caught.
VDOM and global dashboards
VDOM administrators can view and configure the VDOM-specific dashboard for their VDOM. From a VDOM go to System > Dashboard to view the VDOM dashboard. The System Information, Unit Operation, System Resources, Log and Archive Status, CLI Console, Top Sessions, and Traffic History dashboard widgets are available in the VDOM dashboard.
The available widgets differ from their global equivalents as follows:
System Information Cannot enable/disable Virtual Domains. No listing of current administrators.
CLI Console User is logged into the current VDOM and cannot access global configurations.
Unit Operation Unit reboot and shutdown are not available. Cannot configure management service or FortiAnalyzer unit. No information about network ports.
Top Sessions Shows only sessions for this VDOM.
Traffic History Can select only interfaces or VLANs belonging to this VDOM.
Global administrators with the super_admin admin profile can view only the global dashboard.
Viewing the system dashboard
The system dashboard page displays by default when you log in to the web-based manager.
Go to System > Status > Dashboard to view the dashboard.
To view the dashboard, your admin profile must permit read access to system configuration. If you also have system configuration write access, you can modify system information and update FortiGuard - AV and FortiGuard - IPS definitions. For information on admin profiles, see Admin profiles on page 254.
The System Status page is customizable. You can select which widgets to display, where they are located on the page, and whether they are minimized or maximized. Each display has an icon associated with it for easy recognition when minimized.
Select Add Content to add any of the widgets not currently shown on the System Status page. Any widgets currently on the System Status page are greyed out in the Add Content menu, because you can have only one of each display on the System Status page. Optionally select Back to Default to restore the historic System Status page configuration.
Position your mouse over a display's title bar to see the available options for that display. The options vary slightly from display to display.
Figure 19: A minimized display
Widget Title Shows the name of the display.
Open/Close arrow Select to open or close the display.
History Select to show an expanded set of data. Not available for all widgets.
The available dashboard widgets are:
System Information
License Information
Unit Operation
System Resources
Alert Message Console
Log and Archive Statistics
CLI Console
Top Sessions
Top Viruses
Top Attacks
RAID monitor
System Information
Go to System > Status > Dashboard to find System Information.
To add the System Information widget to the dashboard go to System > Status >
Dashboard, select Add Content and select System Information from the list.
Figure 20: System Information
Edit Select to change settings for the display.
Refresh Select to update the displayed information.
Close Select to close the display. You will be prompted to confirm the action.
Serial Number The serial number of the FortiGate unit. The serial number is specific to the
FortiGate unit and does not change with firmware upgrades.
Uptime The time in days, hours, and minutes since the FortiGate unit was started.
System Time The current date and time according to the FortiGate unit's internal clock.
Select Change to change the time or configure the FortiGate unit to get the
time from an NTP server. For more information, see Configuring system time
on page 86.
HA Status The status of high availability for this unit.
Standalone indicates the unit is not operating in HA mode.
Active-Passive or Active-Active indicate the unit is operating in HA mode.
Select Configure to configure the HA status for this unit. For more information,
see HA on page 205.
Host Name The host name of the current FortiGate unit. Select Change to change the host name. For more information, see Changing the FortiGate unit host name on page 87. If the FortiGate unit is in HA mode, this field is not displayed.
Cluster Name The name of the HA cluster for this FortiGate unit. For more information, see HA on page 205. The FortiGate unit must be operating in HA mode to display this field.
Cluster Members The FortiGate units in the HA cluster. Information displayed about each member includes host name, serial number, and whether the unit is a primary (master) or subordinate (slave) unit in the cluster. For more information, see HA on page 205. The FortiGate unit must be operating in HA mode with virtual domains disabled to display this field.
Virtual Cluster 1, Virtual Cluster 2 The role of each FortiGate unit in virtual cluster 1 and virtual cluster 2. For more information, see HA on page 205. The FortiGate unit must be operating in HA mode with virtual domains enabled to display these fields.
Firmware Version The version of the current firmware installed on the FortiGate unit. The format for the firmware version is
Select Update to change the firmware. For more information, see Upgrading to a new firmware version on page 88.
FortiClient Version The current version of FortiClient uploaded to your FortiGate unit for endpoint control. This field appears if you can upload a FortiClient image onto your FortiGate unit. For more information, see Configuring FortiClient installer download and version enforcement on page 688.
Operation Mode The operating mode of the current FortiGate unit. A FortiGate unit can operate in NAT mode or Transparent mode. Select Change to switch between NAT and Transparent mode. For more information, see Changing operation mode on page 238. If virtual domains are enabled, this field shows the operating mode of the current virtual domain. Each virtual domain can be operating in either NAT mode or Transparent mode. If virtual domains are enabled, the Global System Status dashboard does not include this field.
Virtual Domain Status of virtual domains on your FortiGate unit. Select Enable or Disable to change the status of the virtual domains feature. If you enable or disable virtual domains, your session will be terminated and you will need to log in again. For more information, see Using virtual domains on page 125.
Current Administrators The number of administrators currently logged into the FortiGate unit. Select Details to view more information about each administrator that is currently logged in. The additional information includes user name, type of connection, IP address from which they are connecting, and when they logged in.
Current User The name of the admin account that you have used to log into the FortiGate unit. If you are authenticated locally by password, not by PKI or remote authentication, you can select Change Password to change the password for this account. When you change the password you are logged out and must log back in with the new password. For more information, see Changing an administrator account password on page 246.
License Information
License Information displays the status of your technical support contract and FortiGuard subscriptions. The FortiGate unit updates the license information status indicators automatically when attempting to connect to the FortiGuard Distribution Network (FDN). FortiGuard Subscriptions status indicators are green if the FDN was reachable and the license was valid during the last connection attempt, grey if the FortiGate unit cannot connect to the FDN, and orange if the FDN is reachable but the license has expired.
System Status Viewing the system dashboard
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20091022 71
http://docs.fortinet.com/ Feedback
When a new FortiGate unit is powered on, it automatically searches for FortiGuard
services. If the unit is configured for central management, it will look for FortiGuard
services on the configured FortiManager system. The FortiGate unit sends its serial
number to the FortiGuard service provider, which then determines whether the FortiGate
unit is registered and has valid contracts for FortiGuard subscriptions and FortiCare
support services. If the FortiGate unit is registered and has a valid contract, the License
Information is updated.
If the FortiGate unit is not registered, any administrator with the super_admin profile sees
a reminder message that provides access to a registration form.
When a contract is due to expire within 30 days, any administrator with the super_admin
profile sees a notification message that provides access to an Add Contract form. Simply
enter the new contract number and select Add. Fortinet Support also sends contract
expiry reminders.
Optionally, you can disable notification for registration or contract inquiry.
To disable registration notification
    config system global
        set registration-notification disable
    end
To disable contract expiry notification
    config system global
        set service-expire-notification disable
    end
Selecting any of the Configure options will take you to the Maintenance page. For more
information, see System Maintenance on page 289.
Figure 21: License Information (example)
Support Contract Displays details about your current Fortinet Support contract including
expiry dates and registration status.
If Not Registered appears, select Register to register the unit.
If Expired appears, select Renew for information on renewing your
technical support contract. Contact your local reseller.
If Registered appears, the name of the Fortinet Support account that registered this
FortiGate unit is also displayed.
You can select Login Now to log into the Fortinet Support account that
registered this FortiGate unit.
FortiGuard Services
AntiVirus The FortiGuard Antivirus version, license issue date and service status. If
your license has expired, you can select Renew to renew the license.
AV Definitions The currently installed version of the FortiGuard Antivirus definitions. To
update the definitions manually, select Update. For more information, see
Manually updating FortiGuard definitions on page 91.
Extended set The currently installed version of the extended FortiGuard Antivirus
definitions. For more information about the extended antivirus database,
see Selecting the virus database on page 519.
To update the definitions manually, select Update. For more information,
see Manually updating FortiGuard definitions on page 91.
The extended antivirus database is not available on all models.
Intrusion
Protection
The FortiGuard Intrusion Prevention System (IPS) license version, license
issue date and service status. If your license has expired, you can select
Renew to renew the license.
IPS Definitions The currently installed version of the IPS attack definitions. To update the
definitions manually, select Update. For more information, see Manually
updating FortiGuard definitions on page 91.
Web Filtering The FortiGuard Web Filtering license status, expiry date and service status.
If your license has expired, you can select Renew to renew the license.
Email Filtering The FortiGuard Email Filtering or Antispam license status, license expiry
date and service status. If your license has expired, you can select Renew
to renew the license.
Email Filtering
Rule Set
The currently installed version of the FortiGuard Email Filtering rule set. To
update the rule set manually, select Update. For more information, see
Manually updating FortiGuard definitions on page 91.
Analysis &
Management
Service
The FortiGuard Analysis Service and Management Service license, license
expiry date, and reachability status. For more information, see Configuring
FortiGuard Analysis & Management Service Options on page 306.
Services Account
ID
Select Change to enter a different Service Account ID. This ID is used to
validate your license for subscription services such as FortiGuard
Management Service and FortiGuard Analysis Service. For more
information, see Configuring FortiGuard Analysis & Management Service
Options on page 306.
Virtual Domain
VDOMs Allowed The maximum number of virtual domains the unit supports with the current
license.
For high-end FortiGate models, you can select the Purchase More link to
purchase a license key through Fortinet technical support to increase the
maximum number of VDOMs. For more information, see Adding VDOM
Licenses on page 311.
Endpoint Security
FortiClient
Software
Windows Installer
View information about the latest version of the FortiClient application
available from FortiGuard for EndPoint NAC. Select Download to download
the FortiClient application installer to your PC. For more information, see
Configuring FortiClient installer download and version enforcement on
page 688.
Application
Signature
package
The version number of the current endpoint NAC application detection
predefined signature package. For more information, see Configuring
application detection lists on page 689.
Unit Operation
In the Unit Operation widget, an illustration of the FortiGate unit's front panel shows the
status of the unit's Ethernet network interfaces. If a network interface is green, that
interface is connected. Pause the mouse pointer over the interface to view the name, IP
address, netmask and current status of the interface.
If you select Reboot or ShutDown, a pop-up window opens allowing you to enter the
reason for the system event.
You can only have one management and one logging/analyzing method displayed for
your FortiGate unit. The graphic for each will change based on which method you choose.
If none are selected, no graphic is shown.
Figure 22: Unit Operation examples
Caution: Abruptly powering off your FortiGate unit may corrupt its configuration. Using the
reboot and shutdown options here or in the CLI ensures that proper shutdown procedures are
followed to prevent any loss of configuration.
Note: Your reason will be added to the Disk Event Log if disk logging, event logging, and
admin events are enabled. For more information on Event Logging, see Configuring Event
logging on page 711.
INT / EXT / DMZ / HA /
WAN1 / WAN2 / 1 / 2 /
3 / 4
The network interfaces on the FortiGate unit. The names and number of
these interfaces vary by model.
The icon below the interface name indicates its up/down status by color.
Green indicates the interface is connected. Grey indicates there is no
connection.
For more information about the configuration and status of an interface,
pause the mouse over the icon for that interface. A tooltip displays the full
name of the interface, its alias if one is configured, the IP address and
netmask, the status of the link, the speed of the interface, and the number
of sent and received packets.
AMC-SW1/1, ...
AMC-DW1/1, ...
If your FortiGate unit supports Advanced Mezzanine Card (AMC) modules
and if you have installed an AMC module containing network interfaces (for
example, the ASM-FB4 contains 4 interfaces) these interfaces are added to
the interface status display. The interfaces are named for the module, and
the interface. For example AMC-SW1/3 is the third network interface on the
SW1 module, and AMC-DW2/1 is the first network interface on the DW2
module.
AMC modules support hard disks as well, such as the ASM-S08 module.
When a hard disk is installed, ASM-S08 is visible as well as a horizontal bar
and percentage indicating how full the hard disk is.
You can also add the ASM-CX4 and ASM-FX2 modules to bridge FortiGate
interfaces when the FortiGate unit is operating in transparent mode.
For more information about AMC modules, see Configuring AMC modules
on page 98.
FortiAnalyzer The icon on the link between the FortiGate unit graphic and the
FortiAnalyzer graphic indicates the status of their OFTP connection. An X
on a red icon indicates there is no connection. A check mark on a green
icon indicates there is OFTP communication.
Select the FortiAnalyzer graphic to configure remote logging to the
FortiAnalyzer unit on your FortiGate unit. For more information, see
Remote logging to a FortiAnalyzer unit on page 704.
FortiGuard Analysis
Service
The icon on the link between the FortiGate unit graphic and the FortiGuard
Analysis Service graphic indicates the status of their OFTP connection. An
X on a red icon indicates there is no connection. A check mark on a green
icon indicates there is OFTP communication.
Select the FortiGuard Analysis Service graphic to configure remote logging
to the FortiGuard Analysis Service. For more information, see the
FortiGuard Analysis and Management Service Administration Guide.
FortiManager The icon on the link between the FortiGate unit graphic and the
FortiManager graphic indicates the status of the connection. An X on a red
icon indicates there is no connection. A check mark on a green icon
indicates there is communication between the two units.
Select the FortiManager graphic to configure central management on your
FortiGate unit. For more information, see Central Management on
page 260.
FortiGuard
Management Service
The icon on the link between the FortiGate unit graphic and the FortiGuard
Management Service graphic indicates the status of the connection. An X
on a red icon indicates there is no connection. A check mark on a green
icon indicates there is communication.
Select the FortiGuard Management Service graphic to configure central
management on your FortiGate unit. For more information, see Central
Management on page 260.
Reboot Select to shut down and restart the FortiGate unit. You will be prompted to
enter a reason for the reboot that will be entered into the logs.
Shutdown Select to shut down the FortiGate unit. You will be prompted for
confirmation, and also prompted to enter a reason for the shutdown that will
be entered into the logs.
System Resources
The System Resources widget displays basic FortiGate unit resource usage, such as
CPU and memory (RAM) usage. Any System Resources that are not displayed on the
status page can be viewed as a graph by selecting the History icon.
To see the most recent CPU and memory usage, select the Refresh icon.
Figure 23: System Resources
History A graphical representation of the last minute of CPU, memory, sessions, and
network usage. This page also shows the virus and intrusion detections over
the last 20 hours. For more information, see Viewing operational history on
page 90.
CPU Usage The current CPU status displayed as a dial gauge and as a percentage.
The web-based manager displays CPU usage for core processes only. CPU
usage for management processes (for example, for HTTPS connections to
the web-based manager) is excluded.
The displayed CPU usage is equivalent to using the CLI command get
system performance status and adding the user, system, and nice
percentages. Both the web-based CPU Usage and the CLI command access
the same CPU information.
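The relationship between the CLI output and the dashboard gauge, as an added example that is not part of the guide: a small Python parser that reads the CPU states line of get system performance status and computes the same figure the dashboard shows (user + system + nice, idle excluded). The sample output is constructed, and its exact line layout is an assumption made for this example; the sanity check that the four states add up to about 100% and the threshold helper are likewise additions, not FortiGate features.

```python
import re
from typing import Dict, List

# Constructed sample of the opening lines of `get system performance status`.
# The exact line layout is an assumption for this example, not taken from the guide.
SAMPLE_STATUS = """\
CPU states: 12% user 7% system 1% nice 80% idle
Memory states: 38% used
Average network usage: 230 kbps in 1 minute, 180 kbps in 10 minutes, 150 kbps in 30 minutes
Average sessions: 1240 sessions in 1 minute, 1100 sessions in 10 minutes, 950 sessions in 30 minutes
Uptime: 12 days, 3 hours, 41 minutes
"""

CPU_RE = re.compile(
    r"CPU states:\s*(?P<user>\d+)% user\s+(?P<system>\d+)% system"
    r"\s+(?P<nice>\d+)% nice\s+(?P<idle>\d+)% idle"
)
MEM_RE = re.compile(r"Memory states:\s*(?P<used>\d+)% used")


def parse_cpu_states(status_output: str) -> Dict[str, int]:
    """Return the user/system/nice/idle percentages from the CPU states line."""
    for line in status_output.splitlines():
        m = CPU_RE.search(line)
        if m:
            states = {name: int(value) for name, value in m.groupdict().items()}
            # Sanity check (assumption): the four states account for all CPU time,
            # allowing one percent of slack for rounding in the CLI output.
            if abs(sum(states.values()) - 100) > 1:
                raise ValueError(f"CPU states do not add up to 100%: {states}")
            return states
    raise ValueError("no 'CPU states' line found in output")


def dashboard_cpu_usage(status_output: str) -> int:
    """The figure the dashboard CPU Usage gauge shows: user + system + nice."""
    states = parse_cpu_states(status_output)
    return states["user"] + states["system"] + states["nice"]


def memory_used_percent(status_output: str) -> int:
    """The memory percentage from the 'Memory states' line."""
    m = MEM_RE.search(status_output)
    if not m:
        raise ValueError("no 'Memory states' line found in output")
    return int(m.group("used"))


def usage_alerts(status_output: str, cpu_threshold: int = 80, mem_threshold: int = 80) -> List[str]:
    """Resources at or above their thresholds, for a simple polling check (added helper)."""
    alerts = []
    cpu = dashboard_cpu_usage(status_output)
    mem = memory_used_percent(status_output)
    if cpu >= cpu_threshold:
        alerts.append(f"cpu {cpu}%")
    if mem >= mem_threshold:
        alerts.append(f"memory {mem}%")
    return alerts


if __name__ == "__main__":
    print("CPU states:", parse_cpu_states(SAMPLE_STATUS))
    print("dashboard CPU usage:", dashboard_cpu_usage(SAMPLE_STATUS), "%")
    print("memory used:", memory_used_percent(SAMPLE_STATUS), "%")
    print("alerts:", usage_alerts(SAMPLE_STATUS, cpu_threshold=20))
```

Because the dashboard and the CLI read the same counters, a script that polls the CLI over SSH and applies dashboard_cpu_usage gives numbers directly comparable to the gauge; the idle percentage is deliberately left out of the sum, exactly as the widget does.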
Memory Usage The current memory (RAM) status displayed as a dial gauge and as a
percentage.
The web-based manager displays memory usage for core processes only.
Memory usage for management processes (for example, for HTTPS
connections to the web-based manager) is excluded.
FortiAnalyzer Usage The current status of the FortiAnalyzer disk space used by this FortiGate
unit's quota, displayed as a pie chart and a percentage.
You can use the System Resources edit menu to select not to display this
information.
This is available only if you have configured logging to a FortiAnalyzer unit.
Disk Usage The current status of the FortiGate unit disk space used, displayed as a pie
chart and a percentage.
This is available only if you have a hard disk on your FortiGate unit.
Alert Message Console
Alert messages help you track system events on your FortiGate unit such as firmware
changes, network security events, or virus detection events.
Each message shows the date and time that the event occurred.
Figure 24: Alert Message Console
The following types of messages can appear in the Alert Message Console:
System restart The system restarted. The restart could be due to operator
action or power off/on cycling.
System shutdown An administrator shut down the FortiGate unit from the
web-based manager or CLI.
Firmware upgraded by
<admin_name>
The named administrator upgraded the firmware to a more
recent version on either the active or non-active partition.
Firmware downgraded by
<admin_name>
The named administrator downgraded the firmware to an older
version on either the active or non-active partition.
FortiGate has reached connection
limit for <n> seconds
The antivirus engine was low on memory for the duration of
time shown and entered conserve mode. Depending on model
and configuration, content can be blocked or can pass
unscanned under these conditions.
Found a new FortiAnalyzer
Lost the connection to FortiAnalyzer
Shows that the FortiGate unit has either found or lost the
connection to a FortiAnalyzer unit. For more information, see
Remote logging to a FortiAnalyzer unit on page 704.
New firmware is available from
FortiGuard
An updated firmware image is available to be downloaded to
this FortiGate unit.
History View all alert messages.
Edit Configure Alert Message Console settings.
Refresh Update displayed information.
Close Close the module.
Acknowledge
this message
Select to remove this message.
The Acknowledge icon is also available for each alert message in the History
window.
To configure the Alert Message Console
You can configure the alert message console settings to control what types of messages
are displayed on the console.
1 Go to System > Status > Dashboard.
2 Select the Edit icon in the Alert Message Console title bar.
3 Select the types of alerts that the Alert Message Console should display.
By default, all alert types are enabled.
Figure 25: Configuring the Alert Message Console
4 Select OK.
Log and Archive Statistics
The Log and Archive Statistics widget gives you an at-a-glance view of what is happening on
your FortiGate unit with regard to DLP archiving, network traffic, and security problems,
including attack attempts, viruses caught, and spam emails caught.
You can quickly see the amount and type of traffic as well as any attack attempts on your
system. To investigate an area that draws your attention, select Details for a detailed list of
the most recent activity.
The information displayed in the Log and Archive Statistics widget is derived from log
messages. You can use the information gathered by log messages to see trends in
network activity or attacks over time. Various configuration settings are required to
actually collect data for the Log and Archive Statistics widget as described below.
For detailed procedures involving the Statistics list, see Viewing Log and Archive
Statistics on page 91.
Figure 26: Log and Archive Statistics
Figure 27: Statistics
Since The date and time when the counts were last reset.
Counts are reset when the FortiGate unit reboots, or when you select Reset.
Reset Reset the Log and Archive Statistic counts to zero.
DLP
Archive
A summary of the HTTP, HTTPS, email, FTP, IM, and VoIP (also called session
control) traffic that has passed through the FortiGate unit and has been archived by DLP.
The Details pages list the last 64 items of the selected type and provide links to the
FortiAnalyzer unit where the archived traffic is stored. If logging to a FortiAnalyzer unit
is not configured, the Details pages provide a link to Log & Report > Log Config >
Log Settings.
You configure the FortiGate unit to collect DLP archive data for the widget by
configuring protection profiles to display content meta-information on the system
dashboard. To configure a protection profile, see To configure a protection profile
(DLP archive) on page 79.
You must also add the protection profile to a firewall policy. When the firewall policy
receives sessions for the selected protocols, meta-data is added to the statistics
widget.
The Email statistics are based on email protocols. POP3 and IMAP traffic is registered
as email received, and SMTP is email sent. If your FortiGate unit supports SSL content
scanning and inspection, incoming email also includes POP3S and IMAPS and
outgoing email also includes SMTPS. If incoming or outgoing email does not use these
protocols, these statistics will not be accurate.
The IM statistics are based on the AIM, ICQ, MSN, and Yahoo! protocols and
configured by selecting Archive in DLP Sensors for IM DLP rules.
The VoIP statistics are based on the SIP, SIMPLE and SCCP session control protocols
and configured by selecting Archive in DLP Sensors for Session Control DLP rules.
Log A summary of traffic, viruses, attacks, spam email messages, and blocked URLs that
the FortiGate unit has logged. Also displays the number of sessions matched by DLP
and event log messages. The Details pages list the 20 most recent items, providing the
time, source, destination and other information.
DLP data loss detected actually displays the number of sessions that have matched
DLP sensors added to protection profiles. DLP collects meta-data about all sessions
matched by DLP sensors and records this meta-data in the DLP log. Every time a DLP
log message is recorded, the DLP data loss detected number increases. If you are
using DLP for summary or full archiving the DLP data loss detected number can get
very large. This number may not indicate that data has been lost or leaked.
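How the widget's Log counts are derived from log messages, as an added example that is not part of the guide: a Python counter that classifies FortiOS-style key=value log lines by their type field (webfilter lines count as blocked URLs only when their status is blocked) and keeps the 20 most recent items per category for a Details view. The sample log lines are constructed, and their field names and values are an assumption made for this example rather than the unit's real log format. The two DLP lines show the caveat above: each DLP log message, archive-only ones included, increments the DLP data loss detected count, so that number reflects sensor matches rather than confirmed leaks.

```python
import re
from collections import Counter, deque
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample log messages in a FortiOS-style key=value layout.
# Field names and values are assumptions for this example, not taken from the guide.
SAMPLE_LOGS = [
    'date=2009-10-22 time=10:15:01 type=traffic subtype=allowed pri=notice vd="root" src=10.1.1.10 dst=203.0.113.5 dst_port=443 policyid=1',
    'date=2009-10-22 time=10:15:02 type=traffic subtype=allowed pri=notice vd="root" src=10.1.1.20 dst=198.51.100.2 dst_port=53 policyid=2',
    'date=2009-10-22 time=10:15:05 type=virus subtype=infected pri=warning vd="root" src=203.0.113.9 dst=10.1.1.10 file="invoice.exe" virus="Constructed.Test.Virus"',
    'date=2009-10-22 time=10:15:07 type=ips subtype=signature pri=alert vd="root" src=192.0.2.7 dst=10.1.1.30 attack_name="constructed.signature.name" action=dropped',
    'date=2009-10-22 time=10:15:09 type=webfilter subtype=urlfilter pri=notice vd="root" src=10.1.1.10 hostname="blocked.example.invalid" status=blocked',
    'date=2009-10-22 time=10:15:10 type=webfilter subtype=urlfilter pri=notice vd="root" src=10.1.1.10 hostname="allowed.example.invalid" status=passthrough',
    'date=2009-10-22 time=10:15:12 type=spam subtype=smtp pri=notice vd="root" src=198.51.100.7 from="sender@example.invalid" action=blocked',
    'date=2009-10-22 time=10:15:15 type=dlp subtype=dlp pri=notice vd="root" src=10.1.1.30 dst=203.0.113.5 action=archive',
    'date=2009-10-22 time=10:15:16 type=dlp subtype=dlp pri=notice vd="root" src=10.1.1.30 dst=203.0.113.5 action=archive',
    'date=2009-10-22 time=10:15:20 type=event subtype=admin pri=information vd="root" user="admin" action=login status=success',
]

# key=value pairs; values may be quoted strings containing spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Widget categories: traffic, viruses, attacks, spam, blocked URLs, DLP matches, events.
CATEGORIES = ("traffic", "viruses", "attacks", "spam", "blocked_urls", "dlp", "events")
CATEGORY_BY_TYPE = {"traffic": "traffic", "virus": "viruses", "ips": "attacks",
                    "spam": "spam", "dlp": "dlp", "event": "events"}


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one log message into a field dictionary, stripping quotes from values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def classify(fields: Dict[str, str]) -> Optional[str]:
    """Map a parsed message to a widget category, or None if it is not counted."""
    log_type = fields.get("type")
    if log_type == "webfilter":
        # Only blocked URLs are counted; allowed (passthrough) URLs are not.
        return "blocked_urls" if fields.get("status") == "blocked" else None
    return CATEGORY_BY_TYPE.get(log_type)


class LogStatistics:
    """Counters and recent-item lists in the style of the Log and Archive Statistics widget."""

    RECENT = 20  # the Details pages list the 20 most recent items

    def __init__(self, since: Optional[datetime] = None) -> None:
        self.reset(since)

    def reset(self, since: Optional[datetime] = None) -> None:
        """Zero the counts, as Reset or a reboot does, and record the Since time."""
        self.since = since if since is not None else datetime.now()
        self.counts: Counter = Counter({category: 0 for category in CATEGORIES})
        self.recent: Dict[str, deque] = {category: deque(maxlen=self.RECENT) for category in CATEGORIES}

    def ingest(self, line: str) -> Optional[str]:
        """Count one log message; return its category or None if it was ignored."""
        fields = parse_log_line(line)
        category = classify(fields)
        if category is None:
            return None
        self.counts[category] += 1
        self.recent[category].append(fields)
        return category

    def ingest_all(self, lines: List[str]) -> int:
        """Count many messages; return how many were counted."""
        return sum(1 for line in lines if self.ingest(line) is not None)

    def details(self, category: str) -> List[Dict[str, str]]:
        """The most recent items of one category, oldest first."""
        return list(self.recent[category])


if __name__ == "__main__":
    stats = LogStatistics(since=datetime(2009, 10, 22, 10, 0, 0))
    stats.ingest_all(SAMPLE_LOGS)
    print("Since:", stats.since)
    for category in CATEGORIES:
        print(f"{category}: {stats.counts[category]}")
```

The counts come out of the same message stream the widget reads, so disabling a log category on the unit (or never attaching a protection profile with DLP sensors to a policy) leaves the corresponding counter at zero; that is the "various configuration settings are required" point made above.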
To configure a protection profile (DLP archive)
1 Go to Firewall > Protection Profile.
2 Create or edit a protection profile.
3 Configure Data Leak Prevention Sensor > Display content meta-information on the
system dashboard.
4 Select the protocols to collect statistics for.
By default meta-data is collected and displayed on the statistics widget for all protocols.
For more information, see Data Leak Prevention Sensor options on page 488.
CLI Console
The System Status page can include a CLI console. To use the console, select it to
automatically log in to the admin account you are currently using in the web-based
manager. You can copy (CTRL-C) and paste (CTRL-V) text from or to the CLI Console.
Figure 28: CLI Console
The two controls located on the CLI Console widget title bar are Customize, and Detach.
Detach moves the CLI Console widget into a pop-up window that you can resize and
reposition. The two controls on the detached CLI Console are Customize and Attach.
Attach moves the CLI console widget back onto the System Status page.
Customize allows you to change the appearance of the console by defining fonts and
colors for the text and background.
Figure 29: Customize CLI Console window
Preview A preview of your changes to the CLI Console's appearance.
Text Select the current color swatch next to this label, then select a color from
the color palette to the right to change the color of the text in the CLI
Console.
Background Select the current color swatch next to this label, then select a color from
the color palette to the right to change the color of the background in the
CLI Console.
Use external
command input box
Select to display a command input field below the normal console
emulation area. When this option is enabled, you can enter commands by
typing them into either the console emulation area or the external command
input field.
Console buffer length Enter the number of lines the console buffer keeps in memory. Valid
numbers range from 20 to 9999.
Font Select a font from the list to change the display font of the CLI Console.
Size Select the size of the font. The default size is 10 points.
Top Sessions
Top Sessions displays either a bar graph or a table showing the IP addresses that have
the most sessions currently open on the FortiGate unit. The sessions are sorted by their
source or destination IP address, or the port address. The sort criteria being used is
displayed in the top right corner.
The Top Sessions widget polls the FortiGate unit for session information, which slightly
affects FortiGate unit performance. For this reason, when this widget is not shown on
the dashboard it does not collect data and has no performance impact. When the
widget is shown, the information is stored only in memory.
Figure 30: Top sessions bar graph showing destination IP addresses
Note: Rebooting the FortiGate unit will reset the Top Session statistics to zero.
Select Details to view the current sessions list, a list of all sessions currently processed by
the FortiGate unit. For more information, see Viewing the current sessions list on
page 82.
To view detailed information about the sessions represented by a bar in the chart, click on
the bar.
To change the information displayed on the Top Sessions widget
1 Select the Edit icon of the Top Sessions widget.
2 Change the Top Sessions settings as required:
Figure 31: Edit menu for Top Sessions
Sort Criteria Select the method used to sort the Top Sessions on the System Status
display. Choose one of:
Source Address
Destination Address
Port Address
Display User Name Select to include the user name associated with this source IP address, if
available. In the table display format this will be a separate column.
Display User Name is available only when the sort criteria is Source
Address.
Resolve Host Name Select to resolve the IP address to the host name.
Resolve Host Name is not available when the sort criteria is Destination
Port.
Resolve Service Select to resolve port addresses into their commonly associated service
names. Any port address without a service will continue to be displayed as
the port address. For example, port 443 would resolve to HTTPS.
Resolve Service is only available when the sort criteria is Destination Port.
Display Format Select how the Top Session information is displayed. Choose one of:
Chart
Table
Top Sessions to
Show
Select the number of sessions to display. Choose to display 5, 10, 15, or 20
sessions.
Refresh Interval Select how often the display is updated. The refresh interval range is from
10 to 240 seconds. Selecting 0 will disable the automatic refresh of the
display. You will still be able to select the manual refresh option on the Top
Sessions title bar.
Shorter refresh intervals may impact the performance of your FortiGate
unit. If this occurs, try increasing the refresh interval or disabling the
automatic refresh.
Viewing the current sessions list
The current sessions list displays all sessions currently processed by the FortiGate unit.
For each session the current session list displays:
the session protocol such as tcp or udp
source address and port
destination address and port
the ID of the policy, if any, that applies to the session
how long until the session expires
which virtual domain the session belongs to
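The aggregation behind the Top Sessions widget and the current sessions list it opens onto, as an added example that is not part of the guide: Python code over a constructed session table that counts sessions by source address, destination address, or destination port, keeps the top 5/10/15/20, optionally resolves ports to service names (only for the Destination Port sort, as the widget does), filters by virtual domain, and returns the sessions behind a single bar for the click-through detail view. The Session fields follow the columns described for the sessions list; the sample rows, the port-to-service table, and the helper names are assumptions made for this example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple, Union


@dataclass(frozen=True)
class Session:
    """One row of the current sessions list, named after the list's columns."""
    protocol: str
    src: str
    sport: int
    dst: str
    dport: int
    policy_id: Optional[int]  # None when only one interface is involved (admin session)
    expiry: int               # seconds until the session expires
    vdom: str


# Constructed sample session table (documentation address ranges, not real hosts).
SESSIONS: List[Session] = [
    Session("tcp", "10.1.1.10", 51022, "203.0.113.5", 443, 1, 3590, "root"),
    Session("tcp", "10.1.1.10", 51023, "203.0.113.5", 443, 1, 3585, "root"),
    Session("tcp", "10.1.1.10", 51024, "203.0.113.9", 80, 1, 120, "root"),
    Session("udp", "10.1.1.20", 4500, "198.51.100.2", 53, 2, 10, "root"),
    Session("tcp", "10.1.1.30", 40001, "203.0.113.5", 443, 1, 2000, "root"),
    Session("tcp", "10.1.1.30", 40002, "192.0.2.7", 22, 3, 600, "dmz"),
    Session("tcp", "10.1.1.99", 52000, "10.1.1.1", 443, None, 300, "root"),  # admin session
    Session("udp", "10.1.1.20", 4501, "198.51.100.2", 53, 2, 8, "root"),
]

# Constructed port-to-service table standing in for the widget's Resolve Service lookup.
SERVICE_NAMES: Dict[int, str] = {22: "SSH", 25: "SMTP", 53: "DNS", 80: "HTTP", 443: "HTTPS"}

SORT_KEYS: Dict[str, Callable[[Session], Union[str, int]]] = {
    "source": lambda s: s.src,
    "destination": lambda s: s.dst,
    "port": lambda s: s.dport,
}
ALLOWED_TOP = (5, 10, 15, 20)  # the widget offers exactly these sizes


def resolve_service(port: int) -> str:
    """Ports without a known service keep being displayed as the port number."""
    return SERVICE_NAMES.get(port, str(port))


def select_vdom(sessions: List[Session], vdom: str = "All") -> List[Session]:
    """The Virtual Domain selector: 'All' shows sessions of every virtual domain."""
    return [s for s in sessions if vdom == "All" or s.vdom == vdom]


def top_sessions(sessions: List[Session], sort_by: str = "source", top: int = 5,
                 vdom: str = "All", resolve_service_names: bool = False) -> List[Tuple[str, int]]:
    """Bars of the Top Sessions chart: (key, session count), most sessions first."""
    if sort_by not in SORT_KEYS:
        raise ValueError(f"sort_by must be one of {tuple(SORT_KEYS)}")
    if top not in ALLOWED_TOP:
        raise ValueError(f"top must be one of {ALLOWED_TOP}")
    if resolve_service_names and sort_by != "port":
        raise ValueError("Resolve Service applies only to the Destination Port sort")
    counts = Counter(SORT_KEYS[sort_by](s) for s in select_vdom(sessions, vdom))
    rows = counts.most_common(top)  # ties keep first-seen order
    if resolve_service_names:
        rows = [(resolve_service(port), n) for port, n in rows]
    return [(str(key), n) for key, n in rows]


def sessions_behind_bar(sessions: List[Session], sort_by: str, key: Union[str, int],
                        vdom: str = "All") -> List[Session]:
    """Detail view for one bar: every session whose sort key matches."""
    return [s for s in select_vdom(sessions, vdom) if SORT_KEYS[sort_by](s) == key]


def policy_column(session: Session) -> str:
    """Policy ID column: blank for sessions that involve only one interface."""
    return "" if session.policy_id is None else str(session.policy_id)


if __name__ == "__main__":
    for key, count in top_sessions(SESSIONS, "port", resolve_service_names=True):
        print(f"{key:>8} {count}")
    for s in sessions_behind_bar(SESSIONS, "destination", "203.0.113.5"):
        print(s.protocol, f"{s.src}:{s.sport}", "->", f"{s.dst}:{s.dport}",
              "policy", policy_column(s) or "-", "expiry", s.expiry)
```

Counting by destination port with service resolution is the quickest way to see which services dominate the session table; the admin session in the sample shows up under HTTPS with a blank policy column, matching the Policy ID description given for sessions that involve only one FortiGate interface.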
To view the current sessions list
1 Go to System > Status > Dashboard.
2 In the Top Sessions widget, select Details at the bottom of the widget.
3 The current sessions list appears.
Optionally select Detach to detach and expand the browser window to see the entire
list.
4 Select Return to return to the Top Sessions bar chart display.
Figure 32: Current sessions list
Virtual Domain Select a virtual domain to list the sessions being processed by that virtual
domain. Select All to view sessions being processed by all virtual domains.
This is only available if virtual domains are enabled. For more information see
Using virtual domains on page 125.
Refresh Icon Update the session list.
First Page Select to go to the first displayed page of current sessions.
Previous Page Select to go to the page of sessions immediately before the current page.
Page Enter the page number of the session to start the displayed session list. For
example, if there are 5 pages of sessions and you enter 3, page 3 of the
sessions will be displayed.
The number following the / is the number of pages of sessions.
Next Page Select to go to the next page of sessions.
Last Page Select to go to the last displayed page of current sessions.
Total The total number of sessions.
Clear All Filters Select to reset any display filters that may have been set.
Return Return to the Top Sessions display.
Filter Icon The icon at the top of all columns except # and Expiry. When selected it brings
up the Edit Filter dialog allowing you to set the display filters by column. See
Adding filters to web-based manager lists on page 57.
Protocol The service protocol of the connection, for example, udp, tcp, or icmp.
Source Address The source IP address of the connection.
Source Port The source port of the connection.
Destination
Address
The destination IP address of the connection.
Destination Port The destination port of the connection.
Policy ID The number of the firewall policy allowing this session, or blank if the session
involves only one FortiGate interface (an admin session, for example).
Expiry (sec) The time, in seconds, before the connection expires.
Duration The age of each session in seconds. The age is the amount of time the session
has been active.
Delete icon Stop an active communication session. Your admin profile must include read
and write access to System Configuration.
Top Viruses
Top Viruses displays a bar graph representing the virus threats that have been detected
most frequently by the FortiGate unit.
The Top Viruses display is not part of the default dashboard display. It can be displayed by
selecting Add Content > Top Viruses from the drop down menu.
Selecting the history icon opens a window that displays up to the 20 most recent viruses
that have been detected with information including the virus name, when it was last
detected, and how many times it was detected. The system stores up to 1024 entries, but
only displays up to 20 in the web-based manager.
Selecting the edit icon for Top Viruses allows changes to the:
refresh interval
top viruses to show
Top Attacks
Top Attacks displays a bar graph representing the most numerous attacks detected by the
FortiGate unit.
The Top Attacks display is not part of the default dashboard display. It can be displayed by
selecting Add Content > Top Attacks from the drop down menu.
Selecting the history icon opens a window that displays up to the 20 most recent attacks
that have been detected with information including the attack name, when it was last
detected, and how many times it was detected. The FortiGate unit stores up to 1024
entries, but only displays up to 20 in the web-based manager.
Selecting the Edit icon for Top Attacks allows changes to the:
refresh interval
top attacks to show
Traffic History
The traffic history display shows the traffic on one selected interface over the last hour,
day, and month. This feature can help you locate peaks in traffic that you need to address
as well as their frequency, duration, and other information.
Only one interface at a time can be monitored. You can change the interface being
monitored by selecting Edit, choosing the interface from the drop down menu, and
selecting Apply. Doing this will clear all the traffic history data.
Figure 33: Traffic History
Interface The interface that is being monitored.
kbit/s The units of the traffic graph. The scale varies based on traffic levels to
allow it to show traffic levels no matter how little or how much traffic there is.
Last 60 Minutes
Last 24 Hours
Last 30 Days
Three graphs showing the traffic monitored on this interface of the FortiGate
unit over different periods of time.
Certain trends may be easier to spot in one graph than in the others.
Traffic In The traffic entering the FortiGate unit on this interface is indicated with a
thin red line.
Traffic Out The traffic leaving the FortiGate unit on this interface is indicated with a dark
green line, filled in with light green.
RAID monitor
The RAID monitor display shows the current state of the RAID array and each RAID disk.
For information on configuring the RAID array, see Configuring the RAID array on page 94.
The RAID monitor display is not part of the default dashboard display. It can be displayed
by selecting Add Content > RAID Monitor from the drop down menu.
The RAID monitor will not be displayed unless your FortiGate unit has more than one disk
installed.
Figure 34: RAID monitor
Configure: Select to configure the RAID array, or rebuild a degraded array. For more information, see Configuring the RAID array on page 94.
Array Status
Array status icon: Shows the status of the RAID array. Green with a check mark shows a healthy RAID array. A yellow triangle shows the array is in a degraded state but still functioning; a degraded array is slower than a healthy array, so rebuild the array to fix the degraded state. A wrench shows the array is being rebuilt. Positioning the mouse over the array status icon displays a text message describing the status of the array.
Disk status icon: There is one icon for each disk in the array. Green with a check mark shows a healthy disk. Red with an X shows the disk has failed and needs attention. Positioning the mouse over the disk status icon displays the status of the disk and its storage capacity.
RAID Level: The RAID level of this RAID array. The RAID level is set as part of configuring the RAID array. For more information, see RAID Level on page 96.
Synchronizing status: Displays the percent complete of the RAID array synchronization. Synchronizing may take several hours. While synchronizing, the RAID array status indicates that synchronization is happening in the background. The synchronizing progress bar is visible only while the RAID array is synchronizing. You may need to select the refresh icon in the widget title bar to update this progress bar.
Rebuild status: Displays the percent complete of the RAID array rebuild. Rebuilding the array may take several hours. While rebuilding, the array is in a degraded and vulnerable state: any disk failure during a rebuild will result in data loss. A warning is displayed indicating the RAID array is running in reduced reliability mode until the rebuild is completed. You may need to select the refresh icon in the widget title bar to update this progress bar.
Disk Space Usage
Status bar: The bar shows the percentage of the RAID array that is currently in use.
Used/Free/Total: These three numbers show the amount of RAID array storage that is being used, the amount of storage that is free, and the total storage in the RAID array. The values are in GB. Used added to Free should equal Total.
Changing system information
FortiGate administrators whose admin profiles permit write access to system configuration can change the system time, host name, and the operation mode for the VDOM. For more information on changing the operation mode, see Changing operation mode on page 238.
Configuring system time
1 Go to System > Status > Dashboard.
2 In the System Information section, select Change on the System Time line.
3 Select the time zone and then either set the date and time manually or configure synchronization with an NTP server.
Figure 35: Time Settings
System Time: The current FortiGate system date and time.
Refresh: Update the display of the current FortiGate system date and time.
Time Zone: Select the current FortiGate system time zone.
Automatically adjust clock for daylight saving changes: Select to automatically adjust the FortiGate system clock when your time zone changes between daylight saving time and standard time.
Set Time: Select to set the FortiGate system date and time to the values you set in the Hour, Minute, Second, Year, Month and Day fields.
Synchronize with NTP Server: Select to use a Network Time Protocol (NTP) server to automatically set the system date and time. You must specify the server and synchronization interval. FortiGate units use NTP Version 4. No RFC is currently available for NTP version 4. The RFC for NTP Version 3 is RFC 1305. For more information about NTP, see http://www.ntp.org.
Server: Enter the IP address or domain name of an NTP server. To find an NTP server that you can use, see http://www.ntp.org.
Sync Interval: Specify how often the FortiGate unit should synchronize its time with the NTP server. For example, a setting of 1440 minutes causes the FortiGate unit to synchronize its time once a day.
Changing the FortiGate unit host name
The FortiGate host name appears on the Status page and in the FortiGate CLI prompt. The host name is also used as the SNMP system name. For information about SNMP, see SNMP on page 213.
The default host name is the FortiGate unit serial number. For example, the serial number FGT8002805030003 is a FortiGate-800 unit.
Administrators whose admin profiles permit system configuration write access can change the FortiGate unit host name.
Note: If the FortiGate unit is part of an HA cluster, you should use a unique host name to distinguish the unit from others in the cluster.
To change the FortiGate unit host name
If the host name is longer than 16 characters, it is displayed truncated, ending with a ~. The full host name is displayed under System > Status > Dashboard, but the truncated host name is displayed on the CLI and in other places it is used.
1 Go to System > Status > Dashboard.
2 In the Host Name field of the System Information section, select Change.
3 In the New Name field, type a new host name.
4 Select OK.
The new host name is displayed in the Host Name field and the CLI prompt. It is also added to the SNMP System Name.
Changing the FortiGate firmware
FortiGate administrators whose admin profiles permit maintenance read and write access can change the FortiGate firmware. Firmware images can be transferred from a number of sources including a local hard disk, a local USB disk, or the FortiGuard Network.
Note: To access firmware updates for your FortiGate model, you will need to register your FortiGate unit with Customer Support. For more information go to http://support.fortinet.com or contact Customer Support.
Caution: By installing an older firmware image, some system settings may be lost. You should always back up your configuration before changing the firmware image.
For more information about using the USB disk and the FortiGuard Network, see System Maintenance on page 289.
Figure 36: Firmware Upgrade/Downgrade
Upgrade From: Select the firmware source from the drop-down list of available sources. Possible sources include Local Hard Disk, USB, and FortiGuard Network. This field does not appear on all models.
Upgrade File: Browse to the location of the firmware image on your local hard disk. This field is available for local hard disk and USB only.
Allow Firmware Downgrade: Select to confirm the installation of an older firmware image (downgrade). This field is only displayed when attempting to downgrade firmware.
More Info: Go to the FortiGuard Center to learn more about firmware updates through the FortiGuard network.
Firmware changes either upgrade to a newer version or revert to an earlier version. Follow the appropriate procedure to change your firmware.
For more information about managing firmware, see Managing firmware versions on page 113.
Upgrading to a new firmware version
When an update for your FortiGate unit is available, you can update your unit with the new firmware version.
To determine what firmware version you have, refer to Firmware Version on System > Status > Dashboard > System Information.
The firmware version is in the format W, X, Y (Z). W is the major version number. X is the build number. Y is the release date in the form YYMMDD. Z is the minor release number and the patch number, if applicable.
For example, the FortiOS firmware image v4.0,build0178,101220 (MR1 Patch1) is FortiOS major version 4.0, minor version 1, patch 1 (v4.0 MR1 Patch 1), build number 178, released on December 20, 2010.
Use the following procedure to upgrade the FortiGate unit to a newer firmware version.
To upgrade the firmware using the web-based manager
1 Copy the new firmware image file to your management computer.
The firmware images for FortiGate units are available at the Fortinet Support web site.
2 Log into the web-based manager as the super admin, or an administrator account that has system configuration read and write privileges.
3 Go to System > Status > Dashboard.
4 In the System Information section, select Update on the Firmware Version line.
5 Type the path and filename of the firmware image file, or select Browse and locate the file.
6 Select OK.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, closes all sessions, restarts, and displays the FortiGate login. This process takes a few minutes.
7 Log into the web-based manager.
8 Go to System > Status > Dashboard and check the Firmware Version to confirm that the expected firmware upgrade was successfully installed.
9 Update antivirus and attack definitions. For information about updating antivirus and attack definitions, see Configuring FortiGuard Services on page 300.
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure To update antivirus and attack definitions on page 307 to make sure that antivirus and attack definitions are up to date.
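The W, X, Y (Z) version format described under Upgrading to a new firmware version, as an added Python example that is not Fortinet's code: it parses a version string such as v4.0,build0178,101220 (MR1 Patch1) into its parts and uses the result to flag a downgrade before an image is installed, following the guide's caution to back up the configuration first. The ordering of MR, patch and build numbers, the 20YY century for the release date, and the comparison version strings are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import date

# Matches the "W, X, Y (Z)" format described in the guide, for example
# "v4.0,build0178,101220 (MR1 Patch1)". Whitespace after the commas is
# tolerated because copied version strings often carry it.
_VERSION_RE = re.compile(
    r"^v(?P<major>\d+(?:\.\d+)*),\s*build(?P<build>\d+),\s*(?P<date>\d{6})"
    r"(?:\s*\((?P<release>[^)]*)\))?\s*$"
)


@dataclass(frozen=True)
class FortiOSVersion:
    major: tuple        # W, e.g. (4, 0) for "v4.0"
    build: int          # X, the build number
    released: date      # Y, YYMMDD (assumption: the year is 20YY)
    mr: int             # Z, maintenance release number; 0 when absent
    patch: int          # Z, patch number; 0 when absent

    def sort_key(self):
        # Assumption: within a major version, MR and patch rank above the
        # build number, so images are ordered by MR, then patch, then build.
        return (self.major, self.mr, self.patch, self.build)


def parse_version(text):
    """Parse a FortiOS firmware version string; raises ValueError if malformed."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised firmware version string: {text!r}")
    yymmdd = m.group("date")
    released = date(2000 + int(yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:]))
    release = m.group("release") or ""
    mr = re.search(r"MR\s*(\d+)", release)
    patch = re.search(r"Patch\s*(\d+)", release)
    return FortiOSVersion(
        major=tuple(int(p) for p in m.group("major").split(".")),
        build=int(m.group("build")),
        released=released,
        mr=int(mr.group(1)) if mr else 0,
        patch=int(patch.group(1)) if patch else 0,
    )


def is_downgrade(current, candidate):
    """True when installing `candidate` over `current` moves to an older image."""
    return candidate.sort_key() < current.sort_key()


def upgrade_checklist(current_text, candidate_text):
    """Pre-flight reminders drawn from the guide's notes and cautions."""
    current = parse_version(current_text)
    candidate = parse_version(candidate_text)
    steps = ["Back up the configuration before changing the firmware image."]
    if is_downgrade(current, candidate):
        steps.append("Downgrade: confirm Allow Firmware Downgrade; the unit resets "
                     "to factory defaults, so keep the backup to restore afterwards.")
        if candidate.major != current.major:
            steps.append("Major version changes; the backup may not restore cleanly.")
    steps.append("After the install, update antivirus and attack definitions.")
    return steps


if __name__ == "__main__":
    # Constructed example: the guide's sample image versus an older MR1 build.
    for line in upgrade_checklist("v4.0,build0178,101220 (MR1 Patch1)",
                                  "v4.0,build0099,090601 (MR1)"):
        print(line)
```

The parser rejects anything that does not match the documented layout rather than guessing, so a mistyped or truncated version string surfaces as an error before any comparison is made.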
Reverting to a previous firmware version
Use the following procedure to revert your FortiGate unit to a previous firmware version. This also reverts the FortiGate unit to its factory default configuration and deletes IPS custom signatures, web content lists, email filtering lists, and changes to replacement messages. Back up your FortiGate unit configuration to preserve this information. For information, see About the Maintenance menu on page 289.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v3.0 to FortiOS v2.8), you might not be able to restore the previous configuration from the backup configuration file.
To revert to a previous firmware version using the web-based manager
1 Copy the firmware image file to your management computer.
The firmware images for FortiGate units are available at the Fortinet Support web site.
2 Log into the web-based manager as the super admin, or an administrator account that has system configuration read and write privileges.
3 Go to System > Status > Dashboard.
4 In the System Information section, select Update on the Firmware Version line.
5 Type the path and filename of the firmware image file, or select Browse and locate the file.
6 Select OK.
The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiGate login. This process takes a few minutes.
7 Log into the web-based manager.
8 Go to System > Status > Dashboard and check the Firmware Version to confirm that the firmware is successfully installed.
9 Restore your configuration.
For information about restoring your configuration, see About the Maintenance menu on page 289.
10 Update antivirus and attack definitions.
For information about antivirus and attack definitions, see To update antivirus and attack definitions on page 307.
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure To update antivirus and attack definitions on page 307 to make sure that antivirus and attack definitions are up to date.
Viewing operational history
The System Resource History page displays six graphs representing different system resources and protection activity over time.
If no units are displayed on the vertical axis of a graph, the values are percentages.
The graphs refresh at 3-second intervals.
To view the operational history
1 Go to System > Status > Dashboard.
2 Select History in the upper right corner of the System Resources widget.
Figure 37: Sample system resources history
Time Interval: Select the time interval to display along the bottom axis of the graphs.
CPU Usage History: Percentage CPU usage for the preceding interval.
Memory Usage History: Percentage memory usage for the preceding interval.
Session History: Number of sessions over the preceding interval.
Network Utilization History: Network utilization for the preceding interval.
Virus History: Number of viruses detected over the preceding interval.
Intrusion History: Number of intrusion attempts detected over the preceding interval.
Manually updating FortiGuard definitions
You can update your FortiGuard antivirus database, Intrusion Protection definitions, and
antispam rule set at any time from the License Information section of the System Status
page.
To update FortiGuard antivirus definitions, IPS definitions, or antispam rule set
manually
1 Download the latest update file from the Fortinet Support site and copy it to the computer that you use to connect to the web-based manager.
2 Start the web-based manager and go to System > Status > Dashboard.
3 In the License Information section, in the AV Definitions, IPS Definitions, or AS Rule
Set field of the FortiGuard Subscriptions, select Update.
4 Select Browse and locate the update file or type the path and filename.
5 Select OK to copy the update file to the FortiGate unit.
The FortiGate unit updates the AV definitions. This takes about 1 minute.
6 Go to System > Status > Dashboard to confirm that the version information for the
selected definition or rule set has updated.
Note: For information about configuring automatic FortiGuard updates, see Configuring FortiGuard Services on page 300.
Viewing Log and Archive Statistics
The Log and Archive Statistics widget provides information about sessions, DLP archiving and network protection activity.
Viewing DLP Archive information on the Statistics widget
From the Statistics widget of the System Status page, you can view statistics about HTTP, HTTPS, FTP and IM traffic through the FortiGate unit. You can select the Details link beside each traffic type to view more information. You can select Reset on the header of the Statistics section to clear the DLP archive and attack log information, and reset the counts to zero.
Viewing HTTP content information
1 Go to System > Status > Dashboard.
2 In the DLP archive section, select Details for HTTP.
Date and Time: The time when the URL was accessed.
From: The IP address from which the URL was accessed.
URL: The URL that was accessed.
Viewing Email content information
1 Go to System > Status > Dashboard.
2 In the DLP archive section, select Details for Email.
Date and Time: The time that the email passed through the FortiGate unit.
From: The sender's email address.
To: The recipient's email address.
Subject: The subject line of the email.
Viewing archived FTP content information
1 Go to System > Status > Dashboard.
2 In the DLP archive section, select Details for FTP.
Date and Time: The time of access.
Destination: The IP address of the FTP server that was accessed.
User: The User ID that logged into the FTP server.
Downloads: The names of files that were downloaded.
Uploads: The names of files that were uploaded.
Viewing IM content information
1 Go to System > Status > Dashboard.
2 In the DLP archive section, select Details for IM.
Date / Time: The time of access.
Protocol: The protocol used in this IM session.
Kind: The kind of IM traffic this transaction is.
Local: The local address for this transaction.
Remote: The remote address for this transaction.
Direction: Whether the file was sent or received.
Viewing the Attack Log
From the Statistics section of the System Status page, you can view statistics about the network attacks that the FortiGate unit has stopped. You can view statistics about viruses caught, attacks detected, spam email detected, and URLs blocked. You can also view information about sessions matched by DLP rules. You can select the Details link beside each attack type to view more information.
You can select Reset on the header of the Statistics section to clear the DLP archive and attack log information and reset the counts to zero.
Viewing viruses caught
1 Go to System > Status > Dashboard.
2 In the Attack Log section, select Details for AV.
Date and Time: The time when the virus was detected.
From: The sender's email address or IP address.
To: The intended recipient's email address or IP address.
Service: The service type, such as POP or HTTP.
Virus: The name of the virus that was detected.
Viewing attacks blocked
1 Go to System > Status > Dashboard.
2 In the Attack Log section, select Details for IPS.
Date and Time: The time that the attack was detected.
From: The source of the attack.
To: The target host of the attack.
Service: The service type.
Attack: The type of attack that was detected and prevented.
Viewing spam email detected
1 Go to System > Status > Dashboard.
2 In the Attack Log section, select Details for Spam.
Date and Time: The time that the spam was detected.
From->To IP: The sender and intended recipient IP addresses.
From->To Email Accounts: The sender and intended recipient email addresses.
Service: The service type, such as SMTP, POP or IMAP.
SPAM Type: The type of spam that was detected.
Viewing URLs blocked
1 Go to System > Status > Dashboard.
2 In the Attack Log section, select Details for Web.
Date and Time: The time that the attempt to access the URL was detected.
From: The host that attempted to view the URL.
URL Blocked: The URL that was blocked.
Viewing the sessions matched by DLP
1 Go to System > Status > Dashboard.
2 In the Attack Log section, select Details for DLP.
Date and Time: The time that the attempt to access the URL was detected.
Service: The service type, such as HTTP, SMTP, POP or IMAP.
Source: The source address of the session.
From: The host that attempted to view the URL.
URL Blocked: The URL that was blocked.
From: The sender's email address or IP address.
To: The intended recipient's email address or IP address.
Configuring the RAID array
Some FortiGate models have two or more disk drives configured in a RAID array to store log messages locally on the FortiGate unit. RAID arrays can provide faster disk access, redundancy in case of partial failure, or both, depending on the RAID level that is selected.
When switching RAID levels, you may see the message RAID status is OK and RAID is doing background synchronization. Synchronization of the disks in the array takes considerable time; it takes longer for larger arrays and for disks with more storage capacity.
Caution: Do not remove a disk while the RAID array is synchronizing; you may lose stored information. Doing so will also cause a degraded array and require a rebuild.
Caution: A RAID array provides no redundancy in a degraded state. Any disk failure while the RAID array is in a degraded state will cause data loss.
This section includes:
RAID disk configuration
RAID Level
Rebuilding the RAID array
RAID disk configuration
To configure the RAID array, go to System > Dashboard and select Configure on the RAID Monitor widget.
Figure 38: RAID disk configuration
RAID level: Select the level of RAID. Options include:
RAID-0 (striping): better performance, no redundancy
RAID-1 (mirroring): half the storage capacity, but totally redundant
RAID-5: striping with parity checking, and redundancy
Available RAID level options depend on the available number of hard disks. Two or more disks are required for RAID 0 or RAID 1. Three or more disks are required for RAID 5.
Changing the RAID level takes effect when Apply is selected. Changing the RAID level erases any stored log information on the array and reboots the FortiGate unit. The unit remains offline while it reconfigures the RAID array. When it reboots, the array will need to synchronize before being fully operational.
For more information on RAID levels, see RAID Level on page 96.
Status: The status, or health, of the RAID array. This status can be one of:
OK: standard status, everything is normal
OK (Background-Synchronizing) (%): synchronizing the disks after changing RAID level; the Synchronizing progress bar shows percent complete
Degraded: One or more of the disks in the array has failed, been removed, or is not working properly. A warning is displayed about the lack of redundancy in this state. Also, a degraded array is slower than a healthy array. Select Rebuild RAID to fix the array.
Degraded (Background-Rebuilding) (%): The same as degraded, but the RAID array is being rebuilt in the background. The array continues to be in a fragile state until the rebuilding is completed.
Size: The size of the RAID array in gigabytes (GB). The size of the array depends on the RAID level selected and the number of disks in the array.
Rebuild RAID: Select to rebuild the array after a new disk has been added to the array, or after a disk has been swapped in for a failed disk. If you try to rebuild a RAID array with too few disks you will get a rebuild error. After inserting a functioning disk, the rebuild will start. This button is only available when the RAID array is in a degraded state and has enough disks to be rebuilt. You cannot restart a rebuild once a rebuild is already in progress.
Note: If a disk has failed, the number of working disks may not be enough for the RAID level to function. In this case, replace the failed disk with a working disk to rebuild the RAID array.
Disk#: The disk's position in the array. This corresponds to the physical slot of the disk. If a disk is removed from the FortiGate unit, the disk is marked as not a member of the array and its position is retained until a new disk is inserted in that drive bay.
Status: The status of this disk. Options include OK and unavailable. A disk is unavailable if it is removed or has failed.
Member: Displays whether the selected disk is part of the RAID array. A green icon with a check mark indicates the disk is part of the array. A grey icon with an X indicates the disk is not part of the RAID array. A disk may be displayed as healthy on the dashboard display even when it is not a member of the RAID array. A disk may be available but not used in the RAID array; for example, with three disks in a RAID 1 array, only two are used.
Capacity: The storage capacity that this drive contributes to the RAID array. The full storage capacity of the disk is used for the RAID array automatically. The total storage capacity of the RAID array depends on the capacity and number of the disks, and the RAID level of the array.
RAID Level
When changing the RAID level, the available levels depend on the number of working disks that are actually present in the unit. For example, RAID 5 is not available on units with fewer than three disks. When a disk fails, becomes corrupt, or is removed, you must rebuild the RAID array. For more information, see Rebuilding the RAID array on page 97.
If the FortiGate unit only has one disk installed, the RAID monitor widget will not be displayed, as it is not possible to configure a RAID array with only one disk.
Available RAID levels include:
RAID 0
RAID 1
RAID 5
RAID 0
A RAID 0 array is also referred to as striping. The FortiGate unit writes information evenly across all hard disks. The total space available is that of all the disks in the RAID array. There is no redundancy available. If any single drive fails, the data on that drive cannot be recovered. This RAID level is beneficial because it provides better performance, since the FortiGate unit can distribute disk writing across multiple disks.
For example, if your FortiGate unit has three disks each with a one terabyte (TB) capacity, your RAID 0 array will have a three TB capacity.
RAID 1
A RAID 1 array is also referred to as mirroring. The FortiGate unit writes information to one hard disk, and writes a copy (a mirror image) of all information to all other hard disks. The total disk space available is that of only one hard disk, as the others are solely used for mirroring. This provides redundant data storage with no single point of failure. Should any of the hard disks fail, there are several backup hard disks available. For example, if one disk fails, the unit can still access three other hard disks and continue functioning.
In a RAID 1 array, if you have four disks of one TB capacity, the array will have a two TB capacity. Since RAID 1 pairs disks for mirroring, if you have an odd number of disks then one disk will not be used. If you have three disks, only two will be used in the RAID 1 array.
RAID 5
A RAID 5 array employs striping with a parity check. Similar to RAID 0, the FortiGate unit writes information evenly across all drives, but additional parity blocks are written on the same stripes. The parity block is staggered for each stripe. The total disk space is that of the total number of disks in the array minus one disk for parity storage. For example, with four hard disks, the total capacity available is actually the total for three hard disks. RAID 5 performance is typically better with reading than with writing, although performance is degraded when one disk has failed or is missing. With RAID 5, one disk can fail without the loss of data. If a drive fails, it can be replaced and the FortiGate unit will restore the data on the new disk by using reference information from the parity volume.
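The capacity and fault-tolerance rules stated above for RAID 0, RAID 1 and RAID 5, together with the degraded and rebuild conditions from the RAID disk configuration table, as an added Python model that is not Fortinet's code. It assumes disks of equal size, that consecutive slots form the RAID 1 mirror pairs (the guide only says disks are paired), and it uses constructed per-slot states "ok", "failed" and "replaced" to stand in for the disk status shown in the widget.

```python
# Minimum number of disks for each RAID level, as stated in the guide.
MIN_DISKS = {0: 2, 1: 2, 5: 3}


def usable_capacity_gb(level, disk_sizes_gb):
    """Usable array capacity in GB under the guide's rules for each level.

    Assumes equal-size disks (the guide says a replacement disk should match
    the one it replaces); the smallest disk is used as the per-disk size so a
    mismatched larger disk is never over-counted.
    """
    if level not in MIN_DISKS:
        raise ValueError(f"unsupported RAID level {level}")
    n = len(disk_sizes_gb)
    if n < MIN_DISKS[level]:
        raise ValueError(f"RAID {level} needs at least {MIN_DISKS[level]} disks, got {n}")
    per_disk = min(disk_sizes_gb)
    if level == 0:
        return sum(disk_sizes_gb)        # striping: every disk's space is usable
    if level == 1:
        return (n // 2) * per_disk       # mirror pairs; an odd disk is left unused
    return (n - 1) * per_disk            # RAID 5: one disk's worth holds parity


def array_status(level, slots):
    """Return 'OK', 'Degraded' or 'Failed' for a list of per-slot states.

    Slot states are a constructed model: 'ok' (healthy member), 'failed'
    (failed or removed) or 'replaced' (working disk inserted but not yet
    rebuilt into the array). Only 'ok' disks provide redundancy, because a
    replaced disk holds no data until the rebuild completes.
    """
    if level not in MIN_DISKS:
        raise ValueError(f"unsupported RAID level {level}")
    healthy = [s == "ok" for s in slots]
    if level == 0:
        # No redundancy: losing any disk loses the array's data.
        return "OK" if all(healthy) else "Failed"
    if level == 1:
        # Assumption: consecutive slots form the mirror pairs; a trailing
        # odd slot is the unused disk the guide describes.
        pairs = [(healthy[i], healthy[i + 1]) for i in range(0, len(slots) - 1, 2)]
        if any(not a and not b for a, b in pairs):
            return "Failed"
        return "OK" if all(a and b for a, b in pairs) else "Degraded"
    # RAID 5 tolerates exactly one missing disk.
    missing = len(slots) - sum(healthy)
    return "OK" if missing == 0 else "Degraded" if missing == 1 else "Failed"


def can_rebuild(level, slots):
    """Rebuild RAID is offered only for a degraded array whose failed slots
    have all been filled with working disks, which is the guide's condition."""
    return array_status(level, slots) == "Degraded" and "failed" not in slots


if __name__ == "__main__":
    four_tb = [1000, 1000, 1000, 1000]  # constructed: four 1 TB disks
    for lvl in (0, 1, 5):
        print(f"RAID {lvl}: {usable_capacity_gb(lvl, four_tb)} GB usable")
    slots = ["ok", "ok", "failed", "ok"]
    print("RAID 5, one failed disk:", array_status(5, slots),
          "rebuild possible:", can_rebuild(5, slots))
    slots[2] = "replaced"
    print("after inserting a working disk:", array_status(5, slots),
          "rebuild possible:", can_rebuild(5, slots))
```

Running the block prints the three capacities the guide gives for four 1 TB disks (4000, 2000 and 3000 GB) and shows why the Rebuild RAID button stays unavailable until the failed slot actually holds a working disk.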
Rebuilding the RAID array
A RAID array has multiple disks, with writes spread across the disks so that if one disk in the array fails, the array can still provide all the stored information. Some forms of RAID do not provide redundancy, but most do.
When a disk fails, or the RAID array becomes degraded
The Alert Message Console widget, located in System > Dashboard, displays any messages about events or activities that need urgent attention, such as a failed hard disk. This widget provides detailed messages that contain the date and time of the event or activity, as well as an explanation of what happened.
This section includes:
Why rebuild the RAID array?
How to rebuild the RAID array
Why rebuild the RAID array?
When the RAID array has redundancy and one disk in the array fails, becomes corrupted, or is removed, the array becomes degraded. In a degraded state the array can still function, but there are some changes. The two main changes are that there is no longer any redundancy and that accessing the array takes longer than before.
There is no redundancy because, with one disk removed from the array, the information that was stored on that disk can still be retrieved using the other disks in the array, but removing another disk from the array would remove information that has no backup or parity data. This second disk's removal would result in data loss and the array would fail. This delicate state of the RAID array is shown by the warning message on the dashboard RAID monitor when the status is degraded.
The array takes longer to access data because, instead of the data being retrieved in the format and order expected, the array has to jump around to find it and at times recreate the missing data from the parity information. This all takes longer than the usual straight read operation and continues until the RAID array has been rebuilt.
The reasons you rebuild a RAID array include:
a disk has failed
the array has become corrupted
a disk has been removed
How to rebuild the RAID array
When the RAID array is in its normal OK state, there is no option to rebuild the array because there is no need for it. You only need to rebuild the array when it is in a degraded state and in danger of losing data.
Before you rebuild the RAID array, you should have a replacement disk for the one that failed, if that is the cause of the degraded array. You cannot rebuild an array that is missing a disk. A replacement disk should have the same storage capacity as the disk it is replacing.
Also, before rebuilding the array, you should back up the data if possible. As soon as the RAID array becomes degraded you should back up the array if possible to prevent data loss.
To rebuild the RAID array
1 Go to Status > Dashboard > RAID Monitor > Configure.
2 Verify that the status of the RAID array is degraded and that the Rebuild button is not greyed out.
3 Remove the failed disk from the FortiGate unit.
Ensure you have the correct disk.
Press the green button to unlock the disk.
Gently push the lever to the left as far as it will go to disconnect the disk.
Remove the disk from the FortiGate unit by pulling on the lever.
4 Insert the new disk that is replacing the failed disk into the FortiGate unit.
Insert the disk carefully into the FortiGate unit.
Push the front panel of the disk to make the connection; the lever will start to move to the right. Ensure that both sides of the disk are in line with the other disks.
When in place, push the bar fully to the right until the green button clicks.
5 Refresh your display to ensure the new disk is installed properly. If it is not recognized, repeat steps 3 and 4 with the new disk to ensure it is properly installed.
6 On the configure screen, select Rebuild RAID.
Rebuilding the RAID array will normally take several hours. You can follow its progress on the RAID Monitor display on the dashboard.
7 When the rebuild is complete, the status of the RAID array changes to OK.
Configuring AMC modules
Most FortiGate models with AMC slots have one single-width or dual-width AMC slot. The FortiGate-3810A has two single-width and two dual-width AMC slots.
By default, FortiGate units automatically recognize the AMC modules installed in their AMC slots, or automatically recognize that an AMC slot is empty. If the module contains interfaces, FortiOS automatically adds the interfaces to the FortiGate configuration. If the module contains a hard disk, the hard disk is automatically added to the configuration. However, if the FortiGate unit is powered down and the module removed from the slot, when the FortiGate unit restarts it automatically recognizes that the slot is empty and does not retain any configuration settings for the missing module.
This default behavior is acceptable in most cases. However, when a module is present in a slot it can be useful to add the name of the module to the FortiGate configuration. Then, if the module fails or you temporarily remove it from the slot, the FortiGate unit keeps the module's configuration settings so that when the module is replaced you will not have to re-configure it.
If you have added the name of a module to a slot and you are planning on removing the
module and replacing it with a different type of module (for example, if you are removing a
FortiGate-ASM-S08 and replacing it with a FortiGate-ASM-FX2), you should reset the slot
to the default before removing the module. Then, after adding the new module, you should
add its name to the slot.
You configure AMC slot settings from the FortiGate CLI using the config system amc
command. For information about this command, see the FortiGate CLI Reference.
To change the default setting for an AMC slot
The following procedure shows how to add a FortiGate-ADM-FB8 to the first double-width
AMC slot (dw1) and how to add the name of the module to the slot configuration.
1 Enter the following CLI command to verify that the slot that you will insert the
FortiGate-ADM-FB8 module into is set to the default configuration.
This command lists the AMC slots and the settings for each one. Example command
output for a FortiGate-5001A with an empty double-width AMC slot:
get system amc
dw1 : auto
2 Power down the FortiGate unit.
3 Insert the FortiGate-ADM-FB8 module into the double-width AMC slot.
4 Power up the FortiGate unit.
As long as the slot that you have inserted the FortiGate-ADM-FB8 module into is set to
auto, the FortiGate unit should automatically find the module when it powers up.
5 Add the name of the FortiGate-ADM-FB8 module to the FortiGate configuration.
config system amc
set dw1 adm-fb8
end
Auto-bypass and recovery for AMC bridge module
The FortiGate-ASM-CX4 and FortiGate-ASM-FX2 modules provide fail-open protection for
interface pairs of FortiGate units that operate in Transparent mode and have a single-
width AMC slot. The FortiGate-ASM-CX4 or FortiGate-ASM-FX2 module bridges
FortiGate interfaces, monitors the interfaces for traffic failures, and operates as a pass-
through device if the interfaces or the entire FortiGate unit fail or for some reason
cannot pass traffic between the interfaces. If a failure occurs, traffic bypasses the
FortiGate unit and passes through the FortiGate-ASM-CX4 or FortiGate-ASM-FX2 module
so that the network can continue carrying traffic after a FortiGate failure.
This section describes how to configure a FortiGate unit to use a FortiGate-ASM-CX4 or
FortiGate-ASM-FX2 module to bridge FortiGate interfaces. The FortiGate unit must
operate in Transparent mode and the FortiGate-ASM-CX4 and FortiGate-ASM-FX2
modules are not compatible with FortiGate HA.
The FortiGate-ASM-CX4 and FortiGate-ASM-FX2 modules include a bypass watchdog
that continually verifies that traffic is flowing through the bridged FortiGate interfaces. If
traffic stops flowing, for example if the FortiGate unit fails, and if the bypass watchdog
detects this, the bridge module switches to bypass mode to ensure the flow of traffic on
the network.
In bypass mode all traffic flows between interfaces on the FortiGate-ASM-CX4 or
FortiGate-ASM-FX2 module and not through the FortiGate unit. You can configure a
recovery watchdog to check whether the bridged FortiGate interfaces can process traffic
again. If you fix the problem, or the problem fixes itself, the recovery watchdog
detects that traffic can resume and switches the module back to normal operation by
turning off bypass mode.
To configure a FortiGate unit to operate with a FortiGate-ASM-CX4 or
FortiGate-ASM-FX2 module
1 Switch the FortiGate unit to operate in Transparent mode.
config system settings
set opmode transparent
set manageip <management_ipv4> <netmask_ipv4>
set gateway <gateway_ipv4>
end
After a short pause the FortiGate unit is operating in Transparent mode.
2 Enter the following command to verify that the slot that you will insert the
FortiGate-ASM-CX4 or FortiGate-ASM-FX2 module into is set to auto.
This command lists the AMC slots and the settings for each one. Example command
output for a FortiGate-620B with an empty AMC slot:
get system amc
sw1 : auto
3 Power down the FortiGate unit.
4 Insert the FortiGate-ASM-CX4 or FortiGate-ASM-FX2 module into a single-width AMC
slot.
5 Power up the FortiGate unit.
As long as the slot that you have inserted the module into is set to auto, the FortiGate
unit should automatically find the module when it powers up.
6 Add the name of the module to the FortiGate configuration and configure bypass and
recovery settings.
The following command configures AMC single-width slot 1 (sw1) for a FortiGate-ASM-
CX4.
This command also enables the bypass watchdog and increases the bypass timeout
from the default value of 10 seconds to 60 seconds. This means that if a failure occurs,
the bridge module changes to bypass mode 60 seconds after the bypass watchdog
detects the failure.
This command also enables watchdog recovery and sets the watchdog recovery
period to 30 seconds. This means that while the FortiGate-ASM-CX4 module is
bridging the connection after a failure, the AMC bypass watchdog monitors FortiGate
processes and reverts the module to normal operating mode (that is, it stops bridging
the interfaces with the FortiGate-ASM-CX4 module) if the FortiGate unit recovers from
the failure.
config system amc
set sw1 asm-cx4
set bypass-watchdog enable
set bypass-timeout 60
set watchdog-recovery enable
set watchdog-recovery-period 30
end
Enabling or disabling bypass mode for AMC bridge modules
Use the execute amc bypass command to switch between normal mode and bypass
mode for a FortiGate-ASM-CX4 or FortiGate-ASM-FX2 module installed in a single-width
AMC slot in a FortiGate unit. Normally the FortiGate-ASM-CX4 and FortiGate-ASM-FX2
modules operate with bypass mode disabled and traffic passes through the FortiGate
interfaces bridged by the FortiGate-ASM-CX4 or FortiGate-ASM-FX2 module. You can
use this command to manually enable bypass mode and force traffic to bypass the FortiGate
interfaces and pass through the FortiGate-ASM-CX4 or FortiGate-ASM-FX2 module.
If bypass mode has been enabled (using this command or because of a failure), you
can use this command to manually disable bypass mode and resume normal
operation. This is useful if the problem that caused the failure has been fixed and
normal operation can resume.
To manually enable bypass mode
1 Use the following command to manually enable bypass mode:
execute amc bypass enable
2 Use the following diagnose command to view the status of the AMC modules installed
in a FortiGate unit, including whether they are operating in bypass mode.
For example if you have installed a FortiGate-ASM-CX4 module in AMC slot 2 of a
FortiGate-3810A and bypass mode is enabled:
diagnose sys amc bypass status
ASM-CX4 in slot 2:
amc-sw2/1 <--> amc-sw2/2: mode=bypass (admin action)
amc-sw2/3 <--> amc-sw2/4: mode=bypass (admin action)
Daemon heartbeat status: normal
Last heartbeat received: 0 second(s) ago
3 Log into the web-based manager and go to System > Status > Dashboard and view the
Unit Operation widget to see the status of the AMC bridge module.
Figure 39 shows bypass mode enabled.
Figure 39: FortiGate-3810A with FortiGate-ASM-CX4 module installed in AMC slot 2
To manually disable bypass mode
1 Use the following command to manually disable bypass mode:
execute amc bypass disable
2 Use the following diagnose command to view the status of the AMC modules installed
in a FortiGate unit, including whether they are operating in bypass mode.
For example if you have installed a FortiGate-ASM-CX4 module in AMC slot 2 of a
FortiGate-3810A and bypass mode is disabled:
diagnose sys amc bypass status
ASM-CX4 in slot 2:
amc-sw2/1 <--> amc-sw2/2: mode=normal
amc-sw2/3 <--> amc-sw2/4: mode=normal
Daemon heartbeat status: normal
Last heartbeat received: 1 second(s) ago
3 Log into the web-based manager and go to System > Status > Dashboard and view the
Unit Operation widget to see the status of the AMC bridge module.
Figure 40 shows bypass mode disabled.
Figure 40: FortiGate-3810A with FortiGate-ASM-CX4 module installed in AMC slot 2
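The diagnose output shown in the two procedures above can be checked automatically, which matters because traffic through a bypassed pair is passing around the FortiGate unit without inspection. The following parser and check is an added example written for this guide, not Fortinet code; it assumes the output format shown above (module header, one line per bridged pair, two heartbeat lines) and uses an assumed local heartbeat-age threshold.

```python
"""Parse `diagnose sys amc bypass status` output and flag bridged interface
pairs that are in bypass mode, i.e. carrying traffic the FortiGate unit is
not inspecting.

Added example for this guide, not Fortinet code. The regexes are written
against the output lines shown in the guide and nothing else.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the two outputs shown in the guide for a
# FortiGate-ASM-CX4 in slot 2, first in bypass, then back in normal mode.
STATUS_BYPASS = """\
ASM-CX4 in slot 2:
amc-sw2/1 <--> amc-sw2/2: mode=bypass (admin action)
amc-sw2/3 <--> amc-sw2/4: mode=bypass (admin action)
Daemon heartbeat status: normal
Last heartbeat received: 0 second(s) ago
"""

STATUS_NORMAL = """\
ASM-CX4 in slot 2:
amc-sw2/1 <--> amc-sw2/2: mode=normal
amc-sw2/3 <--> amc-sw2/4: mode=normal
Daemon heartbeat status: normal
Last heartbeat received: 1 second(s) ago
"""

_MODULE_RE = re.compile(r"^(?P<module>\S+) in slot (?P<slot>\d+):\s*$")
_PAIR_RE = re.compile(
    r"^(?P<a>\S+) <--> (?P<b>\S+): mode=(?P<mode>\w+)(?: \((?P<reason>[^)]*)\))?\s*$"
)
_HB_STATUS_RE = re.compile(r"^Daemon heartbeat status: (?P<status>\w+)\s*$")
_HB_AGE_RE = re.compile(r"^Last heartbeat received: (?P<age>\d+) second\(s\) ago\s*$")


@dataclass
class BridgePair:
    module: str
    slot: int
    ports: tuple
    mode: str
    reason: Optional[str]  # e.g. "admin action"; None when mode=normal


@dataclass
class BypassStatus:
    pairs: List[BridgePair] = field(default_factory=list)
    heartbeat_status: Optional[str] = None
    heartbeat_age: Optional[int] = None


def parse_bypass_status(text: str) -> BypassStatus:
    """Parse the command output; an echoed command line is tolerated."""
    status = BypassStatus()
    module, slot = None, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("diagnose "):
            continue
        if m := _MODULE_RE.match(line):
            module, slot = m["module"], int(m["slot"])
        elif m := _PAIR_RE.match(line):
            if module is None:
                raise ValueError(f"pair line before module header: {line}")
            status.pairs.append(
                BridgePair(module, slot, (m["a"], m["b"]), m["mode"], m["reason"]))
        elif m := _HB_STATUS_RE.match(line):
            status.heartbeat_status = m["status"]
        elif m := _HB_AGE_RE.match(line):
            status.heartbeat_age = int(m["age"])
        else:
            raise ValueError(f"unrecognised line: {line}")
    return status


def findings(status: BypassStatus, max_heartbeat_age: int = 10) -> List[str]:
    """Return alert strings. max_heartbeat_age is an assumed local threshold
    (chosen to match the guide's default bypass-timeout of 10 s), not a
    FortiOS setting."""
    out = []
    for p in status.pairs:
        if p.mode != "normal":
            why = p.reason or "no reason given; check for a unit or interface failure"
            out.append(f"{p.module} slot {p.slot}: {p.ports[0]} <--> {p.ports[1]} "
                       f"is in {p.mode} mode, traffic is not inspected ({why})")
    if status.heartbeat_status not in (None, "normal"):
        out.append(f"bypass daemon heartbeat status is {status.heartbeat_status}")
    if status.heartbeat_age is not None and status.heartbeat_age > max_heartbeat_age:
        out.append(f"last heartbeat {status.heartbeat_age}s ago exceeds "
                   f"{max_heartbeat_age}s threshold")
    return out


if __name__ == "__main__":
    for label, text in (("bypass", STATUS_BYPASS), ("normal", STATUS_NORMAL)):
        alerts = findings(parse_bypass_status(text))
        print(f"{label}: {len(alerts)} alert(s)")
        for a in alerts:
            print("  -", a)
```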
Viewing application, policy, and DLP archive usage data
You can go to System > Status > Usage to view application, policy, and DLP archive
usage statistics about traffic passing through your FortiGate unit. Usage displays on the
System > Status > Usage page for both global and VDOM administrators.
None of the usage statistics are displayed by default, and must be selected using the +
Add Content drop-down menu. You can also add the Usage widget to custom web-based
manager pages.
This section describes:
Top Application Usage
Top Policy Usage
DLP Archive Usage
Top Application Usage
Top Application Usage shows the volume of traffic passing through the FortiGate unit
classified by application type as either a chart or a table. The chart displays applications in
order of use.
From the chart or table display you can:
View traffic volumes by pausing the mouse pointer over each bar.
Select an application type on the graph to view information about the source addresses
that used the application and the amount of data transferred by sessions from each
source address.
Top Application Usage data collection is started by adding application control black/white
lists to protection profiles. Only information about applications matched by application
control is added to the chart or table. Sessions accepted by firewall policies that do not
include protection profiles with application control configured do not contribute to the data
displayed.
Figure 41: Top Application Usage chart display
Figure 42: Top Application Usage table display
Reset Reset all counts to zero.
Edit Configure module settings.
Refresh Update displayed information.
Close Close the module.
Applications Application names in order of use.
Bytes or Messages Traffic volume in bytes or number of messages, depending on the Sort Criteria setting.
To configure the Top Application Usage module - web-based manager
1 Go to System > Status > Usage.
2 Select the Edit icon in the Top Application Usage module title bar.
Figure 43: Configuring the Top Application Usage module
Sort Criteria Select whether to sort the applications by number of Bytes or number of Messages.
Report By Select Source Address or Destination Address.
Display User Name Select the check box to show the user name (when known) instead of the IP address.
Resolve Host Name Select to use reverse-DNS lookup to determine the host name instead of displaying the IP address.
VDOM Select the VDOM to monitor or select Global. This is available for global administrators only. VDOM administrators see only their own VDOM.
Display Format Select Chart or Table display.
Top Entries To Show Select whether to display top 5, 10, 15, or 20 applications.
Refresh Interval Select display update interval in seconds. Range 10 to 240 seconds. Select 0 to disable updating. You can also update using the Refresh icon in the module header.
Top Policy Usage
Top Policy Usage shows the volume of traffic passing through the FortiGate unit classified
by firewall policy as either a chart or a table.
From the chart or table display you can:
View details about firewall policies by pausing the mouse pointer over each bar in the
chart.
Select a firewall policy on the graph to view and optionally change the firewall policy.
Top Policy Usage data is collected by all firewall policies. You can configure Top Policy
Usage to show data for up to 20 firewall policies. Only firewall policies that have accepted
sessions appear on the chart or table.
Figure 44: Top Policy Usage chart display
Figure 45: Top Policy Usage table display
Reset Reset all counts to zero.
Edit Configure module settings.
Refresh Update displayed information.
Close Close the module.
Policy ID The firewall policy identifier.
Total Bytes or Total Packets The cumulative traffic volume for the firewall policy in bytes or packets, depending on the Sort Criteria setting.
To configure the Top Policy Usage module
1 Go to System > Status > Usage.
2 Select the Edit icon in the Top Policy Usage module title bar.
3 Enter the following information and select OK.
Figure 46: Configuring the Top Policy Usage module
Sort Criteria Select whether to sort the policies by number of Bytes or number of Packets.
VDOM Select the VDOM to monitor or select Global. This is available for global administrators only. VDOM administrators see only their own VDOM.
Display Format Select Chart or Table display.
Top Entries To Show Select whether to display top 5, 10, 15, or 20 applications.
Refresh Interval Select display update interval in seconds. Range 10 to 240 seconds. Select 0 to disable updating. You can also update using the Refresh icon in the module header.
DLP Archive Usage
DLP Archive Usage shows the volume of data that the FortiGate unit has sent to content
archiving (DLP Archive). You can categorize the information by DLP Rule, firewall policy,
protection profile, or protocol.
From the table display you can:
View details about the data by pausing the mouse pointer over each bar in the chart.
Select a bar on the graph to view more information about the data.
DLP Archive Usage data is collected by adding DLP sensors to protection profiles. Only
information about sessions matched by DLP sensors is added to the chart or table.
Sessions accepted by firewall policies that do not include protection profiles with DLP
sensors configured do not contribute to the data displayed.
Figure 47: DLP Archive Usage module
Reset Reset all counts to zero.
Edit Configure module settings.
Refresh Update displayed information.
Close Close the module.
DLP Rule or Policy or Profile or Protocol The DLP Rule, firewall policy, protection profile or protocol, depending on the Report By setting.
Bytes or Messages The volume of archived data in bytes or messages, depending on the Sort Criteria setting.
To configure the DLP Archive Usage module
1 Go to System > Status > Usage.
2 Select the Edit icon in the DLP Archive Usage module title bar.
3 Enter the following information and select OK.
Figure 48: Configuring the DLP Archive module
Report By Select one of: DLP Rule, Profile, Policy, or Protocol.
Sort Criteria Select whether to sort the results by number of Bytes or number of Messages.
Protocol Select the protocols to include.
VDOM Select the VDOM to monitor or select Global. This is available for global administrators only. VDOM administrators see only their own VDOM. This field is not available if Report By is Protocol.
Top Entries To Show Select whether to display top 5, 10, 15, or 20 items.
Refresh Interval Select display update interval in seconds. Range 10 to 240 seconds. Select 0 to disable updating. You can also update using the Refresh icon in the module header.
Using the topology viewer
The Topology page provides a way to diagram and document the networks connected to
your FortiGate unit. The Topology viewer is not available if Virtual Domains (VDOMs) are
enabled.
To access the Topology viewer feature, go to System > Admin > Admin Profile, create
a custom menu layout in your administrative profile, and add the Topology page. It is in the
Additional content category. See Configuring an admin profile on page 258.
The Topology page consists of a large canvas upon which you can draw a network
topology diagram of your FortiGate installation.
Figure 49: Topology page
Viewport and viewport control
The viewport displays only a portion of the drawing area. The viewport control, at the
bottom right of the topology page, represents the entire drawing area. The darker
rectangle represents the viewport. Drag the viewport rectangle within the viewport control
to determine which part of the drawing area the viewport displays.
The + and - buttons in the viewport control have the same function as the Zoom in and
Zoom out controls.
FortiGate unit object
The FortiGate unit is a permanent part of the topology diagram. You can move it, but not
delete it.
The FortiGate unit object shows the link status of the unit's interfaces. Green indicates the
interface is up. Gray indicates the interface is down. Select the interface to view its IP
address and netmask, if assigned.
Zoom and Edit controls
The toolbar at the top left of the Topology page shows controls for viewing and editing the
topology diagram.
Table 5: Zoom and Edit controls for Topology
Refresh the displayed diagram.
Zoom in. Select to display a smaller portion of the drawing area in the viewport, making
objects appear larger.
Zoom out. Select to display a larger portion of the drawing area in the viewport, making
objects appear smaller.
Select to begin editing the diagram.
This button expands the toolbar to show the editing controls described below:
Save changes made to the diagram.
Note: If you switch to any other page in the web-based manager without saving your
changes, your changes are lost.
Add a subnet object to the diagram. The subnet object is based on the firewall address
that you select, and is connected by a line to the interface associated with that
address. See Adding a subnet object on page 110.
Insert Text. Select this control and then click on the diagram where you want to place
the text object. Type the text and then click outside the text box.
Delete. Select the object(s) to delete and then select this control or press the Delete
key.
Customize. Select to change the colors and the thickness of lines used in the drawing.
See Customizing the topology diagram on page 111.
Drag. Select this control and then drag objects in the diagram to arrange them.
Scroll. Select this control and then drag the drawing area background to move the
viewport within the drawing area. This has the same effect as moving the viewport
rectangle within the viewport control.
Select. Select this control and then drag to create a selection rectangle. Objects within
the rectangle are selected when you release the mouse button.
Exit. Select to finish editing the diagram. Save changes first.
The toolbar contracts to show only the Refresh and Zoom controls.
Adding a subnet object
While editing the topology diagram, you can select the Add Subnet control to define a
subnet object. The object is drawn and connected by a line to the interface associated with
the address.
Figure 50: Adding an existing subnet to the topology diagram
Figure 51: Adding a new subnet to the topology diagram
Select from existing address/group Create a subnet object based on an existing firewall address. The
object has the name of the firewall address and is connected by a line
to the interface associated with that address. For more information
about firewall addresses, see Firewall Address on page 395.
Address Name Enter a name to identify the firewall address. Addresses, address
groups, and virtual IPs must have unique names to avoid confusion in
firewall policies.
Connect to interface Select the interface or zone to associate with this address. If the field
already displays a name, changing the setting changes the interface
or zone associated with this existing address.
If the address is currently used in a firewall policy, you can choose
only the interface selected in the policy.
New addresses Create a new firewall address and add a subnet object based on that
address to the topology diagram. The address is associated with the
interface you choose.
Address Name Enter a name to identify the firewall address. Addresses, address
groups, and virtual IPs must have unique names to avoid confusion in
firewall policies.
Type Select the type of address: Subnet/IP Range or FQDN.
Subnet / IP Range If Type is Subnet / IP Range, enter the firewall IP address, followed by
a forward slash and then the subnet mask. Alternatively, enter IP
range start address, followed by a hyphen (-) and the IP range end
address.
FQDN If Type is FQDN, enter the fully qualified domain name.
Connect to interface Select the interface or zone to associate with this address.
Customizing the topology diagram
Select the Customize button to open the Topology Customization window. Modify the
settings as needed and select OK when you are finished.
Figure 52: Topology Customization window
Preview A simulated topology diagram showing the effect of the selected appearance
options.
Canvas Size The size of the drawing in pixels.
Resize to Image If you selected an image as Background, resize the diagram to fit within the
image.
Background One of:
Solid A solid color selected in Background Color.
U.S. Map A map of the United States.
World Map A map of the world.
Upload My Image Upload the image from Image Path.
Background Color Select the color of the diagram background.
Image path If you selected Upload My Image for Background, enter the path to your image,
or use the Browse button to find it.
Exterior Color Select the color of the border region outside your diagram.
Line Color Select the color of connecting lines between subnet objects and interfaces.
Line Width Select the thickness of connecting lines.
Reset to Default Reset all topology diagram settings to default.
Managing firmware versions
Fortinet recommends reviewing this section before upgrading because it contains
important information about how to properly back up your current configuration settings
and what to do if the upgrade is unsuccessful.
You should also review the FortiGate Upgrade Guide when a new firmware version is
released, or the What's New chapter of this guide when a new firmware maintenance
release is released. Both contain valuable information about the changes and new
features that may cause issues with the current configuration.
In addition to firmware images, Fortinet releases patch releases: maintenance release
builds that resolve important issues. Fortinet strongly recommends reviewing the release
notes for the patch release before upgrading the firmware. Follow the steps below:
Download and review the release notes for the patch release.
Download the patch release.
Back up the current configuration.
Install the patch release using the procedure Testing firmware before upgrading on
page 116.
Test the patch release until you are satisfied that it applies to your configuration.
Installing a patch release without reviewing release notes or testing the firmware may
result in changes to settings or unexpected issues.
With FortiOS 4.0, you can also configure your FortiGate unit to use NAT while in
transparent mode. For more information, see the Fortinet Knowledge Center article,
Configuring NAT in Transparent mode.
If you enable virtual domains (VDOMs) on the FortiGate unit, system firmware versions
are configured globally. For more information, see Using virtual domains on page 125.
This section describes:
Backing up your configuration
Testing firmware before upgrading
Upgrading your FortiGate unit
Reverting to a previous firmware image
Restoring your configuration
Note: For more information about the settings that are available on the Backup and
Restore page, (such as remotely backing up to a FortiManager unit), see System
Maintenance on page 289.
Backing up your configuration
You can back up configuration settings to a local PC, a FortiManager unit, or a USB key.
You can also back up to a FortiGuard Management server if you have FortiGuard Analysis
and Management Service enabled.
Fortinet recommends backing up all configuration settings from your FortiGate unit before
upgrading to FortiOS 4.0. This ensures all configuration settings are still available if you
require downgrading to FortiOS 3.0 MR7 and want to restore those configuration settings.
Backing up your configuration through the web-based manager
You can back up your configuration to a variety of locations, such as a FortiManager unit
or a FortiGuard Management server. The following procedure describes how to properly
back up your current configuration in the web-based manager.
To back up your configuration file through the web-based manager
1 Go to System > Maintenance > Backup & Restore.
2 Select to back up the configuration to either a Local PC, FortiManager, or FortiGuard (if
your FortiGate unit is configured for FortiGuard Analysis and Management Service).
If you want to encrypt your configuration file to save VPN certificates, select the
Encrypt configuration file check box, enter a password, and then enter it again to
confirm.
3 Select Backup.
4 Save the file.
Backing up your configuration through the CLI
You can back up your configuration file using a TFTP or FTP server, or the USB key. If you
have the FortiGuard Analysis and Management Service configured, you can also back up
your configuration to the FortiGuard Management server.
When backing up your configuration in the CLI, you can choose to back up the entire
configuration (execute backup full-config) or part of the configuration (execute
backup config). If you have virtual domains, there are limitations to what certain
administrators are allowed to back up. For more information, see the FortiGate CLI
Reference.
The following procedure describes how to back up your current configuration in the CLI
and assumes that you are familiar with the following commands. For more information
about the individual commands used in the following procedure, see the FortiGate CLI
Reference.
To back up your configuration file through the CLI
1 Enter the following to back up the configuration file to a USB key:
execute backup config usb <backup_filename> <encrypt_passwd>
Caution: Always back up your configuration before installing a patch release,
upgrading/downgrading firmware, or resetting configuration to factory defaults.
2 Enter the following to back up the configuration file to a TFTP or FTP server:
execute backup config {tftp | ftp} <backup_filename>
<tftp_server_ipaddress> <ftp server[:ftp port]> <ftp_username>
<ftp_passwd> <encrypt_passwd>
3 Enter the following to back up the configuration to a FortiGuard Management server:
execute backup config management-station <comment>
To back up the entire configuration file through the CLI
Enter the following to back up the entire configuration file:
execute backup full-config {tftp | ftp | usb} <backup_filename>
<backup_filename> <tftp_server_ipaddress> <ftp server[:ftp
port]> <ftp_username> <ftp_passwd> <encrypt_passwd>
Backing up your configuration to a USB key
If your FortiGate unit has a USB port, you can back up your current configuration to a USB
key. When backing up a configuration file to a USB key, verify that the USB key is
formatted as a FAT16 disk. The FAT16 format is the only supported partition type. For
more information, see Formatting USB Disks on page 296.
Before proceeding, ensure that the USB key is inserted in the FortiGate unit's USB port.
To back up your configuration to the USB key
1 Go to System > Maintenance > Backup & Restore.
2 Select USB Disk from Backup configuration to list.
If you want to encrypt your configuration file to save VPN certificates, select the
Encrypt configuration file check box, enter a password, and then enter it again to
confirm.
3 Select Backup.
After successfully backing up your configuration file, either from the CLI or the web-based
manager, proceed with upgrading to FortiOS 4.0.
Testing firmware before upgrading
You may want to test the firmware that you need to install before upgrading to a new
firmware version, or to a maintenance or patch release. By testing the firmware, you can
familiarize yourself with the new features and changes to existing features, as well as
understand how your configuration works with the firmware. A firmware image is tested by
installing it from a system reboot, and then saving it to system memory. After the firmware
is saved to system memory, the FortiGate unit operates using the firmware with the
current configuration.
The following procedure does not permanently install the firmware; the next time the
FortiGate unit restarts, it operates using the firmware originally installed on the FortiGate
unit. You can install the firmware permanently by using the procedures in Upgrading your
FortiGate unit on page 117.
You can use the following procedure for either a regular firmware image or a patch
release.
The following procedure assumes that you have already downloaded the firmware image
to your management computer.
To test the firmware image before upgrading
1 Copy the new firmware image file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and
TFTP server are successfully connected.
5 Enter the following to restart the FortiGate unit.
execute reboot
6 As the FortiGate unit reboots, a series of system startup messages appears. When the
following message appears, immediately press any key to interrupt the system startup:
Press any key to display configuration menu
You have only three seconds to press any key. If you do not press a key soon enough,
the FortiGate unit reboots and you must log in and repeat steps 5 and 6.
If you successfully interrupt the startup process, the following message appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
7 Type G to get the new firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
8 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
9 Type the internal IP address of the FortiGate unit.
This IP address connects the FortiGate unit to the TFTP server. This IP address must
be on the same network as the TFTP server, but make sure you do not use an IP
address of another device on the network.
The following message appears:
Enter File Name [image.out]:
10 Enter the firmware image file name and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and the
following appears:
Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
11 Type R.
The FortiGate unit loads the firmware image into system memory without saving it to the
boot device, and starts running the new firmware image with the current configuration.
When you have completed testing the firmware, you can reboot the FortiGate unit and
resume using the original firmware.
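Pinging the TFTP server (step 4 above, and in the CLI procedures that follow) proves only that the FortiGate unit can reach the host. It does not prove that the TFTP daemon can actually serve the image, that the image is the one you downloaded, or that the local address you will type at the boot menu is usable; with a three-second window at the boot prompt, a failed fetch costs another reboot. The following pre-flight script is an added example written for this guide, not Fortinet code or part of FortiOS. It assumes a Unix-like TFTP server host, and the dummy image, digests and addresses it uses are constructed for illustration (the 192.168.1.168/192.168.1.188 pair is the one shown in the boot-menu prompts above).

```python
"""Pre-flight checks before rebooting a FortiGate unit into the TFTP boot menu.

Added example for this guide, not Fortinet code. Run it on the TFTP server
host after copying the firmware image into the TFTP root directory.
"""
import hashlib
import ipaddress
import os
import stat
import tempfile


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so a large image need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preflight(tftp_root, filename, server_ip, local_ip, netmask, expected_sha256=None):
    """Return a list of problems; an empty list means the staging looks correct.

    server_ip is what you will type at 'Enter TFTP server address', local_ip at
    'Enter Local Address', and netmask is the mask of the network they share.
    """
    problems = []
    path = os.path.join(tftp_root, filename)
    if not os.path.isfile(path):
        problems.append("image %s not found in TFTP root %s" % (filename, tftp_root))
    else:
        # TFTP daemons normally drop privileges, so the image must be world-readable.
        if not os.stat(path).st_mode & stat.S_IROTH:
            problems.append("image %s is not world-readable; the TFTP daemon cannot serve it"
                            % filename)
        if expected_sha256 is not None:
            actual = sha256_of(path)
            if actual != expected_sha256.lower():
                problems.append("SHA-256 mismatch: expected %s, got %s"
                                % (expected_sha256, actual))
    try:
        server = ipaddress.ip_address(server_ip)
        local = ipaddress.ip_address(local_ip)
        network = ipaddress.ip_network("%s/%s" % (server_ip, netmask), strict=False)
        if local not in network:
            problems.append("local address %s is not on the TFTP server's subnet %s"
                            % (local_ip, network))
        if local == server:
            problems.append("local address must not be the TFTP server's own address")
    except ValueError as exc:
        problems.append("bad address or netmask: %s" % exc)
    return problems


def demo():
    """Exercise the checks against a constructed dummy image (not real firmware)."""
    root = tempfile.mkdtemp(prefix="tftproot-")
    path = os.path.join(root, "image.out")
    with open(path, "wb") as handle:
        handle.write(b"\x00" * (1 << 20))   # 1 MiB of zeros stands in for the image
    os.chmod(path, 0o644)
    digest = sha256_of(path)
    results = {
        "good": preflight(root, "image.out", "192.168.1.168", "192.168.1.188",
                          "255.255.255.0", digest),
        "wrong_subnet": preflight(root, "image.out", "192.168.1.168", "10.0.0.5",
                                  "255.255.255.0", digest),
        "wrong_hash": preflight(root, "image.out", "192.168.1.168", "192.168.1.188",
                                "255.255.255.0", "00" * 32),
    }
    os.chmod(path, 0o600)   # simulate an image copied with a restrictive umask
    results["unreadable"] = preflight(root, "image.out", "192.168.1.168",
                                      "192.168.1.188", "255.255.255.0", digest)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```

The script cannot tell you whether the local address is already in use by another device on the segment; check that separately (an ARP lookup from the TFTP host) before you type it at the boot menu.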
Upgrading your FortiGate unit
If your upgrade is successful, and your FortiGate unit has a hard drive, you can use the
Boot alternate firmware option located in System > Maintenance > Backup and Restore.
This option enables you to have two firmware images, such as FortiOS 3.0 MR7 and
FortiOS 4.0, available for downgrading or upgrading.
If the upgrade was not successful, go to Reverting to a previous firmware image on
page 120.
You can also use the following procedure when installing a patch release. A patch release
is a firmware image that resolves specific issues, but does not contain new features or
changes to existing features. You can install a patch release whether or not you upgraded
to the current firmware version.
Upgrading to FortiOS 4.0 through the web-based manager
The following procedure describes how to upgrade to FortiOS 4.0 in the web-based
manager. Fortinet recommends using the CLI to upgrade to FortiOS 4.0. The CLI upgrade
procedure reverts all current firewall configurations to factory default settings.
To upgrade to FortiOS 4.0 through the web-based manager
1 Download the firmware image file to your management computer.
2 Log in to the web-based manager.
3 Go to System > Status and locate the System Information widget.
4 Beside Firmware Version, select Update.
5 Enter the path and filename of the firmware image file, or select Browse and locate the
file.
Caution: Always back up your configuration before installing a patch release,
upgrading/downgrading firmware, or resetting configuration to factory defaults.
6 Select OK.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware
version, restarts, and displays the FortiGate login. This process may take a few
minutes.
When the upgrade is successfully installed, ping your FortiGate unit to verify there is
still a connection, then clear the browser's cache and log in to the web-based manager.
After logging back in to the web-based manager, you should save the configuration
settings that carried forward. Some settings may have carried forward from FortiOS
3.0 MR7, while others may not have, such as certain IPS group settings. Go to System >
Maintenance > Backup and Restore to save the configuration settings that carried
forward.
Upgrading to FortiOS 4.0 through the CLI
The following procedure uses a TFTP server to upgrade the firmware. The CLI upgrade
procedure reverts all current firewall configurations to factory default settings.
See the Fortinet Knowledge Center article, Loading FortiGate firmware using TFTP for
CLI procedure, for additional information about upgrading firmware in the CLI.
The following procedure assumes that you have already downloaded the firmware image
to your management computer.
To upgrade to FortiOS 4.0 through the CLI
1 Copy the new firmware image file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and
TFTP server are successfully connected.
5 Enter the following command to copy the firmware image from the TFTP server to the
FortiGate unit:
execute restore image <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the
IP address of the TFTP server. For example, if the firmware image file name is
image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image image.out 192.168.1.168
If your unit's CLI also expects the transfer method, use the form shown in the
downgrade procedure: execute restore image tftp <name_str> <tftp_ipv4>.
The FortiGate unit responds with a message similar to the following:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
Note: After upgrading to FortiOS 4.0, perform an Update Now to retrieve the latest
FortiGuard signatures from the FortiGuard Distribution Network (FDN) as these signatures
included in the firmware may be older than those currently available on the FDN.
Caution: Always back up your configuration before installing a patch release,
upgrading/downgrading firmware, or resetting configuration to factory defaults.
6 Type y.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware
version, and restarts. This process takes a few minutes.
7 Reconnect to the CLI.
8 Enter the following command to confirm the firmware image installed successfully:
get system status
9 To update antivirus and attack definitions from the CLI, enter the following:
execute update-now
If you want to update antivirus and attack definitions from the web-based manager
instead, log in to the web-based manager and go to System > Maintenance >
FortiGuard.
Verifying the upgrade
After logging back in to the web-based manager, most of your FortiOS 3.0 MR7
configuration settings have been carried forward. For example, if you go to System >
Network > Options you can see your DNS settings carried forward from your FortiOS
3.0 MR7 configuration settings.
You should verify what configuration settings carried forward. You should also verify that
administrative access settings carried forward as well. Verifying your configuration
settings allows you to familiarize yourself with the new features and changes in FortiOS
4.0.
You can verify your configuration settings by:
going through each menu and tab in the web-based manager
using the show shell command in the CLI.
Reverting to a previous firmware image
You may need to revert to a previous firmware image (or version, for example, FortiOS
3.0) if the upgrade was not successfully installed. The following procedures describe how
to properly downgrade to a previous firmware image using either the web-based manager
or CLI, and include steps on how to restore your previous configuration.
The following are included in this topic:
Downgrading to a previous firmware through the web-based manager
Downgrading to a previous firmware through the CLI
Restoring your configuration
Downgrading to a previous firmware through the web-based manager
When downgrading to a previous firmware, only the following settings are retained:
operation mode
Interface IP/Management IP
route static table
DNS settings
VDOM parameters/settings
admin user account
session helpers
system accprofiles.
If you created additional settings in FortiOS 4.0, make sure to back up the current
configuration before downgrading. For more information, see Backing up your
configuration on page 114.
To downgrade through the web-based manager
1 Go to System > Status and locate the System Information widget.
2 Beside Firmware Version, select Update.
3 Enter the path and filename of the firmware image file, or select Browse and locate the
file.
4 Select OK.
The following message appears:
This version will downgrade the current firmware version. Are you sure you want to
continue?
5 Select OK.
The FortiGate unit uploads the firmware image file, reverts to the old firmware version,
resets the configuration, restarts, and displays the FortiGate login. This process takes
a few minutes.
6 Log in to the web-based manager.
Go to System > Status to verify that the firmware version under System Information
has changed to the correct firmware.
Caution: Always back up your configuration before installing a patch release,
upgrading/downgrading, or when resetting to factory defaults.
Verifying the downgrade
After successfully downgrading to a previous firmware, verify your connections and
settings. If you are unable to connect to the web-based manager, make sure your
administration access settings and internal network IP address are correct. The
downgrade may change your configuration settings to default settings.
Downgrading to a previous firmware through the CLI
When downgrading to a previous firmware, only the following settings are retained:
operation mode
Interface IP/Management IP
route static table
DNS settings
VDOM parameters/settings
admin user account
session helpers
system accprofiles.
If you have created additional settings in FortiOS 4.0, make sure you back up your
configuration before downgrading. For more information, see Backing up your
configuration on page 114.
The following procedure assumes that you have already downloaded the firmware image
to your management computer.
To downgrade through the CLI
1 Copy the new firmware image file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and
TFTP server are successfully connected.
5 Enter the following command to copy the firmware image from the TFTP server to the
FortiGate unit:
execute restore image tftp <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the
IP address of the TFTP server. For example, if the firmware image file name is
image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image tftp image.out 192.168.1.168
The FortiGate unit responds with the message:
This operation will replace the current firmware version! Do you want to continue? (y/n)
Caution: Always back up your configuration before installing a patch release,
upgrading/downgrading, or when resetting to factory defaults.
6 Type y.
The FortiGate unit uploads the firmware image file. After the file uploads, a message
similar to the following is displayed:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version!
Do you want to continue? (y/n)
7 Type y.
The FortiGate unit reverts to the old firmware version, resets the configuration to
factory defaults, and restarts. This process takes a few minutes.
After the FortiGate unit uploads the firmware, you need to reconfigure your IP address
since the FortiGate unit reverts to default settings, including its default IP address. See
your install guide for configuring IP addresses.
8 Reconnect to the CLI.
9 Enter the following command to confirm the firmware image installed successfully:
get system status
See Restoring your configuration on page 123 to restore your previous configuration
settings.
Restoring your configuration
Your configuration settings may not carry forward after downgrading to a previous
firmware. You can restore your configuration settings for a previous firmware with the
configuration file you saved before upgrading to FortiOS 4.0.
You can also use the following procedures for restoring your configuration after installing a
current patch release or maintenance release.
Restoring your configuration settings in the web-based manager
The following procedure restores your previous firmware configuration settings in the
web-based manager.
To restore configuration settings in the web-based manager
1 Log in to the web-based manager.
2 Go to System > Maintenance > Backup & Restore.
3 Select to restore the configuration from either a Local PC, FortiManager or FortiGuard
(if your FortiGate unit is configured for FortiGuard Analysis and Management Service).
4 If required, enter your password for the configuration file.
5 Enter the location of the file or select Browse to locate the file.
6 Select Restore.
The FortiGate unit restores the configuration settings. This may take a few minutes since
the FortiGate unit will reboot.
You can verify that the configuration settings are restored by logging in to the web-based
manager and going through the various menus and tabs.
Restoring your configuration settings in the CLI
The following procedure restores your previous firmware configuration settings in the CLI.
To restore configuration settings in the CLI
1 Copy the backed-up configuration file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and
TFTP server are successfully connected.
5 Enter the following command to copy the backed-up configuration file to the FortiGate
unit and restore it:
execute restore allconfig <name_str> <tftp_ipv4> <passwrd>
Where <name_str> is the name of the backed-up configuration file, <tftp_ipv4> is the
IP address of the TFTP server, and <passwrd> is the password you entered when you
backed up your configuration settings. For example, if the backed-up configuration file
is confall, the IP address of the TFTP server is 192.168.1.168, and the password is
ghrffdt123, enter:
execute restore allconfig confall 192.168.1.168 ghrffdt123
The FortiGate unit responds with the message:
This operation will overwrite the current settings and the system will reboot!
Do you want to continue? (y/n)
6 Type y.
The FortiGate unit uploads the backed up configuration file. After the file uploads, a
message, similar to the following, is displayed:
Getting file confall from tftp server 192.168.1.168
##
Restoring files...
All done. Rebooting...
This may take a few minutes.
Use the CLI show shell command to verify your settings are restored, or log in to the
web-based manager.
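Going through every menu, or reading the output of show by eye, does not scale and is most likely to miss the settings that matter most, such as management access that was silently widened on a WAN interface or a policy that lost its IPS sensor. The following script is an added example written for this guide, not Fortinet code or a FortiOS feature. It parses the text form of a configuration backup (the config / edit / set / unset / next / end structure of the FortiOS CLI) and diffs it against the output of show captured on the new firmware, reporting settings that are missing, changed or new. It serves both the Verifying the upgrade section above and the retained-settings lists in the downgrade procedures, where the same comparison tells you exactly which settings you must restore. The two configurations embedded in it are constructed samples; the attribute names (ips_sensor, comments, allowaccess) are used for illustration and are not claims about what FortiOS 4.0 does or does not carry forward.

```python
"""Diff a FortiGate configuration backup against the configuration running after
an upgrade, downgrade or restore, and list what did not carry forward.

Added example for this guide, not Fortinet code. The parser follows the
config / edit / set / unset / next / end structure of FortiOS CLI text; the two
configurations below are constructed samples, not real backups.
"""
import shlex


def parse_config(text):
    """Parse FortiOS CLI text into nested dicts: table -> entry -> attribute."""
    root = {}
    stack = [root]                      # innermost dict receiving settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                    # blank lines and '#config-version=' header
        tokens = shlex.split(line)
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):   # open a table, or an entry in one
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "set":
            stack[-1][args[0]] = " ".join(args[1:])
        elif cmd == "unset":
            stack[-1].pop(args[0], None)
        elif cmd in ("next", "end"):    # close the innermost block
            if len(stack) == 1:
                raise ValueError("unbalanced %r" % line)
            stack.pop()
        else:
            raise ValueError("unrecognised line: %r" % line)
    if len(stack) != 1:
        raise ValueError("configuration ends inside an open block")
    return root


def flatten(tree, prefix=()):
    """Turn the nested dicts into {(table, entry, ..., attribute): value}."""
    flat = {}
    for key, value in tree.items():
        path = prefix + (key,)
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def diff_settings(before_text, after_text):
    """Return the settings that are missing, changed or added in after_text."""
    before = flatten(parse_config(before_text))
    after = flatten(parse_config(after_text))
    return {
        "missing": sorted(p for p in before if p not in after),
        "changed": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(p for p in after if p not in before),
    }


# Constructed sample: the backup taken before the upgrade ...
BEFORE = """\
# constructed sample, not a real FortiGate backup
config system global
    set hostname "FG-EDGE"
end
config system interface
    edit "internal"
        set allowaccess ping https ssh
    next
    edit "wan1"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set ips_sensor "protect_client"
    next
end
"""

# ... and the output of 'show' on the new firmware (also constructed).
AFTER = """\
config system global
    set hostname "FG-EDGE"
end
config system interface
    edit "internal"
        set allowaccess ping https ssh
    next
    edit "wan1"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set comments "migrated"
    next
end
"""

if __name__ == "__main__":
    for label, paths in diff_settings(BEFORE, AFTER).items():
        for path in paths:
            print("%-8s %s" % (label, " / ".join(path)))
```

In the sample the diff flags the lost IPS sensor under missing and the wan1 allowaccess line under changed; the second finding is the kind of silent widening of management access that a menu-by-menu check tends to overlook. Save the backup and the post-upgrade show output to files and pass their contents to diff_settings in place of the constructed strings.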
Using virtual domains
This section describes virtual domains (VDOMs) along with some of their benefits, and
how to use VDOMs to operate your FortiGate unit as multiple virtual units.
If you enable VDOMs on the FortiGate unit, you configure virtual domains globally for the
FortiGate unit.
To get started working with virtual domains, see Enabling virtual domains on page 130.
This section describes:
Virtual domains
Enabling virtual domains
Configuring VDOM resource limits
Configuring VDOMs and global settings
Virtual domains
Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual
units that function as multiple independent units. A single FortiGate unit is then flexible
enough to serve multiple departments of an organization, separate organizations, or to act
as the basis for a service provider's managed security service.
Benefits of VDOMs
Some benefits of VDOMs are:
Easier administration
Continued security maintenance
Savings in physical space and power
Easier administration
VDOMs provide separate security domains that allow separate zones, user authentication,
firewall policies, routing, and VPN configurations. Using VDOMs can also simplify
administration of complex configurations because you do not have to manage as many
routes or firewall policies at one time. For more information, see VDOM configuration
settings on page 126.
By default, each FortiGate unit has a VDOM named root. This VDOM includes all of the
FortiGate physical interfaces, modem, VLAN subinterfaces, zones, firewall policies,
routing settings, and VPN settings.
Also you can assign an administrator account restricted to that VDOM. If the VDOM is
created to serve an organization, this feature enables the organization to manage its own
configuration.
Management systems such as SNMP, logging, alert email, FDN-based updates and NTP-
based time setting use addresses and routing in the management VDOM to communicate
with the network. They can connect only to network resources that communicate with the
management virtual domain. The management VDOM is set to root by default, but you
can change it. For more information, see Changing the management VDOM on
page 139.
Continued security maintenance
When a packet enters a VDOM, it is confined to that VDOM. In a VDOM, you can create
firewall policies for connections between VLAN subinterfaces or zones in the VDOM.
Packets do not cross the virtual domain border internally. To travel between VDOMs, a
packet must leave through a physical interface of one VDOM, passing through that VDOM's
firewall, and arrive at the other VDOM on a different interface, where it must pass
through that VDOM's firewall before entering it, even though both VDOMs are on the same
FortiGate unit. Inter-VDOM links change this behavior by providing internal interfaces
between VDOMs; packets that cross them still go through all the same security measures
as on physical interfaces.
Without VDOMs, administrators can easily access settings across the whole FortiGate unit,
which can lead to security issues or far-reaching configuration errors. With VDOMs,
administrator permissions are specific to one VDOM: an admin on one VDOM cannot change
settings on another VDOM, so any configuration changes, and any errors in them, apply
only to that VDOM and limit potential down time.
The remainder of the FortiGate unit's functionality is global: it applies to all VDOMs on
the unit. This means there is one intrusion prevention configuration, one antivirus
configuration, one web filter configuration, one protection profile configuration, and so on.
VDOMs also share firmware versions, as well as antivirus and attack databases. The
operating mode, NAT/Route or Transparent, can be selected independently for each
VDOM. For a complete list of shared configuration settings, see Global configuration
settings on page 129.
Savings in physical space and power
Increasing VDOMs involves no extra hardware, no shipping, and very few changes to
existing networking. They take no extra physical space; you are limited only by the size of
the license you buy for your VDOMs.
By default, most FortiGate units support a maximum of 10 VDOMs in any combination of
NAT/Route and Transparent modes. For high-end FortiGate models, you can purchase a
license key to increase the maximum number of VDOMs to 25, 50, 100, 250 or 500. For more
information see VDOM licenses on page 132.
If virtual domain configuration is enabled and you log in as the default super_admin, you
can go to System > Status and look at Virtual Domain in the License Information section to
see the maximum number of virtual domains supported on your FortiGate unit.
For more information on VDOMs, see the FortiGate VLANs and VDOMs Guide.
VDOM configuration settings
To configure and use VDOMs, you must enable virtual domain configuration. For more
information, see Enabling virtual domains on page 130.
You can configure a VDOM by adding VLAN subinterfaces, zones, firewall policies,
routing settings, and VPN settings. You can also move physical interfaces from the root
VDOM to other VDOMs and move VLAN subinterfaces from one VDOM to another. For
more information on VLANs, see the FortiGate VLAN and VDOMS Guide.
Note: During configuration on a FortiAnalyzer unit, VDOMs count toward the maximum
number of FortiGate units allowed by the FortiAnalyzer unit's license. The total number of
devices registered can be seen on the FortiAnalyzer unit's System Status page under
License Information.
The following configuration settings are exclusively part of a virtual domain and are not
shared between virtual domains. A regular VDOM administrator sees only these settings.
The default super_admin can also access these settings, but must first select which
VDOM to configure.
Table 6: VDOM configuration settings (configuration object: for more information, see)
System
  Network Zone: Configuring zones on page 170
  Network DNS Database: Configuring FortiGate DNS services on page 177
  Network Web Proxy: Configuring the explicit web proxy on page 182
  Network Routing Table (Transparent mode): Routing table (Transparent Mode) on page 184
  Network Modem: Configuring the modem interface on page 170
  Wireless Settings: Wireless settings on page 190
  Wireless MAC Filter: Wireless MAC Filter on page 193
  Wireless Monitor: Wireless Monitor on page 195
  Wireless Rogue AP: Rogue AP detection on page 196
  DHCP Service: Configuring DHCP services on page 200
  DHCP Address Leases: Viewing address leases on page 203
  Config Replacement Message: Replacement messages on page 225
  Config Operation mode (NAT/Route or Transparent): Changing operation mode on page 238
  Config Management IP (Transparent mode): Changing operation mode on page 238
Router
  Static: Router Static on page 313
  Dynamic: Router Dynamic on page 333
  Monitor: Router Monitor on page 359
Firewall
  Policy: Firewall Policy on page 363
  Address: Firewall Address on page 395
  Service: Firewall Service on page 401
  Schedule: Firewall Schedule on page 411
  Virtual IP: Firewall Virtual IP on page 421
  Virtual IP Group: Virtual IP Groups on page 436
  Virtual IP, IP pool: Configuring IP pools on page 437
  Load Balance: Firewall Load Balance on page 445
  Protection Profile: Firewall Protection Profile on page 467
UTM
  AntiVirus File Filter: File Filter on page 513
  Intrusion Protection: Intrusion Protection on page 523
  Web Filter: Web Filter on page 541
  Email Filter: Email filtering on page 559
  Data Leak Prevention: Data Leak Prevention on page 575
  Application Control: Application Control on page 595
VPN
  IPSec: IPSec VPN on page 603
  SSL: SSL VPN on page 625
User
  Local: Local user accounts on page 644
  Remote: Remote on page 647
  Directory Service: Directory Service on page 654
  PKI: PKI on page 656
  User Group: User Group on page 658
  Options: Settings on page 261
  Monitor: Monitoring administrators on page 264
WAN optimization and web caching: WAN optimization and web caching on page 675
Endpoint NAC: Endpoint NAC on page 687
Wireless Controller: Wireless Controller on page 697
Log&Report
  Logging configuration: Configuring how a FortiGate unit stores logs on page 704
  Alert E-mail: Configuring Alert Email on page 709
  Event Log: Configuring Event logging on page 711
  Log access: Accessing and viewing log messages on page 714
  DLP Archive: Viewing DLP Archives on page 719
  Report Access: Configuring FortiAnalyzer report schedules on page 721
Global configuration settings
The following configuration settings affect all virtual domains. When virtual domains are
enabled, only accounts with the default super_admin profile can access global settings.
Table 7: Global configuration settings (configuration object: for more information, see)
System
  Status System Time: Configuring system time on page 86
  Status Host name: Changing the FortiGate unit host name on page 87
  Status Firmware version: Upgrading to a new firmware version on page 88 (System Status
  page) or Managing firmware versions on page 113
  Network Interfaces and VLAN subinterfaces: Configuring interfaces on page 145 (You
  configure interfaces as part of the global configuration, but each interface and VLAN
  subinterface belongs to a VDOM. You add interfaces to VDOMs as part of the global
  configuration.)
  Network Options DNS: DNS Servers on page 177
  Network Options Detect Interface Status for Gateway Load Balancing: Configuring
  interface status detection for gateway load balancing on page 165
  Admin Administrators: Administrators on page 241 (You can add global administrators.
  You can also add administrators to VDOMs. VDOM administrators cannot add or configure
  administrator accounts.)
  Admin profiles: Admin profiles on page 254
  Admin Central Management configuration: Central Management on page 260
  Admin Settings Idle and authentication time-out: Settings on page 261 and Getting
  started - User authentication on page 643
  Admin Settings Web-based manager language: Settings on page 261
  Admin Settings LCD panel PIN, where applicable: Settings on page 261
  Wireless Settings: Wireless settings on page 190
  Wireless MAC Filter: Wireless MAC Filter on page 193
  Wireless Monitor: Wireless Monitor on page 195
  Wireless Rogue AP: Rogue AP detection on page 196
  Config HA: HA on page 205
  Config SNMP: SNMP on page 213
  Config Replacement Message: Replacement messages on page 225
  Certificates: System Certificates on page 279
  Configuration backup and restore: Backing up and restoring on page 290
  Maintenance Revision Control: Managing configuration revisions on page 297
  Maintenance Scripts: Using script files on page 298
  Maintenance FDN update configuration: FortiGuard Distribution Network on page 300
Log&Report
  Log Configuration: Configuring how a FortiGate unit stores logs on page 704
  Alert E-mail: Configuring Alert Email on page 709
Enabling virtual domains
Using the default admin administration account, you can enable multiple VDOM operation
on the FortiGate unit.
To enable virtual domains
1 Log in to the web-based manager on a super_admin profile account.
2 Go to System > Status.
3 In System Information, next to Virtual Domain select Enable.
The FortiGate unit logs you off. You can now log in again as admin.
Alternatively, through the CLI, enter:
config system global
    set vdom-admin enable
end
When virtual domains are enabled, the web-based manager and the CLI are changed as
follows:
Global and per-VDOM configurations are separated. For more information, see VDOM
configuration settings on page 126, and Global configuration settings on page 129.
A new VDOM entry appears under the System option.
Within a VDOM, reduced dashboard menu options are available, and a new Global
option appears. Selecting Global exits the current VDOM.
There is no operation mode option at the Global level.
Only super_admin profile accounts can view or configure Global level options.
Super_admin profile accounts can configure all VDOMs.
One or more administrators can be configured for each VDOM; however, these admin
accounts cannot edit settings for any VDOMs for which they are not configured.
When virtual domains are enabled, the current virtual domain is displayed at the bottom
left of the screen, in the format Current VDOM: <name of the virtual domain>.
Configuring VDOMs and global settings
A VDOM is not useful unless it contains at least two physical interfaces or virtual
subinterfaces for incoming and outgoing traffic. Availability of the associated tasks
depends on the permissions of the admin. If you are using a super_admin profile account,
you can perform all tasks. If you are using a regular admin account, the tasks available to
you depend on whether you have read only or read/write permissions. Table 8 shows which
roles can perform which tasks.
This section includes:
VDOM licenses
Creating a new VDOM
Disabling a VDOM
Working with VDOMs and global settings
Adding interfaces to a VDOM
Inter-VDOM links
Assigning an interface to a VDOM
Assigning an administrator to a VDOM
Changing the management VDOM
Table 8: Admin VDOM permissions
Task: regular administrator account with read only permission / regular administrator
account with read/write permission / super_admin profile administrator account
View global settings: yes / yes / yes
Configure global settings: no / no / yes
Create or delete VDOMs: no / no / yes
Configure multiple VDOMs: no / no / yes
Assign interfaces to a VDOM: no / no / yes
Create VLANs: no / yes, for 1 VDOM / yes, for all VDOMs
Assign an administrator to a VDOM: no / no / yes
Create additional admin accounts: no / yes, for 1 VDOM / yes, for all VDOMs
Create and edit protection profiles: no / yes, for 1 VDOM / yes, for all VDOMs
VDOM licenses
All FortiGate units, except the 30B, support 10 VDOMs by default.
High-end FortiGate models support the purchase of a VDOM license key from customer
service to increase their maximum allowed VDOMs to 25, 50, 100, 250, or 500.
Configuring 250 or more VDOMs will result in reduced system performance.
To obtain a VDOM license key
1 Log in to your FortiGate unit using the admin account.
Other accounts such as other super_admin profile accounts may also have sufficient
privileges to install VDOM licenses.
2 Go to System > Status.
3 Record your FortiGate unit serial number as shown in System Information on
page 69.
4 Under License Information > Virtual Domains, select Purchase More.
5 You will be taken to the Fortinet customer support web site where you can log in and
purchase a license key for 25, 50, 100, 250, or 500 VDOMs.
6 When you receive your license key, go to System > Maintenance > License.
7 In the License Key field, enter the 32-character license key you received from Fortinet
customer support.
8 Select Apply.
To verify the new VDOM license, go to System > Status under Global Configuration. In the
License Information area, under Virtual Domains, VDOMs Allowed shows the maximum
number of VDOMs allowed.
Table 9: VDOM support by FortiGate model
FortiGate model             Supports VDOMs    Default VDOM maximum    Maximum VDOM license
30B                         no                0                       0
Low and mid-range models    yes               10                      10
High-end models             yes               10                      500
Note: Your FortiGate unit has limited resources that are divided amongst all configured
VDOMs. These resources include system memory and CPU. When running 250 or more
VDOMs, you cannot run Unified Threat Management (UTM) features such as proxies, web
filtering, or antivirus; your FortiGate unit can only provide basic firewall functionality.
Tip: If you do not have a System > Maintenance > License tab, your FortiGate model does
not support more than 10 VDOMs.
Creating a new VDOM
By default, every FortiGate unit has a root VDOM that is visible when VDOMs are
enabled. To use additional VDOMs, you must first create them.
When using multiple VDOMs, it can be useful to assign fewer resources to some VDOMs
and more resources to others. This VDOM resource management will result in better
FortiGate unit performance. For more information, see Configuring resource usage for
individual VDOMs on page 141.
VDOM names have the following restrictions:
- Only letters, numbers, -, and _ are allowed.
- A name can have no more than 11 characters.
- A name cannot contain spaces.
- VDOMs cannot have the same names as interfaces, zones, switch interfaces, or other
  VDOMs.
Figure 53: New Virtual Domain
Note: VDOMs created on a registered FortiGate unit are recognized as real devices by
connected FortiAnalyzer units. FortiAnalyzer units include VDOMs in their total number of
registered devices. For example, if three FortiGate units are registered on a FortiAnalyzer
unit and they contain a total of four VDOMs, the total number of registered FortiGate units
on the FortiAnalyzer unit is seven units. For more information, see the FortiAnalyzer
Administration Guide.
Note: The VDOM names vsys_ha and vsys_fgfm are in use by the FortiGate unit. If
you attempt to name a new VDOM vsys_ha or vsys_fgfm, the FortiGate unit will
generate an error.
Note: When creating 250 or more VDOMs, you cannot enable UTM features such as
proxies, web filtering, and antivirus due to limited resources. Also when creating large
numbers of VDOMs, you may experience reduced performance. To improve performance
with multiple VDOMs, see Configuring resource usage for individual VDOMs on
page 141.
To create a new VDOM
1 Log in as a super_admin profile admin.
2 Ensure VDOMs are enabled. For more information, see Enabling virtual domains on
page 130.
3 Go to System > VDOM.
4 Select Create New.
5 Enter a name for the new VDOM, up to a maximum of 11 characters. This name cannot
be changed.
6 Optionally enter a comment for the VDOM, up to a maximum of 63 characters.
7 Select OK.
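The naming rules above (allowed characters, the 11-character limit, no spaces, no collision with interfaces, zones, switch interfaces or other VDOMs) and the reserved names vsys_ha and vsys_fgfm can be checked before anyone clicks Create New, which is useful when a batch of tenant VDOMs is being provisioned. The following Python function is an added example written for this guide, not FortiOS code. It assumes the caller supplies the set of names already in use on the unit; the comparison is exact, which is an assumption, since the guide does not say whether the FortiGate check is case-insensitive.

```python
import re

# Names the guide says the FortiGate unit keeps for its own use.
RESERVED_VDOM_NAMES = {"vsys_ha", "vsys_fgfm"}
VDOM_NAME_MAX_LEN = 11
# Letters, digits, hyphen and underscore only (no spaces, no other punctuation).
VDOM_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def validate_vdom_name(name, existing_names=()):
    """Return the reasons `name` is not an acceptable VDOM name (empty list = OK).

    existing_names holds the names already used by interfaces, zones, switch
    interfaces and other VDOMs on the unit. The comparison is exact; whether the
    FortiGate check is case-insensitive is not stated in the guide (assumption).
    """
    if not name:
        return ["name is empty"]
    problems = []
    if " " in name:
        problems.append("name contains spaces")
    elif not VDOM_NAME_RE.match(name):
        problems.append("only letters, numbers, '-' and '_' are allowed")
    if len(name) > VDOM_NAME_MAX_LEN:
        problems.append(f"name is {len(name)} characters; maximum is {VDOM_NAME_MAX_LEN}")
    if name in RESERVED_VDOM_NAMES:
        problems.append(f"{name!r} is reserved by the FortiGate unit")
    if name in existing_names:
        problems.append(f"{name!r} is already used by an interface, zone, switch or VDOM")
    return problems


def check_proposed_vdoms(proposed, existing_names=()):
    """Validate a batch of proposed names in order, also catching duplicates within the batch.

    Returns a list of (name, problems) pairs; an accepted name joins the set of
    names later entries are checked against.
    """
    report = []
    seen = set(existing_names)
    for name in proposed:
        problems = validate_vdom_name(name, seen)
        report.append((name, problems))
        if not problems:
            seen.add(name)
    return report


if __name__ == "__main__":
    # Constructed sample: names already on the unit plus a batch of proposals.
    on_unit = {"root", "internal", "wan1", "dmz"}
    batch = ["customer_a", "customer_a", "vsys_fgfm", "dmz", "long_tenant_name", "cust a"]
    for name, problems in check_proposed_vdoms(batch, on_unit):
        print(f"{name!r}: {'OK' if not problems else '; '.join(problems)}")
```

Because a VDOM name cannot be changed after creation (step 5 above), running the batch check first avoids ending up with a mis-named VDOM that has to be deleted and re-created.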
Disabling a VDOM
When you have multiple VDOMs configured, it can be useful to disable one VDOM
temporarily instead of deleting and re-creating it later.
Disabling can be used during initial configuration, equipment changes, or even a DoS
attack.
A disabled VDOM has an empty Enable checkbox. A VDOM with a greyed-out checkbox
is the management VDOM and cannot be disabled.
Re-enabling is simply a matter of checking the Enable box and answering the prompt.
To disable a VDOM
1 Log in as a super_admin profile admin.
2 Go to System > VDOM.
3 For the VDOM to be disabled, unselect the Enable checkbox.
4 Confirm your choice when prompted.
Working with VDOMs and global settings
When you log in as admin and virtual domains are enabled, the FortiGate unit is
automatically in global configuration, as demonstrated by the appearance of the VDOM
option under System.
To work with virtual domains, select System > VDOM.
Figure 54: VDOM list
Create New
    Select to add a new VDOM. Enter the new VDOM name and select OK. The VDOM
    must not have the same name as an existing VDOM, VLAN or zone. The VDOM name
    can have a maximum of 11 characters and must not contain spaces.
Management Virtual Domain
    Change the management VDOM to the selected VDOM in the list. The management
    VDOM is then grayed out in the Enable column. The default management VDOM is
    root. For more information, see Changing the management VDOM on page 139.
Apply
    Select to save your changes to the Management VDOM.
Enable
    There are three states this column can be in.
    A green check mark indicates this VDOM is enabled, and that you can select the
    Enter icon to change to that VDOM.
    An empty check box indicates this VDOM is disabled. When disabled, the
    configuration of that VDOM is preserved. The Enter icon is not available.
    A grayed-out check box indicates this VDOM is the management VDOM. It cannot be
    deleted or changed to disabled; it is always active.
Name
    The name of the VDOM.
Operation Mode
    The VDOM operation mode, either NAT or Transparent. When a VDOM is in
    Transparent mode, SNMP can display the management address, address type and
    subnet mask for that VDOM. For more information, see SNMP on page 213.
Interfaces
    The interfaces associated with this VDOM, including virtual interfaces. Every VDOM
    includes an SSL VPN virtual interface named for that VDOM. For the root VDOM this
    interface is ssl.root.
Comments
    Comments added by an admin when this VDOM was created.
Delete icon
    Delete the VDOM. The Delete icon appears only when there are no configuration
    objects associated with that VDOM. For example, you must remove all referring
    interfaces, profiles, and so on before you can delete the VDOM.
    If the icon does not appear and you do not want to delete all the referring
    configuration, you can disable the VDOM instead. The disabled VDOM configuration
    remains in memory, but the VDOM is not usable until it is enabled.
Edit icon
    Change the description of the VDOM. The name of the VDOM cannot be changed.
Enter icon
    Enter the selected VDOM. After entering a VDOM you will only be able to view and
    change settings specific to that VDOM. This icon will not be displayed for disabled
    VDOMs.
Adding interfaces to a VDOM
A VDOM must contain at least two interfaces to be useful. These can be physical or virtual
interfaces such as VLAN subinterfaces. By default, all physical interfaces are in the root
virtual domain. For more information on types of interfaces, see Configuring interfaces
on page 145.
VLAN subinterfaces often need to be in a different VDOM than their physical interface. To
do this, the super administrator must first create the VDOM, create the VLAN subinterface,
and then assign the VLAN to the correct VDOM.
VDOMs can only be added in global settings, and not within VDOMs. For information on
creating VLAN subinterfaces, see Adding VLAN interfaces on page 158.
Inter-VDOM links
An inter-VDOM link is a pair of virtual interfaces that lets two VDOMs communicate
internally without using a physical interface. Inter-VDOM links have the same
security as physical interfaces, but allow more flexible configurations that are not limited
by the number of physical interfaces on your FortiGate unit. As with all virtual interfaces,
the speed of the link depends on the CPU load, but generally it is faster than physical
interfaces. There are no MTU settings for inter-VDOM links. DHCP support includes inter-
VDOM links.
A packet can pass through an inter-VDOM link a maximum of three times. This is to
prevent a loop. When traffic is encrypted or decrypted, it changes the content of the
packets and this resets the inter-VDOM counter. However, using IPIP or GRE tunnels
does not reset the counter.
In HA mode, inter-VDOM links must have both ends of the link within the same virtual
cluster. DHCP over IPSec is supported for inter-VDOM links, however regular DHCP
services are not available.
To view inter-VDOM links, go to System > Network > Interface. When an inter-VDOM link
is created, it automatically creates a pair of virtual interfaces that correspond to the two
internal VDOMs. Each of the virtual interfaces is named using the inter-VDOM link name
with an added 0 or 1. So if the inter-VDOM link is called vlink the interfaces are
vlink0 and vlink1. Select the Expand Arrow beside the VDOM link to display the virtual
interfaces.
Figure 55: VDOM link interfaces
To create an inter-VDOM link
1 Log in as admin.
2 Go to System > Network > Interface.
3 Select the arrow on the Create New button.
4 Select VDOM link.
You will see the New VDOM Link screen.
Note: Inter-VDOM links cannot refer to a domain that is in transparent mode.
Figure 56: New VDOM link
5 Enter the name for the new VDOM link, up to a maximum of 11 characters.
The name must not contain any spaces or special characters. Hyphens (-) and
underscores (_) are allowed. Remember that the name will have a 0 or 1 attached to
the end for the actual interfaces.
6 Configure VDOM link 0.
7 Select the VDOM from the menu that this interface will connect to.
8 Enter the IP address and netmask for this interface.
9 Select the administrative access method or methods. Keep in mind that PING,
TELNET, and HTTP are less secure methods.
10 Optionally enter a description for this interface.
11 Repeat steps 7 through 10 for VDOM link 1.
12 Select OK to save your configuration and return to the System > Interface screen.
Assigning an interface to a VDOM
The following procedure describes how to reassign an existing interface from one virtual
domain to another. It assumes VDOMs are enabled and more than one VDOM exists.
You cannot delete a VDOM if it is used in any configurations. For example, if an interface
is assigned to that VDOM, you cannot delete the VDOM. You cannot remove an interface
from a VDOM if the interface is included in any of the following configurations:
- DHCP server
- zone
- routing
- load balancing
- firewall policy, including DoS policies and one-armed sniffer policies
- proxy ARP (only accessible through the CLI)
Before removing these configurations, it is recommended that you back up your
configuration, so you can restore it if you want to create this VDOM at a later date.
Delete the items in this list or modify them to remove the interface before proceeding. The
VDOM field on the Edit screen for that interface remains greyed out and locked until no
more objects are tied to that interface.
To assign an interface to a VDOM
1 Log in as admin.
2 Go to System > Network > Interface.
3 Select Edit for the interface that you want to reassign.
4 Select the new virtual domain for the interface.
5 Configure other settings as required and select OK. For more information, see
Configuring interface settings on page 151.
The interface is assigned to the VDOM. Existing firewall virtual IP addresses for this
interface are deleted. You should manually delete any routes that refer to this interface,
and create new routes for this interface in the new VDOM. Otherwise your network
traffic will not be properly routed. For more information on creating static routes, see
Router Static on page 313.
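The list of configurations that lock an interface into its VDOM, together with the side effects of the move (virtual IPs on the interface are deleted, routes must be removed first and recreated in the new VDOM), amounts to a pre-flight check worth running before touching a production unit. The following Python model is an added example written for this guide, not FortiOS code; the VdomObjects structure and the sample configuration in build_sample() are constructed for illustration, and an operator would populate it from a configuration backup.

```python
from dataclasses import dataclass, field


@dataclass
class VdomObjects:
    """Constructed model of the per-VDOM objects that can reference an interface.

    Each mapping goes from an object name or id to the interface(s) it uses. Only
    the object types the guide lists as blocking an interface move are modelled,
    plus firewall VIPs, which the guide says are deleted when the interface moves.
    """
    name: str
    dhcp_servers: dict = field(default_factory=dict)    # server name -> interface
    zones: dict = field(default_factory=dict)           # zone name -> {interfaces}
    routes: dict = field(default_factory=dict)          # route id -> outgoing interface
    load_balancing: dict = field(default_factory=dict)  # gateway name -> interface
    policies: dict = field(default_factory=dict)        # policy id -> {srcintf, dstintf}
    proxy_arp: dict = field(default_factory=dict)       # entry id -> interface
    vips: dict = field(default_factory=dict)            # VIP name -> external interface


# Object types whose reference to an interface blocks moving it out of the VDOM.
BLOCKING_KINDS = ("dhcp_servers", "zones", "routes", "load_balancing", "policies", "proxy_arp")


def _references(ref):
    """Normalise a single interface name or a collection of names to a set."""
    return set(ref) if isinstance(ref, (set, frozenset, list, tuple)) else {ref}


def blocking_references(vdom, interface):
    """List every object (as 'kind:name') in the VDOM that still references the interface."""
    found = []
    for kind in BLOCKING_KINDS:
        for obj, ref in getattr(vdom, kind).items():
            if interface in _references(ref):
                found.append(f"{kind}:{obj}")
    return sorted(found)


def plan_interface_move(vdom, interface, target_vdom):
    """Pre-flight for reassigning `interface` from `vdom` to `target_vdom`.

    Returns (allowed, blockers, notes). Blockers must be deleted or edited before
    the move; notes describe the side effects the guide warns about.
    """
    blockers = blocking_references(vdom, interface)
    notes = [f"VIP {name} on {interface} will be deleted by the move"
             for name, ext in vdom.vips.items() if ext == interface]
    for rid, out in vdom.routes.items():
        if out == interface:
            notes.append(f"route {rid} must be deleted here and recreated in {target_vdom.name}")
    return (not blockers, blockers, notes)


def build_sample():
    """Constructed configuration: port3 is still used by a policy, a route and a VIP."""
    root = VdomObjects(
        name="root",
        dhcp_servers={"lan_dhcp": "internal"},
        zones={"servers": {"port2"}},
        routes={1: "wan1", 2: "port3"},
        policies={1: {"internal", "wan1"}, 7: {"port3", "wan1"}},
        vips={"web_vip": "port3"},
    )
    return root, VdomObjects(name="customer_a")


if __name__ == "__main__":
    root, customer_a = build_sample()
    print(plan_interface_move(root, "port3", customer_a))   # blocked by policy 7 and route 2
    del root.routes[2], root.policies[7]                   # operator clears the blockers
    print(plan_interface_move(root, "port3", customer_a))   # allowed; VIP loss still flagged
```

The VIP note is the one to watch: the guide says the virtual IPs are deleted automatically, so without a backup taken beforehand the published service silently disappears from the old VDOM.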
Assigning an administrator to a VDOM
If you are creating a VDOM to serve an organization that will be administering its own
resources, you need to create an administrator account for that VDOM.
A VDOM admin can change configuration settings within that VDOM but cannot make
changes that affect other VDOMs on the FortiGate unit.
A regular administrator assigned to a VDOM can log in to the web-based manager or the
CLI only on interfaces that belong to that VDOM. The super administrator can connect to
the web-based manager or CLI through any interface on the FortiGate unit that permits
management access. Only the super administrator or a regular administrator of the root
domain can log in by connecting to the console interface.
To assign an administrator to a VDOM
1 Log in as the super_admin.
2 Ensure that virtual domains are enabled. For more information, see Enabling virtual
domains on page 130.
3 Go to System > Admin > Administrators.
4 Create a new administrator account or select the Edit icon of an existing administrator
account.
5 Go to the Virtual Domain list.
6 Select the VDOM that this administrator manages.
Administrators are assigned to a specific VDOM when the account is created unless
they are super_admin administrators. For more information, see Configuring an
administrator account on page 244.
7 Configure other settings as required.
For detailed information, see Configuring an administrator account on page 244.
8 Select OK.
Note: You can reassign or remove an interface or subinterface once the Delete icon is
displayed. Absence of the icon means that the interface is being used in a configuration
somewhere.
Tip: You can disable a VDOM instead of deleting it. Your configuration will be preserved,
saving time you would otherwise need to remove and reconfigure it. For more information,
see Working with VDOMs and global settings on page 134.
Note: If an admin account is assigned to a VDOM, that VDOM cannot be deleted until that
account is assigned to another VDOM or removed.
Changing the management VDOM
The management VDOM on your FortiGate unit is where some default types of traffic
originate, including:
- SNMP
- logging
- alert email
- FDN-based updates
- NTP-based time setting
Before you change the management VDOM, ensure that virtual domains are enabled on
the system dashboard screen. For more information, see Enabling virtual domains on
page 130.
Only one VDOM can be the management VDOM at any given time.
Global events are logged with the VDOM set to the management VDOM.
To change the management VDOM
1 Go to System > VDOM.
2 From the list of VDOMs, select the VDOM to be the new management VDOM.
This list is located to the immediate left of the Apply button.
3 Select Apply to make the change.
At the prompt, confirm the change.
Management traffic will now originate from the new management VDOM.
Note: You cannot change the management VDOM if any administrators are using RADIUS
authentication.
Configuring VDOM resource limits
Super administrators can configure VDOM resource limits to control how many resources
each VDOM can use. This means you can provide tiered services for different VDOMs.
You can also use resource limits to share resources evenly among VDOMs, preventing
one VDOM from affecting the performance of others.
You can set limits for dynamic and some static resources. Dynamic resources are
resources that are not controlled by the FortiGate configuration. You can limit dynamic
resources to limit the amount of traffic that a VDOM processes and so limit the amount of
FortiGate processing resources the VDOM can use. If you do not limit dynamic
resources, each VDOM will use as many as it can until the capacity of the FortiGate unit
becomes the limiting factor. You can set the following dynamic resource limits:
- The total number of communication Sessions that can be started in a VDOM. When
  this limit is reached additional sessions are dropped.
- The number of IPSec VPN Dial-up Tunnels that can be started in a VDOM. When this
  limit is reached, additional tunnels are dropped.
- The number of SSL VPN user sessions that can be started in a VDOM. When this limit
  is reached the VDOM displays a system busy message instead of the login page when
  a user attempts to log in to start an SSL VPN session.
Static resources are controlled by limits in the FortiGate configuration. These limits vary by
model and are listed in the FortiGate Maximum Values Matrix. Limiting static resources
does not limit the amount of traffic that the VDOM processes. Instead, limiting static
resources controls the number of configuration elements that can be added to a VDOM.
You can set the following static resource limits:
- The number of VPN IPSec Phase 1 and Phase 2 tunnels that can be added to a VDOM
  configuration. The number of tunnels is limited by the maximum values for the
  FortiGate model.
- The number of Firewall policies, Protection Profiles, Firewall Addresses, Firewall
  Address Groups, Firewall Custom Services, Firewall Service Groups, Firewall
  One-Time Schedules, and Firewall Recurring Schedules that can be added to a VDOM
  configuration.
- The number of Local Users and User Groups that can be added to a VDOM
  configuration.
Setting VDOM global resource limits
Use global resource limits to configure resource limits that will apply to all VDOMs. When
you set a global resource limit, you cannot exceed that resource limit in any VDOM.
For example, if you want to limit all VDOMs to 100 VPN IPSec Phase 1 Tunnels, go to
System > VDOM > Global Resources, edit the VPN IPsec Phase1 Tunnels resource
limit and set the global resource limit to 100. With this global limit set you can add a
maximum of 100 VPN IPSec Phase 1 Tunnels to any VDOM.
You can also edit the resource limits for individual VDOMs to further limit the number of
resources that you can add to individual VDOMs. See Configuring resource usage for
individual VDOMs on page 141.
A resource limit of 0 means no limit: the resource is not limited by the resource limit
configuration but by other factors. Dynamic resources are then limited by the capacity of
the FortiGate unit, which varies depending on how busy the system is. Limits for static
resources are set by limitations in the FortiGate configuration as documented in the
FortiGate Maximum Values Matrix document.
Figure 57: Configuring global resource limits that apply to all VDOMs
Resource
    Name of the resource. Includes dynamic and static resources.
Configured Maximum
    The maximum amount of the resource allowed for each VDOM. This amount matches
    the default maximum until you change it.
Default Maximum
    The default maximum value for each VDOM for this resource. This value depends on
    the FortiGate model. Dynamic resources (Sessions, Dial-up Tunnels, and SSL VPN)
    do not have default maximums so the default maximum for dynamic resources is
    always 0 (meaning unlimited). Static resources may have a limit set or may be set to
    0, meaning they are limited by the resource limit configuration.
    Note: If you set the maximum resource usage for a VDOM you cannot reduce the
    default maximum global limit for all VDOMs below this maximum.
Current Usage
    The amount of the resource currently in use. For dynamic resources, current usage
    is the number of sessions or tunnels currently in use. For static resources, current
    usage is the number of configuration items added to the FortiGate unit.
Edit icon
    Change the configured maximum for this resource. The Edit Global Resource Limits
    dialog box lists the valid range of values for the configured maximum. You can set
    the maximum to zero to set no limit, which means the resource is limited by other
    factors such as system capacity or maximum values.
Reset icon
    Reset the Configured Maximum to the Default Maximum value.
Configuring resource usage for individual VDOMs
You can configure resource usage for individual VDOMs to override global limits and
specify guaranteed usage for that VDOM.
When you add a new VDOM, after giving the VDOM a name and selecting OK you can
configure resource usage for the VDOM. You can also configure resource usage for a
VDOM at any time by going to System > VDOM and selecting the edit icon for a VDOM.
When configuring resource usage for a VDOM you can set the Maximum and Guaranteed
value for each resource.
The Maximum value limits the amount of the resource that can be used by the VDOM.
When you add a VDOM, all maximum resource usage settings are 0 indicating that
resource limits for this VDOM are controlled by the global resource limits. You do not
have to override the maximum settings unless you need to override global limits to
further limit the resources available for the VDOM. You cannot set maximum resource
usage higher in a VDOM than the corresponding global resource limit.
The Guaranteed value represents the minimum amount of the resource available for
that VDOM. Setting the guaranteed value makes sure that other VDOMs do not use all
of a resource. A guaranteed value of 0 means that an amount of this resource is not
guaranteed for this VDOM. You only have to change guaranteed settings if your
FortiGate may become low on resources and you want to guarantee that a minimum
level is available for this VDOM.
Figure 58: Configuring resource usage for a VDOM
Note: To set global resource limits go to System > VDOM > Global Resources. See
Setting VDOM global resource limits on page 140.
Resource
    Name of the resource. Includes dynamic and static resources.
Maximum
    Override the global limit to reduce the amount of each resource available for this
    VDOM. The maximum must be the same as or lower than the global limit. The default
    value is 0, which means the maximum is the same as the global limit.
    Note: If you set the maximum resource usage for a VDOM you cannot reduce the
    default maximum global limit for all VDOMs below this maximum.
Guaranteed
    Enter the minimum amount of the resource available to this VDOM regardless of
    usage by other VDOMs. The default value is 0, which means that an amount of this
    resource is not guaranteed for this VDOM.
Current
    The amount of the resource that this VDOM currently uses.
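The global limit, the per-VDOM Maximum (0 means the same as the global limit, it may never exceed the global limit, and the global limit cannot later be lowered below it) and the Guaranteed minimum interact in ways that are easy to get wrong on a multi-tenant unit. The following Python model is an added example written for this guide, not FortiOS code, and it serves both the global resource limits section and the per-VDOM resource usage section above. It assumes constructed model maximums for static resources (the real values are in the FortiGate Maximum Values Matrix, which this page does not reproduce) and two checks the guide does not state: that a guarantee may not exceed the VDOM's own maximum, and that all guarantees together may not exceed the global limit.

```python
from dataclasses import dataclass, field

UNLIMITED = 0  # FortiGate convention: a limit of 0 means "not limited by this setting"

# Dynamic resources have no model default maximum; only unit capacity bounds them.
DYNAMIC_RESOURCES = {"session", "dialup-tunnel", "sslvpn"}

# Constructed stand-in for the per-model maximums of static resources (assumption).
MODEL_MAX = {"ipsec-phase1": 200, "ipsec-phase2": 200, "firewall-policy": 2000, "user": 1000}


class ResourceLimitError(ValueError):
    """A limit change that the rules described in the guide do not permit."""


@dataclass
class ResourceLimits:
    global_max: dict = field(default_factory=dict)       # resource -> global limit
    vdom_max: dict = field(default_factory=dict)         # vdom -> {resource: maximum}
    vdom_guaranteed: dict = field(default_factory=dict)  # vdom -> {resource: guaranteed}
    usage: dict = field(default_factory=dict)            # vdom -> {resource: in use}

    def set_global(self, resource, limit):
        """A global limit applies to every VDOM and may not drop below any VDOM's own maximum."""
        for vdom, maxes in self.vdom_max.items():
            vmax = maxes.get(resource, UNLIMITED)
            if limit != UNLIMITED and vmax != UNLIMITED and vmax > limit:
                raise ResourceLimitError(
                    f"{vdom} has maximum {vmax} for {resource}; global limit cannot be {limit}")
        self.global_max[resource] = limit

    def set_vdom(self, vdom, resource, maximum=UNLIMITED, guaranteed=0):
        """Per-VDOM override: maximum must not exceed the global limit (0 = same as global)."""
        glob = self.global_max.get(resource, UNLIMITED)
        if glob != UNLIMITED and maximum > glob:
            raise ResourceLimitError(f"maximum {maximum} for {vdom} exceeds global limit {glob}")
        # The next two checks are assumptions of this model; the guide does not state them.
        if maximum != UNLIMITED and guaranteed > maximum:
            raise ResourceLimitError("guaranteed amount cannot exceed the VDOM maximum")
        others = sum(g.get(resource, 0) for v, g in self.vdom_guaranteed.items() if v != vdom)
        if glob != UNLIMITED and others + guaranteed > glob:
            raise ResourceLimitError("total guarantees would exceed the global limit")
        self.vdom_max.setdefault(vdom, {})[resource] = maximum
        self.vdom_guaranteed.setdefault(vdom, {})[resource] = guaranteed

    def record_usage(self, vdom, resource, count):
        """Record the Current value shown for the VDOM (sessions in use, policies added, ...)."""
        self.usage.setdefault(vdom, {})[resource] = count

    def effective_max(self, vdom, resource):
        """Most restrictive of VDOM maximum, global limit and (static resources) model maximum."""
        ceilings = [self.vdom_max.get(vdom, {}).get(resource, UNLIMITED),
                    self.global_max.get(resource, UNLIMITED)]
        if resource not in DYNAMIC_RESOURCES:
            ceilings.append(MODEL_MAX.get(resource, UNLIMITED))
        real = [c for c in ceilings if c != UNLIMITED]
        return min(real) if real else UNLIMITED

    def can_allocate(self, vdom, resource, count=1):
        """Can the VDOM take `count` more without breaching its ceiling or another VDOM's guarantee?"""
        new_total = self.usage.get(vdom, {}).get(resource, 0) + count
        ceiling = self.effective_max(vdom, resource)
        if ceiling != UNLIMITED and new_total > ceiling:
            return False, f"{vdom} would exceed its effective maximum of {ceiling} {resource}"
        glob = self.global_max.get(resource, UNLIMITED)
        if glob == UNLIMITED:
            return True, "ok"
        # Every other VDOM keeps the larger of its guarantee and what it already uses.
        reserved = sum(max(self.vdom_guaranteed.get(v, {}).get(resource, 0),
                           self.usage.get(v, {}).get(resource, 0))
                       for v in set(self.vdom_guaranteed) | set(self.usage) if v != vdom)
        if new_total > glob - reserved:
            return False, f"only {glob - reserved} {resource} left once other VDOMs' guarantees are honoured"
        return True, "ok"


def build_sample():
    """Constructed two-tenant setup: 100 phase 1 tunnels globally, shared unevenly."""
    limits = ResourceLimits()
    limits.set_global("ipsec-phase1", 100)
    limits.set_vdom("cust_a", "ipsec-phase1", maximum=40, guaranteed=20)
    limits.set_vdom("cust_b", "ipsec-phase1", maximum=UNLIMITED, guaranteed=50)
    return limits


if __name__ == "__main__":
    limits = build_sample()
    print(limits.effective_max("cust_a", "ipsec-phase1"), limits.effective_max("cust_b", "ipsec-phase1"))
    print(limits.can_allocate("cust_b", "ipsec-phase1", 85))   # refused: cust_a keeps its 20
    limits.record_usage("cust_b", "ipsec-phase1", 70)
    print(limits.can_allocate("cust_a", "ipsec-phase1", 31))   # refused: only 30 left in the pool
```

The second refusal is the point of the Guaranteed setting: cust_a's own Maximum of 40 is not the binding constraint once cust_b has consumed most of the shared pool, so a tenant that needs headroom must have it guaranteed rather than merely allowed.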
System Network
This section describes how to configure your FortiGate unit to operate in your network.
Basic network settings include configuring FortiGate interfaces and DNS options. More
advanced configuration includes adding zones and VLAN subinterfaces to the FortiGate
network configuration. Optional configurations also include configuring the FortiGate unit
as a DNS server and an explicit web proxy server.
If you enable virtual domains (VDOMs) on the FortiGate unit, you configure interface and
networking options globally for the entire FortiGate unit. All interface settings, including
adding interfaces to VDOMs, are part of the global configuration. You configure zones, the
modem interface, the DNS database, the explicit web proxy, and the Transparent mode
routing table separately for each VDOM. For more information, see Using virtual
domains on page 125.
This section describes:
- Configuring interfaces
- Configuring zones
- Configuring the modem interface
- Configuring Networking Options
- Configuring FortiGate DNS services
- Configuring the explicit web proxy
- Configuring WCCP
- Routing table (Transparent Mode)
Configuring interfaces
Go to System > Network > Interface to configure FortiGate interfaces. Many interface
options are available. Different options are available in NAT/Route mode and in
Transparent mode.
Some of the options available include:
- modify the configuration of a physical interface
- add VLAN subinterfaces
- aggregate several physical interfaces into an IEEE 802.3ad aggregate interface (some
  models)
- combine several physical interfaces into a redundant interface (some models)
- add loopback interfaces
- add wireless interfaces (FortiWiFi models) and service set identifiers (SSIDs)
- add VDOM links on FortiGate units with multiple VDOMs enabled
- configure the modem interface (on some models)
- detect interface status for gateway load balancing
- change the information displayed about the interfaces
- configure a virtual wireless access point (VAP) interface
Note: Unless stated otherwise, the term interface can refer to either a physical FortiGate
interface or to a virtual FortiGate VLAN subinterface.
Note: If you can enter both an IP address and a netmask in the same field, you can use the
short form of the netmask. For example, 192.168.1.100/255.255.255.0 can also be entered
as 192.168.1.100/24.
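The note on the short form of the netmask is straightforward for 255.255.255.0, but tooling that generates interface settings should also reject masks that are not a run of ones followed by zeros, since a non-contiguous or inverted mask is not a netmask at all. The following Python helpers are an added example written for this guide, not FortiOS code; they convert either form to the short form and keep the host bits, because the value is an interface address rather than a network.

```python
import ipaddress


def prefix_from_netmask(mask):
    """Convert a dotted-decimal netmask such as 255.255.255.0 to its prefix length (24).

    Only contiguous masks (ones followed by zeros) are valid netmasks; anything
    else, including a host mask such as 0.0.0.255, is rejected.
    """
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    # A valid /prefix mask is exactly `prefix` leading ones, e.g. 0xFFFFFF00 for /24.
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a contiguous netmask")
    return prefix


def normalize_interface_address(text):
    """Accept 'address/netmask' or 'address/prefix' and return the short form 'address/prefix'.

    The host bits are kept: 192.168.1.100/24 is an interface address, not a network.
    """
    addr, sep, mask = text.partition("/")
    if not sep or not mask:
        raise ValueError("address must include a netmask or prefix length after '/'")
    ip = ipaddress.IPv4Address(addr)            # raises ValueError for a malformed address
    if mask.isdigit():
        prefix = int(mask)
        if prefix > 32:
            raise ValueError(f"prefix length {prefix} is out of range (0-32)")
    else:
        prefix = prefix_from_netmask(mask)
    return f"{ip}/{prefix}"


if __name__ == "__main__":
    # Constructed samples: the guide's example in both forms, plus an invalid mask.
    for sample in ("192.168.1.100/255.255.255.0", "192.168.1.100/24", "10.1.2.3/255.255.0.255"):
        try:
            print(sample, "->", normalize_interface_address(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```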
Figure 59: Example interface list - regular admin view
Figure 60: Example FortiGate-5005FA2 list - virtual domains enabled
Figure 61: Example switch mode interface list (on supported models)
Figure 62: Example interface list including AMC interfaces
Create New
    Select Create New to add a new interface. Depending on the model you can add a
    VLAN interface, a loopback interface, an IEEE 802.3ad aggregated interface, or a
    redundant interface. See:
    - Adding VLAN interfaces on page 158
    - Adding loopback interfaces on page 158
    - Adding 802.3ad aggregate interfaces on page 159
    - Adding redundant interfaces on page 160
    When VDOMs are enabled, you can also select Create New to add inter-VDOM
    links. For more information see Inter-VDOM links on page 136.
Switch Mode
    On supported models, select Switch Mode to change between switch mode and
    interface mode. Switch mode combines some FortiGate interfaces into one switch
    with one IP address. Interface mode allows you to configure them as separate
    interfaces.
    On some FortiGate models you can also select Hub Mode. Hub mode is similar to
    switch mode except that in hub mode the interfaces do not learn the MAC addresses
    of the devices on the network they are connected to and may also respond quicker
    to network changes. Normally, you would only select Hub Mode if you are having
    network performance issues when operating with switch mode. The configuration of
    the FortiGate unit is the same whether in switch mode or hub mode.
    Before switching modes, all configuration settings for the interfaces affected by
    the change must be set to defaults. When you select Switch Mode the web-based
    manager displays the list of affected interfaces.
    See Switch Mode on page 150.
Show backplane interfaces
    Select to make FortiGate-5000 series backplane interfaces visible. Once visible
    these interfaces can be configured as regular physical interfaces.
Column Settings
    Select to change the columns of information that are displayed on the interface
    list. For more information, see Using column settings to control the columns
    displayed on page 61.
Description icon
    Display a description for the interface if one has been added. For more
    information, see Configuring interface settings on page 151.
Name The names of the physical interfaces on your FortiGate unit. This includes any
alias names that have been configured.
The names of the physical interfaces depend on the model. Some names
indicate the default function of the interface such as internal, external, wan1
(wide are network), wlan (wireless LAN) and dmz. Other names are more
generic such as port1, port20, and so on.
Some FortiGate models also include a modem interface named modem. See
Configuring the modem interface on page 170.
When you combine several interfaces into an aggregate or redundant
interface, only the aggregate or redundant interface is listed, not the
component interfaces. See Adding 802.3ad aggregate interfaces on
page 159 or Adding redundant interfaces on page 160.
On FortiGate models that support switch mode, the individual interfaces in the
switch are not displayed when in switch mode. For more information, see
Switch Mode on page 150.
If you have added VLAN interfaces, they also appear in the name list, below
the physical or aggregated interface to which they have been added. See the
FortiGate VLANs and VDOMs Guide.
If you have added loopback interfaces, they also appear in the interface list,
below the physical interface to which they have been added.
If you have software switch interfaces configured, you will be able to view
them. For more information, see Adding software switch interfaces on
page 169.
If you have interface mode enabled on a FortiGate model with a switch
interface, you will see multiple internal interfaces. If switch mode is enabled,
there will only be one internal interface. For more information see Switch
Mode on page 150.
If your FortiGate unit supports AMC modules and have installed an AMC
module containing interfaces (for example, the ASM-FB4 contains 4 interfaces)
these interfaces are added to the interface status display. The interfaces are
named amc-sw1/1, amc-dw1/2, and so on. sw1 indicates it is a single width or
double width card respectively in slot 1. The last number /1 indicates the
interface number on that card - for the ASM-FB4 card there would be /1
through /4.
IP/Netmask The current IP address/netmask of the interface.
In VDOM mode, when VDOMs are not all in NAT or Transparent mode some
values may not be available for display and will be displayed as - instead.
When IPv6 Support is enabled on the web-based manager, IPv6 addresses
may be displayed in this column.
Access The administrative access configuration for the interface.
For more information, see Configuring administrative access to an interface
on page 165.
Administrative
Status
The administrative status for the interface.
If the administrative status is a green arrow, the interface is up and can accept
network traffic. If the administrative status is a red arrow, the interface is
administratively down and cannot accept traffic. To change the administrative
status of an interface, select the Edit icon to edit the interface and change the
Administrative Status setting for the interface.
Link Status The status of the interface physical connection. Link status can be either up or
down. If link status is up there is an active physical connection between the
physical interface and a network switch. If link status is down the interface is
not connected to the network or there is a problem with the connection. You
cannot change link status from the web-based manager.
Link status is only displayed for physical interfaces.
MAC The MAC address of the interface.
Mode Shows the addressing mode of the interface. The addressing mode can be
manual, DHCP, or PPPoE.
MTU The maximum number of bytes per transmission unit (MTU) for the interface.
See Changing interface MTU packet size on page 167.
Secondary IP Displays the secondary IP addresses added to the interface. See Adding
secondary IP addresses to an interface on page 167.
Type The type of the interface. Valid types include:
Physical - a physical network interface, including the modem interface
VLAN - a VLAN interface
Aggregate - a group of 802.3ad aggregated interfaces
Redundant - a group of redundant interfaces
VDOM Link - a pair of virtual interfaces that link two VDOMs
Pair - two interfaces that are joined together, such as 2 VDOM links
Switch - two or more interfaces joined together to create a software switch interface
Tunnel - a virtual IPSec VPN interface
VAP - a wireless controller virtual access point (VAP or virtual AP) interface
Virtual Domain The virtual domain to which the interface belongs. This column is visible when VDOM configuration is enabled.
VLAN ID The configured VLAN ID for VLAN subinterfaces.
Delete icon Delete the interface. Available for interfaces added by selecting Create New. For example, you can delete VLAN, loopback, aggregate, and redundant interfaces. You can only delete an interface if it is not used in another configuration.
Edit icon Change the interface's configuration.
View icon View the interface's configuration.
Note: From the FortiGate CLI you can also add software switch interfaces. See Adding software switch interfaces on page 169.
Switch Mode
Select switch mode to switch a group of related FortiGate interfaces to operate as a multi-port switch with one IP address. Switch mode is available on FortiGate models with switch hardware.
The switch mode feature has two states - switch mode and interface mode. Switch mode is the default mode, with only one interface and one address for the entire internal switch. Interface mode allows you to configure each of the internal switch physical interface connections separately. This allows you to assign different subnets and netmasks to each of the internal physical interface connections.
Selecting Switch Mode on the System > Network > Interface screen displays the Switch Mode Management screen.
Figure 63: Switch Mode Management
Switch Mode Select Switch Mode. Only one internal interface is displayed. This is the default mode.
Interface Mode Select Interface Mode. All internal interfaces on the switch are displayed as individually configurable interfaces.
Hub Mode On some FortiGate models you can select Hub Mode. Hub mode is similar to switch mode except that in hub mode the interfaces do not learn the MAC addresses of the devices on the network they are connected to and may also respond quicker to network changes in some circumstances. You should only select Hub Mode if you are having network performance issues when operating in switch mode. The configuration of the FortiGate unit is the same whether in switch mode or hub mode.
Caution: Before you can change between switch mode and interface mode, all configuration settings for the affected interfaces must be set to defaults. This includes firewall policies, routing, DNS forwarding, DHCP services, and VDOM interface assignments. If they are not removed, you will not be able to switch modes, and you will see an error message. The web-based manager displays the list of affected interfaces.
Configuring interface settings
Go to System > Network > Interface and select the Edit icon to change the settings for an interface, or select Create New to add and configure a VLAN, loopback, IEEE 802.3ad aggregated, or redundant interface.
Figure 64: Editing the configuration of a physical interface
Figure 65: Adding and configuring a VLAN interface
Figure 66: Interface configuration including IPv6 options
Name The name of the interface. You can specify and change the names of VLAN, loopback, IEEE 802.3ad aggregated, and redundant interfaces. You cannot change the name of an existing interface. The interface display also includes the MAC address of the physical interface.
Alias Enter another name for the interface that will easily distinguish this interface from another. This is available only for physical interfaces, where you cannot configure the name. The alias can be a maximum of 15 characters. The alias name is not part of the interface name, but it will appear in brackets beside the interface name. It will not appear in logs.
Link Status Indicates whether the interface is connected to a network (link status is Up) or not (link status is Down).
Type When adding a new interface, set Type to the type of interface that you want to add:
Set Type to VLAN to add a VLAN interface. See Adding VLAN interfaces on page 158.
Set Type to Loopback Interface to add a loopback interface. See Adding loopback interfaces on page 158.
On some models you can set Type to 802.3ad Aggregate to add an aggregate interface. See Adding 802.3ad aggregate interfaces on page 159.
On some models you can set Type to Redundant Interface to add a redundant interface. See Adding redundant interfaces on page 160.
Other types include:
Software Switch - a software switch interface. See Adding software switch interfaces on page 169.
Tunnel - a virtual IPSec VPN interface. See Configuring virtual IPSec interfaces on page 164.
VAP Interface - a wireless controller virtual access point (VAP or virtual AP) interface. See Configuring a virtual wireless access point on page 698.
You cannot change the Type except when adding a new interface.
Interface Select the name of the physical interface to which to add a VLAN interface. Once
created, the VLAN interface is listed below its physical interface in the Interface
list.
You cannot change the physical interface of a VLAN interface except when
adding a new VLAN interface.
Displayed when Type is set to VLAN.
VLAN ID Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. You cannot change the VLAN ID except when adding a new VLAN interface. The VLAN ID can be any number between 1 and 4094 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch connected to the VLAN subinterface. For more information, see Adding VLAN interfaces on page 158. Displayed when Type is set to VLAN.
Virtual Domain Select the virtual domain to add the interface to.
Admin accounts with super-admin profile can change the Virtual Domain.
Physical Interface Members This section has two different forms depending on the interface type:
Software switch interface - this section is a display-only field showing the interfaces that belong to the software switch virtual interface. See Adding software switch interfaces on page 169.
802.3ad aggregate or Redundant interface - this section includes Available Interfaces and Selected Interfaces lists to enable adding or removing interfaces from the grouped interface. See Adding 802.3ad aggregate interfaces on page 159 and Adding redundant interfaces on page 160.
Available Interfaces Select interfaces from this list to include in the grouped interface, either a redundant or an aggregate interface. Select the right arrow to add an interface to the grouped interface.
Selected Interfaces These interfaces are included in the aggregate or redundant interface. Select the left arrow to remove an interface from the grouped interface. For redundant interfaces, the interfaces will be activated during failover from the top of the list to the bottom.
Addressing mode Select the addressing mode for the interface.
Select Manual and add an IP/Netmask for the interface. If IPv6 configuration is enabled you can add both an IPv4 and an IPv6 address.
Select DHCP to get the interface IP address and other network settings from a DHCP server. See Configuring DHCP on an interface on page 161.
Select PPPoE to get the interface IP address and other network settings from a PPPoE server. See Configuring PPPoE on an interface on page 162.
IP/Netmask If Addressing Mode is set to Manual, enter an IPv4 address/subnet mask for the interface. Two FortiGate interfaces cannot have IP addresses on the same subnet.
IPv6 Address If Addressing Mode is set to Manual and IPv6 support is enabled on the
web-based manager, enter an IPv6 address/subnet mask for the interface. A
single interface can have both an IPv4 and IPv6 address or just one or the other.
Enable one-arm sniffer Select to configure this interface to operate as a one-armed sniffer as part of configuring a FortiGate unit to operate as an IDS appliance by sniffing packets for attacks without actually receiving and otherwise processing the packets. Once the interface is enabled for sniffing you cannot use the interface for other traffic. You must add sniffer policies for the interface to actually sniff packets. For more information on one-armed IPS, see Firewall Policy Using one-arm sniffer policies to detect network attacks on page 382.
Enable explicit Web Proxy Select to enable explicit web proxying on this interface. When enabled, this interface will be displayed on System > Network > Web Proxy under Listen on Interfaces and web traffic on this interface will be proxied according to the Web Proxy settings. For more information, see Configuring the explicit web proxy on page 182.
Enable DDNS Select Enable DDNS to configure a Dynamic DNS service for this interface. For
more information, see Configuring Dynamic DNS on an interface on page 163.
Override Default MTU Value To change the MTU, select Override default MTU value (1500) and enter the MTU size based on the addressing mode of the interface:
68 to 1500 bytes for static mode
576 to 1500 bytes for DHCP mode
576 to 1492 bytes for PPPoE mode
larger frame sizes if supported by the FortiGate model
Only available on physical interfaces. Virtual interfaces associated with a physical interface inherit the physical interface MTU size.
For more information on MTU size, see Changing interface MTU packet size on page 167.
Note: In Transparent mode, if you change the MTU of an interface, you must change the MTU of all interfaces to match the new MTU.
Enable DNS Query Select to configure the interface to accept DNS queries. Select recursive or non-recursive. For more information, see Configuring FortiGate DNS services on page 177.
recursive Look up domain names in the FortiGate DNS database. If the entry is not found, relay the request to the DNS servers configured under System > Network > Options.
non-recursive Look up domain names in the FortiGate DNS database. Do not relay the request to the DNS servers configured under System > Network > Options.
Administrative Access Select the types of administrative access permitted for IPv4 connections to this interface.
IPv6 Administrative Access Select the types of administrative access permitted for IPv6 connections to this interface.
HTTPS Allow secure HTTPS connections to the web-based manager through this
interface.
PING Interface responds to pings. Use this setting to verify your installation and for
testing.
HTTP Allow HTTP connections to the web-based manager through this interface. HTTP
connections are not secure and can be intercepted by a third party.
SSH Allow SSH connections to the CLI through this interface.
SNMP Allow a remote SNMP manager to request SNMP information by connecting to
this interface. See Configuring SNMP on page 214.
TELNET Allow Telnet connections to the CLI through this interface. Telnet connections are
not secure and can be intercepted by a third party.
Detect Interface Status for Gateway Load Balancing Configure interface status detection for the main interface IP address. See Configuring interface status detection for gateway load balancing on page 165.
Secondary IP Address Add additional IPv4 addresses to this interface. Select the blue arrow to expand or hide the section. See Adding secondary IP addresses to an interface on page 167.
Description Enter a description of up to 63 characters to describe the interface.
Administrative Status Select either Up (green arrow) or Down (red arrow) as the status of this interface. Up indicates the interface is active and can accept network traffic. Down indicates the interface is not active and cannot accept traffic.
Adding VLAN interfaces
A VLAN interface, sometimes called a VLAN or a VLAN subinterface, is a virtual interface on a physical interface that accepts VLAN-tagged packets using that physical interface.
To add a VLAN interface
1 Go to System > Network > Interface.
2 Select Create New and set Type to VLAN.
3 Configure the VLAN subinterface settings.
The VLAN subinterface must have a Name, a parent physical Interface, and a VLAN ID. See Configuring interface settings on page 151.
4 Select OK.
To view the new VLAN subinterface, go to System > Network > Interface and select the expand arrow next to the parent physical interface of the VLAN interface. This will expand the display to show all VLAN subinterfaces on this physical interface. If there is no expand arrow displayed, there are no subinterfaces configured on that physical interface.
For more information, see the FortiGate VLANs and VDOMs Guide.
Adding loopback interfaces
A loopback interface is an always-up virtual interface that is not connected to any other interfaces. Loopback interfaces connect to a FortiGate unit's interface IP address without depending on a specific external port.
Loopback interfaces were added to assist with blackhole routing, which drops packets sent to a particular network address. For more information on blackhole routing, see Blackhole Route on page 315.
A loopback interface is not connected to hardware, so it is not affected by hardware problems. As long as the FortiGate unit is functioning, the loopback interface is active. This always-up feature is useful in dynamic routing, where the FortiGate unit relies on remote routers and the local firewall policies for access to the loopback interface.
To add a loopback interface - web-based manager
1 Go to System > Network > Interface.
2 Select Create New and set Type to Loopback Interface to add a loopback interface.
3 Configure the loopback interface settings.
The loopback interface must have a Name. You can also configure administrative access and add a description. For more information, see Configuring interface settings on page 151.
4 Select OK.
To add a loopback interface - CLI
The CLI command to configure a loopback interface called loop1 with an IP address of 10.0.0.10 is:
config system interface
    edit loop1
        set type loopback
        set ip 10.0.0.10 255.255.255.0
end
For more information, see config system interface in the FortiGate CLI Reference.
Adding 802.3ad aggregate interfaces
On some FortiGate models you can aggregate (combine) two or more physical interfaces into an IEEE standard 802.3ad link aggregate interface to increase bandwidth and provide some link redundancy. An aggregate interface is similar to a redundant interface. Aggregate interfaces provide more bandwidth for the connection to a network, but also create more points of failure than redundant interfaces. Aggregate interfaces must all connect to the same next-hop routing destination.
An interface is available to be an aggregate interface if:
it is a physical interface, not a VLAN interface
it is not already part of an aggregate or redundant interface
it is in the same VDOM as the aggregated interface
it does not have an IP address and is not configured for DHCP or PPPoE
it does not have a DHCP server or relay configured on it
it does not have any VLAN subinterfaces
it is not referenced in any firewall policy, VIP, or multicast policy
it is not an HA heartbeat interface
it is not one of the FortiGate-5000 series backplane interfaces
Interfaces included in an aggregate interface are not listed on the System > Network >
Interface list. You cannot configure the interface individually and it is not available for
inclusion in firewall policies, firewall virtual IPs, or routing.
Figure 67: Settings for an 802.3ad aggregate interface
Note: You can add an accelerated interface (FA2 interfaces) to an aggregate link, but you
will lose the FA2 acceleration. For example, if you aggregate two accelerated interfaces
you will get slower throughput than if the two interfaces were separate.
To create an 802.3ad Aggregate interface
1 Go to System > Network > Interface.
2 Select Create New.
3 In the Name field, enter a name for the aggregated interface.
The interface name must be different from any other interface, zone or VDOM.
4 From the Type list, select 802.3ad Aggregate.
5 In the Available Interfaces list, move two or more interfaces to include in the aggregate
interface to the Selected Interfaces list.
6 Configure other interface options as required. See Configuring interface settings on
page 151.
7 Select OK.
Adding redundant interfaces
On some FortiGate models you can combine two or more physical interfaces to provide
link redundancy. This feature allows you to connect to two or more switches to ensure
connectivity in the event one physical interface or the equipment on that interface fails.
In a redundant interface, traffic is only going over one interface at any time. This differs
from an aggregated interface where traffic is going over all interfaces for increased
bandwidth. This difference means redundant interfaces can have more robust
configurations with fewer possible points of failure. This is important in a fully-meshed HA
configuration.
An interface is available to be in a redundant interface if:
it is a physical interface, not a VLAN interface
it is not already part of an aggregated or redundant interface
it is in the same VDOM as the redundant interface
it has no defined IP address and is not configured for DHCP or PPPoE
it has no DHCP server or relay configured on it
it does not have any VLAN subinterfaces
it is not referenced in any firewall policy, VIP, or multicast policy
it is not monitored by HA
it is not one of the FortiGate-5000 series backplane interfaces
When an interface is included in a redundant interface, it is not listed on the System >
Network > Interface page. You cannot configure the interface individually and it is not
available for inclusion in firewall policies, VIPs, or routing.
Figure 68: Settings for a redundant interface
To create a redundant interface
1 Go to System > Network > Interface.
2 Select Create New.
3 In the Name field, enter a name for the redundant interface.
The interface name must be different from any other interface, zone or VDOM.
4 From the Type list, select Redundant Interface.
5 In the Available Interfaces list, select each interface that you want to include in the
redundant interface and move it to the Selected Interfaces list.
In a failover situation, the interface activated will be the next interface down the
Selected Interfaces list.
6 Configure other interface options as required. See Configuring interface settings on
page 151.
7 Select OK.
Configuring DHCP on an interface
If you configure an interface to use DHCP, the FortiGate unit automatically broadcasts a
DHCP request from the interface. The interface is configured with the IP address and any
DNS server addresses and default gateway address that the DHCP server provides.
By default, low-end models are configured to DHCP addressing mode with Override
Internal DNS and Retrieve default Gateway from DHCP server both enabled. These
settings allow for easy out-of-the-box configuration.
To configure DHCP on an interface
1 Go to System > Network > Interface.
2 Select Create New or select the Edit icon of an existing interface.
3 In the Addressing mode section, select DHCP.
Figure 69: Interface DHCP settings
Status Displays DHCP status messages as the interface connects to the DHCP server and gets addressing information. Select Status to refresh the addressing mode status message.
Status can be one of:
initializing - No activity.
connecting - The interface is attempting to connect to the DHCP server.
connected - The interface has retrieved an IP address, netmask, and other settings from the DHCP server.
failed - The interface was unable to retrieve an IP address and other settings from the DHCP server.
Obtained IP/Netmask The IP address and netmask leased from the DHCP server. Only displayed if Status is connected.
Renew Select to renew the DHCP lease for this interface. Only displayed if Status is connected.
Expiry Date The time and date when the leased IP address and netmask are no longer valid. Only displayed if Status is connected.
Default Gateway The IP address of the gateway defined by the DHCP server. Only displayed if Status is connected and Retrieve default gateway from server is selected.
Distance Enter the administrative distance for the default gateway retrieved from the DHCP server. The administrative distance, an integer from 1-255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route. The default distance for the default gateway is 5.
Retrieve default gateway from server Enable to retrieve a default gateway IP address from the DHCP server. The default gateway is added to the static routing table. Enabled by default on low-end models.
Override internal DNS Enable to use the DNS addresses retrieved from the DHCP server instead of the DNS server IP addresses on the DNS page. On low-end models, this is enabled by default. When VDOMs are enabled, you can override the internal DNS only on the management VDOM.
Configuring PPPoE on an interface
If you configure the interface to use PPPoE, the FortiGate unit automatically broadcasts a PPPoE request from the interface.
FortiGate units support many PPPoE RFC features (RFC 2516) including unnumbered IPs, initial discovery timeout and PPPoE Active Discovery Terminate (PADT).
To configure an interface for PPPoE
1 Go to System > Network > Interface.
2 Select Create New or select the Edit icon of an existing interface.
3 In the Addressing mode section, select PPPoE.
Figure 70: Interface PPPoE settings
Status Displays PPPoE status messages as the FortiGate unit connects to the PPPoE server and gets addressing information. Select Status to refresh the addressing mode status message. Only displayed if you selected Edit.
Status can be one of the following 4 messages:
initializing - No activity.
connecting - The interface is attempting to connect to the PPPoE server.
connected - The interface has retrieved an IP address, netmask, and other settings from the PPPoE server. When the status is connected, PPPoE connection information is displayed.
failed - The interface was unable to retrieve an IP address and other information from the PPPoE server.
Reconnect Select to reconnect to the PPPoE server. Only displayed if Status is connected.
User Name The PPPoE account user name.
Password The PPPoE account password.
Unnumbered IP Specify the IP address for the interface. If your ISP has assigned you a block of IP addresses, use one of them. Otherwise, this IP address can be the same as the IP address of another interface or can be any IP address.
Initial Disc Timeout Enter the initial discovery timeout: the time to wait before starting to retry a PPPoE discovery.
Initial PADT timeout Enter the initial PPPoE Active Discovery Terminate (PADT) timeout in seconds. Use this timeout to shut down the PPPoE session if it is idle for this number of seconds. PADT must be supported by your ISP. Set the initial PADT timeout to 0 to disable it.
Distance Enter the administrative distance for the default gateway retrieved from the PPPoE server. The administrative distance, an integer from 1-255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route. The default distance for the default gateway is 1.
Retrieve default gateway from server Enable to retrieve a default gateway IP address from a PPPoE server. The default gateway is added to the static routing table.
Override internal DNS Enable to replace the DNS server IP addresses on the System DNS page with the DNS addresses retrieved from the PPPoE server. When VDOMs are enabled, you can override the internal DNS only on the management VDOM.
Configuring Dynamic DNS on an interface
When the FortiGate unit has a static domain name and a dynamic public IP address, you can use a Dynamic DNS (DDNS) service to update Internet DNS servers when the IP address for the domain changes.
DDNS is available only in NAT/Route mode.
To configure DDNS on an interface
1 Get the DDNS configuration information from your DDNS service.
2 Go to System > Network > Interface.
3 Select Create New.
4 Enable DDNS.
5 Enter the DDNS configuration information.
If at any time your FortiGate unit cannot contact the DDNS server, it will retry three times at one-minute intervals and then change to retrying at three-minute intervals. This is to prevent flooding the DDNS server.
Figure 71: DDNS service configuration
Configuring virtual IPSec interfaces
You create a virtual IPSec interface by selecting Enable IPSec Interface Mode when
configuring Advanced options for an IPSec VPN Phase 1. To configure an IPSec VPN
Phase 1, go to VPN > IPSec > Auto Key (IKE) and select Create Phase 1. You can also
select IPsec Interface Mode when configuring an IPSec VPN Manual Key configuration.
To configure IPSec VPN Manual Key go to VPN > IPSec > Manual Key and select Create
New.
In both cases the IPSec VPN virtual interface is added to the physical interface you select
in the IPSec VPN configuration.
Virtual IPSec interfaces are listed System > Network > Interface list. For more about
configuring IPSec VPN, see Auto Key on page 605 and Manual Key on page 614.
To edit an IPSec VPN interface, go to System > Network > Interface and select Edit for an
IPSec interface. For an IPSec VPN interface you can:
configure IP addresses for the local and remote endpoints of the IPSec interface so
that you can run dynamic routing over the interface or use ping to test the tunnel
enable administrative access through the IPSec interface
enter a description for the interface
Figure 72: Virtual IPSec interface settings
Server Select a DDNS server to use. The client software for these services is built into the
FortiGate firmware. The FortiGate unit can connect only to one of these services.
Domain Enter the fully qualified domain name of the DDNS service.
Username Enter the user name to use when connecting to the DDNS server.
Password Enter the password to use when connecting to the DDNS server.
Name The name of the IPSec interface.
Virtual Domain Select the VDOM of the IPSec interface.
System Network Configuring interfaces
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20091022 165
http://docs.fortinet.com/ Feedback
Configuring administrative access to an interface
Administrative access is how an administrator can connect to the FortiGate unit to view
and change configuration settings.
You can allow remote administration of the FortiGate unit running in NAT/Route mode, but
allowing remote administration from the Internet could compromise the security of the
FortiGate unit. You should avoid this unless it is required for your configuration.
To improve the security of a FortiGate unit that allows remote administration from the
Internet:
Use secure administrative user passwords.
Change these passwords regularly.
Enable secure administrative access to this interface using only HTTPS or SSH.
Do not change the system idle timeout from the default value of 5 minutes (see
Settings on page 261).
For more information on configuring administrative access in Transparent mode, see
Operation mode and VDOM management access on page 238.
To control administrative access to an interface
1 Go to System > Network > Interface.
2 Choose an interface and select Edit.
3 Select the Administrative Access methods for the interface.
4 Select OK.
Configuring interface status detection for gateway load balancing
Interface status detection consists of the FortiGate unit confirming that packets sent from
an interface result in a response from a server. You can use up to three different protocols
to confirm that an interface can connect to the server. Usually the server is the next-hop
router that leads to an external network or the Internet. Interface status detection sends a
packets using the configured protocols. If a response is received from the server, the
FortiGate unit assumes the interface can connect to the network. If a response is not
received, the FortiGate unit assumes that the interface cannot connect to the network.
IP
Remote IP
If you want to use dynamic routing with the tunnel or be able to ping the tunnel
interface, enter IP addresses for the local and remote ends of the tunnel. These
two addresses must not be used anywhere else in the network.
Administrative
Access
Select the types of administrative access permitted on this interface.
HTTPS Allow secure HTTPS connections to the web-based manager through this
interface.
PING Allow the interface to respond to pings. Use this setting to verify your
installation and for testing.
HTTP Allow HTTP connections to the web-based manager through this interface.
HTTP connections are not secure and can be intercepted by a third party.
SSH Allow SSH connections to the CLI through this interface.
SNMP Allow a remote SNMP manager to request SNMP information by connecting to
this interface. See Configuring SNMP on page 214.
TELNET Allow Telnet connections to the CLI through this interface. Telnet connections
are not secure and can be intercepted by a third party.
Description Enter a description of the interface. It can be up to 63 characters.
Interface status detection is used for ECMP route failover and load balancing. See ECMP
route failover and load balancing on page 322.
Since it is possible that a response may not be received even if the server and the network
are operating normally, the dead gateway detection configuration controls the time interval
between tests of the connection to the server and the number of times the test can fail
before the FortiGate unit assumes that the interface cannot connect to the server. See
Configuring Networking Options on page 176 for information about configuring dead
gateway detection.
To configure gateway failover detection for an interface, from the web-based manager go
to System > Network > Interface and edit an interface. Select Detect Interface Status for
Gateway Load Balancing, enter the IP address of the server to test connecting to and
select one or more protocols to use to test the connection to the server. If you have added
secondary IP addresses to an interface you can also configure interface status detection
separately for each secondary IP address.
Figure 73: Interface status detection settings
Note: As long as the FortiGate unit receives responses for at least one of the protocols that
you select, the FortiGate unit assumes the server is operating and can forward packets.
Receiving responses to more than one protocol does not enhance the status of the server
or interface, and receiving responses from fewer protocols does not reduce the status of the
server or interface.
Detect Server The IP address of the server to test connecting to.
Ping Use standard ICMP ping to confirm that the server is responding. Ping confirms
that the server can respond to an ICMP ping request.
TCP Echo Use TCP echo to confirm that the server is responding. Select this option if the
server is configured to provide TCP echo services. In some cases a server may be
configured to reply to TCP echo requests but not to reply to ICMP pings.
TCP echo uses TCP packets on port number 7 to send a text string to the server
and expect an echo reply back from the server. The echo reply just echoes back
the same text to confirm that the server can respond to TCP requests.
FortiGate units do not recognize RST (reset) packets from TCP Echo servers as
normal TCP echo replies. If the FortiGate receives an RST response to a TCP
echo request, the FortiGate unit assumes the server is unreachable.
UDP Echo Use UDP echo to detect the server. Select this option if the server is configured to
provide UDP echo services. In some cases a server may be configured to reply to
UDP echo requests but not to reply to ICMP pings.
UDP echo uses UDP packets on port number 7 to send a text string to the server
and expects an echo reply from the server. The echo reply just echoes back the
same text to confirm that the server can respond to UDP requests.
Spillover Threshold Set the spillover threshold to limit the amount of bandwidth processed by the
interface. The Spillover Threshold range is 0-2097000 KBps.
The FortiGate unit sends all ECMP-routed sessions to the lowest numbered
interface until the bandwidth being processed by this interface reaches its spillover
threshold. The FortiGate unit then spills additional sessions over to the next lowest
numbered interface.
For more information, including the order in which interfaces are selected, see
ECMP route failover and load balancing on page 322.
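The detection behaviour described above, as an added Python example that is not part of the guide or of FortiOS: TCP and UDP echo probes that treat a reset (RST) as "unreachable", and the round-based dead gateway state machine in which any one answering protocol keeps the interface up. The probe text and the local stand-in servers are constructed, the port defaults to the RFC 862 echo port, and the rule that one successful round restores the interface is an assumption.

```python
import socket
import struct
import threading
from dataclasses import dataclass
from typing import Dict, List, Tuple

ECHO_PORT = 7                 # TCP/UDP echo service port (RFC 862)
PROBE_TEXT = b"status-probe"  # constructed payload; the real probe text is not on the page


def tcp_echo_probe(server: str, port: int = ECHO_PORT, timeout: float = 2.0) -> bool:
    """TCP echo test: send a text string and expect the identical string back.
    A reset (RST) from the server counts as 'unreachable', as on the FortiGate."""
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(PROBE_TEXT)
            reply = b""
            while len(reply) < len(PROBE_TEXT):
                chunk = s.recv(len(PROBE_TEXT) - len(reply))
                if not chunk:         # peer closed without echoing the text
                    return False
                reply += chunk
            return reply == PROBE_TEXT
    except OSError:                   # ConnectionResetError, refused, timeout ...
        return False


def udp_echo_probe(server: str, port: int = ECHO_PORT, timeout: float = 2.0) -> bool:
    """UDP echo test: same exchange over UDP; no reply within the timeout is a failure."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(PROBE_TEXT, (server, port))
            reply, _ = s.recvfrom(1024)
            return reply == PROBE_TEXT
    except OSError:
        return False


@dataclass
class InterfaceStatus:
    """Dead gateway detection state for one interface (or one secondary IP)."""
    failover_detection: int       # failed rounds before the interface is declared down
    consecutive_failures: int = 0
    up: bool = True

    def run_round(self, results: Dict[str, bool]) -> bool:
        """One test round, run every Detection Interval seconds.
        results maps protocol name -> whether a response was received.
        The round passes if any selected protocol answered: extra protocols
        answering do not improve the status, fewer answering do not reduce it."""
        if any(results.values()):
            self.consecutive_failures = 0
            self.up = True            # assumption: one good round restores the interface
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.failover_detection:
                self.up = False
        return self.up


def simulate(failover_detection: int, rounds: List[Dict[str, bool]]) -> List[bool]:
    """Replay constructed probe rounds; return the interface status after each round."""
    state = InterfaceStatus(failover_detection)
    return [state.run_round(r) for r in rounds]


def _serve_once(behaviour: str) -> Tuple[int, threading.Thread]:
    """Local stand-in for the detect server: 'echo' echoes the probe, 'rst' resets."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handler() -> None:
        conn, _ = srv.accept()
        if behaviour == "echo":
            conn.sendall(conn.recv(1024))
        else:                         # SO_LINGER with zero timeout: close() sends RST, not FIN
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        srv.close()

    t = threading.Thread(target=handler, daemon=True)
    t.start()
    return srv.getsockname()[1], t


def demo_tcp_echo_vs_rst() -> Tuple[bool, bool]:
    """Probe a well-behaved echo server and an RST-sending one on localhost."""
    echo_port, t1 = _serve_once("echo")
    rst_port, t2 = _serve_once("rst")
    echo_ok = tcp_echo_probe("127.0.0.1", echo_port)
    rst_ok = tcp_echo_probe("127.0.0.1", rst_port)
    t1.join(2)
    t2.join(2)
    return echo_ok, rst_ok            # (True, False)
```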
Changing interface MTU packet size
To improve network performance, you can change the maximum transmission unit (MTU)
of the packets that the FortiGate unit transmits. Ideally, the MTU should be the same as
the smallest MTU of all the networks between the FortiGate unit and the destination of the
packets. If the packets that the FortiGate unit sends are larger than the smallest MTU,
they are broken up or fragmented, which slows down transmission. You can easily
experiment by lowering the MTU to find an MTU size for optimum network performance.
Certain interfaces on some FortiGate models support frames larger than the traditional
1500 bytes. Contact Fortinet Customer Support for the maximum frame sizes your
FortiGate unit supports.
To be able to send larger frames over a route, all Ethernet devices on that route must
support that larger frame size, otherwise your larger frames will not be recognized and are
dropped.
If you have standard size and larger size frame traffic on the same interface, routing alone
cannot route them to different routes based only on frame size. However you can use
VLANs to make sure the larger frame traffic is routed over network devices that support
that larger size. VLANs will inherit the MTU size from the parent interface. You will need to
configure the VLAN to include both ends of the route as well as all switches and routers
along the route. For more information on VLAN configurations, see the VLAN and VDOM
guide.
To change the MTU size of the packets leaving an interface
1 Go to System > Network > Interface.
2 Choose a physical interface and select Edit.
3 Below Administrative Access, select Override default MTU value (1500).
4 Set the MTU size.
If you select an MTU size larger than your FortiGate unit supports, an error message
will indicate this. In this situation, try a smaller MTU size until the value is supported.
Adding secondary IP addresses to an interface
If an interface is configured with a manual or static IP address, you can also add
secondary static IP addresses to the interface. Adding secondary IP addresses effectively
adds multiple IP addresses to the interface. The FortiGate unit, static and dynamic routing,
and the network see the secondary IP addresses as additional IP addresses that
terminate at the interface. Secondary IP addresses cannot be assigned using DHCP or
PPPoE.
Note: For more information about TCP echo and UDP echo, see RFC 862.
Note: If you change the MTU, you need to reboot the FortiGate unit to update the MTU
value of VLAN subinterfaces on the modified interface.
Note: In Transparent mode, if you change the MTU of an interface, you must change the
MTU of all interfaces on the FortiGate unit to match the new MTU.
All of the IP addresses added to an interface are associated with the single MAC address
of the physical interface, and all secondary IP addresses are in the same VDOM as the
interface they are added to. You configure interface status detection for gateway load
balancing separately for each secondary IP address. As with all other interface IP
addresses, secondary IP addresses cannot be on the same subnet as any other primary
or secondary IP address assigned to a FortiGate interface unless they are in separate
VDOMs.
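The rules in the paragraph above (manual addressing only, an existing primary IP/Netmask, and no subnet overlap with any primary or secondary address in the same VDOM) as an added pre-change check in Python; this is example code, not FortiOS, and the interface table with its documentation-range addresses is constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed interface table: VDOM -> interface -> addressing mode and IP/netmask list
# (the first entry is the primary address, the rest are secondaries).
CONFIG: Dict[str, Dict[str, dict]] = {
    "root": {
        "port1": {"mode": "manual", "addrs": ["192.0.2.1/24", "198.51.100.1/24"]},
        "wan1": {"mode": "dhcp", "addrs": []},
    },
    "vdom2": {
        "port3": {"mode": "manual", "addrs": ["203.0.113.1/24"]},
    },
}


def vdom_addresses(config: Dict, vdom: str) -> List[Tuple[str, ipaddress.IPv4Interface]]:
    """Every primary and secondary address configured in one VDOM."""
    out = []
    for iface, cfg in config.get(vdom, {}).items():
        for cidr in cfg["addrs"]:
            out.append((iface, ipaddress.ip_interface(cidr)))
    return out


def can_add_secondary(config: Dict, vdom: str, iface: str, cidr: str) -> Tuple[bool, str]:
    """Decide whether cidr may be added as a secondary IP on iface in vdom.
    The new subnet may not overlap any primary or secondary subnet on any interface
    in the same VDOM; addresses in other VDOMs are deliberately not compared."""
    cfg = config.get(vdom, {}).get(iface)
    if cfg is None:
        return False, f"{iface} not found in VDOM {vdom}"
    if cfg["mode"] != "manual":
        return False, f"{iface} uses {cfg['mode']}; secondary IPs need manual addressing"
    if not cfg["addrs"]:
        return False, f"{iface} has no primary IP/Netmask yet"
    new = ipaddress.ip_interface(cidr)
    for other_iface, existing in vdom_addresses(config, vdom):
        if new.network.overlaps(existing.network):
            return False, f"{new} overlaps {existing} on {other_iface} in VDOM {vdom}"
    return True, "ok"


def find_subnet_conflicts(config: Dict) -> List[str]:
    """Audit an existing table: report every pair of overlapping subnets within a VDOM."""
    findings = []
    for vdom in config:
        addrs = vdom_addresses(config, vdom)
        for i, (if_a, a) in enumerate(addrs):
            for if_b, b in addrs[i + 1:]:
                if a.network.overlaps(b.network):
                    findings.append(f"{vdom}: {if_a} {a} overlaps {if_b} {b}")
    return findings
```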
To add secondary IP addresses to an interface
1 Go to System > Network > Interface.
2 Edit the physical interface to add secondary IP addresses to.
3 Make sure the interface Addressing Mode is set to Manual and that you have added an
IP/Netmask to the interface.
4 Select the blue arrow to expand the Secondary IP Address section.
5 Configure the settings for a secondary IP address and select OK to add the address
and its configuration settings to the interface.
6 Repeat to add more secondary IP addresses.
7 Select OK or Apply at the bottom of the Edit Interface dialog to add the secondary IP
addresses to the interface.
Figure 74: Adding Secondary IP Addresses
Tip: After adding secondary IP addresses and selecting OK to save changes to the Edit
Interface dialog you should edit the interface again to make sure the secondary IP
addresses have been added as expected.
IP/Netmask Enter the IP address/subnet mask of the secondary IP address.
The Secondary IP address must be on a different subnet than the Primary IP
address. To
Detect Interface Status for Gateway Load Balancing Configure interface status detection for
the secondary IP address. See Configuring interface status detection for gateway load
balancing on page 165.
Administrative Access Select the types of administrative access permitted on the secondary IP.
HTTPS Allow secure HTTPS connections to the web-based manager through this
secondary IP.
Adding software switch interfaces
You can add software switch interfaces (also called soft switch interfaces) from the
FortiGate CLI. A software switch interface forms a simple bridge between two or more
physical or wireless FortiGate interfaces. The interfaces added to a software switch
interface are called physical interface members. The members of a software switch
interface cannot be accessed as individual interfaces after being added to a software
switch interface. They are removed from the system interface table.
Similar to aggregate interfaces, a software switch interface functions like a normal
interface. A software switch interface has one IP address. You create firewall policies to
and from software switch interfaces and software switch interfaces can be added to
zones. There are some limitations; software switch interfaces cannot be monitored by HA
or used as HA heartbeat interfaces.
To add interfaces to a software switch interface, no configuration settings can refer to
those interfaces. This includes default routes, VLANs, inter-VDOM links, and policies.
Use the following CLI command to add a software switch interface called soft_switch
that includes the port1, external and dmz physical interfaces:
PING Allow secondary IP to respond to pings. Use this setting to verify your
installation and for testing.
HTTP Allow HTTP connections to the web-based manager through this secondary
IP. HTTP connections are not secure and can be intercepted by a third party.
SSH Allow SSH connections to the CLI through this secondary IP.
SNMP Allow a remote SNMP manager to request SNMP information by connecting
to this secondary IP. See Configuring SNMP on page 214.
TELNET Allow Telnet connections to the CLI through this secondary IP. Telnet
connections are not secure and can be intercepted by a third party.
OK Select to add the configured secondary IP address to the secondary IP table.
Addresses in this table are not added to the interface until you select OK or
Apply.
Secondary IP address table A table that displays all the secondary IP addresses that have
been added to this interface.
These addresses are not permanently added to the interface until you select
OK or Apply at the bottom of the Edit Interface dialog.
# The identifying number of the secondary IP address.
IP/Netmask The IP address and netmask for the secondary IP.
Detect Server Enable Indicates whether interface status detection is enabled for the
secondary IP address.
Detect Server The IP address of the detect server for the secondary IP address. The same
detect server can be shared by multiple secondary IP addresses.
Detect Protocol The detect protocols configured for the secondary IP address.
Administrative Access The administrative access methods for this address. They can be
different from the primary IP address.
Delete Icon Select to remove this secondary IP address.
Edit Icon Edit the selected secondary IP address. When you select the Edit icon the
settings for the secondary IP address to edit appear in the fields above the
secondary IP address table. You can edit these settings and select OK to
save changes to the secondary IP address.
Note: If you select the Edit icon to edit a secondary IP address and change
the IP/Netmask, when you select OK a new secondary IP address is added.
If you only wanted to change the IP/Netmask and not add a new secondary
IP address you should delete the secondary IP address that you selected the
Edit icon for.
config system switch-interface
    edit soft_switch
        set members port1 external dmz
end
Configuring zones
Group interfaces into zones to simplify policy creation. By grouping interfaces into a zone
you can add one set of firewall policies for the zone instead of adding separate policies for
each interface. Once you add interfaces to a zone you cannot configure policies for the
interfaces, but only for the zone.
You can add all types of interfaces to a zone (physical, VLAN, switch, and so on) and a
zone can consist of any combination of interface types. You can add zones, rename and
edit zones, and delete zones from the zone list. When you add a zone, you select the
names of the interfaces to add to the zone.
Zones are configured from virtual domains. If you have added multiple virtual domains to
your FortiGate configuration, make sure you are configuring the correct virtual domain
before adding or editing zones.
Figure 75: Zone list
Configuring the modem interface
A FortiGate unit can include a modem interface if you connect a modem in one of the
following ways:
Create New Select to create a new zone.
Name Names of the zones.
Block intra-zone traffic Displays Yes if traffic between interfaces in the same zone is blocked and
No if traffic between interfaces in the same zone is not blocked.
Interface Members Names of the interfaces added to the zone. Interface names depend on
the FortiGate model.
Edit/View icons Edit or view a zone.
Delete icon Delete a zone.
You can connect a supported USB modem to any FortiGate model with a USB interface.
You can connect a supported serial modem to any FortiGate model with a serial modem
port.
You can insert a supported PCMCIA modem into any FortiGate model with a PCMCIA
slot. Power off the FortiGate unit before inserting the PCMCIA modem. After inserting
the modem, when you power up the FortiGate unit it should automatically find the
modem and create the modem interface.
In NAT/Route mode the modem can be in one of two modes:
In redundant (backup) mode, the modem interface automatically takes over from a
selected ethernet interface when that ethernet interface is unavailable.
In standalone mode, the modem interface is the connection from the FortiGate unit to
the Internet.
In redundant or standalone mode when connecting to the ISP, you can configure the
FortiGate unit to automatically have the modem dial up to three dialup accounts until the
modem connects to an ISP.
Other models can connect to an external modem through a USB-to-serial converter. For
these models, you must configure modem operation using the CLI.
Initially modem interfaces are disabled, and must be enabled in the CLI to be visible in the
web-based manager. See the system modem command in the FortiGate CLI Reference.
This section describes:
Configuring modem settings
Redundant mode configuration
Standalone mode configuration
Adding firewall policies for modem connections
Connecting and disconnecting the modem
Checking modem status
Configuring modem settings
Configure modem settings so that the FortiGate unit uses the modem to connect to your
ISP dialup accounts. You can configure up to three dialup accounts, select standalone or
redundant operation, and configure how the modem dials and disconnects.
For FortiGate-60B and FortiWifi-60B models with modems, the modem can be a
management interface. When enabled, a user can dial into the unit's modem and perform
administration actions as if logged in over one of the standard interfaces. This feature is
enabled in the CLI using
config system dialinsvr.
If VDOMs are enabled, the modem can be assigned to one of the VDOMs just like the
other interfaces.
If the modem is disabled it will not appear in the interface list, and must be enabled from
the CLI using:
config system modem
Note: The modem interface is not the AUX port. While the modem and AUX port may
appear similar, the AUX port has no associated interface and is used for remote console
connection. The AUX port is only available on FortiGate models 1000A, 1000AFA2, and
3000A. For more information, see the config system aux command in the
FortiGate CLI Reference.
    set status enable
end
Figure 76 shows only the settings specific to standalone mode. The remaining settings
are common to both standalone and redundant modes and are shown in Figure 77.
Figure 76: Modem settings (Standalone)
Figure 77: Modem settings (Redundant)
Note: You cannot configure and use the modem in Transparent mode.
Enable Modem Select to enable the FortiGate modem.
Modem status Modem status can be: not active, connecting, connected, disconnecting,
or hung up.
Dial Now/Hang Up (Standalone mode only) Select Dial Now to manually connect to a dialup
account. If the modem is connected, you can select Hang Up to
manually disconnect the modem.
To configure the modem in Redundant mode, see Redundant mode configuration on
page 173.
To configure the modem in Standalone mode, see Standalone mode configuration on
page 174.
Redundant mode configuration
In redundant mode the modem interface backs up a selected ethernet interface. If that
ethernet interface disconnects from its network, the modem automatically dials the
configured dialup accounts. When the modem connects to a dialup account, the FortiGate
unit routes IP packets normally destined for the selected ethernet interface to the modem
interface.
Mode Select Standalone or Redundant mode.
Auto-dial (Standalone mode) Select to dial the modem automatically if the connection is lost
or the FortiGate unit is restarted.
You cannot select Auto-dial if Dial on demand is selected.
Dial on demand (Standalone mode) Select to dial the modem when packets are routed to the
modem interface. The modem disconnects after the idle timeout period if there is
no network activity.
You cannot select Dial on demand if Auto-dial is selected.
Idle timeout (Standalone mode) Enter the timeout duration in minutes. After this period of
inactivity, the modem disconnects.
Redundant for (Redundant mode) Select the ethernet interface for which the modem provides
backup service.
Holddown Timer (Redundant mode) Enter the time (1-60 seconds) that the FortiGate
unit waits before switching back to the primary interface from the modem
interface, after the primary interface has been restored. The default is 1
second. Configure a higher value if you find the FortiGate unit switching
repeatedly between the primary interface and the modem interface.
Redial Limit The maximum number of times (1-10) that the FortiGate unit modem
attempts to reconnect to the ISP if the connection fails. The default redial
limit is 1. Select None to have no limit on redial attempts.
Wireless Modem Display a connected wireless modem if available.
Supported Modems Select to view a list of supported modems.
Usage History Display connections made on the modem interface. Information
displayed about connections includes:
date and time
duration of the connection in hours, minutes, and seconds
IP address connected to
traffic statistics including received, sent, and total
current status of the connection
Dialup Account Configure up to three dialup accounts. The FortiGate unit tries
connecting to each account in order until a connection can be
established.
The active dialup account is indicated with a green check mark.
Phone Number The phone number required to connect to the dialup account. Do not add
spaces to the phone number. Make sure to include standard special
characters for pauses, country codes, and other functions as required by
your modem to connect to your dialup account.
User Name The user name (maximum 63 characters) sent to the ISP.
Password The password sent to the ISP.
The FortiGate unit disconnects the modem interface and switches back to the ethernet
interface when the ethernet interface is able to connect to its network. You can set a
holddown timer that delays the switch back to the ethernet interface to ensure it is stable
and fully active before switching the traffic.
The modem will disconnect after a period of network inactivity set by the value in idle
timeout. This saves money on dialup connection charges.
For the FortiGate unit to be able to switch from an ethernet interface to the modem, you
must select the name of the interface in the modem configuration and configure a ping
server for that interface. You must also configure firewall policies for connections between
the modem interface and other FortiGate interfaces.
To configure redundant mode
1 Go to System > Network > Modem.
2 Select Redundant mode.
3 Enter the following information:
4 Select Apply.
5 Configure interface status detection for the ethernet interface the modem backs up.
See Configuring interface status detection for gateway load balancing on page 165.
6 Configure firewall policies for network connectivity through the modem interface.
See Adding firewall policies for modem connections on page 175.
Standalone mode configuration
In standalone mode, the modem connects to a dialup account to provide a connection to
the Internet. You can configure the modem to dial when the FortiGate unit restarts or when
there are unrouted packets. You can also hang up or redial the modem manually.
If the connection to the dialup account fails, the FortiGate unit will redial the modem. The
modem redials the number of times specified by the redial limit, or until it connects to a
dialup account.
The modem will disconnect after a period of network inactivity set by the value in idle
timeout. This saves money on dialup connection charges.
You must configure firewall policies for connections between the modem interface and
other FortiGate interfaces.
You must also go to Router > Static to configure static routes to route traffic to the modem
interface. For example, if the modem interface is acting as the FortiGate unit external
interface you must set the device setting of the FortiGate unit default route to modem.
Note: Do not add policies for connections between the modem interface and the ethernet
interface that the modem is backing up.
Redundant for From the list, select the interface to back up.
Holddown timer Enter the number of seconds to continue using the modem after the
network connectivity is restored.
Redial Limit Enter the maximum number of times to retry if the ISP does not answer.
Dialup Account 1, Dialup Account 2, Dialup Account 3 Enter the ISP phone number, user
name and password for up to three dialup accounts.
To configure standalone mode
1 Go to System > Network > Modem.
2 Select Standalone mode.
3 Enter the following information:
4 Select Apply.
5 Configure firewall policies for network connectivity through the modem interface.
See Adding firewall policies for modem connections on page 175.
6 Go to Router > Static and set device to modem to configure static routes to route
traffic to the modem interface.
See Adding a static route to the routing table on page 320.
Adding firewall policies for modem connections
The modem interface requires firewall addresses and policies. You can add one or more
addresses to the modem interface. For information about adding addresses, see
Configuring addresses on page 397.
You can configure firewall policies to control the flow of packets between the modem
interface and the other interfaces on the FortiGate unit. For information on configuring
firewall policies, see Configuring firewall policies on page 367.
Connecting and disconnecting the modem
To connect to a dialup account
1 Go to System > Network > Modem.
2 Select Enable USB Modem.
3 Verify the information in Dialup Accounts.
4 Select Apply.
5 Select Dial Now.
The FortiGate unit dials into each dialup account in turn until the modem connects to
an ISP.
To disconnect from a dialup account
1 Go to System > Network > Modem.
2 Select Hang Up to disconnect the modem.
Auto-dial Select if you want the modem to dial when the FortiGate unit restarts.
Dial on demand Select if you want the modem to connect to its ISP whenever there are
unrouted packets.
Idle timeout Enter the timeout duration in minutes. After this period of inactivity, the
modem disconnects.
Redial Limit Enter the maximum number of times to retry if the ISP does not answer.
Dialup Account 1, Dialup Account 2, Dialup Account 3 Enter the ISP phone number, user
name and password for up to three dialup accounts.
Note: The modem must be in Standalone mode before connecting or disconnecting from a
dialup account.
Checking modem status
You can determine the connection status of your modem and which dialup account is
active. If the modem is connected to the ISP, you can see the IP address and netmask.
To check the modem status, go to System > Network > Modem.
Modem status is one of the following:
A green check mark indicates the active dialup account.
The IP address and netmask assigned to the modem interface appear on the System >
Network > Interface screen of the web-based manager.
Configuring Networking Options
Network options include DNS server and dead gateway detection settings. Dead gateway
detection settings control how interface status detection functions.
Figure 78: Configuring Networking Options
not active The modem is not connected to the ISP.
connecting The modem is attempting to connect to the ISP.
connected The modem is connected to the ISP.
disconnecting The modem is disconnecting from the ISP.
hung up The modem has disconnected from the ISP. (Standalone mode only)
The modem will not redial unless you select Dial Now.
DNS Settings
Primary DNS Server Enter the primary DNS server IP address.
Secondary DNS Server Enter the secondary DNS server IP address.
Local Domain Name Enter the domain name to append to addresses with no domain
portion when performing DNS lookups.
IPv6 DNS Settings
Primary DNS Server Enter the primary IPv6 DNS server IP address.
Secondary DNS Server Enter the secondary IPv6 DNS server IP address.
DNS Servers
Several FortiGate functions use DNS, including alert email and URL blocking. You can
specify the IP addresses of the DNS servers to which your FortiGate unit connects. DNS
server IP addresses are usually supplied by your ISP.
You can configure FortiGate models numbered 100 and lower to obtain DNS server
addresses automatically. To obtain these addresses automatically, at least one FortiGate
unit interface must use the DHCP or PPPoE addressing mode. See Configuring DHCP
on an interface on page 161 or Configuring PPPoE on an interface on page 162.
FortiGate models 100 and lower can provide DNS Forwarding on their interfaces. Hosts
on the attached network use the interface IP address as their DNS server. DNS requests
sent to the interface are forwarded to the DNS server addresses that you configured or
that the FortiGate unit obtained automatically.
Configuring FortiGate DNS services
You can configure a FortiGate unit to be the DNS server for any networks that can
communicate with a FortiGate interface. You set up the DNS configuration for each
interface in one of the following ways:
The interface relays DNS requests to the DNS servers configured for the FortiGate unit
under System > Network > Options. See To configure a FortiGate interface to relay
DNS requests to external DNS servers on page 179.
The interface resolves DNS requests using a FortiGate DNS database. DNS requests
for host names not in the FortiGate DNS database are dropped. See To configure a
FortiGate interface to resolve DNS requests using only the FortiGate DNS database
on page 179.
The interface resolves DNS requests using the FortiGate DNS database and relays
DNS requests for host names not in the FortiGate DNS database to the DNS servers
configured for the FortiGate unit under System > Network > Options. This is called a
split DNS configuration. See To configure a split DNS configuration on page 180.
If virtual domains are not enabled you can create one DNS database that can be shared
by all the FortiGate interfaces.
If virtual domains are enabled, you create a DNS database in each VDOM. All of the
interfaces in a VDOM share the DNS database in that VDOM.
This section describes:
About split DNS
Configuring FortiGate DNS services
Dead Gateway Detection Configure interface status detection for one or more FortiGate
interfaces and use the dead gateway detection settings to configure
how interface status detection functions. For information, see
Configuring interface status detection for gateway load balancing
on page 165.
Detection Interval Enter a number in seconds to specify how often the FortiGate unit
detects interface status.
Fail-over Detection Enter the number of times that interface status tests fail before the
FortiGate unit assumes that the interface is no longer functioning.
About split DNS
In a split DNS configuration you create a DNS database on the FortiGate unit, usually for
host names on an internal network or for a local domain. When users on the internal
network attempt to connect to these host names the IP addresses are provided by the
FortiGate unit DNS database. Host names that are not in the FortiGate unit DNS database
are resolved by relaying the DNS lookup to an external DNS server.
A split DNS configuration can be used to provide internal users access to resources on
your private network that can also be accessed from the Internet. For example, you could
have a public web server behind a FortiGate unit operating in NAT/Route mode. Users on
the Internet access this web server using a port forwarding virtual IP. So the web server
has a public IP address for internet users. But you may want users on your internal
network to access the server using its private IP address to keep traffic from internal users
off of the Internet. To do this, you create a split DNS configuration on the FortiGate unit
and add the host name of the server to the FortiGate DNS database, but include the
internal IP address of the server instead of the external IP address. Because the FortiGate
unit checks the FortiGate DNS database first, all DNS lookups for the server host name
will return the internal IP address of the server.
For an example of how to configure split DNS, see To configure a split DNS
configuration on page 180.
Configuring FortiGate DNS services
This section provides a general procedure for configuring FortiGate DNS as well as
specific procedures for configuring a FortiGate interface to provide DNS services in
different ways.
General FortiGate DNS server configuration
1 Go to System > Network > Options and add the IP addresses of a Primary and Secondary DNS server.
These should be the DNS servers provided by your ISP or other public DNS servers. The FortiGate unit uses these DNS servers for its own DNS lookups and can be used to supply DNS lookups for your internal networks. See Configuring Networking Options on page 176.
2 Go to System > Network > Interface and edit the interface connected to a network that you want the FortiGate unit to be a DNS server for.
3 Select Enable DNS Query.
When you select Enable DNS Query, the FortiGate unit relays all DNS queries received by this interface to the DNS servers configured under System > Network > Options. Select Recursive or Non-Recursive to control how this works:
Recursive  Look up domain names in the FortiGate DNS database. If the entry is not found, relay the request to the DNS servers configured under System > Network > Options. Can be used for a split DNS configuration.
Non-Recursive  Look up domain names in the FortiGate DNS database. Do not relay the request to the DNS servers configured under System > Network > Options.
4 Go to System > Network > DNS Database and configure the FortiGate DNS database. Add zones and entries as required. See Configuring the FortiGate DNS database on page 180.
5 Configure the hosts on the internal network to use the FortiGate interface as their DNS
server.
If you are also using a FortiGate DHCP server to configure the hosts on this network,
add the IP address of the FortiGate interface to the DNS Server IP address list.
To configure a FortiGate interface to relay DNS requests to external DNS servers
Configure a FortiGate interface to relay DNS requests to the DNS servers configured for
the FortiGate unit under System > Network > Options.
1 Go to System > Network > Options and add the IP addresses of a Primary and
Secondary DNS server.
These should be the DNS servers provided by your ISP or other public DNS servers.
The FortiGate unit uses these DNS servers for its own DNS lookups and can be used
to supply DNS lookups for your internal networks. See Configuring Networking
Options on page 176.
2 Go to System > Network > Interface and edit the interface connected to a network that
you want the FortiGate unit to be a DNS server for.
3 Select Enable DNS Query and select Recursive.
The interface is configured to look up domain names in the FortiGate DNS database
and relay the requests for names not in the FortiGate DNS database to the DNS
servers configured under System > Network > Options. If you do not add entries to the
FortiGate DNS database all DNS requests are relayed to the DNS servers configured
under System > Network > Options.
4 Configure the hosts on the internal network to use the FortiGate interface as their DNS
server.
If you are also using a FortiGate DHCP server to configure the hosts on this network,
add the IP address of the FortiGate interface to the DNS Server IP address list.
To configure a FortiGate interface to resolve DNS requests using only the FortiGate
DNS database
Configure a FortiGate interface to resolve DNS requests using the FortiGate DNS
database and to drop requests for host names that are not in the FortiGate DNS database.
1 Go to System > Network > Options and add the IP addresses of a Primary and
Secondary DNS server.
These should be the DNS servers provided by your ISP or other public DNS servers.
The FortiGate unit uses these DNS servers for its own DNS lookups and can be used
to supply DNS lookups for your internal networks. See Configuring Networking
Options on page 176.
2 Go to System > Network > Interface and edit the interface connected to a network that
you want the FortiGate unit to be a DNS server for.
3 Select Enable DNS Query and select Non-Recursive.
When you select Non-Recursive only the entries in the FortiGate DNS database are
used.
4 Go to System > Network > DNS Database and configure the FortiGate DNS database.
Add zones and entries as required. See Configuring the FortiGate DNS database on
page 180.
5 Configure the hosts on the internal network to use the FortiGate interface as their DNS
server.
If you are also using a FortiGate DHCP server to configure the hosts on this network,
add the IP address of the FortiGate interface to the DNS Server IP address list.
To configure a split DNS configuration
Configure an interface to resolve DNS requests using the FortiGate DNS database and
relay DNS requests for host names not in the FortiGate DNS database to the DNS servers
configured under System > Network > Options. This is called a split DNS configuration.
See About split DNS on page 178.
1 Go to System > Network > Options and add the IP addresses of a Primary and
Secondary DNS server.
These should be the DNS servers provided by your ISP or other public DNS servers.
The FortiGate unit uses these DNS servers for its own DNS lookups and can be used
to supply DNS lookups for your internal networks. See Configuring Networking
Options on page 176.
2 Go to System > Network > Interface and edit the interface connected to a network that
you want the FortiGate unit to be a DNS server for.
3 Select Enable DNS Query and select Recursive.
The interface is configured to look up domain names in the FortiGate DNS database
and relay the requests for names not in the FortiGate DNS database to the DNS
servers configured under System > Network > Options. You can add entries to the
FortiGate DNS database for users on the internal network.
4 Go to System > Network > DNS Database and configure the FortiGate DNS database.
Add zones and entries as required for users on the internal network. See Configuring
the FortiGate DNS database on page 180.
5 Configure the hosts on the internal network to use the FortiGate interface as their DNS
server.
If you are also using a FortiGate DHCP server to configure the hosts on this network,
add the IP address of the FortiGate interface to the DNS Server IP address list.
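The resolution order the split DNS procedure above relies on (FortiGate DNS database first, then relay or drop depending on the interface's Recursive or Non-Recursive setting), as an added example that is not Fortinet code: a small in-memory DNS database of zones and entries using the A, AAAA, NS, CNAME and MX types the DNS database accepts, and a resolver that applies both query modes. The zone, host names, addresses and the upstream record table are constructed sample values standing in for the DNS servers configured under System > Network > Options.

```python
"""Model of the split DNS resolution order described above (added example)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

ENTRY_TYPES = {"A", "AAAA", "NS", "CNAME", "MX"}


@dataclass
class Entry:
    rtype: str
    hostname: str
    value: str           # IP address, canonical name, name server or mail exchanger
    ttl: int = 0         # 0 means "use the Zone TTL value"
    preference: int = 0  # MX preference, 0 to 65535


@dataclass
class Zone:
    domain: str
    ttl: int             # zone TTL in seconds, 0 to 2147483647
    entries: List[Entry] = field(default_factory=list)

    def add(self, entry: Entry) -> None:
        # Reject values the DNS database form would not accept.
        if entry.rtype not in ENTRY_TYPES:
            raise ValueError(f"unknown entry type {entry.rtype!r}")
        if not 0 <= entry.ttl <= 2_147_483_647:
            raise ValueError("entry TTL out of range")
        if entry.rtype == "MX" and not 0 <= entry.preference <= 65_535:
            raise ValueError("MX preference out of range")
        self.entries.append(entry)


@dataclass
class Answer:
    source: str          # "database" (FortiGate DNS database) or "relay" (upstream)
    rtype: str
    value: str
    ttl: int


Upstream = Callable[[str, str], Optional[Answer]]


class SplitResolver:
    """Database first; names not found are relayed (Recursive) or dropped (Non-Recursive)."""

    def __init__(self, zones: List[Zone], upstream: Upstream, mode: str = "recursive"):
        if mode not in ("recursive", "non-recursive"):
            raise ValueError("mode must be 'recursive' or 'non-recursive'")
        self.zones, self.upstream, self.mode = zones, upstream, mode

    def _lookup_database(self, fqdn: str, rtype: str) -> Optional[Answer]:
        name = fqdn.rstrip(".").lower()
        for zone in self.zones:
            suffix = "." + zone.domain.lower()
            if not name.endswith(suffix):
                continue
            host = name[: -len(suffix)]
            for e in zone.entries:
                if e.hostname.lower() == host and e.rtype == rtype:
                    # An entry TTL of 0 falls back to the zone TTL.
                    return Answer("database", e.rtype, e.value, e.ttl or zone.ttl)
        return None

    def resolve(self, fqdn: str, rtype: str = "A") -> Optional[Answer]:
        hit = self._lookup_database(fqdn, rtype)
        if hit is not None:
            return hit
        if self.mode == "non-recursive":
            return None            # not in the database and not relayed
        return self.upstream(fqdn, rtype)


def demo_resolver(mode: str = "recursive") -> SplitResolver:
    """Constructed setup: internal zone for example.com; upstream holds public records."""
    internal = Zone(domain="example.com", ttl=3600)
    internal.add(Entry("A", "www", "10.0.0.5"))  # private address of the public web server
    internal.add(Entry("MX", "mail", "mail.example.com", ttl=300, preference=10))

    public_records = {  # stands in for the ISP DNS servers (constructed)
        ("www.example.com", "A"): "203.0.113.10",
        ("outside.example.net", "A"): "198.51.100.7",
    }

    def upstream(fqdn: str, rtype: str) -> Optional[Answer]:
        value = public_records.get((fqdn.rstrip(".").lower(), rtype))
        return Answer("relay", rtype, value, 60) if value else None

    return SplitResolver([internal], upstream, mode)


if __name__ == "__main__":
    for mode in ("recursive", "non-recursive"):
        r = demo_resolver(mode)
        for q in ("www.example.com", "outside.example.net"):
            print(mode, q, r.resolve(q))
```

Run it and the internal host answers from the database with its private address in both modes, while the external name is relayed only in recursive mode and dropped in non-recursive mode.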
Configuring the FortiGate DNS database
Configure the FortiGate DNS database so that DNS lookups from an internal network are
resolved by the FortiGate DNS database. To configure the DNS database you add zones.
Each zone has its own domain name.
You then add entries to each zone. An entry is an host name and the IP address it
resolves to. You can also specify if the entry is an IPv4 address (A), an IPv6 address
(AAAA), a name server (NS), a canonical name (CNAME), or a mail exchange (MX)
name.
Go to System > Network > DNS Database to configure the FortiGate DNS database.
System Network Configuring FortiGate DNS services
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20091022 181
http://docs.fortinet.com/ Feedback
Figure 79: Configuring the FortiGate DNS database
DNS Database list
Create New Add a new DNS zone to the DNS database list.
DNS Zone The names of the DNS zones added to the DNS database list.
Domain Name The domain name of each zone.
TTL The TTL value for the domain name which is the packet time to live in seconds.
The range is 0 to 2 147 483 647.
# of Entries The number of entries in the zone.
Delete icon Delete an zone from the DNS database.
Edit icon Select Edit beside an existing zone to modify it.
Adding or modifying zones
Create New Select to add a new entry to the zone. Each zone contains entries for one domain
name.
Delete icon Delete a DNS entry from the zone.
Edit icon Select Edit beside an existing DNS entry to modify it.
Type The type of DNS entry. Can be an IPv4 address (A), an IPv6 address (AAAA), a
name server (NS), a canonical name (CNAME), or a mail exchange (MX) name.
Details A description of the entry.
Adding or modifying DNS entries
Type Select the type of entry to add. The options change depending on the type.
Hostname Enter the host name. Available for all Types.
Delete
Edit Edit Edit
Delete
Delete
Edit Edit Edit
IP Address  Enter the host's IP address (IPv4). Available if Type is Address (A).
IPv6 Address  Enter the host's IP address (IPv6). Available if Type is IPv6 Address (AAAA).
Canonical Name  Enter the host's fully qualified domain name. Available if Type is Canonical Name (CNAME).
Preference  Enter the MX preference value. Range 0 to 65 535. Available if Type is Mail Exchange (MX).
TTL (seconds)  Enter the TTL value. Enter 0 to use the Zone TTL value.
Configuring the explicit web proxy
You can use the Web Proxy settings and FortiGate interface settings to enable explicit HTTP and HTTPS proxying on one or more interfaces. When enabled, the FortiGate unit becomes a web proxy server. All HTTP and HTTPS sessions received by interfaces with Explicit web proxy enabled are intercepted by the explicit web proxy and relayed to their destinations.
To use the explicit proxy, users must add the IP address of a FortiGate interface and the explicit proxy port number to the proxy configuration settings of their web browsers.
On FortiGate units that support WAN optimization you can also enable web caching for the explicit proxy.
To enable explicit web proxy on an interface, go to System > Network > Interface, select the interface, and enable explicit web proxy. If VDOMs are enabled, only interfaces that belong to the current VDOM and have explicit web proxy enabled will be displayed. If you enable the web proxy on an interface that has VLANs on it, the VLANs will only be enabled for web proxy if you manually enable each of them. Web proxy is not in the Global Network section when VDOMs are enabled. Web proxies are configured for each VDOM when VDOMs are enabled.
For a more complete description of the FortiGate web proxy, including a configuration example, see the FortiGate WAN Optimization, Web Cache, and Web Proxy User Guide.
To configure the explicit web proxy go to System > Network > Web Proxy.
Figure 80: Configuring Web Proxy settings
Note: To enable protection profiles for explicit web proxy traffic, you must configure 2 VDOMs and use inter-VDOM routing to pass the web traffic between them.
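The X-Forwarded-For header that the Web Proxy settings' X-forwarded-for Header option adds to forwarded requests, seen from both sides as an added example that is not Fortinet code. It assumes the standard XFF convention: each proxy appends the address it received the request from, so the rightmost entry was written by the last proxy and everything further left came from the client or earlier hops and may be forged. A server on the internal network that receives the forwarded requests should therefore accept only entries written by proxies it knows. The trusted proxy address 10.0.0.1 and the client addresses are constructed sample values.

```python
"""Producing and consuming X-Forwarded-For around the explicit web proxy (added example)."""
import ipaddress
from typing import Dict, Optional

# Constructed: the FortiGate interface address the explicit proxy forwards from.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.1")}


def proxy_forward_headers(headers: Dict[str, str], client_ip: str) -> Dict[str, str]:
    """What an XFF-enabled proxy does before relaying: append the peer it saw."""
    out = dict(headers)
    prior = out.get("X-Forwarded-For")
    out["X-Forwarded-For"] = f"{prior}, {client_ip}" if prior else client_ip
    return out


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def client_address(peer_ip: str, headers: Dict[str, str]) -> str:
    """Originating client address for a request that arrived from peer_ip.

    Walks XFF from the right, skipping known proxies; the first address that is
    not a trusted proxy is the client. A malformed entry stops the walk and the
    peer address is used instead, so a bad header can never yield a made-up client.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return str(peer)          # direct connection: any XFF present is untrusted
    xff = _get_header(headers, "X-Forwarded-For")
    if not xff:
        return str(peer)
    for part in reversed(xff.split(",")):
        try:
            hop = ipaddress.ip_address(part.strip())
        except ValueError:
            return str(peer)      # malformed entry: do not guess
        if hop not in TRUSTED_PROXIES:
            return str(hop)
    return str(peer)              # only proxies listed


if __name__ == "__main__":
    forwarded = proxy_forward_headers({"X-Forwarded-For": "198.51.100.9"}, "192.0.2.5")
    print(forwarded["X-Forwarded-For"])                 # "198.51.100.9, 192.0.2.5"
    print(client_address("10.0.0.1", forwarded))        # "192.0.2.5"
    print(client_address("203.0.113.7", forwarded))     # "203.0.113.7": not via the proxy
```

The leftmost entry (198.51.100.9 above) is deliberately ignored: it arrived inside the client's own request and says nothing about who actually connected to the proxy.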
Proxy FQDN  Enter the fully qualified domain name (FQDN) for the proxy server. This is the domain name to enter into browsers to access the proxy server.
Max HTTP request length  Enter the maximum length of an HTTP request. Larger requests will be rejected.
Max HTTP message length  Enter the maximum length of an HTTP message. Larger messages will be rejected.
Add headers to Forwarded Requests  The web proxy server will forward HTTP requests to the internal network. You can include the following headers in those requests:
Client IP Header  Enable to include the Client IP Header from the original HTTP request.
Via Header  Enable to include the Via Header from the original HTTP request.
X-forwarded-for Header  Enable to include the X-Forwarded-For (XFF) HTTP header. The XFF HTTP header identifies the originating IP address of a web client or browser that is connecting through an HTTP proxy, and the remote addresses it passed through to this point.
Front-end HTTPS Header  Enable to include the Front-end HTTP Header from the original HTTPS request.
Explicit Web Proxy Options  Web proxies can be transparent or explicit. A transparent web proxy does not modify the web traffic in any way, but just forwards it to the destination. An explicit web proxy can modify web traffic to provide extra services and administration. The explicit web proxy is configured with the following options.
Enable Explicit Web Proxy  Enable the explicit web proxy.
Port  Enter the explicit web proxy server port. To use the explicit proxy, users must add this port to their web browser proxy configuration. The default value of 0 means 8080.
Listen on Interfaces  Displays the interfaces that are being monitored by the explicit web proxy server.
Unknown HTTP version  Select the action to take when the proxy server must handle an unknown HTTP version request or message. Choose from either Reject or Best Effort. The Reject option is more secure.
Configuring WCCP
Using the FortiOS 4.0 customizable GUI feature you can add a WCCP widget to the web-based manager and use this widget to add WCCP entries to the FortiGate configuration.
Configure settings for Web Cache Communication Protocol (WCCP) version 2 to optimize web traffic, thus reducing transmission costs and downloading time.
When a web client (on a computer) makes a request for web content, WCCP allows the routers on the local network to redirect the web content requests to the appropriate web cache server on the local network. If the web cache server contains the information in the web content request, the web cache server sends the content directly to the local client. If the web cache does not contain the requested information, the web cache server will download the HTTP information, cache it, and send it to the local client. The local client is not aware this caching is taking place.
For web caching to function, local network traffic must be directed through one or more routers that are able to forward the HTTP requests to the web cache servers. The FortiGate unit can act as a WCCP version 2 enabled router and direct web content requests to configured web cache servers.
The web caching will speed up downloads by not accessing remote websites for each HTTP request. It will also reduce the amount of data a company network sends and receives over the Internet, reducing costs.
To configure WCCP from the web-based manager, go to System > Admin > Admin Profile and create a custom menu layout in your administrative profile and add the WCCP page. It is in the Additional content category. See Configuring an admin profile on page 258.
Figure 81: Adding WCCP entries
Service ID  Enter an ID number to identify the WCCP service.
Router IP  Enter an IP address known to all cache servers. This IP address identifies a FortiGate interface IP address to the cache servers. If all cache servers connect to the same FortiGate interface, then Router IP can be 0.0.0.0, and the FortiGate unit uses the IP address of that interface as the Router IP. If the cache servers can connect to different FortiGate interfaces, you must set Router IP to a single IP address, and this IP address must be added to the configuration of the cache servers.
Group Address  The IP multicast address used by the cache servers. Enter 0.0.0.0 to have the FortiGate unit ignore multicast WCCP traffic. Otherwise, Group Address must be from 224.0.0.0 to 239.255.255.255.
Server List  The IP addresses of the web cache servers.
Forward Method  Specify how the FortiGate unit forwards traffic to cache servers. You can select GRE (the default), L2, or Any. If Forward Method is Any the cache server determines the forward method.
Return Method  Specify how a cache server declines a redirected packet and returns it to the FortiGate unit. You can select GRE (the default), L2, or Any. If Return Method is Any the cache server determines the return method.
Assignment Method  Specify which assignment method the FortiGate unit prefers. You can select Hash (the default), Mask, or Any. If Assignment Method is Any the cache server determines the assignment method.
Authentication  Select to use MD5 authentication for the WCCP configuration.
Password  Enter an authentication password. Maximum length is 8 characters.
Routing table (Transparent Mode)
If your FortiGate unit is operating in Transparent mode you can go to System > Network > Routing Table to add static routes to control the flow of traffic through the FortiGate unit.
Figure 82: Static routing table - Transparent Mode
Note: In NAT/Route mode the static routing table is located at System > Routing > Static.
Create New  Add a new Transparent mode static route.
IP/Mask  The destination IP address and netmask for the route.
Gateway  The IP address of the next hop router to which the route directs traffic. For an Internet connection, the next hop routing gateway routes traffic to the Internet.
Delete icon  Remove a route.
View/edit icon  Edit or view a route.
Destination IP/Mask  Enter the destination IP address and netmask for the route. To create a default route, set the IP and netmask to 0.0.0.0.
System Wireless
This section describes how to configure the Wireless LAN interfaces on FortiWiFi units.
The majority of this section is applicable to all FortiWiFi units.
If you enable virtual domains (VDOMs) on the FortiGate unit, MAC filters and wireless
monitor are configured separately for each virtual domain. System wireless settings are
configured globally. For details, see Using virtual domains on page 125.
This section describes:
FortiWiFi wireless interfaces
Channel assignments
Wireless settings
Wireless MAC Filter
Wireless Monitor
Rogue AP detection
FortiWiFi wireless interfaces
FortiWiFi units support up to four wireless interfaces and four different SSIDs. Each
wireless interface should have a different SSID and each wireless interface can have
different security settings. For details on adding wireless interfaces, see Adding a
wireless interface on page 191.
You can configure the FortiWiFi unit to:
Provide an access point that clients with wireless network cards can connect to. This is
called Access Point mode, which is the default mode. All FortiWiFi units can have up to
4 wireless interfaces.
or
Connect the FortiWiFi unit to another wireless network. This is called Client mode. A
FortiWiFi unit operating in Client mode can only have one wireless interface.
or
Monitor access points within radio range. This is called Monitoring mode. You can
designate the detected access points as Accepted or Rogue for tracking purposes. No
access point or client operation is possible in this mode. But, you can enable
monitoring as a background activity while the unit is in Access Point mode.
FortiWiFi units support the following wireless network standards:
IEEE 802.11a (5-GHz Band)
IEEE 802.11b (2.4-GHz Band)
IEEE 802.11g (2.4-GHz Band)
WEP64 and WEP128 Wired Equivalent Privacy (WEP)
Wi-Fi Protected Access (WPA), WPA2 and WPA2 Auto using pre-shared keys or
RADIUS servers
Channel assignments
Depending on the wireless protocol selected, you have specific channels available to you,
depending on what region of the world you are in. Set the channel for the wireless network
by going to System > Wireless > Settings. For more information see Wireless settings on
page 190.
The following tables list the channel assignments for wireless networks for each supported
wireless protocol.
IEEE 802.11a channel numbers
Table 10 lists IEEE 802.11a channels supported for FortiWiFi products that support the IEEE 802.11a wireless standard. 802.11a is only available on FortiWiFi-60B units.
All channels are restricted to indoor usage except in the Americas, where both indoor and outdoor use is permitted on channels 52 through 64 in the United States.
Table 10: IEEE 802.11a (5-GHz Band) channel numbers
Regulatory Areas: Americas, Europe, Taiwan, Singapore, Japan
Channel number   Frequency (MHz)
34               5170
36               5180
38               5190
40               5200
42               5210
44               5220
46               5230
48               5240
52               5260
56               5280
60               5300
64               5320
149              5745
153              5765
157              5785
161              5805
IEEE 802.11b channel numbers
Table 11 lists IEEE 802.11b channels. All FortiWiFi units support 802.11b.
Mexico is included in the Americas regulatory domain. Channels 1 through 8 are for indoor use only. Channels 9 through 11 can be used indoors and outdoors. You must make sure that the channel number complies with the regulatory standards of Mexico.
Table 11: IEEE 802.11b (2.4-GHz Band) channel numbers
Regulatory Areas: Americas, EMEA, Israel, Japan
Channel number   Frequency (MHz)
1                2412
2                2417
3                2422
4                2427
5                2432
6                2437
7                2442
8                2447
9                2452
10               2457
11               2462
12               2467
13               2472
14               2484
IEEE 802.11g channel numbers
Table 12 lists IEEE 802.11g channels. All FortiWiFi products support 802.11g.
Table 12: IEEE 802.11g (2.4-GHz Band) channel numbers
Regulatory Areas: Americas, EMEA, Israel, Japan (CCK and OFDM modulation listed separately for each area)
Channel number   Frequency (MHz)
1                2412
2                2417
3                2422
4                2427
5                2432
6                2437
7                2442
8                2447
9                2452
10               2457
11               2462
12               2467
13               2472
14               2484
Wireless settings
To configure the wireless settings, go to System > Wireless > Settings.
By default the FortiWiFi unit includes one wireless interface, called wlan. If you are
operating your FortiWiFi unit in access point mode, you can add up to three virtual
wireless interfaces. All wireless interfaces use the same wireless parameters. That is, you
configure the wireless settings once, and all wireless interfaces use those settings. For
details on adding more wireless interfaces, see Adding a wireless interface on page 191.
When operating the FortiWiFi unit in Client mode, radio settings are not configurable.
Figure 83: FortiWiFi wireless parameters - Access Point mode
Figure 84: FortiWiFi wireless parameters - Client mode
Figure 85: FortiWiFi wireless parameters - Monitoring mode
Operation Mode  Select Change to switch operation modes.
Access Point: The FortiWiFi unit acts as an access point for wireless users to connect to send and receive information over a wireless network. It enables multiple wireless network users to access the network without the need to connect to it physically. The FortiWiFi unit can connect to the internal network and act as a firewall to the Internet.
Client: The FortiWiFi unit is set to receive transmissions from another access point. This enables you to connect remote users to an existing network using wireless protocols.
Monitoring: Scan for other access points. These are listed in the Rogue AP list. See Rogue AP detection on page 196.
Note: You cannot switch to Client mode or Monitoring mode if you have added virtual wireless interfaces. For these modes, there must be only one wireless interface, wlan.
Radio settings (Access Point mode only)
Band  Select the wireless frequency band. Be aware what wireless cards or devices your users have as it may limit their use of the wireless network. For example, if you configure the FortiWiFi unit for 802.11g and users have 802.11b devices, they may not be able to use the wireless network.
Geography  Select your country or region. This determines which channels are available. See Channel assignments on page 188 for channel information.
Channel  Select a channel for your wireless network or select Auto. The channels that you can select depend on the Geography setting. See Channel assignments on page 188 for channel information.
Tx Power  Set the transmitter power level. The higher the number, the larger the area the FortiWiFi will broadcast. If you want to keep the wireless signal to a small area, enter a smaller number.
Beacon Interval  Set the interval between beacon packets. Access Points broadcast Beacons or Traffic Indication Messages (TIM) to synchronize wireless networks. A higher value decreases the number of beacons sent; however, it may delay some wireless clients from connecting if they miss a beacon packet. Decreasing the value will increase the number of beacons sent; while this makes it quicker to find and connect to the wireless network, it requires more overhead, slowing throughput.
Background Rogue AP Scan  Perform the Monitoring mode scanning function while the unit is in Access Point mode. Scanning occurs while the access point is idle. The scan covers all wireless channels. Background scanning can reduce performance if the access point is busy. See Rogue AP detection on page 196.
Wireless interface list (Access Point and Client modes)
Interface  The name of the wireless interface. To modify wireless interface settings, select the interface name. To add more wireless interfaces in Access Point mode, see Adding a wireless interface on page 191.
MAC Address  The MAC address of the wireless interface.
SSID  The wireless service set identifier (SSID) or network name for the wireless interface. To communicate, an Access Point and its clients must use the same SSID.
SSID Broadcast  A green checkmark icon indicates that the wireless interface broadcasts its SSID. Broadcasting the SSID makes it possible for clients to connect to your wireless network without first knowing the SSID. This column is visible only in Access Point mode.
Security Mode  The wireless interface security mode: WEP64, WEP128, WPA, WPA2, WPA2 Auto or None.
Adding a wireless interface
You can add up to three virtual wireless interfaces to your access point. These additional interfaces share the same wireless parameters configured for the WLAN interface for Band, Geography, Channel, Tx Power, and Beacon Interval. Ensure each wireless interface has a unique SSID.
To add a wireless interface
1 Go to System > Network > Interface.
2 Select Create New.
3 Complete the following:
4 In the Wireless Settings section, complete the following and select OK:
Figure 86: Wireless interface settings (WEP)
Figure 87: Wireless interface settings (WAP)
Note: You cannot add additional wireless interfaces when the FortiWiFi unit is in Client
mode or Monitoring mode.
Name Enter a name for the wireless interface. The name cannot be the same
as an existing interface, zone or VDOM.
Type Select Wireless.
Address Mode The wireless interface can only be set as a manual address. Enter a
valid IP address and netmask.
If the FortiWiFi is running in Transparent mode, this field does not
appear. The interface will be on the same subnet as the other interfaces.
Administrative
Access
Set the administrative access for the interface.
SSID Enter the wireless service set identifier (SSID) or network name for this
wireless interface. Users who want to use the wireless network must configure
their computers with this network name.
SSID Broadcast Select to broadcast the SSID. Broadcasting the SSID enables clients to
connect to your wireless network without first knowing the SSID. For better
security, do not broadcast the SSID. If the interface is not broadcast, there is
less chance of an unwanted user connecting to your wireless network. If you
choose not to broadcast the SSID, you need to inform users of the SSID so
they can configure their wireless devices.
System Wireless Wireless MAC Filter
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20091022 193
http://docs.fortinet.com/ Feedback
Wireless MAC Filter
To improve the security of your wireless network, you can enable MAC address filtering on
the FortiWiFi unit. By enabling MAC address filtering, you define the wireless devices that
can access the network based on their system MAC address. When a user attempts to
access the wireless network, the FortiWiFi unit checks the MAC address of the user to the
list you created. If the MAC address is on the approved list, the user gains access to the
network. If the user is not in the list, the user is rejected.
Security mode Select the security mode for the wireless interface. Wireless users must use
the same security mode to be able to connect to this wireless interface.
None has no security. Any wireless user can connect to the wireless
network.
WEP64 64-bit web equivalent privacy (WEP). To use WEP64 you must
enter a Key containing 10 hexadecimal digits (0-9 a-f) and inform wireless
users of the key.
WEP128 128-bit WEP. To use WEP128 you must enter a Key containing 26
hexadecimal digits (0-9 a-f) and inform wireless users of the key.
WPA Wi-Fi protected access (WPA) security. To use WPA you must select
a data encryption method. You must also enter a pre-shared key containing at
least eight characters or select a RADIUS server. If you select a RADIUS
server the wireless clients must have accounts on the RADIUS server.
WPA2 WPA with more security features. To use WPA2 you must select a
data encryption method and enter a pre-shared key containing at least eight
characters or select a RADIUS server. If you select a RADIUS server the
wireless clients must have accounts on the RADIUS server.
WPA2 Auto the same security features as WPA2, but also accepts wireless
clients using WPA security. To use WPA2 Auto you must select a data
encryption method You must also enter a pre-shared key containing at least 8
characters or select a RADIUS server. If you select a RADIUS server the
wireless clients must have accounts on the RADIUS server.
Key Enter the security key. This field appears when selecting WEP64 or WEP128
security.
Data Encryption Select a data encryption method to be used by WPA, WPA2, or WPA Auto.
Select TKIP to use the Temporal Key Integrity Protocol (TKIP). Select AES to
use Advanced Encryption Standard (AES) encryption. AES is considered
more secure that TKIP. Some implementations of WPA may not support AES.
Pre-shared Key Enter the pre-shared key. This field appears when selecting WPA, WPA2, or
WPA2 Auto security.
RADIUS Server Select to use a RADIUS server when selecting WPA or WPA2 security. You
can use WPA or WPA2 Radius security to integrate your wireless network
configuration with a RADIUS or Windows AD server. Select a RADIUS server
name from the list. You must configure the Radius server by going to User >
RADIUS. For more information, see RADIUS on page 647.
RTS Threshold Set the Request to Send (RTS) threshold.
The RTS threshold is the maximum size, in bytes, of a packet that the
FortiWiFi will accept without sending RTS/CTS packets to the sending
wireless device. In some cases, larger packets being sent may cause
collisions, slowing data transmissions. By changing this value from the default
of 2346, you can configure the FortiWiFi unit to, in effect, have the sending
wireless device ask for clearance before sending larger transmissions. There
can still be risk of smaller packet collisions, however this is less likely.
A setting of 2346 bytes effectively disables this option.
Fragmentation Threshold Set the maximum size of a data packet before it is broken into smaller
packets, reducing the chance of packet collisions. If the packet is larger than
the threshold, the FortiWiFi unit will fragment the transmission. If the packet
size is less than the threshold, the FortiWiFi unit will not fragment the
transmission.
A setting of 2346 bytes effectively disables this option.
Alternatively, you can create a deny list. Similar to the allow list, you can configure the
wireless interface to allow all connections except those in the MAC address list.
Using MAC address filtering makes it more difficult for a hacker using random MAC
addresses or spoofing a MAC address to gain access to your network. Note that you can
configure one list per WLAN interface.
To allow or deny wireless access to wireless clients based on the MAC address of the
client wireless cards, go to System > Wireless > MAC Filter.
Managing the MAC Filter list
The MAC Filter list enables you to view the MAC addresses you have added to a wireless
interface and their status; either allow or deny. It also enables you to edit and manage
MAC Filter lists.
Figure 88: Wireless MAC filter list
Interface The name of the wireless interface.
MAC address The list of MAC addresses in the MAC filter list for the wireless interface.
List Access Allow or deny access to the listed MAC addresses for the wireless interface.
Enable Select to enable MAC filtering for the wireless interface.
Edit icon Edit the MAC address list for an interface.
To edit a MAC filter list
1 Go to System > Wireless > MAC Filter.
2 Select Edit for the wireless interface.
Figure 89: Wireless interface MAC filter
3 Complete the following and select OK:
List Access Select to allow or deny the addresses in the MAC Address list from
accessing the wireless network.
MAC Address Enter the MAC address to add to the list.
Add Add the entered MAC address to the list.
Remove Select one or more MAC addresses in the list and select Remove to
delete the MAC addresses from the list.
Wireless Monitor
Go to System > Wireless > Monitor to view information about your wireless network. In
Access Point mode, you can see who is connected to your wireless LAN. In Client mode,
you can see which access points are within radio range.
Figure 90: Wireless monitor - AP mode
Figure 91: Wireless monitor - Client mode
Statistics Statistical information about wireless performance for each
wireless interface.
AP Name / Name The name of the wireless interface.
Frequency The frequency that the wireless interface is operating at.
Should be around 5 GHz for 802.11a interfaces and around
2.4 GHz for 802.11b and 802.11g networks.
Signal Strength (dBm) The strength of the signal from the client.
Noise (dBm) The received noise level.
S/N (dB) The signal-to-noise ratio in decibels calculated from signal
strength and noise level.
Rx (KBytes) The amount of data in kilobytes received this session.
Tx (KBytes) The amount of data in kilobytes sent this session.
Clients list (AP mode) Real-time details about the client wireless devices that can
reach this FortiWiFi unit access point. Only devices on the
same radio band are listed.
MAC Address The MAC address of the connected wireless client.
IP Address The IP address assigned to the connected wireless client.
AP Name The name of the wireless interface that the client is connected
to.
Neighbor AP list (Client mode) Real-time details about the access points that the client can
receive.
MAC Address The MAC address of the connected wireless client.
SSID The wireless service set identifier (SSID) that this access point
broadcasts.
Channel The wireless radio channel that the access point uses.
Rate (M) The data rate of the access point in Mbits/s.
RSSI The received signal strength indication, a relative value
between 0 (minimum) and 255 (maximum).
Rogue AP detection
On models that support Rogue Access Point Detection, you can select Monitoring mode to
scan for available wireless access points. You can also enable scanning in the
background while the unit is in Access Point mode.
To enable the monitoring mode
1 Go to System > Wireless > Settings.
2 Select Change beside the current operation mode.
3 Select Monitoring and then select OK.
4 Select OK to confirm the mode change.
5 Select Apply.
To enable background scanning
1 While in Access Point mode, go to System > Wireless > Settings.
2 Enable Background Rogue AP Scan and then select Apply.
Viewing wireless access points
Go to System > Wireless > Rogue AP to view detected access points. This is available in
Monitoring mode, or in Access Point mode with Background Rogue AP Scan enabled.
Access points are listed in the Unknown Access Points list until you mark them as either
Accepted or Rogue access points. This designation helps you to track access points. It
does not affect anyone's ability to use these access points.
Figure 92: Rogue Access Point list
You can also enter information about accepted and rogue APs in the CLI without having to
detect them first. See the system wireless ap-status command in the FortiGate
CLI Reference.
Refresh Interval Set time between information updates. none means no updates.
Refresh Updates displayed information now.
Inactive Access Points Select which inactive access points to show: all, none, those detected
less than one hour ago, or those detected less than one day ago.
Online A green checkmark indicates an active access point. A grey X indicates
that the access point is inactive.
SSID The wireless service set identifier (SSID) or network name for the
wireless interface.
MAC Address The MAC address of the Wireless interface.
Signal Strength /Noise The signal strength and noise level.
Channel The wireless radio channel that the access point uses.
Rate The data rate of the access point.
First Seen The date and time when the FortiWiFi unit first detected the access point.
Last Seen The date and time when the FortiWiFi unit last detected the access point.
Mark as Accepted AP Select the icon to move this entry to the Accepted Access Points list.
Mark as Rogue AP Select the icon to move this entry to the Rogue Access Points list.
Forget AP Return item to Unknown Access Points list from Accepted Access Points
list or Rogue Access Points list.
System DHCP
This section describes how to use DHCP to provide convenient automatic network
configuration for your clients.
DHCP is not available in Transparent mode. DHCP requests are passed through the
FortiGate unit when it is in Transparent mode.
If you enable virtual domains (VDOMs) on the FortiGate unit, DHCP is configured
separately for each virtual domain. For details, see Using virtual domains on page 125.
This section describes:
FortiGate DHCP servers and relays
Configuring DHCP services
Viewing address leases
FortiGate DHCP servers and relays
The DHCP protocol enables hosts to automatically obtain an IP address from a DHCP
server. Optionally, they can also obtain default gateway and DNS server settings. A
FortiGate interface or VLAN subinterface can provide the following DHCP services:
Basic DHCP servers for non-IPSec IP networks
IPSec DHCP servers for IPSec (VPN) connections
DHCP relay for regular Ethernet or IPSec (VPN) connections
An interface cannot provide both a server and a relay for connections of the same type
(regular or IPSec).
You can configure one or more DHCP servers on any FortiGate interface. A DHCP server
dynamically assigns IP addresses to hosts on the network connected to the interface. The
host computers must be configured to obtain their IP addresses using DHCP.
If an interface is connected to multiple networks via routers, you can add a DHCP server
for each network. The IP range of each DHCP server must match the network address
range. The routers must be configured for DHCP relay.
To configure a DHCP server, see Configuring a DHCP server on page 201.
You can configure a FortiGate interface as a DHCP relay. The interface forwards DHCP
requests from DHCP clients to an external DHCP server and returns the responses to the
DHCP clients. The DHCP server must have appropriate routing so that its response
packets to the DHCP clients arrive at the FortiGate unit.
To configure a DHCP relay, see Configuring an interface as a DHCP relay agent on
page 201.
DHCP services can also be configured through the Command Line Interface (CLI). See
the FortiGate CLI Reference for more information.
Note: You can configure a Regular DHCP server on an interface only if the interface is a
physical interface with a static IP address. You can configure an IPSec DHCP server on an
interface that has either a static or a dynamic IP address.
Configuring DHCP services
Go to System > DHCP > Service to configure DHCP services. On each FortiGate
interface, you can configure a DHCP relay or add DHCP servers as needed.
On FortiGate 50 and 60 series units, a DHCP server is configured, by default, on the
Internal interface, as follows:
IP Range 192.168.1.110 to 192.168.1.210
Netmask 255.255.255.0
Default gateway 192.168.1.99
Lease time 7 days
DNS Server 1 192.168.1.99
You can disable or change this default DHCP Server configuration.
These settings are appropriate for the default Internal interface IP address of
192.168.1.99. If you change this address to a different network, you need to change the
DHCP server settings to match.
Figure 93: DHCP service list - FortiGate-200A shown
Note: You can not configure DHCP in Transparent mode. In Transparent mode DHCP
requests pass through the FortiGate unit.
Note: An interface must have a static IP before you configure a DHCP server on it.
Interface List of FortiGate interfaces. Expand each listed interface to view the Relay and
Servers.
Server Name/Relay IP Name of FortiGate DHCP server or IP address of DHCP server accessed by
relay.
Type Type of DHCP relay or server: Regular or IPSec.
Enable Green check mark icon indicates that server or relay is enabled.
Add DHCP Server icon Select to configure and add a DHCP server for this interface.
Edit icon Select to edit the DHCP relay or server configuration.
Delete icon Select to delete the DHCP server.
Configuring an interface as a DHCP relay agent
Go to System > DHCP > Service and select an edit icon to view or modify the DHCP relay
configuration for an interface.
Figure 94: Edit DHCP relay settings for an interface
Interface Name The name of the interface.
DHCP Relay Agent Select to enable the DHCP relay agent on this interface.
Type Select the type of DHCP service required as either Regular or IPSEC.
DHCP Server IP Enter the IP address of the DHCP server that will answer DHCP requests from
computers on the network connected to the interface.
Configuring a DHCP server
The System > DHCP > Service screen gives you access to existing DHCP servers. It is
also where you configure new DHCP servers.
To configure a DHCP server
1 Go to System > DHCP > Service.
2 Select the blue arrow for the interface.
3 Select the Add DHCP Server icon to create a new DHCP server, or select the Edit icon
beside an existing DHCP server to change its settings.
4 Configure the DHCP server.
5 Select OK.
Figure 95: DHCP Server options
Name Enter a name for the DHCP server.
Enable Enable the DHCP server.
Type Select Regular or IPSEC DHCP server.
You cannot configure a Regular DHCP server on an interface that has a
dynamic IP address.
IP Range Enter the start and end for the range of IP addresses that this DHCP server
assigns to DHCP clients.
These fields are greyed out when IP Assignment Mode is set to User-group
defined method.
Network Mask Enter the netmask of the addresses that the DHCP server assigns.
Default Gateway Enter the IP address of the default gateway that the DHCP server assigns to
DHCP clients.
Domain Enter the domain that the DHCP server assigns to DHCP clients.
Lease Time Select Unlimited for an unlimited lease time or enter the interval in days,
hours, and minutes after which a DHCP client must ask the DHCP server for
new settings. The lease time can range from 5 minutes to 100 days.
Advanced Select to configure advanced options. The remaining options in this table are
advanced options.
IP Assignment Mode Configure how the IP addresses for an IPSec DHCP server are assigned to
Dialup IPSec VPN users. Select:
Server IP Range - The IPSec DHCP server will assign the IP addresses
as specified in IP Range, and Exclude Ranges.
User-group defined method - The IP addresses will be assigned by a user
group used to authenticate the user. The user group is used to
authenticate XAUTH users. See Dynamically assigning VPN client IP
addresses from a user group on page 665.
When User-group defined method is selected, the IP Range fields are greyed
out, and the Exclude Ranges table and controls are not visible.
DNS Server 1, DNS Server 2, DNS Server 3 Enter the IP addresses of up to 3 DNS servers that the DHCP server assigns
to DHCP clients.
WINS Server 1, WINS Server 2 Add the IP addresses of one or two WINS servers that the DHCP server
assigns to DHCP clients.
Option 1, Option 2, Option 3 Enter up to three custom DHCP options that can be sent by the DHCP
server. Code is the DHCP option code in the range 1 to 255. Option is an
even number of hexadecimal characters and is not required for some option
codes. For detailed information about DHCP options, see RFC 2132, DHCP
Options and BOOTP Vendor Extensions.
Exclude Ranges
Add Add a range of IP addresses to exclude.
You can add up to 16 exclude ranges of IP addresses that the DHCP server
cannot assign to DHCP clients. No range can exceed 65536 IP addresses.
Starting IP Enter the first IP address of the exclude range.
End IP Enter the last IP address of the exclude range.
Delete icon Delete the exclude range.
Viewing address leases
Go to System > DHCP > Address Leases to view the IP addresses that the DHCP servers
have assigned and the corresponding client MAC addresses.
Figure 96: Address leases list
Interface Select the interface for which to list leases.
Refresh Select Refresh to update the Address leases list.
IP The assigned IP address.
MAC The MAC address of the device to which the IP address is assigned.
Expire Expiry date and time of the DHCP lease.
Reserving IP addresses for specific clients
You can reserve an IP address for a specific client identified by the client device MAC
address and the connection type, regular Ethernet or IPSec. The DHCP server always
assigns the reserved address to that client. You can assign up to 200 IP addresses as
reserved. For more information see the FortiGate Maximum Values Matrix.
Use the CLI config system dhcp reserved-address command. For more
information, see the FortiGate CLI Reference.
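The custom Option rows and the Exclude Ranges table of the DHCP Server options above, as an added example that is not part of this guide or Fortinet's code: it encodes typed values into the even-length hex string the Option field takes (using the RFC 2132 data formats of a few common option codes), validates an option row, and applies the guide's limits of at most 16 exclude ranges of at most 65536 addresses each. The option codes chosen (42, 15, 2) and the sample addresses are constructed for illustration; the only page values used are the default server range and its limits.

```python
"""Encode and check the advanced DHCP server fields described in the guide.

Added example, not Fortinet code. Limits follow the guide: option code 1..255,
option data as an even number of hex characters, up to 16 exclude ranges,
none larger than 65536 addresses. Sample values are constructed.
"""
import binascii
import ipaddress
import struct

MAX_EXCLUDE_RANGES = 16
MAX_EXCLUDE_SIZE = 65536
MAX_OPTIONS = 3


def option_hex(code, value):
    """Hex string for the Option field, using RFC 2132 data encodings for:
    - address-list options (e.g. 42 NTP servers): a list of IPv4 addresses
    - string options (e.g. 15 domain name): a str (ASCII)
    - 32-bit integer options (e.g. 2 time offset, signed): an int
    Anything else must be supplied as raw bytes."""
    if isinstance(value, list):
        data = b"".join(ipaddress.IPv4Address(a).packed for a in value)
    elif isinstance(value, str):
        data = value.encode("ascii")
    elif isinstance(value, int):
        data = struct.pack(">i" if value < 0 else ">I", value)
    elif isinstance(value, (bytes, bytearray)):
        data = bytes(value)
    else:
        raise TypeError(f"unsupported value type for option {code}")
    return data.hex()


def check_option(code, hex_value):
    """Validate one Option row (code 1..255, even number of hex characters)
    and return the decoded bytes. An empty value is accepted because the
    guide says some option codes carry no data."""
    if not 1 <= int(code) <= 255:
        raise ValueError(f"option code {code} is outside 1..255")
    if len(hex_value) % 2:
        raise ValueError(f"option {code}: hex value needs an even number of characters")
    try:
        return binascii.unhexlify(hex_value)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"option {code}: not hexadecimal ({exc})") from None


def check_options(rows):
    """Validate up to three (code, hex) rows as entered in Option 1..3."""
    if len(rows) > MAX_OPTIONS:
        raise ValueError(f"at most {MAX_OPTIONS} custom options are allowed")
    return [(int(code), check_option(code, hex_value)) for code, hex_value in rows]


def check_exclude_ranges(excludes):
    """Validate the Exclude Ranges table: each (start, end) pair is ordered,
    no range exceeds 65536 addresses, and there are at most 16 ranges."""
    if len(excludes) > MAX_EXCLUDE_RANGES:
        raise ValueError(f"at most {MAX_EXCLUDE_RANGES} exclude ranges are allowed")
    for start, end in excludes:
        a, b = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        if b < a:
            raise ValueError(f"exclude range {start}-{end}: End IP precedes Starting IP")
        if b - a + 1 > MAX_EXCLUDE_SIZE:
            raise ValueError(f"exclude range {start}-{end} exceeds {MAX_EXCLUDE_SIZE} addresses")


def assignable_count(ip_range, excludes):
    """Addresses the server can hand out: the IP Range minus the addresses
    covered by the (validated) exclude ranges, overlaps counted once."""
    check_exclude_ranges(excludes)
    lo, hi = (int(ipaddress.IPv4Address(x)) for x in ip_range)
    if hi < lo:
        raise ValueError("IP Range end precedes start")
    excluded = set()
    for start, end in excludes:
        a, b = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        excluded.update(range(max(a, lo), min(b, hi) + 1))  # clip to the IP Range
    return hi - lo + 1 - len(excluded)


if __name__ == "__main__":
    # The guide's default server range, with one constructed exclude range.
    print(option_hex(42, ["192.168.1.99", "10.0.0.1"]))            # NTP servers
    print(option_hex(15, "example.lan"))                           # domain name
    print(assignable_count(("192.168.1.110", "192.168.1.210"),
                           [("192.168.1.150", "192.168.1.160")]))
```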
System Config
This section describes the configuration of several non-network features, such as HA,
SNMP, custom replacement messages, and Operation mode.
If you enable virtual domains (VDOMs) on the FortiGate unit, HA, SNMP, and replacement
messages are configured globally for the entire FortiGate unit. Changing operation mode
is configured for each individual VDOM. For details, see Using virtual domains on
page 125.
This section describes:
HA
SNMP
Replacement messages
Operation mode and VDOM management access
HA
FortiGate high availability (HA) provides a solution for two key requirements of critical
enterprise networking components: enhanced reliability and increased performance. This
section contains a brief description of HA web-based manager configuration options, the
HA cluster members list, HA statistics, and disconnecting cluster members.
If you enable virtual domains (VDOMs) on the FortiGate unit, HA is configured globally for
the entire FortiGate unit. For details, see Using virtual domains on page 125.
For complete information about how to configure and operate FortiGate HA clusters, see
the FortiGate HA Overview and the FortiGate HA Guide.
The following topics are included in this section:
HA options
Cluster members list
Viewing HA statistics
Changing subordinate unit host name and device priority
Disconnecting a cluster unit from a cluster
HA options
Configure HA options so that a FortiGate unit can join a cluster or to change the
configuration of an operating cluster or cluster member.
To configure HA options so that a FortiGate unit can join an HA cluster, go to System >
Config > HA.
Note: FortiGate HA is not compatible with PPP protocols such as PPPoE. FortiGate HA is
also not compatible with DHCP. If one or more FortiGate unit interfaces is dynamically
configured using DHCP or PPPoE you cannot switch to operate in HA mode. Also, you
cannot switch to operate in HA mode if one or more FortiGate unit interfaces is configured
as a PPTP or L2TP client or if the FortiGate unit is configured for standalone session
synchronization.
If HA is already enabled, go to System > Config > HA to display the cluster members list.
Select Edit for the FortiGate unit with Role of master (also called the primary unit). When
you edit the HA configuration of the primary unit, all changes are synchronized to the other
units in the cluster.
Figure 97: FortiGate-3810A unit HA configuration
You can configure HA options for a FortiGate unit with virtual domains (VDOMs) enabled
by logging into the web-based manager as the global admin administrator and going to
System > Config > HA. If HA is enabled, you will have to select Edit for the cluster member
before you see the virtual cluster configuration screen for that cluster unit. For more
information, see Cluster members list on page 209.
Note: If your FortiGate cluster uses virtual domains, you are configuring HA virtual
clustering. Most virtual cluster HA options are the same as normal HA options. However,
virtual clusters include VDOM partitioning options. Other differences between configuration
options for regular HA and for virtual clustering HA are described below and in the
FortiGate HA Overview and the FortiGate HA Guide.
Figure 98: FortiGate-5001SX HA virtual cluster configuration
Mode Select an HA mode for the cluster or return the FortiGate units in the cluster to
standalone mode. When configuring a cluster, you must set all members of the
HA cluster to the same HA mode. You can select Standalone (to disable HA),
Active-Passive, or Active-Active.
If virtual domains are enabled you can select Active-Passive or Standalone.
Device Priority Optionally set the device priority of the cluster unit. Each unit in a cluster can
have a different device priority. During HA negotiation, the unit with the highest
device priority usually becomes the primary unit.
In a virtual cluster configuration, each cluster unit can have two different device
priorities, one for each virtual cluster. During HA negotiation, the unit with the
highest device priority in a virtual cluster becomes the primary unit for that virtual
cluster.
Changes to the device priority are not synchronized. You can accept the default
device priority when first configuring a cluster. When the cluster is operating you
can change the device priority for different cluster units as required.
Group Name Enter a name to identify the cluster. The maximum length of the group name is 32
characters. The group name must be the same for all cluster units before the
cluster units can form a cluster. After a cluster is operating, you can change the
group name. The group name change is synchronized to all cluster units.
The default group name is FGT-HA. You can accept the default group name
when first configuring a cluster, however two clusters on the same network
cannot have the same group name. When the cluster is operating you can
change the group name, if required.
Password Enter a password to identify the cluster. The maximum password length is 15
characters. The password must be the same for all cluster units before the cluster
units can form a cluster.
The default is no password. You can accept the default password when first
configuring a cluster. When the cluster is operating, you can add a password, if
required. Two clusters on the same network must have different passwords.
Enable Session pickup Select to enable session pickup so that if the primary unit fails, sessions are
picked up by the cluster unit that becomes the new primary unit.
You must enable session pickup for session failover protection. If you do not
require session failover protection, leaving session pickup disabled may reduce
HA CPU usage and reduce HA heartbeat network bandwidth usage.
Session pickup is disabled by default. You can accept the default setting for
session pickup and later choose to enable session pickup after the cluster is
operating.
Port Monitor Select to enable or disable monitoring FortiGate interfaces to verify the monitored
interfaces are functioning properly and are connected to their networks.
If a monitored interface fails or is disconnected from its network, the interface
leaves the cluster and a link failover occurs. The link failover causes the cluster to
reroute the traffic being processed by that interface to the same interface of
another cluster unit that still has a connection to the network. This other cluster
unit becomes the new primary unit.
Port monitoring (also called interface monitoring) is disabled by default. Leave
port monitoring disabled until the cluster is operating and then only enable port
monitoring for connected interfaces.
You can monitor up to 16 interfaces. This limit only applies to FortiGate units with
more than 16 physical interfaces.
Heartbeat Interface Select to enable or disable HA heartbeat communication for each interface in the
cluster and set the heartbeat interface priority. The heartbeat interface with the
highest priority processes all heartbeat traffic. If two or more heartbeat interfaces
have the same priority, the heartbeat interface with the lowest hash map order
value processes all heartbeat traffic. The web-based manager lists interfaces in
alphanumeric order:
port1
port2 through 9
port10
Hash map order sorts interfaces in the following order:
port1
port10
port2 through port9
The default heartbeat interface configuration is different for each FortiGate unit.
This default configuration usually sets the priority of two heartbeat interfaces to
50. You can accept the default heartbeat interface configuration or change it as
required.
The heartbeat interface priority range is 0 to 512. The default priority when you
select a new heartbeat interface is 0.
You must select at least one heartbeat interface. If heartbeat communication is
interrupted, the cluster stops processing traffic. For more information about
configuring heartbeat interfaces, see the FortiGate HA Overview.
You can select up to 8 heartbeat interfaces. This limit only applies to FortiGate
units with more than 8 physical interfaces.
VDOM partitioning If you are configuring virtual clustering, you can set the virtual domains to be in
virtual cluster 1 and the virtual domains to be in virtual cluster 2. The root virtual
domain must always be in virtual cluster 1.
For more information about configuring VDOM partitioning, see the FortiGate HA
Overview.
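The heartbeat interface tie-break described in the Heartbeat Interface row above, as an added example that is not Fortinet's code: it picks the enabled heartbeat interface with the highest priority and breaks ties by hash map order, which is modelled here as plain string ordering (an assumption that reproduces the port1, port10, port2 ... port9 order the guide gives), shown next to the alphanumeric order the web-based manager displays so the port10-before-port2 gotcha is visible. The guide's limits (priority 0 to 512, at least one and at most 8 heartbeat interfaces) are checked too.

```python
"""Which heartbeat interface carries HA heartbeat traffic, per the guide's rule.

Added example, not Fortinet code. Highest priority wins; ties go to the lowest
hash map order. Hash map order is modelled as plain string ordering, an
assumption that matches the guide's port1, port10, port2..port9 example.
"""
import re

PRIORITY_MIN, PRIORITY_MAX = 0, 512   # heartbeat interface priority range (guide)
MAX_HEARTBEAT_INTERFACES = 8          # selectable heartbeat interfaces (guide)


def hash_map_order(names):
    """Interfaces in the tie-break order the cluster uses (assumed: string sort,
    so 'port10' sorts before 'port2')."""
    return sorted(names)


def display_order(names):
    """Interfaces as the web-based manager lists them (alphanumeric: numeric
    parts compared as numbers, so port2 comes before port10)."""
    def key(name):
        return [int(tok) if tok.isdigit() else tok for tok in re.split(r"(\d+)", name)]
    return sorted(names, key=key)


def select_heartbeat_interface(heartbeat):
    """Return the interface that will process all heartbeat traffic.

    `heartbeat` maps interface name -> priority for every interface on which
    heartbeat communication is enabled. Raises ValueError for configurations
    the guide rules out: no interface selected, more than 8 selected, or a
    priority outside 0..512.
    """
    if not heartbeat:
        raise ValueError("at least one heartbeat interface must be selected")
    if len(heartbeat) > MAX_HEARTBEAT_INTERFACES:
        raise ValueError(f"at most {MAX_HEARTBEAT_INTERFACES} heartbeat interfaces may be selected")
    for name, prio in heartbeat.items():
        if not PRIORITY_MIN <= prio <= PRIORITY_MAX:
            raise ValueError(f"{name}: priority {prio} outside {PRIORITY_MIN}..{PRIORITY_MAX}")
    top = max(heartbeat.values())
    candidates = [name for name, prio in heartbeat.items() if prio == top]
    return hash_map_order(candidates)[0]


if __name__ == "__main__":
    # Constructed configuration: three heartbeat interfaces at the same priority.
    cfg = {"port2": 50, "port10": 50, "port5": 50}
    print("displayed as:", display_order(cfg))          # port2, port5, port10
    print("tie-break order:", hash_map_order(cfg))      # port10, port2, port5
    print("heartbeat carried by:", select_heartbeat_interface(cfg))  # port10
```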
Cluster members list
You can display the cluster members list to view the status of an operating cluster and the
status of the FortiGate units in the cluster. The cluster members list shows the FortiGate
units in the cluster and for each FortiGate unit shows interface connections, the cluster
unit and the device priority of the cluster unit. From the cluster members list you can
disconnect a unit from the cluster, edit the HA configuration of primary unit, change the
device priority and host name of subordinate units, and download a debug log for any
cluster unit. You can also view HA statistics for the cluster.
To display the cluster members list, log into an operating cluster and go to System >
Config > HA.
Figure 99: Example FortiGate-5001SX cluster members list
If virtual domains are enabled, you can display the cluster members list to view the status
of the operating virtual clusters. The virtual cluster members list shows the status of both
virtual clusters including the virtual domains added to each virtual cluster.
To display the virtual cluster members list for an operating cluster log in as the global
admin administrator and go to System > Config > HA.
Figure 100: Example FortiGate-5001SX virtual cluster members list
View HA Statistics Displays the serial number, status, and monitor information for each cluster
unit. See Viewing HA statistics on page 211.
Up and down arrows Changes the order of cluster members in the list. The operation of the
cluster or of the units in the cluster is not affected. All that changes is the
order of the units on the cluster members list.
Cluster member Illustrations of the front panels of the cluster units. If the network jack for an
interface is shaded green, the interface is connected. Pause the mouse
pointer over each illustration to view the cluster unit host name, serial
number, how long the unit has been operating (up time), and the interfaces
that are configured for port monitoring.
Hostname The host name of the FortiGate unit. The default host name of the
FortiGate unit is the FortiGate unit serial number.
To change the primary unit host name, go to System > Status and select
Change beside the current host name.
To change a subordinate unit host name, from the cluster members list
select the Edit icon for a subordinate unit.
Role The status or role of the cluster unit in the cluster.
Role is MASTER for the primary (or master) unit
Role is SLAVE for all subordinate (or backup) cluster units
Priority The device priority of the cluster unit. Each cluster unit can have a different
device priority. During HA negotiation, the unit with the highest device
priority becomes the primary unit.
The device priority range is 0 to 255.
Disconnect from cluster Select to disconnect a selected cluster unit from the cluster. See
Disconnecting a cluster unit from a cluster on page 212.
Edit Select to change a cluster unit HA configuration.
For a primary unit, select Edit to change the cluster HA configuration
(including the device priority) of the primary unit.
For a primary unit in a virtual cluster, select Edit to change the virtual
cluster HA configuration, including the virtual cluster 1 and virtual
cluster 2 device priority of this cluster unit.
For a subordinate unit, select Edit to change the subordinate unit host
name and device priority. See Changing subordinate unit host name
and device priority on page 212.
For a subordinate unit in a virtual cluster, select Edit to change the
subordinate unit host name and the device priority of the subordinate
unit for the selected virtual cluster. See Changing subordinate unit host
name and device priority on page 212.
Download debug log Select to download an encrypted debug log to a file. You can send this
debug log file to Fortinet Technical Support (http://support.fortinet.com) for
help diagnosing problems with the cluster or with individual cluster units.
Viewing HA statistics
From the cluster members list, you can select View HA Statistics to display the serial
number, status, and monitor information for each cluster unit. To view HA statistics, go to
System > Config > HA and select View HA Statistics.
Figure 101: Example HA statistics (active-passive cluster)
Refresh every Select to control how often the web-based manager updates the HA
statistics display.
Back to HA monitor Select to close the HA statistics list and return to the cluster members list.
Unit The host name and serial number of the cluster unit.
Status Indicates the status of each cluster unit.
A green check mark indicates that the cluster unit is operating normally.
A red X indicates that the cluster unit cannot communicate with the primary
unit.
Up Time The time in days, hours, minutes, and seconds since the cluster unit was last
started.
Monitor Displays system status information for each cluster unit.
CPU Usage The current CPU status of each cluster unit. The web-based manager
displays CPU usage for core processes only. CPU usage for management
processes (for example, for HTTPS connections to the web-based manager)
is excluded. For more information about CPU usage, see System
Resources on page 75.
Memory Usage The current memory status of each cluster unit. The web-based manager
displays memory usage for core processes only. Memory usage for
management processes (for example, for HTTPS connections to the
web-based manager) is excluded. For more information about memory
usage, see System Resources on page 75.
Active Sessions The number of communications sessions being processed by the cluster
unit.
Total Packets The number of packets that have been processed by the cluster unit since it
last started up.
Virus Detected The number of viruses detected by the cluster unit.
Network Utilization The total network bandwidth being used by all of the cluster unit interfaces.
Total Bytes The number of bytes that have been processed by the cluster unit since it
last started up.
Intrusion Detected The number of intrusions or attacks detected by Intrusion Protection running
on the cluster unit.
Changing subordinate unit host name and device priority
To change the host name and device priority of a subordinate unit in an operating cluster,
go to System > Config > HA to display the cluster members list. Select Edit for any slave
(subordinate) unit in the cluster members list.
To change the host name and device priority of a subordinate unit in an operating cluster
with virtual domains enabled, log in as the global admin administrator and go to System >
Config > HA to display the cluster members list. Select Edit for any slave (subordinate)
unit in the cluster members list.
You can change the host name (Peer) and device priority (Priority) of this subordinate unit.
These changes only affect the configuration of the subordinate unit.
Figure 102: Changing the subordinate unit host name and device priority
Peer View and optionally change the subordinate unit host name.
Priority View and optionally change the subordinate unit device priority.
The device priority is not synchronized among cluster members. In a functioning cluster
you can change device priority to change the priority of any unit in the cluster. The next
time the cluster negotiates, the cluster unit with the highest device priority becomes the
primary unit.
The device priority range is 0 to 255. The default device priority is 128.
Disconnecting a cluster unit from a cluster
You can disconnect a cluster unit if you need to use the disconnected FortiGate unit for
another purpose, such as to act as a standalone firewall. You can go to System > Config >
HA and select a Disconnect from cluster icon to disconnect a cluster unit from a
functioning cluster without disrupting the operation of the cluster.
Figure 103: Disconnect a cluster member
Serial Number Displays the serial number of the cluster unit to be disconnected from the cluster.
Interface Select the interface that you want to configure. You also specify the IP address and netmask for this interface. When the FortiGate unit is disconnected, all management access options are enabled for this interface. Because every management protocol is then reachable on that interface, reduce the administrative access to what you actually need as soon as you can log in to the disconnected unit.
IP/Netmask Specify an IP address and netmask for the interface. You can use this IP address to connect to this interface to configure the disconnected FortiGate unit.
SNMP
Simple Network Management Protocol (SNMP) allows you to monitor hardware on your network. You can configure the hardware, such as the FortiGate SNMP agent, to report system information and send traps (alarms or event messages) to SNMP managers. An SNMP manager, or host, is typically a computer running an application that can read the incoming trap and event messages from the agent and send out SNMP queries to the SNMP agents. A FortiManager unit can act as an SNMP manager, or host, to one or more FortiGate units.
Using an SNMP manager, you can access SNMP traps and data from any FortiGate interface or VLAN subinterface configured for SNMP management access.
The FortiGate SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP managers have read-only access to FortiGate system information through queries and can receive trap messages from the FortiGate unit. Read-only access still discloses useful reconnaissance data (interface addresses, active sessions, VPN peers and firewall policy counters, as the MIB field tables later in this section show), and with SNMP v1 and v2c the community name is the only credential and is sent in cleartext. Treat community names as passwords, enable SNMP administrative access only on management interfaces, and prefer SNMP v3 with authentication and privacy where your SNMP manager supports it.
To monitor FortiGate system information and receive FortiGate traps, you must first compile the proprietary Fortinet and FortiGate Management Information Base (MIB) files. A MIB is a text file that describes a list of SNMP data objects that are used by the SNMP manager. These MIBs provide information the SNMP manager needs to interpret the SNMP trap, event, and query messages sent by the FortiGate unit SNMP agent. For information on how to download the MIB files, see the Fortinet Knowledge Base.
The Fortinet implementation of SNMP includes support for most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II). For more information, see Fortinet MIBs on page 217.
RFC support for SNMP v3 includes Architecture for SNMP Frameworks (RFC 3411), and partial support of User-based Security Model (RFC 3414).
Note: Part of configuring an SNMP manager is to list it as a host in a community on the FortiGate unit it will be monitoring. Otherwise the SNMP manager will not receive any traps from that FortiGate unit, or be able to query that unit.
Note: There were major changes to the MIB files between FortiOS v3.0 and v4.0. You need to use the new MIBs for FortiOS v4.0 or you may be accessing the wrong traps and fields.
SNMP traps alert you to events that happen, such as a log disk being full or a virus being detected. For more information about SNMP traps, see Fortinet and FortiGate traps on page 218.
SNMP fields contain information about your FortiGate unit, such as percent CPU usage or the number of sessions. This information is useful to monitor the condition of the unit, both on an ongoing basis and to provide more information when a trap occurs. For more information about SNMP fields, see Fortinet and FortiGate MIB fields on page 221.
The FortiGate SNMP v3 implementation includes support for queries, traps, authentication, and privacy. Authentication and encryption are configured in the CLI. See the system snmp user command in the FortiGate CLI Reference.
Configuring SNMP
Go to System > Config > SNMP v1/v2c to configure the SNMP agent.
Figure 104: Configuring SNMP
SNMP Agent Enable the FortiGate SNMP agent.
Description Enter descriptive information about the FortiGate unit. The description can be
up to 35 characters long.
Location Enter the physical location of the FortiGate unit. The system location
description can be up to 35 characters long.
Contact Enter the contact information for the person responsible for this FortiGate
unit. The contact information can be up to 35 characters.
Apply Save changes made to the description, location, and contact information.
Create New Select Create New to add a new SNMP community.
See Configuring an SNMP community on page 215.
Communities The list of SNMP communities added to the FortiGate configuration. You can
add up to 3 communities.
Name The name of the SNMP community.
Queries The status of SNMP queries for each SNMP community. The query status
can be enabled or disabled.
Traps The status of SNMP traps for each SNMP community. The trap status can be
enabled or disabled.
Enable Select Enable to activate an SNMP community.
Delete icon Select Delete to remove an SNMP community.
Edit/View icon Select to view or modify an SNMP community.
Configuring an SNMP community
An SNMP community is a grouping of devices for network administration purposes. Within
that SNMP community, devices can communicate by sending and receiving traps and
other information. One device can belong to multiple communities, such as one
administrator terminal monitoring both a firewall SNMP community and a printer SNMP
community.
Add SNMP communities to your FortiGate unit so that SNMP managers can connect to
view system information and receive SNMP traps.
You can add up to three SNMP communities. Each community can have a different
configuration for SNMP queries and traps. Each community can be configured to monitor
the FortiGate unit for a different set of events. You can also add the IP addresses of up to
8 SNMP managers to each community.
Figure 105: SNMP community options (part 1)
Note: When the FortiGate unit is in virtual domain mode, SNMP traps can only be sent on
interfaces in the management virtual domain. Traps cannot be sent over other interfaces.
Figure 106: SNMP community options (part 2)
Community Name Enter a name to identify the SNMP community.
Hosts Identify, by IP address, the SNMP managers that can use the settings in this SNMP community to monitor the FortiGate unit.
IP Address The IP address of an SNMP manager that can use the settings in this SNMP community to monitor the FortiGate unit. You can also set the IP address to 0.0.0.0 so that any SNMP manager can use this SNMP community. A community whose host is 0.0.0.0 accepts queries from any address that can reach an interface with SNMP administrative access, and with SNMP v1 and v2c the community name is the only credential, so list specific manager addresses wherever possible.
Interface Optionally select the name of the interface that this SNMP manager uses to connect to the FortiGate unit. You only have to select the interface if the SNMP manager is not on the same subnet as the FortiGate unit. This can occur if the SNMP manager is on the Internet or behind a router. In virtual domain mode, the interface must belong to the management VDOM to be able to pass SNMP traps.
Delete Select a Delete icon to remove an SNMP manager.
Add Add a blank line to the Hosts list. You can add up to 8 SNMP managers to a single community.
Queries Enter the Port number (161 by default) that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the FortiGate unit. Select the Enable check box to activate queries for each SNMP version.
Note: The SNMP client software and the FortiGate unit must use the same port for queries.
Traps Enter the Local and Remote port numbers (port 162 for each by default) that the FortiGate unit uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in this community. Select the Enable check box to activate traps for each SNMP version.
Note: The SNMP client software and the FortiGate unit must use the same port for traps.
SNMP Event Enable each SNMP event for which the FortiGate unit should send traps to the SNMP managers in this community.
The sensitivity of the CPU overusage trap is slightly reduced by spreading the measurement over 8 polling cycles. This prevents traps on sharp spikes caused by CPU-intensive short-term events such as changing a policy.
The Power Supply Failure event trap is available only on some FortiGate models.
The AMC interfaces enter bypass mode event trap is available only on FortiGate models that support AMC modules.
To configure SNMP access (NAT/Route mode)
Before a remote SNMP manager can connect to the FortiGate agent, you must configure one or more FortiGate interfaces to accept SNMP connections.
1 Go to System > Network > Interface.
2 Choose an interface that an SNMP manager connects to and select Edit.
3 In Administrative Access, select SNMP.
4 Select OK.
To configure SNMP access (Transparent mode)
1 Go to System > Config > Operation Mode.
2 Enter the IP address that you want to use for management access and the netmask in the Management IP/Netmask field.
3 Select Apply.
Fortinet MIBs
The FortiGate SNMP agent supports Fortinet proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs. RFC support includes support for the parts of RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to FortiGate unit configuration.
There are two MIB files for FortiGate units: the Fortinet MIB and the FortiGate MIB. The Fortinet MIB contains traps, fields and information that are common to all Fortinet products. The FortiGate MIB contains traps, fields and information that are specific to FortiGate units. Each Fortinet product has its own MIB; if you use other Fortinet products you will need to download their MIB files as well.
The Fortinet MIB and FortiGate MIB along with the two RFC MIBs are listed in tables in this section. You can download the two FortiGate MIB files from Fortinet Customer Support. For information on how to download the MIB files, see the Fortinet Knowledge Base.
Your SNMP manager may already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIBs to this database to have access to the Fortinet-specific information. You need to obtain and compile the two MIBs for this release.
Note: There were major changes to the MIB files between FortiOS v3.0 and v4.0. You need to use the new MIBs for FortiOS v4.0 or you may mistakenly access the wrong traps and fields.
Fortinet and FortiGate traps
An SNMP manager can request information from the Fortinet device's SNMP agent, or that agent can send traps when an event occurs. Traps are a method used to inform the SNMP manager that something has happened or changed on the Fortinet device.
To receive FortiGate device SNMP traps, you must load and compile the FORTINET-CORE-MIB and FORTINET-FORTIGATE-MIB into your SNMP manager. Traps sent include the trap message as well as the FortiGate unit serial number (fnSysSerial) and hostname (sysName).
The tables in this section include information about SNMP traps and variables. These tables have been included to help you locate the object identifier number (OID), trap message, and trap description of the Fortinet trap or variable you need.
The name of the table indicates if the trap is found in the Fortinet MIB or the FortiGate MIB. The Trap Message column includes the message included with the trap as well as the SNMP MIB field name to help locate the information about the trap. Traps starting with fn, such as fnTrapCpuThreshold, are defined in the Fortinet MIB. Traps starting with fg, such as fgTrapAvVirus, are defined in the FortiGate MIB.
The object identifier (OID) is made up of the number at the top of the table with the index added to the end. For example, if the OID is 1.3.6.1.4.1.12356.1.3.0 and the index is 4, the full OID is 1.3.6.1.4.1.12356.1.3.0.4. The OID and the name of the object are how SNMP managers refer to fields and traps from the Fortinet and FortiGate MIBs.
Indented rows are fields that are part of the message or table associated with the preceding row.
Table 13: Fortinet MIBs
MIB file name or RFC Description
FORTINET-CORE-MIB.mib The proprietary Fortinet MIB includes all system configuration information and trap information that is common to all Fortinet products. Your SNMP manager requires this information to monitor FortiGate unit configuration settings and receive traps from the FortiGate SNMP agent. For more information, see Fortinet and FortiGate traps on page 218 and Fortinet and FortiGate MIB fields on page 221.
FORTINET-FORTIGATE-MIB.mib The proprietary FortiGate MIB includes all system configuration information and trap information that is specific to FortiGate units. Your SNMP manager requires this information to monitor FortiGate configuration settings and receive traps from the FortiGate SNMP agent. FortiManager systems require this MIB to monitor FortiGate units. For more information, see Fortinet and FortiGate traps on page 218 and Fortinet and FortiGate MIB fields on page 221.
RFC-1213 (MIB II) The FortiGate SNMP agent supports MIB II groups with the following exceptions. No support for the EGP group from MIB II (RFC 1213, sections 3.11 and 6.10). Protocol statistics returned for MIB II groups (IP/ICMP/TCP/UDP/etc.) do not accurately capture all FortiGate traffic activity. More accurate information can be obtained from the information reported by the Fortinet MIB.
RFC-2665 (Ethernet-like MIB) The FortiGate SNMP agent supports Ethernet-like MIB information with the following exception. No support for the dot3Tests and dot3Errors groups.
The following tables include:
Generic Fortinet traps (OID 1.3.6.1.4.1.12356.1.3.0)
System traps (OID 1.3.6.1.4.1.12356.1.3.0)
FortiGate VPN traps (OID 1.3.6.1.4.1.12356.1.3.0)
FortiGate IPS traps (OID 1.3.6.1.4.1.12356.1.3.0)
FortiGate antivirus traps (OID 1.3.6.1.4.1.12356.1.3.0)
FortiGate HA traps (OID 1.3.6.1.4.1.12356.1.3.0)
Table 14: Generic Fortinet traps (OID 1.3.6.1.4.1.12356.1.3.0)
Index Trap message Description
.1 ColdStart Standard trap as described in RFC 1215.
.2 WarmStart Standard trap as described in RFC 1215.
.3 LinkUp Standard trap as described in RFC 1215.
.4 LinkDown Standard trap as described in RFC 1215.
Table 15: System traps (OID 1.3.6.1.4.1.12356.1.3.0)
Index Trap message Description
.101 CPU usage high (fnTrapCpuThreshold) CPU usage exceeds 80%. This threshold can be set in the CLI using config system snmp sysinfo, set trap-high-cpu-threshold.
.102 Memory low (fnTrapMemThreshold) Memory usage exceeds 90%. This threshold can be set in the CLI using config system snmp sysinfo, set trap-low-memory-threshold.
.103 Log disk too full (fnTrapLogDiskThreshold) Log disk usage has exceeded the configured threshold. Only available on devices with log disks. This threshold can be set in the CLI using config system snmp sysinfo, set trap-log-full-threshold.
.104 Temperature too high (fnTrapTempHigh) A temperature sensor on the device has exceeded its threshold. Not all devices have thermal sensors. See the hardware manual for specifications.
.105 Voltage outside acceptable range (fnTrapVoltageOutOfRange) Power levels have fluctuated outside of normal levels. Not all devices have voltage monitoring instrumentation.
.106 Power supply failure (fnTrapPowerSupplyFailure) Power supply failure detected. Not available on all models. Available on some devices which support redundant power supplies.
.201 Interface IP change (fnTrapIpChange) The IP address for an interface has changed. The trap message includes the name of the interface, the new IP address and the serial number of the Fortinet unit. You can use this trap to track interface IP address changes for interfaces with dynamic IP addresses set using DHCP or PPPoE.
.999 Diagnostic trap (fnTrapTest) This trap is sent for diagnostic purposes. It has an OID index of .999.
Table 16: FortiGate VPN traps (OID 1.3.6.1.4.1.12356.1.3.0)
Index Trap message Description
.301 VPN tunnel is up (fgTrapVpnTunUp) An IPSec VPN tunnel has started.
.302 VPN tunnel down (fgTrapVpnTunDown) An IPSec VPN tunnel has shut down.
  Local gateway address (fgVpnTrapLocalGateway) Address of the local side of the VPN tunnel. This information is associated with both of the VPN tunnel traps. (OID 1.3.6.1.4.1.12356.101.12.3.1)
  Remote gateway address (fgVpnTrapRemoteGateway) Address of the remote side of the VPN tunnel. This information is associated with both of the VPN tunnel traps. (OID 1.3.6.1.4.1.12356.101.12.3.2)
Table 17: FortiGate IPS traps (OID 1.3.6.1.4.1.12356.1.3.0)
Index Trap message Description
.503 IPS Signature (fgTrapIpsSignature) IPS signature detected.
.504 IPS Anomaly (fgTrapIpsAnomaly) IPS anomaly detected.
.505 IPS Package Update (fgTrapIpsPkgUpdate) The IPS signature database has been updated.
  (fgIpsTrapSigId) ID of the IPS signature identified in the trap. (OID 1.3.6.1.4.1.12356.101.9.3.1)
  (fgIpsTrapSrcIp) IP address of the IPS signature trigger. (OID 1.3.6.1.4.1.12356.101.9.3.2)
  (fgIpsTrapSigMsg) Message associated with the IPS event. (OID 1.3.6.1.4.1.12356.101.9.3.3)
Table 18: FortiGate antivirus traps (OID 1.3.6.1.4.1.12356.1.3.0)
Index Trap message Description
.601 Virus detected (fgTrapAvVirus) The antivirus engine detected a virus in an infected file from an HTTP or FTP download or from an email message.
.602 Oversize file/email detected (fgTrapAvOversize) The antivirus scanner detected an oversized file.
.603 Filename block detected (fgTrapAvPattern) The antivirus scanner blocked a file that matched a known virus pattern.
.604 Fragmented file detected (fgTrapAvFragmented) The antivirus scanner detected a fragmented file or attachment.
.605 (fgTrapAvEnterConserve) The AV engine entered conservation mode due to low memory conditions.
.606 (fgTrapAvBypass) The AV scanner has been bypassed due to conservation mode.
.607 (fgTrapAvOversizePass) An oversized file has been detected, but has been passed due to configuration.
.608 (fgTrapAvOversizeBlock) An oversized file has been detected, and has been blocked.
  (fgAvTrapVirName) The virus name that triggered the event. (OID 1.3.6.1.4.1.12356.101.8.3.1)
Fortinet and FortiGate MIB fields
The FortiGate MIB contains fields reporting current FortiGate unit status information. The tables below list the names of the MIB fields and describe the status information available for each one. You can view more details about the information available from all Fortinet and FortiGate MIB fields by compiling the FORTINET-CORE-MIB.mib and FORTINET-FORTIGATE-MIB.mib files into your SNMP manager and browsing the MIB fields on your computer.
To help locate a field, the object identifier (OID) number for each table of fields has been included. The OID number for a field is that field's position within the table, starting at 0. For example, fnSysVersion has an OID of 1.3.6.1.4.1.12356.2.
The following tables include:
FortiGate HA MIB Information fields (OID 1.3.6.1.4.1.12356.101.13.1)
FortiGate HA unit stats fields (OID 1.3.6.1.4.1.12356.101.13.2)
FortiGate Administrator accounts (OID 1.3.6.1.4.1.12356.101)
FortiGate Virtual domains (OID 1.3.6.1.4.1.12356.101.3.1)
FortiGate Virtual domain table entries (OID 1.3.6.1.4.1.12356.101.3.2.1.1)
FortiGate Active IP sessions table (OID 1.3.6.1.4.1.12356.101.11.2.1.1)
FortiGate Firewall policy statistics table (OID 1.3.6.1.4.1.12356.101.5.1.2.1.1)
FortiGate Dialup VPN peers (OID 1.3.6.1.4.1.12356.101.12.2.1.1)
VPN Tunnel table (OID 1.3.6.1.4.1.12356.101.12.2.2.1)
Table 19: FortiGate HA traps (OID 1.3.6.1.4.1.12356.1.3.0)
Index Trap message Description
.401 HA switch (fgTrapHaSwitch) The specified cluster member has transitioned from a slave role to a master role.
.402 HA State Change (fgTrapHaStateChange) The trap sent when the HA cluster member changes its state.
.403 HA Heartbeat Failure (fgTrapHaHBFail) The heartbeat failure count has exceeded the configured threshold.
.404 HA Member Unavailable (fgTrapHaMemberDown) An HA member becomes unavailable to the cluster.
.405 HA Member Available (fgTrapHaMemberUp) An HA member becomes available to the cluster.
  (fgHaTrapMemberSerial) Serial number of an HA cluster member. Used to identify the origin of a trap when a cluster is configured. (OID 1.3.6.1.4.1.12356.101.13.3.1)
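The trap tables above give a base OID, a per-trap index, and the objects that travel with each trap. The script below, an added example and not Fortinet code, turns that into a trap-handling routine for net-snmp's snmptrapd. It assumes the documented traphandle convention (the trap arrives on stdin as the sending host name, the sending address, then one "OID value" line per varbind, with snmptrapd run with -On so OIDs are numeric), maps the trap OID to its MIB name using the indexes in Tables 14 to 19, names the attached objects from the OIDs listed in Tables 16 to 19 plus the MIB II sysName, and applies a triage policy. The triage policy, the second accepted trap prefix (the FortiGate subtree used by later MIBs), and both sample traps are assumptions made for this example, not statements from the guide.

```python
"""Decode FortiGate SNMP traps handed to an snmptrapd 'traphandle' script (added example)."""
import re
import sys
from typing import Dict, List, Tuple

# Every trap table in this section hangs off this base; the trap index is the last arc.
FN_TRAP_PREFIX = "1.3.6.1.4.1.12356.1.3.0"
# Assumption: later Fortinet MIBs root FortiGate-specific traps under the FortiGate
# subtree; accepting that prefix too keeps the handler working after a MIB upgrade.
FG_TRAP_PREFIX = "1.3.6.1.4.1.12356.101.2.0"
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"  # snmpTrapOID.0 carries the trap's own OID
SYS_UPTIME_OID = "1.3.6.1.2.1.1.3.0"     # sysUpTime.0, first varbind of a v2c trap

# Trap index -> MIB name (Tables 14 to 19).
TRAP_NAMES: Dict[int, str] = {
    1: "coldStart", 2: "warmStart", 3: "linkUp", 4: "linkDown",
    101: "fnTrapCpuThreshold", 102: "fnTrapMemThreshold", 103: "fnTrapLogDiskThreshold",
    104: "fnTrapTempHigh", 105: "fnTrapVoltageOutOfRange", 106: "fnTrapPowerSupplyFailure",
    201: "fnTrapIpChange", 999: "fnTrapTest", 301: "fgTrapVpnTunUp", 302: "fgTrapVpnTunDown",
    401: "fgTrapHaSwitch", 402: "fgTrapHaStateChange", 403: "fgTrapHaHBFail",
    404: "fgTrapHaMemberDown", 405: "fgTrapHaMemberUp", 503: "fgTrapIpsSignature",
    504: "fgTrapIpsAnomaly", 505: "fgTrapIpsPkgUpdate", 601: "fgTrapAvVirus",
    602: "fgTrapAvOversize", 603: "fgTrapAvPattern", 604: "fgTrapAvFragmented",
    605: "fgTrapAvEnterConserve", 606: "fgTrapAvBypass", 607: "fgTrapAvOversizePass",
    608: "fgTrapAvOversizeBlock",
}
# Objects that ride along with traps; scalars arrive with a trailing .0 instance.
VARBIND_NAMES: Dict[str, str] = {
    "1.3.6.1.2.1.1.5": "sysName",  # RFC 1213 MIB II
    "1.3.6.1.4.1.12356.101.12.3.1": "fgVpnTrapLocalGateway",
    "1.3.6.1.4.1.12356.101.12.3.2": "fgVpnTrapRemoteGateway",
    "1.3.6.1.4.1.12356.101.9.3.1": "fgIpsTrapSigId",
    "1.3.6.1.4.1.12356.101.9.3.2": "fgIpsTrapSrcIp",
    "1.3.6.1.4.1.12356.101.9.3.3": "fgIpsTrapSigMsg",
    "1.3.6.1.4.1.12356.101.8.3.1": "fgAvTrapVirName",
    "1.3.6.1.4.1.12356.101.13.3.1": "fgHaTrapMemberSerial",
}
# Example triage policy (an assumption, not a Fortinet recommendation): page on traps
# that mean a protection has stopped working or a cluster member is gone.
PAGE_IMMEDIATELY = {"fgTrapHaMemberDown", "fgTrapHaHBFail", "fnTrapPowerSupplyFailure",
                    "fgTrapVpnTunDown", "fgTrapAvEnterConserve", "fgTrapAvBypass"}
TYPE_PREFIX = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): (.*)$")


def trap_name(oid: str) -> str:
    """Map a full trap OID (base + index) to its MIB name, or unknown(<oid>)."""
    for prefix in (FN_TRAP_PREFIX, FG_TRAP_PREFIX):
        if oid.startswith(prefix + "."):
            index = oid[len(prefix) + 1:]
            if index.isdigit() and int(index) in TRAP_NAMES:
                return TRAP_NAMES[int(index)]
    return "unknown(" + oid + ")"


def varbind_name(oid: str) -> str:
    """Name a varbind OID, tolerating the .0 instance suffix on scalar objects."""
    if oid in VARBIND_NAMES:
        return VARBIND_NAMES[oid]
    if oid.endswith(".0") and oid[:-2] in VARBIND_NAMES:
        return VARBIND_NAMES[oid[:-2]]
    return oid


def clean_value(value: str) -> str:
    """Drop the 'TYPE: ' prefix and quotes snmptrapd adds when quick print is off."""
    value = value.strip()
    m = TYPE_PREFIX.match(value)
    if m:
        value = m.group(2)
    return value.strip().strip('"')


def parse_traphandle(text: str) -> Tuple[str, str, List[Tuple[str, str]]]:
    """Split traphandle stdin into (host, address, [(oid, value), ...])."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2:
        raise ValueError("traphandle input needs a host line and an address line")
    varbinds = []
    for line in lines[2:]:
        oid, _, value = line.strip().partition(" ")
        varbinds.append((oid.lstrip("."), clean_value(value)))
    return lines[0].strip(), lines[1].strip(), varbinds


def decode_trap(text: str) -> Dict[str, object]:
    """Return the trap name, its named fields and whether the triage policy pages on it."""
    host, addr, varbinds = parse_traphandle(text)
    name = trap_name(dict(varbinds).get(SNMP_TRAP_OID, ""))
    fields = {varbind_name(oid): value for oid, value in varbinds
              if oid not in (SNMP_TRAP_OID, SYS_UPTIME_OID)}
    return {"host": host, "addr": addr, "trap": name, "fields": fields,
            "page": name in PAGE_IMMEDIATELY}


# Constructed sample (quick-print form): an IPS signature trap with its three objects.
SAMPLE_IPS_TRAP = """fgt-edge-1
192.0.2.10
1.3.6.1.2.1.1.3.0 1:02:03:04.05
1.3.6.1.6.3.1.1.4.1.0 1.3.6.1.4.1.12356.1.3.0.503
1.3.6.1.2.1.1.5.0 fgt-edge-1
1.3.6.1.4.1.12356.101.9.3.1.0 12345
1.3.6.1.4.1.12356.101.9.3.2.0 198.51.100.7
1.3.6.1.4.1.12356.101.9.3.3.0 constructed.signature.name
"""
# Constructed sample with type prefixes (quick print off): AV scanning bypassed.
SAMPLE_AV_BYPASS_TRAP = """fgt-edge-1
192.0.2.10
1.3.6.1.2.1.1.3.0 Timeticks: (8820567) 1 day, 0:30:05.67
1.3.6.1.6.3.1.1.4.1.0 OID: 1.3.6.1.4.1.12356.1.3.0.606
1.3.6.1.2.1.1.5.0 STRING: "fgt-edge-1"
"""

if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPS_TRAP
    print(decode_trap(raw))
```

Wire it in with a `traphandle default /path/to/this_script.py` line in snmptrapd.conf (an assumed path) and feed the returned dictionary to whatever alerting you use. fgTrapAvBypass and fgTrapAvEnterConserve are in the page-immediately set because they mean traffic is passing without antivirus scanning, which is a security event rather than a capacity one.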
Table 20: FortiGate HA MIB Information fields (OID 1.3.6.1.4.1.12356.101.13.1)
MIB field Description Index
fgHaSystemMode High-availability mode (Standalone, A-A or A-P). .1
fgHaGroupId HA cluster group ID. .2
fgHaPriority HA clustering priority (the MIB description gives 127 as the default; the default device priority shown in the web-based manager is 128). .3
fgHaOverride Status of a master override flag. .4
fgHaAutoSync Status of an automatic configuration synchronization. .5
fgHaSchedule Load balancing schedule for cluster in Active-Active mode. .6
fgHaGroupName HA cluster group name. .7
fgHaTrapMemberSerial Serial number of an HA cluster member. .8
Table 21: FortiGate HA unit stats fields (OID 1.3.6.1.4.1.12356.101.13.2)
MIB field Description Index
fgHaStatsTable Statistics for the individual FortiGate units in the HA cluster.
fgHaStatsIndex The index number of the unit in the cluster. .1
fgHaStatsSerial The FortiGate unit serial number. .2
fgHaStatsCpuUsage The current FortiGate unit CPU usage (%). .3
fgHaStatsMemUsage The current unit memory usage (%). .4
fgHaStatsNetUsage The current unit network utilization (Kbps). .5
fgHaStatsSesCount The number of active sessions. .6
fgHaStatsPktCount The number of packets processed. .7
fgHaStatsByteCount The number of bytes processed by the FortiGate unit. .8
fgHaStatsIdsCount The number of attacks that the IPS detected in the last 20 hours. .9
fgHaStatsAvCount The number of viruses that the antivirus system detected in the last 20 hours. .10
fgHaStatsHostname Hostname of the HA cluster unit. .11
Table 22: FortiGate Administrator accounts (OID 1.3.6.1.4.1.12356.101)
MIB field Description Index
fgAdminIdleTimeout Idle period after which an administrator is automatically logged out of the system. .1
fgAdminLcdProtection Status of the LCD protection, either enabled or disabled. .2
fgAdminTable Table of administrators on this FortiGate unit.
fgAdminVdom The virtual domain the administrator belongs to. (OID 1.3.6.1.4.1.12356.101.6.1.2.1.1.1)
Table 23: FortiGate Virtual domains (OID 1.3.6.1.4.1.12356.101.3.1)
MIB field Description Index
fgVdInfo FortiGate unit Virtual Domain related information.
fgVdNumber The number of virtual domains configured on this FortiGate unit. .1
fgVdMaxVdoms The maximum number of virtual domains allowed on the FortiGate unit as allowed by hardware or licensing. .2
fgVdEnabled Whether virtual domains are enabled on this FortiGate unit. .3
Table 24: FortiGate Virtual domain table entries (OID 1.3.6.1.4.1.12356.101.3.2.1.1)
MIB field Description Index
fgVdTable.fgVdEntry Table of information about each virtual domain; each virtual domain has an fgVdEntry. Each entry has the following fields.
fgVdEntIndex Internal virtual domain index used to uniquely identify entries in this table. This index is also used by other tables referencing a virtual domain. .1
fgVdEntName The name of the virtual domain. .2
fgVdEntOpMode Operation mode of this virtual domain, either NAT or Transparent. .3
Table 25: FortiGate Active IP sessions table (OID 1.3.6.1.4.1.12356.101.11.2.1.1)
MIB field Description Index
fgIpSessIndex The index number of the IP session within the fgIpSessTable table. .1
fgIpSessProto The IP protocol the session is using (IP, TCP, UDP, etc.). .2
fgIpSessFromAddr The source IPv4 address of the active IP session. .3
fgIpSessFromPort The source port of the active IP session (UDP and TCP only). .4
fgIpSessToAddr The destination IPv4 address of the active IP session. .5
fgIpSessToPort The destination port of the active IP session (UDP and TCP only). .6
fgIpSessExp The number of seconds remaining until the session expires (if idle). .7
fgIpSessVdom Virtual domain the session is part of. Corresponds to the index in fgVdTable. .8
fgIpSessStatsTable IP session statistics table for the virtual domain.
fgIpSessStatsEntry.fgIpSessNumber Total sessions on this virtual domain. (OID 1.3.6.1.4.1.12356.101.11.2.1.2.1.1)
Table 26: FortiGate Firewall policy statistics table (OID 1.3.6.1.4.1.12356.101.5.1.2.1.1)
MIB field Description Index
fgFwPolicyStatsTable.fgFwPolicyStatsEntry Entries in the table for firewall policy statistics on a virtual domain.
fgFwPolicyID Firewall policy ID. Only enabled policies are available for querying. Policy IDs are only unique within a virtual domain. .1
fgFwPolicyPktCount Number of packets matched to the policy (passed or blocked, depending on the policy action). Count is from the time the policy became active. .2
fgFwPolicyByteCount Number of bytes matched to the policy (passed or blocked, depending on the policy action). Count is from the time the policy became active. .3
Table 27: FortiGate Dialup VPN peers (OID 1.3.6.1.4.1.12356.101.12.2.1.1)
MIB field Description Index
fgVpnDialupIndex An index value that uniquely identifies a VPN dial-up peer in the table. .1
fgVpnDialupGateway The remote gateway IP address on the tunnel. .2
fgVpnDialupLifetime VPN tunnel lifetime in seconds. .3
fgVpnDialupTimeout Time remaining until the next key exchange (seconds) for this tunnel. .4
fgVpnDialupSrcBegin Remote subnet address of the tunnel. .5
fgVpnDialupSrcEnd Remote subnet mask of the tunnel. .6
fgVpnDialupDstAddr Local subnet address of the tunnel. .7
fgVpnDialupVdom The virtual domain this tunnel is part of. This index corresponds to the index in fgVdTable. .8
fgVpnDialUpInOctets The number of bytes received over the tunnel. .9
fgVpnDialUpOutOctets The number of bytes sent over the tunnel. .10
Table 28: VPN Tunnel table (OID 1.3.6.1.4.1.12356.101.12.2.2.1)
MIB field Description Index
fgVpnTunEntIndex An index value that uniquely identifies a VPN tunnel within the VPN tunnel table. .1
fgVpnTunEntPhase1Name The descriptive name of the Phase1 configuration for the tunnel. .2
fgVpnTunEntPhase2Name The descriptive name of the Phase2 configuration for the tunnel. .3
fgVpnTunEntRemGwyIp The IP of the remote gateway used by the tunnel. .4
fgVpnTunEntRemGwyPort The port of the remote gateway used by the tunnel, if it is UDP. .5
fgVpnTunEntLocGwyIp The IP of the local gateway used by the tunnel. .6
fgVpnTunEntLocGwyPort The port of the local gateway used by the tunnel, if it is UDP. .7
fgVpnTunEntSelectorSrcBeginIp Beginning of the address range of the source selector. .8
fgVpnTunEntSelectorSrcEndIp Ending of the address range of the source selector. .9
fgVpnTunEntSelectorSrcPort Source selector port. .10
fgVpnTunEntSelectorDstBeginIp Beginning of the address range of the destination selector. .11
fgVpnTunEntSelectorDstEndIp Ending of the address range of the destination selector. .12
fgVpnTunEntSelectorDstPort Destination selector port. .13
fgVpnTunEntSelectorProto Protocol number for the selector. .14
fgVpnTunEntLifeSecs Lifetime of the tunnel in seconds, if a time-based lifetime is used. .15
fgVpnTunEntLifeBytes Lifetime of the tunnel in bytes, if a byte-transfer-based lifetime is used. .16
fgVpnTunEntTimeout Timeout of the tunnel in seconds. .17
fgVpnTunEntInOctets Number of bytes received on the tunnel. .18
fgVpnTunEntOutOctets Number of bytes sent out on the tunnel. .19
fgVpnTunEntStatus Current status of the tunnel, either up or down. .20
fgVpnTunEntVdom Virtual domain the tunnel belongs to. This index corresponds to the index used in fgVdTable. .21
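The field tables above describe each table's entry OID and the column index of every field; a cell queried from the agent is the entry OID followed by the column number and the row index. The following script, an added example and not Fortinet code, rebuilds rows from the text that `snmpwalk -On` prints for such a table and runs a health check over the VPN Tunnel table (Table 28): tunnels that are down, and tunnels that report up but have received no bytes, which usually means the far side is not sending. The same parser also handles the firewall policy statistics table (Table 26), whose row index is assumed here to be the VDOM index followed by the policy ID. The numeric encoding of fgVpnTunEntStatus (down as 1, up as 2), the "no inbound bytes" heuristic and the sample walk output are assumptions for this example, not statements from the guide.

```python
"""Rebuild FortiGate MIB table rows from snmpwalk output and check VPN tunnel health (added example)."""
import re
import sys
from typing import Dict, Iterable, List, Tuple

# fgVpnTunEntry (Table 28) and the columns the health check reads.
VPN_TUN_ENTRY = "1.3.6.1.4.1.12356.101.12.2.2.1"
VPN_TUN_COLUMNS = {2: "fgVpnTunEntPhase1Name", 4: "fgVpnTunEntRemGwyIp",
                   18: "fgVpnTunEntInOctets", 19: "fgVpnTunEntOutOctets",
                   20: "fgVpnTunEntStatus", 21: "fgVpnTunEntVdom"}
# fgFwPolicyStatsEntry (Table 26). Assumption: the row index is <VDOM index>.<policy ID>;
# the parser keeps everything after the column number as the index, so two arcs work too.
FW_POLICY_ENTRY = "1.3.6.1.4.1.12356.101.5.1.2.1.1"
FW_POLICY_COLUMNS = {1: "fgFwPolicyID", 2: "fgFwPolicyPktCount", 3: "fgFwPolicyByteCount"}

# One snmpwalk -On line: ".<oid> = <TYPE>: <value>" (the TYPE part is optional).
WALK_LINE = re.compile(r"^\.?(?P<oid>[0-9.]+)\s*=\s*(?:[A-Za-z][A-Za-z0-9-]*:\s*)?(?P<value>.*)$")
Rows = Dict[str, Dict[str, str]]


def parse_walk_line(line: str) -> Tuple[str, str]:
    """'.1.3.6.1.2.1.1.5.0 = STRING: "fgt"' -> ('1.3.6.1.2.1.1.5.0', 'fgt')."""
    m = WALK_LINE.match(line.strip())
    if not m:
        raise ValueError("not an snmpwalk line: " + line)
    return m.group("oid"), m.group("value").strip().strip('"')


def walk_table(lines: Iterable[str], entry_oid: str, columns: Dict[int, str]) -> Rows:
    """Group the cells under one table entry into rows keyed by their index string."""
    rows: Rows = {}
    for line in lines:
        if not line.strip():
            continue
        oid, value = parse_walk_line(line)
        if not oid.startswith(entry_oid + "."):
            continue  # cell belongs to a different table
        column, _, index = oid[len(entry_oid) + 1:].partition(".")
        name = columns.get(int(column)) if column.isdigit() else None
        if name and index:
            rows.setdefault(index, {})[name] = value
    return rows


def tunnel_state(raw: str) -> str:
    """Normalise fgVpnTunEntStatus to 'up'/'down'. Assumption: the MIB encodes down(1), up(2)."""
    text = raw.split("(")[0].strip().lower()
    return {"1": "down", "2": "up"}.get(text, text)


def unhealthy_tunnels(rows: Rows) -> List[str]:
    """Tunnels that are down, plus tunnels that are up but have received no bytes (heuristic)."""
    findings = []
    for index, row in sorted(rows.items(), key=lambda kv: [int(a) for a in kv[0].split(".")]):
        name = row.get("fgVpnTunEntPhase1Name", "index " + index)
        state = tunnel_state(row.get("fgVpnTunEntStatus", ""))
        if state != "up":
            findings.append(f"{name}: {state}")
        elif row.get("fgVpnTunEntInOctets", "0") == "0":
            findings.append(f"{name}: up but no inbound traffic")
    return findings


# Constructed sample walk: three tunnels plus one firewall policy row (VDOM 1, policy 5).
SAMPLE_WALK = """
.1.3.6.1.4.1.12356.101.12.2.2.1.2.1 = STRING: "to-branch-a"
.1.3.6.1.4.1.12356.101.12.2.2.1.4.1 = IpAddress: 198.51.100.20
.1.3.6.1.4.1.12356.101.12.2.2.1.18.1 = Counter32: 5120000
.1.3.6.1.4.1.12356.101.12.2.2.1.19.1 = Counter32: 3987654
.1.3.6.1.4.1.12356.101.12.2.2.1.20.1 = INTEGER: up(2)
.1.3.6.1.4.1.12356.101.12.2.2.1.21.1 = INTEGER: 1
.1.3.6.1.4.1.12356.101.12.2.2.1.2.2 = STRING: "to-branch-b"
.1.3.6.1.4.1.12356.101.12.2.2.1.4.2 = IpAddress: 203.0.113.9
.1.3.6.1.4.1.12356.101.12.2.2.1.18.2 = Counter32: 0
.1.3.6.1.4.1.12356.101.12.2.2.1.19.2 = Counter32: 0
.1.3.6.1.4.1.12356.101.12.2.2.1.20.2 = INTEGER: down(1)
.1.3.6.1.4.1.12356.101.12.2.2.1.21.2 = INTEGER: 1
.1.3.6.1.4.1.12356.101.12.2.2.1.2.3 = STRING: "to-partner"
.1.3.6.1.4.1.12356.101.12.2.2.1.4.3 = IpAddress: 192.0.2.77
.1.3.6.1.4.1.12356.101.12.2.2.1.18.3 = Counter32: 0
.1.3.6.1.4.1.12356.101.12.2.2.1.19.3 = Counter32: 88120
.1.3.6.1.4.1.12356.101.12.2.2.1.20.3 = INTEGER: 2
.1.3.6.1.4.1.12356.101.12.2.2.1.21.3 = INTEGER: 2
.1.3.6.1.4.1.12356.101.5.1.2.1.1.1.1.5 = INTEGER: 5
.1.3.6.1.4.1.12356.101.5.1.2.1.1.2.1.5 = Counter64: 120034
.1.3.6.1.4.1.12356.101.5.1.2.1.1.3.1.5 = Counter64: 98331200
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WALK
    for finding in unhealthy_tunnels(walk_table(text.splitlines(), VPN_TUN_ENTRY, VPN_TUN_COLUMNS)):
        print(finding)
```

Feed it a file saved from `snmpwalk -On -v2c -c <community> <fortigate> 1.3.6.1.4.1.12356.101.12.2.2.1` (a read-only community or v3 user is enough, since the agent is read-only anyway) and the script prints one line per tunnel that needs attention.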
Replacement messages
Go to System > Config > Replacement Message to change replacement messages and
customize alert email and information that the FortiGate unit adds to content streams such
as email messages, web pages, and FTP sessions.
The FortiGate unit adds replacement messages to a variety of content streams. For
example, if a virus is found in an email message attachment, the file is removed from the
email and replaced with a replacement message. The same applies to pages blocked by
web filtering and email blocked by email filtering.
VDOM and global replacement messages
FortiGate units include global replacement messages that are used by all
VDOMs. At the global level you can customize replacement messages or
reset modified messages to their factory defaults. If you decide to revert a customized
message to the default message you can view the customized message in the
replacement messages list and select a Reset icon to revert the message to the default
version.
In each VDOM you can customize any replacement message for that
VDOM as needed, overriding the global message. If you decide to revert a
customized message to the global message you can view the customized message in the
replacement messages list and select a Reset icon to revert the message to use the
global version of this message.
Viewing the replacement messages list
To view the replacement messages list, go to System > Config > Replacement Message.
You use the replacement messages list to view and customize replacement messages to your requirements. The list organizes replacement messages into a number of types (for example, Mail, HTTP, and so on). Use the expand arrow beside each type to display the replacement messages for that category. Select the Edit icon beside each replacement message to customize that message for your requirements.
If you are viewing the replacement messages list in a VDOM, any messages that have been customized for that VDOM are displayed with a Reset icon that you can use to reset the replacement message to the global version.
Note: Disclaimer replacement messages provided by Fortinet are examples only.
Figure 107: Replacement messages list
Changing replacement messages
To change a replacement message, go to System > Config > Replacement Message.
Use the expand arrows to view the replacement message that you want to change. You
can change the content of the replacement message by editing the text and HTML codes
and by working with replacement message tags. For descriptions of the replacement
message tags, see Table 39 on page 236.
Name: The replacement message category. Select the expand arrow to expand or collapse the category. Each category contains several replacement messages that are used by different FortiGate features. The replacement messages are described below.
Description: A description of the replacement message.
Edit or view icon: Select to change or view a replacement message.
Reset icon: Only displayed in a VDOM replacement message list. Select to revert to the global version of this replacement message.
Note: FortiOS uses HTTP to send the Authentication Disclaimer page for the user to accept
before the firewall policy is in effect. Therefore, the user must initiate HTTP traffic first in
order to trigger the Authentication Disclaimer page. Once the Disclaimer is accepted, the
user can send whatever traffic is allowed by the firewall policy.
Figure 108: Sample HTTP virus replacement message
Replacement messages can be text or HTML messages. You can add HTML code to
HTML messages. Allowed Formats shows you which format to use in the replacement
message. There is a limit of 8192 characters for each replacement message. The
following fields and options are available when editing a replacement message. Different
replacement messages have different sets of fields and options.
You can customize the following categories of replacement messages:
Mail replacement messages
HTTP replacement messages
FTP replacement messages
NNTP replacement messages
Alert Mail replacement messages
Spam replacement messages
Administration replacement message
User authentication replacement messages
FortiGuard Web Filtering replacement messages
IM and P2P replacement messages
Endpoint NAC replacement messages
NAC quarantine replacement messages
Traffic quota control replacement messages
SSL VPN replacement message
Message Setup: The name of the replacement message.
Allowed Formats: The type of content that can be included in the replacement message. Allowed formats can be Text or HTML. You should not use HTML code in Text messages. You can include replacement message tags in text and HTML messages.
Size: The number of characters allowed in the replacement message. Usually size is 8192 characters.
Message Text: The editable text of the replacement message. The message text can include text, HTML codes (if HTML is the allowed format) and replacement message tags.
Mail replacement messages
The FortiGate unit sends the mail replacement messages listed in Table 29 to email
clients and servers using IMAP, POP3, or SMTP when an event occurs such as antivirus
blocking a file attached to an email that contains a virus. Email replacement messages are
text messages.
If the FortiGate unit supports SSL content scanning and inspection these replacement
messages can also be added to IMAPS, POP3S, and SMTPS email messages.
Table 29: Mail replacement messages
Virus message: Antivirus Virus Scan enabled for an email protocol in a protection profile deletes an infected file from an email message and replaces the file with this message.
File block message: When the antivirus File Filter enabled for an email protocol in a protection profile deletes a file that matches an entry in the selected file filter list, the file is blocked and the email is replaced with this message.
Oversized file message: When the antivirus Oversized File/Email is set to Block for an email protocol in a protection profile and removes an oversized file from an email message, the file is replaced with this message.
Fragmented email: In a protection profile, antivirus Pass Fragmented Emails is not enabled, so a fragmented email is blocked. This message replaces the first fragment of the fragmented email.
Data leak prevention message: In a DLP sensor, a rule with action set to Block replaces a blocked email message with this message.
Subject of data leak prevention message: This message is added to the subject field of all email messages replaced by the DLP sensor Block, Ban, Ban Sender, Quarantine IP address, and Quarantine interface actions.
Banned by data leak prevention message: In a DLP sensor, a rule with action set to Ban replaces a blocked email message with this message. This message also replaces any additional email messages that the banned user sends until they are removed from the banned user list.
Sender banned by data leak prevention message: In a DLP sensor, a rule with action set to Ban Sender replaces a blocked email message with this message. This message also replaces any additional email messages that the banned user sends until the user is removed from the banned user list.
Virus message (splice mode): Splice mode is enabled and the antivirus system detects a virus in an SMTP email message. The FortiGate unit aborts the SMTP session and returns a 554 SMTP error message to the sender that includes this replacement message.
File block message (splice mode): Splice mode is enabled and the antivirus file filter deleted a file from an SMTP email message. The FortiGate unit aborts the SMTP session and returns a 554 SMTP error message to the sender that includes this replacement message.
Oversized file message (splice mode): Splice mode is enabled, antivirus Oversized File/Email is set to Block, and the FortiGate unit blocks an oversize SMTP email message. The FortiGate unit aborts the SMTP session and returns a 554 SMTP error message to the sender that includes this replacement message.
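To show what the sender actually sees when a splice-mode message fires, here is an added Python example (written for this guide edit, not FortiOS code or Fortinet's own): a minimal loopback SMTP responder plays the part of the gateway described in the splice-mode rows, accepting the envelope and body and then aborting with a 554 reply that carries a replacement message, and a client built on the standard smtplib module sends one message through it. The hostnames, addresses, message body and the replacement text are all constructed for the example.

```python
import smtplib
import socket
import threading

# Constructed replacement text for this example; the real default wording is not on the page.
VIRUS_SPLICE_MESSAGE = "Message blocked: the attachment contained a virus and was not delivered."


def _splice_mode_server(listener, seen):
    """Minimal SMTP responder behaving as the guide describes for splice mode: accept the
    envelope, take the message body, then abort the session with a 554 reply that carries
    the replacement message. A simulation written for the example, not FortiOS code."""
    conn, _ = listener.accept()
    conn.settimeout(5)
    with conn, conn.makefile("rb") as reader:
        conn.sendall(b"220 gateway.example.test ESMTP\r\n")
        while True:
            line = reader.readline()
            if not line:
                break
            command = line.strip().upper()
            if command.startswith((b"EHLO", b"HELO")):
                conn.sendall(b"250 gateway.example.test\r\n")
            elif command.startswith((b"MAIL FROM", b"RCPT TO")):
                conn.sendall(b"250 OK\r\n")
            elif command == b"DATA":
                conn.sendall(b"354 End data with <CR><LF>.<CR><LF>\r\n")
                body_lines = 0
                while True:
                    part = reader.readline()
                    if not part or part == b".\r\n":
                        break
                    body_lines += 1
                seen["body_lines"] = body_lines
                # A multi-line reply: "554-" on continuation lines, "554 " on the last one.
                conn.sendall(b"554-Transaction failed\r\n"
                             b"554 " + VIRUS_SPLICE_MESSAGE.encode("ascii") + b"\r\n")
                break  # leaving the with-block closes the socket, aborting the session
            else:
                conn.sendall(b"250 OK\r\n")


def send_through_gateway(host, port):
    """Send a constructed message the way a mail client or MTA would and return the
    (reply code, reply text) the sender ends up with."""
    message = ("From: alice@example.test\r\nTo: bob@example.test\r\n"
               "Subject: quarterly report\r\n\r\nSee attachment.\r\n")
    try:
        with smtplib.SMTP(host, port, local_hostname="client.example.test", timeout=5) as client:
            client.sendmail("alice@example.test", ["bob@example.test"], message)
    except smtplib.SMTPDataError as err:
        # smtplib raises on the 554 that follows the message body; the reply text is the
        # replacement message, with the continuation lines joined by newlines.
        return err.smtp_code, err.smtp_error.decode("ascii")
    return 250, "accepted"


def demo():
    """Run the simulated gateway on a loopback port and send one message through it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    seen = {}
    server = threading.Thread(target=_splice_mode_server, args=(listener, seen), daemon=True)
    server.start()
    try:
        code, text = send_through_gateway("127.0.0.1", listener.getsockname()[1])
    finally:
        server.join(timeout=5)
        listener.close()
    return code, text, seen.get("body_lines", 0)


if __name__ == "__main__":
    print(demo())
```

Because 554 is a permanent failure code, a sending MTA does not retry; it generates a non-delivery report for the original author and the replacement text is what that report quotes, so the splice-mode message is the wording an administrator should expect end users to read in their bounce.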
HTTP replacement messages
The FortiGate unit sends the HTTP replacement messages listed in Table 30 to web
browsers using the HTTP protocol when an event occurs such as antivirus blocking a file
that contains a virus in an HTTP session. HTTP replacement messages are HTML pages.
If the FortiGate unit supports SSL content scanning and inspection and if Protocol
Recognition > HTTPS Content Filtering Mode is set to Deep Scan in the protection profile,
these replacement messages can also replace web pages downloaded using the HTTPS
protocol.
Table 30: HTTP replacement messages
Virus message: Antivirus Virus Scan enabled for HTTP or HTTPS in a protection profile deletes an infected file being downloaded using an HTTP GET and replaces the file with this web page that is displayed by the client browser.
Infection cache message: Client comforting is enabled in a protection profile and the FortiGate unit blocks a URL added to the client comforting URL cache and replaces the blocked URL with this web page. For more information about the client comforting URL cache, see HTTP and FTP client comforting on page 479.
File block message: Antivirus File Filter enabled for HTTP or HTTPS in a protection profile blocks a file being downloaded using an HTTP GET that matches an entry in the selected file filter list and replaces it with this web page that is displayed by the client browser.
Oversized file message: Antivirus Oversized File/Email set to Block for HTTP or HTTPS in a protection profile blocks an oversized file being downloaded using an HTTP GET and replaces the file with this web page that is displayed by the client browser.
Data leak prevention message: In a DLP sensor, a rule with action set to Block replaces a blocked web page or file with this web page.
Banned by data leak prevention message: In a DLP sensor, a rule with action set to Ban replaces a blocked web page or file with this web page. This web page also replaces any additional web pages or files that the banned user attempts to access until the user is removed from the banned user list.
Banned word message: Web content filtering enabled in a protection profile blocks a web page being downloaded with an HTTP GET that contains content that matches an entry in the selected Web Content Filter list. The blocked page is replaced with this web page.
Content-type block message: Email headers include information about content types such as image for pictures, and so on. If a specific content-type is blocked, the blocked message is replaced with this web page.
URL block message: Web URL filtering enabled in a protection profile blocks a web page with a URL that matches an entry in the selected URL Filter list. The blocked page is replaced with this web page.
Client block: Antivirus File Filter enabled for HTTP or HTTPS in a protection profile blocks a file being uploaded by an HTTP POST that matches an entry in the selected file filter list and replaces it with this web page that is displayed by the client browser.
Client anti-virus: Antivirus Virus Scan enabled for HTTP or HTTPS in a protection profile deletes an infected file being uploaded using an HTTP PUT and replaces the file with this web page that is displayed by the client browser.
Client filesize: In a protection profile, antivirus Oversized File/Email set to Block for HTTP or HTTPS and an oversized file that is being uploaded with an HTTP PUT is blocked and replaced with this web page.
Client banned word: Web content filtering enabled in a protection profile blocks a web page being uploaded with an HTTP PUT that contains content that matches an entry in the selected Web Content Filter list. The client browser displays this web page.
POST block: HTTP POST Action is set to Block in a protection profile and the FortiGate unit blocks an HTTP POST and displays this web page.
FTP replacement messages
The FortiGate unit sends the FTP replacement messages listed in Table 31 to FTP clients
when an event occurs such as antivirus blocking a file that contains a virus in an FTP
session. FTP replacement messages are text messages.
NNTP replacement messages
The FortiGate unit sends the NNTP replacement messages listed in Table 32 to NNTP
clients when an event occurs such as antivirus blocking a file attached to an NNTP
message that contains a virus. NNTP replacement messages are text messages.
Table 31: FTP replacement messages
Virus message: Antivirus Virus Scan enabled for FTP in a protection profile deletes an infected file being downloaded using FTP and sends this message to the FTP client.
Blocked message: Antivirus File Filter enabled for FTP in a protection profile blocks a file being downloaded using FTP that matches an entry in the selected file filter list and sends this message to the FTP client.
Oversized message: Antivirus Oversized File/Email set to Block for FTP in a protection profile blocks an oversize file from being downloaded using FTP and sends this message to the FTP client.
DLP message: In a DLP sensor, a rule with action set to Block replaces a blocked FTP download with this message.
DLP ban message: In a DLP sensor, a rule with action set to Ban blocks an FTP session and displays this message. This message is displayed whenever the banned user attempts an FTP session until the user is removed from the banned user list.
Table 32: NNTP replacement messages
Virus message: Antivirus Virus Scan enabled for NNTP in a protection profile deletes an infected file attached to an NNTP message and sends this message to the NNTP client.
Blocked message: Antivirus File Filter enabled for NNTP in a protection profile blocks a file attached to an NNTP message that matches an entry in the selected file filter list and sends this message to the NNTP client.
Oversized message: Antivirus Oversized File/Email set to Block for NNTP in a protection profile removes an oversized file from an NNTP message and replaces the file with this message.
Data leak prevention message: In a DLP sensor, a rule with action set to Block replaces a blocked NNTP message with this message.
Subject of data leak prevention message: This message is added to the subject field of all NNTP messages replaced by the DLP sensor Block, Ban, Quarantine IP address, and Quarantine interface actions.
Banned by data leak prevention message: In a DLP sensor, a rule with action set to Ban replaces a blocked NNTP message with this message. This message also replaces any additional NNTP messages that the banned user sends until they are removed from the banned user list.
Alert Mail replacement messages
The FortiGate unit adds the alert mail replacement messages listed in Table 33 to alert
email messages sent to administrators. For more information about alert email, see
Configuring Alert Email on page 709. Alert mail replacement messages are text
messages.
Spam replacement messages
The FortiGate unit adds the Spam replacement messages listed in Table 34 to SMTP
server responses if the email message is identified as spam and the spam action is
discard. If the FortiGate unit supports SSL content scanning and inspection these
replacement messages can also be added to SMTPS server responses.
Table 33: Alert mail replacement messages
Virus message: Virus detected must be enabled for alert email. Antivirus Virus Scan must be enabled in a protection profile and detect a virus.
Block message: Virus detected must be enabled for alert email. Antivirus File Filter must be enabled in a protection profile, and block a file that matches an entry in a selected file filter list.
Intrusion message: Intrusion detected enabled for alert email. An IPS Sensor or a DoS Sensor detects an attack.
Critical event message: Whenever a critical level event log message is generated, this replacement message is sent unless you configure alert email to enable Send alert email for logs based on severity and set the Minimum log level to Alert or Emergency.
Disk full message: Disk usage enabled and disk usage reaches the % configured for alert email.
If you enable Send alert email for logs based on severity for alert email, whether or not
replacement messages are sent by alert email depends on how you set the alert email Minimum
log level.
Table 34: Spam replacement messages
Email IP: IP address BWL check enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
DNSBL/ORDBL: From the CLI, spamrbl enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
HELO/EHLO domain: HELO DNS lookup enabled for SMTP in a protection profile identifies an email message as spam and adds this replacement message. HELO DNS lookup is not available for SMTPS.
Email address: E-mail address BWL check enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
Mime header: From the CLI, spamhdrcheck enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
Returned email domain: Return e-mail DNS check enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
Banned word: Banned word check enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
Spam submission message: Any Email Filtering option enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message. Email Filtering adds this message to all email tagged as spam. The message describes a button that the recipient of the message can select to submit the email signatures to the FortiGuard Antispam service if the email was incorrectly tagged as spam (a false positive).
Administration replacement message
If you enter the following CLI command, the FortiGate unit displays the Administration
Login disclaimer whenever an administrator logs into the FortiGate unit web-based
manager or CLI.
config system global
    set access-banner enable
end
The web-based manager administrator login disclaimer contains the text of the Login
Disclaimer replacement message as well as Accept and Decline buttons. The
administrator must select Accept to log in.
User authentication replacement messages
The FortiGate unit uses the text of the authentication replacement messages listed in
Table 35 for various user authentication HTML pages that are displayed when a user is
required to authenticate because a firewall policy includes at least one identity-based
policy that requires firewall users to authenticate. For more information about identity-
based policies, see Configuring identity-based firewall policies on page 373 and
Configuring SSL VPN identity-based firewall policies on page 376.
These replacement message pages are for authentication using HTTP and HTTPS.
Authentication replacement messages are HTML messages. You cannot customize the
firewall authentication messages for FTP and Telnet.
The authentication login page and the authentication disclaimer include replacement tags
and controls not found on other replacement messages.
Users see the authentication login page when they use a VPN or a firewall policy that
requires authentication. You can customize this page in the same way as you modify other
replacement messages.
There are some unique requirements for these replacement messages:
The login page must be an HTML page containing a form with ACTION="/" and
METHOD="POST".
The form must contain the following hidden controls:
<INPUT TYPE="hidden" NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%">
<INPUT TYPE="hidden" NAME="%%STATEID%%" VALUE="%%STATEVAL%%">
<INPUT TYPE="hidden" NAME="%%REDIRID%%" VALUE="%%PROTURI%%">
The form must contain the following visible controls:
<INPUT TYPE="text" NAME="%%USERNAMEID%%" size=25>
<INPUT TYPE="password" NAME="%%PASSWORDID%%" size=25>
Example
The following is an example of a simple authentication page that meets the requirements
listed above.
<HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
<BODY><H4>You must authenticate to use this service.</H4>
<FORM ACTION="/" method="post">
<INPUT NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%" TYPE="hidden">
<TABLE ALIGN="center" BGCOLOR="#00cccc" BORDER="0"
CELLPADDING="15" CELLSPACING="0" WIDTH="320"><TBODY>
<TR><TH>User name:</TH>
<TD><INPUT NAME="%%USERNAMEID%%" SIZE="25" TYPE="text"></TD></TR>
<TR><TH>Password:</TH>
<TD><INPUT NAME="%%PASSWORDID%%" SIZE="25" TYPE="password">
</TD></TR>
<TR><TD COLSPAN="2" ALIGN="center" BGCOLOR="#00cccc">
<INPUT NAME="%%STATEID%%" VALUE="%%STATEVAL%%" TYPE="hidden">
<INPUT NAME="%%REDIRID%%" VALUE="%%PROTURI%%" TYPE="hidden">
<INPUT VALUE="Continue" TYPE="submit"></TD></TR>
</TBODY></TABLE></FORM></BODY></HTML>
Table 35: Authentication replacement messages
Disclaimer page: Enable Disclaimer and Redirect URL to are selected in a firewall policy that includes identity based policies. After a firewall user authenticates with the FortiGate unit using HTTP or HTTPS, this disclaimer page is displayed. The CLI includes auth-disclaimer-page-1, auth-disclaimer-page-2, and auth-disclaimer-page-3 that you can use to increase the size of the authentication disclaimer page replacement message. For more information, see the FortiGate CLI Reference.
Declined disclaimer page: When a firewall user selects the button on the Disclaimer page to decline access through the FortiGate unit, the Declined disclaimer page is displayed.
Login page: The HTML page displayed for firewall users who are required to authenticate using HTTP or HTTPS before connecting through the FortiGate unit.
Login failed page: The HTML page displayed if firewall users enter an incorrect user name and password combination.
Login challenge page: The HTML page displayed if firewall users are required to answer a question to complete authentication. The page displays the question and includes a field in which to type the answer. This feature is supported by RADIUS and uses the generic RADIUS challenge-access auth response. Usually, challenge-access responses contain a Reply-Message attribute that contains a message for the user (for example, Please enter new PIN). This message is displayed on the login challenge page. The user enters a response that is sent back to the RADIUS server to be verified. The Login challenge page is most often used with RSA RADIUS server for RSA SecurID authentication. The login challenge appears when the server needs the user to enter a new PIN. You can customize the replacement message to ask the user for a SecurID PIN.
Keepalive page: The HTML page displayed when firewall authentication keepalive is enabled using the following command:
config system global
    set auth-keepalive enable
end
Authentication keepalive keeps authenticated firewall sessions from ending when the authentication timeout ends. Go to User > Options to set the Authentication Timeout.
FortiGuard Web Filtering replacement messages
The FortiGate unit sends the FortiGuard Web Filtering replacement messages listed in
Table 36 to web browsers using the HTTP protocol when FortiGuard web filtering blocks a
URL, provides details about blocked HTTP 4xx and 5xx errors, and for FortiGuard
overrides. FortiGuard Web Filtering replacement messages are HTTP pages.
If the FortiGate unit supports SSL content scanning and inspection and if Protocol
Recognition > HTTPS Content Filtering Mode is set to Deep Scan in the protection profile,
these replacement messages can also replace web pages downloaded using the HTTPS
protocol.
IM and P2P replacement messages
The FortiGate unit sends the IM and P2P replacement messages listed in Table 37 to IM
and P2P clients using AIM, ICQ, MSN, or Yahoo! Messenger when an event occurs such
as antivirus blocking a file that contains a virus. IM and P2P replacement messages are
text messages.
Table 36: FortiGuard Web Filtering replacement messages
URL block message: Enable FortiGuard Web Filtering enabled in a protection profile for HTTP or HTTPS blocks a web page. The blocked page is replaced with this web page.
HTTP error message: Provide details for blocked HTTP 4xx and 5xx errors enabled in a protection profile for HTTP or HTTPS blocks a web page. The blocked page is replaced with this web page.
FortiGuard Web Filtering override form: Override selected for a FortiGuard Web Filtering category and FortiGuard Web Filtering blocks a web page in this category and displays this web page. Using this web page users can authenticate to get access to the page. Go to UTM > Web Filter > Override to add override rules. For more information, see Configuring administrative override rules on page 553. The %%OVRD_FORM%% tag provides the form used to initiate an override if FortiGuard Web Filtering blocks access to a web page. Do not remove this tag from the replacement message.
Table 37: IM and P2P replacement messages
File block message: Antivirus File Filter enabled for IM in a protection profile deletes a file that matches an entry in the selected file filter list and replaces it with this message.
File name block message: Antivirus File Filter enabled for IM in a protection profile deletes a file with a name that matches an entry in the selected file filter list and replaces it with this message.
Virus message: Antivirus Virus Scan enabled for IM in a protection profile deletes an infected file and replaces the file with this message.
Oversized file message: Antivirus Oversized File/Email set to Block for IM in a protection profile removes an oversized file and replaces the file with this message.
Data leak prevention message: In a DLP sensor, a rule with action set to Block replaces a blocked IM or P2P message with this message.
Banned by data leak prevention message: In a DLP sensor, a rule with action set to Ban replaces a blocked IM or P2P message with this message. This message also replaces any additional messages that the banned user sends until they are removed from the banned user list.
Voice chat block message: In an Application Control list, the Block Audio option is selected for AIM, ICQ, MSN, or Yahoo! and the application control list is added to a protection profile.
Photo share block message: In an Application Control list, the block-photo CLI keyword is enabled for MSN or Yahoo! and the application control list is added to a protection profile. You enable photo blocking from the CLI.
Endpoint NAC replacement messages
The FortiGate unit sends one of the following pages to non-compliant users who attempt
to use a firewall policy in which Endpoint NAC is enabled:
Endpoint NAC Download Portal: The FortiGate unit sends this page if the Endpoint NAC profile has the Quarantine Hosts to User Portal (Enforce compliance) option selected. The user can download the FortiClient Endpoint Security application installer. If you modify this replacement message, be sure to retain the %%LINK%% tag, which provides the download URL for the FortiClient installer.
Endpoint NAC Recommendation Portal: The FortiGate unit sends this page if the Endpoint NAC profile has the Notify Hosts to Install FortiClient (Warn only) option selected. The user can either download the FortiClient Endpoint Security application installer or select the Continue to link to access their desired destination. If you modify this replacement message, be sure to retain both the %%LINK%% tag, which provides the download URL for the FortiClient installer, and the %%DST_ADDR%% link, which contains the URL that the user requested.
To modify these messages, go to System > Config > Replacement Messages. Expand
Endpoint NAC and select the Edit icon of the message that you want to modify.
For more information about Endpoint NAC, see Endpoint NAC on page 687.
NAC quarantine replacement messages
When a user is blocked by NAC quarantine or a DLP sensor with action set to Quarantine
IP address or Quarantine Interface, if they attempt to start an HTTP session through the
FortiGate unit using TCP port 80, the FortiGate unit connects them to one of the four NAC
Quarantine HTML pages listed in Table 38.
The page that is displayed for the user depends on whether NAC quarantine blocked the
user because a virus was found, a DoS sensor detected an attack, an IPS sensor
detected an attack, or a DLP rule with action set to Quarantine IP address or Quarantine
Interface matched a session from the user.
The default messages inform the user of why they are seeing this page and recommend
they contact the system administrator. You can customize the pages as required, for
example to include an email address or other contact information or if applicable a note
about how long the user can expect to be blocked.
For more information about NAC quarantine see NAC quarantine and the Banned User
list on page 670.
Table 38: NAC quarantine replacement messages
Virus Message: Antivirus Quarantine Virus Sender enabled in a protection profile adds a source IP address or FortiGate interface to the banned user list. The FortiGate unit displays this replacement message as a web page when the blocked user attempts to connect through the FortiGate unit using HTTP on port 80 or when any user attempts to connect through a FortiGate interface added to the banned user list using HTTP on port 80.
DoS Message: For a DoS Sensor, the CLI quarantine option set to attacker or interface and the DoS Sensor added to a DoS firewall policy adds a source IP, a destination IP, or FortiGate interface to the banned user list. The FortiGate unit displays this replacement message as a web page when the blocked user attempts to connect through the FortiGate unit using HTTP on port 80 or when any user attempts to connect through a FortiGate interface added to the banned user list using HTTP on port 80. This replacement message is not displayed if quarantine is set to both.
IPS Message: Quarantine Attackers enabled in an IPS sensor filter or override and the IPS sensor added to a protection profile adds a source IP address, a destination IP address, or a FortiGate interface to the banned user list. The FortiGate unit displays this replacement message as a web page when the blocked user attempts to connect through the FortiGate unit using HTTP on port 80 or when any user attempts to connect through a FortiGate interface added to the banned user list using HTTP on port 80. This replacement message is not displayed if method is set to Attacker and Victim IP Address.
DLP Message: Action set to Quarantine IP address or Quarantine Interface in a DLP sensor and the DLP sensor added to a protection profile adds a source IP address or a FortiGate interface to the banned user list. The FortiGate unit displays this replacement message as a web page when the blocked user attempts to connect through the FortiGate unit using HTTP on port 80 or when any user attempts to connect through a FortiGate interface added to the banned user list using HTTP on port 80.
Traffic quota control replacement messages
When user traffic going through the FortiGate unit is blocked by traffic shaping quota
controls, users see the Traffic shaper block message or the Per IP traffic shaper block
message when they attempt to connect through the FortiGate unit using HTTP.
The traffic quota HTTP pages should contain the %%QUOTA_INFO%% tag to display
information about the traffic shaping quota setting that is blocking the user.
For information about traffic quotas, see Accounting and quota enforcement on
page 420.
SSL VPN replacement message
The SSL VPN login replacement message is an HTML replacement message that formats
the FortiGate SSL VPN portal login page. You can customize this replacement message
according to your organization's needs. The page is linked to FortiGate functionality and
you must construct it according to the following guidelines to ensure that it will work.
The login page must be an HTML page containing a form with
ACTION="%%SSL_ACT%%" and METHOD="%%SSL_METHOD%%".
The form must contain the %%SSL_LOGIN%% tag to provide the login form.
The form must contain the %%SSL_HIDDEN%% tag.
Replacement message tags
Replacement messages can include replacement message tags. When users receive the
replacement message, each tag is replaced with content relevant to the message.
Table 39 lists the replacement message tags that you can add.
Table 39: Replacement message tags
Tag Description
%%AUTH_LOGOUT%% The URL that will immediately delete the current policy and close the
session. Used on the auth-keepalive page.
%%AUTH_REDIR_URL%% The auth-keepalive page can prompt the user to open a new window
which links to this tag.
%%CATEGORY%% The name of the content category of the web site.
%%DEST_IP%% The IP address of the request destination from which a virus was
received. For email this is the IP address of the email server that sent
the email containing the virus. For HTTP this is the IP address of the web
page that sent the virus.
%%EMAIL_FROM%% The email address of the sender of the message from which the file was
removed.
%%EMAIL_TO%% The email address of the intended receiver of the message from which
the file was removed.
%%FAILED_MESSAGE%% The failed to login message displayed on the auth-login-failed page.
%%FILE%% The name of a file that has been removed from a content stream. This
could be a file that contained a virus or was blocked by antivirus file
blocking. %%FILE%% can be used in virus and file block messages.
%%FORTIGUARD_WF%% The FortiGuard - Web Filtering logo.
%%FORTINET%% The Fortinet logo.
%%LINK%% The link to the FortiClient Host Security installs download for the
Endpoint Control feature.
%%HTTP_ERR_CODE%% The HTTP error code. 404 for example.
%%HTTP_ERR_DESC%% The HTTP error description.
%%NIDSEVENT%% The IPS attack message. %%NIDSEVENT%% is added to alert email
intrusion messages.
%%OVERRIDE%% The link to the FortiGuard Web Filtering override form. This is visible
only if the user belongs to a group that is permitted to create FortiGuard
web filtering overrides.
%%OVRD_FORM%% The FortiGuard web filter block override form. This tag must be present
in the FortiGuard Web Filtering override form and should not be used in
other replacement messages.
%%PROTOCOL%% The protocol (http, ftp, pop3, imap, or smtp) in which a virus was
detected. %%PROTOCOL%% is added to alert email virus messages.
%%QUARFILENAME%% The name of a file that has been removed from a content stream and
added to the quarantine. This could be a file that contained a virus or
was blocked by antivirus file blocking. %%QUARFILENAME%% can be
used in virus and file block messages. Quarantining is only available on
FortiGate units with a local disk.
%%QUOTA_INFO%% Display information about the traffic shaping quota setting that is
blocking the user. Used in traffic quota control replacement messages.
%%QUESTION%% Authentication challenge question on auth-challenge page.
Prompt to enter username and password on auth-login page.
%%SERVICE%% The name of the web filtering service.
%%SOURCE_IP%% The IP address of the request originator who would have received the
blocked file. For email this is the IP address of the user's computer that
attempted to download the message from which the file was removed.
%%TIMEOUT%% Configured number of seconds between authentication keepalive
connections. Used on the auth-keepalive page.
%%URL%% The URL of a web page. This can be a web page that is blocked by web
filter content or URL blocking. %%URL%% can also be used in http virus
and file block messages to be the URL of the web page from which a
user attempted to download a file that is blocked.
%%VIRUS%% The name of a virus that was found in a file by the antivirus system.
%%VIRUS%% can be used in virus messages.
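As an added example (not part of the guide and not Fortinet code), the following Python script checks a customized replacement message page against the rules in this section: the SSL VPN login form attributes and tags, the %%QUOTA_INFO%% requirement for traffic quota pages, the restriction on %%OVRD_FORM%%, and tags that are not in Table 39. The sample pages it checks are constructed for the example.

```python
import re

# Tags listed in Table 39, plus the SSL VPN login page tags.
KNOWN_TAGS = {
    "AUTH_LOGOUT", "AUTH_REDIR_URL", "CATEGORY", "DEST_IP", "EMAIL_FROM",
    "EMAIL_TO", "FAILED_MESSAGE", "FILE", "FORTIGUARD_WF", "FORTINET", "LINK",
    "HTTP_ERR_CODE", "HTTP_ERR_DESC", "NIDSEVENT", "OVERRIDE", "OVRD_FORM",
    "PROTOCOL", "QUARFILENAME", "QUOTA_INFO", "QUESTION", "SERVICE",
    "SOURCE_IP", "TIMEOUT", "URL", "VIRUS",
    "SSL_ACT", "SSL_METHOD", "SSL_LOGIN", "SSL_HIDDEN",
}

TAG_RE = re.compile(r"%%([A-Z_]+)%%")
FORM_RE = re.compile(r"<form\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def tags_in(html):
    """Set of replacement message tag names used in an HTML fragment."""
    return set(TAG_RE.findall(html))


def form_bodies(html):
    """Yield (attributes, inner HTML) for each <form>...</form> in the page."""
    for m in FORM_RE.finditer(html):
        attrs = {k.lower(): v.strip() for k, v in ATTR_RE.findall(m.group(1))}
        end = html.lower().find("</form>", m.end())
        yield attrs, html[m.end():end if end != -1 else len(html)]


def check_template(kind, html):
    """Return a list of problems; an empty list means the page follows the guidelines.
    kind is "sslvpn-login", "traffic-quota", "fortiguard-override" or any other
    replacement message name."""
    problems = []
    tags = tags_in(html)
    for tag in sorted(tags - KNOWN_TAGS):
        problems.append(f"unknown tag %%{tag}%%")
    if kind == "sslvpn-login":
        # The login form must post back through the SSL VPN action and method tags.
        forms = list(form_bodies(html))
        login_forms = [body for attrs, body in forms
                       if attrs.get("action") == "%%SSL_ACT%%"
                       and attrs.get("method") == "%%SSL_METHOD%%"]
        if not login_forms:
            problems.append('no form with ACTION="%%SSL_ACT%%" and METHOD="%%SSL_METHOD%%"')
        # Both tags must sit inside that form, not merely somewhere on the page.
        scope = login_forms[0] if login_forms else (forms[0][1] if forms else html)
        for required in ("SSL_LOGIN", "SSL_HIDDEN"):
            if required not in tags_in(scope):
                problems.append(f"login form lacks %%{required}%%")
    elif kind == "traffic-quota" and "QUOTA_INFO" not in tags:
        problems.append("traffic quota page lacks %%QUOTA_INFO%%")
    elif kind == "fortiguard-override" and "OVRD_FORM" not in tags:
        problems.append("override form lacks %%OVRD_FORM%%")
    if kind != "fortiguard-override" and "OVRD_FORM" in tags:
        problems.append("%%OVRD_FORM%% is only valid in the FortiGuard override form")
    return problems


# Constructed sample pages (not Fortinet default messages).
SSLVPN_LOGIN_OK = """<html><body>%%FORTINET%%
<form ACTION="%%SSL_ACT%%" METHOD="%%SSL_METHOD%%">
%%SSL_LOGIN%%
%%SSL_HIDDEN%%
</form></body></html>"""

SSLVPN_LOGIN_BAD = """<html><body>
<form action="/remote/login" method="post">
%%SSL_LOGIN%%
</form>
%%SSL_HIDDEN%%
</body></html>"""

TRAFFIC_QUOTA_OK = "<html><body>Blocked by traffic shaper: %%QUOTA_INFO%%</body></html>"

if __name__ == "__main__":
    for kind, page in (("sslvpn-login", SSLVPN_LOGIN_OK),
                       ("sslvpn-login", SSLVPN_LOGIN_BAD),
                       ("traffic-quota", TRAFFIC_QUOTA_OK)):
        print(kind, check_template(kind, page) or "OK")
```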
Operation mode and VDOM management access
You can change the operation mode of each VDOM independently of other VDOMs. This
allows any combination of NAT/Route and Transparent operating modes on the FortiGate
unit VDOMs.
Management access to a VDOM can be restricted based on which interfaces and
protocols can be used to connect to the FortiGate unit.
Changing operation mode
You can set the operating mode for your VDOM and perform sufficient network
configuration to ensure that you can connect to the web-based manager in the new mode.
There are two operation modes for the FortiGate unit - NAT/Route and Transparent. Each
mode is well suited to different situations.
To switch from NAT/Route to Transparent mode
1 Go to System > Config > Operation Mode or select Change beside Operation Mode on
the System Status page for the virtual domain.
2 From the Operation Mode list, select Transparent.
3 Enter the following information and select Apply.
Management IP/Netmask Enter the management IP address and netmask. This must be a
valid IP address for the network from which you want to
manage the FortiGate unit.
Default Gateway Enter the default gateway required to reach other networks from the
FortiGate unit.
To switch from Transparent to NAT/Route mode
1 Go to System > Config > Operation Mode or select Change beside Operation Mode on
the System Status page for the virtual domain.
2 From the Operation Mode list, select NAT.
3 Enter the following information and select Apply.
Interface IP/Netmask Enter a valid IP address and netmask for the network from which
you want to manage the FortiGate unit.
Device Select the interface to which the Interface IP/Netmask settings
apply.
Default Gateway Enter the default gateway required to reach other networks from the
FortiGate unit.
Gateway Device Select the interface to which the default gateway is connected.
Management access
Management access defines how administrators are able to log on to the FortiGate unit to
perform management tasks such as configuration and maintenance. Methods of access
can include local access through the console connection, or remote access over a
network or modem interface using various protocols including Telnet and HTTPS.
You can configure management access on any interface in your VDOM. See Configuring
administrative access to an interface on page 165. In NAT/Route mode, the interface IP
address is used for management access. In Transparent mode, you configure a single
management IP address that applies to all interfaces in your VDOM that permit
management access. The FortiGate also uses this IP address to connect to the FDN for
virus and attack updates (see Configuring FortiGuard Services on page 300).
The system administrator (admin) can access all VDOMs, and create regular
administrator accounts. A regular administrator account can access only the VDOM to
which it belongs. The management computer must connect to an interface in that VDOM.
It does not matter to which VDOM the interface belongs. In both cases, the management
computer must connect to an interface that permits management access and its IP
address must be on the same network. Management access can be via HTTP, HTTPS,
telnet, or SSH sessions if those services are enabled on the interface. HTTPS and SSH
are preferred as they are more secure.
You can allow remote administration of the FortiGate unit. However, allowing remote
administration from the Internet could compromise the security of the FortiGate unit. You
should avoid this unless it is required for your configuration. To improve the security of a
FortiGate unit that allows remote administration from the Internet:
Use secure administrative user passwords.
Change these passwords regularly.
Enable secure administrative access to this interface using only HTTPS or SSH.
Use Trusted Hosts to limit where the remote access can originate from.
Do not change the system idle timeout from the default value of 5 minutes (see
Settings on page 261).
System Admin
This section describes how to configure administrator accounts on your FortiGate unit.
Administrators access the FortiGate unit to configure its operation. The factory default
configuration has one administrator, admin. After connecting to the web-based manager
or the CLI, you can configure additional administrators with various levels of access to
different parts of the FortiGate unit configuration.
If you enable virtual domains (VDOMs) on the FortiGate unit, system administrators are
configured globally for the entire FortiGate unit. For details, see Using virtual domains on
page 125.
This section describes:
Administrators
Admin profiles
Central Management
Settings
Monitoring administrators
FortiGate IPv6 support
Customizable web-based manager
Administrators
There are two levels of administrator accounts:
Regular administrators An administrator with any admin profile other than super_admin. A regular
administrator account has access to configuration options as determined by its
Admin Profile. If virtual domains are enabled, the regular administrator is
assigned to one VDOM and cannot access global configuration options or the
configuration for any other VDOM. For information about which options are global
and which are per VDOM, see VDOM configuration settings on page 126 and
Global configuration settings on page 129.
System administrators Includes the factory default system administrator admin, any other administrators
assigned to the super_admin profile, and any administrator that is assigned to the
super_admin_readonly profile. Any administrator assigned to the super_admin
admin profile, including the default administrator account admin, has full access
to the FortiGate unit configuration and general system settings that includes the
ability to:
enable VDOM configuration
create VDOMs
configure VDOMs
assign regular administrators to VDOMs
configure global options
customize the FortiGate web-based manager.
The super_admin admin profile cannot be changed; it does not appear in the list
of profiles in System > Admin > Admin Profile, but it is one of the selections in the
Admin Profile drop-down list in System > Admin New/Edit Administrator dialog
box.
Note: Always end your FortiGate session by logging out, in the CLI or the web-based
manager. If you do not, the session remains open.
Figure 109: New Administrator dialog box displaying super_admin readonly option
Users assigned to the super_admin profile:
cannot delete logged-in users who are also assigned the super_admin profile
can delete other users assigned the super_admin profile and/or change the configured
authentication method, password, or admin profile, only if the other users are not
logged in
can delete the default admin account only if the default admin user is not logged in.
By default, admin has no password. The password should be 32 characters or less.
Note: The password of users with the super_admin admin profile can be reset in the CLI. If
the password of a user who is logged in is changed, the user will be logged out and
prompted to re-authenticate with the new password.
Example: For the user ITAdmin with the admin profile super_admin, to set that user's
password to 123456:
    config sys admin
        edit ITAdmin
            set password 123456
    end
Example: For the user ITAdmin with the admin profile super_admin, to reset the password
from 123456 to the default empty:
    config sys admin
        edit ITAdmin
            unset password 123456
    end
There is also an admin profile that allows read-only super admin privileges called
super_admin_readonly. This profile cannot be deleted or changed, similar to the
super_admin profile. The read-only super_admin profile is suitable in a situation where it is
necessary for a system administrator to troubleshoot a customer configuration without
being able to make changes. Other than being read-only, the super_admin_readonly
profile can view all the FortiGate configuration tools.
You can authenticate an administrator by using a password stored on the FortiGate unit, a
remote authentication server (such as LDAP, RADIUS, or TACACS+), or by using PKI
certificate-based authentication. To authenticate an administrator with an LDAP or
TACACS+ server, you must add the server to an authentication list, include the server in a
user group, and associate the administrator with the user group. The RADIUS server
authenticates users and authorizes access to internal network resources based on the
admin profile of the user. Users authenticated with the PKI-based certificate are permitted
access to internal network resources based on the user group they belong to and the
associated admin profile.
A VDOM/admin profile override feature supports authentication of administrators via
RADIUS. The admin user will have access depending on which VDOM and associated
admin profile he or she is restricted to. This feature is available only to wildcard
administrators, and can be set only through the FortiGate CLI. There can only be one
VDOM override user per system. For more information, see the FortiGate CLI Reference.
Viewing the administrators list
You need to use the default admin account, an account with the super_admin admin
profile, or an administrator with read-write access control to add new administrator
accounts and control their permission levels. If you log in with an administrator account
that does not have the super_admin admin profile, the administrators list will show only
the administrators for the current virtual domain.
To view the list of administrators, go to System > Admin > Administrators.
Figure 110: Administrators list
Create New Add an administrator account.
Name The login name for an administrator account.
Trusted Hosts The IP address and netmask of trusted hosts from which the administrator can
log in. For more information, see Using trusted hosts on page 254.
Profile The admin profile for the administrator.
Type The type of authentication for this administrator, one of:
Local Authentication of an account with a local password stored on the FortiGate unit.
Remote Authentication of a specific account on a RADIUS, LDAP, or TACACS+ server.
Remote+Wildcard Authentication of any account on an LDAP, RADIUS, or TACACS+ server.
PKI PKI-based certificate authentication of an account.
Delete icon Delete the administrator account.
You cannot delete the original admin account until you create another user with
the super_admin profile, log out of the admin account, and log in with the
alternate user that has the super_admin profile.
Edit or View icon Edit or view the administrator account.
Change Password icon Change the password for the administrator account. See Changing an
administrator account password on page 246.
Configuring an administrator account
You need to use the default admin account, an account with the super_admin admin
profile, or an administrator with read-write access control to create a new administrator.
To create a new administrator, go to System > Admin > Administrators and select Create
New. To configure the settings for an existing administrator, select the Edit icon beside the
administrator.
Figure 111: Administrator account configuration - Regular (local) authentication
Figure 112: Administrator account configuration - Remote authentication
Figure 113: Administrator account configuration - PKI authentication
Administrator Enter the login name for the administrator account.
The name of the administrator should not contain the characters < > ( ) # " '.
Using these characters in the administrator account name can result in a cross
site scripting (XSS) vulnerability.
Type Select the type of administrator account:
Regular Select to create a Local administrator account. For more information, see
Configuring regular (password) authentication for administrators on
page 246.
Remote Select to authenticate the administrator using a RADIUS, LDAP, or TACACS+
server. Server authentication for administrators must be configured first. For
more information, see Configuring remote authentication for administrators
on page 246.
PKI Select to enable certificate-based authentication for the administrator. Only
one administrator can be logged in with PKI authentication enabled. For more
information, see Configuring PKI certificate authentication for administrators
on page 252.
User Group Select the administrator user group that includes the Remote server/PKI
(peer) users as members of the User Group. The administrator user group
cannot be deleted once the group is selected for authentication.
This is available only if Type is Remote or PKI.
Wildcard Select to allow all accounts on the RADIUS, LDAP, or TACACS+ server to be
administrators.
This is available only if Type is Remote. Only one wildcard user is permitted
per VDOM.
Password Enter a password for the administrator account. For improved security, the
password should be at least 6 characters long.
This is not available if Wildcard is selected or when Type is PKI.
For more information see the Fortinet Knowledge Base article Recovering lost
administrator account passwords if you forget or lose an administrator account
password and cannot log in to your FortiGate unit.
Confirm Password Type the password for the administrator account a second time to confirm that
you have typed it correctly.
This is not available if Wildcard is selected or when PKI authentication is
selected.
Trusted Host #1, #2, #3 Enter the trusted host IP address and netmask this administrator login is
restricted to on the FortiGate unit. You can specify up to three trusted hosts.
These addresses all default to 0.0.0.0/0 or 0.0.0.0/0.0.0.0.
For more information, see Using trusted hosts on page 254.
IPv6 Trusted Host #1, #2, #3 Enter the trusted host IPv6 address and netmask this administrator login is
restricted to on the FortiGate unit. You can specify up to three trusted hosts.
These addresses all default to ::/0.
For more information, see Using trusted hosts on page 254.
Admin Profile Select the admin profile for the administrator. You can also select Create New
to create a new admin profile. For more information on admin profiles, see
Configuring an admin profile on page 258.
Changing an administrator account password
To change an administrator password, go to System > Admin > Administrators, and select
the Change Password icon next to the administrator account you want to change the
password for. Enter and confirm the new password, and select OK to save the changes.
Configuring regular (password) authentication for administrators
You can use a password stored on the local FortiGate unit to authenticate an
administrator.
To configure an administrator to authenticate with a password stored on the
FortiGate unit
1 Go to System > Admin.
2 Select Create New, or select the Edit icon beside an existing administrator.
3 Enter the following information:
Administrator A name for the administrator.
Type Regular.
Password A password for the administrator to use to authenticate.
Confirm Password The password entered in Password.
Admin Profile The admin profile to apply to the administrator.
4 Configure additional features as required. For more information, see Configuring an
administrator account on page 244.
5 Select OK.
When you select Type > Regular, you will see Local as the entry in the Type column when
you view the list of administrators. For more information, see Viewing the administrators
list on page 243.
Note: If you forget or lose an administrator account password and cannot log in to your
FortiGate unit, see the Fortinet Knowledge Base article Recovering lost administrator
account passwords.
Configuring remote authentication for administrators
You can authenticate administrators using RADIUS, LDAP, or TACACS+ servers. In order
to do this, you must configure the server, include the server as a user in a user group, and
create the administrator account to include in the user group.
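As an added example (not part of the guide and not Fortinet code), this Python script audits administrator accounts and an interface's administrative access against the points made here and under Management access: account names free of the XSS-prone characters, local passwords of 6 to 32 characters, trusted hosts that actually restrict the source, no cleartext management protocols, and the default 5 minute idle timeout. The account and interface settings are constructed sample data; the audit works on plain Python values rather than on a device configuration.

```python
import ipaddress

FORBIDDEN_NAME_CHARS = set('<>()#"\'')   # the guide warns these can lead to XSS
MIN_PASSWORD_LEN, MAX_PASSWORD_LEN = 6, 32
CLEARTEXT_ACCESS = {"http", "telnet"}    # HTTPS and SSH are the preferred protocols
DEFAULT_IDLE_TIMEOUT_MIN = 5


def is_unrestricted(host):
    """True when a trusted-host entry admits any source address: 0.0.0.0/0,
    ::/0, or the "address netmask" form with an all-zero mask."""
    if " " in host:                        # e.g. "10.1.1.0 255.255.255.0"
        addr, mask = host.split()
        host = f"{addr}/{mask}"
    return ipaddress.ip_network(host, strict=False).prefixlen == 0


def audit_admin(account):
    """Findings for one administrator account (a dict with name, type,
    password and trusted_hosts keys; missing keys take the GUI defaults)."""
    findings = []
    name = account["name"]
    bad = sorted(FORBIDDEN_NAME_CHARS & set(name))
    if bad:
        findings.append(f"{name}: name contains {''.join(bad)} (XSS risk)")
    password = account.get("password")
    if account.get("type", "Local") == "Local" and password is not None:
        if not MIN_PASSWORD_LEN <= len(password) <= MAX_PASSWORD_LEN:
            findings.append(f"{name}: password must be 6 to 32 characters")
    # An unset trusted host list is equivalent to the default 0.0.0.0/0.
    hosts = account.get("trusted_hosts") or ["0.0.0.0/0"]
    if all(is_unrestricted(h) for h in hosts):
        findings.append(f"{name}: no trusted host restriction")
    return findings


def audit_management_access(interface_access, accounts, idle_timeout_min=5):
    """Audit an Internet-facing interface's administrative access plus the
    accounts that can log in through it. Returns a list of finding strings."""
    findings = []
    cleartext = sorted({p.lower() for p in interface_access} & CLEARTEXT_ACCESS)
    if cleartext:
        findings.append("cleartext management protocols enabled: " + ", ".join(cleartext))
    if idle_timeout_min > DEFAULT_IDLE_TIMEOUT_MIN:
        findings.append(f"idle timeout {idle_timeout_min} min exceeds the default of 5")
    for account in accounts:
        findings.extend(audit_admin(account))
    return findings


# Constructed sample settings, not taken from a real device.
SAMPLE_ACCOUNTS = [
    {"name": "admin", "password": ""},                           # factory default
    {"name": "ITAdmin", "password": "123456",
     "trusted_hosts": ["10.1.1.0 255.255.255.0"]},
    {"name": "ops<1>", "password": "s3cretpassw0rd",
     "trusted_hosts": ["0.0.0.0/0", "::/0"]},
    {"name": "helpdesk", "type": "Remote", "trusted_hosts": ["2001:db8::/32"]},
]

if __name__ == "__main__":
    for finding in audit_management_access(["https", "ssh", "telnet"],
                                           SAMPLE_ACCOUNTS, 30):
        print(finding)
```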
Configuring RADIUS authentication for administrators
Remote Authentication and Dial-in User Service (RADIUS) servers provide authentication,
authorization, and accounting functions. FortiGate units use the authentication and
authorization functions of the RADIUS server. To use the RADIUS server for
authentication, you must configure the server before you configure the FortiGate users or
user groups that will need it.
If you have configured RADIUS support and a user is required to authenticate using a
RADIUS server, the FortiGate unit sends the user's credentials to the RADIUS server for
authentication. If the RADIUS server can authenticate the user, the user is successfully
authenticated with the FortiGate unit. If the RADIUS server cannot authenticate the user,
the FortiGate unit refuses the connection.
If you want to use a RADIUS server to authenticate administrators in your VDOM, you
must configure the authentication before you create the administrator accounts. To do this
you need:
To configure the FortiGate unit to access the RADIUS server
To create the user group (RADIUS)
To configure an administrator to authenticate with a RADIUS server
The following instructions assume there is a RADIUS server on your network populated
with the names and passwords of your administrators. For information on how to set up a
RADIUS server, see the documentation for your RADIUS server.
Note: Access to the FortiGate unit depends on the VDOM associated with the administrator
account.
To view the RADIUS server list, go to User > Remote > RADIUS.
Figure 114: Example RADIUS server list
Create New Add a new RADIUS server.
Name The name that identifies the RADIUS server on the FortiGate unit.
Server Name/IP The domain name or IP address of the RADIUS server.
Delete icon Delete a RADIUS server configuration.
You cannot delete a RADIUS server that has been added to a user
group.
Edit icon Edit a RADIUS server configuration.
To configure the FortiGate unit to access the RADIUS server
1 Go to User > Remote > RADIUS.
2 Select Create New, or select the Edit icon beside an existing RADIUS server.
3 Enter the following information:
Name A name that identifies the RADIUS server.
Primary Server Name/IP Enter the domain name or IP address of the RADIUS server.
Primary Server Secret Enter the RADIUS server secret. The RADIUS server administrator can
provide this information.
Secondary Server Name/IP Enter the domain name or IP address of a second RADIUS server (optional).
Secondary Server Secret Enter the secondary RADIUS server secret (optional).
Authentication Scheme Select one of Use Default Authentication Scheme or Specify Authentication
Protocol. If you choose to specify the scheme, select one of the schemes from
the drop-down menu.
NAS IP/Called Station ID Enter the Network Attached Storage (NAS) IP address.
Include in every User Group Select to add this RADIUS server to every user group in this VDOM (optional).
4 Select OK.
For further information about RADIUS authentication, see Configuring a RADIUS server
on page 648.
To create the user group (RADIUS)
1 Go to User > User Group.
2 Select Create New or select the Edit icon beside an existing RADIUS group.
3 Enter the name that identifies the user group.
4 For Type, enter Firewall.
5 In the Available Users/Groups list, select the RADIUS server name and move it to the
Members list.
6 Select OK.
To configure an administrator to authenticate with a RADIUS server
1 Go to System > Admin.
2 Select Create New, or select the Edit icon beside an existing administrator.
3 Enter the following information:
Name A name that identifies the administrator.
Type Remote.
User Group The user group that includes the RADIUS server as a member.
Password The password the administrator uses to authenticate.
Confirm Password The re-entered password that confirms the original entry in Password.
Admin Profile The admin profile to apply to the administrator.
4 Configure additional features as required. For more information, see Configuring an
administrator account on page 244.
5 Select OK.
For more information about using a RADIUS server to authenticate system administrators,
see the Fortinet Knowledge Base article Using RADIUS for Admin Access and
Authorization.
Admin profiles
Configuring a RADIUS server
Configuring a user group
Configuring LDAP authentication for administrators
Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain
authentication data that may include departments, people, groups of people, passwords,
email addresses, printers, etc.
If you have configured LDAP support and an administrator is required to authenticate
using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. If
the LDAP server cannot authenticate the administrator, the FortiGate unit refuses the
connection.
If you want to use an LDAP server to authenticate administrators in your VDOM, you must
configure the authentication before you create the administrator accounts. To do this you
need:
To configure an LDAP server
To create the user group (LDAP)
To configure an administrator to authenticate with an LDAP server
To view the LDAP server list, go to User > Remote > LDAP.
Figure 115: Example LDAP server list
To configure an LDAP server
1 Go to User > Remote > LDAP.
2 Select Create New or select the Edit icon beside an existing LDAP server.
3 Enter or select the following and select OK.
Create New Add a new LDAP server.
Name The name that identifies the LDAP server on the FortiGate unit.
Server Name/IP The domain name or IP address of the LDAP server.
Port The TCP port used to communicate with the LDAP server.
Common Name Identifier The common name identifier for the LDAP server.
Distinguished Name The distinguished name used to look up entries on the LDAP server.
Delete icon Delete the LDAP server configuration.
Edit icon Edit the LDAP server configuration.
Delete
Edit
Administrators System Admin
FortiGate Version 4.0 MR1 Administration Guide
250 01-410-89802-20091022
http://docs.fortinet.com/ Feedback
For further information about LDAP authentication, see Configuring an LDAP server on
page 650.
To create the user group (LDAP)
1 Go to User > User Group.
2 Select Create New or select the Edit icon beside an existing user group.
3 Enter a Name that identifies the LDAP user group.
4 For Type, enter Firewall.
5 In the Available Users/Groups list, select the LDAP server name and move it to the
Members list.
6 Select OK.
To configure an administrator to authenticate with an LDAP server
1 Go to System > Admin.
2 Select Create New or select the Edit icon beside an existing administrator account.
3 Enter or select the following:
Name The name that identifies the LDAP server on the FortiGate unit.
Server Name/IP The domain name or IP address of the LDAP server.
Server Port The TCP port used to communicate with the LDAP server.
Common Name
Identifier
The common name identifier for the LDAP server.
Distinguished Name The base distinguished name for the server in the correct X.500 or
LDAP format.
Query icon View the LDAP server Distinguished Name Query tree for the LDAP
server that you are configuring so that you can cross-reference to the
Distinguished Name.
For more information, see Using Query on page 652.
Bind Type The type of binding for LDAP authentication.
Anonymous Bind using anonymous user search.
Regular Bind using a user name/password and then search.
Simple Bind using a simple password authentication without a search.
Filter Filter used for group searching. Available only if Bind Type is
Anonymous or Regular.
User DN Distinguished name of user to be authenticated. Available only if Bind
Type is Regular.
Password Password of user to be authenticated. Available only if Bind Type is
Regular.
Secure Connection A check box that enables a secure LDAP server connection for
authentication.
Protocol The secure LDAP protocol to use for authentication. Available only if
Secure Connection is selected.
Certificate The certificate to use for authentication. Available only if Secure
Connection is selected.
Administrator A name that identifies the administrator.
Type Remote.
User Group The user group that includes the LDAP server as a member.
Wildcard A check box that allows all accounts on the LDAP server to be administrators.
System Admin Administrators
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20091022 251
http://docs.fortinet.com/ Feedback
4 Configure additional features as required. For more information, see Configuring an
administrator account on page 244.
5 Select OK.
Configuring TACACS+ authentication for administrators
Terminal Access Controller Access-Control System (TACACS+) is a remote
authentication protocol that provides access control for routers, network access servers,
and other networked computing devices via one or more centralized servers.
If you have configured TACACS+support and an administrator is required to authenticate
using a TACACS+server, the FortiGate unit contacts the TACACS+server for
authentication. If the TACACS+server cannot authenticate the administrator, the
connection is refused by the FortiGate unit.
If you want to use an TACACS+server to authenticate administrators in your VDOM, you
must configure the authentication before you create the administrator accounts. To do this
you need:
To configure the FortiGate unit to access the TACACS+server
To create the user group (TACACS+)
To configure an administrator to authenticate with a TACACS+server
To view the TACACS+server list, go to User > Remote > TACACS+.
Figure 116: Example TACACS+ server list
To configure the FortiGate unit to access the TACACS+ server
1 Go to User > Remote > TACACS+.
2 Select Create New, or select the Edit icon beside an existing TACACS+ server.
3 Enter or select the following:
Password: The password the administrator uses to authenticate. Not available if Wildcard is enabled.
Confirm Password: The re-entered password that confirms the original entry in Password. Not available if Wildcard is enabled.
Admin Profile: The admin profile to apply to the administrator.
Create New: Add a new TACACS+ server.
Server: The server domain name or IP address of the TACACS+ server.
Authentication Type: The supported authentication method. TACACS+ authentication methods include: Auto, ASCII, PAP, CHAP, and MSCHAP.
Delete icon: Delete this TACACS+ server.
Edit icon: Edit this TACACS+ server.
4 Select OK.
For further information about TACACS+ authentication, see Configuring TACACS+
servers on page 653.
To create the user group (TACACS+)
1 Go to User > User Group.
2 Select Create New, or select the Edit icon beside an existing user group.
3 Enter a Name that identifies the TACACS+ user group.
4 For Type, select Firewall.
5 In the Available Users/Groups list, select the TACACS+ server name and move it to
the Members list.
6 Select OK.
To configure an administrator to authenticate with a TACACS+ server
1 Go to System > Admin.
2 Select Create New, or select the Edit icon beside an existing administrator.
3 Enter or select the following:
4 Configure additional features as required. For more information, see Configuring an
administrator account on page 244.
5 Select OK.
Configuring PKI certificate authentication for administrators
Public Key Infrastructure (PKI) authentication uses a certificate authentication library that
takes a list of peers, peer groups, and user groups and returns authentication successful
or denied notifications. Users only need a valid certificate for successful authentication; no
username or password is necessary.
To use PKI authentication for an administrator, you must configure the authentication
before you create the administrator accounts. To do this you need:
To configure a PKI user
Name: Enter a name that identifies the TACACS+ server.
Server Name/IP: Enter the server domain name or IP address of the TACACS+ server.
Server Key: Enter the key to access the TACACS+ server. The maximum length is 16 characters.
Authentication Type: Enter one of Auto, ASCII, PAP, CHAP, and MSCHAP. Auto authenticates using PAP, MSCHAP, and CHAP (in that order).
Administrator: A name that identifies the administrator.
Type: Remote.
User Group: The user group that includes the TACACS+ server as a member.
Wildcard: Select to allow all accounts on the TACACS+ server to be administrators.
Password: The password the administrator uses to authenticate. Not available if Wildcard is enabled.
Confirm Password: The re-entered password that confirms the original entry in Password. Not available if Wildcard is enabled.
Admin Profile: The admin profile to apply to the administrator.
To create the user group (PKI)
To configure an administrator to authenticate with a PKI certificate
To view the PKI user list, go to User > PKI.
Figure 117: Example PKI user list
To configure a PKI user
1 Go to User > PKI.
2 Select Create New, or select the Edit icon beside an existing PKI user.
3 Enter the Name of the PKI user.
4 For Subject, enter the text string that appears in the subject field of the certificate of the
authenticating user.
5 Select the CA certificate used to authenticate this user.
6 Select OK.
To create the user group (PKI)
1 Go to User > User Group.
2 Select Create New, or select the Edit icon beside an existing user group.
3 Enter or select the following:
4 Select OK.
To configure an administrator to authenticate with a PKI certificate
1 Go to System > Admin.
2 Select Create New, or select the Edit icon beside an existing administrator.
3 Enter or select the following:
Create New: Add a new PKI user.
Name: The name of the PKI user.
Subject: The text string that appears in the subject field of the certificate of the authenticating user.
CA: The CA certificate that is used to authenticate this user.
Delete icon: Delete this PKI user.
Edit icon: Edit this PKI user.
Name: The name that identifies the PKI user group.
Type: Firewall.
Available Users/Groups: Select the PKI user name and move it to the Members list.
4 Configure additional features as required. For more information, see Configuring an
administrator account on page 244.
5 Select OK.
Using trusted hosts
Setting trusted hosts for all of your administrators increases the security of your network
by further restricting administrative access. In addition to knowing the password, an
administrator must connect only through the subnet or subnets you specify. You can even
restrict an administrator to a single IP address if you define only one trusted host IP
address with a netmask of 255.255.255.255.
When you set trusted hosts for all administrators, the FortiGate unit does not respond to
administrative access attempts from any other hosts. This provides the highest security. If
you leave even one administrator unrestricted, the unit accepts administrative access
attempts on any interface that has administrative access enabled, potentially exposing the
unit to attempts to gain unauthorized access.
The trusted hosts you define apply both to the web-based manager and to the CLI when
accessed through Telnet or SSH. CLI access through the console connector is not
affected.
The trusted host addresses all default to 0.0.0.0/0.0.0.0 for IPv4, or ::/0 for IPv6. If you set
one of the zero addresses to a non-zero address, the other zero addresses will be
ignored. The only way to use a wildcard entry is to leave all the trusted hosts at
0.0.0.0/0.0.0.0 or ::/0. However, this configuration is less secure.
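As an added illustration of the trusted-host rules above (example code written for this section, not part of the guide or of FortiOS), the following Python evaluates whether a source address passes an administrator's trusted-host list and flags accounts left at the wildcard defaults; the entry syntax follows the address/netmask form shown on this page, and the sample administrator lists are constructed.

```python
import ipaddress

# FortiGate defaults for trusted hosts (wildcards), as stated in the guide.
IPV4_ANY = "0.0.0.0/0.0.0.0"
IPV6_ANY = "::/0"


def parse_trusted_host(entry):
    """Parse a trusted-host entry ('a.b.c.d/m.m.m.m' or 'addr/prefixlen')."""
    return ipaddress.ip_network(entry, strict=False)


def is_wildcard(net):
    """A zero address with a zero mask matches every host of that IP version."""
    return net.prefixlen == 0


def effective_trusted_hosts(entries):
    """Apply the rule from the guide: once any entry is set to a non-zero
    address, the remaining zero (wildcard) entries are ignored."""
    nets = [parse_trusted_host(e) for e in entries]
    specific = [n for n in nets if not is_wildcard(n)]
    return specific if specific else nets


def admin_access_allowed(entries, source_ip):
    """True if an administrative login from source_ip passes this list."""
    src = ipaddress.ip_address(source_ip)
    return any(src.version == net.version and src in net
               for net in effective_trusted_hosts(entries))


def unrestricted_admins(admins):
    """Names of administrators whose effective list still contains a wildcard.
    The guide warns that one such account lets the unit accept administrative
    access attempts on any interface that has administrative access enabled."""
    return sorted(name for name, entries in admins.items()
                  if any(is_wildcard(n) for n in effective_trusted_hosts(entries)))


if __name__ == "__main__":
    # Constructed sample accounts; 'admin' was left at the defaults.
    admins = {
        "admin": [IPV4_ANY, IPV4_ANY, IPV4_ANY, IPV6_ANY],
        "netops": ["192.168.1.10/255.255.255.255", IPV4_ANY, IPV4_ANY, IPV6_ANY],
        "auditor": ["10.0.0.0/255.255.255.0", "2001:db8::/64", IPV4_ANY, IPV6_ANY],
    }
    print(admin_access_allowed(admins["netops"], "192.168.1.10"))   # True
    print(admin_access_allowed(admins["netops"], "192.168.1.11"))   # False
    print(unrestricted_admins(admins))                               # ['admin']
```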
Admin profiles
Each administrator account belongs to an admin profile. The admin profile separates
FortiGate features into access control categories for which an administrator with
read/write access can enable none (deny), read only, or read/write access.
The following table lists the web-based manager pages to which each category provides
access.
Administrator A name that identifies the administrator.
Type PKI.
User Group The user group that includes the PKI user as a member.
Admin Profile The admin profile to apply to the administrator.
Read-only access for a web-based manager page enables the administrator to view that
page. However, the administrator needs write access to change the settings on the page.
You can expand the firewall configuration access control to enable more granular control
of access to the firewall functionality. You can control administrator access to policy,
address, service, schedule, profile, and other virtual IP (VIP) configurations.
Table 40: Admin profile control of access to web-based manager pages
Access control: Affected web-based manager pages
Admin Users: System > Admin > Administrators; System > Admin > Admin Profile
Antivirus Configuration: UTM > AntiVirus
Application Control: UTM > Application Control
Auth Users: User
Data Leak Prevention (DLP): UTM > Data Leak Prevention
Email Filter: UTM > Email Filter
Firewall Configuration: Firewall
FortiGuard Update: System > Maintenance > FortiGuard
IM, P2P & VoIP Configuration: IM, P2P & VoIP > Statistics; IM, P2P & VoIP > User > Current Users; IM, P2P & VoIP > User > User List; IM, P2P & VoIP > User > Config
IPS Configuration: UTM > Intrusion Protection
Log&Report: Log&Report
Maintenance: System > Maintenance
Network Configuration: System > Network > Interface; System > Network > Zone; System > Network > Web Proxy; System > DHCP
Router Configuration: Router
Spamfilter Configuration: UTM > AntiSpam
System Configuration: System > Status (including Session info); System > Config; System > Hostname; System > Network > Options; System > Admin > Central Management; System > Admin > Settings; System > Status > System Time; Wireless Controller
VPN Configuration: VPN
Webfilter Configuration: UTM > Web Filter
Note: When Virtual Domain Configuration is enabled (see Settings on page 261), only the
administrators with the admin profile super_admin have access to global settings. Other
administrator accounts are assigned to one VDOM and cannot access global configuration
options or the configuration for any other VDOM.
For information about which settings are global, see VDOM configuration settings on
page 126.
The admin profile has a similar effect on administrator access to CLI commands. The
following table shows which command types are available in each Access Control
category. You can access get and show commands with Read Only access. Access to
config commands requires Read-Write access.
Table 41: Admin profile control of access to CLI commands
Access control Available CLI commands
Admin Users (admingrp): system admin; system accprofile
Antivirus Configuration (avgrp): antivirus
Application Control: application
Auth Users (authgrp): user
Data Leak Prevention (DLP): dlp
Email Filter: spamfilter
Firewall Configuration (fwgrp): firewall
Use the set fwgrp custom and config fwgrp-permission commands to set some firewall permissions
individually. You can make selections for policy, address, service, schedule, profile, and other (VIP)
configurations. For more information, see the FortiGate CLI Reference.
FortiGuard Update (updategrp): system autoupdate; execute update-av; execute update-ips; execute update-now
IPS Configuration (ipsgrp): ips
Log & Report (loggrp): system alertemail; log; system fortianalyzer; execute log
Maintenance (mntgrp): execute formatlogdisk; execute restore; execute backup; execute batch; execute usb-disk
Network Configuration (netgrp): system arp-table; system dhcp; system interface; system zone; execute dhcp lease-clear; execute dhcp lease-list; execute clear system arp table; execute interface
To add admin profiles for FortiGate administrators, go to System > Admin > Admin Profile.
Each administrator account belongs to an admin profile. An administrator with read/write
access can create admin profiles that deny access to, allow read-only, or allow both read-
and write-access to FortiGate features.
When an administrator has read-only access to a feature, the administrator can access
the web-based manager page for that feature but cannot make changes to the
configuration. There are no Create or Apply buttons, and lists display only the View
icon instead of icons for Edit, Delete or other modification commands.
Viewing the admin profiles list
You need to use the admin account or an account with Admin Users read/write access to
create or edit admin profiles. To view the admin profiles list, go to System > Admin >
Admin Profile.
Router Configuration (routegrp): router; execute router; execute mrouter
Spamfilter Configuration (spamgrp): spamfilter
System Configuration (sysgrp): system (except admingrp, loggrp, and netgrp commands); gui; wireless-controller; execute cfg; execute cli; execute date; execute disconnect-admin-session; execute enter; execute factoryreset; execute fortiguard-log; execute ha; execute ping; execute ping-options; execute ping6; execute ping6-options; execute reboot; execute send-fds-statistics; execute set-next-reboot; execute shutdown; execute ssh; execute telnet; execute time; execute traceroute; execute usb-disk
VPN Configuration (vpngrp): vpn; execute vpn
Webfilter Configuration (webgrp): webfilter
Figure 118: Admin profile list
Configuring an admin profile
You need to use the admin account or an account with Admin Users read/write access to
edit an admin profile.
To configure an admin profile
1 Go to System > Admin > Admin Profile.
2 Select Create New or select the Edit icon beside an existing profile.
3 Enter or select the following, and select OK.
Create New: Add a new admin profile.
Profile Name: The name of the admin profile.
Delete icon: Select to delete the admin profile. You cannot delete an admin profile that has administrators assigned to it.
Edit icon: Select to modify the admin profile.
Figure 119: Admin profile options
Profile Name: Enter the name of the admin profile.
Access Control: List of the items that can customize access control settings if configured.
None: Deny access to all Access Control categories.
Read Only: Enable Read access in all Access Control categories.
Read-Write: Select to allow read/write access in all Access Control categories.
Access Control (categories): Make specific control selections as required. For detailed information about the Access Control categories, see Admin profiles on page 254.
GUI Control: Select Standard to use the default FortiGate web-based manager. Select Customize to create a custom web-based manager configuration for the administrators who log in with this admin profile. For more information, see Customizable web-based manager on page 268.
Central Management
The Central Management tab provides the option of remotely managing your FortiGate
unit by either a FortiManager unit or the FortiGuard Analysis and Management Service.
From System > Admin > Central Management, you can configure your FortiGate unit to
back up or restore configuration settings automatically to the specified central
management server. The central management server is the type of service you enable,
either a FortiManager unit or the FortiGuard Analysis and Management Service. If you
have a subscription for FortiGuard Analysis and Management Service, you can also
remotely upgrade the firmware on the FortiGate unit.
Figure 120: Central Management using FortiManager
Figure 121: Central Management using the FortiGuard Management Service
Enable Central Management: Enables the Central Management feature on the FortiGate unit.
Type Select the type of central management for this FortiGate unit. You can
select FortiManager or the FortiGuard Management Service.
When you are configuring your FortiGate unit to connect to and communicate with a
FortiManager unit, the steps to take depend on which of the following two deployment
scenarios applies.
FortiGate is directly reachable from FortiManager:
In the FortiManager GUI, add the FortiGate unit to the FortiManager database in
the Device Manager module
Change the FortiManager IP address
Change the FortiGate IP address
FortiGate behind NAT:
In System > Admin > Central Management, choose FortiManager
Add the FortiManager unit to the Trusted FortiManager List, if applicable
Change the FortiManager IP address
Change the FortiGate IP address
Contact the FortiManager administrator to verify that the FortiGate unit displays in the
Device list in the Device Manager module
Revision control
The Revision Control tab displays a list of the backed up configuration files. The list
displays only when your FortiGate unit is managed by a central management server. For
more information, see Managing configuration revisions on page 297.
Settings
The Settings tab includes the following features that you can configure:
ports for HTTP/HTTPS administrative access and SSL VPN login
password policy for administrators and IPsec pre-shared keys
the idle timeout setting
FortiManager Select to use FortiManager as the central management service for the
FortiGate unit.
Enter the IP address or name of the FortiManager unit in the IP/Name
field.
If your organization is operating a FortiManager cluster, add the IP
address or name of the primary FortiManager unit to the IP/Name field
and add the IP address or name of the backup FortiManager units to
the Trusted FortiManager list.
Status indicates whether or not the FortiGate unit can communicate
with the FortiManager unit added to the IP/Name field.
Select Register to include the FortiManager unit in the Trusted
FortiManager List.
A red arrow-down indicates that there is no connection enabled.
A green arrow-up indicates that there is a connection.
A yellow caution symbol appears when your FortiGate unit is
considered an unregistered device by the FortiManager unit.
FortiGuard Management Service: Select to use the FortiGuard Management Service as the central
management service for the FortiGate unit.
Enter the Account ID in the Account ID field. If you do not have an
account ID, register for the FortiGuard Management Service on the
FortiGuard Management Service website.
Select Change to go directly to System > Maintenance > FortiGuard.
Under Analysis & Management Service Options, enter the account ID
in the Account ID field.
settings for the language of the web-based manager and the number of lines displayed
in generated reports
PIN protection for LCD and control buttons (LCD-equipped models only)
SCP capability for users logged in via SSH
Wireless controller capability
IPv6 support on the web based manager.
To configure settings, go to System > Admin > Settings, enter or select the following and
select OK.
Figure 122: Administrators Settings
Web Administration Ports
HTTP: TCP port to be used for administrative HTTP access. The default is 80.
HTTPS: TCP port to be used for administrative HTTPS access. The default is 443.
SSLVPN Login Port: An alternative HTTPS port number for remote client web browsers to connect to the FortiGate unit. The default port number is 10443.
Telnet Port: TCP port to be used for administrative Telnet access. The default is 23.
SSH Port: TCP port to be used for administrative SSH access. The default is 22.
Enable SSH v1 compatibility: Enable compatibility with SSH v1 in addition to v2. (Optional)
Password Policy
Enable: Select to enable the password policy.
Minimum Length: Set the minimum acceptable length for passwords.
Must contain: Select any of the following character types to require in a password. Each selected type must occur at least once in the password.
Upper Case Letters: A, B, C, ... Z
Lower Case Letters: a, b, c, ... z
Numerical digits: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
Non-alphanumeric characters: punctuation marks, @, #, ... %
Apply Password Policy to: Select where to apply the password policy:
Admin Password: Apply to administrator passwords. If any password does not conform to the policy, require that administrator to change the password at the next login.
IPSEC Preshared Key: Apply to preshared keys for IPSec VPNs. The policy applies only to new preshared keys. You are not required to change existing preshared keys.
Admin Password Expires after n days: Require administrators to change their password after a specified number of days. Specify 0 to remove required periodic password changes.
Timeout Settings
Idle Timeout: The number of minutes an administrative connection must be idle before the administrator has to log in again. The maximum is 480 minutes (8 hours). To improve security, keep the idle timeout at the default value of 5 minutes.
Display Settings
Language: The language the web-based manager uses. Choose from English, Simplified Chinese, Japanese, Korean, Spanish, Traditional Chinese or French. You should select the language that the operating system of the management computer uses.
Lines per Page: Number of lines per page to display in table lists. The default is 50. Range is from 20 to 1000.
IPv6 Support on GUI: Enable to configure IPv6 options from the GUI (Firewall policy, route, address and address group). By default, IPv6 options can be configured from the CLI only. For more information on IPv6, see the sections that include IPv6-related fields, or see FortiGate IPv6 support on page 264.
LCD Panel (LCD-equipped models only)
PIN Protection: Select and enter a 6-digit PIN. Administrators must enter the PIN to use the control buttons and LCD.
Enable SCP: Enable users logged in through SSH to use Secure Copy (SCP) to copy the configuration file.
Enable Wireless Controller: Enable the Wireless Controller feature. Then you can access the Wireless Controller menu in the web-based manager and the corresponding CLI commands. For more information, see Wireless Controller on page 697.
Note: If you make a change to the default port number for HTTP, HTTPS, Telnet, or SSH,
ensure that the port number is unique.
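The Password Policy fields above, worked through as an added Python example (constructed for this section, not FortiOS code): it checks a secret against the minimum length and the four character types, applies the "change at next login" and "Expires after n days" rules to administrator passwords, and applies the policy only to new IPsec preshared keys. The POLICY values and the sample secrets are constructed, and counting expiry from the last change is an assumption.

```python
# Constructed policy matching the Password Policy fields on the Settings page:
# minimum length, the required character types, where the policy applies, and
# "Admin Password Expires after n days" (0 disables periodic changes).
POLICY = {
    "enabled": True,
    "min_length": 8,
    "must_contain": {"upper", "lower", "digit", "non_alnum"},
    "apply_to": {"admin_password", "ipsec_preshared_key"},
    "expires_after_days": 90,
}

LABELS = {
    "upper": "upper case letter",
    "lower": "lower case letter",
    "digit": "numerical digit",
    "non_alnum": "non-alphanumeric character",
}


def character_types(secret):
    """Return which of the four 'Must contain' character types occur in secret."""
    found = set()
    for ch in secret:
        if "A" <= ch <= "Z":
            found.add("upper")
        elif "a" <= ch <= "z":
            found.add("lower")
        elif "0" <= ch <= "9":
            found.add("digit")
        else:
            found.add("non_alnum")
    return found


def policy_violations(secret, policy=POLICY):
    """List the reasons secret fails the policy; an empty list means it conforms."""
    if not policy["enabled"]:
        return []
    problems = []
    if len(secret) < policy["min_length"]:
        problems.append("shorter than %d characters" % policy["min_length"])
    for missing in sorted(policy["must_contain"] - character_types(secret)):
        problems.append("no " + LABELS[missing])
    return problems


def admin_must_change_password(password, days_since_change, policy=POLICY):
    """Admin Password rules: a non-conforming password must be changed at the
    next login, and a non-zero expiry forces a change once that many days have
    passed since the last change (assumption: expiry counts from last change)."""
    if "admin_password" not in policy["apply_to"]:
        return False
    if policy_violations(password, policy):
        return True
    expiry = policy["expires_after_days"]
    return expiry > 0 and days_since_change >= expiry


def preshared_key_accepted(key, is_new, policy=POLICY):
    """IPSEC Preshared Key rule: the policy applies only to new keys; existing
    keys do not have to be changed."""
    if "ipsec_preshared_key" not in policy["apply_to"] or not is_new:
        return True
    return not policy_violations(key, policy)


if __name__ == "__main__":
    # Constructed sample secrets.
    print(policy_violations("Tr0ub4dor&3"))            # []
    print(policy_violations("weakpass1!"))             # ['no upper case letter']
    print(admin_must_change_password("Tr0ub4dor&3", 120))   # True (expired)
    print(preshared_key_accepted("oldkey", is_new=False))   # True (existing key)
```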
Monitoring administrators
To see the number of logged-in administrators, go to System > Status. Under System
Information, you will see Current Administrators. Select Details to view information about
the administrators currently logged in to the FortiGate unit.
Figure 123: System Information displaying current administrators
Figure 124: Detailed view of Administrators logged in monitor window
See also
FortiGate IPv6 support
IPv6 is version 6 of the Internet Protocol, part of the TCP/IP protocol suite. It can provide
billions more unique IP addresses than the previous standard, IPv4. The internet is
currently in transition from IPv4 to IPv6 addressing. IPv6 hosts and routers maintain
interoperability with the existing IPv4 infrastructure in two ways:
Disconnect: Select to disconnect the selected administrators. This is available only if your admin profile gives you System Configuration write permission.
Refresh: Select to update the list.
Close: Select to close the window.
Select an administrator session, then select Disconnect to log off this administrator. This is available only if your admin profile gives you System Configuration write access. You cannot log off the default admin user.
User Name: The administrator account name.
Type: The type of access: http, https, jsconsole, sshv2.
From: If Type is jsconsole, the value in From is N/A. Otherwise, From contains the administrator's IP address.
Time: The date and time the administrator logged on.
implementing dual IP layers to support both IPv6 and IPv4
using IPv6 over IPv4 tunneling to encapsulate IPv6 packets within IPv4 headers.
FortiGate units are dual IP layer IPv6/IPv4 nodes, and support IPv6 in both NAT/Route
and Transparent operation modes. They support IPv6 over IPv4 tunneling as well as IPv6
routing, firewall policies and IPSec VPN. You can assign both an IPv4 and an IPv6
address to any interface on a FortiGate unit; the interface then functions as two interfaces,
one for IPv4-addressed packets and another for IPv6-addressed packets.
For more information, see the FortiGate IPv6 Support Technical Note.
Configuring IPv6 on FortiGate units
Many parts of the FortiGate configuration support IPv6 addressing. Before you can work
with IPv6 on the web-based manager, you must enable IPv6 support.
To enable IPv6 support, go to System > Admin > Settings, then under Display Settings,
select IPv6 Support on GUI.
After you enable IPv6 support in the web-based manager, you can:
configure IPv6 interfaces (see System Network)
configure IPv6 DNS services (see System Network)
configure IPv6 administrative access (see System Admin)
create IPv6 static routes (see Router Static)
monitor IPv6 routes (see Router Monitor)
create IPv6 firewall addresses (see Firewall Address)
create IPv6 firewall address groups (see Firewall Address)
create IPv6 firewall policies such as DoS (see Firewall Policy)
perform antivirus scanning on IPv6 traffic
perform website filtering on IPv6 traffic
create VPNs that use IPv6 addressing (see IPSec VPN)
Once IPv6 support is enabled, you can configure the IPv6 options using the web-based
manager or the CLI. Note that some IPv6 configuration is only available in the CLI.
See the FortiGate CLI Reference for information on configuring IPv6 support using the
CLI.
IP version 6 address
While 32 bits of address space, or just under 5 billion addresses, seems like a lot, those
addresses have been used up quickly. From the servers and routers that provide the
backbone communications of the Internet to large companies and governments with
thousands of computers, large portions of the IP address space were either reserved or
used up.
In 1998, IP version 6 was designed mainly to provide more addresses, but also to improve
slightly on IP version 4 (IPv4). IP version 6 (IPv6) is defined in RFC 2460.
With four bytes of addresses there are a total of just under 5 billion addresses. IPv6
addresses are 32 bytes long, so there is no danger of ever running out. This very large
address space also allows for more logical organization of addresses, which in turn
promotes more efficient network management and routing.
IPv6 Address notation
The IPv6 addressing standard is specified in detail in RFC 3513. The following is a quick
overview.
IPv6 addresses are normally written as eight groups of 4 hexadecimal digits each. For
example,
3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234
is a valid IPv6 address.
If a 4 digit group is 0000, it may be omitted. For example,
3f2e:6a8b:78a3:0000:1725:6a2f:0370:6234
is the same IPv6 address as
3f2e:6a8b:78a3::1725:6a2f:0370:6234
You can use the :: notation to indicate multiple consecutive omitted zero groups. There
must not be more than one use of :: in an address, as this is ambiguous. Also, you can
omit leading zeros in a group. Thus
19a4:0478:0000:0000:0000:0000:1a57:ac9e
19a4:0478:0000:0000:0000::1a57:ac9e
19a4:478:0:0:0:0:1a57:ac9e
19a4:478:0::0:1a57:ac9e
19a4:478::1a57:ac9e
are all valid and are the same address.
For IPv4-compatible or IPv4-mapped IPv6 addresses, you can enter the IPv4 portion
using either hexadecimal or dotted decimal, but the FortiGate CLI always shows the IPv4
portion in dotted decimal format. For all other IPv6 addresses, the CLI accepts and
displays only hexadecimal.
IPv6 Netmasks
As with IPv6 addresses, hexadecimal notation replaces the dotted decimal notation of IPv4
netmasks. CIDR notation can also be used. This notation appends a slash (/) to the IP
address, followed by the number of bits in the network portion of the address.
Table 42: IPv6 netmasks
IP Address: 3ffe:ffff:1011:f101:0210:a4ff:fee3:9566
Netmask: ffff:ffff:ffff:ffff:0000:0000:0000:0000
Network: 3ffe:ffff:1011:f101:0000:0000:0000:0000
CIDR IP/Netmask: 3ffe:ffff:1011:f101:0210:a4ff:fee3:9566/64
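The notation rules of this section (at most one ::, optional leading zeros, a dotted-decimal IPv4 tail for IPv4-compatible and IPv4-mapped addresses) and the netmask arithmetic of Table 42, implemented in Python as an added example; this is written for this page and is not the FortiGate CLI's own parser. The addresses used are the ones printed in this section.

```python
HEX = set("0123456789abcdefABCDEF")


def expand_ipv6(text):
    """Expand an IPv6 address written under the RFC 3513 rules described above
    into eight 4-digit hex groups. Accepts at most one '::', groups with
    leading zeros omitted, and a trailing dotted-decimal IPv4 part."""
    if text.count("::") > 1:
        raise ValueError("more than one '::' is ambiguous: " + text)
    head, sep, last = text.rpartition(":")
    if "." in last:  # dotted-decimal IPv4 tail -> two hex groups
        octets = [int(o) for o in last.split(".")]
        if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
            raise ValueError("bad IPv4 part: " + last)
        text = "%s%s%02x%02x:%02x%02x" % (head, sep, *octets)
    if "::" in text:
        left, right = text.split("::")
        lgroups = left.split(":") if left else []
        rgroups = right.split(":") if right else []
        missing = 8 - len(lgroups) - len(rgroups)
        if missing < 1:
            raise ValueError("'::' must replace at least one zero group: " + text)
        groups = lgroups + ["0"] * missing + rgroups
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError("expected eight groups: " + text)
    for g in groups:
        if not 1 <= len(g) <= 4 or not set(g) <= HEX:
            raise ValueError("bad hex group %r in %s" % (g, text))
    return ":".join("%04x" % int(g, 16) for g in groups)


def compress_ipv6(expanded):
    """Shortest form under the rules above: drop leading zeros in each group
    and replace the longest run of zero groups with '::' (the guide allows
    '::' to stand for a single 0000 group, so a run of one is compressed too)."""
    groups = [g.lstrip("0") or "0" for g in expanded.split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < len(groups):
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < len(groups) and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len == 0:
        return ":".join(groups)
    return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])


def ipv6_network(cidr):
    """Split 'address/prefixlen' (CIDR notation) into the expanded network
    address and netmask, as in Table 42."""
    addr, _, plen = cidr.partition("/")
    plen = int(plen)
    if not 0 <= plen <= 128:
        raise ValueError("prefix length must be 0..128")
    value = int(expand_ipv6(addr).replace(":", ""), 16)
    mask = ((1 << plen) - 1) << (128 - plen)

    def fmt(v):
        digits = "%032x" % v
        return ":".join(digits[i:i + 4] for i in range(0, 32, 4))

    return fmt(value & mask), fmt(mask)


if __name__ == "__main__":
    for form in ("19a4:478::1a57:ac9e", "19a4:478:0::0:1a57:ac9e", "::135.75.43.52"):
        print(form, "->", expand_ipv6(form), "->", compress_ipv6(expand_ipv6(form)))
    print(ipv6_network("3ffe:ffff:1011:f101:0210:a4ff:fee3:9566/64"))
```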
IPv6 address types
There are more types of IPv6 addresses than IPv4 addresses. The types are identifiable
by their prefix values.
Transition from IPv4 to IPv6
The Internet is in transition from IPv4 to IPv6 addressing. IPv6 hosts and routers maintain
interoperability with the existing IPv4 infrastructure in two ways:
implementing dual IP layers to support both IPv6 and IPv4
using IPv6 over IPv4 tunneling to encapsulate IPv6 packets within IPv4 headers to
carry them over IPv4 infrastructure
FortiGate units are dual IP layer IPv6/IPv4 nodes: they support both IPv4 and IPv6.
FortiGate units also support IPv6 over IPv4 tunneling.
IPv4 addresses in IPv6 format
There are two ways that IPv4 addresses are represented in IPv6 format. You can
distinguish them by the 16 bits that precede the IPv4 portion of the address:
Table 43: IPv6 address types
Address Type (Prefix/prefix length): Comments
Unspecified (::/128): Equivalent to 0.0.0.0 in IPv4.
Loopback (::1/128): Equivalent to 127.0.0.1 in IPv4.
IPv4-compatible (::/96): Lowest 32 bits can be in IPv6 hexadecimal or IPv4 dotted decimal format.
IPv4-mapped (::FFFF/96): Lowest 32 bits can be in IPv6 hexadecimal or IPv4 dotted decimal format.
Multicast (::FF00/8)
Anycast (all prefixes except those listed above): Multiple servers can have the same address, with routing used to balance the traffic load. Unlike IPv4, IPv6 anycast addresses are indistinguishable from other unicast addresses.
Link-local (FE80::/10): Link-local addresses are used for addressing on a single link for automatic address configuration, neighbor discovery, or when no routers are present. Routers must not forward packets with link-local source or destination addresses.
Site-local (FEC0::/10): Site-local addresses are used for addressing inside of a site without needing a global prefix. Routers must not forward packets with site-local source or destination addresses outside of the site.
Global (all others)
Table 44: Examples of IPv4-compatible and IPv4-mapped IPv6 addresses
IPv4-compatible IPv6 address: 0000:0000:0000:0000:0000:0000:874B:2B34, or ::0000:874B:2B34; the IPv4 portion can also be written in dotted decimal, as in ::0000:135.75.43.52
IPv4-mapped IPv6 address: 0000:0000:0000:0000:0000:FFFF:874B:2B34, or ::FFFF:874B:2B34; the IPv4 portion can also be written in dotted decimal, as in ::FFFF:135.75.43.52
IPv4-compatible addresses are used for hosts and routers to dynamically tunnel IPv6
packets over IPv4 routing infrastructure. IPv4-mapped addresses are used for nodes that
do not support IPv6.
IPv6 tunneling
Networks using IPv6 addressing can be linked through IPv4-addressed infrastructure
using several tunneling techniques:
FortiGate units support IPv6-over-IPv4 tunneling.
Customizable web-based manager
In addition to configuring administrators with varying levels of access to different parts of
the FortiGate unit configuration, you can customize the FortiGate web-based manager (or
GUI) to show, hide, and arrange widgets, menus, and items according to your specific
requirements. In standard operation mode, the display is static. Customizing the display
allows you to vary or limit the GUI layout to fulfill different administrator roles. There are
also several configuration widgets, not displayed by default, which you can enable for
CLI-only options. Only administrators with the super_admin admin profile may create
and edit GUI layouts. The customized GUI layouts are stored as part of the administrator's
admin profile.
New admin profiles are based on the default layout. The FortiGate default layout cannot
be modified.
Terms used in this section include:
Dialog box - HTML-layer pop-up window. Displayed via HTML with grayed-out
background (see Figure 128).
GUI layout - web-based manager layout configured for a specific Admin Profile (see
Figure 139).
Page layout - arrangement of widgets on a screen of the web-based manager (see
Figure 136).
Tier 1 menu item - top-level menu item in web-based manager layout (see To create
Tier-1 and Tier-2 menu items on page 272).
Tier 2 menu item - submenu item in web-based manager layout (see To create Tier-1
and Tier-2 menu items on page 272).
Table 45: Tunneling techniques
IPv6-over-IPv4: Encapsulates IPv6 packets within IPv4 so that they can be carried across IPv4 routing infrastructures.
Configured: The endpoint address is determined by configuration information on the encapsulating node.
Automatic: The IPv4 tunnel endpoint address is determined from the IPv4 address embedded in the IPv4-compatible destination address of the IPv6 packet being tunneled.
IPv4 multicast: The IPv4 tunnel endpoint address is determined using Neighbor Discovery. No address configuration is required, but the IPv4 infrastructure must support IPv4 multicast.
Tip: Increase the timeout settings before creating or editing a GUI layout. See Settings on
page 261.
GUI layout customization example
The following example illustrates the basic steps to customize the display. The example assumes that you are an administrator with the super_admin profile performing the customization. The super_admin will create an admin profile called Report Profile for a regular admin user. This admin profile will give the regular admin user read-only access to logs and reports produced by the FortiGate unit and prevent him or her from viewing any other FortiGate feature.
Before customizing the GUI layout, you need to configure the administrative admin profile.
To configure the profile, go to System > Admin > Admin Profile and select Create New.
Figure 125: Admin profile dialog box (default settings)
The following configuration will set up read-only administrative access to Log&Report
items for the Report Profile profile, and prevent access to the default layout.
Note: The current administrator Access Control settings apply only to the fixed components
of the layout (default), not to the customized items. If you want to create a completely
customized layout profile, you must set access for all fixed components to None and also
set all the standard menu items to Hide from within the GUI layout dialog box (see
Figure 128).
Figure 126: Admin Profile dialog box - Log & Report access
To configure the admin profile
1 Enter the name Report Profile (see Figure 126).
2 To prevent access to the default layout items, set Access Control to None for all items
except Log & Report.
3 Under GUI Control > Menu Layout, select Standard.
4 Select OK to save the settings. The admin profiles list reappears.
5 From the list, select the Edit icon beside Report Profile.
6 Under GUI Control > Menu Layout, select Customize, and then select OK. (see
Figure 127 and Figure 128).
[Figure 126 callouts: Read-only access selected for Log & Report; Access denied to other layout items; Standard GUI Control Menu Layout selection]
Figure 127: Selection of Customize GUI Control option for Report Profile
Figure 128: Customize GUI layout dialog box for Report Profile
In the GUI layout dialog box, select the customization drop-down menu icon beside
System and select hide (see Figure 128). Repeat for each menu item except Log&Report.
[Figure 127 callout: Select Customize to access the layout dialog box]
[Figure 128 callouts: Edit Layout; Add Content; Show Preview; Save layout; Cancel layout changes; Layout preview icon; Create new Tier-1 menu item; Reset menu to default layout configuration; Customization drop-down menu; Customization drop-down menu icon]
To start the configuration of customized menu items, select the Create New (Tier-1 menu
item) icon in the FortiGate menu. You will need to:
configure Tier-1 and Tier-2 menu items
add tabs to each of these items as required
add content to the page layout.
To create Tier-1 and Tier-2 menu items
1 Select the Create New Tier-1 icon.
The first Tier-1 menu item with the default name custom menu will appear, with an
additional Create New Tier-1 icon below it (1).
2 Select and rename the default name to Custom Log Report (2).
3 Press Enter to save your change.
The Create New Tier-2 icon will appear, with the default name custom menu.
4 Select the Create New Tier-2 icon (3).
5 The first Tier-2 menu item with the default name custom menu will appear, with an
additional Create New Tier-2 icon below it (4).
6 Select and rename the default name to Custom Log Menu1 (5).
7 Press Enter to save your change.
8 Repeat steps 4 to 7 to create a second Tier-2 menu item called Custom Log Menu2 (5)
and (6).
Figure 129: Creating Tier-1 and Tier-2 menu items in the FortiGate menu
After you create Tier-1 and Tier-2 menu items, you need to create the subset of tab items
across the page layout. The Create New tab icon is not available until you have created
the Tier-1 and Tier-2 menu items.
To create a new tab
1 Select the Create New tab item icon (see Figure 130).
A tab is created with the default name custom menu, and an additional Create New
icon appears beside it.
[Figure 129 callouts 1 to 6: creation of new Tier-1 menu item Custom Log Report; creation of new Tier-2 menu item Custom Log Menu1; creation of new Tier-2 menu item Custom Log Menu2]
2 Select and rename the default name to Custom Log Report Tab1 (see Figure 131).
3 Press Enter to save your change.
4 Repeat steps 1 to 3 to create a second tab called Custom Log Report Tab2.
5 To save your customized layout, select Save in the GUI layout dialog box (see
Figure 128).
Figure 130: Create New tab
Figure 131: Creating tabs in page layout
To modify the configuration of the current page
1 Select the required tab, then select Edit Layout.
The Edit this tab dialog box appears (see Figure 132). You may configure the page
layout to display only one widget (Full page), a page layout with one column that
displays up to 8 widgets (1 column), or a page layout with two columns (2 columns)
that displays up to 8 widgets.
2 For the Custom Log Report Tab1, select 2 columns.
3 To save your modified configuration, select Save in the Edit this tab dialog box.
[Figure 130 callout: Create New tab item icon]
[Figure 131 callouts: Creation of tab Custom Log Report Tab1; Creation of tab Custom Log Report Tab2]
Figure 132: Edit this tab dialog box
To add content to the page layout, select Add Content (see Figure 128). The Add content
to the Custom Log Report Tab1 dialog box appears (see Figure 133).
Figure 133: Add content dialog box
The Add content dialog box includes a search feature that you can use to find widgets.
This search employs a real-time filtering mechanism with a contains type search on the
widget names. For example, if you search on use, you will be shown User Group, IM
User Monitor, Firewall User Monitor, Banned User, and Top Viruses (see Figure 134).
[Figure 133 callout: Search text box]
Figure 134: Search mechanism - results for use
For Custom Log Report Tab1, select the Log&Report category. All the items related to the
Log&Report menu item are listed (see Figure 135). Select Add next to an item that you
want to include in the tab. The item is placed in the page layout behind the Custom Log
Report Tab1 dialog box. You will see the configured layout when you close the Add
content to the Custom Log Report Tab1 dialog box. The maximum number of items that
can be placed in a page layout is 8.
For the Custom Log Report Tab1, select the following items for inclusion in the layout:
Alert E-mail
Schedule.
Close the Add content dialog box.
Figure 135: Log&Report category selection for Custom Log Report Tab1
[Figure 134 callouts: Search on use; Search results]
Figure 136: Custom Log Report Tab1 page layout preview
For the Custom Log Report Tab2, select the following items for inclusion in the layout:
Event Log
Log Setting.
Figure 137: Log&Report category selection for Custom Log Report Tab2
Figure 138: Custom Log Report Tab2 page layout preview
To preview a customized layout in the custom GUI layout dialog box, select Show Preview
(see Figure 139). When you have completed the configuration selections for the page
layout, select Save to close the custom GUI layout dialog box (see Figure 139). To
abandon the configuration, select Reset menus (see Figure 139). To exit the GUI layout
dialog box without saving your changes, select Cancel (see Figure 139).
Figure 139: Report Profile customized GUI layout dialog box - complete
When you complete the customization, close the dialog box to return to the Admin Profile
dialog box in which you configured the custom GUI. To save the configuration, select OK
to close the Admin Profile dialog box (see Figure 125).
To view the web-based manager configuration created in Report Profile, you must log out
of the FortiGate unit, then log back in using the name and password of an administrator
assigned the Report Profile administrative profile. The FortiGate web-based manager
reflects the customized configuration of Report Profile (see Figure 140).
Figure 140: Customized web-based manager page
[Figure 139 callouts: Reset menus; Save; Cancel; Show Preview]
System Certificates
This section explains how to manage X.509 security certificates using the FortiGate web-
based manager. Certificate authentication allows administrators to generate certificate
requests, install signed certificates, import CA root certificates and certificate revocation
lists, and back up and restore installed certificates and private keys.
Authentication is the process of determining whether a remote host can be trusted with access to network resources. To establish its trustworthiness, the remote host presents a certificate issued by a certification authority (CA). The FortiGate unit accepts the certificate only if it is signed by a CA whose certificate is installed on the unit, has not expired, and has not been revoked (see CRL on page 287). The FortiGate unit can then use certificate authentication to reject or allow administrative access via HTTPS, and to authenticate IPSec VPN peers or clients, as well as SSL VPN user groups or clients.
If you enable virtual domains (VDOMs) on the FortiGate unit, system certificates are
configured globally for the entire FortiGate unit. For details, see Using virtual domains on
page 125.
There are several certificates on the FortiGate unit that have been automatically
generated.
System administrators can use these certificates wherever they may be required, for
example, with SSL VPN, IPSec, LDAP, and PKI.
For additional background information on certificates, see the FortiGate Certificate
Management User Guide.
Table 46: Automatically generated FortiGate certificates
Fortinet_Firmware: Embedded inside the firmware. Signed by Fortinet_CA. Same on all FortiGate units. Used so that FortiGate units without Fortinet_Factory2 certificates have a built-in certificate signed by a Fortinet CA. Listed under Certificates > Local, or in the FortiGate CLI under vpn certificate local.
Fortinet_Factory: Embedded inside the BIOS. Signed by Fortinet_CA. Unique to each FortiGate unit. Used for the FortiGate/FortiManager tunnel, and for HTTPS administrative access if Fortinet_Factory2 is not available. Listed under Certificates > Local, or in the FortiGate CLI under vpn certificate local.
Fortinet_Factory2: Embedded inside the BIOS. Signed by Fortinet_CA2. Unique to each FortiGate unit. Used for the FortiGate/FortiManager tunnel and HTTPS administrative access. Listed under Certificates > Local, or in the FortiGate CLI under vpn certificate local. Found only on units shipped from the end of 2008 onward.
Fortinet_CA: Embedded inside the firmware and BIOS. Fortinet's CA certificate. Used to verify certificates that claim to be signed by Fortinet, for example with a FortiGate/FortiManager tunnel or an SSL connection to a FortiGuard server. Listed under Certificates > CA, or in the FortiGate CLI under vpn certificate ca or vpn certificate ocsp.
Fortinet_CA2: Embedded inside the BIOS. Fortinet's CA certificate. Will eventually replace Fortinet_CA, as Fortinet_CA will expire in 2020. Listed under Certificates > CA, or in the FortiGate CLI under vpn certificate ca or vpn certificate ocsp. Found only on units shipped from the end of 2008 onward.
Note that Fortinet_Firmware is the same certificate (and therefore the same private key) on every unit, so it identifies no particular unit, and none of these certificates chain to a CA that web browsers trust. For administrative HTTPS access, install a server certificate issued by your own CA (see Local Certificates) rather than relying on the built-in ones.
This section describes:
Local Certificates
Remote Certificates
CA Certificates
CRL
Local Certificates
Certificate requests and installed server certificates are displayed in the Local Certificates list. After you submit a request to a CA, the CA verifies the information in it and issues a digital certificate that binds the FortiGate unit's public key to the identifying information you supplied, together with a serial number and an expiration date. The CA signs the certificate with its own private key and returns it to you to install on the FortiGate unit. The private key that matches the request is generated on the unit and never leaves it.
Local certificates obtained online can be renewed automatically prior to expiry. This must be configured in the CLI. See the vpn certificate local command in the FortiGate CLI Reference.
To view certificate requests and/or import signed server certificates, go to System >
Certificates > Local Certificates. To view certificate details, select the View Certificate
Detail icon in the row that corresponds to the certificate.
Figure 141: Local Certificates list
Generate: Generate a local certificate request. For more information, see Generating a certificate request on page 281.
Import: Import a signed local certificate. For more information, see Importing a signed server certificate on page 283.
Name: The names of existing local certificates and pending certificate requests.
Subject: The Distinguished Names (DNs) of local signed certificates.
Comments: A description of the certificate.
Status: The status of the local certificate. PENDING designates a certificate request that has been generated but not yet downloaded and signed.
View Certificate Detail icon: Display certificate details such as the certificate name, issuer, subject, and validity dates.
Delete icon: Delete the selected certificate request or installed server certificate from the FortiGate configuration. This is available only if the certificate has PENDING status.
Download icon: Save a copy of the certificate request to a local computer so that you can send it to your CA and obtain a signed server certificate for the FortiGate unit. This applies to file-based requests; SCEP-based requests are submitted to the CA over the network.
For detailed information and step-by-step procedures related to obtaining and installing digital certificates, see the FortiGate Certificate Management User Guide.
Generating a certificate request
The FortiGate unit generates a certificate request based on the information you enter to identify the FortiGate unit. Generated requests are displayed in the Local Certificates list with a status of PENDING. After you generate a certificate request, you can download the request to a computer that has management access to the FortiGate unit and then forward the request to a CA.
To fill out a certificate request, go to System > Certificates > Local Certificates, select Generate, and complete the fields in the table below. To download and send the certificate request to a CA, see Downloading and submitting a certificate request on page 282.
Figure 142: Generate Certificate Signing Request
[Figure 142 callout: Remove/Add OU]
Certification Name: Enter a certificate name. Typically, this would be the name of the FortiGate unit. To enable the export of a signed certificate as a PKCS12 file later on if required, do not include spaces in the name.
Subject Information: Enter the information needed to identify the FortiGate unit:
Host IP: If the FortiGate unit has a static IP address, select Host IP and enter the public IP address of the FortiGate unit. If the FortiGate unit does not have a public IP address, use an email address (or domain name if available) instead.
Domain Name: If the FortiGate unit does not have a static IP address and subscribes to a dynamic DNS service, use a domain name if available to identify the FortiGate unit. If you select Domain Name, enter the fully qualified domain name of the FortiGate unit. Do not include the protocol specification (http://) or any port number or path names. If a domain name is not available and the FortiGate unit subscribes to a dynamic DNS service, an "unable to verify certificate" message may be displayed in the user's browser whenever the public IP address of the FortiGate unit changes.
E-Mail: If you select E-mail, enter the email address of the owner of the FortiGate unit.
Optional Information: Complete as described or leave blank.
Organization Unit: Enter the name of your department or departments. You can enter a maximum of 5 Organization Units. To add or remove a unit, use the plus (+) or minus (-) icon.
Organization: Enter the legal name of your company or organization.
Locality (City): Enter the name of the city or town where the FortiGate unit is installed.
State/Province: Enter the name of the state or province where the FortiGate unit is installed.
Country: Select the country where the FortiGate unit is installed.
e-mail: Enter the contact email address.
Key Type: Only RSA is supported.
Key Size: Select 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate but they provide better security. Select 2048 Bit unless a specific peer cannot handle it: 1024-bit RSA keys are no longer considered adequate, and public CAs no longer sign requests that use them.
Enrollment Method: Select one of the following methods:
File Based: Select to generate the certificate request as a file that you download and submit to the CA yourself.
Online SCEP: Select to obtain a signed SCEP-based certificate automatically over the network.
CA Server URL: Enter the URL of the SCEP server from which to retrieve the CA certificate.
Challenge Password: Enter the CA server challenge password.
Downloading and submitting a certificate request
You have to fill out a certificate request and generate the request before you can submit the results to a CA. For more information, see Generating a certificate request on page 281.
To download and submit a certificate request
1 Go to System > Certificates > Local Certificates.
2 In the Local Certificates list, select the Download icon in the row that corresponds to the generated certificate request.
3 In the File Download dialog box, select Save to Disk.
4 Name the file and save it to the local file system.
5 Submit the request to your CA as follows:
Using the web browser on the management computer, browse to the CA web site.
Follow the CA instructions to place a base-64 encoded PKCS#10 certificate request and upload your certificate request.
Follow the CA instructions to download their root certificate and Certificate Revocation List (CRL), and then install the root certificate and CRL on each remote client (refer to the browser documentation).
6 When you receive the signed certificate from the CA, install the certificate on the FortiGate unit. See Importing a signed server certificate on page 283.
Importing a signed server certificate
Your CA will provide you with a signed server certificate to install on the FortiGate unit. When you receive the signed certificate from the CA, save the certificate on a computer that has management access to the FortiGate unit. The certificate file can be in either PEM or DER format.
To import the signed server certificate
1 Go to System > Certificates > Local Certificates and select Import.
2 Enter the following information:
Figure 143: Import local certificate
Type: Select Local Certificate.
Certificate File: Enter the full path to and file name of the signed server certificate.
Browse: Alternatively, browse to the location on the management computer where the certificate has been saved and select the certificate.
3 Select OK.
Import the signed certificate on the unit that generated the request: the private key stays on that unit, and the certificate is usable only where its private key is.
Importing an exported server certificate and private key
A PKCS12 file bundles a server certificate with its private key and is protected by a password. You will need to know the password in order to import the certificate file. Before you begin, save a copy of the file on a computer that has management access to the FortiGate unit. For more information, see the FortiGate Certificate Management User Guide.
To import the PKCS12 file
1 Go to System > Certificates > Local Certificates and select Import.
2 Enter the following information:
Figure 144: Import PKCS12 certificate
Type: Select PKCS12 Certificate.
Certificate with key file: Enter the full path to and file name of the previously exported PKCS12 file.
Browse: Alternatively, browse to the location on the management computer where the PKCS12 file has been saved, select the file, and then select OK.
Password: Type the password needed to upload the PKCS12 file.
Note: The certificate file must not use 40-bit RC2-CBC encryption. Older OpenSSL releases use this cipher for the certificate part of a PKCS12 file by default; when exporting with openssl pkcs12, pass -certpbe and -keypbe with a 3DES or AES PBE algorithm instead.
3 Select OK.
Importing separate server certificate and private key files
When the server certificate request and private key were not generated by the FortiGate unit, you will receive them as separate files. Copy the two files to the management computer.
To import the certificate and private key files
1 Go to System > Certificates > Local Certificates and select Import.
2 Enter the following information:
Figure 145: Import certificate and private key file
Type: Select Certificate.
Certificate file: Enter the full path to and file name of the previously exported certificate file.
Browse: Alternatively, browse to the location of the previously exported certificate file, select the file, and then select OK.
Key file: Enter the full path to and file name of the previously exported key file.
Browse: Alternatively, browse to the location of the previously exported key file, select the file, and then select OK.
Password: If a password is required to upload and open the files, type the password.
3 Select OK.
Once the key is imported, delete the copies on the management computer: any copy of the private key that exists outside the unit can be used to impersonate it.
Remote Certificates
For dynamic certificate revocation, you need to use an Online Certificate Status Protocol (OCSP) server. Remote certificates are public certificates without a private key: the certificate with which the OCSP responder signs its responses, which the FortiGate unit needs in order to verify those responses. OCSP is configured in the CLI only. For more information, see the FortiGate CLI Reference.
Installed Remote (OCSP) certificates are displayed in the Remote Certificates list.
To view installed Remote (OCSP) certificates or import a Remote (OCSP) certificate, go to System > Certificates > Remote. To view certificate details, select the View Certificate Detail icon in the row that corresponds to the certificate.
Figure 146: Remote certificate list
Import: Import a public OCSP certificate. See Importing Remote (OCSP) certificates on page 285.
Name: The names of existing Remote (OCSP) certificates. The FortiGate unit assigns unique names (REMOTE_Cert_1, REMOTE_Cert_2, REMOTE_Cert_3, and so on) to the Remote (OCSP) certificates when they are imported.
Subject: Information about the Remote (OCSP) certificate.
Delete icon: Delete a Remote (OCSP) certificate from the FortiGate configuration.
View Certificate Detail icon: Display certificate details.
Download icon: Save a copy of the Remote (OCSP) certificate to a local computer.
Importing Remote (OCSP) certificates
To import a Remote (OCSP) certificate, go to System > Certificates > Remote and select Import.
Figure 147: Upload Remote Certificate
Local PC: Enter the location on the management PC of the public certificate to upload.
Browse: Alternatively, browse to the location on the management computer where the certificate has been saved, select the certificate, and then select OK.
The system assigns a unique name to each Remote (OCSP) certificate. The names are numbered consecutively (REMOTE_Cert_1, REMOTE_Cert_2, REMOTE_Cert_3, and so on).
Note: One OCSP server configuration applies per VDOM.
CA Certificates
When you apply for a signed personal or group certificate to install on remote clients, you must obtain the corresponding root certificate and CRL from the issuing CA.
When you receive the certificate, install it on the remote clients according to the browser documentation. Install the corresponding root certificate and CRL from the issuing CA on the FortiGate unit.
CA certificates can update automatically online prior to expiry. This must be configured in the CLI. See the vpn certificate ca command in the FortiGate CLI Reference.
Installed CA certificates are displayed in the CA Certificates list. You cannot delete the Fortinet_CA certificate. To view installed CA root certificates or import a CA root certificate, go to System > Certificates > CA Certificates. To view root certificate details, select the View Certificate Detail icon in the row that corresponds to the certificate.
Figure 148: CA Certificates list
Import: Import a CA root certificate. See Importing CA certificates on page 286.
Name: The names of existing CA root certificates. The FortiGate unit assigns unique names (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on) to the CA certificates when they are imported.
Subject: Information about the issuing CA.
Delete icon: Delete a CA root certificate from the FortiGate configuration.
View Certificate Detail icon: Display certificate details.
Download icon: Save a copy of the CA root certificate to a local computer.
For detailed information and step-by-step procedures related to obtaining and installing digital certificates, see the FortiGate Certificate Management User Guide.
Importing CA certificates
After you download the root certificate of the CA, save the certificate on a PC that has management access to the FortiGate unit.
To import a CA root certificate, go to System > Certificates > CA Certificates and select Import.
Figure 149: Import CA Certificate
SCEP: Select to retrieve the CA certificate from an SCEP server for user authentication. Enter the URL of the SCEP server from which to retrieve the CA certificate. Optionally, enter identifying information of the CA, such as the file name. Select OK.
Local PC: Select to upload a public certificate from a local administrator's PC. Enter the location, or browse to the location on the management computer where the certificate has been saved, select the certificate, and then select OK.
If you choose SCEP, the system starts the retrieval process as soon as you select OK.
Whichever method you use, compare the fingerprint of the imported CA certificate with a value obtained from the CA out of band before relying on it: every certificate in this list becomes a trust anchor for peer and client authentication on the unit.
The system assigns a unique name to each CA certificate. The names are numbered consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).
CRL
A Certificate Revocation List (CRL) is a signed list, published by a CA, of the serial numbers of certificates it has revoked before their expiry date, each paired with the date of revocation. Installed CRLs are displayed in the CRL list. The FortiGate unit uses CRLs to ensure that the certificates belonging to CAs and remote clients are still valid.
To view installed CRLs, go to System > Certificates > CRL.
Figure 150: Certificate revocation list
Import: Import a CRL. For more information, see Importing a certificate revocation list on page 288.
Name: The names of existing certificate revocation lists. The FortiGate unit assigns unique names (CRL_1, CRL_2, CRL_3, and so on) to certificate revocation lists when they are imported.
Subject: Information about the certificate revocation lists.
Delete icon: Delete the selected CRL from the FortiGate configuration.
View Certificate Detail icon: Display CRL details such as the issuer name and CRL update dates.
Download icon: Save a copy of the CRL to a local computer.
Importing a certificate revocation list
Certificate revocation lists from CA web sites must be kept updated on a regular basis to
ensure that clients having revoked certificates cannot establish a connection with the
FortiGate unit. After you download a CRL from the CA web site, save the CRL on a
computer that has management access to the FortiGate unit.
To import a certificate revocation list, go to System > Certificates > CRL and select Import.
Figure 151: Import CRL
The system assigns a unique name to each CRL. The names are numbered consecutively
(CRL_1, CRL_2, CRL_3, and so on).
Note: When the CRL is configured with an LDAP, HTTP, and/or SCEP server, the latest
version of the CRL is retrieved automatically from the server when the FortiGate unit does
not have a copy of it or when the current copy expires.
HTTP Select to use an HTTP server to retrieve the CRL. Enter the URL of the HTTP
server.
LDAP Select to use an LDAP server to retrieve the CRL, then select the LDAP
server from the list.
SCEP Select to use an SCEP server to retrieve the CRL, then select the Local
Certificate from the list. Enter the URL of the SCEP server from which the
CRL can be retrieved.
Local PC Select to upload a CRL file from a local administrator's PC. Enter the location, or browse to the location on the management computer where the CRL has been saved, select the file, and then select OK.
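The following is an added example, not part of the guide and not Fortinet code, written against the Python standard library only. It serves two passages: the subject fields of the Generate Certificate Signing Request dialog (it encodes exactly those attributes into the DER Name that ends up in the request, enforcing the dialog's limit of five Organization Units) and this CRL section (it parses a CRL body to answer the two questions the unit itself must answer: is the copy still current, and is a given serial number revoked). The attribute OIDs are those of RFC 5280 and RFC 2985; the sample issuer and the two revoked serials are constructed, and the CRL body is built unsigned, so checking the CRL's signature against the CA certificate, which must precede any revocation decision, is out of scope here.

```python
"""Added example (not from the guide, not Fortinet code; standard library only).
Encodes the CSR dialog's subject fields as a DER Name, wraps a constructed, unsigned
CRL body around it, then parses that body for currency and revocation checks."""
from datetime import datetime, timezone

# Attribute types the dialog exposes (OIDs from RFC 5280 / RFC 2985) and its OU limit.
OID = {"C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7", "O": "2.5.4.10",
       "OU": "2.5.4.11", "CN": "2.5.4.3", "emailAddress": "1.2.840.113549.1.9.1"}
OID_NAME = {v: k for k, v in OID.items()}
MAX_OU = 5

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def tlv(tag, body):
    """One DER tag-length-value; long-form length once the body reaches 128 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128 groups, most significant first, continuation bit on all but the last
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_integer(n):
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))  # spare byte keeps the sign bit clear

def encode_utctime(t):
    return tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def encode_name(fields):
    """Name ::= SEQUENCE OF RelativeDistinguishedName. OU may be a list of at most MAX_OU values."""
    rdns = []
    for key, value in fields.items():
        values = value if isinstance(value, list) else [value]
        if key == "OU" and len(values) > MAX_OU:
            raise ValueError("the dialog accepts at most %d Organization Units" % MAX_OU)
        for v in values:  # countryName is PrintableString, emailAddress IA5String, the rest UTF8String
            stag = 0x13 if key == "C" else 0x16 if key == "emailAddress" else 0x0C
            rdns.append(tlv(0x31, tlv(0x30, encode_oid(OID[key]) + tlv(stag, v.encode("utf-8")))))
    return tlv(0x30, b"".join(rdns))

def build_tbs_crl(issuer, this_update, next_update, revoked):
    """TBSCertList (v2) without the outer signature; revoked is a list of (serial, date)."""
    alg = tlv(0x30, encode_oid("1.2.840.113549.1.1.11") + b"\x05\x00")  # sha256WithRSA, NULL params
    entries = b"".join(tlv(0x30, encode_integer(s) + encode_utctime(d)) for s, d in revoked)
    return tlv(0x30, encode_integer(1) + alg + encode_name(issuer) + encode_utctime(this_update)
               + encode_utctime(next_update) + tlv(0x30, entries))

def read_tlv(buf, pos=0):
    """Return (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, child, pos = read_tlv(body, pos)
        out.append((tag, child))
    return out

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_utctime(body):
    return datetime.strptime(body.decode("ascii"), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def decode_name(body):
    out = {}
    for _, rdn in children(body):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            out.setdefault(OID_NAME.get(decode_oid(oid), decode_oid(oid)), []).append(val.decode("utf-8"))
    return {k: v if k == "OU" else v[0] for k, v in out.items()}

def parse_tbs_crl(der):
    fields = children(read_tlv(der)[1])
    if fields[0][0] == 0x02:  # the version INTEGER is optional; skip it when present
        fields = fields[1:]
    _alg, issuer, this_upd, next_upd, revoked = fields[:5]  # nextUpdate assumed present
    entries = {int.from_bytes(s, "big"): decode_utctime(d)
               for (_, s), (_, d) in (children(e)[:2] for _, e in children(revoked[1]))}
    return {"issuer": decode_name(issuer[1]), "this_update": decode_utctime(this_upd[1]),
            "next_update": decode_utctime(next_upd[1]), "revoked": entries}

def crl_is_current(crl, now):
    """A copy past nextUpdate is stale: the unit refetches it, and a checker must not rely on it."""
    return crl["this_update"] <= now < crl["next_update"]

def is_revoked(crl, serial):
    return serial in crl["revoked"]

# Constructed sample data: an issuing CA named with the dialog's fields and two revoked serials.
SAMPLE_ISSUER = {"C": "US", "ST": "California", "L": "Sunnyvale", "O": "Example Corp",
                 "OU": ["IT", "Security"], "CN": "Example Corp Issuing CA", "emailAddress": "pki@example.com"}
SAMPLE_CRL = build_tbs_crl(SAMPLE_ISSUER, utc(2009, 10, 1), utc(2009, 11, 1),
                           [(0x1001, utc(2009, 9, 15)), (0x1002, utc(2009, 9, 20))])

if __name__ == "__main__":
    crl = parse_tbs_crl(SAMPLE_CRL)
    print(crl["issuer"]["CN"], crl_is_current(crl, utc(2009, 10, 15)), is_revoked(crl, 0x1001))
```

Two design points carry over to the unit's own behaviour. The currency check is the reason the import dialog's HTTP, LDAP and SCEP options matter: a CRL is only as good as its nextUpdate, and a unit holding an expired copy has no way to learn of newer revocations. The revocation lookup keys on the serial number alone, which is why a serial is unique per CA and why the CRL must be matched to the issuer of the certificate being checked.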
System Maintenance
This section describes how to maintain your system configuration as well as how to enable
and update FDN services. This section also explains the types of FDN services that are
available for your FortiGate unit.
If you enable virtual domains (VDOMs) on the FortiGate unit, system maintenance is
configured globally for the entire FortiGate unit. For more information, see Using virtual
domains on page 125.
This section includes the following topics:
About the Maintenance menu
Backing up and restoring
Managing configuration revisions
Using script files
Configuring FortiGuard Services
Troubleshooting FDN connectivity
Updating antivirus and attack definitions
Enabling push updates
Adding VDOM Licenses
About the Maintenance menu
The maintenance menu provides help with maintaining and managing firmware,
configuration revisions, script files, and FortiGuard subscription-based services. From this
menu, you can upgrade or downgrade the firmware, view historical backups of
configuration files, or update FortiGuard services.
The maintenance menu has the following tabs:
Backup & Restore - allows you to back up and restore your system configuration file,
remotely upgrade firmware, and import CLI commands.
Revision Control - displays all system configuration backups with the date and time of
when they were backed up. Before you can use revision control, a Central
Management server must be configured and enabled.
Scripts - displays the script execution history and provides a way to upload script files to the FortiGuard Analysis & Management Service portal web site.
FortiGuard - displays all FDN subscription services, such as antivirus and IPS
definitions as well as the FortiGuard Analysis & Management Service. This tab also
provides configuration options for antivirus, IPS, web filtering, and antispam services.
License - allows you to increase the maximum number of VDOMs (on some FortiGate
models).
When backing up the system configuration, web content files and email filtering files are
also included. You can save the configuration to the management computer or to a USB
disk if your FortiGate unit includes a USB port (see Formatting USB Disks on page 296).
You can also restore the system configuration from previously downloaded backup files in
the Backup & Restore menu.
When virtual domain configuration is enabled, the content of the backup file depends on
the administrator account that created it. A backup of the system configuration from the
super_admin account contains global settings and the settings included in each VDOM.
Only the super_admin can restore the configuration from this file. When you back up the
system configuration from a regular administrator account, the backup file contains the
global settings and the settings for the VDOM that the regular administrator belongs to. A
regular administrator is the only user account that can restore the configuration from this
file.
Some FortiGate models support FortiClient by storing a FortiClient image that users can
download. The FortiClient section of Backup & Restore is available if your FortiGate model
supports FortiClient.
Backing up and restoring
The Backup & Restore tab allows you to back up and restore your FortiGate configuration
to your management PC, a central management server, or a USB disk. You can back up
and restore your configuration to a USB disk if the FortiGate unit includes a USB port and
if you have connected a USB disk to the USB port. FortiGate units support most USB
disks including USB keys and external USB hard disks (see Formatting USB Disks on
page 296). The central management server is whatever remote management service the
FortiGate unit is connected to. For example, if the current configuration on a FortiGate-60
is backed up to a FortiManager unit, the central management server is the FortiManager
unit.
You must configure central management in System > Admin > Central Management
before these options are available in the Backup & Restore section. For more information,
see Central Management on page 260.
To view the backup and restore options, go to System > Maintenance > Backup and
Restore.
Figure 152: Backup and restore
Tip: For simplified procedures on managing firmware, including backup and restore
options, and on uploading and downloading firmware for your FortiGate unit, see
Managing firmware versions on page 113.
Basic backup and restore options
This section of the Backup & Restore page provides the option of backing up the current
configuration file to several different locations, including encryption for added security. You
can also restore a backed-up configuration file.
To view the backup and restore options, go to System > Maintenance >
Backup & Restore.
Figure 153: Backup & Restore options with FortiGuard services option enabled
Backup
Backup configuration to - The options available for backing up your current configuration. Select one of the displayed options:
Local PC - Back up the configuration to the management computer the FortiGate unit is connected to. Local PC is always displayed regardless of whether a USB disk is available, FortiGuard Analysis & Management Service is enabled, or the FortiGate unit is connected to a FortiManager unit.
FortiGuard Analysis & Management Service - Back up the configuration to the FortiGuard Analysis & Management Service. If the service is not enabled, Management Station is displayed.
USB Disk - Back up the configuration file to the USB disk connected to the FortiGate unit. USB Disk is displayed only if the FortiGate unit includes a USB port. If you do not connect a USB disk, this option is grayed out. For more information, see Formatting USB Disks on page 296.
FortiManager - Back up the configuration to the configured FortiManager unit. If the FortiGate unit is not connected to a FortiManager unit, this option is not displayed.
Encrypt configuration file - Select to encrypt the backup file. Encryption must be enabled to save VPN certificates with the configuration. This option is not available for configurations backed up to a FortiManager unit.
Password - Enter a password to encrypt the configuration file. You will need this password to restore the configuration file.
Confirm - Enter the password again to confirm the password.
Filename - Enter the name of the backup file or select Browse to locate the file. The Filename field is available only when you choose to back up the configuration to a USB disk.
Backup - Select to back up the configuration. If you are backing up to a FortiManager device, a confirmation message is displayed after successful completion of the backup.
Remote FortiManager backup and restore options
Your FortiGate unit can be remotely managed by a FortiManager unit. The FortiGate unit
connects using the FortiGuard-FortiManager protocol. This protocol provides
communication between a FortiGate unit and a FortiManager unit, and runs over SSL
using IPv4/TCP port 541.
For detailed instructions on how to install a FortiManager unit, see the FortiManager Install
Guide.
After successfully connecting to the FortiManager unit from your FortiGate unit, you can
back up your configuration to the FortiManager unit. You can also restore your
configuration.
The automatic configuration backup is available only in local mode on the FortiManager
unit.
A list of revisions is displayed when restoring the configuration from a remote location.
The list allows you to choose the configuration to restore.
To view the basic backup and restore options, go to System > Maintenance >
Backup & Restore.
Restore
Restore configuration from - The options available for restoring the configuration from a specific file. Select one of the displayed options:
Local PC - Restore a configuration file from the management computer the FortiGate unit is connected to. Local PC is always displayed regardless of whether a USB disk is available, FortiGuard Analysis & Management Service is enabled, or the FortiGate unit is connected to a FortiManager unit.
USB Disk - Restore a configuration file from the USB disk connected to the FortiGate unit. USB Disk is displayed only if the FortiGate unit includes a USB port. If you do not connect a USB disk, this option is grayed out. See Formatting USB Disks on page 296.
FortiGuard Analysis & Management Service - Restore a configuration from the FortiGuard Analysis & Management Service. If the FortiGuard Analysis & Management Service is not enabled, this option is not displayed and Management Station is displayed instead.
FortiManager - Restore a configuration from the configured FortiManager unit. If the FortiGate unit is not connected to a FortiManager unit, this option is not displayed.
Filename - Select the configuration file name from the Browse list if you are restoring the configuration from a USB disk. Enter the configuration file name or select Browse if you are restoring the configuration from a file on the management computer.
Password - Enter the password you entered when backing up the configuration file.
Restore - Select to restore the configuration.
Note: When central management is disabled, Management Station appears. FortiGuard
appears when the FortiGuard Analysis & Management Service is enabled.
Figure 154: Backup & Restore options with FortiManager option enabled
Remote FortiGuard backup and restore options
Your FortiGate unit can be remotely managed by a central management server, which is
available when you register for the FortiGuard Analysis & Management Service. The
FortiGuard Analysis & Management Service is a subscription-based service and is
purchased by contacting support. Additional information, including how to register your
FortiGate unit for the FortiGuard Analysis & Management Service, is available in the
FortiGuard Analysis & Management Service Users Guide.
After registering, you can back up or restore your configuration. The FortiGuard Analysis &
Management Service is useful when administering multiple FortiGate units without having
a FortiManager unit.
You can also upgrade the firmware on your FortiGate unit using the FortiGuard Analysis &
Management Service. Upgrading the firmware is available in the Firmware Upgrade
section of the backup and restore menu. See Upgrading and downgrading firmware
through FortiGuard on page 295 for more information about upgrading firmware from the
backup and restore menu.
The following options are available when the FortiManager option is enabled (see Figure 154):
Backup - The options available for backing up your current configuration to a FortiManager unit.
Backup configuration to - Select FortiManager to upload the configuration to the FortiManager unit. The Local PC option is always available.
Comments - Enter a description or information about the file in the Comments field. This is optional.
Backup - Select to back up the configuration file to the FortiManager unit. A confirmation message appears after successful completion of the backup.
Restore - The options for restoring a configuration file.
Restore configuration from - Select the FortiManager option to download and restore the configuration from the FortiManager unit.
Please Select - Select the configuration file you want to restore from the list. This list includes the comments you entered in the Comments field before the file was uploaded to the FortiManager unit. The list is in numerical order, with the most recently uploaded configuration first.
Restore - Select to restore the configuration from the FortiManager unit.
Tip: For simplified procedures on managing firmware, including backup and restore
options, and on uploading and downloading firmware for your FortiGate unit, see
Managing firmware versions on page 113.
When restoring the configuration from a remote location, a list of revisions is displayed so
that you can choose the configuration file to restore.
To view the basic backup and restore options, go to System > Maintenance >
Backup & Restore.
Figure 155: Backup & Restore Central Management options
Upgrading and downgrading firmware
The firmware section displays the current version of firmware installed on your FortiGate
unit, as well as the firmware version currently in use if there is more than one firmware
image saved on the FortiGate unit.
To view the firmware options, go to System > Maintenance > Backup & Restore.
The following options are available when the FortiGuard Analysis & Management Service is enabled (see Figure 155):
Backup - The options available for backing up your current configuration to the FortiGuard Analysis & Management Service.
Backup configuration to - Select the FortiGuard option to upload the configuration to the FortiGuard Analysis & Management Service. The Local PC option is always available.
Comments - Enter a description or information about the file in the Comments field. This is optional.
Backup - Select to back up the configuration file to the FortiGuard Analysis & Management Service. A confirmation message appears after successful completion of the backup.
Restore - The options for restoring a configuration file.
Restore configuration from - Select the FortiGuard option to download the configuration file from the FortiGuard Analysis & Management Service.
Please Select - Select the configuration file you want to restore from the list. This list includes the comments you entered in the Comments field before the file was uploaded to the FortiGuard Analysis & Management Service. The list is in numerical order, with the most recently uploaded configuration first.
Restore - Select to restore the configuration from the FortiGuard Analysis & Management Service.
Note: The FortiGuard-FortiManager protocol is used when connecting to the FortiGuard
Analysis & Management Service. This protocol runs over SSL using IPv4/TCP port 541 and
includes the following functions:
detects FortiGate unit dead or alive status
detects management service dead or alive status
notifies the FortiGate units about configuration changes, AV/IPS database update and
firewall changes.
Figure 156: Firmware images
Upgrading and downgrading firmware through FortiGuard
The Firmware Upgrade section of the backup and restore page displays options for
upgrading to a new version using the FortiGuard Analysis & Management Service if that
option is available to you. Using the FortiGuard Analysis & Management Service to
upgrade the firmware on your FortiGate unit is only available on certain FortiGate units.
You must register for the service by contacting customer support.
Detailed firmware version information is provided if you have subscribed for the
FortiGuard Analysis & Management Service.
To view the firmware options, go to System > Maintenance > Backup & Restore.
Figure 157: Firmware Upgrade section of the Backup & Restore page
Partition - A partition can contain one version of the firmware and the system configuration. FortiGate-100A units and higher have two partitions. One partition is active and the other is used as a backup.
Active - A green check mark indicates the partition currently in use.
Last upgrade - The date and time of the last update to this partition.
Firmware Version - The version and build number of the FortiGate firmware. If your FortiGate model has a backup partition, you can select Upload to replace the firmware with firmware from the management computer or a USB disk (the USB disk must be connected to the FortiGate unit USB port; see Formatting USB Disks on page 296), or select Upload and Reboot to replace the existing firmware and make this the active partition.
Boot alternate firmware - Restart the FortiGate unit using the backup firmware. This is available only for FortiGate-100 units or higher.
Upgrade from FortiGuard network to firmware version: [Please Select] - Select one of the available firmware versions. The list contains the following information for each available firmware release: continent (for example, North America), maintenance release number, patch release number, and build number. For example, if you are upgrading to FortiOS 3.0 MR6 and the FortiGate unit is located in North America, the firmware version available is v3.0 MR6-NA (build 0700).
Allow firmware downgrade - Select to allow installation of older versions than the one currently installed. This is useful if the current version changed functionality you need and you have to revert to an older firmware image.
Configuring advanced options
The Advanced section on the backup and restore page includes the USB Auto Install
feature and the debug log. The USB settings are available only if the FortiGate unit
includes a USB port. You must connect a USB disk to the FortiGate unit USB port to use
the USB auto-install feature. See Formatting USB Disks on page 296.
To view the advanced options, go to System > Maintenance > Backup & Restore.
Figure 158: Options available in the Advanced section
Formatting USB Disks
FortiGate units with USB ports support USB disks for backing up and restoring
configurations.
FortiUSB and generic USB disks are supported, but the generic USB disk must be
formatted as a FAT16 disk. No other partition type is supported.
There are two ways that you can format the USB disk, either by using the CLI or a
Windows system. You can format the USB disk in the CLI using the command
exe usb-disk format. When using a Windows system to format the disk, at the
command prompt type format <drive_letter>: /FS:FAT /V:<drive_label>
where <drive_letter> is the letter of the connected USB drive you want to format, and
<drive_label> is the name you want to give the USB drive for identification.
Upgrade by File - Select Browse to locate a file on your local PC to upload to the FortiGate unit.
OK - Select OK to enable your selection.
On system restart, automatically update FortiGate configuration... - Automatically update the configuration on restart. Ensure that the default configuration file name matches the configuration file name on the USB disk. If the configuration file on the disk matches the currently installed configuration, the FortiGate unit skips the configuration update process.
On system restart, automatically update FortiGate firmware... - Automatically update the firmware on restart. Ensure that the default image name matches the firmware file name on the USB disk. If the firmware image on the disk matches the currently installed firmware, the FortiGate unit skips the firmware update process.
Apply - Select to apply the selected settings.
Download Debug Log - Download an encrypted debug log to a file. You can send this debug log to Fortinet Technical Support to help diagnose problems with your FortiGate unit.
Caution: Formatting the USB disk deletes all information on the disk. Back up the
information on the USB disk before formatting to ensure all information on the disk is
recoverable.
Managing configuration revisions
The Revision Control tab enables you to manage multiple versions of configuration files.
Revision control requires a configured central management server. This server can either
be a FortiManager unit or the FortiGuard Analysis & Management Service.
If central management is not configured on your FortiGate unit, a message appears to tell
you to do one of the following:
enable central management (see Central Management on page 260)
obtain a valid license.
When revision control is enabled on your FortiGate unit, and configurations have been
backed up, a list of saved revisions of those backed-up configurations appears.
To view the configuration revisions, go to System > Maintenance > Revision Control.
Figure 159: Revision Control page displaying system configuration backups
Current Page - The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of system configuration backups. For more information, see Using page controls on web-based manager lists on page 60.
Revision - An incremental number indicating the order in which the configurations were saved. These may not be consecutive numbers if configurations are deleted. The most recent, and highest, number is first in the list.
Date/Time - The date and time this configuration was saved on the FortiGate unit.
Administrator - The administrator account that was used to back up this revision.
Comments - Any relevant information saved with the revision, such as why the revision was saved, who saved it, and if there is a date when it can be deleted to free up space.
Diff icon - Select to compare two revisions. A window appears, from which you can view and compare the selected revision to one of: the current configuration; a selected revision from the displayed list, including revision history and templates; or a specified revision number.
Download icon - Download this revision to your local PC.
Revert icon - Restore the selected revision. You will be prompted to confirm this action.
Using script files
Scripts are text files containing CLI command sequences. These can be uploaded and
executed to run complex command sequences easily. Scripts can be used to deploy
identical configurations to many devices. For example, if all of your devices use identical
administrator admin profiles, you can enter the commands required to create the admin
profiles in a script, and then deploy the script to all the devices which should use those
same settings.
If you are using a FortiGate unit without a FortiManager unit or the FortiGuard Analysis &
Management Service, the scripts you upload are executed and discarded. If you want to
execute a script more than once, you must keep a copy on your management PC.
If your FortiGate unit is configured to use a FortiManager unit, you can upload your scripts
to the FortiManager unit, and run them from any FortiGate unit configured to use the
FortiManager unit. If you upload a script directly to a FortiGate unit, it is executed and
discarded.
If your FortiGate unit is configured to use the FortiGuard Analysis & Management Service,
scripts you upload are executed and stored. You can run uploaded scripts from any
FortiGate unit configured with your FortiGuard Analysis & Management Service account.
The uploaded script files appear on the FortiGuard Analysis & Management Service portal
web site.
After executing scripts, you can view the script execution history on the script page. The
list displays the last 10 executed scripts.
To view the script options, go to System > Maintenance > Scripts.
Figure 160: Script execution history
Execute Script from - Scripts can be uploaded directly to the FortiGate unit from the management PC. If you have configured either a FortiManager unit or the FortiGuard Analysis & Management Service, scripts that have been stored remotely can also be run on the FortiGate unit.
Upload Bulk CLI Command File - Select Browse to locate the script file and then select Apply to upload and execute the file. If the FortiGate unit is configured to use the FortiGuard Analysis & Management Service, the script is saved on the server for later use.
Select From remote management station - Select to execute a script from the FortiManager unit or the FortiGuard Analysis & Management Service. Choose the script you want to run from the list of all scripts stored remotely.
Creating script files
Script files are text files with CLI command sequences. When a script file is uploaded to a
FortiGate unit, the commands are executed in sequence.
To create a script file
1 Open a text editor application. Notepad on Windows, GEdit on Linux, Textedit on the
Mac, or any editor that will save plain text can create a script file.
2 Enter the CLI commands you want to run.
The commands must be entered in sequence, with one command per line.
3 Save the file to your maintenance PC.
Uploading script files
After you have created a script file, you can then upload it through System >
Maintenance > Scripts. When a script is uploaded, it is automatically executed.
To execute a script
1 Go to System > Maintenance > Scripts.
2 Verify that Upload Bulk CLI Command File is selected.
3 Select Browse to locate the script file.
4 Select Apply.
If the FortiGate unit is not configured for remote management, or if it is configured to use a
FortiManager unit, uploaded scripts are discarded after execution. Save script files to your
management PC if you want to execute them again later.
If the FortiGate unit is configured to use the FortiGuard Analysis & Management Service,
the script file is saved to the remote server for later reuse. You can view the script or run it
from the FortiGuard Analysis & Management Service portal web site. For more
information about viewing or running an uploaded script on the portal web site, see the
FortiGuard Analysis & Management Service Users Guide.
Script Execution History (past 10 scripts) - A list of the 10 most recently executed scripts.
Name - The name of the script file.
Type - The source of the script file. A local file is uploaded directly to the FortiGate unit from the management PC and executed. A remote file is executed on the FortiGate unit after being sent from a FortiManager unit or the FortiGuard Analysis & Management Service.
Time - The date and time the script file was executed.
Status - The status of the script file: whether its execution succeeded or failed.
Delete icon - Delete the script entry from the list.
Tip: An unencrypted configuration file uses the same structure and syntax as a script file.
You can save a configuration file and copy the required parts to a new file, making any edits
you require. You can generate script files more quickly this way.
Caution: Commands that require the FortiGate unit to reboot when entered on the
command line will also force a reboot if included in a script.
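The tip and caution above describe building a script from parts of a saved, unencrypted configuration file and the risk of reboot-forcing commands in a script. The following is an added example (not code from this guide or from Fortinet) that does both mechanically: it splits a configuration backup into its top-level config blocks, copies the requested blocks into a script with one command per line, and reports any line that would reboot the unit. It assumes the block structure of a FortiOS configuration file (top-level "config <path>" sections closed by "end", "edit" entries closed by "next", and possibly nested "config" sections); the sample backup, hostnames, addresses and the REBOOT_COMMANDS list are constructed for the example.

```python
"""Build a CLI script from selected sections of an unencrypted FortiOS
configuration backup, and flag commands that would reboot the unit.

Added example, not code from the FortiGate guide or from Fortinet. It assumes
the block structure of a FortiOS configuration file (top-level "config <path>"
sections closed by "end", with "edit <name>" entries closed by "next" and
possibly nested "config" sections); the sample backup below is constructed.
"""

# Constructed sample of an unencrypted configuration backup (not a real device).
SAMPLE_CONFIG = """\
#config-version=FGT60-4.00-FW-build0000-000000:opmode=0:vdom=0
config system global
    set hostname "branch-fgt-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 192.0.2.0 255.255.255.0
    next
    edit "auditor"
        set accprofile "read_only"
    next
end
config system interface
    edit "wan1"
        set ip 203.0.113.2 255.255.255.0
        config ipv6
            set ip6-mode static
        end
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
    next
end
"""

# Commands that force a reboot when run from the CLI or from a script
# (list constructed for this example; extend it for your environment).
REBOOT_COMMANDS = ("execute reboot", "execute factoryreset")


def parse_blocks(text):
    """Split a configuration file into top-level (path, lines) blocks.

    Nested "config ... end" sections are tracked by depth so that an inner
    "end" does not close the top-level block. Comment lines are skipped.
    """
    blocks, current, depth = [], None, 0
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if current is None:
            if stripped.startswith("config "):
                current, depth = (stripped[len("config "):], [line]), 1
            continue  # ignore anything outside a top-level block
        current[1].append(line)
        if stripped.startswith("config "):
            depth += 1
        elif stripped == "end":
            depth -= 1
            if depth == 0:
                blocks.append(current)
                current = None
    if current is not None:
        raise ValueError("unterminated config block: " + current[0])
    return blocks


def extract_script(text, wanted_paths):
    """Return a script holding only the requested top-level blocks,
    one CLI command per line and in their original order."""
    wanted = set(wanted_paths)
    lines = []
    for path, block in parse_blocks(text):
        if path in wanted:
            lines.extend(block)
    return "\n".join(lines) + "\n" if lines else ""


def find_reboot_commands(script):
    """Return (line_number, command) for lines that would reboot the unit."""
    hits = []
    for number, line in enumerate(script.splitlines(), start=1):
        command = line.strip()
        if any(command == c or command.startswith(c + " ") for c in REBOOT_COMMANDS):
            hits.append((number, command))
    return hits


if __name__ == "__main__":
    script = extract_script(SAMPLE_CONFIG, ["system admin"])
    print(script)
    print("reboot commands:", find_reboot_commands(script + "execute reboot\n"))
```

Run find_reboot_commands over a script before uploading it: a script that is uploaded is executed immediately, and the guide notes that a reboot-forcing command in it reboots the unit just as it would on the command line.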
Configuring FortiGuard Services
Go to System > Maintenance > FortiGuard to configure your FortiGate unit to use the
FortiGuard Distribution Network (FDN) and FortiGuard Services. The FDN provides
updates to antivirus definitions, IPS definitions, and the Antispam rule set. FortiGuard
Services include FortiGuard web filtering and the FortiGuard Analysis and Management
Service.
FortiGuard Distribution Network
The FDN is a world-wide network of FortiGuard Distribution Servers (FDS). The FDN
provides updates to antivirus (including grayware) definitions, IPS definitions, and the
antispam rule set. When the FortiGate unit contacts the FDN, it connects to the nearest
FDS based on the current time zone setting.
The FortiGate unit supports the following update options:
user-initiated updates from the FDN
hourly, daily, or weekly scheduled antivirus definition, IPS definition, and antispam rule
set updates from the FDN
push updates from the FDN
update status including version numbers, expiry dates, and update dates and times
push updates through a NAT device.
Registering your FortiGate unit on the Fortinet Support web page provides a valid license
contract and connection to the FDN. On the Fortinet Support web page, go to Product
Registration and follow the instructions.
The FortiGate unit must be able to connect to the FDN using HTTPS on port 443 to
receive scheduled updates. For more information, see To enable scheduled updates on
page 307.
You can also configure the FortiGate unit to receive push updates. When the FortiGate
unit is receiving push updates, the FDN must be able to route packets to the FortiGate unit
using UDP port 9443. For more information, see Enabling push updates on page 308. If
the FortiGate unit is behind a NAT device, see Enabling push updates through a NAT
device on page 309.
FortiGuard services
Worldwide coverage of FortiGuard services is provided by FortiGuard service points.
When the FortiGate unit is connecting to the FDN, it is connecting to the closest
FortiGuard service point. Fortinet adds new service points as required.
If the closest service point becomes unreachable for any reason, the FortiGate unit
contacts another service point and information is available within seconds. By default, the
FortiGate unit communicates with the service point via UDP on port 53. Alternately, you
can switch the UDP port used for service point communication to port 8888 by going to
System > Maintenance > FortiGuard.
If you need to change the default FortiGuard service point host name, use the hostname
keyword in the system fortiguard CLI command. You cannot change the FortiGuard
service point name using the web-based manager.
For more information about FortiGuard services, see the FortiGuard Center web page.
FortiGuard Antispam service
FortiGuard Antispam is an antispam system from Fortinet that includes an IP address
black list, a URL black list, and email filtering tools, contained in an antispam rule set that
is downloaded to the FortiGate unit. The IP address black list contains IP addresses of
email servers known to generate spam. The URL black list contains URLs that are found
in spam email.
FortiGuard Antispam processes are completely automated and configured by Fortinet.
With constant monitoring and dynamic updates, FortiGuard Antispam is always current.
You can either enable or disable FortiGuard Antispam in the Firewall menu in a protection
profile. For more information, see Email Filtering options on page 485.
Every FortiGate unit comes with a free 30-day FortiGuard Antispam trial license.
FortiGuard Antispam license management is performed by Fortinet servers; there is no
need to enter a license number. The FortiGate unit automatically contacts a FortiGuard
Antispam service point when enabling FortiGuard Antispam. Contact Fortinet Technical
support to renew the FortiGuard Antispam license after the free trial expires.
You can globally enable FortiGuard Antispam (Email Filter) in System > Maintenance >
FortiGuard and then configure Email Filtering options in each firewall protection profile in
Firewall > Protection Profile. For more information, see Email Filtering options on
page 485.
FortiGuard Web Filtering service
FortiGuard Web Filtering is a managed web filtering solution provided by Fortinet.
FortiGuard Web Filtering sorts hundreds of millions of web pages into a wide range of
categories users can allow, block, or monitor. The FortiGate unit accesses the nearest
FortiGuard Web Filtering service point to determine the category of a requested web
page, then follows the firewall policy configured for that user or interface.
Every FortiGate unit comes with a free 30-day FortiGuard Web Filtering trial license.
FortiGuard license management is performed by Fortinet servers. There is no need to
enter a license number. The FortiGate unit automatically contacts a FortiGuard service
point when enabling FortiGuard category blocking. Contact Fortinet Technical Support to
renew a FortiGuard license after the free trial.
You can globally enable FortiGuard Web Filtering in System > Maintenance > FortiGuard
and then configure FortiGuard Web Filtering options for each profile in Firewall >
Protection Profiles. For more information, see FortiGuard Web Filtering options on
page 483.
FortiGuard Analysis & Management Service
FortiGuard Analysis & Management Service is a subscription-based service that provides
remote management services, including logging and reporting capabilities for all FortiGate
units. These services were previously available only on FortiAnalyzer and FortiManager
units.
The subscription-based service is available from the FortiGuard Analysis & Management
Service portal web site, which provides a central location for configuring logging and
reporting and remote management, and for viewing subscription contract information,
such as daily quota and the expiry date of the service.
Configuring the FortiGate unit for FDN and FortiGuard subscription services
FDN updates, as well as FortiGuard services, are configured in System > Maintenance >
FortiGuard. The FDN page contains four sections of FortiGuard services:
Support Contract and FortiGuard Subscription Services
Downloading antivirus and IPS updates
Configuring Web Filtering and Email Filtering Options
Configuring FortiGuard Analysis & Management Service Options
Support Contract and FortiGuard Subscription Services
The Support Contract and FortiGuard Subscription Services sections are displayed in
abbreviated form on the System Status page. See Viewing the system dashboard on
page 68.
To view the FortiGuard options, go to System > Maintenance > FortiGuard.
Figure 161: Support Contract and FortiGuard Subscription Services section (callouts:
License status icon, License expiry, Valid license)
Support Contract The availability or status of your FortiGate unit support contract. The
status displayed can be one of the following: Unreachable, Not
Registered or Valid Contract.
If Valid Contract is shown, the FortiOS firmware version and contract
expiry date appear. A green checkmark also appears.
[Register] Select to register your FortiGate unit support contract.
This option is available only when the support contract is not
registered.
FortiGuard Subscription Services Availability and status information for each of the
FortiGuard subscription services, including AntiVirus, Intrusion Protection,
Web Filtering, AntiSpam and Analysis & Management Service.
Downloading antivirus and IPS updates
In the Antivirus and IPS Options section, you can schedule antivirus and IPS updates,
configure an override server, or allow push updates. You can access these options by
selecting the expand arrow.
The SETUP message that the FortiGate unit sends when you enable push updates
includes the IP address of the FortiGate interface that the FDN connects to. Use the Use
override push IP option when your FortiGate unit is behind a NAT device. The FortiGate
unit then sends the FDS the IP address and port number of the NAT device instead. The
NAT device must also be configured to forward the FDS traffic to the FortiGate unit on
port 9443.
For more information, see Enabling push updates through a NAT device on page 309.
Figure 162: AntiVirus and IPS Options section
[Availability] The availability of this service on this FortiGate unit, dependent on
your service subscription. The status can be Unreachable, Not
Registered, Valid License, or Valid Contract.
The option Subscribe appears if Availability is Not Registered.
The option Renew appears if Availability has expired.
[Update] Select to manually update this service on your FortiGate unit. This will
prompt you to download the update file from your local computer.
Select Update Now to immediately download current updates from
FDN directly.
[Register] Select to register the service. This is displayed in Analysis &
Management Service.
Status Icon Indicates the status of the subscription service. The icon corresponds
to the availability description.
Gray (Unreachable) FortiGate unit is not able to connect to service.
Orange (Not Registered) FortiGate unit can connect, but is not
subscribed to this service.
Yellow (Expired) FortiGate unit had a valid license that has expired.
Green (Valid license) FortiGate unit can connect to FDN and has a
registered support contract.
If the Status icon is green, the expiry date is displayed.
[Version] The version number of the definition file currently installed on the
FortiGate unit for this service.
[Last update date and method] The date of the last update and the method used for the
last attempt to download definition updates for this service.
[Date] Local system date when the FortiGate unit last checked for updates
for this service.
Use override server address Select to configure an override server if you cannot connect
to the FDN or if your organization provides updates using its own FortiGuard server.
When selected, enter the IP address or domain name of a FortiGuard
server and select Apply. If the FDN Status still indicates no connection
to the FDN, see Troubleshooting FDN connectivity on page 306.
Allow Push Update Select to allow push updates. Updates are then sent automatically to
your FortiGate unit when they are available, eliminating any need for
you to check if they are available.
Allow Push Update status icon The status of the FortiGate unit for receiving push updates:
Gray (Unreachable) - the FortiGate unit is not able to connect to the push
update service
Yellow (Not Available) - the push update service is not available with the
current support license
Green (Available) - the push update service is allowed. See
Enabling push updates on page 308.
If the icon is gray or yellow, see Troubleshooting FDN connectivity
on page 306.
Use override push IP Available only if both Use override server address and Allow Push
Update are enabled.
Select to allow you to create a forwarding policy that redirects
incoming FDS push updates to your FortiGate unit.
Enter the IP address of the NAT device in front of your FortiGate unit.
FDS will connect to this device when attempting to reach the FortiGate
unit.
The NAT device must be configured to forward the FDS traffic to the
FortiGate unit on UDP port 9443. See Enabling push updates through
a NAT device on page 309.
Port Select the port on the NAT device that will receive the FDS push
updates. This port must be forwarded to UDP port 9443 on the
FortiGate unit.
Available only if Use override push is enabled.
Schedule Updates Select this check box to enable scheduled updates.
Every Attempt to update once every 1 to 23 hours. Select the number of
hours between each update request.
Daily Attempt to update once a day. You can specify the hour of the day to
check for updates. The update attempt occurs at a randomly
determined time within the selected hour.
Weekly Attempt to update once a week. You can specify the day of the week
and the hour of the day to check for updates. The update attempt
occurs at a randomly determined time within the selected hour.
Update Now Select to manually initiate an FDN update.
Submit attack characteristics (recommended) Fortinet recommends that you select this
check box. It helps to improve the quality of IPS signatures.
Configuring Web Filtering and Email Filtering Options
You can access this section by selecting the expand arrow to view Web Filtering and
Email Filtering Options.
Figure 163: Web Filtering and Email Filtering Options section
Enable Web Filter Select to enable the FortiGuard Web Filter service.
Enable Cache Select to enable caching of web filter queries.
This improves performance by reducing FortiGate unit requests to the
FortiGuard server. The cache uses 6 percent of the FortiGate memory.
When the cache is full, the least recently used IP address or URL is
deleted.
Available if Enable Web Filter is selected.
TTL Time to live. The number of seconds to store blocked IP addresses
and URLs in the cache before contacting the server again. TTL must
be between 300 and 86400 seconds.
Available only if both Enable Web Filter and Enable Cache are
selected.
Enable Email Filter Select to enable the FortiGuard AntiSpam service.
Enable Cache Select to enable caching of antispam queries.
This improves performance by reducing FortiGate unit requests to the
FortiGuard server. The cache uses 6 percent of the FortiGate memory.
When the cache is full, the least recently used IP address or URL is
deleted.
Available only if Enable Email Filter is selected.
TTL Time to live. The number of seconds to store blocked IP addresses
and URLs in the cache before contacting the server again. TTL must
be between 300 and 86400 seconds.
Port Selection Select one of the following ports for your web filtering and antispam
requirements:
Use Default Port (53) Select to use port 53 for transmitting with FortiGuard Antispam
servers.
Use Alternate Port (8888) Select to use port 8888 for transmitting with FortiGuard Antispam
servers.
Test Availability Select to test the connection to the servers. Results are shown below
the button and on the Status indicators.
To have a URL's category rating re-evaluated, please click here Select to re-evaluate a
URL's category rating on the FortiGuard Web Filter service.
Configuring FortiGuard Analysis & Management Service Options
The Analysis & Management Service Options section contains the Account ID and other
options regarding the FortiGuard Analysis & Management Service.
You can access this section by selecting the expand arrow.
Figure 164: FortiGuard Analysis & Management Service options
Account ID Enter the name for the Analysis & Management Service that identifies
the account. The account ID that you entered in the Account ID field when
registering is used in this field.
To launch the service portal, please click here Select to go directly to the FortiGuard
Analysis & Management Service portal web site to view logs or configuration. You can
also select this to register your FortiGate unit with the FortiGuard Analysis &
Management Service.
To configure FortiGuard Analysis Service options, please click here Select the link
please click here to configure and enable logging to the FortiGuard Analysis &
Management server. The link redirects you to Log&Report > Log Config > Log Setting.
This appears only after registering for the service.
To purge logs older than n months, please click here Select the number of months from
the list that will remove those logs from the FortiGuard Analysis & Management server
and select the link please click here. For example, if you select 2 months, the logs from
the past two months will be removed from the server.
You can also use this option to remove logs that may appear on a current report.
This appears only after logging is enabled and log messages are sent to the FortiGuard
Analysis server.
Troubleshooting FDN connectivity
If your FortiGate unit is unable to connect to the FDN, check your configuration. For
example, you may need to add routes to the FortiGate routing table or configure your
network to allow the FortiGate unit to use HTTPS on port 443 to connect to the Internet.
You might have to connect to an override FortiGuard server to receive updates. For more
information, see To add an override server on page 308. If this is not successful, check
your configuration to make sure you can connect to the override FortiGuard server from
the FortiGate unit.
Push updates might be unavailable if:
you have not registered the FortiGate unit (go to Product Registration and follow the
instructions on the web site if you have not already registered your FortiGate unit)
there is a NAT device installed between the FortiGate unit and the FDN (see Enabling
push updates through a NAT device on page 309)
your FortiGate unit connects to the Internet using a proxy server (see To enable
scheduled updates through a proxy server on page 308).
Updating antivirus and attack definitions
Use the following procedures to configure the FortiGate unit to connect to the FDN to
update the antivirus (including grayware) definitions and IPS attack definitions.
To make sure the FortiGate unit can connect to the FDN
1 Go to System > Status and select Change on the System Time line in the System
Information section.
Verify that the time zone is set correctly, corresponding to the region where your
FortiGate unit is located.
2 Go to System > Maintenance > FortiGuard.
3 Select the expand arrow beside Web Filtering and Email Filtering Options to reveal the
available options.
4 Select Test Availability.
The FortiGate unit tests its connection to the FDN. The test results display at the top
of the FortiGuard page.
To update antivirus and attack definitions
1 Go to System > Maintenance > FortiGuard.
2 Select the expand arrow beside Antivirus and IPS Options to reveal the available
options.
3 Select Update Now to update the antivirus and attack definitions.
If the connection to the FDN or override server is successful, the web-based manager
displays a message similar to the following:
Your update request has been sent. Your database will be updated in
a few minutes. Please check your update page for the status of the
update.
After a few minutes, if an update is available, the FortiGuard page lists new version
information for antivirus definitions and IPS attack definitions. The page also displays new
dates and version numbers for the updated definitions and engines. Messages are
recorded to the event log, indicating whether the update was successful or not.
To enable scheduled updates
1 Go to System > Maintenance > FortiGuard.
2 Select the expand arrow beside AntiVirus and IPS Options to reveal the available
options.
3 Select the Scheduled Update check box.
4 Select one of the following:
Every Once every 1 to 23 hours. Select the number of hours and minutes
between each update request.
Daily Once a day. You can specify the time of day to check for updates.
Weekly Once a week. You can specify the day of the week and the time of
day to check for updates.
Note: Updating antivirus and IPS attack definitions can cause a very short disruption in
traffic scanning while the FortiGate unit applies the new signature definitions. Fortinet
recommends scheduling updates when traffic is light to minimize disruption.
5 Select Apply.
The FortiGate unit starts the next scheduled update according to the new update
schedule.
Whenever the FortiGate unit runs a scheduled update, the event is recorded in the
FortiGate event log.
If you cannot connect to the FDN, or if your organization provides antivirus and IPS
attack updates using its own FortiGuard server, you can use the following procedure to
add the IP address of an override FortiGuard server.
To add an override server
1 Go to System > Maintenance > FortiGuard.
2 Select the expand arrow beside AntiVirus and IPS Options to reveal the available
options.
3 Select the Use override server address check box.
4 Type the fully qualified domain name or IP address of the FortiGuard server.
5 Select Apply.
The FortiGate unit tests the connection to the override server.
If the FortiGuard Distribution Network availability icon changes from gray to green, the
FortiGate unit has successfully connected to the override server.
If the FortiGuard Distribution Network availability icon stays gray, the FortiGate unit
cannot connect to the override server. Check the FortiGate configuration and network
configuration for settings that may prevent the FortiGate unit from connecting to the
override FortiGuard server.
To enable scheduled updates through a proxy server
If your FortiGate unit must connect to the Internet through a proxy server, you can use the
config system autoupdate tunneling command syntax to allow the FortiGate unit
to connect (or tunnel) to the FDN using the proxy server. For more information, see the
FortiGate CLI Reference.
Enabling push updates
The FDN can push updates to FortiGate units to provide the fastest possible response to
critical situations. You must register the FortiGate unit before it can receive push updates.
Register your FortiGate unit by going to the Fortinet Support web site, Product
Registration, and following the instructions.
When you configure a FortiGate unit to allow push updates, the FortiGate unit sends a
SETUP message to the FDN. The next time new antivirus or IPS attack definitions are
released, the FDN notifies all FortiGate units that are configured for push updates, that a
new update is available. Within 60 seconds of receiving a push notification, the FortiGate
unit requests the update from the FDN.
When the network configuration permits, configuring push updates is recommended in
addition to scheduled updates. Scheduled updates ensure that the FortiGate unit receives
current updates, but if push updates are also enabled, the FortiGate unit will usually
receive new updates sooner.
Fortinet does not recommend enabling push updates as the only method for obtaining
updates. The FortiGate unit might not receive the push notification. When the FortiGate
unit receives a push notification, it makes only one attempt to connect to the FDN and
download updates.
Enabling push updates when a FortiGate unit IP address changes
The SETUP message that the FortiGate unit sends when you enable push updates
includes the IP address of the FortiGate interface that the FDN connects to. The interface
used for push updates is the interface configured in the default route of the static routing
table.
The FortiGate unit sends the SETUP message if you:
change the IP address of this interface manually
have set the interface addressing mode to DHCP or PPPoE and your DHCP or PPPoE
server changes the IP address.
The FDN must be able to connect to this IP address so that your FortiGate unit can
receive push update messages. If your FortiGate unit is behind a NAT device, see
Enabling push updates through a NAT device on page 309.
If you have redundant connections to the Internet, the FortiGate unit also sends the
SETUP message when one Internet connection goes down and the FortiGate unit fails
over to another Internet connection.
In transparent mode, if you change the management IP address, the FortiGate unit also
sends the SETUP message to notify the FDN of the address change.
Enabling push updates through a NAT device
If the FDN can reach the FortiGate unit only through a NAT device, you must configure
port forwarding on the NAT device and add the port forwarding information to the push
update configuration. Port forwarding enables the FDN to connect to the FortiGate unit
using UDP on either port 9443 or an override push port that you specify.
If the external IP address of the NAT device is dynamic (PPPoE or DHCP), the FortiGate
unit is unable to receive push updates through the NAT device.
The following procedures configure the FortiGate unit to receive push updates through a
NAT device. They also include adding a port forwarding virtual IP and a firewall policy to
the NAT device.
Figure 165: Example network: Push updates through a NAT device
[Figure 165 labels: Internal network; NAT Device; Internet; FDN Server;
172.16.35.144 (external interface); Virtual IP 10.20.6.135 (external interface)]
The overall process is:
1 Register the FortiGate unit on the internal network so that it has a current support
license and can receive push updates.
2 Configure the following FortiGuard options on the FortiGate unit on the internal
network.
Enable Allow push updates.
Enable Use override push IP and enter the IP address. Usually this is the IP
address of the external interface of the NAT device.
If required, change the override push update port.
3 Add a port forwarding virtual IP to the NAT device.
Set the external IP address of the virtual IP to match the override push update IP.
Usually this is the IP address of the external interface of the NAT device.
4 Add a firewall policy to the FortiGate NAT device that includes the port forwarding
virtual IP.
To configure FortiGuard options on the FortiGate unit on the internal network
1 Go to System > Maintenance > FortiGuard.
2 Select the expand arrow beside AntiVirus and IPS Options to reveal the available
options.
3 Select the Allow Push Update check box.
4 Select the Use override push IP check box.
5 Enter the IP address of the external interface of the NAT device.
Change the default UDP port 9443 only if it is blocked or already in use.
6 Select Apply.
If the external IP address or the external service port changes, update the override push
configuration and select Apply to have the FortiGate unit send the updated push
information to the FDN.
When the FortiGate unit sends the override push IP address and port to the FDN, the FDN
uses this IP address and port for push updates to the FortiGate unit. However, push
updates will not actually work until a virtual IP is added to the NAT device so that the NAT
device accepts push update packets and forwards them to the FortiGate unit on the
internal network.
If the NAT device is also a FortiGate unit, the following procedure, To add a port
forwarding virtual IP to the FortiGate NAT device, allows you to configure the NAT device
to use port forwarding to push update connections from the FDN to the FortiGate unit on
the internal network.
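The same two-sided setup expressed as FortiOS CLI, as an added example that is not part of the guide: the push-update override on the FortiGate unit on the internal network, and the port forwarding virtual IP plus policy on the FortiGate NAT device. The interface names wan1 and internal, the VIP name, and the reading of Figure 165 as 172.16.35.144 being the NAT device's external address and 10.20.6.135 the internal FortiGate unit are assumptions.

```fortios
# On the FortiGate unit on the internal network (assumed address 10.20.6.135):
# enable push updates and tell the FDN to reach this unit through the NAT
# device's external address (assumed 172.16.35.144) on UDP port 9443.
config system autoupdate push-update
    set status enable
    set override enable
    set address 172.16.35.144
    set port 9443
end

# On the FortiGate unit acting as the NAT device: a port forwarding virtual IP
# that maps UDP 9443 arriving on the external interface (assumed name wan1) to
# UDP 9443 on the internal FortiGate unit. Only that one UDP port is exposed.
config firewall vip
    edit "fdn-push-vip"
        set extintf "wan1"
        set extip 172.16.35.144
        set mappedip 10.20.6.135
        set portforward enable
        set protocol udp
        set extport 9443
        set mappedport 9443
    next
end

# The external-to-internal policy that admits the forwarded push packets.
# Because the destination is the port forwarding VIP, the policy matches only
# traffic to UDP 9443 on the external address, even though Service is ANY.
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "fdn-push-vip"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end
```

After applying both sides, the Push Update indicator under System > Maintenance > FortiGuard should turn green, as the verification step below describes.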
Note: Push updates are not supported if the FortiGate unit must use a proxy server to
connect to the FDN. See To enable scheduled updates through a proxy server on
page 308 for more information.
To add a port forwarding virtual IP to the FortiGate NAT device
1 Go to Firewall > Virtual IP.
2 Select Create New.
3 Enter the appropriate information for the following:
Name Enter a name for the Virtual IP.
External Interface Select an external interface from the list. This is the interface that
connects to the Internet.
External IP Address/Range Enter the IP address and/or range. This is the IP address to
which the FDN sends the push updates. This is usually the IP address of the external
interface of the NAT device. This IP address must be the same as the IP address in Use
override push IP for the FortiGate unit on the internal network.
Mapped IP Address/Range Enter the IP address and/or range of the FortiGate unit on the
internal network.
Port Forwarding Select Port Forwarding. When you select Port Forwarding, the
options Protocol, External Service Port and Map to Port appear.
Protocol Select UDP.
External Service Port Enter the external service port. The external service port is the port
that the FDN connects to. The external service port for push
updates is usually 9443. If you changed the push update port in the
FortiGuard configuration of the FortiGate unit on the internal
network, you must set the external service port to the changed push
update port.
Map to Port Enter 9443. This is the port number to which the NAT FortiGate unit
will send the push update after it comes through the virtual IP.
FortiGate units expect push update notifications on port 9443.
4 Select OK.
To add a firewall policy to the FortiGate NAT device
1 Go to Firewall > Policy.
2 Select Create New.
3 Configure the external to internal firewall policy:
Source Interface/Zone Select the name of the interface that connects to the Internet.
Source Address Select All.
Destination Interface/Zone Select the name of the interface of the NAT device that
connects to the internal network.
Destination Address Select the virtual IP added to the NAT device.
Schedule Select Always.
Service Select ANY.
Action Select Accept.
NAT Select NAT.
4 Select OK.
Verify that push updates to the FortiGate unit on the internal network are working by going
to System > Maintenance > FortiGuard and selecting Test Availability under Web Filtering
and AntiSpam Options. The Push Update indicator should change to green.
Adding VDOM Licenses
You can increase the maximum number of VDOMs on your FortiGate unit by purchasing a
license key from Fortinet that raises the maximum number of VDOMs to 25, 50, 100 or
250. By default, FortiGate units support a maximum of 10 VDOMs.
The license key is a 32-character string supplied by Fortinet. Fortinet requires the serial
number of the FortiGate unit to generate the license key.
The license key is entered in System > Maintenance > License in the Input License Key
field. This appears only on high-end FortiGate models.
Figure 166: License key for additional VDOMs
Current License The current maximum number of virtual domains.
Input License key Enter the license key supplied by Fortinet and select Apply.
Note: VDOMs created on a registered FortiGate unit are recognized as real devices by any
connected FortiAnalyzer unit. The FortiAnalyzer unit includes VDOMs in its total number of
registered devices. For example, if three FortiGate units are registered on the FortiAnalyzer
unit and they contain a total of four VDOMs, the total number of registered FortiGate units
on the FortiAnalyzer unit is seven. For more information, see the FortiAnalyzer
Administration Guide.
Router Static
This section explains some general routing concepts, and how to define static routes and
route policies.
A route provides the FortiGate unit with the information it needs to forward a packet to a
particular destination on the network. A static route causes packets to be forwarded to a
destination other than the factory configured default gateway.
The factory configured static default route provides you with a starting point to configure
the default gateway. You must either edit the factory configured static default route to
specify a different default gateway for the FortiGate unit, or delete the factory configured
route and specify your own static default route that points to the default gateway for the
FortiGate unit. For more information, see Default route and default gateway on
page 318.
You define static routes manually. Static routes control traffic exiting the FortiGate unit:
you can specify through which interface the packet will leave and to which device the
packet should be routed.
As an option, you can define route policies. Route policies specify additional criteria for
examining the properties of incoming packets. Using route policies, you can configure the
FortiGate unit to route packets based on the IP source and destination addresses in
packet headers and other criteria such as on which interface the packet was received and
which protocol (service) and port are being used to transport the packet.
If you enable virtual domains (VDOMs) on the FortiGate unit, static routing is configured
separately for each virtual domain. For more information, see Using virtual domains on
page 125.
This section describes:
Routing concepts
Static Route
ECMP route failover and load balancing
Policy Route
Routing concepts
The FortiGate unit functions as a security device on a network and packets must pass
through it. You need to understand a number of basic routing concepts in order to
configure the FortiGate unit appropriately.
Whether you administer a small or large network, this section will help you understand
how the FortiGate unit performs routing functions.
The following topics are covered in this section:
How the routing table is built
How routing decisions are made
Multipath routing and determining the best route
Route priority
Blackhole Route
How the routing table is built
The routing table stores routes to different addresses so the FortiGate unit does not have
to discover the route every time it contacts that address. In the factory default
configuration, the FortiGate routing table contains a single static route, the default route.
You can add routing information to the routing table by defining additional static routes.
The table may include several different routes to the same destination; the IP addresses
of the next-hop router specified in those routes or the FortiGate interfaces associated with
those routes may vary.
The FortiGate unit selects the best route for a packet by evaluating the information in the
routing table. The best route to a destination is typically associated with the shortest
distance between the FortiGate unit and the closest next-hop router. In some cases, the
next best route may be selected if the best route is unavailable. The FortiGate unit installs
the best available routes in the unit's forwarding table, which is a subset of the unit's
routing table. Packets are forwarded according to the information in the forwarding table.
How routing decisions are made
Whenever a packet arrives at one of the FortiGate unit's interfaces, the unit determines
whether the packet was received on a legitimate interface by doing a reverse lookup using
the source IP address in the packet header. If the FortiGate unit cannot communicate with
the computer at the source IP address through the interface on which the packet was
received, the FortiGate unit drops the packet as it is likely a hacking attempt.
If the destination address can be matched to a local address (and the local configuration
permits delivery), the FortiGate unit delivers the packet to the local network. If the packet
is destined for another network, the FortiGate unit forwards the packet to a next-hop router
according to a policy route and the information stored in the FortiGate forwarding table.
For more information, see Policy Route on page 328.
Multipath routing and determining the best route
Multipath routing occurs when more than one entry to the same destination is present in
the routing table. When multipath routing happens, the FortiGate unit may have several
possible destinations for an incoming packet, forcing the FortiGate unit to decide which
next-hop is the best one.
Two methods to manually resolve multiple routes to the same destination are to lower the
administrative distance of one route or to set the priority of both routes. For the FortiGate
unit to select a primary (preferred) route, manually lower the administrative distance
associated with the preferred routes.
Administrative Distance
Administrative distance is based on the expected reliability of a given route. It is
determined through a combination of the number of hops from the source and the routing
protocol being used. More hops from the source means more possible points of failure.
The administrative distance can be from 1 to 255, with lower numbers being preferred. A
distance of 255 is seen as infinite and will not be installed in the routing table.
Here is an example to illustrate how administrative distance works: if there are two
possible routes traffic can take between two destinations, with administrative distances of
5 (always up) and 31 (sometimes not available), the traffic will use the route with an
administrative distance of 5 whenever possible. Different routing protocols have different
default administrative distances. The default administrative distances for any of these
routing protocols are configurable. For more information on changing the administrative
distance associated with a routing protocol, see the config routing in the FortiGate CLI
Reference.
Another method to manually resolve multiple routes to the same destination is to manually
change the priority of both of the routes. If the next-hop administrative distances of two
routes on the FortiGate unit are equal, it may not be clear which route the packet will take.
Configuring the priority for each of those routes will make it clear which next-hop will be
used in the case of a tie. You can set the priority for a route only from the CLI. Lower
priorities are preferred. For more information, see the FortiGate CLI Reference.
All entries in the routing table are associated with an administrative distance. If the routing
table contains several entries that point to the same destination (the entries may have
different gateways or interface associations), the FortiGate unit compares the
administrative distances of those entries, selects the entries having the lowest distances,
and installs them as routes in the FortiGate forwarding table. As a result, the FortiGate
forwarding table contains only those routes having the lowest distances to each
destination. For information about how to change the administrative distance associated
with a static route, see Adding a static route to the routing table on page 320.
Route priority
After the FortiGate unit selects static routes for the forwarding table based on their
administrative distances, the priority field of those routes determines routing preference.
You configure the priority field through the CLI. The route with the lowest value in the
priority field is considered the best route, and the primary route. The command to set the
priority field is set priority <integer> under the config router static
command. For more information, see the FortiGate CLI Reference.
In summary, because you can use the CLI to specify which priority field settings to use
when defining static routes, you can prioritize routes to the same destination according to
their priority field settings. For a static route to be the preferred route, you must create the
route using the config router static CLI command and specify a low priority for the
route. If two routes have the same administrative distance and the same priority, then they
are equal cost multipath (ECMP) routes. Since this means there is more than one route to
the same destination, it can be confusing which route or routes to install and use.
However, you can configure ECMP Route Failover and Load Balancing to control how
sessions are load balanced among ECMP routes. See ECMP route failover and load
balancing on page 322.
Blackhole Route
A blackhole route is a route that drops all traffic sent to it. It is very much like a /dev/null
interface in Linux programming.
Blackhole routes are used to dispose of packets instead of responding to suspicious
inquiries. This provides added security since the originator will not discover any
information from the target network.
Table 47: Default administrative distances for routing protocols
Routing protocol              Default administrative distance
Direct physical connection    1
Static                        10
EBGP                          20
OSPF                          110
RIP                           120
IBGP                          200
Blackhole routes can also limit traffic on a subnet. If some subnet addresses are not in
use, traffic to those addresses (traffic which may be valid or malicious) can be directed to
a blackhole for added security and to reduce traffic on the subnet.
The loopback interface, a virtual interface that does not forward traffic, makes blackhole
routing easier to configure. Compared to a normal interface, a loopback interface has
fewer parameters to configure, and all traffic sent to it stops there. Since it cannot
have hardware connection or link status problems, it is always available, which also
makes it useful for other dynamic routing roles. Once configured, you can use a loopback
interface in firewall policies, routing, and other places that refer to interfaces.
Loopback interfaces can be configured from both the web-based manager and the CLI. For
more information, see Adding loopback interfaces on page 158 or the system chapter of the
FortiGate CLI Reference.
Static Route
You configure static routes by defining the destination IP address and netmask of packets
that you intend the FortiGate unit to intercept, and by specifying a (gateway) IP address
for those packets. The gateway address specifies the next-hop router to which traffic will
be routed.
Working with static routes
The Static Route list displays information that the FortiGate unit compares to packet
headers in order to route packets. Initially, the list contains the factory configured static
default route. For more information, see Default route and default gateway on page 318.
You can add new entries manually.
When you add a static route to the Static Route list, the FortiGate unit performs a check to
determine whether a matching route and destination already exist in the FortiGate routing
table. If no match is found, the FortiGate unit adds the route to the routing table.
When IPv6 is enabled in the web-based manager, IPv6 routes are visible on the Static
Route list and you can select IPv6 when creating a new static route. Otherwise, IPv6
routes are not displayed. For more information on IPv6, see Settings on page 261 or
FortiGate IPv6 support on page 264.
To view the static route list, go to Router > Static > Static Route.
Figure 167 shows the static route list belonging to a FortiGate unit that has interfaces
named port1 and port2. The names of the interfaces on your FortiGate unit may be
different.
Note: Unless otherwise specified, static route examples and procedures are for IPv4 static
routes.
Note: You can use the config router static6 CLI command to add, edit, or delete
static routes for IPv6 traffic. For more information, see the router chapter of the FortiGate
CLI Reference.
Figure 167: Static Route list when IPv6 is enabled in the GUI
Create New
    Add a static route to the Static Route list. For more information, see Adding a
    static route to the routing table on page 320.
    Select the down arrow for the option to create an IPv6 static route.
ECMP Route Failover & Load Balance Method
    Select the load balancing and failover method for ECMP routes. See ECMP route
    failover and load balancing on page 322.
    Source based: The FortiGate unit load balances sessions among ECMP routes based on
    the source IP address of the sessions to be load balanced. This is the default load
    balancing method. No configuration changes are required to support source IP load
    balancing.
    Weighted: The FortiGate unit load balances sessions among ECMP routes based on
    weights added to ECMP routes. More traffic is directed to routes with higher weights.
    After selecting weight-based you must add weights to static routes. For more
    information, see Configuring weighted static route load balancing on page 326.
    Spill-over: The FortiGate unit distributes sessions among ECMP routes based on how
    busy the FortiGate interfaces associated with the routes are. After selecting
    spill-over you add route Spillover Thresholds to interfaces added to ECMP routes.
    For more information, see Configuring interface status detection for gateway load
    balancing on page 165. The FortiGate unit sends all ECMP-routed sessions to the
    lowest numbered interface until the bandwidth being processed by this interface
    reaches its spillover threshold. The FortiGate unit then spills additional sessions
    over to the next lowest numbered interface. For more information, including the
    order in which interfaces are selected, see Configuring spill-over or usage-based
    ECMP on page 323.
Apply
    Select to save the ECMP Route Failover and load balance method.
Route
    Select the Expand Arrow to display or hide the IPv4 static routes. By default these
    routes are displayed. This is displayed only when IPv6 is enabled in the web-based
    manager.
IPv6 Route
    Select the Expand Arrow to display or hide the IPv6 static routes. By default these
    routes are hidden. This is displayed only when IPv6 is enabled in the web-based
    manager.
IP/Mask
    The destination IP addresses and network masks of packets that the FortiGate unit
    intercepts.
Gateway
    The IP addresses of the next-hop routers to which intercepted packets are forwarded.
Device
    The names of the FortiGate interfaces through which intercepted packets are received
    and sent.
Distance
    The administrative distances associated with each route. The values represent
    distances to next-hop routers.
Default route and default gateway
In the factory default configuration, entry number 1 in the Static Route list is associated
with a destination address of 0.0.0.0/0.0.0.0, which means any/all destinations. This route
is called the static default route. If no other routes are present in the routing table and a
packet needs to be forwarded beyond the FortiGate unit, the factory configured static
default route causes the FortiGate unit to forward the packet to the default gateway.
To make sure packets are forwarded to the correct gateway, you must either edit the
factory configured static default route to specify a different default gateway for the
FortiGate unit, or delete the factory configured route and specify your own static default
route that points to the default gateway for the FortiGate unit.
For example, Figure 168 shows a FortiGate unit connected to a router. To ensure that all
outbound packets destined to any network beyond the router are routed to the correct
destination, you must edit the factory default configuration and make the router the default
gateway for the FortiGate unit.
Figure 168: Making a router the default gateway
Weight
    If ECMP Route Failover & Load Balance Method is set to weighted, add weights for
    each route. Add higher weights to routes that you want to assign more sessions to
    when load balancing. For more information, see Configuring weighted static route
    load balancing on page 326.
Delete and Edit icons
    Delete or edit an entry.
Note: For network traffic to pass, even with the correct routes configured, you must have
the appropriate firewall policies. For details, see Configuring firewall policies on page 367.
[Figure 168 diagram: Internal network 192.168.20.0/24 on the FortiGate_1 internal
interface; the FortiGate_1 external interface connects to the gateway router
192.168.10.1, which leads to the Internet.]
To route outbound packets from the internal network to destinations that are not on
network 192.168.20.0/24, you would edit the default route and include the following
settings:
Destination IP/mask: 0.0.0.0/0.0.0.0
Gateway: 192.168.10.1
Device: Name of the interface connected to network 192.168.10.0/24 (in this example
external).
Distance: 10
The Gateway setting specifies the IP address of the next-hop router interface that faces
the FortiGate external interface. The router interface connected to the FortiGate unit
(192.168.10.1) is the default gateway for FortiGate_1.
In some cases, there may be routers behind the FortiGate unit. If the destination IP
address of a packet is not on the local network but is on a network behind one of those
routers, the FortiGate routing table must include a static route to that network. For
example, in Figure 169, the FortiGate unit must be configured with static routes to
interfaces 192.168.10.1 and 192.168.11.1 in order to forward packets to Network_1 and
Network_2 respectively. Also, firewall policies must be configured to allow traffic to pass
through the FortiGate unit along these routes. For details, see Configuring firewall policies
on page 367.
Figure 169: Destinations on networks behind internal routers
To route packets from Network_1 to Network_2, Router_1 must be configured to use the
FortiGate internal interface as its default gateway. On the FortiGate unit, you would create
a new static route with these settings:
Destination IP/mask 192.168.30.0/24
Gateway 192.168.11.1
Device dmz
Distance 10
[Figure 169 diagram: Network_1 192.168.20.0/24 sits behind gateway Router_1
192.168.10.1, which connects to the FortiGate_1 internal interface; Network_2
192.168.30.0/24 sits behind gateway Router_2 192.168.11.1, which connects to the
FortiGate_1 dmz interface; FortiGate_1 also connects to the Internet.]
To route packets from Network_2 to Network_1, Router_2 must be configured to use the
FortiGate dmz interface as its default gateway. On the FortiGate unit, you would create a
new static route with these settings:
Changing the gateway for the default route
The default gateway determines where packets matching the default route will be
forwarded.
To change the gateway for the default route
1 Go to Router > Static > Static Route.
2 Select the Edit icon in row 1.
3 If the FortiGate unit reaches the next-hop router through an interface other than the
interface that is currently selected in the Device field, select the name of the interface
from the Device field.
4 In the Gateway field, type the IP address of the next-hop router to which outbound
traffic may be directed.
5 In the Distance field, optionally adjust the administrative distance value.
The default route distance should be set high enough to allow other routes to be
configured at lower distances so they will be preferred over the default route.
6 Select OK.
Adding a static route to the routing table
A route provides the FortiGate unit with the information it needs to forward a packet to a
particular destination. A static route causes packets to be forwarded to a destination other
than the default gateway.
You define static routes manually. Static routes control traffic exiting the FortiGate unit:
you can specify through which interface the packet will leave and to which device the
packet should be routed.
To add a static route entry
1 Go to Router > Static > Static Route.
2 Select Create New.
3 Enter the IP address and netmask.
For example, 172.1.2.0/255.255.255.0 would be a route for all addresses on the
subnet 172.1.2.x.
4 Enter the FortiGate unit interface closest to this subnet, or connected to it.
Settings for the static route from Network_2 to Network_1 (the settings table belonging to
the Network_2 to Network_1 example above):
Destination IP/mask 192.168.20.0/24
Gateway 192.168.10.1
Device internal
Distance 10
Note: If you are using DHCP or PPPoE over a modem interface on your FortiGate unit, you
may have problems configuring a static route on this interface. After trying to either renew
your DHCP lease or reconnect the PPPoE connection, go to the CLI and enable
dynamic-gateway under config system interface for the modem interface. Doing
this will remove the need to specify a gateway for this interface's route. For more
information, see the FortiGate CLI Reference.
5 Enter the gateway IP address. Continuing with the example, 172.1.2.11 would be a
valid address.
6 Enter the administrative distance of this route.
The administrative distance allows you to weight one route to be preferred over
another. This is useful when one route is unreliable. For example, if route A has an
administrative distance of 10 and route B has an administrative distance of 30, the
preferred route is route A, with the smaller administrative distance of 10. If you discover
that route A is unreliable, you can change the administrative distance for route A from
10 to 40, which will make route B the preferred route.
7 Select OK to confirm and save your new static route.
When you add a static route through the web-based manager, the FortiGate unit adds the
entry to the Static Route list.
Figure 170 shows the Edit Static Route dialog box belonging to a FortiGate unit that has
an interface named internal. The names of the interfaces on your FortiGate unit may be
different.
Figure 170: Edit Static Route
Destination IP/Mask
    Type the destination IP address and network mask of packets that the FortiGate
    unit has to intercept. The value 0.0.0.0/0.0.0.0 is reserved for the default route.
Gateway
    Type the IP address of the next-hop router to which the FortiGate unit will forward
    intercepted packets.
Device
    Select the name of the FortiGate interface through which the intercepted packets
    may be routed to the next-hop router.
Distance
    Type an administrative distance from 1 to 255 for the route. The distance value is
    arbitrary and should reflect the distance to the next-hop router. A lower value
    indicates a more preferred route.
Weight
    Add weights for each route. Add higher weights to routes that you want to load
    balance more sessions to. See Configuring weighted static route load balancing
    on page 326. Available if ECMP Route Failover & Load Balance Method is set to
    weighted.
ECMP route failover and load balancing
FortiOS uses equal-cost multi-path (ECMP) to distribute traffic to the same destination
such as the Internet or another network. Using ECMP you can add multiple routes to the
same destination and give each of those routes the same distance and priority.
Using ECMP, if more than one ECMP route is available you can configure how the
FortiGate unit selects the route to be used for a communication session. If only one ECMP
route is available (for example, because an interface cannot process traffic because
interface status detection does not receive a reply from the configured server) then all
traffic uses this route.
Previous versions of FortiOS provided source IP-based load balancing for ECMP routes.
FortiOS 4.0 MR1 includes three configuration options for ECMP route failover and load
balancing:
You can configure only one of these ECMP route failover and load balancing methods in a
single VDOM. If your FortiGate unit is configured for multiple VDOM operation, each
VDOM can have its own ECMP route failover and load balancing configuration.
To configure the ECMP route failover and load balancing method from the
web-based manager
1 Go to Router > Static > Static Route.
2 Set ECMP Route failover & Load Balance Method to source based, weighted, or
spill-over.
3 Select Apply.
Note: If multiple routes to the same destination have the same priority but different
distances, the route with the lowest distance is used. If multiple routes to the same
destination have the same distance but different priorities, the route with the lowest priority
is used. Distance takes precedence over priority: if multiple routes to the same destination
have different distances and different priorities, the route with the lowest distance is
always used, even if it has the highest priority value.
Source based (also called source IP based)
    The FortiGate unit load balances sessions among ECMP routes based on the source IP
    address of the sessions to be load balanced. This is the default load balancing
    method. No configuration changes are required to support source IP load balancing.
Weighted (also called weight-based)
    The FortiGate unit load balances sessions among ECMP routes based on weights added
    to ECMP routes. More traffic is directed to routes with higher weights. After
    selecting weight-based you must add weights to static routes. See Configuring
    weighted static route load balancing on page 326.
Spill-over (also called usage-based)
    The FortiGate unit distributes sessions among ECMP routes based on how busy the
    FortiGate interfaces added to the routes are. After selecting spill-over you add
    route Spillover Thresholds to interfaces added to ECMP routes. The FortiGate unit
    sends all ECMP-routed sessions to the lowest numbered interface until the bandwidth
    being processed by this interface reaches its spillover threshold. The FortiGate
    unit then spills additional sessions over to the next lowest numbered interface.
    The Spillover Thresholds range is 0-2097000 KBps.
    For more information, including the order in which interfaces are selected, see
    Configuring spill-over or usage-based ECMP on page 323.
Figure 171: Configuring ECMP route failover and load balancing method
To configure the ECMP route failover and load balancing method from the CLI
1 Enter the following command:
config system settings
    set v4-ecmp-mode {source-ip-based | usage-based | weight-based}
end
ECMP routing of simultaneous sessions to the same destination IP address
When the FortiGate unit selects an ECMP route for a session, a route cache is created
that matches the route with the destination IP address of the session. All new sessions to
the same destination IP address use the same route until the route is flushed from the
cache. Routes are flushed from the cache after a period of time when no new sessions to
the destination IP address are received.
The route cache improves FortiGate routing performance by reducing how often the
FortiGate unit looks up routes in the routing table.
If the FortiGate unit receives a large number of sessions with the same destination IP
address, because all of these sessions will be processed by the same route, it may appear
that sessions are not distributed according to the ECMP route failover and load balancing
configuration.
Configuring spill-over or usage-based ECMP
The spill-over or usage-based ECMP method routes new sessions to interfaces that have
not reached a configured bandwidth limit (called the Spillover Threshold or a route-
spillover threshold). To configure spill-over or usage-based ECMP routing, you enable
spill-over ECMP method, add ECMP routes, and add a Spillover Threshold to the
interfaces used by the ECMP routes. Set the Spillover Thresholds to limit the amount of
bandwidth processed by each interface.
With spill-over ECMP routing configured, the FortiGate unit routes new sessions to an
interface used by an ECMP route until that interface reaches its Spillover Threshold. Then,
when the threshold of that interface is reached, new sessions are routed to one of the
other interfaces used by the ECMP routes.
To add Spillover Thresholds to interfaces from the web-based manager
Use the following steps to enable usage-based ECMP routing, add Spillover Thresholds to
FortiGate interfaces port3 and port4, and then configure ECMP routes with device set to
port3 and port4.
1 Go to Router > Static > Static Route.
2 Set ECMP Route failover & Load Balance Method to usage-based.
3 Go to Router > Static > Static Route.
4 Add ECMP routes for port3 and port4:
Destination IP/Mask 192.168.20.0/24
Device port3
Gateway 172.20.130.3
Distance 9

Destination IP/Mask 192.168.20.0/24
Device port4
Gateway 172.20.140.4
Distance 9
5 Go to System > Network > Interface.
6 Edit port3 and port4 and add the following spillover-thresholds:
Interface port3
Spillover Threshold (KBps) 100

Interface port4
Spillover Threshold (KBps) 200
7 Go to Router > Monitor to view the routing table.
The routes could be displayed in the order shown in Table 48.
Table 48: Example ECMP routes as listed on the routing monitor
Type     Network           Distance   Metric   Gateway        Interface
Static   192.168.20.0/24   9          0        172.20.130.3   port3
Static   192.168.20.0/24   9          0        172.20.140.4   port4
In this example, the FortiGate unit sends all sessions to the 192.168.20.0 network through
port3. When port3 exceeds its spillover threshold of 100 KBps the FortiGate unit sends all
new sessions to the 192.168.20.0 network through port4.
To add route-spillover thresholds to interfaces from the CLI
1 Enter the following command to set the ECMP route failover and load balance method
to usage-based.
config system settings
    set v4-ecmp-mode usage-based
end
2 Enter the following commands to add three route-spillover thresholds to three
interfaces.
config system interface
    edit port1
        set spillover-threshold 400
    next
    edit port2
        set spillover-threshold 200
    next
    edit port3
        set spillover-threshold 100
    end
3 Enter the following commands to add three ECMP default routes, one for each
interface.
config router static
    edit 1
        set dst 0.0.0.0/0.0.0.0
        set gwy 172.20.110.1
        set dev port1
    next
    edit 2
        set dst 0.0.0.0/0.0.0.0
        set gwy 172.20.120.2
        set dev port2
    next
    edit 3
        set dst 0.0.0.0/0.0.0.0
        set gwy 172.20.130.3
        set dev port3
    end
4 Enter the following command to display static routes in the routing table:
get router info routing-table static
S 0.0.0.0/0 [10/0] via 172.20.110.1, port1
            [10/0] via 172.20.120.2, port2
            [10/0] via 172.20.130.3, port3
In this example, the FortiGate unit sends all sessions to the Internet through port1. When
port1 exceeds its spillover threshold of 400 KBps the FortiGate unit sends all new
sessions to the Internet through port2. If both port1 and port2 exceed their spillover
thresholds the FortiGate unit would send all new sessions to the Internet through port3.
Detailed description of how spill-over ECMP selects routes
When you add ECMP routes they are added to the routing table in the order displayed by
the routing monitor or by the get router info routing-table static command.
This order is independent of the configured bandwidth limit.
The FortiGate unit selects an ECMP route for a new session by scanning the routing table
starting from the first route and sending the session out the first FortiGate interface that
is not processing more traffic than its configured route spill-over limit.
For example, consider a FortiGate unit with interfaces port3 and port4 both connected to
the Internet through different ISPs. ECMP routing is set to usage-based, and the route
spillover thresholds are set to 100 KBps for port3 and 200 KBps for port4. Two ECMP
default routes are added, one for port3 and one for port4.
If the route to port3 is higher in the routing table than the route to port4, the FortiGate unit
sends all default route sessions out port3 until port3 is processing 100 KBps of data.
When port3 reaches its configured bandwidth limit, the FortiGate unit sends all default
route sessions out port4. When the bandwidth usage of port3 falls below 100 KBps, the
FortiGate again sends all default route sessions out port3.
Note: A new session to a destination IP address that already has an entry in the routing
cache is routed using the route already added to the cache for that destination address. For
more information, see ECMP routing of simultaneous sessions to the same destination IP
address on page 323.
New sessions to destination IP addresses that are already in the routing cache, however,
use the cached routes. This means that even if port3 is exceeding its bandwidth limit, new
sessions can continue to be sent out port3 if their destination addresses are already in the
routing cache. As a result, new sessions are sent out port4 only if port3 exceeds its
bandwidth limit and the routing cache does not contain a route for the destination IP
address of the new session. The limit on port4 is important only if there are additional
interfaces for spillover.
Also, the switchover to port4 does not occur as soon as port3 exceeds its bandwidth limit.
Bandwidth usage has to exceed the limit for a period of time before the switchover takes
place. If port3 bandwidth usage drops below the bandwidth limit during this time period,
sessions are not switched over to port4. This delay reduces route flapping. Route flapping
occurs when routes change their status frequently, forcing routers to continually change
their routing tables and broadcast the new information.
FortiGate usage-based ECMP routing is not actually load balancing, since routes are not
distributed evenly among FortiGate interfaces. Depending on traffic volumes, most traffic
would usually be processed by the first interface with only spillover traffic being processed
by other interfaces.
If you are configuring usage-based ECMP, in most cases you should add spillover
thresholds to all of the interfaces with ECMP routes. The default spillover threshold is 0,
which means no bandwidth limiting. If any interface has a spillover threshold of 0, no
sessions will be routed to interfaces lower in the list unless that interface goes down or is
disconnected. An interface can go down if Detect interface status for Gateway Load
Balancing does not receive a response from the configured server.
Determining if an interface has exceeded its Spillover Threshold
You can use the diagnose netlink dstmac list CLI command to determine if an
interface is exceeding its Spillover Threshold. If the command displays over_bps=1 the
interface is exceeding its threshold. If over_bps=0 the interface has not exceeded its
threshold.
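The spill-over selection just described, as an added simulation (this is not Fortinet code): routes are scanned in routing-table order, a new session takes the first interface that is not over its threshold, a threshold of 0 means no limit, and a destination already in the route cache keeps its route whatever the load. The interface names, gateways and usage figures are constructed; the anti-flapping delay is not modelled, and the behaviour when every interface is over its limit (the last route keeps taking sessions) is an assumption.

```python
"""Spill-over (usage-based) ECMP selection with the per-destination route cache.
Added example, not Fortinet code; thresholds and usage are in KBps."""
from dataclasses import dataclass


@dataclass(frozen=True)
class EcmpRoute:
    device: str       # FortiGate interface, e.g. "port3"
    gateway: str      # next-hop router


class SpilloverEcmp:
    def __init__(self, routes, thresholds_kbps):
        self.routes = list(routes)                  # order shown by the routing monitor
        self.thresholds = dict(thresholds_kbps)     # interface -> KBps, 0 = unlimited
        self.usage = {r.device: 0 for r in self.routes}   # measured KBps (constructed)
        self.cache = {}                             # destination IP -> route

    def set_usage(self, device, kbps):
        """Record the bandwidth an interface is currently processing."""
        self.usage[device] = kbps

    def over_threshold(self, device):
        """Mirror of the over_bps flag: True only when a non-zero threshold is exceeded."""
        limit = self.thresholds.get(device, 0)
        return limit != 0 and self.usage.get(device, 0) > limit

    def select(self, dst_ip):
        """Choose the route for a new session to dst_ip."""
        cached = self.cache.get(dst_ip)
        if cached is not None:
            return cached               # cached destination: load is not consulted
        for route in self.routes:
            if not self.over_threshold(route.device):
                self.cache[dst_ip] = route
                return route
        # Assumption (not stated on the page): when every interface is over its
        # limit, the last route in the list, the final spill-over target, is used.
        self.cache[dst_ip] = self.routes[-1]
        return self.routes[-1]

    def flush(self, dst_ip=None):
        """Expire one destination (or all) from the route cache, as happens after idle time."""
        if dst_ip is None:
            self.cache.clear()
        else:
            self.cache.pop(dst_ip, None)


if __name__ == "__main__":
    # The chapter's CLI example: default routes on port1-port3 with thresholds of
    # 400, 200 and 100 KBps; the usage figures below are constructed.
    lb = SpilloverEcmp(
        [EcmpRoute("port1", "172.20.110.1"), EcmpRoute("port2", "172.20.120.2"),
         EcmpRoute("port3", "172.20.130.3")],
        {"port1": 400, "port2": 200, "port3": 100})
    print(lb.select("198.51.100.1").device)   # port1
    lb.set_usage("port1", 450)
    print(lb.select("198.51.100.1").device)   # still port1, served from the cache
    print(lb.select("198.51.100.2").device)   # port2, port1 is over its threshold
```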
Configuring weighted static route load balancing
Configure weighted load balancing to control how the FortiGate unit distributes sessions
among ECMP routes by adding weights for each route. Add higher weights to routes that
you want to load balance more sessions to. If no weight has been assigned to a route, its
weight is set to zero by default.
With the ECMP load balancing method set to weighted, the FortiGate unit distributes
sessions with different destination IPs by generating a random value to determine the
route to select. The probability of selecting one route over another is based on the weight
value of each route. Routes with higher weights are more likely to be selected.
Large numbers of sessions are evenly distributed among ECMP routes according to the
route weight values. If all weights are the same, sessions are distributed evenly. The
distribution of a small number of sessions, however, may not be even. For example, it is
possible that if there are two ECMP routes with the same weight, two sessions to different
IP addresses could use the same route. On the other hand, 10,000 sessions with different
destination IPs should be load balanced evenly between two routes with equal weights. The
distribution could be 5000:5000 or 5001:4999. Also, 10,000 sessions with different
destination IP addresses should be load balanced in the following way if the weights for
the two routes are 100 and 200: 3333:6667.
Weights only affect how routes are selected for sessions to new destination IP addresses.
New sessions to IP addresses already in the routing cache are routed using the route for
the session already in the cache. So in practice sessions will not always be distributed
according to the routing weight distribution.
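The route selection rules of this chapter, as an added simulation (this is not Fortinet code): it serves both the note on distance taking precedence over priority and the weighted load balancing just described. Candidate routes to one destination are narrowed by lowest administrative distance, then by lowest priority, and the survivors form the ECMP set; with weight-based ECMP a route is picked at random in proportion to its weight and cached per destination IP. Route names, gateways and destination IPs are constructed; the random seed exists only so runs repeat.

```python
"""Static-route selection (distance, then priority, then weighted ECMP) with the
per-destination route cache. Added example, not Fortinet code."""
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    dst: str              # destination prefix, e.g. "192.168.20.0/24"
    gateway: str          # next-hop router
    device: str           # FortiGate interface the route uses
    distance: int = 10    # administrative distance, 1-255 (255 is never installed)
    priority: int = 0     # lower is preferred once distance ties (CLI-only setting)
    weight: int = 0       # used only by weight-based ECMP (0 is the default)


def ecmp_set(routes):
    """Return the routes that would be installed for one destination.

    Distance takes precedence over priority: the lowest distance wins even if that
    route carries the highest priority value. Among routes with the best distance,
    the lowest priority wins. Equal distance and equal priority means several
    routes survive, and those are the ECMP routes."""
    usable = [r for r in routes if 1 <= r.distance < 255]
    if not usable:
        return []
    best_distance = min(r.distance for r in usable)
    tied = [r for r in usable if r.distance == best_distance]
    best_priority = min(r.priority for r in tied)
    return [r for r in tied if r.priority == best_priority]


class WeightedEcmp:
    """Weight-based ECMP selection with the per-destination route cache."""

    def __init__(self, routes, seed=None):
        self.routes = ecmp_set(routes)
        self.rng = random.Random(seed)   # seeded only so runs are reproducible
        self.cache = {}                  # destination IP -> chosen route

    def select(self, dst_ip):
        """Pick the route for a new session to dst_ip."""
        cached = self.cache.get(dst_ip)
        if cached is not None:
            return cached                # cached destinations keep their route
        weights = [r.weight for r in self.routes]
        if sum(weights) == 0:
            weights = [1] * len(self.routes)   # all weights 0: treat as equal
        chosen = self.rng.choices(self.routes, weights=weights, k=1)[0]
        self.cache[dst_ip] = chosen
        return chosen

    def flush(self, dst_ip=None):
        """Drop one destination (or the whole cache), as the unit does after idle time."""
        if dst_ip is None:
            self.cache.clear()
        else:
            self.cache.pop(dst_ip, None)


def distribution(routes, n_sessions, seed=0):
    """Count how n_sessions to n_sessions distinct destination IPs split by device."""
    lb = WeightedEcmp(routes, seed)
    counts = Counter()
    for i in range(n_sessions):
        # constructed destination IPs, all distinct, so the cache never matches
        dst_ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        counts[lb.select(dst_ip).device] += 1
    return counts


if __name__ == "__main__":
    # The chapter's weighted example: weights 100 and 200, expected near 3333:6667.
    routes = [
        StaticRoute("192.168.20.0/24", "172.20.110.1", "port1", weight=100),
        StaticRoute("192.168.20.0/24", "172.20.120.2", "port2", weight=200),
    ]
    print(dict(distribution(routes, 10000)))
```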
To add weights to static routes from the web-based manager
1 Go to Router > Static > Static Route.
2 Set ECMP Route failover & Load Balance Method to weighted.
3 Go to Router > Static > Static Route.
4 Add new or edit static routes and add weights to them.
The following example shows two ECMP routes with weights added.
Figure 172: Adding a weighted static route
Destination IP/Mask 192.168.20.0/24
Device port1
Gateway 172.20.110.1
Distance 10
Weight 100

Destination IP/Mask 192.168.20.0/24
Device port2
Gateway 172.20.120.2
Distance 10
Weight 200
In this example:
one third of the sessions to the 192.168.20.0 network will use the first route and be
sent out port1 to the gateway with IP address 172.20.110.1.
the other two thirds of the sessions to the 192.168.20.0 network will use the second
route and be sent out port2 to the gateway with IP address 172.20.120.2.
To add weights to static routes from the CLI
1 Enter the following command to set the ECMP route failover and load balance method
to weighted.
config system settings
    set v4-ecmp-mode weight-based
end
2 Enter the following commands to add three ECMP static routes and add weights to
each route.
config router static
    edit 1
        set dst 192.168.20.0/24
        set gwy 172.20.110.1
        set dev port1
        set weight 100
    next
    edit 2
        set dst 192.168.20.0/24
        set gwy 172.20.120.2
        set dev port2
        set weight 200
    next
    edit 3
        set dst 192.168.20.0/24
        set gwy 172.20.130.3
        set dev port3
        set weight 300
    end
In this example:
one sixth of the sessions to the 192.168.20.0 network will use the first route and be
sent out port1 to the gateway with IP address 172.20.110.1.
one third of the sessions to the 192.168.20.0 network will use the second route and be
sent out port2 to the gateway with IP address 172.20.120.2.
one half of the sessions to the 192.168.20.0 network will use the third route and be
sent out port3 to the gateway with IP address 172.20.130.3.
Note: In this example the priority remains set to 0 and the distance remains set to 10
for all three routes. Any other routes with a distance of 10 whose weight is not set will
have a weight of 0 and will not be part of the load balancing.
Policy Route
A policy route allows you to redirect traffic away from the route the routing table would
otherwise choose. This is useful if you want to route certain types of network traffic
differently. You can use the incoming traffic's protocol, source address or interface,
destination address, or destination port number to determine where to send the traffic.
For example, network traffic would generally go to the router of a subnet, but you might
want to direct SMTP or POP3 traffic addressed to that subnet directly to the mail server.
If you have configured the FortiGate unit with policy routes and a packet arrives at the
FortiGate unit, the FortiGate unit starts at the top of the Policy Route list and attempts to
match the packet with a policy. If a match is found and the policy contains enough
information to route the packet (at a minimum, the IP address of the next-hop router and
the FortiGate interface for forwarding packets to it), the FortiGate unit routes the packet
using the information in the policy. If no policy route matches the packet, the FortiGate unit
routes the packet using the routing table.
Policy route options define which attributes of an incoming packet cause policy routing to
occur. If the attributes of a packet match all the specified conditions, the FortiGate unit
routes the packet through the specified interface to the specified gateway.
Figure 173 shows the policy route list belonging to a FortiGate unit that has interfaces
named external and internal. The names of the interfaces on your FortiGate unit may
be different.
To edit an existing policy route, see Adding a policy route on page 329.
Figure 173: Policy Route list
Create New Add a policy route. See Adding a policy route on page 329.
# The ID numbers of configured route policies. These numbers are sequential
unless policies have been moved within the table.
Incoming The interfaces on which packets subjected to route policies are received.
Outgoing The interfaces through which policy routed packets are routed.
Source The IP source addresses and network masks that cause policy routing to occur.
Destination The IP destination addresses and network masks that cause policy routing to
occur.
Delete icon Delete a policy route.
Edit icon Edit a policy route.
Move To icon After selecting this icon, enter the destination position in the window that
appears, and select OK. For more information, see Moving a policy route on page 332.
Adding a policy route
To add a policy route, go to Router > Static > Policy Route and select Create New.
For more information on Type of Service, see Type of Service on page 331.
Figure 174 shows the New Routing Policy dialog box belonging to a FortiGate unit that
has interfaces named external and internal. The names of the interfaces on your
FortiGate unit may be different.
Note: Most policy settings are optional, so a matching policy alone might not provide
enough information for forwarding the packet. The FortiGate unit may refer to the routing
table in an attempt to match the information in the packet header with a route in the routing
table. For example, if the outgoing interface is the only item in the policy, the FortiGate unit
looks up the IP address of the next-hop router in the routing table. This situation could
happen when the interfaces are dynamic (such as DHCP or PPPoE) and you do not want
or are unable to specify the IP address of the next-hop router.
Figure 174: Example policy route to route all HTTP traffic received at port5 to port4
Protocol To perform policy routing based on the value in the protocol field of the
packet, enter the protocol number to match. The protocol number is found in the IP
packet header. RFC 5237 describes how protocol numbers are assigned, and the IANA
Protocol Numbers registry lists the assigned values. The range is from 0 to 255. A value
of 0 disables the feature.
Tip: Commonly used Protocol settings include 6 to route TCP sessions, 17 for UDP
sessions, 1 for ICMP sessions, 47 for GRE sessions, and 92 for Multicast Transport
Protocol (MTP) sessions.
For protocols other than 6 and 17, the port number is ignored.
Incoming Interface Select the name of the interface through which incoming packets subjected to
the policy are received.
Source Address / Mask To perform policy routing based on the IP source address of the packet, type
the source address and network mask to match. A value of 0.0.0.0/0.0.0.0 disables the
feature.
Destination Address / Mask To perform policy routing based on the IP destination address of the
packet, type the destination address and network mask to match. A value of
0.0.0.0/0.0.0.0 disables the feature.
Destination Ports To perform policy routing based on the destination port number in the TCP or
UDP header of the packet, type the same port number in the From and To fields. To apply
policy routing to a range of ports, type the starting port number in the From field and the
ending port number in the To field. A value of 0 disables this feature.
The Destination Ports fields are only used for the TCP and UDP protocols. The ports are
skipped over for all other protocols.
Type of Service Use a two-digit hexadecimal bit pattern to match the service, and a two-digit
hexadecimal bit mask to select which bits of the pattern are compared. For more
information, see Type of Service on page 331.
Outgoing Interface Select the name of the interface through which packets affected by the policy
will be routed.
Gateway Address Type the IP address of the next-hop router that the FortiGate unit can access
through the specified interface. A value of 0.0.0.0 is not valid.
Example policy route
Configure the following policy route to send all FTP traffic received at port1 out the port10
interface to a next-hop router at IP address 172.20.120.23. To match FTP control traffic,
set Protocol to 6 (TCP) and set both Destination Ports fields to 21, the FTP control port
(FTP data connections use other ports and are not matched by this policy).
Protocol 6
Incoming interface port1
Source address / mask 0.0.0.0/0.0.0.0
Destination address / mask 0.0.0.0/0.0.0.0
Destination Ports From 21 to 21
Type of Service bit pattern: 00 (hex) bit mask: 00 (hex)
Outgoing interface port10
Gateway Address 172.20.120.23
Figure 175: Example policy route to route all FTP traffic received at port1 to port10
Type of Service
Type of service (ToS) is an 8-bit field in the IP header that indicates how the IP datagram
should be delivered, with such qualities as delay, priority, reliability, and minimum cost.
Each quality helps gateways determine the best way to route datagrams. A router
maintains a ToS value for each route in its routing table. The precedence subfield (bits 0,
1 and 2) ranges from 0, the lowest priority, to 7, the highest; bits 3, 4 and 5 request low
delay, high throughput and high reliability. The router tries to match the ToS of the
datagram to the ToS on one of the possible routes to the destination. If there is no match,
the datagram is sent over a zero-ToS route.
Using increased quality may increase the cost of delivery because better performance
may consume limited network resources. For more information, see RFC 791 and RFC
1349.
Table 49: The role of each bit in the IP header ToS 8-bit field
bits 0, 1, 2 Precedence Some networks treat high precedence traffic as more important
traffic. Precedence should only be used within a network, and can be used differently in
each network. Typically you do not care about these bits.
bit 3 Delay When set to 1, this bit indicates low delay is a priority. This is useful for such
services as VoIP where delays degrade the quality of the sound.
bit 4 Throughput When set to 1, this bit indicates high throughput is a priority. This is
useful for services that require lots of bandwidth such as video conferencing.
bit 5 Reliability When set to 1, this bit indicates high reliability is a priority. This is useful
when a service must always be available such as with DNS servers.
bit 6 Cost When set to 1, this bit indicates low cost is a priority. Generally there is a higher
delivery cost associated with enabling bits 3, 4, or 5, and bit 6 indicates to use the lowest
cost route.
bit 7 Reserved for future use Not used at this time.
For example, to request low delay and high reliability, say for a VoIP application where
delays are unacceptable, you would use a bit pattern of xxx1x1xx, where an x indicates
that the bit can have any value. Since only two of the bits are significant, this is a good use
for the bit mask: with the bit mask set to 14 (hex) and the bit pattern set to 14 (hex), the
policy matches any packet whose ToS has the low-delay and high-reliability bits set,
whatever the other bits contain.
Moving a policy route
A policy route is added to the bottom of the policy route table when it is created. Because
the table is searched from the top and the first match is used, you may want to move a
policy to a different position so that it is matched before another policy.
This matters when more than one policy can match the same packet, for example policies
for 172.20.0.0/255.255.0.0 and 172.20.120.0/255.255.255.0. If both are in the policy
table, both match a packet to 172.20.120.112, but the second, more specific one is the
better match. In that case the more specific policy should be positioned before the broader
one in the policy table.
Where the routing table (rather than the policy route table) holds two matching routes,
sessions alternate between the two routes in a load balancing configuration. You can also
manually assign priorities to routes; for two matches in the routing table, the priority
determines which route is used. This feature is available only through the CLI. For
details, see the FortiGate CLI Reference.
To change the position of a policy route in the table, go to Router > Static > Policy Route
and select Move To for the policy route you want to move.
Figure 176: Moving a policy route
Before/After Select Before to place the selected policy route before the indicated route.
Select After to place it following the indicated route.
Policy route ID Enter the policy route ID of the route in the policy route table to move the
selected route before or after.
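The following Python model is an added example, not FortiGate code, that ties together the policy route behaviour described in this section: top-down first-match evaluation, the fallback to the routing table when no policy matches or a matching policy lacks a gateway, the port fields being ignored for protocols other than TCP and UDP, the Type of Service pattern-and-mask comparison, and the effect of Move To on overlapping policies. Policy 1 is the guide's FTP example; the other policies, the routing table entries, the gateways and the sample packets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

TCP, UDP = 6, 17


@dataclass
class Packet:
    in_dev: str
    src: str
    dst: str
    proto: int
    dport: int = 0
    tos: int = 0  # the full 8-bit ToS byte from the IP header


@dataclass
class PolicyRoute:
    """One row of the policy route table. 0, '' and 0.0.0.0/0 mean 'any'."""
    pid: int
    in_dev: str = ""
    proto: int = 0
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    port_from: int = 0
    port_to: int = 0
    tos: int = 0x00
    tos_mask: int = 0x00
    out_dev: str = ""
    gateway: str = "0.0.0.0"

    def matches(self, pkt: Packet) -> bool:
        if self.in_dev and pkt.in_dev != self.in_dev:
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        # Destination ports are only consulted for TCP and UDP.
        if self.port_from and pkt.proto in (TCP, UDP):
            if not self.port_from <= pkt.dport <= self.port_to:
                return False
        # ToS: compare only the bits selected by the mask against the pattern.
        return (pkt.tos & self.tos_mask) == (self.tos & self.tos_mask)

    def next_hop(self) -> Optional[Tuple[str, str]]:
        # A policy can forward on its own only if it names both the outgoing
        # interface and a real gateway (0.0.0.0 is not valid).
        if self.out_dev and self.gateway != "0.0.0.0":
            return (self.out_dev, self.gateway)
        return None


def table_lookup(dst, routing_table):
    """Longest-prefix match over (prefix, out_dev, gateway) tuples."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, gw in routing_table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return None if best is None else (best[1], best[2])


def route_packet(pkt, policies, routing_table):
    """First policy (top-down) that matches and carries a next hop wins; a match
    without a next hop, or no match at all, defers to the routing table."""
    for pol in policies:
        if pol.matches(pkt):
            hop = pol.next_hop()
            if hop is not None:
                return ("policy", pol.pid, hop)
            return ("table", pol.pid, table_lookup(pkt.dst, routing_table))
    return ("table", None, table_lookup(pkt.dst, routing_table))


def move_policy(policies, pid, ref_pid, before=True):
    """The web-based manager's Move To: place policy pid before/after ref_pid."""
    moving = next(p for p in policies if p.pid == pid)
    rest = [p for p in policies if p.pid != pid]
    idx = next(i for i, p in enumerate(rest) if p.pid == ref_pid)
    rest.insert(idx if before else idx + 1, moving)
    return rest


# Constructed sample configuration (policy 1 is the guide's FTP example).
POLICIES = [
    PolicyRoute(1, in_dev="port1", proto=TCP, port_from=21, port_to=21,
                out_dev="port10", gateway="172.20.120.23"),
    PolicyRoute(2, tos=0x14, tos_mask=0x14,  # low delay + high reliability
                out_dev="port3", gateway="172.20.130.3"),
    PolicyRoute(3, dst="172.20.0.0/16", out_dev="port2", gateway="172.20.120.2"),
    PolicyRoute(4, dst="172.20.120.0/24", out_dev="port4", gateway="172.20.120.254"),
]
ROUTING_TABLE = [
    ("0.0.0.0/0", "port2", "172.20.120.2"),
    ("192.168.20.0/24", "port1", "172.20.110.1"),
]

if __name__ == "__main__":
    ftp = Packet("port1", "10.1.1.5", "203.0.113.9", TCP, dport=21)
    print(route_packet(ftp, POLICIES, ROUTING_TABLE))
```

Policy 4 is the better match for 172.20.120.112 but, having been added last, sits below the broader policy 3 and never wins until it is moved above it, which is exactly the situation Move To exists for.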
Router Dynamic
This section explains how to configure dynamic protocols to route traffic through large or
complex networks. Dynamic routing protocols enable the FortiGate unit to automatically
share information about routes with neighboring routers and learn about routes and
networks advertised by them. The FortiGate unit supports these dynamic routing
protocols:
Routing Information Protocol (RIP)
Open Shortest Path First (OSPF)
Border Gateway Protocol (BGP).
The FortiGate unit selects routes and updates its routing table dynamically based on the
rules you specify. Given a set of rules, the unit can determine the best route or path for
sending packets to a destination. You can also define rules to suppress the advertising of
routes to neighboring routers and change FortiGate routing information before it is
advertised.
If you enable virtual domains (VDOMs) on the FortiGate unit, dynamic routing is
configured separately for each virtual domain. For details, see Using virtual domains on
page 125.
Bidirectional Forwarding Detection (BFD) is a protocol that works with BGP and OSPF to
quickly detect neighboring routers that can no longer be reached, so that traffic can be
re-routed until those routers can be contacted again.
A useful part of the FortiOS web-based management interface is the customizable menus
and widgets. These widgets include the following routing widgets: access list, distribute
list, key chain, offset list, prefix list, and route map. For more information on these routing
widgets, see Customizable routing widgets on page 353.
This section describes:
RIP
OSPF
BGP
Multicast
Bi-directional Forwarding Detection (BFD)
Customizable routing widgets
Note: A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2
router in the root virtual domain. FortiGate units support PIM sparse mode and dense mode
and can service multicast servers or receivers on the network segment to which a FortiGate
interface is connected. PIM can use static routes, RIP, OSPF, or BGP to forward multicast
packets to their destinations.
RIP
Routing Information Protocol (RIP) is a distance-vector routing protocol intended for small,
relatively homogeneous networks. The FortiGate implementation of RIP supports RIP
version 1 (see RFC 1058) and RIP version 2 (see RFC 2453).
How RIP works
When RIP is enabled, the FortiGate unit broadcasts requests for RIP updates from each
of its RIP-enabled interfaces. Neighboring routers respond with information from their
routing tables. The FortiGate unit adds routes from neighbors to its own routing table only
if those routes are not already recorded in the routing table. When a route already exists in
the routing table, the unit compares the advertised route to the recorded route and
chooses the shortest route for the routing table.
RIP uses hop count as the metric for choosing the best route. A hop count of 1 represents
a network that is connected directly to the unit, while a hop count of 16 represents a
network that the FortiGate unit cannot reach. Each network that a packet travels through
to reach its destination usually counts as one hop. When the FortiGate unit compares two
routes to the same destination, it adds the route having the lowest hop count to the routing
table.
In turn, when RIP is enabled on an interface, the FortiGate unit sends RIP responses to
neighboring routers on a regular basis. The updates provide information about the routes
in the FortiGate unit's routing table, subject to the rules that you specify for advertising
those routes. You can specify how often the FortiGate unit sends updates, the period of
time a route can be kept in the routing table without being updated, and, for routes that are
not updated regularly, the period of time that the unit advertises a route as unreachable
before it is removed from the routing table.
Viewing and editing basic RIP settings
When you configure RIP settings, you have to specify the networks that are running RIP
and specify any additional settings needed to adjust RIP operation on the FortiGate
interfaces that are connected to the RIP-enabled network.
To view and edit RIP settings go to Router > Dynamic > RIP.
Figure 177 shows the basic RIP settings on a FortiGate unit that has interfaces named
dmz and external. The names of the interfaces on your FortiGate unit may be different.
Figure 177: Basic RIP settings
RIP Version Select the level of RIP compatibility needed at the FortiGate unit. You
can enable global RIP settings on all FortiGate interfaces connected to RIP-enabled
networks:
1 send and receive RIP version 1 packets.
2 send and receive RIP version 2 packets.
You can override the global settings for a specific FortiGate interface if required. For
more information, see Configuring a RIP-enabled interface on page 337.
Advanced Options Select the Expand Arrow to view or hide advanced RIP options. For
more information, see Selecting advanced RIP options on page 336.
Networks The IP addresses and network masks of the major networks (connected to the
FortiGate unit) that run RIP. When you add a network to the Networks list, the FortiGate
interfaces that are part of the network are advertised in RIP updates. You can enable RIP
on all FortiGate interfaces whose IP addresses match the RIP network address space.
IP/Netmask Enter the IP address and netmask that defines the RIP-enabled network.
Add Select to add the network information to the Networks list.
Interfaces Any additional settings needed to adjust RIP operation on a FortiGate
interface.
Create New Add new RIP operating parameters for an interface. These parameters
override the global RIP settings for that interface. For more information, see Configuring a
RIP-enabled interface on page 337.
Interface The name of the unit RIP interface.
Send Version The version of RIP used to send updates through each interface: 1, 2,
or both.
Receive Version The versions of RIP used to listen for updates on each interface: 1, 2,
or both.
Authentication The type of authentication used on this interface: None, Text or MD5.
Passive Whether RIP advertisements are suppressed on this interface. A green
checkmark means the interface is passive and RIP broadcasts are blocked.
Delete and Edit icons Delete or edit a RIP network entry or a RIP interface definition.
Note: You can configure additional advanced options through customizable GUI widgets
and the CLI. For example, you can filter incoming or outgoing updates by using a route
map, an access list, or a prefix list. The FortiGate unit also supports offset lists, which add
the specified offset to the metric of a route. For more information on customizable GUI
widgets, see Customizable routing widgets on page 353. For more information on CLI
routing commands, see the router chapter of the FortiGate CLI Reference.
Selecting advanced RIP options
With advanced RIP options, you can specify settings for RIP timers and define metrics for
redistributing routes that the FortiGate unit learns through some means other than RIP
updates. For example, if the unit is connected to an OSPF or BGP network or you add a
static route to the FortiGate routing table manually, you can configure the unit to advertise
those routes on RIP-enabled interfaces.
To select advanced RIP options, go to Router > Dynamic > RIP and expand Advanced
Options. After you select the options, select Apply.
Figure 178: Advanced Options (RIP)
RIP Version Select the version of RIP packets to send and receive.
Advanced Options Select the Expand Arrow to view or hide advanced options.
Default Metric Enter the default hop count that the FortiGate unit should assign to routes
that are added to the FortiGate routing table. The range is from 1 to 16. This metric is the
hop count, with 1 being best or shortest.
This value also applies to Redistribute unless otherwise specified.
Default-information-originate Select to generate and advertise a default route into the
FortiGate unit's RIP-enabled networks. The generated route may be based on routes
learned through a dynamic routing protocol, routes in the routing table, or both.
RIP Timers Enter new values to override the default RIP timer settings. The default
settings are effective in most configurations; if you change these settings, ensure that the
new settings are compatible with local routers and access servers.
The Update timer must be shorter than both the Timeout and Garbage timers; if it is
larger than either of them, you will get an error.
Update Enter the amount of time (in seconds) that the FortiGate unit will wait between
sending RIP updates.
Timeout Enter the maximum amount of time (in seconds) that a route is considered
reachable while no updates are received for the route. This is the maximum time the
FortiGate unit will keep a reachable route in the routing table while no updates for that
route are received. If the FortiGate unit receives an update for the route before the timeout
period expires, the timer is restarted. The Timeout period should be at least three times
longer than the Update period.
Garbage Enter the amount of time (in seconds) that the FortiGate unit will advertise a
route as being unreachable before deleting the route from the routing table. The value
determines how long an unreachable route is kept in the routing table.
Redistribute Select one or more of the options to redistribute RIP updates about routes
that were not learned through RIP. The FortiGate unit can use RIP to redistribute routes
learned from directly connected networks, static routes, OSPF, and BGP.
Connected Select to redistribute routes learned from directly connected networks. To
specify a hop count for those routes, select Metric, and enter the hop count in the Metric
field. The valid hop count range is from 1 to 16.
Static Select to redistribute routes learned from static routes. To specify a hop count for
those routes, select Metric, and enter the hop count in the Metric field. The range is from
1 to 16.
OSPF Select to redistribute routes learned through OSPF. To specify a hop count for those
routes, select Metric, and enter the hop count in the Metric field. The range is from 1 to
16.
BGP Select to redistribute routes learned through BGP. To specify a hop count for those
routes, select Metric, and enter the hop count in the Metric field. The range is from 1 to
16.
Configuring a RIP-enabled interface
You can use RIP interface options to override the global RIP settings that apply to all
FortiGate unit interfaces connected to RIP-enabled networks. For example, if you want to
suppress RIP advertising on an interface that is connected to a subnet of a RIP-enabled
network, you can set the interface to operate passively. Passive interfaces listen for RIP
updates but do not respond to RIP requests.
If RIP version 2 is enabled on the interface, you can optionally choose password
authentication to ensure that the FortiGate unit authenticates a neighboring router before
accepting updates from that router. The unit and the neighboring router must both be
configured with the same password. Authentication guarantees the authenticity of the
update packet, not the confidentiality of the routing information in the packet; with Text
authentication the password itself also travels in clear text, so prefer MD5 where the
neighbor supports it.
To set specific RIP operating parameters for a RIP-enabled interface, go to Router >
Dynamic > RIP and select Create New.
Note: Additional options such as split-horizon and key chains can be configured per
interface through the CLI. For more information, see the router chapter of the FortiGate
CLI Reference or the Fortinet Knowledge Center.
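The following is an added example, not FortiGate code: a minimal RIP route table in Python that applies the rules from How RIP works (add unknown routes, keep the lower hop count, 16 means unreachable) together with the Update, Timeout and Garbage timers described above, including the check that Update is shorter than the other two. The 30/180/120 second defaults are the RFC 2453 values and an assumption about this configuration; the neighbors, prefixes and timeline are constructed. Split horizon and authentication are not modeled.

```python
from dataclasses import dataclass
from typing import Optional

INFINITY = 16                              # RIP metric meaning "unreachable"
UPDATE, TIMEOUT, GARBAGE = 30, 180, 120    # seconds; RFC 2453 defaults (assumed here)


@dataclass
class RipRoute:
    dest: str
    next_hop: str
    metric: int
    learned_at: float                  # time of the last update for this route
    garbage_at: Optional[float] = None  # set once the route has timed out


class RipTable:
    def __init__(self, update=UPDATE, timeout=TIMEOUT, garbage=GARBAGE):
        # Same constraint as the RIP Timers field: Update must be the shortest.
        if update >= timeout or update >= garbage:
            raise ValueError("Update timer must be shorter than Timeout and Garbage")
        self.update, self.timeout, self.garbage = update, timeout, garbage
        self.routes = {}  # dest -> RipRoute

    def receive(self, neighbor, dest, advertised_metric, now):
        """Process one (dest, metric) entry from a neighbor's response: add one
        hop for the link to that neighbor, capped at 16."""
        metric = min(advertised_metric + 1, INFINITY)
        cur = self.routes.get(dest)
        if cur is None:
            if metric < INFINITY:          # unknown route: add it if reachable
                self.routes[dest] = RipRoute(dest, neighbor, metric, now)
            return
        # Adopt a strictly shorter path from anyone, or any change/refresh
        # coming from the route's current next hop.
        if metric < cur.metric or neighbor == cur.next_hop:
            if metric >= INFINITY:         # next hop now says unreachable
                cur.metric = INFINITY
                if cur.garbage_at is None:
                    cur.garbage_at = now
            else:
                cur.next_hop, cur.metric = neighbor, metric
                cur.learned_at, cur.garbage_at = now, None   # restart Timeout

    def expire(self, now):
        """Apply the Timeout and Garbage timers."""
        for dest, r in list(self.routes.items()):
            if r.garbage_at is None and now - r.learned_at >= self.timeout:
                r.metric = INFINITY                      # advertise as unreachable
                r.garbage_at = r.learned_at + self.timeout
            if r.garbage_at is not None and now - r.garbage_at >= self.garbage:
                del self.routes[dest]                    # Garbage period over

    def advertise(self, now):
        """Routes as they appear in the next periodic response: metric 16 while
        in the Garbage period, so neighbors drop the route as well."""
        self.expire(now)
        return {d: r.metric for d, r in self.routes.items()}


if __name__ == "__main__":
    t = RipTable()
    t.receive("10.0.0.2", "192.168.50.0/24", 3, now=0)
    for now in (0, 100, 200, 300, 400):
        print(now, t.advertise(now))
```

The timeline in the test shows why the guide recommends a Timeout of at least three Update periods: a route refreshed at t=100 survives several missed updates, is advertised with metric 16 from t=280, and is removed 120 seconds later.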
Figure 179 shows the New/Edit RIP Interface dialog box belonging to a FortiGate unit that
has an interface named internal. The names of the interfaces on your FortiGate unit may
be different.
Figure 179: New/Edit RIP Interface
Interface Select the name of the FortiGate interface to which these settings apply. The
interface must be connected to a RIP-enabled network. The interface can be a virtual
IPsec or GRE interface.
Send Version, Receive Version Select to override the default RIP-compatibility setting
for sending and receiving updates through the interface: RIP version 1, version 2 or Both.
Authentication Select an authentication method for RIP exchanges on the specified
interface:
None Disable authentication.
Text Select if the interface is connected to a network that runs RIP version 2. Type a
password (up to 35 characters) in the Password field. The FortiGate unit and the router
sending RIP updates must both be configured with the same password. The password is
sent in clear text over the network, so anyone able to capture RIP traffic on that segment
can read it.
MD5 Authenticate the exchange using a keyed MD5 digest (RFC 2082); the key itself is
never sent on the wire.
Passive Interface Select to suppress the advertising of FortiGate unit routing information
over the specified interface. Clear the check box to allow the interface to respond normally
to RIP requests.
OSPF
Open Shortest Path First (OSPF) is a link-state routing protocol that is most often used in
large heterogeneous networks to share routing information among routers in the same
Autonomous System (AS). FortiGate units support OSPF version 2 (see RFC 2328).
The main benefit of OSPF is that it advertises routes only when neighbors change state
instead of at timed intervals, so routing overhead is reduced.
How OSPF works
An OSPF network consists of one or more Autonomous Systems (ASes). An OSPF AS is
typically divided into logical areas linked by Area Border Routers. A group of contiguous
networks forms an area. An Area Border Router (ABR) links one or more areas to the
OSPF network backbone (area ID 0). For information on configuring an OSPF AS, see
Defining an OSPF AS: Overview on page 339.
When a FortiGate unit interface is connected to an OSPF area, that unit can participate in
OSPF communications. FortiGate units use the OSPF Hello protocol to acquire neighbors
in an area. A neighbor is any router that is directly connected to the same area as the
FortiGate unit. After initial contact, the FortiGate unit exchanges Hello packets with its
OSPF neighbors regularly to confirm that the neighbors can be reached.
OSPF-enabled routers generate Link-State Advertisements (LSAs) and send them to their
neighbors whenever the status of a link or neighbor changes or a new neighbor comes
online. As long as the OSPF network is stable, no new LSAs are generated apart from
periodic refreshes. An LSA identifies the interfaces of all OSPF-enabled routers in an area
and provides the information that enables OSPF-enabled routers to select the shortest
path to a destination. LSA exchanges between OSPF-enabled routers are authenticated
when authentication is configured for the area or interface.
The FortiGate unit maintains a database of link-state information based on the
advertisements that it receives from OSPF-enabled routers. To calculate the best route
(shortest path) to a destination, the FortiGate unit applies the Shortest Path First (SPF)
algorithm to the accumulated link-state information. OSPF uses a relative path cost metric
for choosing the best route. The path cost can be any metric, but is typically derived from
the speed of the path: how fast traffic will get from one point to another. The path cost,
similar to the hop count for RIP, imposes a penalty on the outgoing direction of a FortiGate
interface.
The path cost of a route is calculated by adding together all of the costs associated with
the outgoing interfaces along the path to a destination. The lowest overall path cost
indicates the best route, and generally the fastest route.
The FortiGate unit dynamically updates its routing table based on the results of the SPF
calculation to ensure that a packet will be routed using the shortest path to its
destination. Depending on the network topology, the entries in the FortiGate routing table
may include:
the addresses of networks in the local OSPF area (to which packets are sent directly)
routes to OSPF area border routers (to which packets destined for another area are
sent)
if the network contains OSPF areas and non-OSPF domains, routes to AS boundary
routers, which reside on the OSPF network backbone and are configured to forward
packets to destinations outside the OSPF AS.
The number of routes that a FortiGate unit can learn through OSPF depends on the
network topology. A single unit can support tens of thousands of routes if the OSPF
network is configured properly.
Defining an OSPF AS: Overview
Defining an OSPF Autonomous System (AS) involves:
defining the characteristics of one or more OSPF areas
creating associations between the OSPF areas that you defined and the local networks
to include in the OSPF AS
if required, adjusting the settings of OSPF-enabled interfaces.
If you are using the web-based manager to perform these tasks, follow the procedures
summarized below.
To define an OSPF AS
1 Go to Router > Dynamic > OSPF.
2 Under Areas, select Create New.
3 Define the characteristics of one or more OSPF areas. See Defining OSPF areas on
page 343.
4 Under Networks, select Create New.
5 Create associations between the OSPF areas that you defined and the local networks
to include in the OSPF AS. See Specifying OSPF networks on page 344.
6 If you need to adjust the default settings of an OSPF-enabled interface, select Create
New under Interfaces.
7 Select the OSPF operating parameters for the interface. See Selecting operating
parameters for an OSPF interface on page 344.
Repeat steps 6 and 7 for any additional OSPF-enabled interfaces.
8 Optionally select advanced OSPF options for the OSPF AS. See Selecting advanced
OSPF options on page 342.
9 Select Apply.
Note: Inter-area routes may not be calculated when a Cisco-type ABR has no fully
adjacent neighbor in the backbone area. In this situation, the router considers
summary-LSAs from all actively attached areas (RFC 3509).
Configuring basic OSPF settings
When you configure OSPF settings, you have to define the AS in which OSPF is enabled
and specify which of the FortiGate interfaces participate in the AS. As part of the AS
definition, you specify the AS areas and specify which networks to include in those areas.
You may optionally adjust the settings associated with OSPF operation on the FortiGate
interfaces.
To view and edit OSPF settings, go to Router > Dynamic > OSPF.
Figure 180 shows the basic OSPF settings on a FortiGate unit that has an interface
named port1. The names of the interfaces on your FortiGate unit may be different.
Figure 180: Basic OSPF settings
Router ID Enter a unique router ID to identify the FortiGate unit to other OSPF routers.
By convention, the router ID is the numerically highest IP address assigned to
any of the FortiGate interfaces in the OSPF AS.
If you change the router ID while OSPF is configured on an interface, all
connections to OSPF neighbors will be broken temporarily. The connections
will re-establish themselves.
If Router ID is not explicitly set, the highest IP address of the VDOM or unit
will be used.
Advanced Options Select the Expand Arrow to view or hide advanced OSPF settings. For more
information, see Selecting advanced OSPF options on page 342.
Areas Information about the areas making up an OSPF AS. The header of an OSPF
packet contains an area ID, which helps to identify the origination of a packet
inside the AS.
Create New Define and add a new OSPF area to the Areas list. For more information, see
Defining OSPF areas on page 343.
Area The unique 32-bit identifiers of areas in the AS, in dotted-decimal notation.
Area ID 0.0.0.0 references the backbone of the AS and cannot be changed or
deleted.
Type The types of areas in the AS:
Regular - a normal OSPF area
NSSA - a not so stubby area
Stub - a stub area.
For more information, see Defining OSPF areas on page 343.
Authentication The methods for authenticating OSPF packets sent and received through all
FortiGate interfaces linked to each area:
None - authentication is disabled
Text - text-based authentication is enabled
MD5 - MD5 authentication is enabled.
A different authentication setting may apply to some of the interfaces in an
area, as displayed under Interfaces. For example, if an area employs simple
passwords for authentication, you can configure a different password for one
or more of the networks in that area.
Networks The networks in the OSPF AS and their area IDs. When you add a network to
the Networks list, all FortiGate interfaces that are part of the network are
advertised in OSPF link-state advertisements. You can enable OSPF on all
FortiGate interfaces whose IP addresses match the OSPF network address
space. For more information, see Specifying OSPF networks on page 344.
Create New Add a network to the AS, specify its area ID, and add the definition to the
Networks list.
Network The IP addresses and network masks of networks in the AS on which OSPF
runs. The FortiGate unit may have physical or VLAN interfaces connected to
the network.
Area The area IDs that have been assigned to the OSPF network address space.
Interfaces Any additional settings needed to adjust OSPF operation on a FortiGate
interface. For more information, see Selecting operating parameters for an
OSPF interface on page 344.
Create New Create additional/different OSPF operating parameters for a unit interface
and add the configuration to the Interfaces list.
Name The names of OSPF interface definitions.
Interface The names of FortiGate physical or VLAN interfaces having OSPF settings
that differ from the default values assigned to all other interfaces in the same
area.
IP The IP addresses of the OSPF-enabled interfaces having additional/different
settings.
Authentication The methods for authenticating LSA exchanges sent and received on specific
OSPF-enabled interfaces. These settings override the area Authentication
settings.
Delete and Edit icons Delete or edit an OSPF area entry, network entry, or interface definition. Icons
are visible only when there are entries in the Areas, Networks, and Interfaces
sections.
Selecting advanced OSPF options
By selecting advanced OSPF options, you can specify metrics for redistributing routes that
the FortiGate unit learns through some means other than OSPF link-state advertisements.
For example, if the FortiGate unit is connected to a RIP or BGP network or you add a
static route to the FortiGate routing table manually, you can configure the unit to advertise
those routes on OSPF-enabled interfaces.
To select advanced OSPF options, go to Router > Dynamic > OSPF and expand Advanced
Options. After you select the options, select Apply.
Figure 181: Advanced Options (OSPF)
Router ID Enter a unique router ID to identify the FortiGate unit to other OSPF routers.
Expand Arrow Select to view or hide Advanced Options.
Default Information Generate and advertise a default (external) route to the OSPF AS. You may base
the generated route on routes learned through a dynamic routing protocol, routes
in the routing table, or both.
None Prevent the generation of a default route.
Regular Generate a default route into the OSPF AS and advertise the route to neighboring
autonomous systems only if the route is stored in the FortiGate routing table.
Always Generate a default route into the OSPF AS and advertise the route to neighboring
autonomous systems unconditionally, even if the route is not stored in the
FortiGate routing table.
Redistribute Select one or more of the options listed to redistribute OSPF link-state
advertisements about routes that were not learned through OSPF. The FortiGate
unit can use OSPF to redistribute routes learned from directly connected networks,
static routes, RIP, and BGP.
Connected Select to redistribute routes learned from directly connected networks.
Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.
Static Select to redistribute routes learned from static routes.
Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.
RIP Select to redistribute routes learned through RIP.
Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.
BGP Select to redistribute routes learned through BGP.
Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.
Note: You can configure additional advanced options through customizable GUI widgets,
and the CLI. For example, you can filter incoming or outgoing updates by using a route
map, an access list, or a prefix list. The FortiGate unit also supports offset lists, which add
the specified offset to the metric of a route. For more information on customizable GUI
widgets, see Customizable routing widgets on page 353. For more information on CLI
routing commands, see the router chapter of the FortiGate CLI Reference.
Defining OSPF areas
An area logically defines part of the OSPF AS. Each area is identified by a 32-bit area ID
expressed in dotted-decimal notation, for example 192.168.0.1. Area ID 0.0.0.0 is
reserved for the OSPF network backbone. You can classify the remaining areas of an AS
as regular, stub, or NSSA.
A regular area contains more than one router, each having at least one OSPF-enabled
interface to the area.
To reach the OSPF backbone, the routers in a stub area must send packets to an area
border router. Routes leading to non-OSPF domains are not advertised to the routers in
stub areas. The area border router advertises to the OSPF AS a single default route
(destination 0.0.0.0) into the stub area, which ensures that any OSPF packet that cannot
be matched to a specific route will match the default route. Any router connected to a stub
area is considered part of the stub area.
In a Not-So-Stubby Area (NSSA), routes that lead out of the area into a non-OSPF domain
are made known to OSPF AS. However, the area itself continues to be treated like a stub
area by the rest of the AS.
Regular areas and stub areas (including not-so-stubby areas) are connected to the OSPF
backbone through area border routers.
To define an OSPF area, go to Router > Dynamic > OSPF, and then under Areas, select
Create New. To edit the attributes of an OSPF area, go to Router > Dynamic > OSPF and
select the Edit icon in the row that corresponds to the area.
Figure 182: New/Edit OSPF Area
Note: If required, you can define a virtual link to an area that has lost its physical
connection to the OSPF backbone. Virtual links can be set up only between two FortiGate
units that act as area border routers. For more information on virtual links, see the
FortiGate CLI Reference.
Area Type a 32-bit identifier for the area. The value must resemble an IP address in
dotted-decimal notation. Once you have created the OSPF area, the area IP
value cannot be changed; you must delete the area and restart.
Type Select an area type to classify the characteristics of the network that will be
assigned to the area:
Regular If the area contains more than one router, each having at least one
OSPF-enabled interface to the area.
NSSA If you want routes to external non-OSPF domains made known to
OSPF AS and you want the area to be treated like a stub area by the rest of the
AS.
STUB If the routers in the area must send packets to an area border router in
order to reach the backbone and you do not want routes to non-OSPF domains to
be advertised to the routers in the area.
Authentication Select the method for authenticating OSPF packets sent and received through all
interfaces in the area:
None - disable authentication.
Text - authenticate LSA exchanges using a plain-text password. The password is
sent in clear text over the network.
MD5 - enable MD5-based authentication using an MD5 cryptographic hash
(RFC 1321).
If required, you can override this setting for one or more of the interfaces in the
area. For more information, see Selecting operating parameters for an OSPF
interface on page 344.
Note: To assign a network to the area, see Specifying OSPF networks on page 344.
Specifying OSPF networks
OSPF areas group a number of contiguous networks together. When you assign an area
ID to a network address space, the attributes of the area are associated with the network.
To assign an OSPF area ID to a network, go to Router > Dynamic > OSPF, and then
under Networks, select Create New. To change the OSPF area ID assigned to a network,
go to Router > Dynamic > OSPF and select the Edit icon in the row that corresponds to
the network.
Figure 183: New/Edit OSPF Network
IP/Netmask Enter the IP address and network mask of the local network that you want to assign
to an OSPF area.
Area Select an area ID for the network. The attributes of the area must match the
characteristics and topology of the specified network. You must define the area
before you can select the area ID. For more information, see Defining OSPF areas
on page 343.
Selecting operating parameters for an OSPF interface
An OSPF interface definition contains specific operating parameters for a FortiGate
OSPF-enabled interface. The definition includes the name of the interface (for example,
external or VLAN_1), the IP address assigned to the interface, the method for
authenticating LSA exchanges through the interface, and timer settings for sending and
receiving OSPF Hello and dead-interval packets.
You can enable OSPF on all FortiGate interfaces whose IP addresses match the OSPF-
enabled network space. For example, define an area of 0.0.0.0 and the OSPF network as
10.0.0.0/16. Then define vlan1 as 10.0.1.1/24, vlan2 as 10.0.2.1/24 and vlan3 as
10.0.3.1/24. All three VLANs can run OSPF in area 0.0.0.0. To enable all interfaces, you
would create an OSPF network 0.0.0.0/0.
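Which interfaces a set of OSPF network statements actually enables, as an added Python example that is not part of the original guide: it reproduces the page's 10.0.0.0/16 case, adds the 0.0.0.0/0 catch-all, and flags interfaces that became OSPF-enabled without being intended to. The interface set, the 0.0.0.1 area used for the catch-all, and the rule that the most specific network statement wins when several cover an address are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class OspfNetwork:
    """One row of the OSPF Networks list: IP/Netmask plus the area ID assigned to it."""
    prefix: ipaddress.IPv4Network
    area: str  # 32-bit area ID in dotted-decimal notation, e.g. "0.0.0.0"

    def __post_init__(self) -> None:
        # Area IDs must look like IPv4 addresses; reject anything else up front.
        ipaddress.IPv4Address(self.area)


def ospf_area_for_address(ip: str, networks: List[OspfNetwork]) -> Optional[str]:
    """Return the area an interface address lands in, or None if no network covers it.

    Assumption (not stated on the page): when several network statements cover
    the address, the most specific (longest) prefix decides the area.
    """
    addr = ipaddress.IPv4Address(ip)
    covering = [n for n in networks if addr in n.prefix]
    if not covering:
        return None
    return max(covering, key=lambda n: n.prefix.prefixlen).area


def ospf_enabled_interfaces(interfaces: Dict[str, str],
                            networks: List[OspfNetwork]) -> Dict[str, str]:
    """Map interface name -> area ID for every interface whose IP matches the network space."""
    enabled: Dict[str, str] = {}
    for name, cidr in interfaces.items():
        iface = ipaddress.IPv4Interface(cidr)
        area = ospf_area_for_address(str(iface.ip), networks)
        if area is not None:
            enabled[name] = area
    return enabled


def unintended_ospf_interfaces(enabled: Dict[str, str], intended: Set[str]) -> Set[str]:
    """Interfaces that became OSPF-enabled although they were not meant to speak OSPF.

    A broad network statement such as 0.0.0.0/0 is the usual cause; such an interface
    sends Hellos and accepts adjacencies, so review it and its authentication setting.
    """
    return set(enabled) - intended


# Constructed sample mirroring the page's example: area 0.0.0.0, network 10.0.0.0/16,
# three VLAN interfaces, plus port1 with the 172.20.120.140 address used on the page.
SAMPLE_INTERFACES = {
    "vlan1": "10.0.1.1/24",
    "vlan2": "10.0.2.1/24",
    "vlan3": "10.0.3.1/24",
    "port1": "172.20.120.140/24",
}
SPECIFIC_NETWORKS = [OspfNetwork(ipaddress.IPv4Network("10.0.0.0/16"), "0.0.0.0")]
# The catch-all network from the page ("to enable all interfaces, create 0.0.0.0/0");
# assigning it to area 0.0.0.1 is a constructed value.
CATCH_ALL_NETWORKS = SPECIFIC_NETWORKS + [
    OspfNetwork(ipaddress.IPv4Network("0.0.0.0/0"), "0.0.0.1"),
]

if __name__ == "__main__":
    specific = ospf_enabled_interfaces(SAMPLE_INTERFACES, SPECIFIC_NETWORKS)
    everything = ospf_enabled_interfaces(SAMPLE_INTERFACES, CATCH_ALL_NETWORKS)
    print("10.0.0.0/16 only:", specific)
    print("with 0.0.0.0/0:  ", everything)
    print("unintended:", unintended_ospf_interfaces(everything, {"vlan1", "vlan2", "vlan3"}))
```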
You can configure different OSPF parameters for the same FortiGate interface when more
than one IP address has been assigned to the interface. For example, the same FortiGate
interface could be connected to two neighbors through different subnets. You could
configure an OSPF interface definition containing one set of Hello and dead-interval
parameters for compatibility with one neighbor's settings, and a second OSPF interface
definition for the same interface to ensure compatibility with the second neighbor's
settings.
To select OSPF operating parameters for a FortiGate interface, go to Router > Dynamic >
OSPF, and then under Interfaces, select Create New. To edit the operating parameters of
an OSPF-enabled interface, go to Router > Dynamic > OSPF and select the Edit icon in
the row that corresponds to the OSPF-enabled interface.
Figure 184 shows the New/Edit OSPF Interface dialog box belonging to a FortiGate unit
that has an interface named port1. The interface names on your FortiGate unit may
differ.
Figure 184: New/Edit OSPF Interface
Name Enter a name to identify the OSPF interface definition. For example, the
name could indicate to which OSPF area the interface will be linked.
Interface Select the name of the FortiGate interface to associate with this OSPF
interface definition (for example, port1, external, or VLAN_1). The
FortiGate unit can have physical, VLAN, virtual IPSec or GRE interfaces
connected to the OSPF-enabled network.
IP Enter the IP address that has been assigned to the OSPF-enabled
interface. The interface becomes OSPF-enabled because its IP address
matches the OSPF network address space.
For example, if you defined an OSPF network of 172.20.120.0/24 and
port1 has been assigned the IP address 172.20.120.140, type
172.20.120.140.
Authentication Select an authentication method for LSA exchanges on the specified
interface:
None Disable authentication.
Text Authenticate LSA exchanges using a plain-text password. The
password can be up to 35 characters, and is sent in clear text over the
network.
MD5 Use one or more keys to generate an MD5 cryptographic hash.
Password Enter the plain-text password. Enter an alphanumeric value of up to 15
characters. The OSPF neighbors that send link-state advertisements to
this FortiGate interface must be configured with an identical password.
This field is available only if you selected plain-text authentication.
MD5 Keys Enter the key identifier for the (first) password in the ID field (the range is
from 1 to 255) and then type the associated password in the Key field.
The password is a 128-bit hash, represented by an alphanumeric string of
up to 16 characters.
The OSPF neighbors that send link-state advertisements to this FortiGate
interface must be configured with an identical MD5 key. If the OSPF
neighbor uses more than one password to generate MD5 hashes, select the
Add icon to add additional MD5 keys to the list.
This field is available only if you selected MD5 authentication.
Hello Interval Optionally, set the Hello Interval to be compatible with Hello Interval
settings on all OSPF neighbors.
This setting defines the period of time (in seconds) that the FortiGate unit
waits between sending Hello packets through this interface.
Dead Interval Optionally, set the Dead Interval to be compatible with Dead Interval
settings on all OSPF neighbors.
This setting defines the period of time (in seconds) that the FortiGate unit
waits to receive a Hello packet from an OSPF neighbor through the
interface. If the FortiGate unit does not receive a Hello packet within the
specified amount of time, the FortiGate unit declares the neighbor
inaccessible.
By convention, the Dead Interval value is usually four times greater than
the Hello Interval value.
BGP
Border Gateway Protocol (BGP) is an Internet routing protocol typically used by ISPs to
exchange routing information between different ISP networks. For example, BGP enables
the sharing of network paths between the ISP network and an autonomous system (AS)
that uses RIP, OSPF, or both to route packets within the AS. The FortiGate implementation
of BGP supports BGP-4 and complies with RFC 1771 and RFC 2385.
How BGP works
When BGP is enabled on an interface, the FortiGate unit sends routing table updates to
neighboring autonomous systems connected to that interface whenever any part of the
FortiGate routing table changes. Each AS to which the unit belongs is associated with an
AS number. The AS number references a particular destination network.
BGP updates advertise the best path to a destination network. When the FortiGate unit
receives a BGP update, the FortiGate unit examines the Multi-Exit Discriminator (MED)
attributes of potential routes to determine the best path to a destination network before
recording the path in the FortiGate unit routing table.
BGP has the capability to gracefully restart. This capability limits the effects of software
problems by allowing forwarding to continue when the control plane of the router fails. It
also reduces routing flaps by stabilizing the network.
Viewing and editing BGP settings
When you configure BGP settings, you need to specify the AS to which the FortiGate unit
belongs and enter a router ID to identify this unit to other BGP routers. You must also
identify the FortiGate unit's BGP neighbors and specify which of the networks local to the
FortiGate unit should be advertised to BGP neighbors.
Note: You can configure graceful restarting and other advanced settings only through CLI
commands. For more information on advanced BGP settings, see the router chapter of
the FortiGate CLI Reference.
To view and edit BGP settings, go to Router > Dynamic > BGP. The web-based manager
offers a simplified user interface to configure basic BGP options. You can also configure
many advanced BGP options through the CLI. For more information, see the router
chapter of the FortiGate CLI Reference.
Figure 185: Basic BGP options
Local AS Enter the number of the local AS to which the FortiGate unit belongs.
Router ID Enter a unique router ID to identify the FortiGate unit to other BGP routers. The
router ID is an IP address written in dotted-decimal format, for example
192.168.0.1.
If you change the router ID while BGP is configured on an interface, all
connections to BGP peers will be broken temporarily. The connections will re-
establish themselves.
If Router ID is not explicitly set, the highest IP address of the VDOM will be
used.
Neighbors The IP addresses and AS numbers of BGP peers in neighboring autonomous
systems.
IP Enter the IP address of the neighbor interface to the BGP-enabled network.
Remote AS Enter the number of the AS that the neighbor belongs to.
Add/Edit Add the neighbor information to the Neighbors list, or edit an entry in the list.
Neighbor The IP addresses of BGP peers.
Remote AS The numbers of the autonomous systems associated with the BGP peers.
Delete icon Delete a BGP neighbor entry.
Networks The IP addresses and network masks of networks to advertise to BGP peers.
The FortiGate unit may have a physical or VLAN interface connected to those
networks.
IP/Netmask Enter the IP address and netmask of the network to be advertised.
Add Add the network information to the Networks list.
Network The IP addresses and network masks of major networks that are advertised to
BGP peers.
Delete icon Delete a BGP network definition.
Note: The get router info bgp CLI command provides detailed information about
configured BGP settings. For a complete list of the command options, see the router
chapter of the FortiGate CLI Reference.
Multicast
A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2 router in
the root virtual domain. FortiGate units support PIM sparse mode (RFC 2362) and PIM
dense mode (RFC 3973) and can service multicast servers or receivers on the network
segment to which a FortiGate interface is connected.
How multicast works
Multicast server applications use a (Class D) multicast address to send one copy of a
packet to a group of receivers. The PIM routers throughout the network ensure that only
one copy of the packet is forwarded through the network until it reaches an end-point
destination. At the end-point destination, copies of the packet are made only when
required to deliver the information to multicast client applications that request traffic
destined for the multicast address.
A PIM domain is a logical area comprising a number of contiguous networks. The domain
contains at least one Boot Strap Router (BSR). If sparse mode is enabled, the domain
also contains a number of Rendezvous Points (RPs) and Designated Routers (DRs).
When you enable PIM on a FortiGate unit, the FortiGate unit can perform any of these
functions at any time as configured. If required for sparse mode operation, you can define
static RPs.
Viewing and editing multicast settings
When multicast (PIM) routing is enabled, you can configure sparse mode or dense mode
operation on any FortiGate interface.
To view and edit PIM settings, go to Router > Dynamic > Multicast. The web-based
manager offers a simplified user interface to configure basic PIM options. You can also
configure advanced PIM options through the CLI. For more information, see the router
chapter of the FortiGate CLI Reference.
Note: To support PIM communications, the sending/receiving applications and all
connecting PIM routers in between must be enabled with PIM version 2. PIM can use static
routes, RIP, OSPF, or BGP to forward multicast packets to their destinations. To support
source-to-destination packet delivery, either sparse mode or dense mode must be enabled
on all the PIM-router interfaces. Sparse mode routers cannot send multicast messages to
dense mode routers. In addition, if a FortiGate unit is located between a source and a PIM
router, or between two PIM routers, or is connected directly to a receiver, you must create a
firewall policy manually to pass encapsulated (multicast) packets or decapsulated data (IP
traffic) between the source and destination.
Note: You can configure basic options through the web-based manager. Many additional
options are available, but only through the CLI. For complete descriptions and examples of
how to use CLI commands to configure PIM settings, see multicast in the router
chapter of the FortiGate CLI Reference.
Note: For more information about FortiGate multicast support, see the FortiGate Multicast
Technical Note or the FortiGate Routing Guide.
Figure 186: Basic Multicast options
Enable Multicast Routing Select to enable PIM version 2 routing. A firewall policy must be created on
PIM-enabled interfaces to pass encapsulated packets and decapsulated data
between the source and destination.
Add Static RP If required for sparse mode operation, enter the IP address of a Rendezvous
Point (RP) that may be used as the root of a packet distribution tree for a
multicast group. Join messages from the multicast group are sent to the RP,
and data from the source is sent to the RP.
If an RP for the specified IP's multicast group is already known to the Boot
Strap Router (BSR), the RP known to the BSR is used and the static RP
address that you specify is ignored.
Apply Save the specified static RP addresses.
Create New Create a new multicast entry for an interface.
You can use the new entry to fine-tune PIM operation on a specific FortiGate
interface or override the global PIM settings on a particular interface. For
more information, see Overriding the multicast settings on an interface on
page 350.
Interface The names of FortiGate interfaces having specific PIM settings.
Mode The mode of PIM operation (Sparse or Dense) on that interface.
Status The status of sparse-mode RP candidacy on the interface.
To change the status of RP candidacy on an interface, select the Edit icon in
the row that corresponds to the interface.
Priority The priority number assigned to RP candidacy on that interface. Available
only when RP candidacy is enabled.
DR Priority The priority number assigned to Designated Router (DR) candidacy on the
interface. Available only when sparse mode is enabled.
Delete and Edit icons Delete or edit the PIM settings on the interface.
Overriding the multicast settings on an interface
You use multicast (PIM) interface options to set operating parameters for FortiGate
interfaces connected to PIM domains. For example, you can enable dense mode on an
interface that is connected to a PIM-enabled network segment. When sparse mode is
enabled, you can adjust the priority number that is used to advertise Rendezvous Point
(RP) and/or Designated Router (DR) candidacy on the interface.
Figure 187: Multicast interface settings
Interface Select the name of the root VDOM FortiGate interface to which these
settings apply. The interface must be connected to a PIM version 2 enabled
network segment.
PIM Mode Select the mode of operation: Sparse Mode or Dense Mode. All PIM routers
connected to the same network segment must be running the same mode
of operation. If you select Sparse Mode, adjust the remaining options as
described below.
DR Priority Enter the priority number for advertising DR candidacy on the FortiGate
unit's interface. The range is from 1 to 4 294 967 295.
The unit compares this value to the DR interfaces of all other PIM routers on
the same network segment, and selects the router having the highest DR
priority to be the DR.
RP Candidate Enable RP candidacy on the interface.
RP Candidate Priority Enter the priority number for advertising RP candidacy on the FortiGate
interface. The range is from 1 to 255.
Multicast destination NAT
Multicast destination NAT (DNAT) allows you to translate externally received multicast
destination addresses to addresses that conform to an organization's internal addressing
policy.
This feature, which is available only in the CLI, lets an organization avoid redistributing
routes at the translation boundary into its network infrastructure for Reverse Path
Forwarding (RPF) to work properly. It can also receive identical feeds from two ingress
points in the network and route them independently.
Configure multicast DNAT in the CLI by using the following command:
config firewall multicast-policy
    edit p1
        set dnat <dnatted-multicast-group>
        set ...
    next
end
For more information, see the firewall chapter of the FortiGate CLI Reference.
Bi-directional Forwarding Detection (BFD)
The Bi-directional Forwarding Detection (BFD) protocol is designed to deal with dynamic
routing protocols' lack of a fine granularity for detecting device failures on the network and
re-routing around those failures. BFD can more quickly react to these failures, since it
detects them on a millisecond timer, where other dynamic routing protocols can only
detect them on a second timer.
Your unit supports BFD as part of OSPF and BGP dynamic networking.
How BFD works
When you enable BFD on your FortiGate unit, BFD starts trying to connect to other routers
on the network. You can limit where BFD looks for routers by enabling one interface only,
and by enabling BFD for specific neighboring routers on the network.
Once the connection has been made, BFD will continue to send periodic packets to the
router to make sure it is still operational. These small packets are sent frequently.
If there is no response from the neighboring router within the set period of time, BFD on
your unit reports that router down and changes routing accordingly. BFD continues to try
to reestablish a connection with the non-responsive router.
Once that connection is reestablished, routes are reset to include the router once again.
Configuring BFD
BFD is intended for networks that use BGP or OSPF routing protocols. This generally
excludes smaller networks.
BFD configuration on your FortiGate unit is very flexible. You can enable BFD for the
whole unit, and turn it off for one or two interfaces. Alternatively you can specifically
enable BFD for each neighbor router, or interface. Which method you choose will be
determined by the amount of configuring required for your network.
The timeout period determines how long the unit waits before labeling a connection as
down. The length of the timeout period is important: if it is too short, connections will be
labeled down prematurely, and if it is too long, time will be wasted waiting for a reply from a
connection that is down. There is no easy number, as it varies for each network and unit.
High end FortiGate models will respond very quickly unless loaded down with traffic. Also
the size of the network will slow down the response time, because packets need to make more
hops than on a smaller network. Those two factors (CPU load and network traversal time)
affect how long the timeout you select should be. With too short a timeout period, BFD will
not connect to the network device but it will keep trying. This state generates unnecessary
network traffic, and leaves the device unmonitored. If this happens, you should try setting
a longer timeout period to allow BFD more time to discover the device on the network.
Note: You can configure BFD only from the CLI.
Configuring BFD on your FortiGate unit
For this example, BFD is enabled on the FortiGate unit using the default values. This
means that once a connection is established, your unit will wait for up to 150 milliseconds
for a reply from a BFD router before declaring that router down and rerouting traffic: a 50
millisecond minimum transmit interval multiplied by a detection multiplier of 3. The port
that BFD traffic originates from will be checked for security purposes as indicated by
disabling bfd-dont-enforce-src-port.
config system settings
    set bfd enable
    set bfd-desired-min-tx 50
    set bfd-required-min-rx 50
    set bfd-detect-mult 3
    set bfd-dont-enforce-src-port disable
end
Disabling BFD for a specific interface
The previous example enables BFD for your entire FortiGate unit. If an interface is not
connected to any BFD enabled routers, you can reduce network traffic by disabling BFD
for that interface. For this example, BFD is disabled for the internal interface using CLI
commands.
config system interface
    edit <interface>
        set bfd disable
end
Configuring BFD on BGP
Configuring BFD on a BGP network involves only one step: enable BFD globally, and
then disable it for each neighbor that is running the protocol.
config system settings
    set bfd enable
end
config router bgp
    config neighbor
        edit <ip_address>
            set bfd disable
        end
end
Note: The minimum receive interval (bfd-required-min-rx) and the detection
multiplier (bfd-detect-mult) combine to determine how long a period your unit will wait
for a reply before declaring the neighbor down. The correct value for your situation will vary
based on the size of your network and the speed of your unit's CPU. The numbers used in
this example may not work for your network.
Configuring BFD on OSPF
Configuring BFD on an OSPF network is very much like enabling BFD on your unit: you
can enable it globally for OSPF, and you can override the global settings at the interface
level.
To enable BFD on OSPF:
config router ospf
    set bfd enable
end
To override BFD on an interface:
config router ospf
    config ospf-interface
        edit <interface_name>
            set bfd disable
        end
end
Customizable routing widgets
You can customize the FortiGate web-based manager (or GUI) to show, hide, and arrange
widgets/menus/items according to your specific requirements. Customizing the display
allows you to vary or limit the GUI layout to address different administrator needs such as
advanced routing.
Only administrators with the super_admin admin profile may create and edit GUI layouts.
For more information on GUI layouts, see Customizable web-based manager on
page 268.
Each of the customizable GUI widgets can be minimized or maximized using the arrow
next to the widget title.
Customizable routing widgets include:
Access List
Distribute List
Key Chain
Offset List
Prefix List
Route Map
Access List
Access lists are filters used by FortiGate unit routing processes to limit which routes
(prefixes) are accepted or advertised, based on IP addresses. For an access list to take
effect, it must be called by a FortiGate unit routing process (for example, a process that
supports RIP or OSPF). Access lists are used by the RIP and OSPF routing protocols. For
more information about RIP, see RIP on page 334. For more information about OSPF, see
OSPF on page 338.
Each rule in an access list consists of a prefix (IP address and netmask), the action to take
for this prefix (permit or deny), and whether to match the prefix exactly or to match the
prefix and any more specific prefix.
Note: If you are setting a prefix of 128.0.0.0, use the format 128.0.0.0/1. The default route,
0.0.0.0/0, cannot be exactly matched with an access list. A prefix list must be used for this
purpose. For more information, see Prefix List on page 356.
The FortiGate unit attempts to match a packet against the rules in an access list starting at
the top of the list. If it finds a match for the prefix, it takes the action specified for that
prefix. If no match is found the default action is deny.
Figure 188: Access List GUI widget
Access-list Enter the name of a new access list. Select Add to save the new access list.
Name The name of the access list.
Action The action to take when the prefix of this rule is matched. Actions can
be either permit or deny.
Prefix The IP address prefix for this rule. When this prefix is matched, the
action is taken. The prefix can match any address, or a specific address.
Delete Icon Select to remove this access list or rule.
Add Icon Select to add a rule to this access list. Rules include actions and prefixes.
Rules are processed from the lowest to the highest number.
For more information on access lists, see the router chapter of the FortiGate CLI
Reference.
Distribute List
Distribute lists are used by the RIP and OSPF routing protocols to filter the networks in
routing updates using an access list or prefix list. Routes that the referenced list does not
permit are removed from the updates sent out of, or received on, the selected interface.
For more information about RIP, see RIP on page 334. For more information about OSPF,
see OSPF on page 338.
Note: You must configure the access list that you want the distribute list to use before you
configure the distribute list. To configure an access list, see Access List on page 353.
Figure 189: Distribute List GUI widget
Create New Select to create a new distribute list. This includes setting the direction,
selecting either the prefix-list or access-list, and the interface.
Direction The direction in which the filter is applied: In (routes received on the
interface) or Out (routes advertised on the interface).
Filter The prefix-list or access-list to apply to this interface.
Interface The interface to apply the filter on.
Enable A green check indicates this distribute list is enabled.
Delete Icon Select to remove a distribute list rule.
Edit Icon Select to change the direction, filter, or interface of the distribute list.
For more information on the distribute list, see the router chapter of the FortiGate CLI
Reference.
Key Chain
A key chain is a list of one or more keys and the send and receive lifetimes for each key.
Keys are used for authenticating routing packets only during the specified lifetimes. The
FortiGate unit migrates from one key to the next according to the scheduled send and
receive lifetimes. The sending and receiving routers should have their system dates and
times synchronized, but overlapping the key lifetimes ensures that a key is always
available even if there is some difference in the system times.
RIP version 2 uses authentication keys to ensure that the routing information exchanged
between routers is reliable. For authentication to work, both the sending and receiving
routers must be set to use authentication and must be configured with the same keys.
Key chains are used by the RIP routing protocol. For more information about RIP, see RIP
on page 334.
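The rollover behaviour described above, shown as an added example that is not Fortinet's code: two routers share a key chain, key 1 is sent until a rollover time and key 2 afterwards, and each key is accepted for a configurable period on either side of the rollover. The key chain, the rollover time, the key values and the clock skews are all constructed for this example; the function and field names are this example's own.

```python
"""Added example (not Fortinet code): how overlapping accept/send lifetimes in a
key chain keep RIPv2 authentication working across a key rollover when the two
routers' clocks differ."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set

INFINITE = datetime.max          # stands in for the GUI's "infinite" end time


@dataclass(frozen=True)
class Key:
    number: int
    secret: bytes                # the shared authentication key (constructed values)
    accept_start: datetime
    accept_end: datetime
    send_start: datetime
    send_end: datetime


# Constructed: switch from key 1 to key 2 at noon on 22 Oct 2009.
ROLLOVER = datetime(2009, 10, 22, 12, 0, 0)


def build_chain(overlap: timedelta) -> List[Key]:
    """Key 1 is sent until ROLLOVER, key 2 from ROLLOVER on. Each key is
    *accepted* for `overlap` beyond the point where it stops being sent."""
    return [
        Key(1, b"old-secret", datetime.min, ROLLOVER + overlap, datetime.min, ROLLOVER),
        Key(2, b"new-secret", ROLLOVER - overlap, INFINITE, ROLLOVER, INFINITE),
    ]


def send_key(chain: List[Key], now: datetime) -> Optional[Key]:
    """The key a router signs with: the lowest-numbered key whose send
    lifetime contains `now`, or None if no key is currently sendable."""
    valid = [k for k in chain if k.send_start <= now < k.send_end]
    return min(valid, key=lambda k: k.number) if valid else None


def accepted(chain: List[Key], now: datetime) -> Set[int]:
    """Key numbers a receiver accepts at its own local time `now`."""
    return {k.number for k in chain if k.accept_start <= now < k.accept_end}


def peer_authenticates(chain: List[Key], local_now: datetime, peer_skew: timedelta) -> bool:
    """Both routers share `chain`. The peer's clock is off by `peer_skew`: it
    picks its send key from its own notion of the time, and we check that key
    number against the set we accept at our local time."""
    key = send_key(chain, local_now + peer_skew)
    return key is not None and key.number in accepted(chain, local_now)


if __name__ == "__main__":
    with_overlap = build_chain(timedelta(hours=1))
    no_overlap = build_chain(timedelta(0))
    before = datetime(2009, 10, 22, 11, 45)   # 15 min before rollover, peer 30 min ahead
    print("overlap, peer ahead:", peer_authenticates(with_overlap, before, timedelta(minutes=30)))
    print("no overlap, peer ahead:", peer_authenticates(no_overlap, before, timedelta(minutes=30)))
```

With a one-hour overlap a peer whose clock is 30 minutes fast or slow still authenticates across the rollover; with no overlap the same skew causes every update to be rejected for up to 30 minutes, which is how a routing adjacency silently drops at a key change.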
Figure 190: Key Chain GUI widget
Key-chain Enter the name for a new key-chain. Select Add to save the new key-chain.
Name The name of the key-chain, or the number of the key on that chain.
Accept Lifetime The start and end time that this key can accept routing packets.
Start The start time for this key. The format is H:M:S M/D/YYYY.
End The end time for this key. The end can be infinite, a set duration in seconds,
or a set time as with the start time.
Send Lifetime The start and end time that this key can send routing packets.
Start The start time for this key. The format is H:M:S M/D/YYYY.
End The end time for this key. The end can be infinite, a set duration in seconds,
or a set time as with the start time.
Delete Icon Select to remove a key or key-chain.
Add Icon Select to add keys to the key-chain.
Edit Icon Select to edit an existing key.
For more information on key-chains, see the router chapter of the FortiGate CLI
Reference.
Offset List
Use the offset list to add an offset to the metric (hop count) of the routes that match the
selected access list, in the selected direction and on the selected interface.
The offset list is part of the RIP and OSPF routing protocols. For more information about
RIP, see RIP on page 334. For more information about OSPF, see OSPF on page 338.
Figure 191: Offset List GUI widget
Create New Select to add a new offset to the list.
Direction The direction can be In or Out.
Access-list The access-list to use to match the routes.
Offset The adjustment to the hop count metric.
Interface The interface this offset list applies to.
Delete Icon Select to remove an offset entry.
Edit Icon Select to edit an existing offset entry.
For more information on the offset list, see the router chapter of the FortiGate CLI
Reference.
Prefix List
A prefix list is an enhanced version of an access list that also lets you control the length of
the prefix netmask that a route must have in order to match.
Each rule in a prefix list consists of a prefix (IP address and netmask), the action to take
for this prefix (permit or deny), and minimum (GE) and maximum (LE) prefix length
settings.
The FortiGate unit attempts to match a route against the rules in a prefix list starting at
the top of the list. If it finds a match for the prefix, it takes the action specified for that rule.
If no match is found, the default action is deny. A prefix list, rather than an access list, must
be used to exactly match the default route 0.0.0.0/0.
For a prefix list to take effect, it must be called by another FortiGate unit routing feature
such as RIP or OSPF. For more information about RIP, see RIP on page 334. For more
information about OSPF, see OSPF on page 338.
Figure 192: Prefix List GUI widget
Prefix-list Enter the name of a new prefix-list. Select Add to save the new prefix list
entry.
Name The name of the prefix list, or the number of the prefix entry.
Action The action of the prefix entry. Actions can be permit or deny.
Prefix The IP address and netmask associated with this prefix. Optionally this can
be set to match any address.
GE The minimum prefix length, in bits, that a route must have to match this entry.
Routes with this length or a longer prefix can match.
LE The maximum prefix length, in bits, that a route can have and still match this
entry. Routes with this length or a shorter prefix can match.
Delete Icon Select to remove a prefix entry or list.
Add Icon Select to add a prefix entry to a list.
Edit Icon Select to edit an existing prefix entry.
For more information on the prefix list, see the router chapter of the FortiGate CLI
Reference.
Route Map
Route maps provide a way for the FortiGate unit to evaluate optimum routes for
forwarding packets or suppressing the routing of packets to particular destinations using
the BGP routing protocol. Compared to access lists, route maps support enhanced
packet-matching criteria. In addition, route maps can be configured to permit or deny the
addition of routes to the FortiGate unit routing table and make changes to routing
information dynamically as defined through route-map rules.
The FortiGate unit compares the rules in a route map to the attributes of a route. The rules
are examined in ascending order until one or more of the rules in the route map are found
to match one or more of the route attributes:
When a single matching match-* rule is found, changes to the routing information are
made as defined through the rules set-ip-nexthop, set-metric, set-metric-type, and/or
set-tag settings.
If no matching rule is found, no changes are made to the routing information.
When more than one match-* rule is defined, all of the defined match-* rules must
evaluate to TRUE or the routing information is not changed.
If no match-* rules are defined, the FortiGate unit makes changes to the routing
information only when all of the default match-* rules happen to match the attributes of
the route.
The default rule in the route map (which the FortiGate unit applies last) denies all routes.
For a route map to take effect, it must be called by a FortiGate unit routing process.
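The first-match logic of the Access List and Prefix List sections and the route-map evaluation rules just described, combined in one added example that is not Fortinet's code. An access-list rule maps onto the same model as a prefix-list rule: an exact-match rule is a PrefixRule with no GE/LE, and a "prefix and any more specific prefix" rule is one with le=32. PrefixRule, RouteMapRule, Route and the helper functions are this example's own names, not FortiOS CLI keywords, and the sample lists, route map and routes are constructed.

```python
"""Added example (not Fortinet code): top-down, first-match evaluation of a
prefix list (GE/LE bounds, implicit deny) and of a route map whose rules use
such a list in their match clauses and apply set-* changes on a match."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PrefixRule:
    action: str                        # "permit" or "deny"
    prefix: Optional[IPv4Network]      # None means "any"
    ge: Optional[int] = None           # minimum prefix length that still matches
    le: Optional[int] = None           # maximum prefix length that still matches


def prefix_rule_matches(rule: PrefixRule, route: IPv4Network) -> bool:
    if rule.prefix is None:
        return True
    if not route.subnet_of(rule.prefix):   # the route must lie inside the rule prefix
        return False
    plen = rule.prefix.prefixlen
    lo = plen if rule.ge is None else rule.ge
    if rule.le is not None:
        hi = rule.le
    elif rule.ge is not None:
        hi = rule.prefix.max_prefixlen     # GE alone: anything down to a host route
    else:
        hi = plen                          # neither: exact prefix length only
    return lo <= route.prefixlen <= hi


def prefix_list_permits(rules: List[PrefixRule], route: IPv4Network) -> bool:
    """Top-down; the first matching rule decides; no match at all means deny."""
    for rule in rules:
        if prefix_rule_matches(rule, route):
            return rule.action == "permit"
    return False


@dataclass
class Route:
    prefix: IPv4Network
    next_hop: str
    metric: int
    interface: str
    tag: int = 0


@dataclass(frozen=True)
class RouteMapRule:
    action: str = "permit"
    match_ip_address: Optional[List[PrefixRule]] = None   # a prefix list; None = no clause
    match_interface: Optional[str] = None
    match_metric: Optional[int] = None
    set_metric: Optional[int] = None
    set_tag: Optional[int] = None


def rule_matches(rule: RouteMapRule, route: Route) -> bool:
    """Every defined match-* clause must be true (AND); no clauses matches everything."""
    checks = []
    if rule.match_ip_address is not None:
        checks.append(prefix_list_permits(rule.match_ip_address, route.prefix))
    if rule.match_interface is not None:
        checks.append(route.interface == rule.match_interface)
    if rule.match_metric is not None:
        checks.append(route.metric == rule.match_metric)
    return all(checks)


def apply_route_map(rules: List[RouteMapRule], route: Route) -> Tuple[bool, Route]:
    """Rules are examined in order; the first matching rule decides and applies
    its set-* values to a copy. The implicit last rule denies, so a route that
    matches nothing is rejected and returned unchanged."""
    for rule in rules:
        if not rule_matches(rule, route):
            continue
        if rule.action == "deny":
            return False, route
        out = replace(route)
        if rule.set_metric is not None:
            out.metric = rule.set_metric
        if rule.set_tag is not None:
            out.tag = rule.set_tag
        return True, out
    return False, route


# Constructed prefix lists: exactly the default route; /16-/24 subnets of 10.0.0.0/8.
DEFAULT_ONLY = [PrefixRule("permit", ip_network("0.0.0.0/0"))]
TEN_16_TO_24 = [PrefixRule("permit", ip_network("10.0.0.0/8"), ge=16, le=24)]

# Constructed route map: drop the default route, re-cost and tag customer
# prefixes learned on port1, implicitly deny everything else.
CUSTOMER_MAP = [
    RouteMapRule(action="deny", match_ip_address=DEFAULT_ONLY),
    RouteMapRule(match_ip_address=TEN_16_TO_24, match_interface="port1",
                 set_metric=50, set_tag=100),
]


def run_example():
    routes = {
        "default": Route(ip_network("0.0.0.0/0"), "192.0.2.1", 10, "port1"),
        "customer": Route(ip_network("10.1.0.0/16"), "192.0.2.1", 10, "port1"),
        "other_if": Route(ip_network("10.1.0.0/16"), "192.0.2.2", 10, "port2"),
    }
    return {name: apply_route_map(CUSTOMER_MAP, r) for name, r in routes.items()}


if __name__ == "__main__":
    for name, (ok, rt) in run_example().items():
        print(f"{name:9s} accepted={ok} metric={rt.metric} tag={rt.tag}")
```

Note that DEFAULT_ONLY matches 0.0.0.0/0 and nothing else, because a rule with neither GE nor LE requires the exact prefix length; that is the property an access list lacks for the default route.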
Figure 193: Route Map GUI widget
For more information on the route map, see the router chapter of the FortiGate CLI
Reference.
Route-map Enter the name of a new route-map. Select Add to save the new route-
map.
Name The name of the route map, or the number of a rule in that route map.
Action The action of the route map rule. Actions can be permit or deny.
Rules The rules include the criteria to match and a value to set. The criteria to
match can be an interface, an address from an access or prefix list, the
next-hop to match from an access or prefix list, a metric, or other information.
The value to set can be the next-hop IP address, the metric, the metric type, and
a tag number.
Delete Icon Select to remove a route map or entry.
Add Icon Select to add a route map entry to a route map.
Edit Icon Select to edit an existing route map entry.
Router Monitor
This section explains how to interpret the Routing Monitor list. The list displays the entries
in the FortiGate routing table.
If you enable virtual domains (VDOMs) on the FortiGate unit, router monitoring is available
separately for each virtual domain. For more information, see Using virtual domains on
page 125.
This section describes:
Viewing routing information
Searching the FortiGate routing table
Viewing routing information
By default, all routes are displayed in the Routing Monitor list. The default static route is
defined as 0.0.0.0/0, which matches the destination IP address of any/all packets.
To display the routes in the routing table, go to Router > Monitor.
Figure 194 shows the Routing Monitor list belonging to a FortiGate unit that has interfaces
named port1, port4, and lan. The names of the interfaces on your FortiGate unit may
be different.
Figure 194: Routing Monitor list - IPv4
Figure 195: Routing Monitor list - IPv6
IP version Select IPv4 or IPv6 routes. Fields displayed vary depending on which IP version is
selected.
Displayed only if IPv6 display is enabled on the web-based manager
Type Select one of the following route types to search the routing table and display routes
of the selected type only:
All: all routes recorded in the routing table.
Connected: all routes associated with direct connections to FortiGate interfaces.
Static: the static routes that have been added to the routing table manually. For
more information, see Static Route on page 316.
RIP: all routes learned through RIP. For more information, see RIP on page 334.
OSPF: all routes learned through OSPF. For more information, see OSPF on
page 338.
BGP: all routes learned through BGP. For more information, see BGP on
page 346.
HA: RIP, OSPF, and BGP routes synchronized between the primary unit and the
subordinate units of a high availability (HA) cluster. HA routes are maintained on
subordinate units and are visible only if you are viewing the router monitor from a
virtual domain that is configured as a subordinate virtual domain in a virtual cluster.
Not displayed when IP version IPv6 is selected.
For details about HA routing synchronization, see the FortiGate HA User Guide.
Network Enter an IP address and netmask (for example, 172.16.14.0/24) to search the
routing table and display routes that match the specified network.
Not displayed when IP version IPv6 is selected.
Gateway Enter an IP address and netmask (for example, 192.168.12.1/32) to search the
routing table and display routes that match the specified gateway.
Not displayed when IP version IPv6 is selected.
Apply Filter Select to search the entries in the routing table based on the specified search criteria
and display any matching routes.
Not displayed when IP version IPv6 is selected.
Type The type values assigned to FortiGate routes (Static, Connected, RIP, OSPF, or
BGP).
Not displayed when IP version IPv6 is selected.
Subtype If applicable, the subtype classification assigned to OSPF routes.
An empty string implies an intra-area route: the destination is in an area to which
the FortiGate unit is connected.
OSPF inter area: the destination is in the OSPF AS, but the FortiGate unit is
not connected to that area.
External 1: the destination is outside the OSPF AS. The metric of a
redistributed route is calculated by adding the external cost and the OSPF cost
together.
External 2: the destination is outside the OSPF AS. In this case, the metric of
the redistributed route is equivalent to the external cost only, expressed as an
OSPF cost.
OSPF NSSA 1: same as External 1, but the route was received through a not-
so-stubby area (NSSA).
OSPF NSSA 2: same as External 2, but the route was received through a not-
so-stubby area.
Not displayed when IP version IPv6 is selected.
Network The IP addresses and network masks of destination networks that the FortiGate unit
can reach.
Distance The administrative distance associated with the route. When several routes lead to
the same destination, the route with the lowest distance is preferred; a value of 0
means the route is preferred over any other route to that destination.
To modify the administrative distance assigned to static routes, see Adding a static
route to the routing table on page 320. To modify this distance for dynamic routes,
see the FortiGate CLI Reference.
Metric The metric associated with the route type. The metric of a route influences how the
FortiGate unit dynamically adds it to the routing table. The following are the types of
metrics and the protocols they apply to.
Hop count: routes learned through RIP.
Relative cost: routes learned through OSPF.
Multi-Exit Discriminator (MED): routes learned through BGP. However, several
attributes in addition to MED determine the best path to a destination network.
Gateway The IP addresses of gateways to the destination networks.
Interface The interface through which packets are forwarded to the gateway of the destination
network.
Up Time The total accumulated amount of time that a route learned through RIP, OSPF, or
BGP has been reachable.
Not displayed when IP version IPv6 is selected.
Searching the FortiGate routing table
You can apply a filter to search the routing table and display certain routes only. For
example, you can display one or more static routes, connected routes, routes learned
through RIP, OSPF, or BGP, and routes associated with the network or gateway that you
specify.
If you want to search the routing table by route type and further limit the display according
to network or gateway, all of the values that you specify as search criteria must match
corresponding values in the same routing table entry in order for that entry to be displayed
(an implicit AND condition is applied to all of the search parameters you specify).
For example, if the FortiGate unit is connected to network 172.16.14.0/24 and you want to
display all directly connected routes to network 172.16.14.0/24, select Connected from
the Type list, type 172.16.14.0/24 in the Network field, and then select Apply Filter to
display the associated routing table entry or entries. Only entries that contain Connected
in the Type field and the specified value in the Network field are displayed.
Note: All of the values that you specify as search criteria must match corresponding values
in the same routing table entry in order for that entry to be displayed.
To search the FortiGate routing table
1 Go to Router > Monitor > Routing Monitor.
2 From the Type list, select the type of route to display. For example, select Connected to
display all connected routes, or select RIP to display all routes learned through RIP.
3 If you want to display routes to a specific network, type the IP address and netmask of
the network in the Network field.
4 If you want to display routes to a specific gateway, type the IP address of the gateway
in the Gateway field.
5 Select Apply Filter.
Firewall Policy
Firewall policies control all traffic attempting to pass through the FortiGate unit, between
FortiGate interfaces, zones, and VLAN subinterfaces.
Firewall policies are instructions the FortiGate unit uses to decide connection acceptance
and packet processing for traffic attempting to pass through. When the firewall receives a
connection packet, it analyzes the packet's source address, destination address, and
service (by port number), and attempts to locate a firewall policy matching the packet.
Firewall policies can contain many instructions for the FortiGate unit to follow when it
receives matching packets. Some instructions are required, such as whether to drop or
accept and process the packets, while other instructions, such as logging and
authentication, are optional.
Policy instructions may include network address translation (NAT), or port address
translation (PAT), by using virtual IPs or IP pools to translate source and destination IP
addresses and port numbers. For details on using virtual IPs and IP pools, see Firewall
Virtual IP on page 421.
Policy instructions may also include protection profiles, which can specify application-layer
inspection and other protocol-specific protection and logging. For details on using
protection profiles, see Firewall Protection Profile on page 467.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall policies are
configured separately for each virtual domain, and you must first enter the virtual domain
to configure its firewall policies. For details, see Using virtual domains on page 125.
This section describes:
How list order affects policy matching
Multicast policies
Viewing the firewall policy list
Configuring firewall policies
Using DoS policies to detect and prevent attacks
Using one-arm sniffer policies to detect network attacks
How FortiOS selects unused NAT ports
Firewall policy examples
How list order affects policy matching
Each time a FortiGate unit receives a connection attempting to pass through one of its
interfaces, the unit searches its firewall policy list for a matching firewall policy.
The search begins at the top of the policy list and progresses in order towards the bottom.
The FortiGate unit evaluates each policy in the firewall policy list for a match until a match
is found. When the FortiGate unit finds the first matching policy, it applies the matching
policy's specified actions to the packet, and disregards subsequent firewall policies.
Matching firewall policies are determined by comparing the firewall policy and the
packets:
source and destination interfaces
source and destination firewall addresses
services
time/schedule.
If no policy matches, the connection is dropped.
As a general rule, you should order the firewall policy list from most specific to most
general because of the order in which policies are evaluated for a match, and because
only the first matching firewall policy is applied to a connection. Subsequent possible
matches are not considered or applied. Ordering policies from most specific to most
general prevents policies that match a wide range of traffic from superseding and
effectively masking policies that match exceptions.
For example, you might have a general policy that allows all connections from the internal
network to the Internet, but want to make an exception that blocks FTP. In this case, you
would add a policy that denies FTP connections above the general policy.
Figure 196: Example: Blocking FTP Correct policy order
FTP connections would immediately match the deny policy, blocking the connection.
Other kinds of services do not match the FTP policy, and so policy evaluation would
continue until reaching the matching general policy. This policy order has the intended
effect. But if you reversed the order of the two policies, positioning the general policy
before the policy to block FTP, all connections, including FTP, would immediately match
the general policy, and the policy to block FTP would never be applied. This policy order
would not have the intended effect.
Figure 197: Example: Blocking FTP Incorrect policy order
Similarly, if specific traffic requires authentication, IPSec VPN, or SSL VPN, you would
position those policies above other potential matches in the policy list. Otherwise, the
other matching policies could always take precedence, and the required authentication,
IPSec VPN, or SSL VPN might never occur.
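The top-down, first-match evaluation and the FTP ordering example above, as an added example that is not Fortinet's code: a policy list is walked from the top, the first policy whose interface pair, addresses, service and schedule all match decides the session, later policies are ignored, and a session that matches no policy is dropped. The Policy and Packet structures, the interface and address values, the helper names and the sample sessions are this example's own constructions, not FortiOS data structures.

```python
"""Added example (not Fortinet code): first-match firewall policy evaluation,
showing why the FTP deny must sit above the general allow, and that a policy's
ID (creation order) says nothing about its position in the list."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    id: int                  # creation-order ID, unchanged when the policy is moved
    srcintf: str
    dstintf: str
    srcaddr: str             # CIDR, or "all"
    dstaddr: str             # CIDR, or "all"
    service: object          # frozenset of (proto, dst_port), or "ALL"
    schedule: object         # (start_hour, end_hour) or "always"
    action: str              # "accept" or "deny"


@dataclass(frozen=True)
class Packet:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    proto: str
    dport: int
    hour: int                # hour (0-23) at which the session is initiated


def addr_ok(spec: str, ip: str) -> bool:
    return spec == "all" or ip_address(ip) in ip_network(spec)


def service_ok(spec, proto: str, dport: int) -> bool:
    return spec == "ALL" or (proto, dport) in spec


def schedule_ok(spec, hour: int) -> bool:
    if spec == "always":
        return True
    start, end = spec
    return start <= hour < end


def policy_matches(p: Policy, pkt: Packet) -> bool:
    return (p.srcintf == pkt.srcintf and p.dstintf == pkt.dstintf
            and addr_ok(p.srcaddr, pkt.src) and addr_ok(p.dstaddr, pkt.dst)
            and service_ok(p.service, pkt.proto, pkt.dport)
            and schedule_ok(p.schedule, pkt.hour))


def decide(policy_list: List[Policy], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the list top-down; the first match decides and the rest are ignored.
    No match at all means the connection is dropped (implicit deny, no ID)."""
    for p in policy_list:
        if policy_matches(p, pkt):
            return p.action, p.id
    return "deny", None


FTP = frozenset({("tcp", 21)})
# Constructed policies: ID 1 was created first (general allow), ID 2 later (FTP exception).
GENERAL_ALLOW = Policy(1, "internal", "wan1", "10.0.0.0/8", "all", "ALL", "always", "accept")
BLOCK_FTP = Policy(2, "internal", "wan1", "10.0.0.0/8", "all", FTP, "always", "deny")

CORRECT_ORDER = [BLOCK_FTP, GENERAL_ALLOW]   # exception above the general rule
WRONG_ORDER = [GENERAL_ALLOW, BLOCK_FTP]     # general rule masks the exception

# Constructed sessions from an internal host to an Internet address.
FTP_SESSION = Packet("internal", "wan1", "10.1.2.3", "203.0.113.10", "tcp", 21, 10)
HTTP_SESSION = Packet("internal", "wan1", "10.1.2.3", "203.0.113.10", "tcp", 80, 10)
# A session on an interface pair that no policy covers at all.
DMZ_SESSION = Packet("dmz", "wan1", "172.16.0.5", "203.0.113.10", "tcp", 80, 10)


if __name__ == "__main__":
    for name, plist in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(name, "ftp ->", decide(plist, FTP_SESSION),
              "http ->", decide(plist, HTTP_SESSION))
    print("dmz ->", decide(CORRECT_ORDER, DMZ_SESSION))
```

In the correct order the FTP session hits policy 2 (deny) and HTTP falls through to policy 1; in the reversed order both sessions hit policy 1 and policy 2 is never consulted, even though its higher ID shows it was created later. The unmatched DMZ session is dropped with no policy ID, which is the implicit deny described above.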
Moving a policy to a different position in the policy list
You can arrange the firewall policy list to influence the order in which policies are
evaluated for matches with incoming traffic. When more than one policy has been defined
for the same interface pair, the first matching firewall policy will be applied to the traffic
session. For more information, see How list order affects policy matching on page 363.
Moving a policy in the firewall policy list does not change its ID, which only indicates the
order in which the policy was created.
Note: A default firewall policy may exist which accepts all connections. You can move,
disable or delete it. If you move the default policy to the bottom of the firewall policy list and
no other policy matches the packet, the connection will be accepted. If you disable or delete
the default policy and no other policy matches the packet, the connection will be dropped.
Figure 198: Move Policy
To move a policy in the policy list
1 Go to Firewall > Policy.
Or go to Firewall > Policy > DoS Policy.
Or go to Firewall > Policy > Sniffer Policy.
Or go to Firewall > Policy > Policy6.
2 In the firewall policy list, note the ID of a firewall policy that is before or after your
intended destination.
3 In the row corresponding to the firewall policy that you want to move, select the
Move To icon.
4 Select Before or After, and enter the ID of the firewall policy that is before or after your
intended destination. This specifies the policys new position in the firewall policy list.
5 Select OK.
Enabling and disabling policies
From the policy lists you can temporarily enable or disable policies. It can be useful to
temporarily disable a policy without deleting it; you can then enable it again without
having to re-add it.
To temporarily disable a policy in the policy list
1 Go to Firewall > Policy.
Or go to Firewall > Policy > DoS Policy.
Or go to Firewall > Policy > Sniffer Policy.
Or go to Firewall > Policy > Policy6.
2 Select a policy to disable and clear the checkbox in the status column entry for the
policy.
All sessions currently being processed by the policy continue, but no new sessions will
start until you re-enable the policy.
To view sessions currently being processed by a policy, use the Top Sessions widget in
the dashboard and select Details. The Policy ID column in the sessions list shows the
policies in use and the sessions using them. From this list you can select a Policy ID to
view the policy and also go to the policy list containing the policy.
3 To enable a policy, select the checkbox in the status column entry for the policy.
Multicast policies
FortiGate units support multicast policies. You can configure and create multicast policies
using the following CLI command:
config firewall multicast-policy
For more information, see the FortiOS CLI Reference and the FortiGate Multicast
Technical Note.
Viewing the firewall policy list
The firewall policy list displays firewall policies in their order of matching precedence for
each source and destination interface pair.
If virtual domains are enabled on the FortiGate unit, firewall policies are configured
separately for each virtual domain; you must access the VDOM before you can configure
its policies. To access a VDOM, go to System > VDOM, and in the row corresponding to
the VDOM whose policies you want to configure, select Enter.
You can add, delete, edit, and re-order policies in the policy list. Firewall policy order
affects policy matching. For details about arranging policies in a policy list, see How list
order affects policy matching on page 363 and Moving a policy to a different position in
the policy list on page 364.
To view the policy list, go to Firewall > Policy. To view the IPv6 firewall policy list go to
Firewall > IPv6 Policy.
Figure 199: Firewall policy list
Create New Add a new firewall policy. Select the down arrow beside Create New to add a
new section to the list to visually group the policies.
For security purposes, selecting Create New adds the new policy to the bottom
of the list. Once the policy is added to the list you can use the Move To icon to
move the policy to the required position in the list. You can also use the Insert
Policy before icon to add a new policy above another policy in the list. See How
list order affects policy matching on page 363.
Column Settings Customize the table view. You can select the columns to hide or display and
specify the column displaying order in the table. For more information, see
Using column settings to control the columns displayed on page 61 and
Web-based manager icons on page 63.
Section View Select to display firewall policies organized by source and destination interfaces.
Note: Section View is not available if any policy selects Any as the source or
destination interface.
Global View Select to list all firewall policies in order according to a sequence number.
Filter icons Edit the column filters to filter or sort the policy list according to the criteria you
specify. For more information, see Adding filters to web-based manager lists
on page 57.
ID The policy identifier. Policies are numbered in the order they are added to the
policy list.
From The source interface of the policy. Global view only.
To The destination interface of the policy. Global view only.
Source The source address or address group to which the policy applies. For more
information, see Firewall Address on page 395.
Destination The destination address or address group to which the policy applies. For more
information, see Firewall Address on page 395.
Schedule The schedule that controls when the policy should be active. For more
information, see Firewall Schedule on page 411.
Service The service to which the policy applies. For more information, see Firewall
Service on page 401.
Profile The protection profile that is associated with the policy.
Action The response to make when the policy matches a connection attempt.
Status Select the checkbox to enable a policy or deselect it to disable a policy. See
Enabling and disabling policies on page 365.
VPN Tunnel The VPN tunnel the VPN policy uses.
Authentication The user authentication method the policy uses.
Comments Comments entered when creating or editing the policy.
Log A green check mark indicates traffic logging is enabled for the policy; a grey
cross mark indicates traffic logging is disabled for the policy.
Count The FortiGate unit counts the number of packets and bytes that hit the firewall
policy.
For example, 5/50B means that five packets and 50 bytes in total have hit the
policy.
The counter is reset when the FortiGate unit is restarted or the policy is deleted
and re-configured.
Delete icon Delete the policy from the list.
Edit icon Edit a policy.
Insert Policy Before icon Add a new policy above the corresponding policy. Use this option to
simplify policy ordering. See How list order affects policy matching on page 363.
Move To icon Move the corresponding policy before or after another policy in the list. For more
information, see Moving a policy to a different position in the policy list on
page 364.
Configuring firewall policies
You can configure firewall policies to define which sessions will match the policy and what
actions the FortiGate unit will perform with packets from matching sessions.
Sessions are matched to a firewall policy by considering these features of both the packet
and policy:
Source Interface/Zone
Source Address
Destination Interface/Zone
Destination Address
schedule and time of the session's initiation
service and the packet's port numbers.
If the initial packet matches the firewall policy, the FortiGate unit performs the configured
Action and any other configured options on all packets in the session.
Packet handling actions can be ACCEPT, DENY, IPSEC or SSL-VPN.
ACCEPT policy actions permit communication sessions, and may optionally include
other packet processing instructions, such as requiring authentication to use the policy,
or specifying a protection profile to apply features such as virus scanning to packets in
the session. An ACCEPT policy can also carry interface-mode IPSec VPN traffic if
either the selected source or destination interface is an IPSec virtual interface. For
more information, see Overview of IPSec VPN configuration on page 603.
DENY policy actions block communication sessions, and may optionally log the denied
traffic.
IPSEC and SSL-VPN policy actions apply a tunnel mode IPSec VPN or SSL VPN
tunnel, respectively, and may optionally apply NAT and allow traffic for one or both
directions. If permitted by the firewall encryption policy, a tunnel may be initiated
automatically whenever a packet matching the policy arrives on the specified network
interface, destined for the local private network. For more information, see Configuring
IPSec firewall policies on page 376 and Configuring SSL VPN identity-based firewall
policies on page 376.
To add or edit a firewall policy, go to Firewall > Policy. Select Create New to add a policy
or select the edit icon beside an existing firewall policy. Configure the settings as
described in the following table and in the references to specific features for IPSec, SSL
VPN and other specialized settings, and then select OK.
If you want to create a DoS policy, go to Firewall > Policy > DoS Policy, and configure the
settings according to the following table. DoS policies are independent from firewall
policies and are used to associate DoS sensors with traffic that reaches a FortiGate
interface. DoS policies deliver packets to the IPS before they are accepted by firewall
policies. This arrangement results in more effective protection from denial of service attacks
and other benefits. For more information, see Using DoS policies to detect and prevent
attacks on page 379.
If you want to create a Sniffer policy, go to Firewall > Policy > Sniffer Policy, and configure
the settings according to the following table. For more information, see Using one-arm
sniffer policies to detect network attacks on page 382.
If you want to use IPv6 firewall addresses in your firewall policy, first go to System > Admin
> Settings. Select IPv6 Support on GUI. Then go to Firewall > Policy > IPv6 Policy, and
configure the settings according to the following table. Configuring IPv6 policies is the
same as configuring IPv4 policies. You can add a protection profile to an IPv6 firewall
policy and you can also configure shared traffic shaping and log allowed or denied traffic.
You cannot create IPv6 firewall policies for IPSec or SSL VPN and you cannot add
authentication to IPv6 policies.
Firewall policy order affects policy matching. Each time that you create or edit a policy,
make sure that you position it in the correct location in the list. You can create a new policy
and position it right away before an existing one in the firewall policy list, by selecting
Insert Policy before (see Viewing the firewall policy list on page 366).
Note: You can configure differentiated services (DSCP) firewall policy options through the
CLI. See the firewall chapter of the FortiGate CLI Reference.
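As an added example (not FortiGate code), the following Python model walks an ordered policy list the way this section describes: the first match on interfaces, addresses, schedule and service wins, a virtual IP destination gets DNAT with SNAT only when NAT is enabled, and the matching policy's packet/byte counter is updated. The routing table, interface addresses, virtual IP and sample policies are constructed, and the model assumes the VIP's mapped address is what determines the destination interface.

```python
"""Added example, not FortiGate code: a minimal model of the first-match
policy evaluation described in this section. The routing table, interface
addresses, virtual IP and sample policies are all constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed routing table (longest prefix wins) and interface addresses.
ROUTES = {"10.0.0.0/8": "port1", "0.0.0.0/0": "port2"}
INTF_IPS = {"port1": "10.0.0.1", "port2": "203.0.113.1"}
# Constructed virtual IP: name -> (external address, mapped internal host).
VIPS = {"web_vip": ("203.0.113.10", "10.0.0.80")}


@dataclass(frozen=True)
class Packet:
    in_intf: str
    src: str
    dst: str
    proto: str
    dport: int
    hour: int        # hour at which the session is initiated (for the schedule)
    size: int = 60   # bytes, for the per-policy hit counter


@dataclass
class Policy:
    pid: int
    srcintf: str              # interface name or "any"
    dstintf: str
    srcaddr: str              # CIDR or "all"
    dstaddr: str              # CIDR, "all", or a virtual IP name
    services: frozenset       # {(proto, dport), ...} or frozenset({"ANY"})
    action: str               # "ACCEPT" or "DENY"
    hours: range = range(24)  # recurring schedule, e.g. range(8, 18)
    nat: bool = False         # source NAT to the outgoing interface address
    log: bool = False
    packets: int = 0          # hit counter, as shown in the policy list ("5/50B")
    bytes: int = 0


@dataclass
class Verdict:
    action: str
    policy: Optional[int]     # id of the matching policy, None for the implicit deny
    src: str                  # source address after any translation
    dst: str                  # destination address after any translation
    logged: bool


def route(dst: str) -> str:
    """Longest-prefix route lookup: this decides the destination interface."""
    ip = ipaddress.ip_address(dst)
    candidates = [ipaddress.ip_network(n) for n in ROUTES if ip in ipaddress.ip_network(n)]
    return ROUTES[str(max(candidates, key=lambda n: n.prefixlen))]


def _addr_match(spec: str, ip: str, vip: Optional[str] = None) -> bool:
    if spec == "all":
        return True
    if spec in VIPS:                  # a VIP object matches its own external address
        return spec == vip
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def matches(p: Policy, pkt: Packet, out_intf: str, vip: Optional[str]) -> bool:
    """All six criteria must hold for the initial packet of the session."""
    return (p.srcintf in ("any", pkt.in_intf)
            and p.dstintf in ("any", out_intf)
            and _addr_match(p.srcaddr, pkt.src)
            and _addr_match(p.dstaddr, pkt.dst, vip)
            and pkt.hour in p.hours
            and ("ANY" in p.services or (pkt.proto, pkt.dport) in p.services))


def evaluate(policies: list, pkt: Packet) -> Verdict:
    """Walk the list top to bottom; the first match decides, later policies are never consulted."""
    vip = next((n for n, (ext, _) in VIPS.items() if ext == pkt.dst), None)
    # Model assumption: the VIP's mapped address is what gets routed, so the
    # destination interface is the one facing the internal host.
    out_intf = route(VIPS[vip][1] if vip else pkt.dst)
    for p in policies:
        if not matches(p, pkt, out_intf, vip):
            continue
        p.packets += 1
        p.bytes += pkt.size
        src, dst = pkt.src, pkt.dst
        if p.action == "ACCEPT":
            if p.dstaddr in VIPS:         # VIP as destination: DNAT is always applied
                dst = VIPS[p.dstaddr][1]
            if p.nat:                     # NAT enabled as well: SNAT too, i.e. full NAT
                src = INTF_IPS[out_intf]
        return Verdict(p.action, p.pid, src, dst, p.log)
    return Verdict("DENY", None, pkt.src, pkt.dst, False)   # no match: implicit deny


def sample_policies() -> list:
    """Constructed policy list; policy 4 is shadowed by policy 3 during working hours."""
    return [
        Policy(1, "port2", "port1", "all", "web_vip", frozenset({("tcp", 80)}), "ACCEPT", log=True),
        Policy(2, "port1", "port2", "10.0.0.0/8", "all", frozenset({("udp", 53)}), "ACCEPT", nat=True),
        Policy(3, "port1", "port2", "10.0.0.0/8", "all", frozenset({"ANY"}), "ACCEPT",
               hours=range(8, 18), nat=True),
        Policy(4, "port1", "port2", "10.0.0.0/8", "all", frozenset({("tcp", 22)}), "ACCEPT"),
    ]


if __name__ == "__main__":
    pols = sample_policies()
    for pkt in (Packet("port2", "198.51.100.7", "203.0.113.10", "tcp", 80, 10),
                Packet("port1", "10.0.0.5", "198.51.100.9", "tcp", 22, 10),
                Packet("port1", "10.0.0.5", "198.51.100.9", "tcp", 22, 20)):
        print(pkt.proto, pkt.dport, "at", pkt.hour, "->", evaluate(pols, pkt))
    print({p.pid: f"{p.packets}/{p.bytes}B" for p in pols})
```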
Figure 200: Firewall Policy options
Figure 201: IPv6 firewall policy options
Source
Interface/Zone
Select the name of the FortiGate network interface, virtual domain (VDOM) link,
or zone on which IP packets are received. Interfaces and zones are configured
on the System Network page. For more information, see Configuring interfaces
on page 145 and Configuring zones on page 170.
If you select Any as the source interface, the policy matches all interfaces as
source.
If Action is set to IPSEC, the interface is associated with the local private
network.
If Action is set to SSL-VPN, the interface is associated with connections from
remote SSL VPN clients.
Source Address Select the name of a firewall address to associate with the Source
Interface/Zone. Only packets whose header contains an IP address matching
the selected firewall address will be subject to this policy.
You can also create firewall addresses by selecting Create New from this list.
For more information, see Configuring addresses on page 397.
If you want to associate multiple firewall addresses or address groups with the
Source Interface/Zone, from Source Address, select Multiple. In the dialog box,
move the firewall addresses or address groups from the Available Addresses
section to the Members section, then select OK.
If Action is set to IPSEC, the address is the private IP address of the host,
server, or network behind the FortiGate unit.
If Action is set to SSL-VPN and the policy is for web-only mode clients, select all.
If Action is set to SSL-VPN and the policy is for tunnel mode clients, select the
name of the address that you reserved for tunnel mode clients.
Destination
Interface/Zone
Select the name of the FortiGate network interface, virtual domain (VDOM) link,
or zone to which IP packets are forwarded. Interfaces and zones are configured
on the System Network page. For more information, see Configuring interfaces
on page 145 and Configuring zones on page 170.
If you select Any as the destination interface, the policy matches all interfaces as
destination.
If Action is set to IPSEC, the interface is associated with the entrance to the VPN
tunnel.
If Action is set to SSL-VPN, the interface is associated with the local private
network.
Destination
Address
Select the name of a firewall address to associate with the Destination
Interface/Zone. Only packets whose header contains an IP address matching
the selected firewall address will be subject to this policy.
You can also create firewall addresses by selecting Create New from this list.
For more information, see Configuring addresses on page 397.
If you want to associate multiple firewall addresses or address groups with the
Destination Interface/Zone, from Destination Address, select Multiple. In the
dialog box, move the firewall addresses or address groups from the Available
Addresses section to the Members section, then select OK.
If you select a virtual IP, the FortiGate unit applies NAT or PAT. The applied
translation varies by the settings specified in the virtual IP, and whether you
select NAT (below). For more information on using virtual IPs, see Firewall
Virtual IP on page 421.
If Action is set to IPSEC, the address is the private IP address to which packets
may be delivered at the remote end of the VPN tunnel.
If Action is set to SSL-VPN, select the name of the IP address that corresponds
to the host, server, or network that remote clients need to access behind the
FortiGate unit.
Schedule Select a one-time or recurring schedule or a schedule group that controls when
the policy is in effect.
You can also create schedules by selecting Create New from this list. For more
information, see Firewall Schedule on page 411.
Service Select the name of a firewall service or service group that packets must match to
trigger this policy.
You can select from a wide range of predefined firewall services, or you can
create a custom service or service group by selecting Create New from this list.
For more information, see Configuring custom services on page 406 and
Configuring service groups on page 408.
By selecting the Multiple button beside Service, you can select multiple services
or service groups.
Action Select how you want the firewall to respond when a packet matches the
conditions of the policy. The options available will vary widely depending on this
selection.
ACCEPT Accept traffic matched by the policy. You can configure NAT, protection profiles,
log traffic, shape traffic, set authentication options, or add a comment to the
policy.
DENY Reject traffic matched by the policy. The only other configurable policy options
are Log Violation Traffic to log the connections denied by this policy and adding
a Comment.
IPSEC You can configure an IPSec firewall encryption policy to process IPSec VPN
packets, as well as configure protection profiles, log traffic, shape traffic or add a
comment to the policy. See Configuring IPSec firewall policies on page 376.
SSL-VPN You can configure an SSL-VPN firewall encryption policy to accept SSL VPN
traffic. This option is available only after you have added a SSL-VPN user group.
You can also configure NAT and protection profiles, log traffic, shape traffic or
add a comment to the policy. See Configuring SSL VPN identity-based firewall
policies on page 376.
NAT Available only if Action is set to ACCEPT or SSL-VPN. Enable or disable
Network Address Translation (NAT) of the source address and port of packets
accepted by the policy. When NAT is enabled, you can also configure Dynamic
IP Pool and Fixed Port.
If you select a virtual IP as the Destination Address, but do not select the NAT
option, the FortiGate unit performs destination NAT (DNAT) rather than full NAT.
Source NAT (SNAT) is not performed.
Dynamic IP Pool Select the check box, then select an IP pool to translate the source address to
an IP address randomly selected from addresses in the IP Pool.
IP Pool cannot be selected if the destination interface, VLAN subinterface, or
one of the interfaces or VLAN subinterfaces in the destination zone is configured
using DHCP or PPPoE.
For details, see Configuring IP pools on page 437.
Fixed Port Select Fixed Port to prevent NAT from translating the source port.
Some applications do not function correctly if the source port is translated. In
most cases, if Fixed Port is selected, Dynamic IP pool is also selected. If
Dynamic IP pool is not selected, a policy with Fixed Port selected can allow only
one connection to that service at a time.
Note: Fixed Port is only visible if enabled from the CLI.
Enable Identity
Based Policy
Select to configure firewall policies that require authentication. For more
information, see Adding authentication to firewall policies on page 372. This
section also describes the Firewall, Directory Service (FSAE), NTLM
Authentication, and Enable Disclaimer and Redirect URL to options.
Protection
Profile
Select a protection profile to apply to a firewall policy. You can also create a
protection profile by selecting Create New from this list. For more information,
see Firewall Protection Profile on page 467.
If you intend to apply authentication to this policy, do not make a Protection
Profile selection. The user group you choose for authentication is already linked
to a protection profile. For more information, see Adding authentication to
firewall policies on page 372.
Traffic Shaping Select a shared traffic shaper for the policy. You can also create a new shared
traffic shaper. Shared traffic shapers control the bandwidth available to, and set
the priority of, the traffic as it is processed by the policy.
For information about configuring shared traffic shapers, see Configuring
shared traffic shapers on page 417.
Adding authentication to firewall policies
If you enable Enable Identity Based Policy in a firewall policy, network users must send
traffic involving a supported firewall authentication protocol to trigger the firewall
authentication challenge, and successfully authenticate, before the FortiGate unit will
allow any other traffic matching the firewall policy.
User authentication can occur through any of the following supported protocols:
HTTP
HTTPS
FTP
Telnet
The authentication style depends on which of these supported protocols you have
included in the selected firewall services group and which of those enabled protocols the
network user applies to trigger the authentication challenge. The authentication style will
be one of two types. For certificate-based (HTTPS or HTTP redirected to HTTPS only)
authentication, you must install customized certificates on the FortiGate unit and on the
browsers of network users, which the FortiGate unit matches. For user name and
password-based (HTTP, FTP, and Telnet) authentication, the FortiGate unit prompts
network users to input their firewall user name and password.
Reverse
Direction
Traffic
Shaping
Select to enable reverse traffic shaping and select a shared traffic shaper. For
example, if the traffic direction that a policy controls is from port1 to port2,
selecting this option also applies the policy's shaping configuration to traffic
from port2 to port1.
For information about configuring shared traffic shapers, see Configuring
shared traffic shapers on page 417.
Per-IP Traffic
Shaping
Select a Per-IP traffic shaper for the policy. Per-IP traffic shaping applies traffic
shaping to the traffic generated from the IP addresses added to the Per-IP traffic
shaper added to the firewall policy.
For information about configuring per-IP traffic shapers, see Configuring Per IP
traffic shaping on page 419.
Log Allowed
Traffic
Select to record messages to the traffic log whenever the policy processes a
connection. You must also enable traffic log for a logging location (syslog,
WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging
severity level to Notification or lower using the Log and Report screen. For more
information see Log&Report on page 703.
Log Violation
Traffic
Available only if Action is set to DENY. Select Log Violation Traffic, for Deny
policies, to record messages to the traffic log whenever the policy processes a
connection. You must also enable traffic log for a logging location (syslog,
WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging
severity level to Notification or lower using the Log and Report screen. For more
information, see Log&Report on page 703.
Enable Endpoint
NAC
Select to enable the Endpoint NAC feature and select the Endpoint NAC profile
to apply. For more information, see Endpoint NAC on page 687.
Notes:
You cannot enable Endpoint NAC in firewall policies if Redirect HTTP
Challenge to a Secure Channel (HTTPS) is enabled in User > Options >
Authentication.
If the firewall policy involves a load balancing virtual IP, the Endpoint NAC
check is not performed.
Comments Add information about the policy. The maximum length is 63 characters.
For example, if you want to require HTTPS certificate-based authentication before
allowing SMTP and POP3 traffic, you must select a firewall service (in the firewall policy)
that includes SMTP, POP3 and HTTPS services. Prior to using either POP3 or SMTP, the
network user would send traffic using the HTTPS service, which the FortiGate unit would
use to verify the network user's certificate; upon successful certificate-based
authentication, the network user would then be able to access his or her email.
In most cases, you should ensure that users can use DNS through the FortiGate unit
without authentication. If DNS is not available, users will not be able to use a domain
name when using a supported authentication protocol to trigger the FortiGate unit's
authentication challenge.
Authentication requires that Action is ACCEPT or SSL-VPN, and that you first create
users, assign them to a firewall user group, and assign a protection profile to that user
group. For information on configuring user groups, see User Group on page 658. For
information on configuring authentication settings, see Configuring identity-based firewall
policies on page 373 and Configuring SSL VPN identity-based firewall policies on
page 376.
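As an added example (not FortiGate code), the following Python model shows the gating behaviour described above: traffic on a non-authentication service is held until the source has authenticated over one of the supported trigger protocols, and a service outside the policy (DNS here) is not matched by it at all. The directory of users and groups, the service names, the addresses and the modelling of an HTTPS client certificate as a (user, secret) pair are all constructed.

```python
"""Added example, not FortiGate code: a model of how an identity-based policy
gates traffic on a prior authentication. Users, groups, services and
addresses are constructed; a client certificate is modelled as (user, secret)."""
from typing import Dict, Optional

AUTH_TRIGGER_SERVICES = {"HTTP", "HTTPS", "FTP", "TELNET"}  # protocols that can carry the challenge
CERT_BASED = {"HTTPS"}                                        # certificate-based; the rest prompt for credentials

# Constructed directory: user -> (secret, group).
DIRECTORY = {"alice": ("s3cret", "mail_users"), "bob": ("hunter2", "guests")}


class IdentityPolicy:
    """An ACCEPT policy with Enable Identity Based Policy set."""

    def __init__(self, services, user_groups):
        self.services = set(services)
        self.user_groups = set(user_groups)
        self.authenticated: Dict[str, str] = {}  # source IP -> user, filled by a successful challenge

    def handle(self, src_ip: str, service: str, cred: Optional[tuple] = None) -> str:
        """Return what happens to one packet from src_ip for the given service."""
        if service not in self.services:
            return "NO_MATCH"              # not this policy; evaluation continues down the list
        if src_ip in self.authenticated:
            return "ALLOW"                 # already authenticated: every service of the policy is allowed
        if service not in AUTH_TRIGGER_SERVICES:
            return "DROP_PENDING_AUTH"     # e.g. SMTP before HTTPS: nothing passes until the user authenticates
        if cred is None:                   # first contact on a trigger protocol: issue the challenge
            return "CERT_CHALLENGE" if service in CERT_BASED else "LOGIN_PROMPT"
        user, secret = cred
        entry = DIRECTORY.get(user)
        if entry is None or entry[0] != secret:
            return "AUTH_FAILED"
        if entry[1] not in self.user_groups:
            return "AUTH_FAILED"           # valid user, but not in a group this policy accepts
        self.authenticated[src_ip] = user
        return "ALLOW"


def mail_scenario() -> list:
    """Walk through the SMTP/POP3/HTTPS example from the text; returns the sequence of outcomes."""
    policy = IdentityPolicy({"SMTP", "POP3", "HTTPS"}, {"mail_users"})
    steps = [
        ("10.0.0.5", "SMTP", None),                  # mail before authenticating: dropped
        ("10.0.0.5", "HTTPS", None),                 # HTTPS triggers the certificate challenge
        ("10.0.0.5", "HTTPS", ("alice", "s3cret")),  # alice is in mail_users: authenticated
        ("10.0.0.5", "SMTP", None),                  # now mail flows
        ("10.0.0.5", "DNS", None),                   # DNS is not in this policy; it needs its own, unauthenticated one
        ("10.0.0.6", "HTTPS", ("bob", "hunter2")),   # valid user, wrong group
        ("10.0.0.6", "POP3", None),                  # still unauthenticated, so still held
    ]
    return [policy.handle(*step) for step in steps]


if __name__ == "__main__":
    for outcome in mail_scenario():
        print(outcome)
```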
Configuring identity-based firewall policies
For network users to use non-SSL-VPN identity-based policies, you need to add user
groups to the policy. For information about configuring user groups, see User Group on
page 658.
To configure identity-based policies, go to Firewall > Policy, select Create New to add a
firewall policy, or, in the row corresponding to an existing firewall policy, select Edit. Make
sure that Action is set to ACCEPT. Select Enable Identity Based Policy.
Note: If you do not install certificates on the network users' web browsers, the network users
may see an SSL certificate warning message and have to manually accept the default
FortiGate certificate, which their web browsers may then deem invalid. For
information on installing certificates, see System Certificates on page 279.
Note: When you use certificate authentication, if you do not specify a certificate when
you create a firewall policy, the FortiGate unit uses the default certificate from the global
settings. If you specify a certificate, the per-policy setting overrides the global setting.
For information on global authentication settings, see Options on page 667.
Figure 202: Selecting user groups for authentication

Enable Identity
Based Policy
Select to enable identity-based policy authentication.
When the Action is set to ACCEPT, you can select one or more authentication
server types. When a network user attempts to authenticate, the server types
selected indicate which local or remote authentication servers the FortiGate unit
will consult to verify the user's credentials.
Add The selected user groups that must authenticate to be allowed to use this
policy.
Delete icon Select to remove this identity-based policy.
Edit icon Select to modify this identity-based policy.
Move To icon Select to change the position of this identity-based policy in the identity-based
policy list.
User Group The selected user groups that must authenticate to be allowed to use this
policy.
Service The firewall service or service group that packets must match to trigger this
policy.
To create an identity-based firewall policy (non-SSL-VPN)
1 Go to Firewall > Policy > Policy and select Create New.
2 Configure Source Interface/Zone, Source Address, Destination Interface/Zone,
Destination Address, Schedule, and Service. For more information, see Configuring
firewall policies on page 367.
3 In the Action field, select ACCEPT.
4 Select Enable Identity Based Policy to be able to add identity-based policies.
5 Select Add.
6 From the Available User Groups list, select one or more user groups that must
authenticate to be allowed to use this policy. Select the right arrow to move the
selected user groups to the Selected User Groups list.
7 Select services in the Available Services list and then select the right arrow to move
them to the Selected Services list.
8 Select a Schedule.
Schedule The one-time or recurring schedule that controls when the policy is in effect.
You can also create schedules by selecting Create New from this list. For more
information, see Firewall Schedule on page 411.
Protection Profile The protection profile to apply to this policy. You can also create a protection
profile by selecting Create New from this list. For more information, see
Firewall Protection Profile on page 467.
Traffic Shaping The traffic shaping configuration for this policy.
For more information, see Firewall Policy on page 363.
Reverse
Direction
Traffic Shaping
Select to enable the reverse traffic shaping and choose the traffic shaper. For
example, if the traffic direction that a policy controls is from port1 to port2, select
this option to apply traffic shaping to traffic from port2 to port1.
Log Allowed
Traffic
If the Log Allowed Traffic option is selected when adding an identity-based
policy, a green check mark appears. Otherwise, a white cross mark appears.
Firewall Include firewall user groups defined locally on the FortiGate unit, as well as on
any connected LDAP and RADIUS servers. This option is selected by default.
Directory Service
(FSAE)
Include Directory Service groups defined in User > User Group. The groups are
authenticated through a domain controller using Fortinet Server Authentication
Extensions (FSAE). If you select this option, you must install the FSAE on the
Directory Service domain controller. For information about FSAE, see the
Fortinet Server Authentication Extension Administration Guide. For information
about configuring user groups, see User Group on page 658.
NTLM
Authentication
Include Directory Service groups defined in User > User Group. If you select
this option, you must use Directory Service groups as the members of the
authentication group for NTLM. For information about configuring user groups,
see User Group on page 658.
Certificate Certificate-based authentication only. Select the protection profile that guest
accounts will use. Note: In order to implement certificate-based authentication,
you must select a firewall service group that includes one of the supported
authentication protocols that use certificate-based authentication. You should
also install the certificate on the network user's web browser. For more
information, see Adding authentication to firewall policies on page 372.
Enable Disclaimer
and Redirect URL
to
Select this option to display the Authentication Disclaimer replacement
message HTML page after the user authenticates. The user must accept the
disclaimer to connect to the destination. For information about customizing user
authentication replacement messages, see User authentication replacement
messages on page 232.
You can also optionally enter an IP address or domain name to redirect user
HTTP requests after accepting the authentication disclaimer. The redirect URL
could be to a web page with extra information (for example, terms of usage).
To prevent web browser security warnings, this should match the CN field of
the specified auth-cert, which is usually a fully qualified domain name
(FQDN).
9 Optionally, select Protection Profile and choose a protection profile.
10 Optionally, select Traffic Shaping and choose a traffic shaper.
11 If you selected Traffic Shaping, optionally select Reverse Direction Traffic Shaping and
choose a traffic shaper.
12 Optionally select Log Allowed Traffic.
13 Select OK.
Configuring IPSec firewall policies
In a firewall policy (see Configuring firewall policies on page 367), the following
encryption options are available for IPSec. To configure these options, go to Firewall >
Policy, select Create New to add a firewall policy, or in the row corresponding to an
existing firewall policy, select Edit. Make sure that Action is set to IPSEC. Enter the
information in the following table and select OK.
Figure 203: IPSEC encryption policy
For more information, see the FortiGate IPSec VPN User Guide.
Configuring SSL VPN identity-based firewall policies
For network users to use SSL-VPN identity-based policies, you must configure users, add
them to user groups, and then configure the policy.
To create an identity-based firewall policy (SSL-VPN), go to Firewall > Policy > Policy and
select Create New and enter the information in the following table. Select Action > SSL
VPN.
For more information, see Configuring firewall policies on page 367.
VPN Tunnel Select the VPN tunnel name defined in the phase 1 configuration. The specified
tunnel will be subject to this firewall encryption policy.
Allow Inbound Select to enable traffic from a dialup client or computers on the remote private
network to initiate the tunnel.
Allow outbound Select to enable traffic from computers on the local private network to initiate
the tunnel.
Inbound NAT Select to translate the source IP addresses of inbound decrypted packets into
the IP address of the FortiGate interface to the local private network.
Outbound NAT Select only in combination with a natip CLI value to translate the source
addresses of outbound cleartext packets into the IP address that you specify.
When a natip value is specified, the source addresses of outbound IP packets
are replaced before the packets are sent through the tunnel. For more
information, see the firewall chapter of the FortiGate CLI Reference.
Note: For a route-based (interface mode) VPN, you do not configure an IPSec firewall
policy. Instead, you configure two regular ACCEPT firewall policies, one for each direction
of communication, with the IPSec virtual interface as the source or destination interface as
appropriate.
Note: The SSL-VPN option is only available from the Action list after you have added SSL
VPN user groups. To add SSL VPN user groups, see SSL VPN user groups on page 660.
Figure 204: Configuring a new SSL VPN firewall policy
Source
Interface/Zone
Select the name of the FortiGate network interface, virtual domain (VDOM)
link, or zone on which IP packets are received.
Source Address Select the name of a firewall address to associate with the Source
Interface/Zone. Only packets whose header contains an IP address
matching the selected firewall address will be subject to this policy.
You can also create firewall addresses by selecting Create New from this
list. For more information, see Configuring addresses on page 397.
If Action is set to SSL-VPN and the policy is for web-only mode clients,
select all.
If Action is set to SSL-VPN and the policy is for tunnel mode clients, select
the name of the address that you reserved for tunnel mode clients.
Destination
Interface/Zone
Select the name of the FortiGate network interface, virtual domain (VDOM)
link, or zone to which IP packets are forwarded. If Action is set to SSL-VPN,
the interface is associated with the local private network.
Destination Address Select the name of a firewall address to associate with the Destination
Interface/Zone. Only packets whose header contains an IP address
matching the selected firewall address will be subject to this policy.
You can also create firewall addresses by selecting Create New from this
list. For more information, see Configuring addresses on page 397.
If you want to associate multiple firewall addresses or address groups with
the Destination Interface/Zone, from Destination Address, select Multiple. In
the dialog box, move the firewall addresses or address groups from the
Available Addresses section to the Members section, then select OK.
If you select a virtual IP, the FortiGate unit applies NAT or PAT. The applied
translation varies by the settings specified in the virtual IP, and whether you
select NAT (below). For more information on using virtual IPs, see Firewall
Virtual IP on page 421.
If Action is set to IPSEC, the address is the private IP address to which
packets may be delivered at the remote end of the VPN tunnel.
If Action is set to SSL-VPN, select the name of the IP address that
corresponds to the host, server, or network that remote clients need to
access behind the FortiGate unit.
Action Select SSL-VPN to configure the firewall encryption policy to accept SSL
VPN traffic. This option is available only after you have added a SSL-VPN
user group.
SSL Client Certificate
Restrictive
Allow traffic generated by holders of a (shared) group certificate. The
holders of the group certificate must be members of an SSL VPN user
group, and the name of that user group must be present in the Allowed field.
Cipher Strength Select the bit level of SSL encryption. The web browser on the remote client
must be capable of matching the level that you select: Any, High >= 164, or
Medium >= 128.
User Authentication
Method
Select the authentication server type by which the user will be
authenticated:
Any For all of the above authentication methods. Local is attempted first, then
RADIUS, then LDAP.
Local For a local user group that will be bound to this firewall policy.
RADIUS For remote clients that will be authenticated by an external RADIUS server.
LDAP For remote clients that will be authenticated by an external LDAP server.
TACACS+ For remote clients that will be authenticated by an external TACACS+
server.
Using DoS policies to detect and prevent attacks
DoS policies are primarily used to apply DoS sensors to network traffic based on the
FortiGate interface it is leaving or entering as well as the source and destination
addresses. DoS sensors are a traffic anomaly detection feature to identify network traffic
that does not fit known or common traffic patterns and behavior. A common example of
anomalous traffic is the denial of service attack. A denial of service occurs when an
attacking system starts an abnormally large number of sessions with a target system. The
large number of sessions slows down or disables the target system so legitimate users
can no longer use it.
NAT Enable or disable Network Address Translation (NAT) of the source address
and port of packets accepted by the policy. When NAT is enabled, you can
also configure Dynamic IP Pool and Fixed Port.
If you select a virtual IP as the Destination Address, but do not select the
NAT option, the FortiGate unit performs destination NAT (DNAT) rather than
full NAT. Source NAT (SNAT) is not performed.
Tip: If you select NAT, the IP address of the outgoing interface of the
FortiGate unit is used as the source address for new sessions started by
SSL VPN.
Fixed Port Select Fixed Port to prevent NAT from translating the source port.
Note: Fixed Port is only visible if enabled from the CLI.
Add Select to add identity-based policies to the SSL VPN policy.
Delete icon Select to remove this identity-based policy.
Edit icon Select to modify this identity-based policy.
Move To icon Select to change the position of this identity-based policy in the identity-
based policy list.
User Group The selected user groups that must authenticate to be allowed to use this
policy.
Service The firewall service or service group that packets must match to trigger this
policy.
Schedule Select a one-time or recurring schedule that controls when the policy is in
effect.
You can also create schedules by selecting Create New from this list. For
more information, see Firewall Schedule on page 411.
Protection Profile Select a protection profile to apply to a firewall policy. You can also create a
protection profile by selecting Create New from this list. For more
information, see Firewall Protection Profile on page 467.
Traffic Shaping Select a traffic shaper for the policy. You can also select to create a new
traffic shaper. Traffic Shaping controls the bandwidth available to, and sets
the priority of the traffic processed by, the policy.
For information about traffic shaping, see Traffic Shaping on page 415.
Note: The traffic shaping option can be used to traffic shape tunnel-mode
SSL VPN traffic, but has no effect on web-mode SSL VPN traffic.
Reverse Direction
Traffic Shaping
Select to enable reverse traffic shaping. For example, if the traffic
direction that a policy controls is from port1 to port2, selecting this option
also applies the policy's shaping configuration to traffic from port2 to port1.
Log Allowed Traffic Select to record messages to the traffic log whenever the policy processes
a connection. You must also enable traffic log for a logging location (syslog,
WebTrends, local disk if available, memory, or FortiAnalyzer) and set the
logging severity level to Notification or lower using the Log and Report
screen. For more information see Log&Report on page 703.
Comments Add information about the policy. The maximum length is 63 characters.
DoS policies examine network traffic very early in the sequence of protective measures
the FortiGate unit deploys to protect your network. Because of this, DoS policies are a
very efficient defence, using few resources. The previously mentioned denial of service
would be detected and its packets dropped before requiring firewall policy look-ups,
antivirus scans, and other protective but resource-intensive operations.
This section provides an introduction to configuring DoS Policies. For more information
see the FortiGate UTM User Guide.
Viewing the DoS policy list
The DoS policy list displays the DoS policies in their order of matching precedence for
each interface, source/destination address pair, and service.
If virtual domains are enabled on the FortiGate unit, DoS policies are configured
separately for each virtual domain; you must access the VDOM before you can configure
its policies. To access a VDOM, go to System > VDOM, and in the row corresponding to
the VDOM whose policies you want to configure, select Enter.
You can add, delete, edit, and re-order policies in the DoS policy list. DoS policy order
affects policy matching. As with firewall policies, DoS policies are checked against traffic in
the order in which they appear in the DoS policy list, one at a time, from top to bottom.
When a matching policy is found, it is used and checking for further DoS policy matches stops.
To view the DoS policy list, go to Firewall > Policy > DoS Policy.
Figure 205: The DoS policy list
Create New: Add a new DoS policy. Select the down arrow beside Create New to add a new section to the list to visually group the policies.
Column Settings: Customize the table view. You can select the columns to hide or display and specify the column display order in the table. See Using column settings to control the columns displayed on page 61.
Section View: Select to display firewall policies organized by interface.
Global View: Select to list all firewall policies in order according to a sequence number.
Filter icon: Edit the column filters to filter or sort the policy list according to the criteria you specify. For more information, see Adding filters to web-based manager lists on page 57.
Status: When selected, the DoS policy is enabled. Clear the checkbox to disable the policy. See Enabling and disabling policies on page 365.
Configuring DoS policies
The DoS policy configuration allows you to specify the interface, a source address, a
destination address, and a service. All of the specified attributes must match network
traffic to trigger the policy.
You can also use the config firewall interface-policy CLI command to add DoS policies from the CLI. You can also use this CLI command to add an IPS sensor or an Application Control black/white list to a DoS policy. For more information, see the FortiGate CLI Reference.
You can use the config firewall interface-policy6 command to add IPv6 sniffer policies. For more information about FortiGate IPv6 support, see FortiGate IPv6 support on page 264.
Figure 206: Editing a DoS policy
ID: A unique identifier for each policy. Policies are numbered in the order they are created.
Source: The source address or address group to which the policy applies. For more information, see Firewall Address on page 395.
Destination: The destination address or address group to which the policy applies. For more information, see Firewall Address on page 395.
Service: The service to which the policy applies. For more information, see Firewall Service on page 401.
DoS: The DoS sensor selected in this policy.
Interface: The interface to which this policy applies.
Delete icon: Delete the policy from the list.
Edit icon: Edit the policy.
Insert Policy Before icon: Add a new policy above the corresponding policy (the New Policy screen appears).
Move To icon: Move the corresponding policy before or after another policy in the list.
Source Interface/Zone: The interface or zone to be monitored.
Source Address: Select an address, address range, or address group to limit traffic monitoring to network traffic sent from the specified address or range. Select Multiple to include multiple addresses or ranges. You can also select Create New to add a new address or address group.
Destination Address: Select an address, address range, or address group to limit traffic monitoring to network traffic sent to the specified address or range. Select Multiple to include multiple addresses or ranges. You can also select Create New to add a new address or address group.
Service: Select a firewall pre-defined service or a custom service to limit traffic monitoring to only the selected service or services. You can also select Create New to add a custom service.
DoS Sensor: Select and specify a DoS sensor to have the FortiGate unit apply the sensor to matching network traffic. You can also select Create New to add a new DoS sensor. See DoS sensors on page 537.
Using one-arm sniffer policies to detect network attacks
Using sniffer policies you can configure a FortiGate unit interface to operate as a one-arm intrusion detection system (IDS) appliance by sniffing packets for attacks without actually receiving and otherwise processing the packets.
To configure one-arm IDS, you need to configure one or more FortiGate interfaces to operate in one-arm sniffer mode. To do this, go to System > Network > Interface, edit an interface and select Enable one-arm sniffer mode. When you configure an interface to operate in one-arm sniffer mode it cannot be used for any other purpose. For example, you cannot add firewall policies for the interface and you cannot add the interface to a zone.
After you have configured the interface for one-arm sniffer mode, connect the interface to a hub or to the SPAN port of a switch that is processing network traffic.
Figure 207: One-arm IDS topology (labels: Internal network; Hub or switch; SPAN port; Internet)
Then you can go to Firewall > Policy > Sniffer Policy and add sniffer policies for that FortiGate interface that include a DoS sensor, an IPS sensor, and an Application black/white list to detect attacks and other activity in the traffic that the FortiGate interface receives from the hub or switch SPAN port.
In one-arm sniffer mode, the interface receives packets accepted by sniffer mode policies only. All packets not received by sniffer mode policies are dropped. All packets received by sniffer mode policies go through IPS inspection and are dropped after they are analyzed by IPS.
Note: If you add VLAN interfaces to an interface configured for one-arm sniffer operation, each VLAN interface also operates in one-arm sniffer mode and you can add sniffer policies for that VLAN interface.
One-arm IDS cannot block traffic. However, if you enable logging in the DoS and IPS
sensors and the application black/white lists, the FortiGate unit records log messages for
all detected attacks and applications.
This section provides an introduction to configuring sniffer policies. For more information
see the FortiGate UTM User Guide.
Viewing the sniffer policy list
The sniffer policy list displays sniffer policies in their order of matching precedence for
each interface, source/destination address pair, and service.
If virtual domains are enabled on the FortiGate unit, sniffer policies are configured
separately for each virtual domain; you must access the VDOM before you can configure
its policies. To access a VDOM, go to System > VDOM, and in the row corresponding to
the VDOM whose policies you want to configure, select Enter.
You can add, delete, edit, and re-order policies in the sniffer policy list. Sniffer policy order
affects policy matching. As with firewall policies and DoS policies, sniffer policies are
checked against traffic in the order in which they appear in the sniffer policy list, one at a
time, from top to bottom. When a matching policy is found, it is used and checking for further sniffer policy matches stops. If no match is found, the packet is dropped.
To view the sniffer policy list, go to Firewall > Policy > Sniffer Policy.
Figure 208: The Sniffer policy list
Create New: Add a new sniffer policy. Select the down arrow beside Create New to add a new section to the list to visually group the policies.
Column Settings: Customize the table view. You can select the columns to hide or display and specify the column display order in the table. See Using column settings to control the columns displayed on page 61.
Section View: Select to display firewall policies organized by interface.
Global View: Select to list all firewall policies in order according to a sequence number.
Filter icon: Edit column filters to filter or sort the policy list according to the criteria you specify. For more information, see Adding filters to web-based manager lists on page 57.
Status: When selected, the policy is enabled. Clear the checkbox to disable the policy. See Enabling and disabling policies on page 365.
Configuring sniffer policies
Use the sniffer policy configuration to specify the interface, a source address, a
destination address, and a service. All of the specified attributes must match network
traffic to trigger the policy.
You can also use the config firewall sniff-interface-policy CLI command to add sniffer policies from the CLI. For more information, see the FortiGate CLI Reference.
You can use the config firewall sniff-interface-policy6 command to add IPv6 sniffer policies. For more information about FortiGate IPv6 support, see FortiGate IPv6 support on page 264.
Figure 209: Editing a sniffer policy
ID: A unique identifier for each policy. Policies are numbered in the order they are created.
Source: The source address or address group to which the policy applies. For more information, see Firewall Address on page 395.
Destination: The destination address or address group to which the policy applies. For more information, see Firewall Address on page 395.
Service: The service to which the policy applies. For more information, see Firewall Service on page 401.
DoS: The DoS sensor selected in this policy.
Sensor: The IPS sensor selected in this policy.
Application Black/White List: The Application Black/White List selected in this policy.
Delete icon: Delete the policy from the list.
Edit icon: Edit the policy.
Insert Policy Before icon: Add a new policy above the corresponding policy (the New Policy screen appears).
Move To icon: Move the corresponding policy before or after another policy in the list.
Source Interface/Zone: The interface or zone to be monitored.
Source Address: Select an address, address range, or address group to limit traffic monitoring to network traffic sent from the specified address or range. Select Multiple to include multiple addresses or ranges. You can also select Create New to add a new address or address group.
Destination Address: Select an address, address range, or address group to limit traffic monitoring to network traffic sent to the specified address or range. Select Multiple to include multiple addresses or ranges. You can also select Create New to add a new address or address group.
Service: Select a firewall pre-defined service or a custom service to limit traffic monitoring to only the selected service or services. You can also select Create New to add a custom service.
DoS Sensor: Select and specify a DoS sensor to have the FortiGate unit apply the sensor to matching network traffic. You can also select Create New to add a new DoS sensor. See DoS sensors on page 537.
IPS Sensor: Select and specify an IPS sensor to have the FortiGate unit apply the sensor to matching network traffic. You can also select Create New to add a new IPS sensor. See IPS sensors on page 529.
Application Black/White List: Select and specify an Application Black/White List to have the FortiGate unit apply the application control black/white list to matching network traffic. You can also select Create New to add a new Application Black/White List. See Creating a new application control black/white list on page 597.
How FortiOS selects unused NAT ports
Consider the following idealized topology for a university that allows its students to connect to the Internet through a FortiGate unit:
Figure 210: Example university Internet connection topology (labels: Student Network 10.0.0.0/8 with Student A, Student B, Student C and Student Z; External IP address 192.168.1.1; Internet; Video Sharing 172.20.120.1; Search Engine 172.20.120.2; Social Networking 172.20.120.3)
The university does not give a publicly routable IP address to its students. Instead each student uses DHCP to obtain an IP address from the 10.0.0.0/8 range from the FortiGate unit. The FortiGate unit then uses Network Address Port Translation (NAPT) to translate all traffic so that it appears to come from IP address 192.168.1.1.
For example, consider student A (IP address 10.78.33.97) who wants to connect to the search engine (IP address 172.20.120.2) and sends a packet with the following IP addresses and port numbers:
src-ip: 10.78.33.97
dst-ip: 172.20.120.2
src-port: 10000
dst-port: 80
When this packet passes through the FortiGate unit with NAT enabled the packet is modified to be:
src-ip: 192.168.1.1
dst-ip: 172.20.120.2
src-port: 46372
dst-port: 80
Where 192.168.1.1 is the external IP address of the FortiGate unit and 46372 is an unused port chosen by the FortiGate unit.
The following sections describe three solutions to choosing the unused port. These
solutions provide some context for the last section which describes how FortiOS chooses
an unused port.
Global pool
In this approach there is a single pool of ports which are available for assignment. When a
port is assigned it is removed from the pool. Because the port is removed from the pool, it
is not possible to assign the same port twice. Once a port is no longer needed for NAT it is
returned to the pool so that it can be assigned again.
For example if the range is from 0x7000 (28672) to 0xF000 (61440) then there are 2^15 (32768) possible ports that can be simultaneously used (the reason for choosing this range is described below). The maximum number of simultaneous connections is 32768. This maximum is independent of transport protocol.
This approach was one of the first approaches used for choosing a NAT port because it is simple to implement. It is viable if the number of connections is unlikely to reach the pool size, for example in the case of a NAT firewall for home use. However, it is not really a viable solution for a large university or ISP that would usually be processing thousands of simultaneous sessions.
This is not the approach that FortiOS uses.
Global per-protocol pool
Using a global per-protocol pool extends the global pool approach by having a separate pool for TCP and UDP. The chosen pool is a function of the protocol used. With the same range of 32768 ports there are 32768 ports for UDP and 32768 ports for TCP, resulting in a total of 65536 ports. The result is twice as many available ports, but this still would not be enough for a university or ISP.
This is not the approach that FortiOS uses.
Per NAT IP pool
Using a per NAT IP pool extends the approach further so that rather than just a per-
protocol pool, the pool is also determined by the NAT IP. Thus, the pool is a function of the
protocol and the NAT IP. In the topology shown in Figure 210 on page 385 the NAT IP is
192.168.1.1. If there is only one NAT IP then this approach is no different from global per-
protocol pools. However, consider the topology shown in Figure 211 with two separate
Internet connections and thus two NAT IP addresses 192.168.1.1 and 192.168.2.2.
Figure 211: Example university Internet connection topology with two Internet connections (labels: Student Network 10.0.0.0/8 with Student A, Student B, Student C and Student Z; External IP address 192.168.1.1; External IP address 192.168.2.2; Internet; Video Sharing 172.20.120.1; Search Engine 172.20.120.2; Social Networking 172.20.120.3)
If the FortiGate configuration includes equal-cost multipath (ECMP) routing, both Internet connections can be used simultaneously and the maximum number of connections is N*R*P where N is the number of NAT IP addresses, R is the port range, and P is the number of protocols. So for the case where there are two NAT IPs, the range is 32768 and the protocols are TCP and UDP then the maximum number of simultaneous connections is:
2 * 32768 * 2 = 131,072
This solution scales with the number of NAT IPs that can be deployed and so could feasibly be used by a university or a small ISP.
This is not the approach that FortiOS uses.
Per NAT IP, destination IP, port, and protocol pool
This is the approach that FortiOS uses.
Using a per NAT IP, destination IP, port, and protocol pool is a further refinement that expands the pool to be a function of the protocol, NAT IP, destination IP and destination port.
The reason for using these attributes to determine the pool is a consequence of the session-based design of the FortiOS firewall. When a TCP connection is made through a FortiGate unit, a session is created and two indexes are created for the session. The FortiGate unit uses these indexes to guide matching traffic to the session.
One index is for traffic flowing in the same direction as the packet that initiated the creation of the session:
src-ip: 10.78.33.97
dst-ip: 172.20.120.2
proto: tcp
src-port: 10000
dst-port: 80
And the other index is for traffic flowing in the opposite/reply direction:
src-ip: 172.20.120.2
dst-ip: 192.168.1.1
proto: tcp
src-port: 80
dst-port: 46372
Where 46372 is the chosen NAT port. In both cases when traffic matches either of these indexes the session that the traffic belongs to can be uniquely identified.
Using a per NAT IP, destination IP, port, and protocol pool, when choosing the NAT port FortiOS only has to ensure that the chosen port combined with the other four attributes is unique, so that the session is uniquely identified. So for example, if student A simultaneously makes a connection to the search engine (destination IP address 172.20.120.2) on port 443 this would create another session and the index in the reply direction would be:
src-ip: 172.20.120.2
dst-ip: 192.168.1.1
proto: tcp
src-port: 443
dst-port: NP
The value of NP can be any value as long as the five values together are unique. For example, FortiOS could choose 46372 again:
src-ip: 172.20.120.2
dst-ip: 192.168.1.1
proto: tcp
src-port: 443
dst-port: 46372
This is acceptable because:
src-ip: 172.20.120.2
dst-ip: 192.168.1.1
proto: tcp
src-port: 80
dst-port: 46372
and
src-ip: 172.20.120.2
dst-ip: 192.168.1.1
proto: tcp
src-port: 443
dst-port: 46372
have different src-port values.
The result of using the per NAT IP, destination IP, port, and protocol pool approach is that a pool of 32768 ports is available for each unique combination of src-ip, dst-ip, proto and src-port.
The maximum number of simultaneous connections that can be supported is N*R*P*D*Dp where N is the number of NAT IP addresses, R is the port range, P is the number of protocols, D is the number of unique destination IP addresses and Dp the number of unique destination ports.
Considering the large number of destination IP addresses available, the number of simultaneous connections that can be supported is very large. To get an idea of how large, for one destination IP address and one NAT IP address the calculation would be N=1, R=32,768, P=2, D=1 and Dp=32,768:
1 * 32,768 * 2 * 1 * 32,768 = 2,147,483,648
A problem with this calculation is that not all 32,768 possible destination ports are used. In fact for many organizations, most Internet traffic is web traffic using destination port 80 and all using the TCP protocol. So the pool size limit for web traffic to one destination IP address from one NAT IP address using the TCP protocol would be N=1, R=32,768, P=1, D=1 and Dp=1:
1 * 32,768 * 1 * 1 * 1 = 32,768
Using the topology in Figure 210 on page 385, for students simultaneously connecting to the search engine, the social networking and the video sharing sites on TCP port 80, and assuming each site uses one IP address, a maximum of 32,768 simultaneous connections are allowed to each site, or 32,768 * 3 = 98,304 connections in total.
Many large public web sites may use round-robin DNS to rotate through at least four IP addresses. If the search engine and the video sharing site did this with an even balance of IP usage the result would be a maximum of 4 * 32,768 = 131,072 connections to the search engine, 131,072 connections to the video sharing site and 32,768 connections to the social networking site, for a total of 294,912 different connections supported by the single FortiGate unit with one NAT IP and for a total of 9 destination IP addresses and one destination port.
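The pool designs compared in this section, as an added example in Python; this is not FortiOS code. One allocator with a pluggable pool key models the global, global per-protocol, per NAT IP, and per NAT IP/destination IP/destination port/protocol pools, keeps the reply-direction index the text describes, and reproduces the point that one NAT port can serve both the port 80 and the port 443 session from student A to 172.20.120.2. The port range and addresses are the guide's example values; the data structures, the lowest-free-port choice within a pool, and the function names are this example's assumptions and say nothing about how FortiOS picks a port inside a pool.

```python
"""NAT source-port selection modelled on the pool designs in the guide (added example, not FortiOS code)."""
from typing import Callable, Dict, Set, Tuple

PORT_LOW = 0x7000                      # 28672: start of the range quoted in the guide
PORT_HIGH = 0xF000                     # 61440: end of the range (exclusive)
PORT_RANGE = PORT_HIGH - PORT_LOW      # 2**15 = 32768 ports per pool


# Pool-selection policies as key functions over (proto, nat_ip, dst_ip, dst_port).
# Sessions with equal keys draw from the same pool and so can never share a port.
def global_key(proto, nat_ip, dst_ip, dst_port):
    return ()                          # global pool: one pool for everything


def per_protocol_key(proto, nat_ip, dst_ip, dst_port):
    return (proto,)                    # global per-protocol pool


def per_nat_ip_key(proto, nat_ip, dst_ip, dst_port):
    return (proto, nat_ip)             # per NAT IP pool


def fortios_key(proto, nat_ip, dst_ip, dst_port):
    return (proto, nat_ip, dst_ip, dst_port)   # the design the guide attributes to FortiOS


class PortPool:
    """One pool of PORT_RANGE ports; hands out a free port and takes it back on release."""

    def __init__(self) -> None:
        self.in_use: Set[int] = set()
        self.cursor = PORT_LOW         # next candidate (assumption: a released port is not reused at once)

    def acquire(self) -> int:
        if len(self.in_use) >= PORT_RANGE:
            raise RuntimeError("NAT port pool exhausted")
        port = self.cursor
        while port in self.in_use:
            port = PORT_LOW + (port + 1 - PORT_LOW) % PORT_RANGE
        self.in_use.add(port)
        self.cursor = PORT_LOW + (port + 1 - PORT_LOW) % PORT_RANGE
        return port

    def release(self, port: int) -> None:
        self.in_use.discard(port)


class NatAllocator:
    """Chooses NAT ports and maintains the reply-direction session index from the guide."""

    def __init__(self, key_fn: Callable[..., tuple]) -> None:
        self.key_fn = key_fn
        self.pools: Dict[tuple, PortPool] = {}
        # (src-ip, dst-ip, proto, src-port, dst-port) as seen on the reply packet
        # -> the internal (src-ip, src-port) that the reply belongs to
        self.reply_index: Dict[Tuple[str, str, str, int, int], Tuple[str, int]] = {}

    def open_session(self, src_ip, src_port, dst_ip, dst_port, proto, nat_ip) -> int:
        pool = self.pools.setdefault(self.key_fn(proto, nat_ip, dst_ip, dst_port), PortPool())
        nat_port = pool.acquire()
        key = (dst_ip, nat_ip, proto, dst_port, nat_port)
        # The pool key guarantees these five values are unique; this check proves it.
        if key in self.reply_index:
            raise AssertionError("reply index collision: %r" % (key,))
        self.reply_index[key] = (src_ip, src_port)
        return nat_port

    def lookup_reply(self, src_ip, src_port, dst_ip, dst_port, proto):
        """Map a reply packet (server -> NAT IP) back to the internal host and port, or None."""
        return self.reply_index.get((src_ip, dst_ip, proto, src_port, dst_port))

    def close_session(self, dst_ip, dst_port, proto, nat_ip, nat_port) -> None:
        del self.reply_index[(dst_ip, nat_ip, proto, dst_port, nat_port)]
        self.pools[self.key_fn(proto, nat_ip, dst_ip, dst_port)].release(nat_port)


def max_sessions(nat_ips, protocols, dst_ips=1, dst_ports=1, port_range=PORT_RANGE) -> int:
    """N * R * P * D * Dp from the guide; D and Dp stay 1 for designs that ignore the destination."""
    return nat_ips * port_range * protocols * dst_ips * dst_ports


if __name__ == "__main__":
    nat = NatAllocator(fortios_key)
    p80 = nat.open_session("10.78.33.97", 10000, "172.20.120.2", 80, "tcp", "192.168.1.1")
    p443 = nat.open_session("10.78.33.97", 10001, "172.20.120.2", 443, "tcp", "192.168.1.1")
    print("port 80 session uses NAT port", p80, "and port 443 session uses", p443)
    print("reply to port 443 session maps to", nat.lookup_reply("172.20.120.2", 443, "192.168.1.1", p443, "tcp"))
    print("web-only limit:", max_sessions(1, 1), "theoretical:", max_sessions(1, 2, 1, PORT_RANGE))
```

Running the file prints the two NAT ports (equal, because the two sessions draw from different pools) and the 32,768 and 2,147,483,648 figures from the text. Swap fortios_key for global_key or per_protocol_key to see the earlier designs hand out distinct ports for the same two sessions.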
Firewall policy examples
FortiGate units are capable of meeting various network requirements from home use to
SOHO, large enterprises and ISPs. The following two scenarios demonstrate practical
applications of firewall policies in the SOHO and large enterprise environments.
This section describes:
Scenario one: SOHO-sized business
Scenario two: enterprise-sized business
Viewing the firewall policy list
Configuring firewall policies
Scenario one: SOHO-sized business
Company A is a small software company performing development and providing customer
support. In addition to their internal network of 15 computers, they also have several
employees who work from home all or some of the time.
With their current network topography, all 15 of the internal computers are behind a router
and must go to an external source to access the IPS mail and web servers. All home-
based employees access the router through open/non-secured connections.
Figure 212: Example SOHO network before FortiGate installation (labels: Internal Network 192.168.100.1 with Finance Department, Help Desk and Engineering Department; Home-based Workers (no secure connection); Internet; ISP Web Server; IPS Mail Server; 172.16.10.3)
Company A requires secure connections for home-based workers. Like many companies, they rely heavily on email and Internet access to conduct business. They want a comprehensive security solution to detect and prevent network attacks, block viruses, and decrease spam. They want to apply different protection settings for different departments. They also want to integrate web and email servers into the security solution.
To deal with their first requirement, Company A configures specific policies for each home-based worker to ensure secure communication between the home-based worker and the internal network.
1 Go to Firewall > Policy.
2 Select Create New and enter or select the following settings for Home_User_1:
Interface / Zone: Source: internal; Destination: wan1
Address: Source: CompanyA_Network; Destination: Home_User_1
Schedule: Always
Service: ANY
Action: IPSEC
VPN Tunnel: Home1
Allow Inbound: yes
Allow outbound: yes
Inbound NAT: yes
Outbound NAT: no
Protection Profile: Select the check mark and select standard_profile
3 Select OK.
4 Select Create New and enter or select the following settings for Home_User_2:
Interface / Zone: Source: internal; Destination: wan1
Address: Source: CompanyA_network; Destination: All
Schedule: Always
Service: ANY
Action: IPSEC
VPN Tunnel: Home2_Tunnel
Allow Inbound: yes
Allow outbound: yes
Inbound NAT: yes
Outbound NAT: no
Protection Profile: Select the check mark and select standard_profile
5 Select OK.
Figure 213: SOHO network topology with FortiGate-100 (labels: FortiGate 100A; Internal 192.168.100.1; Finance Users 192.168.100.10-192.168.100.20; Help Desk Users 192.168.100.21-192.168.100.50; Engineering Users 192.168.100.51-192.168.100.100; DMZ 10.10.10.1; Web Server 10.10.10.3; Email Server 10.10.10.2; External 172.30.120.8; Internet; VPN Tunnel; Home User 1 172.20.100.6; VPN Tunnel; Home User 2 172.25.106.99)
The proposed network is based around a FortiGate-100A unit. The 15 internal computers are behind the FortiGate unit. They now access the email and web servers in a DMZ, which is also behind the FortiGate unit. All home-based employees now access the office network through the FortiGate unit via VPN tunnels.
Scenario two: enterprise-sized business
Located in a large city, the library system is anchored by a main downtown location
serving most of the population, with more than a dozen branches spread throughout the
city. Each branch is wired to the Internet but none are linked with each other by dedicated
connections.
The current network topography at the main location consists of three user groups. The
main branch staff and public terminals access the servers in the DMZ behind the firewall.
The catalog access terminals directly access the catalog server without first going through
the firewall.
The topography at the branch office has all three users accessing the servers at the main
branch through non-secured internet connections.
Figure 214: The library systems current network topology
The library must be able to set different access levels for patrons and staff members.
The first firewall policy for main office staff members allows full access to the Internet at all
times. A second policy will allow direct access to the DMZ for staff members. A second
pair of policies is required to allow branch staff members the same access.
The staff firewall policies will all use a protection profile configured specifically for staff
access. Enabled features include virus scanning, email filtering, IPS, and blocking of all
P2P traffic. FortiGuard web filtering is also used to block advertising, malware, and
spyware sites.
A few users may need special web and catalog server access to update information on
those servers, depending on how they are configured. Special access can be allowed
based on IP address or user.
The proposed topography has the main branch staff and the catalog access terminals
going through a FortiGate HA cluster to the servers in a DMZ. The public access terminals
first go through a FortiWiFi unit, where additional policies can be applied, to the HA
Cluster and finally to the servers.
The branch office has all three users routed through a FortiWiFi unit to the main branch via
VPN tunnels.
Figure 215: Proposed library system network topology
Policies are configured in Firewall > Policy. Protection Profiles are configured in Firewall >
Protection Profile.
Main office staff to Internet policy:
Source Interface: Internal
Source Address: All
Destination Interface: External
Destination Address: All
Schedule: Always
Action: Accept
Main office staff to DMZ policy:
Source Interface: Internal
Source Address: All
Destination Interface: DMZ
Destination Address: Servers
Schedule: Always
Action: Accept
Branches staff to Internet policy:
Source Interface: Branches
Source Address: Branch Staff
Destination Interface: External
Destination Address: All
Schedule: Always
Action: Accept
Branches staff to DMZ policy:
Source Interface: Branches
Source Address: Branch Staff
Destination Interface: DMZ
Destination Address: Servers
Schedule: Always
Action: Accept
For more information about these examples, see:
SOHO and SMB Configuration Example Guide
FortiGate Enterprise Configuration Example
Firewall Address
Firewall addresses and address groups define network addresses that you can use in the source and destination address fields of firewall policies. The FortiGate unit compares the IP addresses contained in packet headers with the firewall policy source and destination addresses to determine whether the firewall policy matches the traffic. You can add IPv4 addresses and address ranges, IPv6 addresses, and fully qualified domain names (FQDNs).
You can organize related addresses into address groups and related IPv6 addresses into
IPv6 address groups to simplify your firewall policy lists.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall addresses are
configured separately for each virtual domain, and you must first enter the virtual domain
to configure its firewall addresses. For details, see Using virtual domains on page 125.
This section describes:
About firewall addresses
About IPv6 firewall addresses
Viewing the firewall address list
Configuring addresses
Viewing the address group list
Configuring address groups
About firewall addresses
This section describes the options for adding firewall addresses. These are IPv4
addresses, address ranges, or fully qualified domain names (FQDNs). You can also add
IPv6 addresses. See About IPv6 firewall addresses on page 396.
A firewall address can contain one or more network addresses. Network addresses can
be represented by an IP address with a netmask, an IP address range, or a fully qualified
domain name (FQDN).
When representing hosts by an IP address with a netmask, the IP address can represent one or more hosts. For example, a firewall address can be:
a single computer, such as 192.45.46.45
a subnetwork, such as 192.168.1.0 for a class C subnet
0.0.0.0, which matches any IP address
The netmask corresponds to the subnet class of the address being added, and can be represented in either dotted decimal or CIDR format. The FortiGate unit automatically converts CIDR formatted netmasks to dotted decimal format. Example formats:
netmask for a single computer: 255.255.255.255, or /32
netmask for a class A subnet: 255.0.0.0, or /8
netmask for a class B subnet: 255.255.0.0, or /16
netmask for a class C subnet: 255.255.255.0, or /24
netmask including all IP addresses: 0.0.0.0
Valid IP address and netmask formats include:
x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0
x.x.x.x/x, such as 192.168.1.0/24
When representing hosts by an IP Range, the range indicates hosts with contiguous IP
addresses in a subnet, such as 192.168.1.[2-10], or 192.168.1.* to indicate the
complete range of hosts on that subnet. Valid IP Range formats include:
x.x.x.x-x.x.x.x, such as 192.168.110.100-192.168.110.120
x.x.x.[x-x], such as 192.168.110.[100-120]
x.x.x.*, such as 192.168.110.*
When representing hosts by a FQDN, the domain name can be a subdomain, such as
mail.example.com. A single FQDN firewall address may be used to apply a firewall policy
to multiple hosts, as in load balancing and high availability (HA) configurations, because
the FortiGate unit automatically resolves the name and maintains a record of all addresses
to which the FQDN resolves. Valid FQDN formats include:
<host_name>.<second_level_domain_name>.<top_level_domain_name>, such as
mail.example.com
<host_name>.<top_level_domain_name>
About IPv6 firewall addresses
By default, IPv6 firewall addresses can be configured only from the CLI. To enable
configuring IPv6 settings on the web-based manager, see Settings on page 261.
An IPv6 firewall address can contain one IPv6 address or an IPv6 address and subnet.
You cannot add IPv6 address ranges.
Example IPv6 firewall address:
3ffe:ffff:1011:f101:0210:a4ff:fee3:9566/128
If you enter a single IPv6 address without a prefix length, the FortiGate unit adds the /128
netmask.
Example IPv6 firewall address for a subnet:
2001:470:1f0e:162::/64
The IPv6 address field is restricted to around 34 characters so you cannot add full IPv6
addresses and netmasks. Instead you should use the short form netmask shown in the
examples.
You cannot assign IPv6 addresses to a FortiGate interface.
Note: An IP address 0.0.0.0 with netmask 255.255.255.255 is not a valid firewall
address.
Caution: Be cautious if employing FQDN firewall addresses. Using a fully qualified domain
name in a firewall policy, while convenient, does present some security risks, because
policy matching then relies on a trusted DNS server. Should the DNS server be
compromised or its answers spoofed, firewall policies requiring domain name resolution
may no longer function properly, and a policy that accepts traffic for the FQDN would
match whatever addresses the attacker-controlled answer supplies.
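The IPv4 and IPv6 address notations described above, as an added Python example that is not part of this guide or of FortiOS: a normalizer that accepts each documented form (dotted-decimal or CIDR netmask, x.x.x.x-x.x.x.x, x.x.x.[x-x], x.x.x.*, IPv6 with or without a prefix), applies the implicit /32 and /128 for bare addresses, rejects the 0.0.0.0 with 255.255.255.255 case the note calls invalid, and tests whether a packet address falls inside the result. FQDN addresses are left out because matching them depends on live DNS resolution, which is the risk the caution describes. The function names and the single-host default for a bare IPv4 address are assumptions for this illustration.

```python
"""Normalize FortiGate-style firewall address strings and match IPs against them.

Added example, not FortiOS code. Handles the IPv4 forms x.x.x.x/x.x.x.x,
x.x.x.x/x, x.x.x.x-x.x.x.x, x.x.x.[x-x], x.x.x.* and IPv6 address/prefix.
"""
import ipaddress
import re

_RANGE_BRACKET = re.compile(r"^(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]$")
_RANGE_STAR = re.compile(r"^(\d+\.\d+\.\d+)\.\*$")


def parse_firewall_address(text):
    """Return (family, low, high): family is 4 or 6, low/high are inclusive
    ipaddress objects. Raises ValueError for forms the guide calls invalid."""
    text = text.strip()
    if ":" in text:
        # IPv6: a single address (implicit /128) or address/prefix; no ranges.
        if "-" in text:
            raise ValueError("IPv6 address ranges are not supported")
        net = ipaddress.IPv6Network(text if "/" in text else text + "/128", strict=False)
        return 6, net[0], net[-1]

    bracket = _RANGE_BRACKET.match(text)
    star = _RANGE_STAR.match(text)
    if bracket:
        prefix, lo, hi = bracket.groups()
        low = ipaddress.IPv4Address(f"{prefix}.{lo}")
        high = ipaddress.IPv4Address(f"{prefix}.{hi}")
    elif star:
        prefix = star.group(1)
        low = ipaddress.IPv4Address(f"{prefix}.0")
        high = ipaddress.IPv4Address(f"{prefix}.255")
    elif "-" in text:
        first, last = text.split("-", 1)
        low, high = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    else:
        # x.x.x.x/x.x.x.x or x.x.x.x/x; a bare address is treated as one host
        # (/32), which is an assumption of this example.
        if "/" not in text:
            text += "/32"
        addr, mask = text.split("/", 1)
        if addr == "0.0.0.0" and mask in ("32", "255.255.255.255"):
            raise ValueError("0.0.0.0/255.255.255.255 is not a valid firewall address")
        # ipaddress accepts either a prefix length or a dotted-decimal netmask.
        net = ipaddress.IPv4Network((addr, mask), strict=False)
        low, high = net[0], net[-1]
    if low > high:
        raise ValueError(f"range {text} is reversed")
    return 4, low, high


def address_matches(text, packet_ip):
    """True if packet_ip (a string) falls inside the firewall address text.
    An IPv4 packet never matches an IPv6 address and vice versa."""
    family, low, high = parse_firewall_address(text)
    ip = ipaddress.ip_address(packet_ip)
    return ip.version == family and low <= ip <= high
```

Because every form is reduced to an inclusive low/high pair, a range written as 192.168.110.[100-120] and one written as 192.168.110.100-192.168.110.120 compare equal, which is also how a policy engine avoids caring about the notation an administrator chose.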
Viewing the firewall address list
Firewall addresses in the list are grouped by type: IP/Netmask, FQDN, or IPv6. FortiGate
unit default configurations include the all address, which represents any IPv4 IP address
on any network.
To view the address list, go to Firewall > Address.
Figure 216: Firewall address list
Create New Add a firewall address. If IPv6 Support is enabled you can select the down
arrow in the Create New button and select IPv6 Address to add an IPv6 firewall address.
To enable IPv6 support on the web-based manager, see Settings on page 261.
Name The name of the firewall address.
Address / FQDN The IP address and mask, IP address range, or fully qualified domain name.
Interface The interface, zone, or virtual domain (VDOM) link to which the address is bound.
IP/Netmask The list of IPv4 firewall addresses and address ranges.
FQDN The list of fully qualified domain name firewall addresses.
IPv6 The list of IPv6 firewall addresses.
Delete icon Select to remove the address. The Delete icon appears only if no firewall policy
or address group is currently using the address.
Edit icon Select to edit the address.
Configuring addresses
To add a firewall address go to Firewall > Address and select Create New. You can add a
static IP address, an IP address range, or a FQDN.
If IPv6 Support is enabled, to add an IPv6 firewall address, go to Firewall > Address and
select Create New > IPv6 Address.
Figure 217: New IPv4 firewall address or IP range options
Figure 218: New IPv6 firewall address options
Address Name Enter a name to identify the firewall address. Addresses, address groups, and
virtual IPs must have unique names.
Type Select the type of address: Subnet/IP Range or FQDN. For Subnet/IP Range you can
enter either an IP address with subnet mask or an IP range.
Subnet / IP Range Enter the firewall IP address, followed by a forward slash (/), then the subnet
mask, or enter an IP address range separated by a hyphen. See About firewall addresses
on page 395.
Interface Select the interface, zone, or virtual domain (VDOM) link to which you want to
bind the IP address. Select Any if you want to bind the IP address with the
interface/zone when you create a firewall policy.
IPv6 Address Enter the firewall IPv6 address, followed by a forward slash (/), then the prefix
length. See About IPv6 firewall addresses on page 396.
Caution: Be cautious when using FQDN firewall addresses. Using a fully qualified domain
name in a firewall policy, while convenient, does present some security risks, because
policy matching then relies on a trusted DNS server. Should the DNS server be
compromised, firewall policies requiring domain name resolution may no longer function
properly.
Tip: You can also add firewall addresses when configuring a firewall policy: Go to Firewall >
Policy, select the appropriate policy tab and then Create New. From the Source Address
list, select Address > Create New.
Viewing the address group list
You can organize multiple firewall addresses into an address group to simplify your
firewall policy list. For example, instead of having five identical policies for five different but
related firewall addresses, you might combine the five addresses into a single address
group, which is used by a single firewall policy.
To view the address group list, go to Firewall > Address > Group.
Figure 219: Firewall address group list
Create New Add an address group. If IPv6 Support is enabled you can select the down
arrow in the Create New button and select IPv6 Address Group to add an IPv6 firewall
address group. To enable IPv6 support on the web-based manager, see Settings on
page 261.
Group Name The name of the address group.
Members The addresses in the address group.
Address Group The list of firewall IPv4 address groups.
IPv6 Address Group The list of firewall IPv6 address groups.
Delete icon Select to remove the address group. The Delete icon appears only if the
address group is not currently being used by a firewall policy.
Edit icon Select to edit the address group.
Configuring address groups
Because firewall policies require addresses with homogeneous network interfaces, address
groups should contain only addresses bound to the same network interface, or bound to
Any. Addresses whose selected interface is Any are bound to a network interface during
creation of a firewall policy, rather than during creation of the firewall address. For
example, if address A1 is associated with port1, and address A2 is associated with port2,
they cannot be grouped. However, if A1 and A2 have an interface of Any, they can be
grouped, even if the addresses involve different networks.
You cannot mix IPv4 firewall addresses and IPv6 firewall addresses in the same address
group.
To organize addresses into an address group go to Firewall > Address > Group and select
Create New.
If IPv6 Support is enabled, to add an IPv6 firewall address group, go to Firewall > Address >
Group and select Create New > IPv6 Address Group.
Figure 220: Address group options
Group Name Enter a name to identify the address group. Addresses, address groups, and
virtual IPs must have unique names.
Available Addresses The list of all IPv4 or IPv6 firewall addresses. Use the arrows to move
selected addresses between the lists of available and member addresses.
You cannot add IPv4 and IPv6 firewall addresses to the same address group. If
you are adding an IPv4 firewall address group only the IPv4 addresses and FQDN
addresses appear. If you are adding an IPv6 firewall address group, only the IPv6
addresses appear.
Members The list of addresses included in the address group. Use the arrows to move
selected addresses between the lists of available and member addresses.
Tip: You can also create firewall address groups when configuring a firewall policy: Go to
Firewall > Policy, select the appropriate policy tab and then Create New. From the Source
Address list, select Address Group > Create New.
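The two grouping constraints from Configuring address groups (members bound to one interface or to Any; no IPv4/FQDN and IPv6 mixing), as an added Python check that is not FortiOS code. The Address record, its family rule and the sample addresses are constructed for illustration, and the model treats a group that mixes one interface-bound member with Any members as allowed, which is a reading of the text rather than something it states.

```python
"""Validate candidate address-group membership. Added example, not FortiOS code."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Address:
    name: str
    kind: str                # "ipmask", "iprange", "fqdn" or "ipv6"
    value: str
    interface: str = "any"   # "any", or an interface/zone name such as "port1"

    @property
    def family(self) -> int:
        # FQDN addresses resolve to IPv4 here, so they group with IPv4 members.
        return 6 if self.kind == "ipv6" else 4


def group_problems(members: List[Address]) -> List[str]:
    """Return the reasons these members cannot form one group (empty if valid)."""
    problems = []
    if not members:
        return ["an address group needs at least one member"]
    if len({m.family for m in members}) > 1:
        problems.append("IPv4/FQDN addresses and IPv6 addresses cannot share a group")
    # Members bound to Any are bound later, in the policy, so they never
    # conflict; everything else must agree on a single interface. Allowing a
    # mix of one bound interface and Any members is an assumption here.
    bound = sorted({m.interface for m in members} - {"any"})
    if len(bound) > 1:
        problems.append("members are bound to different interfaces: " + ", ".join(bound))
    return problems


def can_group(members: List[Address]) -> bool:
    return not group_problems(members)


# Constructed sample addresses following the A1/A2 example in the text.
A1_PORT1 = Address("A1", "ipmask", "10.1.0.0/24", "port1")
A2_PORT2 = Address("A2", "ipmask", "10.2.0.0/24", "port2")
A1_ANY = Address("A1", "ipmask", "10.1.0.0/24")
A2_ANY = Address("A2", "iprange", "10.2.0.10-10.2.0.20")
MAIL_FQDN = Address("mail", "fqdn", "mail.example.com")
V6_LAN = Address("lan6", "ipv6", "2001:db8:1::/64")
```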
Firewall Service
Firewall services define one or more protocols and port numbers associated with each
service. Firewall policies use service definitions to match session types.
You can organize related services into service groups to simplify your firewall policy list.
If you enable virtual domains (VDOMs) on the FortiGate unit, you must configure firewall
services separately for each virtual domain. For more information, see Using virtual
domains on page 125.
This section describes:
Viewing the predefined service list
Viewing the custom service list
Configuring custom services
Viewing the service group list
Configuring service groups
Viewing the predefined service list
Many well-known traffic types have been predefined in firewall services. These predefined
services are defaults, and cannot be edited or removed. However, if you require different
services, you can create custom services. For more information, see Configuring custom
services on page 406.
To view the predefined service list, go to Firewall > Service > Predefined.
Figure 221: Predefined service list (top portion)
Table 50 lists the FortiGate firewall predefined services.
Name The name of the predefined service.
Detail The protocol (TCP, UDP, IP, ICMP) and port number or numbers of the
predefined service.
Table 50: Predefined services
Each entry gives the service name, a description, and the IP protocol with its port numbers.
Services that are neither TCP nor UDP are listed by IP protocol number (for example, ESP is
IP protocol 50); ICMP services are listed by ICMP type.
AFS3: Andrew File System, version 3. The AFS distributed file system protocol. TCP 7000-7009; UDP 7000-7009.
AH: Authentication Header (IP protocol 51). AH provides source host authentication and data integrity, but not confidentiality. IPsec peers that negotiate AH use it to authenticate packets without encrypting them.
ANY: Matches connections using any protocol over IP. All protocols, all ports.
AOL: AOL Instant Messenger protocol. TCP 5190-5194.
BGP: Border Gateway Protocol. BGP is the exterior gateway routing protocol used between autonomous systems (and, as iBGP, within them). TCP 179.
CVSPSERVER: Concurrent Versions System pserver. The CVS password-authenticated server protocol, commonly used to provide anonymous read-only access to a repository. TCP 2401; UDP 2401.
DCE-RPC: Distributed Computing Environment / Remote Procedure Calls. Applications using DCE-RPC can call procedures in another application without having to know on which host the other application is running. TCP 135; UDP 135.
DHCP: Dynamic Host Configuration Protocol. DHCP allocates network addresses and delivers configuration parameters from DHCP servers to hosts. UDP 67, 68.
DHCP6: Dynamic Host Configuration Protocol for IPv6. UDP 546, 547.
DNS: Domain Name System. DNS resolves domain names into IP addresses. TCP 53; UDP 53.
ESP: Encapsulating Security Payload (IP protocol 50). ESP is used by manual key and AutoIKE IPsec VPN tunnels for communicating encrypted data. AutoIKE VPN tunnels use ESP after establishing the tunnel by IKE.
FINGER: A network service providing information about users. TCP 79.
FTP: File Transfer Protocol. TCP 21.
FTP_GET: File Transfer Protocol. FTP GET sessions transfer remote files from an FTP server to an FTP client computer. TCP 21.
FTP_PUT: File Transfer Protocol. FTP PUT sessions transfer local files from an FTP client to an FTP server. TCP 21.
GOPHER: Gopher organizes and displays Internet server contents as a hierarchically structured list of files. TCP 70.
GRE: Generic Routing Encapsulation (IP protocol 47). GRE allows an arbitrary network protocol to be transmitted over any other arbitrary network protocol, by encapsulating the packets of the protocol within GRE packets.
H323: H.323 multimedia protocol. H.323 is a standard approved by the International Telecommunication Union (ITU) defining how audiovisual conferencing data can be transmitted across networks. For more information, see the FortiGate Support for H.323 Technical Note. TCP 1720, 1503; UDP 1719.
HTTP: Hypertext Transfer Protocol. HTTP is used to browse web pages on the World Wide Web. TCP 80.
HTTPS: HTTP over SSL/TLS. HTTPS is used for secure communication with web servers. TCP 443.
ICMP_ANY: Internet Control Message Protocol. ICMP allows control messages and error reporting between a host and gateway (Internet). ICMP, any type.
IKE: Internet Key Exchange. IKE obtains authenticated keying material for use with the Internet Security Association and Key Management Protocol (ISAKMP) for IPsec. UDP 500, 4500.
IMAP: Internet Message Access Protocol. IMAP is used by email clients to retrieve email messages from email servers. TCP 143.
IMAPS: IMAP over SSL/TLS. IMAPS is used for secure IMAP communication between email clients and servers. IMAPS is only available on FortiGate units that support SSL content scanning and inspection. TCP 993.
INFO_ADDRESS: ICMP address mask request messages. ICMP type 17.
INFO_REQUEST: ICMP information request messages. ICMP type 15.
IRC: Internet Relay Chat. IRC allows users to join chat channels. TCP 6660-6669.
Internet-Locator-Service: Internet Locator Service. ILS includes LDAP, User Locator Service, and LDAP over TLS/SSL. TCP 389.
L2TP: Layer 2 Tunneling Protocol. L2TP is a PPP-based tunnel protocol for remote access. TCP 1701; UDP 1701.
LDAP: Lightweight Directory Access Protocol. LDAP is used to access information directories. TCP 389.
MGCP: Media Gateway Control Protocol. MGCP is used by call agents and media gateways in distributed Voice over IP (VoIP) systems. UDP 2427, 2727.
MS-SQL: Microsoft SQL Server, a relational database management system (RDBMS) produced by Microsoft. Its primary query languages are MS-SQL and T-SQL. TCP 1433, 1434.
MYSQL: MySQL, a relational database management system (RDBMS) which runs as a server providing multi-user access to a number of databases. TCP 3306.
NFS: Network File System. NFS allows network users to mount shared files. TCP 111, 2049; UDP 111, 2049.
NNTP: Network News Transport Protocol. NNTP is used to post, distribute, and retrieve Usenet messages. TCP 119.
NTP: Network Time Protocol. NTP synchronizes a host's time with a time server. TCP 123; UDP 123.
NetMeeting: NetMeeting allows users to teleconference using the Internet as the transmission medium. TCP 1720.
ONC-RPC: Open Network Computing Remote Procedure Call. ONC-RPC is a widely deployed remote procedure call system. TCP 111; UDP 111.
OSPF: Open Shortest Path First (IP protocol 89). OSPF is a common link state routing protocol.
PC-Anywhere: PC-Anywhere is a remote control and file transfer protocol. TCP 5631; UDP 5632.
PING: Ping sends ICMP echo requests to test connectivity to other hosts. ICMP type 8.
PING6: Ping6 sends ICMPv6 echo requests to test IPv6 connectivity to other hosts. IP protocol 58 (ICMPv6).
POP3: Post Office Protocol v3. POP retrieves email messages. TCP 110.
POP3S: Post Office Protocol v3 over SSL/TLS. POP3S is used for secure retrieval of email messages. POP3S is only available on FortiGate units that support SSL content scanning and inspection. TCP 995.
PPTP: Point-to-Point Tunneling Protocol. PPTP is used to tunnel connections between private network hosts over the Internet. The control channel is TCP 1723 and the tunneled data travels in GRE, so the service also matches IP protocol 47. TCP 1723; IP protocol 47.
QUAKE: Quake multi-player computer game traffic. UDP 26000, 27000, 27910, 27960.
RADIUS: Remote Authentication Dial In User Service. RADIUS provides centralized authentication, authorization and accounting for people or computers connecting to a network service. UDP 1812 (authentication), 1813 (accounting).
RAUDIO: RealAudio multimedia traffic. UDP 7070.
RDP: Remote Desktop Protocol is a multi-channel protocol that allows a user to connect to a networked computer. TCP 3389.
REXEC: Rexec traffic allows specified commands to be executed on a remote host running the rexecd service (daemon). TCP 512.
RIP: Routing Information Protocol. RIP is a common distance vector routing protocol. RIP v1 and RIP v2 both use this port, so the service matches either. UDP 520.
RLOGIN: Remote login traffic. TCP 513.
RSH: Remote Shell traffic allows specified commands to be executed on a remote host running the rshd service (daemon). TCP 514.
RTSP: Real Time Streaming Protocol is a protocol for use in streaming media systems which allows a client to remotely control a streaming media server, issuing VCR-like commands such as play and pause, and allowing time-based access to files on a server. TCP 554, 7070, 8554; UDP 554.
SAMBA: Server Message Block. SMB allows clients to use file and print shares from enabled hosts. This is primarily used for Microsoft Windows hosts, but may be used with operating systems running the Samba daemon. TCP 139.
SCCP: Skinny Client Control Protocol. SCCP is a Cisco proprietary standard for terminal control for use with voice over IP (VoIP). TCP 2000.
SIP: Session Initiation Protocol. SIP allows audiovisual conferencing data to be transmitted across networks. For more information, see the FortiGate SIP Support Technical Note. UDP 5060.
SIP-MSNmessenger: Session Initiation Protocol used by Microsoft Messenger to initiate an interactive, possibly multimedia session. TCP 1863.
SMTP: Simple Mail Transfer Protocol. SMTP is used for sending email messages between email clients and email servers, and between email servers. TCP 25.
SMTPS: SMTP over SSL/TLS. Used for sending email messages securely between email clients and email servers, and between email servers. SMTPS is only available on FortiGate units that support SSL content scanning and inspection. TCP 465.
SNMP: Simple Network Management Protocol. SNMP can be used to monitor and manage complex networks. TCP 161-162; UDP 161-162.
SOCKS: SOCKS is an Internet protocol that allows client-server applications to transparently use the services of a network firewall. TCP 1080; UDP 1080.
SQUID: A proxy server and web cache daemon with a wide variety of uses, including speeding up a web server by caching repeated requests; caching web, DNS and other computer network lookups for a group of people sharing network resources; and aiding security by filtering traffic. TCP 3128.
SSH: Secure Shell. SSH allows secure remote management and tunneling. TCP 22; UDP 22.
SYSLOG: Syslog service for remote logging. UDP 514.
TALK: Talk allows conversations between two or more users. UDP 517-518.
TCP: Matches connections using any TCP port. TCP 0-65535.
TELNET: Allows plain text remote management. TCP 23.
TFTP: Trivial File Transfer Protocol. TFTP is similar to FTP, but without security features such as authentication. UDP 69.
TIMESTAMP: ICMP timestamp request messages. ICMP type 13.
TRACEROUTE: A computer network tool used to determine the route taken by packets across an IP network. TCP 33434; UDP 33434.
UDP: Matches connections using any UDP port. UDP 0-65535.
UUCP: Unix to Unix Copy Protocol. UUCP provides simple file copying. UDP 540.
VDOLIVE: VDO Live streaming multimedia traffic. TCP 7000-7010.
VNC: Virtual Network Computing. VNC is a graphical desktop sharing system which uses the RFB protocol to remotely control another computer. TCP 5900.
WAIS: Wide Area Information Server. WAIS is an Internet search protocol which may be used in conjunction with Gopher. TCP 210.
WINFRAME: WinFrame provides communications between computers running Windows NT, or Citrix WinFrame/MetaFrame. TCP 1494.
WINS: Windows Internet Name Service is Microsoft's implementation of NetBIOS Name Service (NBNS), a name server and service for NetBIOS computer names. TCP 1512; UDP 1512.
X-WINDOWS: X Window System (also known as X11) can forward the graphical shell from an X Window server to X Window client. TCP 6000-6063.
Viewing the custom service list
If you need to create a firewall policy for a service that is not in the predefined service list,
you can add a custom service.
To view the custom service list, go to Firewall > Service > Custom.
Figure 222: Custom service list
Create New Add a custom service.
Service Name The name of the custom service.
Detail The protocol and port numbers for each custom service.
Delete icon Remove the custom service. The Delete icon appears only if the service is not
currently being used by a firewall policy.
Edit icon Edit the custom service.
Configuring custom services
Custom services can be defined for TCP or UDP port ranges, for ICMP types and codes, or
for any other IP protocol by its protocol number.
Tip: You can also create custom services when you configure a firewall policy. Go to
Firewall > Policy, select the appropriate policy tab and then Create New. From the Service
list, select Service > Create New.
To add a custom TCP or UDP service
1 Go to Firewall > Service > Custom.
2 Select Create New.
3 Set Protocol Type to TCP/UDP.
4 Complete the fields in the following table and select OK.
Name Enter a name for the custom service.
Protocol Type Select TCP/UDP.
Protocol Select TCP or UDP as the protocol of the port range being added.
Source Port Specify the source port number range for the service by entering the low and
high port numbers. If the service uses one port number, enter this number in
both the Low and High fields. The default values allow the use of any source
port.
Destination Port Specify the destination port number range for the service by entering the low
and high port numbers. If the service uses one port number, enter this number
in both the Low and High fields.
Add If your custom service requires more than one port range, select Add to allow
more source and destination ranges. A session matches the service if it matches any one
of the ranges.
Delete Icon Remove the entry from the list.
Figure 223: New Custom Service - TCP/UDP
To add a custom ICMP service
1 Go to Firewall > Service > Custom.
2 Select Create New.
3 Set Protocol Type to ICMP.
4 Complete the fields in the following table and select OK.
Name Enter a name for the ICMP custom service.
Protocol Type Select ICMP.
Type Enter the ICMP type number for the service (for example, 8 for echo request).
Code If the service needs a specific ICMP code, enter the ICMP code number; otherwise
leave it empty to match every code of that type.
Figure 224: New Custom Service - ICMP
To add a custom IP service
1 Go to Firewall > Service > Custom.
2 Select Create New.
3 Set Protocol Type to IP.
4 Complete the fields in the following table and select OK.
Name Enter a name for the IP custom service.
Protocol Type Select IP.
Protocol Number Enter the IP protocol number for the service (for example, 47 for GRE or
50 for ESP). Matching is on the protocol number alone; there are no ports.
Figure 225: New Custom Service - IP
Viewing the service group list
You can organize multiple firewall services into a service group to simplify your firewall
policy list. For example, instead of having five identical policies for five different but related
firewall services, you might combine the five services into a single service group that is
used by a single firewall policy.
Service groups can contain both predefined and custom services. Service groups cannot
contain other service groups.
To view the service group list, go to Firewall > Service > Group.
Figure 226: Sample service group list
Create New Add a service group.
Group Name The name to identify the service group.
Members The services added to the service group.
Delete icon Remove the entry from the list. The Delete icon appears only if the service group
is not selected in a firewall policy.
Edit icon Select to edit the Group Name and Members.
Configuring service groups
A service group matches a session if any of its member services matches it. Service groups
can contain both predefined and custom services, but cannot contain other service groups.
To organize services into a service group, go to Firewall > Service > Group.
Figure 227: Service Group
Tip: You can also create service groups when you configure a firewall policy. Go to
Firewall > Policy, select the appropriate policy tab and then Create New. From the Service
list, select Service Group > Create New.
Group Name Enter a name to identify the service group.
Available
Services
The list of configured and predefined services available for your group, with
custom services at the bottom. Use the arrows to move selected services
between this list and Members.
Members The list of services in the group. Use the arrows to move selected services
between this list and Available Services.
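The three custom service types (TCP/UDP with source and destination port ranges, ICMP with type and optional code, other IP protocols by number), the predefined entries that span several protocols, and service groups as a flat union, as an added Python matcher that is not FortiOS code. The Entry and Packet records, the ANY_PORTS default and the sample definitions are constructed for illustration; the PPTP, PING and ICMP_ANY samples follow the corresponding rows of Table 50, and the syslog sample shows a custom service that pins the source port as well as the destination.

```python
"""Match packets against firewall service definitions. Added example, not FortiOS code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP, UDP, ICMP, GRE = 6, 17, 1, 47
ANY_PORTS = (1, 65535)   # assumed default: any source or destination port


@dataclass(frozen=True)
class Entry:
    """One protocol entry of a service; a service is a list of entries."""
    protocol: int                     # IP protocol number
    dst: Tuple[int, int] = ANY_PORTS  # destination port range (TCP/UDP only)
    src: Tuple[int, int] = ANY_PORTS  # source port range (TCP/UDP only)
    icmp_type: Optional[int] = None   # ICMP only; None matches any type
    icmp_code: Optional[int] = None   # ICMP only; None matches any code


@dataclass(frozen=True)
class Packet:
    protocol: int
    src_port: int = 0
    dst_port: int = 0
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.protocol != p.protocol:
        return False
    if e.protocol in (TCP, UDP):
        return (e.dst[0] <= p.dst_port <= e.dst[1]
                and e.src[0] <= p.src_port <= e.src[1])
    if e.protocol == ICMP:
        if e.icmp_type is not None and e.icmp_type != p.icmp_type:
            return False
        return e.icmp_code is None or e.icmp_code == p.icmp_code
    # Any other IP protocol (GRE, ESP, AH, OSPF...) matches on number alone.
    return True


def service_matches(entries: List[Entry], p: Packet) -> bool:
    """Entries of one service are OR-ed: any matching entry matches the service."""
    return any(entry_matches(e, p) for e in entries)


def group_matches(group: List[List[Entry]], p: Packet) -> bool:
    """A service group is the flat union of its member services (no nesting)."""
    return any(service_matches(s, p) for s in group)


# Constructed sample definitions.
PING = [Entry(ICMP, icmp_type=8)]                 # echo request, any code
ICMP_ANY = [Entry(ICMP)]                          # any ICMP type and code
PPTP = [Entry(TCP, dst=(1723, 1723)), Entry(GRE)]  # control channel plus GRE data
HTTPS = [Entry(TCP, dst=(443, 443))]
HTTP = [Entry(TCP, dst=(80, 80))]
SYSLOG_FROM_RELAY = [Entry(UDP, dst=(514, 514), src=(514, 514))]  # pinned source port
WEB = [HTTP, HTTPS]                               # a service group
```

Pinning the source port, as SYSLOG_FROM_RELAY does, is why the default source range exists: most clients pick an ephemeral source port, so a service that restricts it will silently stop matching legitimate traffic unless the sender is known to use a fixed port.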
Firewall Schedule
Firewall schedules control when policies are in effect. You can create one-time schedules
or recurring schedules. One-time schedules are in effect only once for the period of time
specified in the schedule. Recurring schedules are in effect repeatedly at specified times
of specified days of the week.
If you enable virtual domains (VDOMs) on the FortiGate unit, you must configure firewall
schedules separately for each virtual domain. For more information, see Using virtual
domains on page 125.
This section describes:
Viewing the recurring schedule list
Configuring recurring schedules
Viewing the one-time schedule list
Configuring one-time schedules
Configuring schedule groups
Viewing the recurring schedule list
You can create a recurring schedule that activates a policy during a specified period of
time. For example, you might prevent game playing during office hours by creating a
recurring schedule that covers office hours.
To view the recurring schedule list, go to Firewall > Schedule > Recurring.
Figure 228: Recurring schedule list
Note: If a recurring schedule has a stop time that is earlier than the start time, the schedule
takes effect at the start time on a selected day but ends at the stop time on the next day.
You can use this technique to create recurring schedules that run from one day to the next.
For example, to prevent game playing except at lunchtime, you might set the start time for
a recurring schedule at 1:00 p.m. and the stop time at 12:00 noon. To create a recurring
schedule that runs for 24 hours on each selected day, set the start and stop times to 00:00.
Create New Add a recurring schedule.
Name The name of the recurring schedule.
Day The initials of the days of the week on which the schedule is active.
Start The start time of the recurring schedule.
Stop The stop time of the recurring schedule.
Delete icon Remove the schedule from the list. The Delete icon appears only if the schedule
is not being used in a firewall policy.
Edit icon Edit the schedule.
Configuring recurring schedules
To add a recurring schedule, go to Firewall > Schedule > Recurring and select Create New.
Complete the fields as described in the following table and select OK.
To put a policy into effect for an entire day, set schedule start and stop times to 00:00.
Figure 229: New Recurring Schedule
Name Enter a name to identify the recurring schedule.
Select Select the days of the week for the schedule to be active.
Start Select the start time for the recurring schedule.
Stop Select the stop time for the recurring schedule.
Tip: You can also create recurring schedules when you configure a firewall policy. Go to
Firewall > Policy, select the appropriate policy tab and then Create New. From the Schedule
list, select Recurring > Create New.
Viewing the one-time schedule list
You can create a one-time schedule that activates a policy during a specified period of
time. For example, a firewall might be configured with a default policy that allows access
to all services on the Internet at all times, but you could add a one-time schedule to block
access to the Internet during a holiday.
To view the one-time schedule list, go to Firewall > Schedule > One-time.
Figure 230: One-time schedule list
Create New Add a one-time schedule.
Name The name of the one-time schedule.
Start The start date and time for the schedule.
Stop The stop date and time for the schedule.
Configuring one-time schedules
To add a one-time schedule, go to Firewall > Schedule > One-time. Complete the fields as described in the following table and select OK.
To put a policy into effect for an entire day, set schedule start and stop times to 00.
Figure 231: New One-time Schedule
Delete icon Remove the schedule from the list. The Delete icon appears only if the schedule is not being used in a firewall policy.
Edit icon Edit the schedule.
Name Enter a name to identify the one-time schedule.
Start Select the start date and time for the schedule.
Stop Select the stop date and time for the schedule.
Tip: You can also create one-time schedules when you configure a firewall policy. Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Schedule list, select One-time > Create New.
Configuring schedule groups
You can organize multiple firewall schedules into a schedule group to simplify your firewall policy list. For example, instead of having five identical policies for five different but related firewall schedules, you might combine the five schedules into a single schedule group that is used by a single firewall policy.
Schedule groups can contain both recurring and one-time schedules. Schedule groups cannot contain other schedule groups.
To organize schedules into a schedule group, go to Firewall > Schedule > Group.
Figure 232: Schedule Group
Group Name Enter a name to identify the schedule group.
Available Schedules The list of recurring and one-time schedules available for your group. Use the arrow buttons to move selected schedules between this list and Members.
Members The list of schedules in the group. Use the arrows to move selected schedules between this list and Available Schedules.
Traffic Shaping
Traffic shaping, once included in a firewall policy, controls the bandwidth available to, and sets the priority of, the traffic processed by the policy. Traffic shaping makes it possible to control which policies have the highest priority when large amounts of data are moving through the FortiGate unit. For example, the policy for the corporate web server might be given higher priority than the policies for most employees' computers. An employee who needs extra high speed Internet access could have a special outgoing policy set up with higher bandwidth.
Traffic shaping is available for firewall policies whose Action is ACCEPT, IPSEC, or SSL-VPN. It is also available for all supported services, including H.323, TCP, UDP, ICMP, and ESP.
Guaranteed and maximum bandwidth in combination with queuing ensures minimum and
maximum bandwidth is available for traffic.
Traffic shaping cannot increase the total amount of bandwidth available, but you can use it
to improve the quality of bandwidth-intensive and sensitive traffic.
For more information about firewall policy, see Firewall Policy on page 363.
This section describes:
Guaranteed bandwidth and maximum bandwidth
Traffic priority
Traffic shaping considerations
Configuring shared traffic shapers
Configuring Per IP traffic shaping
Accounting and quota enforcement
Guaranteed bandwidth and maximum bandwidth
When you enter a value in the Guaranteed Bandwidth field when adding a traffic shaper, you guarantee the amount of bandwidth available for selected network traffic (in Kbytes/sec). For example, you may want to give a higher guaranteed bandwidth to your e-commerce traffic.
When you enter a value in the Maximum Bandwidth field when adding a traffic shaper, you
limit the amount of bandwidth available for selected network traffic (in Kbytes/sec). For
example, you may want to limit the bandwidth of IM traffic usage, to save some bandwidth
for the more important e-commerce traffic.
The bandwidth available for traffic set in a traffic shaper is used for both the control and
data sessions and for traffic in both directions. For example, if guaranteed bandwidth is
applied to an internal and an external FTP policy, and a user on an internal network uses
FTP to put and get files, both the put and get sessions share the bandwidth available to
the traffic controlled by the policy.
Note: For more information about traffic shaping you can also see the FortiGate Traffic
Shaping Technical Note.
Once included in a firewall policy, the guaranteed and maximum bandwidth is the total bandwidth available to all traffic controlled by the policy. If multiple users start multiple communication sessions using the same policy, all of these sessions must share the bandwidth available to the policy.
However, bandwidth availability is not shared between multiple instances of the same service if those instances are controlled by different policies. For example, you can create one FTP policy to limit the amount of bandwidth available for FTP for one network address and create another FTP policy with a different bandwidth availability for another network address.
Traffic priority
When adding a traffic shaper, you can set traffic priority to manage the relative priorities of different types of traffic. Important and latency-sensitive traffic should be assigned a high priority. Less important and less sensitive traffic should be assigned a low priority.
The FortiGate unit provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections.
For example, you can add policies to guarantee bandwidth for voice and e-commerce traffic. Then you can assign a high priority to the policy that controls voice traffic and a medium priority to the policy that controls e-commerce traffic. During a busy time, if both voice and e-commerce traffic are competing for bandwidth, the higher priority voice traffic will be transmitted before the e-commerce traffic.
Traffic shaping considerations
Traffic shaping attempts to normalize traffic peaks/bursts to prioritize certain flows over
others. But there is a physical limitation to the amount of data which can be buffered and
to the length of time. Once these thresholds have been surpassed, frames and packets
will be dropped, and sessions will be affected in other ways. For example, incorrect traffic
shaping configurations may actually further degrade certain network flows, since the
excessive discarding of packets can create additional overhead at the upper layers that
may be attempting to recover from these errors.
A basic traffic shaping approach is to prioritize certain traffic flows over other traffic whose
potential discarding is less advantageous. This would mean that you accept sacrificing
certain performance and stability on low-priority traffic, in order to increase or guarantee
performance and stability to high-priority traffic.
If, for example, you are applying bandwidth limitations to certain flows, you must accept
the fact that these sessions can be limited and therefore negatively impacted.
Traffic shaping applied to a firewall policy is enforced for traffic flowing in either direction. Therefore a session set up by an internal host to an external one, through an Internal-to-External policy, has traffic shaping applied even if the data stream flows from external to internal. Examples are an FTP get, or an SMTP server connecting to an external one in order to retrieve email.
Note: If you set both guaranteed bandwidth and maximum bandwidth to 0 (zero), the policy does not allow any traffic.
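The allocation rules described in this section (guarantee first, spare capacity by priority up to each maximum, and no traffic when both figures are 0) as an added Python model. This is not Fortinet's code or the unit's actual scheduler; the link capacity, policy names, the treatment of a maximum of 0 as "no cap", and the 80% headroom check are assumptions of the model.

```python
"""Added example, not Fortinet code: a simplified model of how the guide says
shared traffic shapers divide a link.  Each policy first receives its
guaranteed bandwidth, the spare capacity is then handed out in priority order
(high, then medium, then low) up to each policy's maximum, and a shaper with
both guaranteed and maximum bandwidth set to 0 passes no traffic at all.
Figures are Kbytes/sec; the policy names and numbers are constructed."""
from dataclasses import dataclass
from typing import Dict, List

PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Shaper:
    name: str
    guaranteed: int  # Kbytes/sec reserved for the policy's sessions
    maximum: int     # Kbytes/sec cap (0 is treated as "no cap" here: an assumption)
    priority: str    # "high", "medium" or "low"
    demand: int      # Kbytes/sec the policy's sessions are trying to push


def allows_traffic(s: Shaper) -> bool:
    """The guide's rule: guaranteed 0 and maximum 0 means the policy passes nothing."""
    return not (s.guaranteed == 0 and s.maximum == 0)


def ceiling(s: Shaper) -> int:
    """Most the policy may receive: its demand, capped by Maximum Bandwidth."""
    return s.demand if s.maximum == 0 else min(s.maximum, s.demand)


def allocate(link_capacity: int, shapers: List[Shaper]) -> Dict[str, int]:
    """Return Kbytes/sec granted to each policy when all of them are busy at once."""
    alloc = {s.name: 0 for s in shapers}
    active = [s for s in shapers if allows_traffic(s)]
    remaining = link_capacity

    # Pass 1: honour every guarantee (all sessions of a policy share this figure).
    for s in active:
        give = min(s.guaranteed, ceiling(s), remaining)
        alloc[s.name] = give
        remaining -= give

    # Pass 2: spare capacity goes to high-priority policies first, then medium,
    # then low, and only up to each policy's maximum.
    for s in sorted(active, key=lambda x: PRIORITY_RANK[x.priority]):
        extra = min(ceiling(s) - alloc[s.name], remaining)
        if extra > 0:
            alloc[s.name] += extra
            remaining -= extra
    return alloc


def guarantees_fit(link_capacity: int, shapers: List[Shaper],
                   headroom: float = 0.8) -> bool:
    """Configuration check from the guide: the sum of all guarantees must stay
    significantly below the interface capacity.  The 80% ceiling is an assumed
    rule of thumb, not a Fortinet figure."""
    total = sum(s.guaranteed for s in shapers if allows_traffic(s))
    return total <= headroom * link_capacity


if __name__ == "__main__":
    policies = [
        Shaper("voice", guaranteed=200, maximum=400, priority="high", demand=400),
        Shaper("ecommerce", guaranteed=300, maximum=0, priority="medium", demand=600),
        Shaper("im", guaranteed=0, maximum=100, priority="low", demand=300),
        Shaper("blocked", guaranteed=0, maximum=0, priority="high", demand=50),
    ]
    # On a 1000 Kbytes/sec link the low-priority IM policy gets nothing once
    # voice and e-commerce have taken their guarantees and the spare capacity.
    print(allocate(1000, policies))
    print(guarantees_fit(1000, policies))
```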
Note that traffic shaping is effective for normal IP traffic at normal traffic rates. Traffic
shaping is not effective during periods when traffic exceeds the capacity of the FortiGate
unit. Since packets must be received by the FortiGate unit before they are subject to traffic
shaping, if the FortiGate unit cannot process all of the traffic it receives, then dropped
packets, delays, and latency are likely to occur.
To ensure that traffic shaping is working at its best, make sure that the interface ethernet
statistics show no errors, collisions or buffer overruns. If any of these problems do appear,
then FortiGate and switch settings may require adjusting. For more information, see the
FortiGate Traffic Shaping Technical Note.
Configuring shared traffic shapers
Configure shared traffic shapers to add traffic shaping and reverse direction traffic shaping
to firewall policies.
To view the shared traffic shaper list, go to Firewall > Traffic Shaping > Shared. To add a
shared traffic shaper select Create New.
By default the FortiGate unit includes pre-defined shared traffic shapers. You can add these shapers to firewall policies as is, customize them, or add new shared traffic shapers.
After creating or editing shared traffic shapers you add them to firewall policies by going to Firewall > Policy and adding a new firewall policy or editing an existing one. You can also go to Firewall > Policy6 and add or edit an IPv6 firewall policy to apply traffic shaping to IPv6 traffic.
To enable shared traffic shaping in a firewall policy, select Traffic Shaping and select a
shared traffic shaper. You can also select Reverse Direction Traffic Shaping and select a
shared traffic shaper to apply shared traffic shaping to return traffic.
Note: To ensure that traffic shaping is working at its best, verify that the interface ethernet
statistics show no errors, collisions, or buffer overruns. If any of these problems do appear,
then FortiGate and switch settings may require adjusting. See the Troubleshooting
section of the FortiGate Traffic Shaping Technical Note for information about using
diagnose commands to get this information.
Figure 233: Shared traffic shaper list
Shared Traffic Shaper list
Create New Select to add a new shared traffic shaper.
Name Type a name for this traffic shaper.
Delete icon Select to remove a traffic shaper.
Edit icon Select to modify a traffic shaper.
Shared Traffic Shaper configuration
Apply Shaping Select Per Policy to apply this traffic shaper to a single firewall policy that uses it. Select For all policies using this shaper to apply this traffic shaper to all firewall policies that use it.
Shaping Methods Configure the traffic shaping methods used by the shared traffic shaper.
Guaranteed Bandwidth Select a value to ensure there is enough bandwidth available for a high-priority service. Be sure that the sum of all Guaranteed Bandwidth values in all firewall policies is significantly less than the bandwidth capacity of the interface.
Maximum Bandwidth Select to limit bandwidth in order to keep less important services from using bandwidth needed for more important ones.
Do not set both Guaranteed Bandwidth and Maximum Bandwidth to 0 (zero), or the firewall policy that the shared traffic shaper is added to will not allow any traffic.
Traffic Priority Select High, Medium, or Low. Select Traffic Priority so the FortiGate unit manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server needed to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections.
Be sure to enable traffic shaping on all firewall policies. If you do not apply any traffic shaping rule to a policy, the policy is set to high priority by default. Distribute firewall policies over all three priority queues.
Quotas and Accounting See Accounting and quota enforcement on page 420.
Configuring Per IP traffic shaping
Configure traffic shaping that is applied per IP address, instead of per policy or per shaper.
As with the shared traffic shaper, you select the per-IP traffic shaper in firewall policies.
Go to Firewall > Traffic Shaping > Per-IP to add per-IP traffic shapers.
To apply per-IP traffic shaping to a firewall policy, go to Firewall > Policy, add or edit a
firewall policy, select Per-IP Traffic Shaping and select a per-IP traffic shaper.
Figure 234: Configuring a per-IP traffic shaper
Per-IP Traffic Shaper list
Create New Select to add a new per-IP traffic shaper.
Name The name of this per-IP traffic shaper.
Delete icon Select to remove a per-IP traffic shaper.
Edit icon Select to modify a per-IP traffic shaper.
Per-IP Traffic Shaper configuration
Maximum Bandwidth Enter the maximum allowed bandwidth in Kbps. This limit applies to each IP address. Range 1 to 2 097 000. Enter 0 to disable the bandwidth limit.
Quotas and Accounting See Accounting and quota enforcement on page 420.
IP List
IP/Range Add the IP addresses or IP address ranges that this per-IP traffic shaper applies to.
Delete icon Delete an IP address/range entry.
Add Add a single IP address or an address range.
Accounting and quota enforcement
Both the shared and per-IP traffic shapers provide traffic accounting with enforceable quotas. To configure accounting and quota enforcement, go to Firewall > Traffic Shaper > Shared or Firewall > Traffic Shaper > Per-IP.
Figure 235: Traffic shaping quotas and accounting configuration
None Select to disable accounting and quotas.
Enforce Traffic Quota Select and enter a traffic quota to be enforced by the traffic shaper. Enter the amount of data in MBytes allowed for the selected period (hour, day, week, or month). If the amount of data transferred within that period exceeds the quota, the traffic shaper blocks additional traffic until the period expires.
Users attempting to connect through the FortiGate unit while blocked by the traffic quota see one of the traffic quota control replacement messages. See Traffic quota control replacement messages on page 236.
Generate Accounting Log every Enable to monitor and write accounting log messages that record the volume of traffic accepted by the traffic shaper. Select the log period: Hour, Day, Week, or Month.
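The quota and accounting behaviour described above as an added Python model, counting bytes per IP address per period and refusing traffic once the quota would be exceeded. This is not Fortinet's implementation; the 30-day month, the rule that the request crossing the quota is the first one refused, the log line format, and all addresses and volumes are assumptions.

```python
"""Added example, not Fortinet code: a model of the traffic quota enforcement
the guide describes.  Bytes are counted per IP address for the selected period
(hour, day, week or month); once a host would exceed the quota in MBytes, its
further traffic is refused until the period expires, and an accounting line
records the volume accepted per period.  The month length and the "refuse the
request that would cross the quota" rule are assumptions of this model."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

PERIOD_SECONDS = {"hour": 3600, "day": 86400, "week": 7 * 86400, "month": 30 * 86400}
MBYTE = 1024 * 1024


class QuotaShaper:
    def __init__(self, quota_mbytes: int, period: str) -> None:
        self.quota_bytes = quota_mbytes * MBYTE
        self.period = period
        self.period_len = PERIOD_SECONDS[period]
        self.period_start: Optional[int] = None
        self.usage: Dict[str, int] = defaultdict(int)   # bytes accepted per IP this period
        self.blocked: List[Tuple[str, int]] = []         # (ip, time) replacement-message events
        self.log: List[str] = []                         # accounting lines, one per IP per period

    def _roll_period(self, now: int) -> None:
        """Close every period that has expired, writing its accounting lines."""
        if self.period_start is None:
            self.period_start = now
        while now - self.period_start >= self.period_len:
            for ip, nbytes in sorted(self.usage.items()):
                self.log.append(f"period_start={self.period_start} period={self.period} "
                                f"ip={ip} bytes={nbytes}")
            self.usage.clear()
            self.period_start += self.period_len

    def accept(self, ip: str, nbytes: int, now: int) -> bool:
        """Return True if the traffic is allowed, False if the quota blocks it."""
        self._roll_period(now)
        if self.usage[ip] + nbytes > self.quota_bytes:
            # The user would see one of the traffic quota control replacement messages.
            self.blocked.append((ip, now))
            return False
        self.usage[ip] += nbytes
        return True


if __name__ == "__main__":
    # Constructed scenario: 10 MBytes per hour, two hosts, times in seconds.
    shaper = QuotaShaper(10, "hour")
    for ip, mb, t in [("10.10.10.5", 6, 0), ("10.10.10.5", 5, 100),
                      ("10.10.10.5", 3, 200), ("10.10.10.6", 9, 300),
                      ("10.10.10.5", 5, 3700)]:
        print(ip, mb, "MB at", t, "->", "accepted" if shaper.accept(ip, mb * MBYTE, t) else "blocked")
    print(shaper.log)
```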
Firewall Virtual IP
Virtual IP addresses (VIPs) can be used when configuring firewall policies to translate IP
addresses and ports of packets received by a network interface, including a modem
interface.
When the FortiGate unit receives inbound packets matching a firewall policy whose Destination Address field is a virtual IP, the FortiGate unit applies NAT, replacing the packets' IP addresses with the virtual IP's mapped IP address.
IP pools, similarly to virtual IPs, can be used to configure aspects of NAT; however, IP pools configure dynamic translation of packets' IP addresses based on the Destination Interface/Zone, whereas virtual IPs configure dynamic or static translation of a packet's IP addresses based upon the Source Interface/Zone.
To implement the translation configured in the virtual IP or IP pool, you must add it to a
NAT firewall policy. For details, see Configuring virtual IPs on page 426.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall virtual IPs are
configured separately for each virtual domain. For details, see Using virtual domains on
page 125.
This section describes:
How virtual IPs map connections through FortiGate units
Viewing the virtual IP list
Configuring virtual IPs
Virtual IP Groups
Viewing the VIP group list
Configuring VIP groups
Configuring IP pools
Viewing the IP pool list
Configuring IP Pools
Double NAT: combining IP pool with virtual IP
Adding NAT firewall policies in transparent mode
How virtual IPs map connections through FortiGate units
Virtual IPs can specify translations of packets' port numbers and/or IP addresses for both inbound and outbound connections. In Transparent mode, virtual IPs are available from the FortiGate CLI.
Inbound connections
Virtual IPs can be used in conjunction with firewall policies whose Action is not DENY to
apply bidirectional NAT, also known as inbound NAT.
Note: In Transparent mode from the FortiGate CLI you can configure NAT firewall policies
that include Virtual IPs and IP pools. See Adding NAT firewall policies in transparent mode
on page 442.
When comparing packets with the firewall policy list to locate a matching policy, if a firewall policy's Destination Address is a virtual IP, the FortiGate unit compares the packet's destination address to the virtual IP's external IP address. If they match, the FortiGate unit applies the virtual IP's inbound NAT mapping, which specifies how the FortiGate unit translates network addresses and/or port numbers of packets from the receiving (external) network interface to the network interface connected to the destination (mapped) IP address or IP address range.
In addition to specifying IP address and port mappings between interfaces, virtual IP
configurations can optionally bind an additional IP address or IP address range to the
receiving network interface. By binding an additional IP address, you can configure a
separate set of mappings that the FortiGate unit can apply to packets whose destination
matches that bound IP address, rather than the IP address already configured for the
network interface.
Depending on your configuration of the virtual IP, its mapping may involve port address
translation (PAT), also known as port forwarding or network address port translation
(NAPT), and/or network address translation (NAT) of IP addresses.
If you configure NAT in the virtual IP and firewall policy, the NAT behavior varies by your selection of:
static vs. dynamic NAT mapping
the dynamic NAT's load balancing style, if using dynamic NAT mapping
full NAT vs. destination NAT (DNAT)
The following table describes combinations of PAT and/or NAT that are possible when
configuring a firewall policy with a virtual IP.
Static NAT Static, one-to-one NAT mapping: an external IP address is always translated to the same mapped IP address.
If using IP address ranges, the external IP address range corresponds to a mapped IP address range containing an equal number of IP addresses, and each IP address in the external range is always translated to the same IP address in the mapped range.
Static NAT with Port Forwarding Static, one-to-one NAT mapping with port forwarding: an external IP address is always translated to the same mapped IP address, and an external port number is always translated to the same mapped port number.
If using IP address ranges, the external IP address range corresponds to a mapped IP address range containing an equal number of IP addresses, and each IP address in the external range is always translated to the same IP address in the mapped range. If using port number ranges, the external port number range corresponds to a mapped port number range containing an equal number of port numbers, and each port number in the external range is always translated to the same port number in the mapped range.
Server Load Balancing Dynamic, one-to-many NAT mapping: an external IP address is translated to one of the mapped IP addresses, as determined by the selected load balancing algorithm for more even traffic distribution. The external IP address is not always translated to the same mapped IP address.
Server load balancing requires that you configure at least one real server, but can use up to eight. Real servers can be configured with health check monitors. Health check monitors can be used to gauge server responsiveness before forwarding packets.
Server Load Balancing with Port Forwarding Dynamic, one-to-many NAT mapping with port forwarding: an external IP address is translated to one of the mapped IP addresses, as determined by the selected load balancing algorithm for more even traffic distribution. The external IP address is not always translated to the same mapped IP address.
Server load balancing requires that you configure at least one real server, but can use up to eight. Real servers can be configured with health check monitors. Health check monitors can be used to gauge server responsiveness before forwarding packets.
A typical example of static NAT is to allow client access from a public network to a web
server on a private network that is protected by a FortiGate unit. Reduced to its essence,
this example involves only three hosts, as shown in Figure 236: the web server on a
private network, the client computer on another network, such as the Internet, and the
FortiGate unit connecting the two networks.
When a client computer attempts to contact the web server, it uses the virtual IP on the FortiGate unit's external interface. The FortiGate unit receives the packets. The addresses in the packets are translated to private network IP addresses, and the packet is forwarded to the web server on the private network.
Figure 236: A simple static NAT virtual IP example
The packets sent from the client computer have a source IP of 192.168.37.55 and a destination IP of 192.168.37.4. The FortiGate unit receives these packets at its external interface, and matches them to a firewall policy for the virtual IP. The virtual IP settings map 192.168.37.4 to 10.10.10.42, so the FortiGate unit changes the packets' addresses. The source address is changed to 10.10.10.2 and the destination is changed to 10.10.10.42. The FortiGate unit makes a note of this translation in the firewall session table it maintains internally. The packets are then sent on to the web server.
Figure 237: Example of packet address remapping during NAT from client to server
Note that the client computer's address does not appear in the packets the server receives. After the FortiGate unit translates the network addresses, there is no reference to the client computer's IP address, except in its session table. The web server has no indication that another network exists. As far as the server can tell, all packets are sent by the FortiGate unit.
Note: If the NAT check box is not selected when building the firewall policy, the resulting policy does not perform full (source and destination) NAT; instead, it performs destination network address translation (DNAT).
For inbound traffic, DNAT translates the packets' destination address to the mapped private IP address, but does not translate the source address. The private network is aware of the source's public IP address. For reply traffic, the FortiGate unit translates the packets' private network source IP address to match the destination address of the originating packets, which is maintained in the session table.
When the web server replies to the client computer, address translation works similarly, but in the opposite direction. The web server sends its response packets having a source IP address of 10.10.10.42 and a destination IP address of 10.10.10.2. The FortiGate unit receives these packets on its internal interface. This time, however, the session table is used to recall the client computer's IP address as the destination address for the address translation. In the reply packets, the source address is changed to 192.168.37.4 and the destination is changed to 192.168.37.55. The packets are then sent on to the client computer.
The web server's private IP address does not appear in the packets the client receives. After the FortiGate unit translates the network addresses, there is no reference to the web server's network. The client has no indication that the web server's IP address is not the virtual IP. As far as the client is concerned, the FortiGate unit's virtual IP is the web server.
Figure 238: Example of packet address remapping during NAT from server to client
In the previous example, the NAT check box is checked when configuring the firewall policy. If the NAT check box is not selected when building the firewall policy, the resulting policy does not perform full NAT; instead, it performs destination network address translation (DNAT).
For inbound traffic, DNAT translates the packets' destination address to the mapped private IP address, but does not translate the source address. The web server would be aware of the client's IP address. For reply traffic, the FortiGate unit translates the packets' private network source IP address to match the destination address of the originating packets, which is maintained in the session table.
Outbound connections
Virtual IPs can also affect outbound NAT, even though they are not selected in an outbound firewall policy. If no virtual IPs are configured, FortiGate units apply traditional outbound NAT to connections outbound from private network IP addresses to public network IP addresses. However, if virtual IP configurations exist, FortiGate units use the virtual IPs' inbound NAT mappings in reverse to apply outbound NAT, causing IP address mappings for both inbound and outbound traffic to be symmetric.
For example, if a network interface's IP address is 10.10.10.1, and its bound virtual IP's external IP is 10.10.10.2, mapping inbound traffic to the private network IP address 192.168.2.1, traffic outbound from 192.168.2.1 will be translated to 10.10.10.2, not 10.10.10.1.
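The static NAT walk-through of Figures 236 to 238 and the symmetric outbound mapping above, as an added Python model that is not Fortinet's code or the unit's session handling. It uses the guide's addresses (client 192.168.37.55, virtual IP 192.168.37.4, web server 10.10.10.42, internal interface 10.10.10.2); the port numbers, the source-port allocation for full NAT, and dropping replies that have no session entry are assumptions of the model.

```python
"""Added example, not Fortinet code: a model of the static NAT virtual IP
walk-through in Figures 236 to 238.  It shows why the session table is needed
to translate replies, the difference between full NAT (NAT check box selected)
and DNAT (check box clear), and the reverse mapping applied to connections the
mapped server opens itself.  Ports and the port allocator are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FourTuple = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StaticNatVip:
    def __init__(self, external_ip: str, mapped_ip: str,
                 internal_if_ip: str, full_nat: bool) -> None:
        self.external_ip = external_ip      # VIP bound to the external interface
        self.mapped_ip = mapped_ip          # real server on the private network
        self.internal_if_ip = internal_if_ip
        self.full_nat = full_nat            # True: NAT check box selected; False: DNAT only
        # Session table: key is the 4-tuple a reply from the server will carry,
        # value is the original (client src, sport, VIP, dport) to restore.
        self.sessions: Dict[FourTuple, FourTuple] = {}
        self._next_port = 10000

    def _alloc_port(self) -> int:
        port, self._next_port = self._next_port, self._next_port + 1
        return port

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Client -> server direction.  None means no VIP policy matched."""
        if pkt.dst != self.external_ip:
            return None
        if self.full_nat:
            # Full NAT: the server only ever sees the FortiGate's internal address.
            new_src, new_sport = self.internal_if_ip, self._alloc_port()
        else:
            # DNAT: destination is rewritten, the client's address stays visible.
            new_src, new_sport = pkt.src, pkt.sport
        out = Packet(new_src, new_sport, self.mapped_ip, pkt.dport)
        reply_key = (out.dst, out.dport, out.src, out.sport)
        self.sessions[reply_key] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return out

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Server -> client direction, restored from the session table.
        A reply with no session entry is dropped (returned as None)."""
        orig = self.sessions.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None
        client_ip, client_port, vip, vip_port = orig
        return Packet(vip, vip_port, client_ip, client_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Connection opened by the mapped server itself: the inbound mapping is
        applied in reverse, so the source becomes the VIP's external address
        rather than the external interface's own address."""
        if pkt.src == self.mapped_ip:
            return Packet(self.external_ip, pkt.sport, pkt.dst, pkt.dport)
        return pkt


if __name__ == "__main__":
    vip = StaticNatVip("192.168.37.4", "10.10.10.42", "10.10.10.2", full_nat=True)
    request = Packet("192.168.37.55", 40000, "192.168.37.4", 80)
    forwarded = vip.inbound(request)
    print("client -> server:", forwarded)           # src 10.10.10.2:10000, dst 10.10.10.42:80
    answer = Packet("10.10.10.42", 80, "10.10.10.2", 10000)
    print("server -> client:", vip.reply(answer))   # src 192.168.37.4:80, dst 192.168.37.55:40000
```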
Virtual IP, load balance virtual server and load balance real server limitations
The following limitations apply when adding virtual IPs, load balancing virtual servers, and load balancing real servers. Load balancing virtual servers are actually server load balancing virtual IPs. You can add server load balance virtual IPs from the CLI.
Virtual IP External IP Address/Range entries or ranges cannot overlap with each
other or with load balancing virtual server Virtual Server IP entries.
A virtual IP Mapped IP Address/Range cannot be 0.0.0.0 or 255.255.255.255.
A real server IP cannot be 0.0.0.0 or 255.255.255.255.
If a static NAT virtual IP External IP Address/Range is 0.0.0.0, the Mapped IP
Address/Range must be a single IP address.
If a load balance virtual IP External IP Address/Range is 0.0.0.0, the Mapped IP
Address/Range can be an address range.
When port forwarding, the count of mapped port numbers and external port
numbers must be the same. The web-based manager does this automatically but
the CLI does not.
Virtual IP and virtual server names must be different from firewall address or
address group names.
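A pre-flight check that applies the limitations listed above to a set of virtual IP definitions before they are entered on a unit, as an added Python example; it is not a Fortinet tool and does not reproduce the unit's own validation. Ranges are (first, last) IPv4 strings, the 0.0.0.0 external address is the wildcard the guide describes and is left out of the overlap test, and all names and addresses are constructed.

```python
"""Added example, not Fortinet code: checks VIP definitions against the
limitations listed in the guide (no overlapping external ranges, no 0.0.0.0 or
255.255.255.255 mapped or real server addresses, a single mapped address for a
wildcard static NAT VIP, equal port counts when port forwarding, and names that
do not collide with firewall addresses).  Skipping wildcard VIPs in the overlap
test is an assumption of this checker."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Set, Tuple

Range = Tuple[str, str]
BAD_IPS = {"0.0.0.0", "255.255.255.255"}
WILDCARD: Range = ("0.0.0.0", "0.0.0.0")


@dataclass
class Vip:
    name: str
    kind: str                 # "static-nat" or "load-balance"
    external: Range           # External IP Address/Range
    mapped: Range             # Mapped IP Address/Range
    ext_ports: Optional[Tuple[int, int]] = None
    mapped_ports: Optional[Tuple[int, int]] = None
    real_servers: List[str] = field(default_factory=list)


def _bounds(r: Range) -> Tuple[int, int]:
    return int(IPv4Address(r[0])), int(IPv4Address(r[1]))


def _overlaps(a: Range, b: Range) -> bool:
    a0, a1 = _bounds(a)
    b0, b1 = _bounds(b)
    return a0 <= b1 and b0 <= a1


def _count(r: Range) -> int:
    lo, hi = _bounds(r)
    return hi - lo + 1


def validate_vips(vips: List[Vip], virtual_server_ips: List[str],
                  address_names: Set[str]) -> List[str]:
    """Return one message per violated limitation; an empty list means all clear."""
    errors: List[str] = []
    for i, v in enumerate(vips):
        if v.name in address_names:
            errors.append(f"{v.name}: name is already used by a firewall address or address group")
        if v.mapped[0] in BAD_IPS or v.mapped[1] in BAD_IPS:
            errors.append(f"{v.name}: mapped IP address/range cannot be 0.0.0.0 or 255.255.255.255")
        for rs in v.real_servers:
            if rs in BAD_IPS:
                errors.append(f"{v.name}: real server IP {rs} is not allowed")
        if v.external == WILDCARD:
            # Static NAT with a wildcard external address needs a single mapped
            # address; a load balance VIP may map a range.
            if v.kind == "static-nat" and v.mapped[0] != v.mapped[1]:
                errors.append(f"{v.name}: external 0.0.0.0 with static NAT requires a single mapped IP")
        else:
            for other in vips[i + 1:]:
                if other.external != WILDCARD and _overlaps(v.external, other.external):
                    errors.append(f"{v.name}: external range overlaps VIP {other.name}")
            for vs_ip in virtual_server_ips:
                if _overlaps(v.external, (vs_ip, vs_ip)):
                    errors.append(f"{v.name}: external range overlaps virtual server IP {vs_ip}")
            if v.kind == "static-nat" and _count(v.external) != _count(v.mapped):
                errors.append(f"{v.name}: external and mapped ranges must hold the same number of addresses")
        if v.ext_ports and v.mapped_ports:
            # The web-based manager equalises the counts; the CLI does not, so check it.
            if v.ext_ports[1] - v.ext_ports[0] != v.mapped_ports[1] - v.mapped_ports[0]:
                errors.append(f"{v.name}: external and mapped port ranges must have the same count")
    return errors


if __name__ == "__main__":
    # Constructed definitions: one clean VIP and three that break a rule each.
    sample = [
        Vip("web", "static-nat", ("192.168.37.4", "192.168.37.4"), ("10.10.10.42", "10.10.10.42")),
        Vip("web_range", "static-nat", ("192.168.37.4", "192.168.37.10"), ("10.10.10.50", "10.10.10.56")),
        Vip("any_in", "static-nat", ("0.0.0.0", "0.0.0.0"), ("10.10.10.1", "10.10.10.9")),
        Vip("pf", "static-nat", ("192.168.37.20", "192.168.37.20"), ("10.10.10.20", "10.10.10.20"),
            ext_ports=(8000, 8009), mapped_ports=(80, 80)),
    ]
    for line in validate_vips(sample, ["192.168.37.30"], {"web"}):
        print(line)
```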
Viewing the virtual IP list
To view the virtual IP list, go to Firewall > Virtual IP > Virtual IP.
Figure 239: Virtual IP list
Create New Select to add a virtual IP.
Name The name of the virtual IP.
IP The bound network interface and external IP address or IP address range, separated by a slash (/ ).
Service Port The external port number or port number range. This field is empty if the virtual IP does not specify port forwarding.
Map to IP/IP Range The mapped-to IP address or address range on the destination network.
Map to Port The mapped-to port number or port number range. This field is empty if the virtual IP does not specify port forwarding.
Delete icon Remove the virtual IP from the list. The Delete icon only appears if the virtual IP is not selected in a firewall policy.
Edit icon Edit the virtual IP to change any virtual IP option including the virtual IP name.
Configuring virtual IPs
A virtual IP's external IP address can be a single IP address or an IP address range, and is bound to a FortiGate unit interface. When you bind the virtual IP's external IP address to a FortiGate unit interface, by default, the network interface responds to ARP requests for the bound IP address or IP address range. Virtual IPs use proxy ARP, as defined in RFC 1027, so that the FortiGate unit can respond to ARP requests on a network for a server that is actually installed on another network. To disable ARP replies, see the FortiGate CLI Reference.
A virtual IP's mapped IP address can be a single IP address, or an IP address range.
When the FortiGate unit receives packets matching a firewall policy whose Destination Address field is a virtual IP, the FortiGate unit applies NAT, replacing the packets' destination IP address with the virtual IP's mapped IP address.
To implement the translation configured in the virtual IP or IP pool, you must add it to a
NAT firewall policy. For example, to add a firewall policy that maps public network
addresses to a private network, add an external to internal firewall policy whose
Destination Address field is a virtual IP.
For limitations on creating virtual IPs, see Virtual IP, load balance virtual server and load
balance real server limitations on page 425.
Figure 240: Creating a static NAT Virtual IP
Figure 241: Creating a port forwarding static NAT Virtual IP
Name Enter or change the name to identify the virtual IP. To avoid confusion,
addresses, address groups, and virtual IPs cannot have the same names.
External Interface Select the virtual IP external interface from the list. The external interface is
connected to the source network and receives the packets to be forwarded to
the destination network. You can select any FortiGate interface, VLAN
subinterface, VPN interface, or modem interface.
Type VIP type is Static NAT, read only.
External IP Address/Range Enter the external IP address that you want to map to an address on the destination network.
To configure a dynamic virtual IP that accepts connections for any IP address, set the external IP address to 0.0.0.0. For a static NAT dynamic virtual IP you can only add one mapped IP address. For a load balance dynamic virtual IP you can specify a single mapped address or a mapped address range.
Mapped IP Address/Range Enter the real IP address on the destination network to which the external IP address is mapped.
You can also enter an address range to forward packets to multiple IP addresses on the destination network.
For a static NAT virtual IP, if you add a mapped IP address range the FortiGate unit calculates the external IP address range and adds the IP address range to the External IP Address/Range field.
This option appears only if Type is Static NAT.
Port Forwarding Select to perform port address translation (PAT).
Protocol Select the protocol of the forwarded packets.
This option appears only if Port Forwarding is enabled.
External Service Port Enter the external interface port number for which you want to configure port forwarding.
This option appears only if Port Forwarding is enabled.
Map to Port Enter the port number on the destination network to which the external port number is mapped.
You can also enter a port number range to forward packets to multiple ports on the destination network.
For a virtual IP with static NAT, if you add a mapped port range the FortiGate unit calculates the external port number range and adds the port number range to the External Service Port field.
This option appears only if Port Forwarding is enabled.
To configure a virtual IP
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Configure the virtual IP by entering the virtual IP address, if any, that will be bound to the network interface, and selecting the mapping type and mapped IP address(es) and/or port(s). For configuration examples of each type, see:
Adding a static NAT virtual IP for a single IP address on page 428
Adding a static NAT virtual IP for an IP address range on page 429
Adding static NAT port forwarding for a single IP address and a single port on page 431
Adding static NAT port forwarding for an IP address range and a port range on page 432
Adding dynamic virtual IPs on page 434
Adding a virtual IP with port translation only on page 435
4 Select OK.
The virtual IP appears in the virtual IP list.
5 To implement the virtual IP, select the virtual IP in a firewall policy.
For example, to add a firewall policy that maps public network addresses to a private network, you might add an external to internal firewall policy and select the Source Interface/Zone to which a virtual IP is bound, then select the virtual IP in the Destination Address field of the policy. For details, see Configuring firewall policies on page 367.
Adding a static NAT virtual IP for a single IP address
The IP address 192.168.37.4 on the Internet is mapped to 10.10.10.42 on a private
network. Attempts to communicate with 192.168.37.4 from the Internet are translated and
sent to 10.10.10.42 by the FortiGate unit. The computers on the Internet are unaware of
this translation and see a single computer at 192.168.37.4 rather than a FortiGate unit
with a private network behind it.
Figure 242: Static NAT virtual IP for a single IP address example
[Figure 242 shows a client at 192.168.37.55 sending to the virtual IP 192.168.37.4. The FortiGate unit translates the destination address to 10.10.10.42, the server on the DMZ network, and, because NAT is enabled in the policy, translates the source address to its own internal-side address 10.10.10.2.]
To add a static NAT virtual IP for a single IP address
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Enter the following information to add a virtual IP that allows users on the Internet to connect to a web server on the DMZ network. In this example, the wan1 interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.
Figure 243: Virtual IP options: static NAT virtual IP for a single IP address
Name: static_NAT
External Interface: wan1
Type: Static NAT
External IP Address/Range: The Internet IP address of the web server, 192.168.37.4 in this example. The external IP address is usually a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the IP address of the external interface can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.
Mapped IP Address/Range: The IP address of the server on the internal network, 10.10.10.42 in this example. Since there is only one IP address, leave the second field blank.
4 Select OK.
To add a static NAT virtual IP for a single IP address to a firewall policy
Add a wan1 to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP address, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination address of these packets from the external IP address to the DMZ network IP address of the web server.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
Source Interface/Zone: wan1
Source Address: All (or a more specific address)
Destination Interface/Zone: dmz1
Destination Address: static_NAT
Schedule: always
Service: HTTP
Action: ACCEPT
3 Select NAT.
4 Select OK.
Adding a static NAT virtual IP for an IP address range
The IP address range 192.168.37.4-192.168.37.6 on the Internet is mapped to 10.10.10.42-10.10.10.44 on a private network. Packets from Internet computers communicating with 192.168.37.4 are translated and sent to 10.10.10.42 by the FortiGate unit. Similarly, packets destined for 192.168.37.5 are translated and sent to 10.10.10.43, and packets destined for 192.168.37.6 are translated and sent to 10.10.10.44. The computers on the Internet are unaware of this translation and see three computers with individual IP addresses rather than a FortiGate unit with a private network behind it.
Figure 244: Static NAT virtual IP for an IP address range example
[Figure 244 shows three clients on the Internet (172.168.37.55, 172.20.37.126 and 172.199.190.25) connecting to the virtual IPs 192.168.37.4, 192.168.37.5 and 192.168.37.6. The FortiGate unit (internal-side address 10.10.10.2) forwards each connection to the corresponding server at 10.10.10.42, 10.10.10.43 or 10.10.10.44 on the internal network.]
To add a static NAT virtual IP for an IP address range
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Enter the following information to add a virtual IP that allows users on the Internet to connect to three individual web servers on the DMZ network. In this example, the wan1 interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.
Figure 245: Virtual IP options: static NAT virtual IP with an IP address range
Name: static_NAT_range
External Interface: wan1
Type: Static NAT
External IP Address/Range: The Internet IP address range of the web servers, 192.168.37.4-192.168.37.6 in this example. The external IP addresses are usually static IP addresses obtained from your ISP for your web servers. These addresses must be unique IP addresses that are not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP addresses must be routed to the selected interface. The virtual IP addresses and the IP address of the external interface can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP addresses.
Mapped IP Address/Range: The IP address range of the servers on the internal network, 10.10.10.42-10.10.10.44 in this example. Define the range by entering the first address of the range in the first field and the last address of the range in the second field. The external range is the same size as the mapped range: the FortiGate unit calculates it from the first external address.
4 Select OK.
To add a static NAT virtual IP with an IP address range to a firewall policy
Add a wan1 to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the server IP addresses, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination addresses of these packets from the external IP addresses to the DMZ network IP addresses of the servers.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
Source Interface/Zone: wan1
Source Address: All (or a more specific address)
Destination Interface/Zone: dmz1
Destination Address: static_NAT_range
Schedule: always
Service: HTTP
Action: ACCEPT
3 Select NAT.
4 Select OK.
Adding static NAT port forwarding for a single IP address and a single port
The IP address 192.168.37.4, port 80 on the Internet is mapped to 10.10.10.42, port 8000
on a private network. Attempts to communicate with 192.168.37.4, port 80 from the
Internet are translated and sent to 10.10.10.42, port 8000 by the FortiGate unit. The
computers on the Internet are unaware of this translation and see a single computer at
192.168.37.4, port 80 rather than a FortiGate unit with a private network behind it.
Figure 246: Static NAT virtual IP port forwarding for a single IP address and a single port example
[Figure 246 shows a client at 192.168.37.55 sending to the virtual IP 192.168.37.4, destination port 80. The FortiGate unit translates the destination to 10.10.10.42, port 8000, and, because NAT is enabled in the policy, the source address to its own internal-side address 10.10.10.2.]
To add static NAT virtual IP port forwarding for a single IP address and a single port
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Enter the following information to add a virtual IP that allows users on the Internet to connect to a web server on the DMZ network. In this example, the wan1 interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.
Figure 247: Virtual IP options: static NAT port forwarding virtual IP for a single IP address and a single port
Name: Port_fwd_NAT_VIP
External Interface: wan1
Type: Static NAT
External IP Address/Range: The Internet IP address of the web server, 192.168.37.4 in this example. The external IP address is usually a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the IP address of the external interface can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.
Mapped IP Address/Range: The IP address of the server on the internal network, 10.10.10.42 in this example. Since there is only one IP address, leave the second field blank.
Port Forwarding: Selected
Protocol: TCP
External Service Port: The port that traffic from the Internet will use. For a web server, this will typically be port 80.
Map to Port: The port on which the server expects traffic, 8000 in this example. Since there is only one port, leave the second field blank.
4 Select OK.
To add static NAT virtual IP port forwarding for a single IP address and a single port to a firewall policy
Add a wan1 to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP address, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination address and port of these packets from the external IP address and port to the DMZ network IP address and port of the web server.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
Source Interface/Zone: wan1
Source Address: All (or a more specific address)
Destination Interface/Zone: dmz1
Destination Address: Port_fwd_NAT_VIP
Schedule: always
Service: HTTP
Action: ACCEPT
3 Select NAT.
4 Select OK.
Adding static NAT port forwarding for an IP address range and a port range
Ports 80 to 83 of addresses 192.168.37.4 to 192.168.37.6 on the Internet are mapped to ports 8000 to 8003 of addresses 10.10.10.42 to 10.10.10.44 on a private network. Attempts to communicate with 192.168.37.5, port 82 from the Internet, for example, are translated and sent to 10.10.10.43, port 8002 by the FortiGate unit. The computers on the Internet are unaware of this translation and see individual computers at 192.168.37.4 to 192.168.37.6 rather than a FortiGate unit with a private network behind it.
Figure 248: Static NAT virtual IP port forwarding for an IP address range and a port range example
To add static NAT virtual IP port forwarding for an IP address range and a port range
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Enter the following information to add a virtual IP that allows users on the Internet to connect to web servers on the DMZ network. In this example, the external interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.
Figure 249: Virtual IP options: static NAT port forwarding virtual IP for a range of IP addresses and a range of ports
Name: Port_fwd_NAT_VIP_port_range
External Interface: external
Type: Static NAT
External IP Address/Range: The Internet IP address range of the web servers, 192.168.37.4-192.168.37.6 in this example. The external IP addresses are usually static IP addresses obtained from your ISP. These addresses must be unique, not used by another host, and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP addresses must be routed to the selected interface. The virtual IP addresses and the IP address of the external interface can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP addresses.
Mapped IP Address/Range: The IP address range of the servers on the internal network, 10.10.10.42-10.10.10.44 in this example. Define the range by entering the first address of the range in the first field and the last address of the range in the second field.
Port Forwarding: Selected
Protocol: TCP
External Service Port: The ports that traffic from the Internet will use, 80 to 83 in this example. For a web server, the first port will typically be port 80.
Map to Port: The ports on which the servers expect traffic, 8000 to 8003 in this example. Define the range by entering the first port of the range in the first field and the last port of the range in the second field. If there is only one port, leave the second field blank. The external port range is the same size as the map to port range: the FortiGate unit calculates it from the first external service port.
4 Select OK.
To add static NAT virtual IP port forwarding for an IP address range and a port range to a firewall policy
Add an external to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP addresses, packets pass through the FortiGate unit from the external interface to the dmz1 interface. The virtual IP translates the destination addresses and ports of these packets from the external IP addresses and ports to the DMZ network IP addresses and ports of the web servers.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
Source Interface/Zone: external
Source Address: All (or a more specific address)
Destination Interface/Zone: dmz1
Destination Address: Port_fwd_NAT_VIP_port_range
Schedule: always
Service: HTTP. The policy service is matched against the external destination port, so HTTP (port 80) alone accepts connections to the first external port only; to accept connections on all four external ports, select a service or service group that covers TCP ports 80 to 83.
Action: ACCEPT
3 Select NAT.
4 Select OK.
Adding dynamic virtual IPs
Adding a dynamic virtual IP is similar to adding a static NAT virtual IP. The difference is that the External IP Address is set to 0.0.0.0, which matches any destination IP address arriving on the external interface. Because such a virtual IP matches every destination address on that interface, restrict the firewall policy that uses it to the service (and, where possible, the source addresses) that the mapped server must receive.
To add a dynamic virtual IP
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Enter a name for the dynamic virtual IP.
4 Select the virtual IP External Interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network. Select any firewall interface or a VLAN subinterface.
5 Set the External IP Address to 0.0.0.0. The 0.0.0.0 External IP Address matches any IP address.
6 Enter the Mapped IP Address to which to map the external IP address, for example the IP address of a PPTP server on an internal network.
7 Select Port Forwarding.
8 For Protocol, select TCP.
9 Enter the External Service Port number for which to configure dynamic port forwarding. The external service port number must match the destination port of the packets to be forwarded. For example, if the virtual IP provides PPTP passthrough access from the Internet to a PPTP server, the external service port number should be 1723 (the PPTP port).
10 Enter the Map to Port number, the destination port written into packets when they are forwarded. Enter the same number as the External Service Port if the port is not to be translated.
11 Select OK.
Adding a virtual IP with port translation only
When adding a virtual IP, if you enter an external IP address that is the same as the mapped IP address and apply port forwarding, the destination IP address is left unchanged, but the port number is translated.
To add a virtual IP with port translation only
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Enter a name for the virtual IP.
4 Select the virtual IP External Interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network. Select any firewall interface or a VLAN subinterface.
5 Set the External IP Address to the same address as the mapped IP address.
6 Enter the Mapped IP Address to which to map the external IP address, for example the IP address of a PPTP server on an internal network.
7 Select Port Forwarding.
8 For Protocol, select TCP.
9 Enter the External Service Port number for which to configure port forwarding. The external service port number must match the destination port of the packets to be forwarded. For example, if the virtual IP provides PPTP passthrough access from the Internet to a PPTP server, the external service port number should be 1723 (the PPTP port).
10 Enter the Map to Port number, the destination port written into packets when they are forwarded.
11 Select OK.
Note: To apply port forwarding to the external interface without binding a virtual IP address to it, enter the IP address of the network interface instead of a virtual IP address, then configure port forwarding as usual.
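The translation rules the virtual IP procedures above describe, as an added worked example. This is a Python model written for this page, not FortiOS code and not part of the original guide: it reproduces how a static NAT virtual IP derives its external address and port ranges from the mapped ranges, how a packet's destination is rewritten for a single address, an address range, port forwarding with a single port or a port range, the 0.0.0.0 dynamic virtual IP and a virtual IP with port translation only, and which validation errors the guide's rules imply (a dynamic static NAT VIP may map to only one address; ranges must not run backwards). The class and function names (Vip, forward, arp_addresses, vip_problem, example_vips) and the PPTP server address 10.10.10.50 are this example's own assumptions; the other addresses and names come from the procedures above.

```python
"""Model of FortiGate static NAT virtual IP translation (added example, not
FortiOS code). Only the first external address and port are stored; the ends
of the external ranges are derived from the mapped ranges, as the web-based
manager does when you enter a range. Names such as Vip, forward and
vip_problem, and the PPTP server address 10.10.10.50, are this example's own."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

ANY = IPv4Address("0.0.0.0")  # dynamic VIP: matches any destination address


@dataclass
class Vip:
    name: str
    extip: str                          # first external address, or "0.0.0.0"
    mappedip_start: str
    mappedip_end: str
    protocol: Optional[str] = None      # "tcp" or "udp" when port forwarding is on
    extport: Optional[int] = None       # first external service port
    mappedport_start: Optional[int] = None
    mappedport_end: Optional[int] = None

    def __post_init__(self) -> None:
        self._ext = IPv4Address(self.extip)
        self._m0, self._m1 = IPv4Address(self.mappedip_start), IPv4Address(self.mappedip_end)
        if self._m1 < self._m0:
            raise ValueError(f"{self.name}: mapped IP range end precedes start")
        if self._ext == ANY and self._m0 != self._m1:
            raise ValueError(f"{self.name}: a static NAT dynamic VIP maps to one address")
        ports = (self.protocol, self.extport, self.mappedport_start, self.mappedport_end)
        if any(p is not None for p in ports) and None in ports:
            raise ValueError(f"{self.name}: port forwarding needs protocol and all ports")
        if self.mappedport_end is not None and self.mappedport_end < self.mappedport_start:
            raise ValueError(f"{self.name}: map-to-port range end precedes start")

    @property
    def extip_end(self) -> str:
        """Last external address, computed from the size of the mapped range."""
        if self._ext == ANY:
            return "0.0.0.0"
        return str(self._ext + (int(self._m1) - int(self._m0)))

    @property
    def extport_end(self) -> Optional[int]:
        """Last external port, computed from the size of the map-to-port range."""
        if self.extport is None:
            return None
        return self.extport + (self.mappedport_end - self.mappedport_start)

    def arp_addresses(self) -> List[str]:
        """External addresses the external interface will answer ARP for."""
        if self._ext == ANY:
            return []
        count = int(IPv4Address(self.extip_end)) - int(self._ext) + 1
        return [str(self._ext + i) for i in range(count)]

    def forward(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Translated destination (ip, port) for an inbound packet, or None when
        the VIP does not match it. Source translation is left to the policy."""
        dst = IPv4Address(dst_ip)
        if self._ext == ANY:
            offset = 0                   # any destination maps to the single mapped IP
        elif self._ext <= dst <= IPv4Address(self.extip_end):
            offset = int(dst) - int(self._ext)
        else:
            return None
        new_ip = str(self._m0 + offset)
        if self.protocol is None:
            return new_ip, dst_port      # address translation only
        if proto != self.protocol or not (self.extport <= dst_port <= self.extport_end):
            return None
        return new_ip, self.mappedport_start + (dst_port - self.extport)


def vip_problem(*args, **kwargs) -> Optional[str]:
    """The validation error a Vip(...) call would raise, or None if it is valid."""
    try:
        Vip(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


def example_vips() -> Dict[str, Vip]:
    """The virtual IPs configured in the procedures above, keyed by name."""
    vips = [
        Vip("static_NAT", "192.168.37.4", "10.10.10.42", "10.10.10.42"),
        Vip("static_NAT_range", "192.168.37.4", "10.10.10.42", "10.10.10.44"),
        Vip("Port_fwd_NAT_VIP", "192.168.37.4", "10.10.10.42", "10.10.10.42",
            "tcp", 80, 8000, 8000),
        Vip("Port_fwd_NAT_VIP_port_range", "192.168.37.4", "10.10.10.42", "10.10.10.44",
            "tcp", 80, 8000, 8003),
        # dynamic VIP for PPTP passthrough; the server address is assumed
        Vip("pptp_dynamic", "0.0.0.0", "10.10.10.50", "10.10.10.50", "tcp", 1723, 1723, 1723),
        # port translation only: the external address equals the mapped address
        Vip("server-1", "172.16.1.1", "172.16.1.1", "172.16.1.1", "tcp", 8080, 80, 80),
    ]
    return {v.name: v for v in vips}
```

Calling `example_vips()["Port_fwd_NAT_VIP_port_range"].forward("tcp", "192.168.37.5", 82)` returns `("10.10.10.43", 8002)`, the translation the port range example above describes, and `forward("udp", ...)` or a port outside 80 to 83 returns None, which is why the firewall policy's service must cover the whole external port range. `arp_addresses()` lists the addresses the external interface will answer ARP for, a useful check that a new virtual IP does not claim an address that another host on the external segment already uses; the reverse translation of reply packets is not modelled because the FortiGate unit takes it from its session table rather than from the VIP alone.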
To disable arp-reply
In some cases, when you have completed this configuration the FortiGate unit will drop the packets received on the External Interface. With arp-reply enabled, the external interface answers ARP requests for the external IP address; for a port translation only virtual IP that address belongs to the real server, so the FortiGate unit and the server can both answer for it. To make sure this does not happen, you can log into the FortiGate CLI and use the following procedure to disable ARP replies for the port translation only virtual IP.
1 Log into the FortiGate CLI.
2 Enter the following command, where <vip_name> is the name of the port translation only virtual IP.
config firewall vip
    edit <vip_name>
        set arp-reply disable
    end
Virtual IP Groups
You can organize multiple virtual IPs into a virtual IP group to simplify your firewall policy
list. For example, instead of having five identical policies for five different but related virtual
IPs located on the same network interface, you might combine the five virtual IPs into a
single virtual IP group, which is used by a single firewall policy.
Firewall policies using VIP Groups are matched by comparing both the member VIP IP
address(es) and port number(s).
Viewing the VIP group list
To view the virtual IP group list, go to Firewall > Virtual IP > VIP Group.
Figure 250: VIP Group list
Create New: Select to add a new VIP group. See Configuring VIP groups on page 436.
Group Name: The name of the virtual IP group.
Members: Lists the group members.
Interface: Displays the interface that the VIP group belongs to.
Delete icon: Remove the VIP group from the list. The Delete icon only appears if the VIP group is not being used in a firewall policy.
Edit icon: Edit the VIP group information, including the group name and membership.
Configuring VIP groups
To add a VIP group, go to Firewall > Virtual IP > VIP Group and select Create New. To edit a VIP group, go to Firewall > Virtual IP > VIP Group and select the Edit icon for the VIP group to edit. Enter the information as described below, and select OK.
Figure 251: Editing a VIP group
Group Name: Enter or modify the group name.
Interface: Select the interface for which you want to create the VIP group. If you are editing the group, the Interface box is grayed out.
Available VIPs and Members: Select the up or down arrow to move virtual IPs between Available VIPs and Members. Members contains the virtual IPs that are part of this virtual IP group.
Configuring IP pools
Use IP pools to add NAT policies that translate source addresses to addresses randomly selected from the IP pool, rather than the IP address assigned to that FortiGate unit interface. In Transparent mode, IP pools are available only from the FortiGate CLI.
An IP pool defines a single IP address or a range of IP addresses. A single IP address in an IP pool becomes a range of one IP address. For example, if you enter an IP pool as 1.1.1.1 the IP pool is actually the address range 1.1.1.1 to 1.1.1.1.
If a FortiGate interface IP address overlaps with one or more IP pool address ranges, the interface responds to ARP requests for all of the IP addresses in the overlapping IP pools. For example, consider a FortiGate unit with the following IP addresses for the port1 and port2 interfaces:
port1 IP address: 1.1.1.1/255.255.255.0 (range is 1.1.1.0-1.1.1.255)
port2 IP address: 2.2.2.2/255.255.255.0 (range is 2.2.2.0-2.2.2.255)
And the following IP pools:
IP_pool_1: 1.1.1.10-1.1.1.20
IP_pool_2: 2.2.2.10-2.2.2.20
IP_pool_3: 2.2.2.30-2.2.2.40
The port1 interface overlap IP range with IP_pool_1 is:
(1.1.1.0-1.1.1.255) and (1.1.1.10-1.1.1.20) = 1.1.1.10-1.1.1.20
The port2 interface overlap IP range with IP_pool_2 is:
(2.2.2.0-2.2.2.255) and (2.2.2.10-2.2.2.20) = 2.2.2.10-2.2.2.20
The port2 interface overlap IP range with IP_pool_3 is:
(2.2.2.0-2.2.2.255) and (2.2.2.30-2.2.2.40) = 2.2.2.30-2.2.2.40
And the result is:
The port1 interface answers ARP requests for 1.1.1.10-1.1.1.20
The port2 interface answers ARP requests for 2.2.2.10-2.2.2.20 and for 2.2.2.30-2.2.2.40
Select NAT in a firewall policy and then select Dynamic IP Pool and select an IP pool to translate the source address of packets leaving the FortiGate unit to an address randomly selected from the IP pool.
IP pools and dynamic NAT
Use IP pools for dynamic NAT. For example, an organization might have purchased a range of Internet addresses but has only one Internet connection on the external interface of the FortiGate unit.
Assign one of the organization's Internet IP addresses to the external interface of the FortiGate unit. If the FortiGate unit is operating in NAT/Route mode, all connections from the organization's network to the Internet appear to come from this IP address.
For connections to originate from all the Internet IP addresses, add this address range to an IP pool. Then select Dynamic IP Pool for all policies with the external interface as the destination. For each connection, the firewall dynamically selects an IP address from the IP pool to be the source address for the connection. As a result, connections to the Internet appear to be originating from any of the IP addresses in the IP pool.
IP Pools for firewall policies that use fixed ports
Some network configurations do not operate correctly if a NAT policy translates the source port of packets used by the connection. NAT translates source ports to keep track of connections for a particular service. From the CLI you can enable fixedport for NAT policies to prevent source port translation. However, enabling fixedport means that only one connection can be supported through the firewall for this service. To be able to support multiple connections, add an IP pool, and then select Dynamic IP Pool in the policy. The firewall randomly selects an IP address from the IP pool and assigns it to each connection. In this case the number of connections that the firewall can support is limited by the number of IP addresses in the IP pool.
Source IP address and IP pool address matching
When the source addresses are translated to the IP pool addresses, one of the following three cases may occur.
Scenario 1: The number of source addresses equals that of IP pool addresses
In this case, the FortiGate unit always matches the IP addresses one to one.
If you enable fixedport in such a case, the FortiGate unit preserves the original source port. This may cause conflicts if more than one firewall policy uses the same IP pool, or the same IP addresses are used in more than one IP pool.
Original address    Change to
192.168.1.1         172.16.30.1
192.168.1.2         172.16.30.2
......              ......
192.168.1.254       172.16.30.254
Scenario 2: The number of source addresses is more than that of IP pool addresses
In this case, the FortiGate unit translates IP addresses using a wrap-around mechanism.
If you enable fixedport in such a case, the FortiGate unit preserves the original source port. But conflicts may occur, since different users may have sessions that translate to the same TCP 5-tuple.
Original address    Change to
192.168.1.1         172.16.30.10
192.168.1.2         172.16.30.11
......              ......
192.168.1.10        172.16.30.19
192.168.1.11        172.16.30.10
192.168.1.12        172.16.30.11
192.168.1.13        172.16.30.12
......              ......
Scenario 3: The number of source addresses is fewer than that of IP pool addresses
In this case, some of the IP pool addresses are used and the rest of them are not used.
Original address            Change to
192.168.1.1                 172.16.30.10
192.168.1.2                 172.16.30.11
192.168.1.3                 172.16.30.12
No more source addresses    172.16.30.13 and the remaining addresses are not used
Viewing the IP pool list
If virtual domains are enabled on the FortiGate unit, IP pools are created separately for each virtual domain. To access IP pools, select a virtual domain from the list on the main menu.
To view the IP pool list, go to Firewall > Virtual IP > IP Pool.
Figure 252: IP pool list
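The two IP pool rules described above, as an added worked example: which pool addresses an interface answers ARP for (the port1/port2 overlap example under Configuring IP pools) and how source addresses are matched to pool addresses in the three scenarios just described, including the 5-tuple collisions that fixedport can produce in scenario 2. This is a Python model written for this page, not FortiOS code and not part of the original guide. The function names (pool_addresses, arp_answered, assign_sources, unused_pool_addresses, fixedport_collisions) are this example's own, and the session list with source port 40000 and destination 198.51.100.10 is constructed sample data; the addresses and pool ranges come from the text above.

```python
"""Model of FortiGate IP pool behaviour (added example, not FortiOS code).
Function names and the sample session list are this example's own."""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Tuple

Session = Tuple[str, int, str, int]    # (source ip, source port, destination ip, destination port)


def pool_addresses(start: str, end: str) -> List[str]:
    """Expand an inclusive pool range; a single address is a range of one."""
    s, e = IPv4Address(start), IPv4Address(end)
    if e < s:
        raise ValueError("pool start must not be higher than pool end")
    return [str(s + i) for i in range(int(e) - int(s) + 1)]


def arp_answered(interface: str, pools: Dict[str, Tuple[str, str]]) -> List[str]:
    """Pool addresses that fall inside the interface subnet; the interface answers
    ARP for these in addition to its own address."""
    net = IPv4Network(interface, strict=False)
    answered = set()
    for start, end in pools.values():
        answered.update(a for a in pool_addresses(start, end) if IPv4Address(a) in net)
    return sorted(answered, key=IPv4Address)


def assign_sources(sources: List[str], start: str, end: str) -> Dict[str, str]:
    """Match source addresses to pool addresses in order, wrapping around when
    there are more sources than pool addresses (scenario 2)."""
    pool = pool_addresses(start, end)
    return {src: pool[i % len(pool)] for i, src in enumerate(sources)}


def unused_pool_addresses(mapping: Dict[str, str], start: str, end: str) -> List[str]:
    """Pool addresses that no source was matched to (scenario 3)."""
    used = set(mapping.values())
    return [a for a in pool_addresses(start, end) if a not in used]


def fixedport_collisions(sessions: List[Session], mapping: Dict[str, str]) -> List[Session]:
    """With fixedport the source port is preserved, so two sessions whose sources
    share a pool address and a source port become the same translated 5-tuple.
    Returns each translated tuple that occurs more than once."""
    seen: Dict[Session, int] = {}
    for src, sport, dst, dport in sessions:
        key = (mapping[src], sport, dst, dport)
        seen[key] = seen.get(key, 0) + 1
    return [k for k, n in seen.items() if n > 1]


def interface_example() -> Dict[str, List[str]]:
    """The port1/port2 overlap example from the text."""
    pools = {"IP_pool_1": ("1.1.1.10", "1.1.1.20"),
             "IP_pool_2": ("2.2.2.10", "2.2.2.20"),
             "IP_pool_3": ("2.2.2.30", "2.2.2.40")}
    return {"port1": arp_answered("1.1.1.1/24", pools),
            "port2": arp_answered("2.2.2.2/24", pools)}


def scenario2_example() -> Dict[str, str]:
    """Thirteen sources onto the ten-address pool 172.16.30.10-172.16.30.19."""
    sources = [f"192.168.1.{i}" for i in range(1, 14)]
    return assign_sources(sources, "172.16.30.10", "172.16.30.19")


if __name__ == "__main__":
    print(interface_example())
    m = scenario2_example()
    sessions = [("192.168.1.1", 40000, "198.51.100.10", 80),   # constructed sample sessions
                ("192.168.1.11", 40000, "198.51.100.10", 80)]
    print(fixedport_collisions(sessions, m))
```

`interface_example()` yields the eleven addresses 1.1.1.10-1.1.1.20 for port1 and the 22 addresses of the two overlapping pools for port2. `scenario2_example()` maps 192.168.1.11 back onto 172.16.30.10, so `fixedport_collisions` reports the clash when 192.168.1.1 and 192.168.1.11 both connect to the same server from source port 40000; sizing the pool to the number of sources (scenario 1) removes the collision.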
Configuring IP Pools
To add an IP pool, go to Firewall > Virtual IP > IP Pool.
Create New: Select to add an IP pool.
Name: The name of the IP pool. Select this name in a firewall policy.
Start IP: The start of the IP pool address range.
End IP: The end of the IP pool address range.
Delete icon: Select to remove the entry from the list. The Delete icon only appears if the IP pool is not being used in a firewall policy.
Edit icon: Select to edit the IP pool. You can change the Name, Interface and IP Range/Subnet.
Figure 253: New Dynamic IP Pool
Name: Enter the name of the IP pool.
IP Range/Subnet: Enter the IP address range for the IP pool. The IP range defines the start and end of an address range. The start of the range must be lower than the end of the range. The start and end of the IP range do not have to be on the same subnet as the IP address of the interface to which you are adding the IP pool.
A single IP address is entered normally. For example, 192.168.110.100 is a valid IP pool address. If an IP address range is required, use either of the following formats:
x.x.x.x-x.x.x.x, for example 192.168.110.100-192.168.110.120
x.x.x.[x-x], for example 192.168.110.[100-120]
Double NAT: combining IP pool with virtual IP
When creating a firewall policy, you can use both an IP pool and a virtual IP for double IP and/or port translation.
For example, in the following network topology:
Users in the 10.1.1.0/24 subnet use port 8080 to access server 172.16.1.1.
The server's listening port is 80.
Fixed ports must be used.
Figure 254: Double NAT
[Figure 254 shows the topology: the user subnets 10.1.1.0/24 and 10.1.2.0/24 reach the FortiGate unit's Internal interface (labelled 10.1.3.0/16) through routers without NAT, the server sits on the DMZ interface, and the External interface connects to the Internet. The figure also labels the addresses 172.16.1.1, 172.16.1.2 and 172.16.1.3.]
To allow the local users to access the server, you can use fixed ports and an IP pool to allow more than one user connection, while using a virtual IP to translate the destination port from 8080 to 80.
To create an IP pool
1 Go to Firewall > Virtual IP > IP Pool.
2 Select Create New.
3 Enter the following information and select OK.
Name: pool-1
IP Range/Subnet: 10.1.3.1-10.1.3.254
To create a virtual IP with port translation only
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Enter the following information and select OK.
Name: server-1
External Interface: Internal
Type: Static NAT
External IP Address/Range: 172.16.1.1 (note that this address is the same as the server address)
Mapped IP Address/Range: 172.16.1.1
Port Forwarding: Enable
Protocol: TCP
External Service Port: 8080
Map to Port: 80
To create a firewall policy
Add an internal to dmz firewall policy that uses the virtual IP to translate the destination port number and the IP pool to translate the source addresses.
1 Go to Firewall > Policy.
2 Select Create New.
3 Configure the firewall policy:
Source Interface/Zone: internal
Source Address: 10.1.1.0/24
Destination Interface/Zone: dmz
Destination Address: server-1
Schedule: always
Service: HTTP. The policy service is matched against the external port the users connect to (8080), so a service defined as TCP port 80 only will not match; use a service that includes TCP port 8080.
Action: ACCEPT
NAT: Select
Dynamic IP Pool: Select, and select the pool-1 IP pool.
4 Select OK.
5 Because this configuration requires fixed ports, enable fixedport for the policy from the CLI (see IP Pools for firewall policies that use fixed ports on page 438).
Adding NAT firewall policies in transparent mode
Similar to operating in NAT/Route mode, when operating a FortiGate unit in Transparent mode you can add firewall policies and:
Enable NAT to translate the source addresses of packets as they pass through the FortiGate unit.
Add virtual IPs to translate destination addresses of packets as they pass through the FortiGate unit.
Add IP pools as required for source address translation.
For NAT firewall policies to work in NAT/Route mode you must have two interfaces on two different networks with two different subnet addresses. Then you can create firewall policies to translate source or destination addresses for packets as they are relayed by the FortiGate unit from one interface to the other.
A FortiGate unit operating in Transparent mode normally has only one IP address, the management IP. To support NAT in Transparent mode you can add a second management IP. These two management IPs must be on different subnets. When you add two management IP addresses, all FortiGate unit network interfaces will respond to connections to both of these IP addresses.
In the example shown in Figure 255, all of the PCs on the internal network (subnet address 192.168.1.0/24) are configured with 192.168.1.99 as their default route. One of the management IPs of the FortiGate unit is set to 192.168.1.99. This configuration results in a typical NAT mode firewall. When a PC on the internal network attempts to connect to the Internet, the PC's default route sends packets destined for the Internet to the FortiGate unit internal interface.
Similarly, on the DMZ network (subnet address 10.1.1.0/24) all of the PCs have a default route of 10.1.1.99.
The example describes adding an internal to wan1 firewall policy to relay these packets
from the internal interface out the wan1 interface to the Internet. Because the wan1
interface does not have an IP address of its own, you must add an IP pool to the wan1
interface that translates the source addresses of the outgoing packets to an IP address on
the network connected to the wan1 interface.
The example describes adding an IP pool with a single IP address of 10.1.1.201. So all
packets sent by a PC on the internal network that are accepted by the internal to wan1
policy leave the wan1 interface with their source address translated to 10.1.1.201. These
packets can now travel across the Internet to their destination. Reply packets return to the
wan1 interface because they have a destination address of 10.1.1.201. The internal to
wan1 NAT policy translates the destination address of these return packets to the IP
address of the originating PC and sends them out the internal interface to the originating
PC.
Use the following steps to configure NAT in Transparent mode:
Adding two management IPs
Adding an IP pool to the wan1 interface
Adding an internal to wan1 firewall policy
Figure 255: Example NAT in Transparent mode configuration
[Figure 255 shows a FortiGate unit in Transparent mode with management IPs 10.1.1.99 and 192.168.1.99. The Internal interface connects to the internal network 192.168.1.0/24, the DMZ interface to the DMZ network 10.1.1.0/24, and the WAN 1 interface to a router and the Internet.]
To add a source address translation NAT policy in Transparent mode
1 Enter the following command to add two management IPs.
The second management IP is the default gateway for the internal network.
config system settings
    set manageip 10.1.1.99/24 192.168.1.99/24
end
2 Enter the following command to add an IP pool to the wan1 interface:
config firewall ippool
    edit nat-out
        set interface "wan1"
        set startip 10.1.1.201
        set endip 10.1.1.201
end
3 Enter the following command to add an internal to wan1 firewall policy with NAT enabled that also includes an IP pool:
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
        set ippool enable
        set poolname nat-out
end
Note: You can add the firewall policy from the web-based manager and then use the CLI to enable NAT and add the IP Pool.
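An added check for the three CLI snippets above, written in Python (not Fortinet code): it parses the config/edit/set/end structure and verifies the constraints the procedure states, that the two management IPs are on different subnets and that the pool named by the policy exists. The further checks, that the pool is bound to the policy's destination interface and that its addresses lie on the subnet of one management IP (as 10.1.1.201 does here), follow this page's example and are assumptions of the example rather than documented FortiOS rules; the parser and function names are likewise constructed.

```python
# Added example (not Fortinet code): parse the CLI from steps 1 to 3 and check the
# constraints the procedure states. CONFIG is the page's own configuration. The checks
# that the pool is bound to the policy's destination interface and that its addresses
# sit on a management-IP subnet follow this page's example and are assumptions.
import ipaddress
import shlex

CONFIG = """
config system settings
    set manageip 10.1.1.99/24 192.168.1.99/24
end
config firewall ippool
    edit nat-out
        set interface "wan1"
        set startip 10.1.1.201
        set endip 10.1.1.201
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
        set ippool enable
        set poolname nat-out
end
"""


def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}} for FortiOS CLI text.
    'config' opens a table, 'edit' opens an entry (None for tables without entries),
    'next' closes the entry, and 'end' closes the entry and the table."""
    tree, table, entry = {}, None, None
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            table, entry = " ".join(args), None
            tree.setdefault(table, {})
        elif cmd == "edit":
            entry = args[0]
            tree[table].setdefault(entry, {})
        elif cmd == "set":
            tree[table].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            table, entry = None, None
        else:
            raise ValueError(f"unexpected CLI keyword: {line.strip()}")
    return tree


def check_transparent_nat(tree):
    """Return the list of problems found; an empty list means the snippet is consistent."""
    problems = []
    manage = [ipaddress.ip_interface(a)
              for a in tree.get("system settings", {}).get(None, {}).get("manageip", [])]
    if len(manage) != 2:
        problems.append("NAT in Transparent mode needs two management IPs")
    if len({m.network for m in manage}) != len(manage):
        problems.append("the management IPs must be on different subnets")
    pools = tree.get("firewall ippool", {})
    for pid, pol in tree.get("firewall policy", {}).items():
        if pol.get("nat") != ["enable"] or pol.get("ippool") != ["enable"]:
            continue
        name = pol.get("poolname", [""])[0]
        pool = pools.get(name)
        if pool is None:
            problems.append(f"policy {pid}: IP pool {name!r} does not exist")
            continue
        if pool.get("interface") != pol.get("dstintf"):   # assumption, see lead-in
            problems.append(f"policy {pid}: pool {name} is not bound to the destination interface")
        start, end = (ipaddress.ip_address(pool[k][0]) for k in ("startip", "endip"))
        if end < start:
            problems.append(f"pool {name}: endip {end} precedes startip {start}")
        if not any(start in m.network and end in m.network for m in manage):  # assumption
            problems.append(f"pool {name}: {start}-{end} is not on a management IP subnet")
    return problems


def problems_for(text):
    return check_transparent_nat(parse_fortios(text))


if __name__ == "__main__":
    print(problems_for(CONFIG) or "configuration is consistent")
```

Running the check on the page's snippet reports no problems; editing the second management IP onto 10.1.1.0/24, or misspelling the pool name in the policy, produces the corresponding message.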
Firewall Load Balance
Use the FortiGate load balancing function to intercept the incoming traffic and share it
across the available servers. By doing so, the FortiGate unit enables multiple servers to
respond as if they were a single device or server. This in turn means that more
simultaneous requests can be handled.
There are additional benefits to server load balancing. Firstly, because the load is
distributed across multiple servers, the service being provided can be highly available. If
one of the servers breaks down, the load can still be handled by the other servers.
Secondly, this increases scalability. If the load increases substantially, more servers can
be added behind the FortiGate unit in order to cope with the increased load.
This section describes:
How FortiGate load balancing works
Configuring virtual servers
Configuring real servers
Configuring health check monitors
Monitoring the servers
Load balancing examples
How FortiGate load balancing works
Go to Firewall > Load Balance > Virtual Server to configure virtual servers on the FortiGate unit (the load balancer). Then add real servers by going to Firewall > Load Balance > Real Server. Each real server must be bound to a virtual server.
You can bind up to 8 real servers to one virtual server. The real server topology is transparent to end users: users interact with the system as if it were a single server with the IP address and port number of the virtual server. The real servers may be interconnected by a high-speed LAN or by a geographically dispersed WAN. The FortiGate unit schedules requests to the real servers so that the parallel services of the virtual server appear to come from a single IP address.
Figure 256: Virtual server and real servers setup
[Figure 256 shows a User on the Internet/Intranet connecting to the FortiGate unit (Virtual Server/Load Balancer), which forwards sessions over the LAN/WAN to three Real Servers.]
Configuring virtual servers
Configure a virtual server's external IP address and bind it to a FortiGate interface. When you bind the virtual server's external IP address to a FortiGate unit interface, by default the network interface responds to ARP requests for the bound IP address. Virtual servers use proxy ARP, as defined in RFC 1027, so that the FortiGate unit can respond to ARP requests on a network for a real server that is actually installed on another network. To disable ARP replies, see the FortiGate CLI Reference.
To view the virtual server list, go to Firewall > Load Balance > Virtual Server.
For limitations on creating virtual servers, see Virtual IP, load balance virtual server and load balance real server limitations on page 425.
Figure 257: Virtual server list
Create New: Select to add virtual servers. For more information, see To create a virtual server on page 447.
Name: Name of the virtual server.
Type: The protocol load balanced by the virtual server.
Comments: A description of the virtual server.
Virtual Server IP: The IP address of the virtual server. This is an IP address on the external interface that you want to map to an address on the destination network.
Virtual Server Port: The external port number that you want to map to a port number on the destination network. Sessions with this destination port are load balanced by this virtual server.
Load Balance Method: The load balancing method for this virtual server.
Health Check: The health check monitor selected for this virtual server. For more information, see Health Check on page 450.
Persistence: The type of persistence applied to this virtual server.
Delete icon: Remove the virtual server from the list. The Delete icon only appears if the virtual server is not bound to a real server.
Edit icon: Edit the virtual server to change any virtual server option, including the virtual server name.
To create a virtual server
1 Go to Firewall > Load Balance > Virtual Server > Create New.
Figure 258: Creating a virtual server
2 Complete the following:
Name: Enter the name for the virtual server. This name is not the hostname for the FortiGate unit.
Type: Select the protocol to be load balanced by the virtual server. If you select a general protocol such as IP, TCP, or UDP the virtual server load balances all IP, TCP, or UDP sessions. If you select specific protocols such as HTTP, HTTPS, or SSL you can apply additional server load balancing features such as Persistence and HTTP Multiplexing.
Select HTTP to load balance only HTTP sessions with a destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced (usually port 80 for HTTP sessions). You can also select HTTP Multiplex. You can also set Persistence to HTTP Cookie to select cookie-based persistence. See the description of the config firewall vip command in the FortiGate CLI Reference for information about advanced HTTP Cookie persistence options.
Select HTTPS to load balance only HTTPS sessions with a destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced (usually port 443 for HTTPS sessions). You can also select HTTP Multiplex. You can also set Persistence to HTTP Cookie to select cookie-based persistence. You can also set Persistence to SSL Session ID. See the description of the config firewall vip command in the FortiGate CLI Reference for information about advanced HTTP Cookie persistence options and advanced SSL options. HTTPS is available on FortiGate units that support SSL acceleration.
Select IP to load balance all sessions accepted by the firewall policy that contains this virtual server.
Select SSL to load balance only SSL sessions with a destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced. See the description of the config firewall vip command in the FortiGate CLI Reference for information about advanced SSL options.
Select TCP to load balance only TCP sessions with a destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced.
Select UDP to load balance only UDP sessions with a destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced.
Interface: Select the virtual server external interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network.
Virtual Server IP: The IP address of the virtual server. This is an IP address on the external interface that you want to map to an address on the destination network.
Virtual Server Port: Enter the external port number that you want to map to a port number on the destination network. Sessions with this destination port are load balanced by this virtual server.
Load Balance Method: Load balancing methods include:
Static: The traffic load is spread evenly across all servers; no additional server is required. This load balancing method provides some persistence because all sessions from the same source address always go to the same server. However, the distribution is stateless, so if a real server is added or removed (or goes up or down) the distribution changes and persistence is lost. Separate real servers are not required.
Round Robin: Directs requests to the next server, and treats all servers as equals regardless of response time or number of connections. Dead or non-responsive servers are avoided. A separate server is required.
Weighted: Servers with a higher weight value receive a larger percentage of connections. Set the server weight when adding a server.
First Alive: Always directs requests to the first alive real server. In this case "first" refers to the order of the real servers in the virtual server configuration. For example, if you add real servers A, B and C in that order, then traffic always goes to A as long as it is alive. If A goes down then traffic goes to B, and if B goes down the traffic goes to C. If A comes back up traffic goes to A. Real servers are ordered in the virtual server configuration in the order in which you add them, with the most recently added real server last. If you want to change the order you must delete and re-add real servers as required.
Least RTT: Directs requests to the server with the least round trip time. The round trip time is determined by a Ping health check monitor and defaults to 0 if no Ping health check monitors are added to the virtual server.
Least Session: Directs requests to the server that has the least number of current connections. This method works best in environments where the servers or other equipment you are load balancing have similar capabilities.
Persistence: Configure persistence to make sure that a user is connected to the same server every time they make a request that is part of the same session.
When you configure persistence, the FortiGate unit load balances a new session to a real server according to the Load Balance Method. If the session has an HTTP cookie or an SSL session ID, the FortiGate unit sends all subsequent sessions with the same HTTP cookie or SSL session ID to the same real server.
You can configure persistence if Type is set to HTTP, HTTPS, or SSL.
Select None for no persistence. Sessions are distributed solely according to the Load Balance Method. Setting Load Balance Method to Static (the default) results in behavior equivalent to persistence. See the description of Load Balance Method for more information.
Select HTTP Cookie so that all HTTP or HTTPS sessions with the same HTTP session cookie are sent to the same real server. HTTP Cookie is available if Type is set to HTTP or HTTPS. See the description of the config firewall vip command in the FortiGate CLI Reference for information about advanced HTTP Cookie persistence options.
Select SSL Session ID so that all sessions with the same SSL session ID are sent to the same real server. SSL Session ID is available if Type is set to HTTPS or SSL.
Note: The Static load balancing method provides persistence as long as the number of real servers does not change.
HTTP Multiplexing: Select to use the FortiGate unit to multiplex multiple client connections into a few connections between the FortiGate unit and the real server. This can improve performance by reducing server overhead associated with establishing multiple connections. The server must be HTTP/1.1 compliant.
This option appears only if HTTP or HTTPS is selected for Type.
Note: Additional HTTP Multiplexing options are available in the CLI. For more information, see the FortiGate CLI Reference.
Preserve Client IP: Select to preserve the IP address of the client in the X-Forwarded-For HTTP header. This can be useful if you want log messages on the real servers to record the client's original IP address. If this option is not selected, the header contains the IP address of the FortiGate unit.
This option appears only if HTTP or HTTPS is selected for Type, and is available only if HTTP Multiplexing is selected.
SSL Offloading: Select to accelerate clients' SSL connections to the server by using the FortiGate unit to perform SSL operations, then select which segments of the connection will receive SSL offloading.
Client <-> FortiGate: Select to apply hardware accelerated SSL only to the part of the connection between the client and the FortiGate unit. The segment between the FortiGate unit and the server will use clear text communications. This results in the best performance, but cannot be used in failover configurations where the failover path does not have an SSL accelerator.
Client <-> FortiGate <-> Server: Select to apply hardware accelerated SSL to both parts of the connection: the segment between the client and the FortiGate unit, and the segment between the FortiGate unit and the server. The segment between the FortiGate unit and the server will use encrypted communications, but the handshakes will be abbreviated. This results in performance which is less than the other option, but still improved over communications without SSL acceleration, and can be used in failover configurations where the failover path does not have an SSL accelerator. If the server is already configured to use SSL, this also enables SSL acceleration without requiring changes to the server's configuration.
SSL 3.0 and TLS 1.0 are supported.
SSL Offloading appears only if HTTPS or SSL is selected for Type, and only on FortiGate models with hardware that supports SSL acceleration.
Note: Additional SSL Offloading options are available in the CLI. For more information, see the FortiGate CLI Reference.
Certificate: Select the certificate to use with SSL Offloading. The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported.
This option appears only if HTTPS or SSL is selected for Type, and is available only if SSL Offloading is selected.
Health Check: Select which health check monitor configuration will be used to determine a server's connectivity status. For information on configuring health check monitors, see Configuring health check monitors on page 451.
Comments: Any comments or notes about this virtual server.
3 Select OK.
Configuring real servers
Configure a real server to bind it to a virtual server.
To view the real server list, go to Firewall > Load Balance > Real Server.
For limitations on creating real servers, see Virtual IP, load balance virtual server and load balance real server limitations on page 425.
Figure 259: Real server list
Create New: Select to add real servers. For more information, see To create a real server on page 451.
IP Address: Select the blue arrow beside a virtual server name to view the IP addresses of the real servers that are bound to it.
Port: The port number on the destination network to which the external port number is mapped.
Weight: The weight value of the real server. The higher the weight value, the higher the percentage of connections the server will handle.
Max Connections: The limit on the number of active connections directed to a real server. If the maximum number of connections is reached for the real server, the FortiGate unit will automatically switch all further connection requests to another server until the connection number drops below the specified limit.
Delete icon: Remove the real server from the list.
Edit icon: Edit the real server to change any real server option.
To create a real server
1 Go to Firewall > Load Balance > Real Server > Create New.
Figure 260: Creating a real server
2 Complete the following:
Virtual Server: Select the virtual server to which you want to bind this real server.
IP: Enter the IP address of the real server.
Port: Enter the port number on the destination network to which the external port number is mapped.
Weight: Enter the weight value of the real server. The higher the weight value, the higher the percentage of connections the server will handle. A range of 1-255 can be used. This option is available only if the associated virtual server's load balance method is Weighted.
Maximum Connections: Enter the limit on the number of active connections directed to a real server. A range of 1-99999 can be used. If the maximum number of connections is reached for the real server, the FortiGate unit will automatically switch all further connection requests to another server until the connection number drops below the specified limit. Setting Maximum Connections to 0 means that the FortiGate unit does not limit the number of connections to the real server.
3 Select OK.
Configuring health check monitors
You can specify which health check monitor configuration to use when polling to determine a virtual server's connectivity status.
Health check monitor configurations can specify TCP, HTTP or ICMP PING. A health check occurs every number of seconds indicated by the interval. If a reply is not received within the timeout period, and you have configured the health check to retry, it will attempt a health check again; otherwise, the virtual server is deemed unresponsive, and load balancing will compensate by disabling traffic to that server until it becomes responsive again.
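The Load Balance Method, Persistence and Maximum Connections options described above, together with the rule that a server deemed unresponsive by its health check receives no traffic, as an added simulation in Python. This is not FortiOS code: the RealServer and VirtualServer names, the CRC32 hash used for the Static method and the RTT and session numbers are constructed for the example; the real server IPs are those of the worked examples later in this chapter.

```python
# Added example (not FortiOS code): simulation of the virtual server scheduling rules on
# this page. RealServer mirrors the real server options; VirtualServer.dispatch() applies
# the Load Balance Method, HTTP Cookie / SSL Session ID persistence, Maximum Connections
# and health status. The CRC32 hash used for Static and all RTT/session numbers are
# constructed for the example; the IPs are those of the worked examples in this chapter.
from dataclasses import dataclass
from typing import Dict, List, Optional
import zlib


@dataclass
class RealServer:
    ip: str
    port: int = 80
    weight: int = 1            # Weighted method; 1-255 on the page
    max_connections: int = 0   # 0 means the FortiGate unit does not limit connections
    alive: bool = True         # result of the health check monitor
    rtt_ms: float = 0.0        # Ping monitor result; 0 when no Ping monitor is configured
    sessions: int = 0          # current connections (Least Session, Maximum Connections)

    def has_capacity(self) -> bool:
        """New sessions go only to a server that is up and below its connection limit."""
        return self.alive and (self.max_connections == 0 or self.sessions < self.max_connections)


class VirtualServer:
    METHODS = ("static", "round-robin", "weighted", "first-alive", "least-rtt", "least-session")

    def __init__(self, method: str, real_servers: List[RealServer]):
        if method not in self.METHODS:
            raise ValueError(f"unknown load balance method {method!r}")
        self.method = method
        self.real = list(real_servers)     # order of addition, which First Alive relies on
        self.counter = 0                   # Round Robin / Weighted position
        self.persist: Dict[str, RealServer] = {}   # cookie or SSL session ID -> server

    def _candidates(self) -> List[RealServer]:
        eligible = [s for s in self.real if s.has_capacity()]
        if not eligible:
            raise RuntimeError("no real server is alive and below its connection limit")
        return eligible

    def _pick(self, src_ip: str) -> RealServer:
        c = self._candidates()
        if self.method == "static":
            # Stateless hash of the source address: a client always lands on the same
            # server, but the mapping changes whenever a server joins or leaves the set.
            return c[zlib.crc32(src_ip.encode()) % len(c)]
        if self.method == "first-alive":
            return c[0]
        if self.method == "least-rtt":
            return min(c, key=lambda s: s.rtt_ms)
        if self.method == "least-session":
            return min(c, key=lambda s: s.sessions)
        # Round Robin, or Weighted with each server repeated `weight` times in the ring
        ring = c if self.method == "round-robin" else [s for s in c for _ in range(max(1, s.weight))]
        chosen = ring[self.counter % len(ring)]
        self.counter += 1
        return chosen

    def dispatch(self, src_ip: str, session_key: Optional[str] = None) -> RealServer:
        """Choose the real server for a new session. session_key is the HTTP cookie or
        SSL session ID; a key seen before is sent to the server it was first balanced to."""
        server = self.persist.get(session_key) if session_key is not None else None
        if server is None or not server.has_capacity():
            server = self._pick(src_ip)
            if session_key is not None:
                self.persist[session_key] = server
        server.sessions += 1
        return server


def example_pool() -> List[RealServer]:
    """The three real servers of the worked example, in the order they were added."""
    return [RealServer("10.10.10.42"), RealServer("10.10.10.43"), RealServer("10.10.10.44")]


def first_alive_failover():
    """First Alive sends everything to .42 until its health check fails, then to .43."""
    vs = VirtualServer("first-alive", example_pool())
    before = [vs.dispatch("172.199.190.25").ip for _ in range(2)]
    vs.real[0].alive = False                       # health check marks .42 down
    return before, vs.dispatch("172.199.190.25").ip


if __name__ == "__main__":
    print("first alive:", first_alive_failover())
    rr = VirtualServer("round-robin", example_pool())
    print("round robin:", [rr.dispatch(f"198.51.100.{i}").ip for i in range(4)])
    print("persistence:", [rr.dispatch("203.0.113.9", "cookie-A").ip for _ in range(3)])
```

dispatch() returns the real server for a new session; calling it repeatedly with the same session_key shows HTTP Cookie or SSL Session ID persistence, setting alive to False on the first server shows the First Alive failover the table describes, and a server whose max_connections is reached is skipped until its session count drops.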
Figure 261: Health check monitor
Create New: Select to add a health check monitor configuration. For more information, see To create a health check monitor configuration on page 452.
Name: The name of the health check monitor configuration. The names are grouped by the health check monitor types.
Details: The details of the health check monitor configuration, which vary by the type of the health check monitor, and do not include the interval, timeout, or retry, which are settings common to all types. This field is empty if the type of the health check monitor is PING.
Delete: Select to remove the health check monitor configuration. This option appears only if the health check monitor configuration is not currently being used by a virtual server configuration.
Edit: Select to change the health check monitor configuration.
To create a health check monitor configuration
1 Go to Firewall > Virtual IP > Health Check Monitor > Create New.
Figure 262: Creating a health check monitor
2 Complete the following:
Name: Enter the name of the health check monitor configuration.
Type: Select the protocol used to perform the health check: TCP, HTTP, or PING.
Port: Enter the port number used to perform the health check. If you set the Port to 0, the health check monitor uses the port defined in the real server. This way you can use a single health check monitor for different real servers. This option does not appear if the Type is PING.
URL: For HTTP health check monitors, add a URL that the FortiGate unit uses when sending a get request to check the health of an HTTP server. The URL should match an actual URL for the real HTTP servers. The URL is optional. The URL would not usually include an IP address or domain name. Instead it should start with a / and be followed by the address of an actual web page on the real server. For example, if the IP address of the real server is 10.10.10.1, the URL /test_page.htm causes the FortiGate unit to send an HTTP get request to http://10.10.10.1/test_page.htm. This option appears only if Type is HTTP.
Matched Content: For HTTP health check monitors, add a phrase that a real HTTP server should include in response to the get request sent by the FortiGate unit using the content of the URL option. If the URL returns a web page, the Matched Content should exactly match some of the text on the web page. You can use the URL and Matched Content options to verify that an HTTP server is actually operating correctly by responding to get requests with expected web pages. Matched content is only required if you add a URL. For example, you can set Matched Content to "server test page" if the real HTTP server page defined by the URL option contains the phrase "server test page". When the FortiGate unit receives the web page in response to the URL get request, the system searches the content of the web page for the Matched Content phrase. This option appears only if Type is HTTP.
Interval: Enter the number of seconds between each server health check.
Timeout: Enter the number of seconds which must pass after the server health check to indicate a failed health check.
Retry: Enter the number of times, if any, a failed health check will be retried before the server is determined to be inaccessible.
3 Select OK.
Monitoring the servers
You can monitor the status of each virtual server and real server and start or stop the real servers.
Figure 263: Server monitor
Virtual Server: The IP addresses of the existing virtual servers.
Real Server: The IP addresses of the existing real servers.
Health Status: Display the health status according to the health check results for each real server. A green arrow means the server is up. A red arrow means the server is down.
Monitor Events: Display each real server's up and down times.
Active Sessions: Display each real server's active sessions.
RTT (ms): Display the Round Trip Time of each real server. By default, the RTT is <1. This value changes only when ping monitoring is enabled on a real server.
Bytes Processed: Display the traffic processed by each real server.
Graceful Stop/Start: Select to start or stop real servers. When stopping a server, the FortiGate unit will not accept new sessions but will wait for the active sessions to finish.
Load balancing examples
This section includes the following examples:
Configuring a virtual web server with three real web servers
Adding a server load balance port forwarding virtual IP
Weighted load balancing configuration
HTTP and HTTPS persistence configuration
Configuring a virtual web server with three real web servers
In this example, the virtual web server IP address 192.168.37.4 on the Internet is mapped to three real web servers connected to the FortiGate unit dmz1 interface. The real servers have IP addresses 10.10.123.42, 10.10.123.43, and 10.10.123.44. The virtual server uses the First Alive load balancing method. The configuration also includes an HTTP health check monitor that includes a URL used by the FortiGate unit for get requests to monitor the health of the real servers.
Connections to the virtual web server at IP address 192.168.37.4 from the Internet are translated and load balanced to the real servers by the FortiGate unit. First alive load balancing directs all sessions to the first real server. The computers on the Internet are unaware of this translation and load balancing and see a single virtual server at IP address 192.168.37.4 rather than the three real servers behind the FortiGate unit.
Figure 264: Virtual server configuration example
[Figure 264 shows a client (Client IP 172.199.190.25) on the Internet connecting to the HTTP load balancing virtual server (Virtual Server IP 192.168.37.4). The FortiGate unit (dmz1 IP 10.10.10.2) forwards the sessions to the real HTTP servers 10.10.10.42, 10.10.10.43 and 10.10.10.44 on the DMZ network. Incoming packets: Source IP 172.199.190.25, Destination IP 192.168.37.4. Forwarded packets: Source IP 10.10.10.2, Destination IP range 10.10.10.[42-44].]
To add an HTTP health check monitor
In this example, the HTTP health check monitor includes the URL /index.html and the Matched Phrase Fortinet products.
1 Go to Firewall > Load Balance > Health Check Monitor.
2 Select Create New.
3 Add an HTTP health check monitor that sends get requests to http://<real_server_IP_address>/index.html and searches the returned web page for the phrase Fortinet products.
Name: HTTP_health_chk_1
Type: HTTP
Port: 80
URL: /index.html
Matched Content: Fortinet products
Interval: 10 seconds
Timeout: 2 seconds
Retry: 3
Figure 265: Example HTTP health monitor
4 Select OK.
To add the HTTP virtual server
1 Go to Firewall > Load Balance > Virtual Server.
2 Select Create New.
3 Add an HTTP virtual server that allows users on the Internet to connect to the real servers on the internal network. In this example, the FortiGate wan1 interface is connected to the Internet.
Figure 266: Virtual HTTP server configuration
Name: Load_Bal_VS1
Type: HTTP
Interface: wan1
Virtual Server IP: 192.168.37.4. The public IP address of the web server. The virtual server IP address is usually a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.
Virtual Server Port: 80
Load Balance Method: First Alive
Persistence: HTTP cookie
HTTP Multiplexing: Select. The FortiGate unit multiplexes multiple client connections into a few connections between the FortiGate unit and a real HTTP server. This can improve performance by reducing server overhead associated with establishing multiple connections.
Preserve Client IP: Select. The FortiGate unit preserves the IP address of the client in the X-Forwarded-For HTTP header.
Health Check: Move the HTTP_health_chk_1 health check monitor to the Selected list.
4 Select OK.
To add the real servers and associate them with the virtual server
1 Go to Firewall > Load Balance > Real Server.
2 Select Create New.
3 Configure three real servers that include the virtual server Load_Bal_VS1. Each real server must include the IP address of a real server on the internal network.
Figure 267: Configuration for the real server at IP address 10.10.10.42
Configuration for the first real server.
Virtual Server: Load_Bal_VS1
IP: 10.10.10.42
Port: 80
Weight: Cannot be configured because the virtual server does not include weighted load balancing.
Maximum Connections: 0. Setting Maximum Connections to 0 means the FortiGate unit does not limit the number of connections to the real server. Since the virtual server uses First Alive load balancing you may want to limit the number of connections to each real server to limit the traffic received by each server. In this example, Maximum Connections is initially set to 0 but can be adjusted later if the real servers are getting too much traffic.
Configuration for the second real server.
Virtual Server: Load_Bal_VS1
IP: 10.10.10.43
Port: 80
Weight: Cannot be configured because the virtual server does not include weighted load balancing.
Maximum Connections: 0. As for the first real server, 0 means the FortiGate unit does not limit the number of connections to the real server.
Configuration for the third real server.
Virtual Server: Load_Bal_VS1
IP: 10.10.10.44
Port: 80
Weight: Cannot be configured because the virtual server does not include weighted load balancing.
Maximum Connections: 0. As for the first real server, 0 means the FortiGate unit does not limit the number of connections to the real server.
To add the virtual server to a firewall policy
Add a wan1 to dmz1 firewall policy that uses the virtual server so that when users on the Internet attempt to connect to the web server's IP address, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination address of these packets from the virtual server IP address to the real server IP addresses.
1 Go to Firewall > Policy.
2 Select Create New.
3 Configure the firewall policy:
Figure 268: Adding a firewall policy for the virtual server
Source Interface/Zone wan1
Source Address all (or a more specific address)
Destination Interface/Zone dmz1
Destination Address Load_Bal_VS1
Schedule always
Firewall Load Balance Load balancing examples
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20091022 459
http://docs.fortinet.com/ Feedback
4 Select other firewall options as required.
5 Select OK.
Adding a server load balance port forwarding virtual IP
This example is the same as the example described in Configuring a virtual web server
with three real web servers on page 454 except that each real server accepts HTTP
connections on a different port number. The first real server accepts connections on port
8080, the second on port 8081, and the third on 8082.
Figure 269: Server load balance virtual IP port forwarding
To complete this configuration, all of the steps would be the same as in Configuring a
virtual web server with three real web servers on page 454 except for configuring the real
servers.
To add the real servers and associate them with the virtual server
Use the following steps to configure the FortiGate unit to port forward HTTP packets to the
three real servers on ports 8080, 8081, and 8082.
1 Go to Firewall > Load Balance > Real Server.
2 Select Create New.
3 Configure three real servers that include the virtual server Load_Bal_VS1. Each real
server must include the IP address of a real server on the internal network and have a
different port number.
Configuration for the first real server.
Configuration for the second real server.
Service HTTP
Action ACCEPT
NAT Select
Log Allowed Traffic Select to log virtual server traffic
Virtual Server Load_Bal_VS1
IP 10.10.10.42
Port 8080
Weight Cannot be configured because the virtual server does not include
weighted load balancing.
Maximum Connections 0
dmz1 IP
10.10.10.2
HTTP load balancing
virtual server
Source IP 172.199.190.25
Destination IP 192.168.37.4
Port 80
Source IP 10.10.10.2
Destination IP Range 10.10.10.[42-44]
Port Range 8080 - 8082
Virtual Server IP
192.168.37.4
Client IP
172.199.190.25
DMZ network
Real HTTP
Server IP
10.10.10.42
Real HTTP
Server IP
10.10.10.43
Real HTTP
Server IP
10.10.10.44
3 1
2
3 1
2
Load balancing examples Firewall Load Balance
FortiGate Version 4.0 MR1 Administration Guide
460 01-410-89802-20091022
http://docs.fortinet.com/ Feedback
Virtual Server Load_Bal_VS1
IP 10.10.10.43
Port 8081
Weight Cannot be configured because the virtual server does not include weighted load balancing.
Maximum Connections 0
Configuration for the third real server.
Virtual Server Load_Bal_VS1
IP 10.10.10.44
Port 8082
Weight Cannot be configured because the virtual server does not include weighted load balancing.
Maximum Connections 0
Weighted load balancing configuration
This example shows how to use firewall load balancing to load balance all traffic among 3 real servers. In the example the Internet is connected to port2 and the virtual IP address of the virtual server is 192.168.20.20. The load balancing method is weighted. The IP addresses of the real servers are 10.10.10.1, 10.10.10.2, and 10.10.10.3. The weights for the real servers are 1, 2, and 3.
This configuration does not include a health check monitor.
To add the HTTP virtual server
1 Go to Firewall > Load Balance > Virtual Server.
2 Select Create New.
3 Add an IP virtual server that allows users on the Internet to connect to the real servers on the internal network. In this example, the FortiGate port2 interface is connected to the Internet.
Name All_Load_Balance
Type IP
Interface port2
Virtual Server IP 192.168.20.20
Load Balance Method Weighted
All other virtual server settings are not required or cannot be changed.
4 Select OK.
To add the real servers and associate them with the virtual server
1 Go to Firewall > Load Balance > Real Server.
2 Select Create New.
3 Configure three real servers that include the virtual server All_Load_Balance. Because the Load Balancing Method is Weighted, each real server includes a weight. Servers with a greater weight receive a greater proportion of forwarded connections.
Configuration for the first real server.
Virtual Server All_Load_Balance
IP 10.10.10.1
Port Cannot be configured because the virtual server is an IP server.
Weight 1
Maximum Connections 0
Setting Maximum Connections to 0 means the FortiGate unit does not limit the number of connections to the real server. Since the virtual server uses First Alive load balancing you may want to limit the number of connections to each real server to limit the traffic received by each server. In this example, the Maximum Connections is initially set to 0 but can be adjusted later if the real servers are getting too much traffic.
Configuration for the second real server.
Virtual Server All_Load_Balance
IP 10.10.10.2
Port Cannot be configured because the virtual server is an IP server.
Weight 2
Maximum Connections 0
Setting Maximum Connections to 0 means the FortiGate unit does not limit the number of connections to the real server. Since the virtual server uses First Alive load balancing you may want to limit the number of connections to each real server to limit the traffic received by each server. In this example, the Maximum Connections is initially set to 0 but can be adjusted later if the real servers are getting too much traffic.
Configuration for the third real server.
Virtual Server All_Load_Balance
IP 10.10.10.3
Port Cannot be configured because the virtual server is an IP server.
Weight 3
Maximum Connections 0
Setting Maximum Connections to 0 means the FortiGate unit does not limit the number of connections to the real server. Since the virtual server uses First Alive load balancing you may want to limit the number of connections to each real server to limit the traffic received by each server. In this example, the Maximum Connections is initially set to 0 but can be adjusted later if the real servers are getting too much traffic.
To add the virtual server to a firewall policy
Add a port2 to port1 firewall policy that uses the virtual server so that when users on the Internet attempt to connect to the web server's IP address, packets pass through the FortiGate unit from the port2 interface to the port1 interface. The virtual IP translates the destination address of these packets from the virtual server IP address to the real server IP addresses.
1 Go to Firewall > Policy.
2 Select Create New.
3 Configure the firewall policy:
Source Interface/Zone port2
Source Address all (or a more specific address)
Destination Interface/Zone port1
Destination Address All_Load_Balance
Schedule always
Service ANY
Action ACCEPT
NAT Select
4 Select other firewall options as required.
5 Select OK.
CLI configuration
Load balancing is configured from the CLI using the config firewall vip command and by setting type to server-load-balance. The default weight is 1 and does not have to be changed for the first real server.
Use the following command to add the virtual server and the three weighted real servers.
config firewall vip
  edit All_Load_Balance
    set type server-load-balance
    set server-type ip
    set extintf port2
    set extip 192.168.20.20
    set ldb-method weighted
    config realservers
      edit 1
        set ip 10.10.10.1
      next
      edit 2
        set ip 10.10.10.2
        set weight 2
      next
      edit 3
        set ip 10.10.10.3
        set weight 3
    end
  end
HTTP and HTTPS persistence configuration
This example shows how to add a virtual server named Http_Load_Balance that load balances HTTP traffic using port 80 and a second virtual server named Https_Load_Balance that load balances HTTPS traffic using port 443. The Internet is connected to port2 and the virtual IP address of the virtual server is 192.168.20.20. Both server load balancing virtual IPs load balance sessions to the same three real servers with IP addresses 10.10.10.1, 10.10.10.2, and 10.10.10.3. The real servers provide HTTP and HTTPS services.
For both virtual servers, persistence is set to HTTP Cookie to enable HTTP cookie persistence.
To add the HTTP and HTTPS virtual servers
1 Go to Firewall > Load Balance > Virtual Server.
2 Add the HTTP virtual server that includes HTTP Cookie persistence.
Name HTTP_Load_Balance
Type HTTP
Interface port2
Virtual Server IP 192.168.20.20
Virtual Server Port 80
In this example the virtual server uses port 8080 for HTTP sessions instead of port 80.
Load Balance Method Static
Persistence HTTP cookie
3 Select OK.
4 Select Create New.
5 Add the HTTPS virtual server that also includes HTTP Cookie persistence.
Name HTTPS_Load_Balance
Type HTTPS
Interface port2
Virtual Server IP 192.168.20.20
Virtual Server Port 443
Load Balance Method Static
Persistence HTTP cookie
6 Select OK.
To add the real servers and associate them with the virtual servers
1 Go to Firewall > Load Balance > Real Server.
2 Select Create New.
3 Configure three real servers for HTTP that include the virtual server HTTP_Load_Balance.
Configuration for the first HTTP real server.
Virtual Server HTTP_Load_Balance
IP 10.10.10.1
Port 80
Weight Cannot be configured because the virtual server does not include weighted load balancing.
Maximum Connections 0
Configuration for the second HTTP real server.
Virtual Server HTTP_Load_Balance
IP 10.10.10.2
Port 80
Weight Cannot be configured because the virtual server does not include weighted load balancing.
Maximum Connections 0
Configuration for the third HTTP real server.
Virtual Server HTTP_Load_Balance
IP 10.10.10.3
Port 80
Weight Cannot be configured because the virtual server does not include weighted load balancing.
Maximum Connections 0
4 Configure three real servers for HTTPS that include the virtual server HTTPS_Load_Balance.
Configuration for the first HTTPS real server.
Virtual Server HTTPS_Load_Balance
IP 10.10.10.1
Port 443
Weight Cannot be configured because the virtual server does not include weighted load balancing.
Maximum Connections 0
Configuration for the second HTTPS real server.
Virtual Server HTTPS_Load_Balance
IP 10.10.10.2
Port 443
Weight Cannot be configured because the virtual server does not include weighted load balancing.
Maximum Connections 0
Configuration for the third HTTPS real server.
Virtual Server HTTPS_Load_Balance
IP 10.10.10.3
Port 443
Weight Cannot be configured because the virtual server does not include weighted load balancing.
Maximum Connections 0
To add the virtual servers to firewall policies
Add a port2 to port1 firewall policy for each virtual server so that when users on the Internet attempt to connect to the web server's IP address, packets pass through the FortiGate unit from the port2 interface to the port1 interface. The virtual IP translates the destination address of these packets from the virtual server IP address to the real server IP addresses.
1 Go to Firewall > Policy.
2 Select Create New.
3 Configure the HTTP firewall policy:
Source Interface/Zone port2
Source Address all
Destination Interface/Zone port1
Destination Address HTTP_Load_Balance
Schedule always
Service HTTP
Action ACCEPT
NAT Select
4 Select other firewall options as required.
5 Select OK.
6 Select Create New.
7 Configure the HTTPS firewall policy:
Source Interface/Zone port2
Source Address all
Destination Interface/Zone port1
Destination Address HTTPS_Load_Balance
Schedule always
Service HTTPS
Action ACCEPT
NAT Select
8 Select other firewall options as required.
9 Select OK.
CLI configuration: adding persistence for a specific domain
Load balancing is configured from the CLI using the config firewall vip command and by setting type to server-load-balance.
For the CLI configuration, both virtual servers include setting http-cookie-domain to .example.org because HTTP cookie persistence is only required for the example.org domain.
First, the configuration for the HTTP virtual IP:
config firewall vip
  edit HTTP_Load_Balance
    set type server-load-balance
    set server-type http
    set extport 8080
    set extintf port2
    set extip 192.168.20.20
    set persistence http-cookie
    set http-cookie-domain .example.org
    config realservers
      edit 1
        set ip 10.10.10.1
      next
      edit 2
        set ip 10.10.10.2
      next
      edit 3
        set ip 10.10.10.3
    end
  end
Second, the configuration for the HTTPS virtual IP. In this configuration you don't have to set extport to 443 because extport is automatically set to 443 when server-type is set to https.
config firewall vip
  edit HTTPS_Load_Balance
    set type server-load-balance
    set server-type https
    set extport 443
    set extintf port2
    set extip 192.168.20.20
    set persistence http-cookie
    set http-cookie-domain .example.org
    config realservers
      edit 1
        set ip 10.10.10.1
      next
      edit 2
        set ip 10.10.10.2
      next
      edit 3
        set ip 10.10.10.3
    end
  end
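The load balance methods and persistence settings used across these examples (First Alive with a Maximum Connections limit, Weighted with weights 1, 2 and 3, and HTTP cookie persistence limited to .example.org) can be watched working on constructed traffic. The following Python simulation is an added example, not FortiGate code or output: its RealServer and VirtualServer classes, the choice of weighted round robin for the weighted method and the RFC 6265 cookie domain matching are assumptions made to illustrate the behaviour the tables above describe.

```python
"""Model of the FortiGate server load balance settings used in this chapter.

Added example, not FortiGate code or output: it simulates the static, first alive
and weighted methods, the Maximum Connections limit (0 = no limit) and HTTP cookie
persistence restricted by http-cookie-domain. Weighted is modelled as weighted
round robin; cookie handling follows RFC 6265 domain matching.
"""
import itertools
from collections import Counter


class RealServer:
    def __init__(self, ip, weight=1, max_connections=0):
        self.ip = ip
        self.weight = weight                    # default 1, as in the CLI example
        self.max_connections = max_connections  # 0 means the unit sets no limit
        self.sessions = 0                       # sessions currently assigned

    def has_capacity(self):
        return self.max_connections == 0 or self.sessions < self.max_connections


def domain_match(host, cookie_domain):
    """True if a cookie with Domain=cookie_domain is stored and returned for host."""
    d = cookie_domain.lstrip(".").lower()
    return host.lower() == d or host.lower().endswith("." + d)


class VirtualServer:
    def __init__(self, method, real_servers, persistence=None, cookie_domain=None):
        self.method = method            # "static", "first-alive" or "weighted"
        self.real = list(real_servers)
        self.persistence = persistence  # None or "http-cookie"
        self.cookie_domain = cookie_domain
        # round-robin order; a server appears weight times for the weighted method
        order = [i for i, s in enumerate(self.real)
                 for _ in range(s.weight if method == "weighted" else 1)]
        self._cycle = itertools.cycle(order)
        self._order_len = len(order)
        self.cookies = {}  # persistence cookie held by each client (client -> server)

    def _select(self):
        if self.method == "first-alive":
            # every session goes to the first server with capacity, which is why the
            # tables suggest setting Maximum Connections for this method
            return next((s for s in self.real if s.has_capacity()), None)
        for _ in range(self._order_len):
            s = self.real[next(self._cycle)]
            if s.has_capacity():
                return s
        return None

    def connect(self, client, host):
        """Assign one new session; returns the RealServer, or None if none can accept."""
        use_cookie = (self.persistence == "http-cookie" and
                      (self.cookie_domain is None or domain_match(host, self.cookie_domain)))
        s = self.cookies.get(client) if use_cookie else None
        if s is None or not s.has_capacity():
            s = self._select()
            if s is None:
                return None
            if use_cookie:
                self.cookies[client] = s  # the inserted cookie pins this client
        s.sessions += 1
        return s


def weighted_example(n=600):
    """All_Load_Balance with weights 1, 2, 3: connections split 1:2:3."""
    servers = [RealServer("10.10.10.%d" % i, weight=i) for i in (1, 2, 3)]
    vs = VirtualServer("weighted", servers)
    return dict(Counter(vs.connect("c%d" % i, "192.168.20.20").ip for i in range(n)))


def first_alive_example():
    """Load_Bal_VS1 with First Alive: no limit sends everything to 10.10.10.42;
    Maximum Connections 2 moves the overflow to the next real server."""
    unlimited = VirtualServer("first-alive",
                              [RealServer("10.10.10.42"), RealServer("10.10.10.43")])
    limited = VirtualServer("first-alive",
                            [RealServer("10.10.10.42", max_connections=2),
                             RealServer("10.10.10.43")])
    return ([unlimited.connect("c%d" % i, "192.168.37.4").ip for i in range(4)],
            [limited.connect("c%d" % i, "192.168.37.4").ip for i in range(4)])


def cookie_persistence_example():
    """HTTP_Load_Balance with HTTP cookie persistence and http-cookie-domain
    .example.org: a client using an example.org host name stays pinned; one using
    another host name never gets the cookie and is balanced on every session."""
    servers = [RealServer("10.10.10.%d" % i) for i in (1, 2, 3)]
    vs = VirtualServer("static", servers, persistence="http-cookie",
                       cookie_domain=".example.org")
    pinned = [vs.connect("alice", "www.example.org").ip for _ in range(3)]
    unpinned = [vs.connect("bob", "www.example.com").ip for _ in range(3)]
    return pinned, unpinned
```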
Firewall Protection Profile
Protection profiles contain settings for many application layer and other types of
protection, such as antivirus, web filtering, and logging, that you can apply to a firewall
policy. For information on applying a protection profile to a firewall policy, see Configuring
firewall policies on page 367.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall protection profiles
are configured separately for each virtual domain. For more information, see Using virtual
domains on page 125.
This section contains the following topics:
What is a protection profile?
Adding a protection profile to a firewall policy
Default protection profiles
Viewing the protection profile list
SSL content scanning and inspection
Configuring a protection profile
What is a protection profile?
A protection profile is a group of settings that you can apply to one or more firewall
policies.
Because protection profiles can be used by more than one firewall policy, you can
configure one protection profile for the traffic types handled by a set of firewall policies
requiring identical protection levels and types, rather than repeatedly configuring those
same protection profile settings for each individual firewall policy.
For example, while traffic between trusted and untrusted networks might need strict
protection, traffic between trusted internal addresses might need moderate protection. To
provide the different levels of protection, you might configure two separate protection
profiles: one for traffic between trusted networks, and one for traffic between trusted and
untrusted networks.
You can use protection profiles to configure:
antivirus protection
web filtering
FortiGuard Web Filtering
email filtering
IPS
data leak prevention sensor
dashboard statistics
application control
logging for traffic which violates the protection profile.
Note: If the firewall policy requires authentication, do not select the protection profile in the firewall policy. The protection profile is specific to the authenticating user group. For details on configuring the protection profile associated with the user group, see Configuring a user group on page 661.
Adding a protection profile to a firewall policy
Protection profiles are used when specified in one or more firewall policies whose Action
is set to ACCEPT, IPSEC, or SSL VPN.
For example, if you create a protection profile containing SMTP antivirus settings that you want to apply to all incoming SMTP connections, you might select that protection profile in all external-to-internal firewall policies whose service group contains the SMTP service.
Protection profiles can contain settings relevant to many different services. Each firewall
policy uses the subset of the protection profile settings which apply to its specified Service.
In this way, you might define one protection profile that can be used by many firewall
policies, each policy using a different or overlapping subset of the protection profile.
To add a protection profile to a firewall policy
1 Go to Firewall > Policy.
If virtual domains are enabled on the FortiGate unit, protection profiles are applied
separately in firewall policies for each virtual domain (VDOM). To access firewall
policies, first select a virtual domain from the main menu.
2 Select Create New to add a policy, or select Edit for the policy to which you want to
apply the protection profile.
3 Enable Protection Profile in the firewall policy.
4 Select the protection profile that you want to apply to the firewall policy.
The firewall policy will use settings from the protection profile that apply to its Services.
5 If you are creating a new firewall policy, configure other required policy options. For
more information, see Configuring firewall policies on page 367.
6 Select OK.
Default protection profiles
FortiGate units have four default protection profiles. You can use these default protection
profiles as bases for creating your own.
Strict Apply maximum protection to HTTP, FTP, IMAP, POP3, and SMTP traffic. The
strict protection profile may not be useful under normal circumstances, but it is
available when maximum protection is required.
Scan Apply virus scanning to HTTP, FTP, IMAP, POP3, and SMTP traffic. Quarantine is
also selected for all content services. On FortiGate models with a hard drive, if
antivirus scanning finds a virus in a file, the file is quarantined on the FortiGate
hard disk. If a FortiAnalyzer unit is configured, files are quarantined remotely.
Quarantine permits system administrators to inspect, recover, or submit
quarantined files to Fortinet for analysis.
Web Apply virus scanning and web content filtering to HTTP traffic. Add this protection
profile to firewall policies that control HTTP traffic.
Unfiltered Apply no scanning, blocking or IPS. Use the unfiltered content profile if no content
protection for content traffic is required. Add this protection profile to firewall
policies for connections between highly trusted or highly secure networks where
content does not need to be protected.
Viewing the protection profile list
Both default and customized protection profiles appear in the protection profile list.
To view the protection profile list, go to Firewall > Protection Profile.
Figure 270: Default protection profiles
Create New Add a protection profile.
Name The name of the protection profile.
Delete icon Delete a protection profile from the list. The Delete icon appears only if the protection profile is not currently selected in a firewall policy or user group.
Edit icon Modify a protection profile.
SSL content scanning and inspection
Using SSL content scanning and inspection you can apply antivirus scanning, web filtering, FortiGuard web filtering, email filtering, DLP, and DLP archiving to HTTPS, IMAPS, POP3S, and SMTPS traffic. To perform SSL content scanning and inspection, the FortiGate unit does the following:
intercepts and decrypts HTTPS, IMAPS, POP3S, and SMTPS sessions between clients and servers (FortiGate SSL acceleration speeds up decryption)
applies content inspection to decrypted content, including:
HTTPS, IMAPS, POP3S, and SMTPS Antivirus, DLP, and DLP archiving
HTTPS web filtering and FortiGuard web filtering
IMAPS, POP3S, and SMTPS email filtering
re-encrypts the sessions and forwards them to their destinations.
Figure 271: FortiGate SSL content scanning and inspection packet flow
[Figure 271 shows the flow through the firewall, the SSL decrypt/encrypt process and content scanning and inspection: the client starts an HTTPS, IMAPS, POP3S or SMTPS session; the encrypted packets are accepted by a firewall policy whose protection profile includes SSL content scanning and inspection; the SSL decrypt/encrypt process decrypts the session using the session certificate and key; protection profile content scanning and inspection is applied to the decrypted packets (antivirus, web filtering, spam filtering, DLP, content archiving); the session is encrypted again using the SSL session certificate and key; the encrypted packets are forwarded to the destination HTTPS, IMAPS, POP3S, or SMTPS server.]
Supported FortiGate models
FortiGate models that support SSL acceleration also support SSL content scanning and inspection. The following FortiGate models support SSL content scanning and inspection:
110C
111C
310B
620B
3016B
3600A
3810A
5005FA2
5001A
Setting up certificates to avoid client warnings
FortiGate SSL content scanning and inspection intercepts the SSL keys that are passed between clients and servers during SSL session handshakes and substitutes spoofed keys. Two encrypted SSL sessions are set up, one between the client and the FortiGate unit, and a second one between the FortiGate unit and the server. Inside the FortiGate unit the packets are decrypted.
While the SSL sessions are being set up, the client and server communicate in clear text
to exchange SSL session keys. The session keys are based on the client and server
certificates. The FortiGate SSL decrypt/encrypt process intercepts these keys and uses a
built-in signing CA certificate named Fortinet_CA_SSLProxy to create keys to send to the
client and the server. This signing CA certificate is used only by the SSL decrypt/encrypt
process. The SSL decrypt/encrypt process then sets up encrypted SSL sessions with the
client and server and uses these keys to decrypt the SSL traffic to apply content scanning
and inspection.
Some client programs (for example, web browsers) can detect this key replacement and
will display a security warning message. The traffic is still encrypted and secure, but the
security warning indicates that a key substitution has occurred.
You can stop these security warnings by importing the signing CA certificate used by the
server into the FortiGate unit SSL content scanning and inspection configuration. Then the
FortiGate unit creates keys that appear to come from the server and not the FortiGate unit.
You can replace the default signing CA certificate, Fortinet_CA_SSLProxy, with another
signing CA certificate. To do this you need the signing CA certificate file, the CA certificate
key file, and the CA certificate password.
All SSL content scanning and inspection uses the same signing CA certificate. If your
FortiGate unit is operating with virtual domains enabled, the same signing CA certificate is
used by all virtual domains.
To add a signing CA certificate for SSL content scanning and inspection
1 Obtain a copy of the signing CA certificate file, the CA certificate key file, and the
password for the CA certificate.
2 Go to System > Certificates > Local Certificates and select Import.
3 Set Type to Certificate.
4 For Certificate file use the Browse button to select the signing CA certificate file.
5 For Key file use the Browse button to select the CA certificate key file.
6 Enter the CA certificate Password.
Figure 272: Importing a signing CA certificate for SSL content scanning and inspection
7 Select OK.
The CA certificate is added to the Local Certificates list. In this example the signing CA
certificate name is Example_CA. This name comes from the certificate file and key file
name. If you want the certificate to have a different name, change these file names.
8 Add the imported signing CA certificate to the SSL content scanning and inspection configuration. Use the following CLI command if the certificate name is Example_CA.
config firewall ssl setting
  set caname Example_CA
end
Note: You can add one signing CA certificate for SSL content scanning and inspection. The CA certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported for SSL content scanning and encryption.
The Example_CA signing CA certificate will now be used by SSL content scanning and
inspection for establishing encrypted SSL sessions.
Configuring SSL content scanning and inspection
If SSL content scanning and inspection is available on your FortiGate unit, you can
configure the following SSL content scanning and inspection settings:
Predefined firewall services The IMAPS, POP3S and SMTPS predefined services. You can select these services in a firewall policy and a DoS policy. For more information, see Table 50, Predefined services, on page 402.
Protocol Recognition The TCP port numbers that the FortiGate unit inspects for HTTPS, IMAPS,
POP3S, and SMTPS. Go to Firewall > Protection Profile. Add or edit a
protection profile and configure Protocol Recognition for HTTPS, IMAPS,
POP3S, and SMTPS.
Using protocol recognition you can also configure the FortiGate unit to just
perform URL filtering of HTTPS or to use SSL content scanning and
inspection to decrypt HTTPS so that the FortiGate unit can also apply
Antivirus and DLP content inspection and DLP archiving to HTTPS. Using
SSL content scanning and inspection to decrypt HTTPS also allows you to
apply more web filtering and FortiGuard Web Filtering options to HTTPS.
For more information, see Protocol recognition options on page 475.
Antivirus Antivirus options including virus scanning, file filtering, and client
comforting for HTTPS, IMAPS, POP3S, and SMTPS.
Go to Firewall > Protection Profile. Add or edit a protection profile and
configure Anti-Virus for HTTPS, IMAPS, POP3S, and SMTPS. For more
information, see Anti-Virus options on page 477.
Antivirus quarantine Antivirus quarantine options to quarantine files in HTTPS, IMAPS, POP3S,
and SMTPS sessions.
Go to UTM > AntiVirus > Config. You can quarantine infected files,
suspicious files, and blocked files found in IMAPS, POP3S, and SMTPS
sessions. You can also quarantine infected files and suspicious files found
in HTTPS sessions. For more information, see Configuring quarantine
options on page 518.
Web Filtering Web filtering options for HTTPS:
Web Content Filter
Web Content Exempt
Web URL Filter
ActiveX Filter
Cookie Filter
Java Applet Filter
Web Resume Download Block
Block invalid URLs
HTTP POST Action
Go to Firewall > Protection Profile. Add or edit a protection profile and
configure Web Filtering for HTTPS. For more information, see Web
Filtering options on page 480.
FortiGuard Web Filtering FortiGuard Web Filtering options for HTTPS:
Enable FortiGuard Web Filtering
Enable FortiGuard Web Filtering Overrides
Provide details for blocked HTTP 4xx and 5xx errors
Rate images by URL (blocked images will be replaced with blanks)
Allow websites when a rating error occurs
Strict Blocking
Rate URLs by domain and IP address
Go to Firewall > Profile. Add or edit a protection profile and configure Web
Filtering > FortiGuard Web Filtering for HTTPS. For more information, see
FortiGuard Web Filtering options on page 483.
Email Filtering Email filtering options for IMAPS, POP3S, and SMTPS:
FortiGuard Email Filtering (or Antispam) IP address check, URL check,
E-mail checksum check, and Spam submission
IP address BWL check
HELO DNS lookup
E-mail address BWL check
Return e-mail DNS check
Banned word check
Spam Action
Tag Location
Tag Format
Go to Firewall > Protection Profile. Add or edit a protection profile and
configure Email Filtering for IMAPS, POP3S, and SMTPS. For more
information, see Email Filtering options on page 485.
Data Leak Prevention DLP for HTTPS, IMAPS, POP3S, and SMTPS. To apply DLP, follow the
steps below:
Go to UTM > Data Leak Prevention > Rule to add DLP rules. For
HTTPS, add an HTTP rule and select HTTPS POST and HTTPS GET.
For IMAPS, POP3S, and SMTPS, add an Email rule and select
IMAPS, POP3S, and SMTPS. See Adding or configuring DLP rules
on page 588.
Go to UTM > Data Leak Prevention > Sensor and add the DLP rules to
a DLP sensor. See Adding or editing a rule or compound rule in a DLP
sensor on page 577.
Go to Firewall > Protection Profile. Add or edit a protection profile and
use Data Leak Prevention Sensor to add the DLP sensor to a
protection profile. Note: In a protection profile, if you set Protocol
Recognition > HTTPS Content Filtering Mode to URL Filtering, DLP
rules cannot inspect HTTPS. Set this option to Deep Scan.
Go to Firewall > Policy and add the protection profile to a firewall
policy. See Data Leak Prevention Sensor options on page 488.
DLP archiving DLP archiving for HTTPS, IMAPS, POP3S, and SMTPS. Add DLP Rules for the protocol to be archived. See DLP archiving on page 580.
Displaying DLP meta-information on the system dashboard DLP archive information on the Log and Archive Statistics widget on the system dashboard for HTTPS, IMAPS, POP3S, and SMTPS.
Go to Firewall > Protection Profile. Add or edit a protection profile and open Data Leak Prevention Sensor. For Displaying content meta-information on the system dashboard select HTTPS, IMAPS, POP3S, and SMTPS as required.
These options display meta-information on the Statistics dashboard widget. For more information, see Viewing DLP Archive information on the Statistics widget on page 91.
Archive SPAM email DLP archiving of email tagged as spam by FortiGate Email Filtering in IMAPS, POP3S, and SMTPS sessions. Archive SPAMed emails to FortiAnalyzer/FortiGuard is available only if you have configured logging to a FortiAnalyzer unit or to the FortiGuard Analysis and Management Service.
Go to Firewall > Protection Profile. Add or edit a protection profile and select the Expand Arrow to view Data Leak Prevention Sensor. For Archive SPAMed emails to FortiAnalyzer/FortiGuard, select IMAPS, POP3S, and SMTPS as required. For more information, see Data Leak Prevention Sensor options on page 488 and DLP archiving on page 580.
Configuring a protection profile
If the default protection profiles do not provide the settings required, you can create custom protection profiles.
To add a protection profile, go to Firewall > Protection Profile and select Create New.
Figure 273: New Protection Profile
Profile Name Enter a name for the protection profile.
Comments Enter a description of the profile. The maximum length is 63 characters.
Protocol Recognition See Protocol recognition options on page 475.
Anti-Virus See Anti-Virus options on page 477.
IPS See IPS options on page 480.
Web Filtering See Web Filtering options on page 480.
FortiGuard Web Filtering See FortiGuard Web Filtering options on page 483.
Email Filtering See Email Filtering options on page 485.
Data Leak Prevention Sensor See Data Leak Prevention Sensor options on page 488.
Application Control See Application Control options on page 489.
Logging See Logging options on page 489.
Protocol recognition options
You configure protocol recognition options to set the HTTPS content filtering mode and to select the TCP port numbers that the protection profile monitors for the HTTP, HTTPS, SMTP, POP3, IMAP, NNTP, and FTP content protocols.
If your FortiGate unit supports SSL content scanning and inspection you can also select the TCP port numbers for SMTPS, POP3S, and IMAPS. You can also configure the HTTPS content filtering mode. For more information, see SSL content scanning and inspection on page 469.
By default the protection profile monitors the default content protocol port numbers (for example, port 80 for HTTP). You can edit the settings for each content protocol and select inspection for all port numbers for that protocol, or select one or more port numbers to monitor for that protocol.
To configure protocol recognition options, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Protocol Recognition, enter the information as described below, and select OK.
Figure 274: Protection profile Protocol Recognition options (SSL content scanning and inspection)
Figure 275: Protection profile Protocol Recognition options
HTTPS Content Filtering Mode  If your FortiGate unit supports SSL content scanning and inspection, you can select the content filtering mode used for HTTPS traffic. The mode can be:
URL Filtering  This option limits HTTPS content filtering to URL filtering only. If you select this option the FortiGate unit does not perform SSL content scanning and inspection of HTTPS traffic. Instead the FortiGate unit just applies web filtering to HTTPS URLs. Also, if you select URL Filtering, you cannot select any Anti-Virus options for HTTPS. Under Web Filtering you can select only Web URL Filter and Block invalid URLs for HTTPS. Selecting URL Filtering also limits the FortiGuard Web Filtering options that you can select for HTTPS.
Deep Scan (Decryption on SSL Traffic)  Select this option to apply full SSL content scanning and inspection of HTTPS traffic.
Protocol  The names of the content protocols that you can configure recognition for: HTTP, HTTPS, SMTP, POP3, IMAP, NNTP, and FTP. If your FortiGate unit supports SSL content scanning and inspection the content protocols also include SMTPS, POP3S, and IMAPS.
Monitored Ports  The port numbers that the protection profile monitors for each content protocol. You can select multiple port numbers to monitor for each content protocol. For HTTP, SMTP, POP3, IMAP, NNTP, and FTP you can also select Inspect All Ports to monitor all ports for these content protocols. Monitoring all ports means the protection profile uses protocol recognition techniques to determine the protocol of a communication session independent of the port number that the session uses. Monitoring only the listed ports leaves a session that uses the same protocol on a non-standard port uninspected; Inspect All Ports closes that gap.
Edit icon  Select Edit for a content protocol to configure how the protection profile monitors traffic for that content protocol. Select one of the following options:
Inspect All Ports  Select to monitor all ports for the content protocol. This option is available for HTTP, SMTP, POP3, IMAP, NNTP, and FTP.
Specify Ports  Select this option and then enter the port numbers to monitor for the content protocol. You can specify up to 20 ports for each content protocol.
Note: If your FortiGate unit supports SSL content scanning and inspection, you must set HTTPS Content Filtering Mode to Deep Scan before you can configure additional HTTPS content scanning protection profile options.

Anti-Virus options
You can apply antivirus options through a protection profile for the HTTP, SMTP, POP3, IMAP, NNTP, and FTP content protocols.
If your FortiGate unit includes SSL content inspection and filtering, you can also apply antivirus scanning options through a protection profile for the HTTPS, IMAPS, POP3S, and SMTPS content protocols. For more information, see SSL content scanning and inspection on page 469.
To configure antivirus options, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Anti-Virus, enter the information as described below, and select OK. For more antivirus configuration options, see AntiVirus on page 509.
Note: You cannot select Anti-Virus options for HTTPS if under protocol recognition HTTPS Content Filtering Mode is set to URL Filtering. For more information, see Protocol recognition options on page 475.
Figure 276: Protection Profile Anti-Virus options (including SSL content scanning and inspection)
Virus Scan  Select virus scanning for each protocol. Virus Scan includes grayware, as well as heuristic scanning. However, by default neither is enabled. To enable specific grayware, go to UTM > AntiVirus > Grayware. To enable heuristic scanning, see the config antivirus heuristic command in the FortiGate CLI Reference.
Note: When you enable virus scanning, scanning by splice, also called streaming mode, is enabled automatically. When scanning by splice, the FortiGate unit simultaneously scans and streams traffic to the destination, terminating the stream to the destination if a virus is detected. Because data is streamed before the scan completes, part of an infected file can reach the destination before the stream is terminated. For details on configuring splicing, see the splice option for each protocol in the config firewall profile command in the FortiGate CLI Reference. For details on splicing behavior for each protocol, see the Knowledge Center article FortiGate Proxy Splice and Client Comforting Technical Note.
File Filter  Select to filter files, then under Option, specify a file filter, which can consist of file name patterns and file types. For more information, see File Filter on page 513.
Quarantine  Select for each protocol to quarantine suspect files for later inspection or submission to Fortinet for analysis. This option appears only if the FortiGate unit has a hard drive or a configured FortiAnalyzer unit, and will take effect only if you have first enabled and configured the quarantine. For more information, see File Quarantine on page 516.
Pass Fragmented Emails  Select to allow fragmented email for mail protocols (IMAP, POP3, and SMTP, as well as IMAPS, POP3S, and SMTPS if SSL content scanning and inspection is supported). Fragmented email messages cannot be scanned for viruses, so allowing them passes unscanned content.
Comfort Clients  Select client comforting for the HTTP, FTP, and HTTPS protocols. See HTTP and FTP client comforting on page 479.
Interval  The time in seconds before client comforting starts sending data after the download has begun, and also the time interval between sending subsequent data.
Amount  The number of bytes sent at each interval.
Oversized File/Email  Select Block or Pass for files and email messages exceeding configured thresholds for each protocol.
For email scanning, the oversize threshold refers to the final size of the email, including attachments, after encoding by the email client. Email clients can use a variety of encoding types; some result in larger file sizes than the original attachment. The most common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. As a result, a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the configured oversize threshold.
Threshold  If the file is larger than the threshold value in megabytes, the file is passed or blocked. The maximum threshold for scanning in memory is 10% of the FortiGate unit's RAM.
Allow Invalid Server Certificate  If your FortiGate unit supports SSL content scanning and inspection, you can allow HTTPS, IMAPS, POP3S, and SMTPS sessions that include an invalid server certificate. If these options are not selected, HTTPS, IMAPS, POP3S, and SMTPS sessions with invalid server certificates are blocked. Leave these options unselected to enforce server certificate validation; allowing invalid certificates lets clients reach servers whose identity the FortiGate unit could not verify.
Quarantine Virus Sender (to Banned Users List)  Select Enabled to quarantine or ban either the IP address of the sender of the virus or the FortiGate interface that received the virus. The sender's IP address or the interface that received the virus is added to the banned users list. For more information about the banned user list, including how to manage the duration of items and how to remove them manually, see NAC quarantine and the Banned User list on page 670.
Method  If a virus is found, select the method used to quarantine the virus sender. You can select Source IP Address to add the sender's source IP address to the banned users list, or you can select Virus's Incoming Interface to add the interface that received the virus to the banned user list.
Expires  Select Indefinite to permanently quarantine virus senders. Only a FortiGate administrator can remove them from the banned users list. Or, configure how long the virus sender remains on the banned user list in minutes, hours, or days. A FortiGate administrator can manually remove a virus sender from the banned user list before the expiry time.
Add signature to outgoing emails  Create and enable a signature to append to outgoing SMTP email messages. The signature will also be appended to outgoing SMTPS email messages if your FortiGate unit supports SSL content scanning and inspection.

HTTP and FTP client comforting
In general, client comforting provides a visual display of progress for web page loading or HTTP or FTP file downloads. Client comforting does this by sending the first few packets of the file or web page being downloaded to the client at configured time intervals so that the client is not aware that the download has been delayed. The client is the web browser or FTP client. Without client comforting, clients and their users have no indication that the download has started until the FortiGate unit has completely buffered and scanned the download. During this delay users may cancel or repeatedly retry the transfer, thinking it has failed.
The appearance of a client comforting message (for example, a progress bar) is client-dependent. In some instances, there will be no visual client comforting cue.
During client comforting, if the file being downloaded is found to be infected, then the FortiGate unit caches the URL and drops the connection. The client does not receive any notification of what happened because the download to the client had already started. Instead the download stops, and the user is left with a partially downloaded file.
If the user tries to download the same file again within a short period of time, then the cached URL is matched and the download is blocked. The client receives the Infection cache message replacement message as a notification that the download has been blocked. The number of URLs in the cache is limited by the size of the cache.
Caution: Client comforting can send unscanned and therefore potentially infected content to the client. You should only enable client comforting if you are prepared to accept this risk. Keeping the client comforting interval high and the amount low will reduce the amount of potentially infected data that is downloaded.
FTP and HTTP client comforting steps
The following steps show how client comforting works for an FTP or HTTP download of a
10 Mbyte file with the client comforting interval set to 20 seconds and the client comforting
amount set to 512 bytes.
1 The FTP or HTTP client requests the file.
2 The FortiGate unit buffers the file from the server. The connection is slow, so after 20
seconds about one half of the file has been buffered.
3 The FortiGate unit continues buffering the file from the server, and also sends 512
bytes to the client.
4 After 20 more seconds, the FortiGate unit sends the next 512 bytes of the buffered file
to the client.
5 When the file has been completely buffered, the client has received the following
amount of data:
ca * (T / ci) bytes == 512 * (40 / 20) == 512 * 2 == 1024 bytes,
where ca is the client comforting amount, T is the buffering time and ci is the client
comforting interval.
6 FTP client: If the file does not contain a virus, the FortiGate unit sends the rest of the
file to the client. If the file is infected, the FortiGate unit closes the data connection and
sends the FTP Virus replacement message to the client.
HTTP client: If the file does not contain a virus, the FortiGate unit sends the rest of the
file to the client. If the file is infected, the FortiGate unit closes the data connection but
cannot send a message to the client.
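The timeline above, and the infection cache described under HTTP and FTP client comforting, as an added example (not Fortinet code, and not the FortiGate's implementation). It assumes a constant server link rate so that buffering time is file_size / link_rate, that comfort bytes are taken from the already-buffered head of the file and sent at t = ci, 2ci, ... while buffering continues, that an infected file is recognised only once fully buffered, and a fixed-capacity, fixed-lifetime URL cache (the real cache size and entry lifetime are not given on this page).

```python
"""Client comforting timeline during antivirus buffering (added example)."""
import math


def comfort_bytes(buffer_time_s, interval_s, amount_bytes):
    """Unscanned bytes the client holds when buffering ends: ca * floor(T / ci)."""
    if interval_s <= 0 or amount_bytes <= 0:
        raise ValueError("interval and amount must be positive")
    return amount_bytes * math.floor(buffer_time_s / interval_s)


def simulate_download(file_size, link_rate_bps, interval_s, amount_bytes, infected):
    """Return the comfort events and what the client ends up with.

    Assumption: bytes arrive from the server at link_rate_bps, so the whole
    file is buffered after file_size / link_rate_bps seconds.
    """
    buffer_time = file_size / link_rate_bps
    events = []                      # (time_s, action, bytes)
    sent = 0
    t = interval_s
    while t <= buffer_time:
        buffered = min(file_size, int(link_rate_bps * t))
        chunk = min(amount_bytes, buffered - sent)
        if chunk <= 0:
            break
        events.append((t, "comfort", chunk))
        sent += chunk
        t += interval_s
    if infected:
        # Connection dropped; the client keeps the comfort bytes it already
        # received and (for HTTP) gets no replacement message.
        events.append((buffer_time, "drop", 0))
        return {"client_bytes": sent, "complete": False, "events": events}
    events.append((buffer_time, "remainder", file_size - sent))
    return {"client_bytes": file_size, "complete": True, "events": events}


class InfectionCache:
    """URL cache consulted on the next request for the same file.

    Assumption: bounded capacity with oldest-entry eviction and a fixed lifetime.
    """

    def __init__(self, capacity=1000, lifetime_s=300):
        self.capacity = capacity
        self.lifetime_s = lifetime_s
        self._expiry = {}

    def record(self, url, now_s):
        if url not in self._expiry and len(self._expiry) >= self.capacity:
            oldest = min(self._expiry, key=self._expiry.get)
            del self._expiry[oldest]
        self._expiry[url] = now_s + self.lifetime_s

    def is_blocked(self, url, now_s):
        exp = self._expiry.get(url)
        if exp is None:
            return False
        if now_s > exp:
            del self._expiry[url]
            return False
        return True


def fetch(url, now_s, cache, **download_kwargs):
    """A URL found infected earlier is blocked outright on the next request."""
    if cache.is_blocked(url, now_s):
        return {"client_bytes": 0, "complete": False, "blocked_by_cache": True}
    result = simulate_download(**download_kwargs)
    if not result["complete"]:
        cache.record(url, now_s)
    result["blocked_by_cache"] = False
    return result
```

Running the guide's numbers (10 Mbyte file buffered in 40 seconds, interval 20, amount 512) gives 1024 unscanned bytes on the client when the scan finishes; the same download with interval 5 and amount 4096 leaves 32768, which is the exposure the Caution above asks you to weigh.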
IPS options
You can use the IPS options in a protection profile to enable IPS for the protection profile and add an IPS sensor. To add an IPS sensor, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside IPS, select the check box to enable IPS, select an IPS Sensor, and select OK.
For more information on IPS, see Intrusion Protection on page 523.
Figure 277: Protection Profile IPS options
IPS  Select to enable and use the specified IPS sensor.
You cannot select denial of service (DoS) sensors through this option. For information on configuring DoS sensors, see DoS sensors on page 537.

Web Filtering options
Web filtering sorts millions of web pages into a wide range of categories that you can allow, block or monitor. Content block uses words and patterns to block web pages containing the words or patterns, URL filtering uses URLs and URL patterns to exempt or block web pages from specific sources, and FortiGuard web filter provides many additional categories by which to filter web traffic. In some instances, users may require access to web sites that are blocked by a policy. An administrator can give the user the ability to override the block for a specified period of time. For more information about overrides, see Web Filter on page 541.
You can configure web filtering for HTTP and HTTPS traffic. If your FortiGate unit supports
SSL content scanning and inspection and if you have set HTTPS Content Filtering Mode
in the Protocol Recognition part of this protection profile to Deep Scan, you can select the
same web filtering options for HTTPS and HTTP. For more information, see SSL content
scanning and inspection on page 469 and Protocol recognition options on page 475.
Filters defined in the web filtering settings are turned on through a protection profile. To
configure web filtering options, go to Firewall > Protection Profile. Select Create New to
add a protection profile, or the Edit icon beside an existing protection profile. Then select
the Expand Arrow beside Web Filtering, enter the information as described below, and
select OK.
Figure 278: Protection Profile Web Filtering options
Note: Protection profile web filtering also includes FortiGuard Web Filtering. For
information about FortiGuard Web Filtering, see FortiGuard Web Filtering options on
page 483.
Note: If your FortiGate unit does not support SSL content scanning and inspection, or if you
have set HTTPS Content Filtering Mode to URL Filtering, you can only select URL filtering
and blocking invalid URLs for HTTPS.
Web Content Filter Select to filter HTTP and HTTPS web pages based on matching the
content of the web page with the words or patterns in the selected web
content filter list. For more information, see Web content filter on
page 544.
Web content filter list Select the web content filter list to add to the protection profile. For
more information, see Creating a new web content filter list on
page 545.
Threshold Enter a web content filter threshold.
Each entry in the web content filter list added to the protection profile
includes a score. When a web page is matched with an entry in the
content block list the score is recorded. If a web page matches more
than one entry the score for the web page increases. When the total
score for a web page equals or exceeds the threshold the page is
blocked.
The default score for content block list entry is 10 and the default
threshold is 10. This means that by default a web page is blocked by a
single match. You can change the scores and threshold so that web
pages can only be blocked if there are multiple matches.
Web URL Filter Select to block HTTP and HTTPS web pages based on matching the
URL of the web page with a URL in the selected URL filter list. For
more information, see URL filter on page 547.
Web URL filter list Select the URL filter list to add to this protection profile. For more
information, see Creating a new URL filter list on page 548.
Web Resume Download Block  Select to block downloading parts of a file that have already been downloaded. Enabling this option will prevent the unintentional download of virus files hidden in fragmented files. Note that some types of files, such as PDFs, are fragmented to increase download speed, and that selecting this option can cause download interruptions with these types.
Block invalid URLs  Select to block web sites whose SSL certificate's CN field does not contain a valid domain name.
FortiGate units always validate the CN field, regardless of whether this option is enabled. However, if this option is not selected, the following behavior occurs:
If the request is made directly to the web server, rather than a web server proxy, the FortiGate unit queries for FortiGuard Web Filtering category or class ratings using the IP address only, not the domain name.
If the request is to a web server proxy, the real IP address of the web server is not known. Therefore, rating queries by either or both the IP address and the domain name are not reliable. In this case, the FortiGate unit does not perform FortiGuard Web Filtering.
HTTP POST Action  Select the action to take with HTTP POST traffic.
Normal  Do not affect HTTP POST traffic.
Block  Block HTTP POST requests. When the post request is blocked the FortiGate unit sends a web page to the user's web browser instead of the requested POST page. You can configure the content of this web page by going to System > Config > Replacement Message and customizing the HTTP > POST message.
Comfort  Use the comfort amount and interval settings to send comfort bytes to the server in case the client connection is too slow. Select this option to prevent a server timeout when scanning or another filtering tool is turned on.
Safe Search  Enforce the strictest level of the safe search feature of the Google, Yahoo!, and Bing search engines. This feature works by manipulating search URL requests to add code used by the safe search features of the search engines. Because it rewrites the request, it can only be applied to HTTPS searches when HTTPS Content Filtering Mode is set to Deep Scan.
Enforcing safe searching provides additional protection in environments such as schools or other environments that use web filtering to block sites with inappropriate content. Web Filtering alone may not block offensive content that appears in search results. This offensive content could include offensive text in search results or offensive images in image search results.
Google  Enforce the strict filtering level of safe search protection for Google searches by adding &safe=on to search URL requests. Strict filtering filters both explicit text and explicit images.
Yahoo!  Enforce filtering out adult web, video, and image search results from Yahoo! searches by adding &vm=r to search URL requests.
Bing  Enforce the strict level of safe search protection for Bing searches by adding adlt=strict to search URL requests.
Blocked pages are replaced with a message indicating that the page is not accessible according to the Internet usage policy. To configure replacement messages, go to System > Config > Replacement Messages.
For more information on web filter configuration options, see Web Filter on page 541.
For details on how web URL filter lists are used with HTTP and HTTPS URLs, see URL formats on page 550.
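The Safe Search rewrite described above, as an added example (not Fortinet code, and not the FortiGate's implementation). It appends the parameters the guide lists (Google safe=on, Yahoo! vm=r, Bing adlt=strict) to search URL requests. Two points are assumptions: the engine is recognised from the DNS labels of the host name, which the guide does not specify, and an existing value of the parameter (for example safe=off chosen by the user) is replaced, since otherwise the user's setting would override the enforced one.

```python
"""Safe Search enforcement by search URL rewriting (added example)."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter each engine's safe search feature reads, per the guide.
SAFE_SEARCH_PARAMS = {
    "google": ("safe", "on"),
    "yahoo": ("vm", "r"),
    "bing": ("adlt", "strict"),
}


def classify_engine(host):
    """Assumption: a host belongs to an engine if one DNS label is its name."""
    labels = host.lower().split(".")
    for engine in SAFE_SEARCH_PARAMS:
        if engine in labels:
            return engine
    return None


def enforce_safe_search(url):
    """Return the URL with the engine's safe search parameter forced on."""
    parts = urlsplit(url)
    engine = classify_engine(parts.hostname or "")
    if engine is None or not parts.query:
        return url          # not a search engine request, or nothing to rewrite
    key, value = SAFE_SEARCH_PARAMS[engine]
    # Drop any client-supplied copy of the parameter so the strict value wins.
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != key]
    params.append((key, value))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(params), parts.fragment))


def rewrite_request_line(request_line):
    """Apply the rewrite to the request line of a proxied HTTP request."""
    method, target, version = request_line.split(" ", 2)
    return " ".join((method, enforce_safe_search(target), version))
```

The rewrite operates on the request the proxy forwards, which is why it reaches HTTPS search traffic only under Deep Scan: in URL Filtering mode the FortiGate sees the destination but cannot modify the encrypted query.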
Character sets and Web content filtering, Email filtering banned word,
and DLP scanning
The FortiGate unit converts HTTP, HTTPS, and email content to the UTF-8 character set
before applying email filtering banned word checking, web filtering and DLP content
scanning as specified in the protection profile.
For email messages, while parsing the MIME content, the FortiGate unit converts the
content to UTF-8 encoding according to the email message charset field before applying
Email filtering banned word checking and DLP scanning.
For HTTP get pages, the FortiGate unit converts the content to UTF-8 encoding according
to the character set specified for the page before applying web content filtering and DLP
scanning.
For HTTP post pages, because character sets are not always accurately indicated in
HTTP posts, you can use the following CLI command to specify up to five character set
encodings.
config firewall profile
    edit <profile_name>
        set http-post-lang <charset1> [<charset2> ... <charset5>]
    end
The FortiGate unit performs a forced conversion of HTTP post pages to UTF-8 for each specified character set. After each conversion the FortiGate unit applies web content filtering and DLP scanning to the content of the converted page.
To view the list of available character sets, enter set http-post-lang ? from within the edit shell for the protection profile. Separate multiple character set names with a space. You can add up to 5 character set names.
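The conversion-then-scan sequence described in this section, together with the Web Content Filter threshold scoring from the Web Filtering options above, as an added example (not Fortinet code, and not the FortiGate's implementation). GET pages are decoded once using the charset the page declares; POST bodies are force-converted under each of up to five configured charsets, standing in for http-post-lang, and every conversion is scored. The scoring rule follows the guide: each matching list entry adds its score, and the page is blocked when the total reaches the threshold; that a repeated match of one entry counts once is an assumption. The filter lists and sample bodies are constructed.

```python
"""Character-set normalisation before banned-word scoring (added example)."""
import re

MAX_POST_CHARSETS = 5           # limit stated for http-post-lang
DEFAULT_THRESHOLD = 10          # default threshold and default entry score


def charset_from_content_type(content_type, default="utf-8"):
    """Charset declared by a GET response, e.g. 'text/html; charset=ISO-8859-1'."""
    m = re.search(r'charset\s*=\s*"?([\w.:-]+)"?', content_type, re.IGNORECASE)
    return m.group(1).lower() if m else default


def content_score(text, entries):
    """Sum the scores of list entries (regex pattern, score) found in the text.

    Assumption: an entry contributes its score once however often it matches.
    """
    return sum(score for pattern, score in entries
               if re.search(pattern, text, re.IGNORECASE))


def filter_get(body, content_type, entries, threshold=DEFAULT_THRESHOLD):
    """GET page: one conversion to UTF-8, using the charset the page declares."""
    charset = charset_from_content_type(content_type)
    text = body.decode(charset, errors="replace")
    score = content_score(text, entries)
    return ("block" if score >= threshold else "allow", charset, score)


def filter_post(body, charsets, entries, threshold=DEFAULT_THRESHOLD):
    """POST body: forced conversion under every configured charset.

    The first conversion whose score reaches the threshold blocks the request;
    otherwise the highest-scoring conversion is reported with 'allow'.
    """
    if len(charsets) > MAX_POST_CHARSETS:
        raise ValueError("http-post-lang accepts at most %d charsets" % MAX_POST_CHARSETS)
    best = ("allow", None, 0)
    for charset in charsets:
        text = body.decode(charset, errors="replace")
        score = content_score(text, entries)
        if score >= threshold:
            return ("block", charset, score)
        if score > best[2]:
            best = ("allow", charset, score)
    return best
```

A Shift_JIS-encoded POST containing a banned Japanese word is missed when only utf-8 is configured (the bytes decode to replacement characters) and caught once shift_jis is added, which is the case the http-post-lang setting exists for; the cost is one extra decode and scan per configured charset, as the Caution below notes.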
Caution: Specifying multiple character sets reduces web filtering and DLP performance.

FortiGuard Web Filtering options
You can enable and apply FortiGuard Web Filtering options using a protection profile.
If you have blocked a pattern using the FortiGuard Web Filtering, but want certain users to have access to URLs within the pattern, you can use the FortiGate web filtering override feature. For more information about FortiGuard web filtering, see FortiGuard Web Filtering on page 552.
You can configure FortiGuard Web Filtering for HTTP and HTTPS traffic. If your FortiGate unit supports SSL content scanning and inspection and if you have set HTTPS Content Filtering Mode in the Protocol Recognition part of this protection profile to Deep Scan, you can select all but one of the same web filtering options for HTTPS and HTTP. If your FortiGate unit does not support SSL content scanning and inspection, or if you have set HTTPS Content Filtering Mode to URL Filtering, you have fewer options for HTTPS. See the field descriptions below for details.
For more information, see SSL content scanning and inspection on page 469 and Protocol recognition options on page 475.
To configure FortiGuard Web Filtering options, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Web Filtering and scroll down to FortiGuard Web Filtering. Enter the information as described below, and select OK.
Figure 279: Protection Profile FortiGuard Web Filtering options
Enable FortiGuard Web
Filtering
Select to enable FortiGuard Web Filtering for this protection profile.
Enable FortiGuard Web
Filtering Overrides
Select to enable category overrides. For more information, see
FortiGuard Web filtering overrides on page 552 and Configuring
administrative override rules on page 553.
Provide details for
blocked HTTP 4xx and
5xx errors
Display a replacement message for 400 and 500-series HTTP errors. If
the error is allowed through, malicious or objectionable sites can use
these common error pages to circumvent web filtering. Only supported
for HTTPS if your FortiGate unit supports SSL content scanning and
inspection.
Rate images by URL
(blocked images will be
replaced with blanks)
Block images that have been rated by FortiGuard. Blocked images are
replaced on the originating web pages with blanks. Rated image file
types include GIF, JPEG, PNG, BMP, and TIFF. Only supported for
HTTPS if your FortiGate unit supports SSL content scanning and
inspection.
Allow websites when a
rating error occurs
Allow web pages that return a rating error from the web filtering service.
Strict Blocking  This option is enabled by default. Strict Blocking only has an effect when either a URL fits into a protection profile category and classification or Rate URLs by domain and IP address is enabled. With Rate URLs by domain and IP address enabled, all URLs have two categories and up to two classifications (one set for the domain and one set for the IP address). All URLs belong to at least one category (including the Unrated category) and may also belong to a classification.
If you enable Strict Blocking, a site is blocked if it is in at least one blocked category or classification and only allowed if all categories or classifications it falls under are allowed.
If you do not enable Strict Blocking, a site is allowed if it belongs to at least one allowed category or classification and only blocked if all categories or classifications it falls under are blocked.
For example, suppose that a protection profile blocks Search Engines but allows Image Search, and that the URL images.example.com falls into the General Interest / Search Engines category and the Image Search classification.
With Strict Blocking enabled, this URL is blocked because it belongs to the Search Engines category, which is blocked.
With Strict Blocking disabled, the URL is allowed because it is classified as Image Search, which the profile allows. It would be blocked only if both the Search Engines category and Image Search classification were blocked.
Rate URLs by domain and IP address  Select to send both the URL and the IP address of the requested site for checking, and thus provide additional security against attempts to bypass the FortiGuard system. However, because IP rating is not updated as quickly as URL rating, some false ratings may occur.
Block HTTP redirects by rating  Enable to block HTTP redirects. Many web sites use HTTP redirects legitimately; however, in some cases, redirects may be designed specifically to circumvent web filtering, as the initial web page could have a different rating than the destination web page of the redirect. Not supported for HTTPS.
Category  FortiGuard Web Filtering provides many content categories for filtering web traffic. Categories reflect the subject matter of the content. For each category, select to Allow or Block and, if the category is blocked, whether or not to Allow Override to permit users to override the filter if they successfully authenticate. You can also select to log each traffic occurrence of the category.
Classification  In addition to content categories, FortiGuard Web Filtering provides functional classifications that block whole classes of web sites based upon their functionality, media type, or source, rather than the web site's subject matter. Using classifications, you can block web sites that host cached content or that facilitate image, audio, or video searches, or web sites from spam URLs. Classification is in addition to, and can be configured separately from, the category. For each class, select to Allow or Block and, if the class is blocked, whether or not to Allow Override to permit users to override the filter if they successfully authenticate. You can also select to log each traffic occurrence of the class.

Email Filtering options
Several email filters can be configured in the protection profile. With the IP address filter, FortiGuard AntiSpam extracts the email server source address and sends the IP address to a FortiGuard Antispam server to check if this IP address matches the list of known spammers. If the IP address is found, FortiGuard Antispam terminates the session. If FortiGuard Antispam does not find a match, the email server sends the email to the recipient. With the URL filter, FortiGuard Antispam checks the body of email messages to extract any URL links. These URL links are sent to a FortiGuard Antispam server to determine if any are listed. Spam messages often contain URL links to advertisements (also called spamvertizing). If a URL match is found, FortiGuard Antispam terminates the session. If FortiGuard Antispam does not find a match, the email server sends the email to the recipient. The email checksum filter calculates the checksum of an email message and sends this checksum to the FortiGuard servers to determine if the checksum is in the blacklist. The FortiGate unit then passes or marks/blocks the email message according to the server response.
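The three FortiGuard Antispam checks in the order just described, as an added example (not Fortinet code, and not the FortiGate's implementation). Constructed blacklists stand in for the FortiGuard server lookups; the checksum algorithm FortiGuard uses is not given on this page, so a SHA-256 over the whitespace-normalised message body is assumed in its place. The delivering server's address is passed in as the TCP peer address the gateway saw, and the sample messages use TEST-NET addresses and .example names.

```python
"""FortiGuard Antispam-style check order for one inbound message (added example)."""
import hashlib
import re
from email import message_from_string
from email.policy import default as email_policy

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def body_text(raw_message):
    """Concatenate the decoded text parts of a (possibly MIME) message."""
    msg = message_from_string(raw_message, policy=email_policy)
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            parts.append(part.get_content())
    return "\n".join(parts)


def extract_hosts(text):
    """Host names of the URL links found in the body."""
    return {m.group(1).lower().rstrip(".") for m in URL_HOST_RE.finditer(text)}


def message_checksum(text):
    """Assumed checksum: SHA-256 of the lower-cased, whitespace-normalised body."""
    normalised = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def check_message(peer_ip, raw_message, ip_blacklist, url_blacklist,
                  checksum_blacklist, checksum_action="mark"):
    """Return (action, reason).

    IP and URL hits terminate the session; a checksum hit is passed, marked or
    blocked according to the configured action, mirroring the guide's order.
    """
    if peer_ip in ip_blacklist:
        return ("terminate", "ip")
    text = body_text(raw_message)
    if extract_hosts(text) & url_blacklist:
        return ("terminate", "url")
    if message_checksum(text) in checksum_blacklist:
        return (checksum_action, "checksum")
    return ("pass", None)


# Constructed sample data standing in for the FortiGuard lists.
IP_BLACKLIST = {"203.0.113.45"}
URL_BLACKLIST = {"spamvertised.example"}
SPAM = """From: deals@spamvertised.example
To: user@corp.example
Subject: You have won
Content-Type: text/plain; charset=utf-8

Claim your prize at http://spamvertised.example/win before midnight.
"""
HAM = """From: alice@corp.example
To: bob@corp.example
Subject: Agenda
Content-Type: text/plain; charset=utf-8

Meeting moved to 15:00, agenda at https://intranet.corp.example/agenda
"""
CHECKSUM_BLACKLIST = {message_checksum(body_text(SPAM))}
```

The order matters operationally: the IP check needs nothing but the connection, the URL check needs the body parsed, and the checksum check is only reached for messages the first two let through, which is also why a sender can dodge the checksum list with trivial body changes but not the IP list.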
To configure email filtering options, go to Firewall > Protection Profile. Select Create New
to add a protection profile, or the Edit icon beside an existing protection profile. Then
select the Expand Arrow beside Email Filtering, enter the information as described below,
and select OK.
You can configure email filtering for IMAP, POP3, and SMTP email. If your FortiGate unit
supports SSL content scanning and inspection you can also configure email filtering for
IMAPS, POP3S, and SMTPS email. For information about SSL content scanning and
inspection, see SSL content scanning and inspection on page 469.
For more information about the FortiGuard Antispam service, see FortiGuard Antispam
service on page 301 and Configuring the FortiGate unit for FDN and FortiGuard
subscription services on page 302.
For more email filter configuration options, see Email filtering on page 559.
For information about character sets and email filter banned word, see Character sets
and Web content filtering, Email filtering banned word, and DLP scanning on page 483.
Figure 280: Protection Profile Email Filtering options
Note: Some popular email clients cannot filter messages based on the MIME header. For
these clients, select to tag email message subject lines instead.
FortiGuard Email Filtering Also called FortiGuard Antispam. Select one or more check boxes to
enable protocols (IMAP, POP3, SMTP), then apply the options that
you need. If your FortiGate unit supports SSL content scanning and
inspection you can also enable FortiGuard Antispam for IMAPS,
POP3S, and SMTPS.
IP address check Select to enable the FortiGuard AntiSpam IP address blacklist.
URL check Select to enable the FortiGuard AntiSpam URL blacklist.
E-mail checksum check Select to enable the FortiGuard Antispam email message checksum
blacklist.
Spam submission Select to add a spam submission message and a link to the
message body of all email messages marked as spam by
FortiGuard Antispam. If the receiver considers that the email
message is not spam, he or she can use the link in the message to
inform FortiGuard Antispam. You can change the content of this
message by going to System > Config > Replacement Message and
customizing the Spam > Spam submission message. For more
information, see Spam replacement messages on page 231.
IP address BWL check Select to compare the IP address of email message senders to the
selected IP address black/white list and, if a match is found, to take
the action configured in the list for the IP address. For more
information, see IP address and email address black/white lists on
page 565.
IP address BWL check list
Select the IP address black/white list to add to the protection profile. For more
information, see Creating a new IP address list on page 566.
HELO DNS lookup Select to look up the source domain name (from the SMTP HELO
command) for SMTP email messages.
E-mail address BWL check Select to compare the email address of message senders to the
selected email address black/white list and if a match is found to
take the action configured in the list for the email address. For more
information, see IP address and email address black/white lists on
page 565.
E-mail address BWL list Select the email address black/white list to add to the protection
profile. For more information, see Creating a new email address list
on page 568.
Return e-mail DNS check Select to enable checking that the domain specified in the reply-to or
from address has an A or MX record.
Banned word check Select to block email messages based on matching the content of
the message with the words or patterns in the selected email filter
banned word list. For more information, see Banned word on
page 562.
Banned word list Select the banned word list to add to the protection profile. For more
information, see Creating a new banned word list on page 563.
Threshold Enter an email filter banned word block threshold.
Each entry in the banned word list added to the protection profile
includes a score. When an email message matches an entry in the
banned word list, the score is recorded. If an email message
matches more than one entry, the score for the email message
increases. When the total score for an email message equals or
exceeds the threshold, the message is tagged as spam.
The default score for a banned word list entry is 10 and the default
threshold is 10. This means that by default an email message is
tagged as spam by a single match. You can change the scores and
threshold so email messages are only tagged as spam if there are
multiple matches.
Spam Action Select to either tag or discard email that the FortiGate unit
determines to be spam. Tagging adds the text in the Tag Format
field to the subject line or header of email identified as spam.
Note: When you enable virus scanning for SMTP and SMTPS in the
Anti-virus section of the protection profile, scanning by splice, also
called streaming mode, is enabled automatically. When scanning by
splice, the FortiGate unit simultaneously scans and streams traffic to
the destination, terminating the stream to the destination if a virus is
detected. For details on configuring splicing, see the splice option
for each protocol in the config firewall profile command in
the FortiGate CLI Reference. For details on splicing behavior for
SMTP, see the Knowledge Center article FortiGate Proxy Splice and
Client Comforting Technical Note.
When virus scanning is enabled for SMTP the FortiGate unit can
only discard spam email if a virus is detected. Discarding
immediately drops the connection. If virus scanning is not enabled,
you can choose to either tag or discard SMTP spam.
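The scoring rule in the Threshold entry above is easier to reason about when written out. The following Python is an added example, not FortiGate code: the banned word list is constructed for this example with the page's default score of 10 for some entries and lower scores for others, a '*' in a wildcard entry is taken to match any run of characters (a simplification assumed here), and each entry is counted at most once per message, which the page does not specify. It also includes the 64-byte limit on the spam tag from the Tag Format entry of this table, measured on the UTF-8 form because the byte count depends on the encoding.

```python
import re

# Constructed banned word list: (pattern, pattern type, score).
BANNED_WORDS = [
    ("free offer", "wildcard", 5),
    ("click here", "wildcard", 5),
    ("lott*ry", "wildcard", 10),
    (r"\b\d{3}% (guaranteed|return)", "regex", 10),
]

DEFAULT_THRESHOLD = 10   # the page's default threshold
MAX_TAG_BYTES = 64       # tags must not exceed 64 bytes


def compile_entry(pattern, pattern_type):
    """Turn one list entry into a compiled regex.

    Assumption for this example: '*' in a wildcard entry matches any run of
    characters and everything else is literal; regex entries are used as-is.
    Matching is case-insensitive.
    """
    if pattern_type == "wildcard":
        parts = [re.escape(p) for p in pattern.split("*")]
        return re.compile(".*?".join(parts), re.IGNORECASE)
    return re.compile(pattern, re.IGNORECASE)


def score_message(text, banned_words=BANNED_WORDS):
    """Return (total score, matched patterns).

    Each matching entry adds its score to the message total; an entry counts
    once per message (an assumption the page does not settle).
    """
    total = 0
    matched = []
    for pattern, pattern_type, score in banned_words:
        if compile_entry(pattern, pattern_type).search(text):
            total += score
            matched.append(pattern)
    return total, matched


def is_spam(text, threshold=DEFAULT_THRESHOLD, banned_words=BANNED_WORDS):
    """A message is tagged as spam when its total score reaches the threshold."""
    total, _ = score_message(text, banned_words)
    return total >= threshold


def tag_is_valid(tag):
    """Byte length depends on the encoding, so measure the UTF-8 form."""
    return 0 < len(tag.encode("utf-8")) <= MAX_TAG_BYTES


def tag_subject(subject, tag="[SPAM]"):
    """Prefix the subject with the tag; the page notes that a tagged subject
    line is converted to UTF-8, so the result is returned as UTF-8 bytes."""
    if not tag_is_valid(tag):
        raise ValueError("spam tag is empty or exceeds 64 bytes")
    return f"{tag} {subject}".encode("utf-8")


if __name__ == "__main__":
    samples = [
        "Click here for a free offer!",        # two 5-point matches: 10, spam
        "Click here to download the agenda",   # one 5-point match: 5, clean
        "You may have won the lottery",        # one 10-point match: spam
    ]
    for s in samples:
        total, matched = score_message(s)
        print(f"{total:>3} {matched} spam={is_spam(s)}")
```

Raising the threshold to 20 with the same list makes single matches harmless, which is the tuning the page describes for requiring multiple matches.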
Tag Location
Select to add the tag to the subject or MIME header of email identified as spam.
If you select to add the tag to the subject line, the FortiGate unit converts the entire
subject line, including the tag, to UTF-8 format. This improves display for some email
clients that cannot properly display subject lines that use more than one encoding. For
details on preventing conversion of the subject line to UTF-8, see the System Settings
chapter of the FortiGate CLI Reference.
To add the tag to the MIME header, you must enable spamhdr check in the CLI for each
protocol (IMAP, SMTP, and POP3). For more information see profile in the FortiGate CLI
Reference.
Tag Format
Enter a word or phrase with which to tag email identified as spam. When typing a tag, use
the same language as the FortiGate unit's current administrator language setting. Tag text
using other encodings may not be accepted. For example, when entering a spam tag that
uses Japanese characters, first verify that the administrator language setting is Japanese;
the FortiGate unit will not accept a spam tag written in Japanese characters while the
administrator language setting is English. For details on changing the language setting,
see Settings on page 261.
Tags must not exceed 64 bytes. The number of characters constituting 64 bytes of data
varies by text encoding, which may vary by the FortiGate administrator language setting.
Data Leak Prevention Sensor options
You apply data leak prevention (DLP) to traffic by selecting a data leak prevention sensor.
You can use DLP to prevent sensitive data from leaving your network and to provide DLP
archiving.
You can also use protection profile DLP settings to:
display DLP archive meta-information on the Log and Archive Statistics system
dashboard widget
archive spam email (requires a FortiAnalyzer unit or the FortiGuard Analysis and
Management Service).
To configure DLP sensor options, go to Firewall > Protection Profile. Select Create New to
add a protection profile, or the Edit icon beside an existing protection profile. Then select
the Expand Arrow beside Data Leak Prevention Sensor. Select a DLP sensor, enter the
information as described below, and select OK.
For information about DLP, see Data Leak Prevention on page 575.
For information about character sets and DLP scanning, see Character sets and Web
content filtering, Email filtering banned word, and DLP scanning on page 483.
Figure 281: Data Leak Prevention Sensor options
Figure 282: Data Leak Prevention Sensor options (SSL content scanning inspection and
FortiAnalyzer unit configured)
Data Leak Prevention Sensor
Select the check box and then specify the DLP sensor to add to the protection profile. For
more information, see Adding and configuring a DLP sensor on page 577.
Display DLP meta-information on the system dashboard
For each protocol, select whether or not to display DLP archiving data in the dashboard
Log and Archive Statistics widget. You can select HTTP, HTTPS, FTP, IMAP, POP3, and
SMTP.
If your FortiGate unit supports SSL content scanning and inspection you can also select
IMAPS, POP3S, and SMTPS.
For more information about the Log and Archive Statistics widget, see Log and Archive
Statistics on page 77.
Archive SPAMed emails to FortiAnalyzer/FortiGuard
For each email protocol, select to archive email messages identified as spam by
FortiGate Email filtering or by FortiGuard Antispam. You must configure the FortiGate unit
to log to a FortiAnalyzer unit or enable the FortiGuard Analysis and Management Service.
For more information, see Configuring spam email message archiving on page 585.
Application Control options
You can apply application control options through a protection profile.
For more information about application control, see Application Control on page 595.
To configure application control options, go to Firewall > Protection Profile. Select Create
New to add a protection profile, or the Edit icon beside an existing protection profile. Then
select the Expand Arrow beside Application Control and select the application control
black/white list to add to the protection profile.
Figure 283: Protection Profile Application Control options
Application Black/White List
Select the check box and then specify the application control black/white list to add to the
protection profile. For more information, see Creating a new application control
black/white list on page 597.
Logging options
You can enable logging options in a protection profile to write log messages when the
options that you have enabled in this protection profile perform an action. For example, if
you enable antivirus protection you could also enable the antivirus protection profile
logging options to write an antivirus log message every time a virus is detected by this
protection profile.
To record these log messages you must first configure how the FortiGate unit stores log
messages. See Configuring how a FortiGate unit stores logs on page 704.
For information about viewing log messages, see Accessing and viewing log messages
on page 714.
You can also view and customize reports based on these log messages. See Viewing
Executive Summary reports from SQL logs on page 724 and Viewing FortiAnalyzer
reports on page 724.
To configure Logging options, go to Firewall > Protection Profile. Select Create New to
add a protection profile, or the Edit icon beside an existing protection profile. Then select
the Expand Arrow beside Logging, select logging options, and select OK.
Figure 284: Protection Profile Logging options
Antivirus
If antivirus settings are enabled for this protection profile, select the following options to
record Antivirus Log messages.
Viruses
Record a log message when this protection profile detects a virus.
Blocked Files
Record a log message when antivirus file filtering enabled in this protection profile blocks
a file.
Oversized Files / E-mails
Record a log message when this protection profile encounters an oversized file or email.
Oversized files and emails cannot be scanned for viruses.
Web Filtering
If Web Filtering settings are enabled for this protection profile, select the following options
to record Web Filter Log messages.
Content Block
Record a log message when this protection profile matches the content of a web page
with the web content filter added to this protection profile. The log message records
whether the web page was blocked or exempted.
URL Filter
Record a log message when this protection profile matches the URL of a web page with
the web URL filter added to this protection profile. The log message records whether the
web page was blocked, exempted, or allowed.
Invalid Domain Name Warnings
Record a log message when this protection profile detects an invalid domain name. A
domain name is considered invalid if the name fails a reverse DNS lookup.
FortiGuard Web Filtering
If FortiGuard Web Filtering settings are enabled for this protection profile, select the
following option to record Web Filter Log messages.
Rating Errors (HTTP only)
Record a log message when FortiGuard Web Filtering configured in this protection profile
encounters a rating error.
Email Filtering
If Email Filtering settings are enabled for this protection profile, select the following option
to record Email Filter Log messages.
Log Spam
Record a log message when the email filtering configured in this profile determines that
an email message is spam.
IPS
If Intrusion Protection is enabled for this protection profile, select the following option to
record Attack Log messages.
Log Intrusions
Record a log message when this protection profile encounters a session that the IPS
Sensor added to this protection profile determines is an attack or intrusion. The log
message records the IPS signature that detected the attack or intrusion.
Application Control
If Application Control is enabled for this protection profile, select the following option to
record Application Control Log messages.
Log Application Control
Record a log message when the Application Control list added to this protection profile
detects an application. The log message records the application detected and the action
taken by application control.
Data Leak Prevention Sensor
If Data Leak Prevention is enabled for this protection profile, select the following option to
record DLP Log messages.
Log DLP
Record a log message when the data leak prevention sensor added to this protection
profile matches the content of a session.
SIP support
The Session Initiation Protocol (SIP) is a signaling protocol used for establishing and
conducting multiuser calls over TCP/IP networks using any media. Because call setup is
complex, not every firewall can handle SIP calls correctly, even if the firewall is stateful.
The FortiGate unit has a pre-defined SIP firewall service that tracks and scans SIP calls
and makes adjustments to both the firewall state and the call data to ensure that a call is
established seamlessly through the FortiGate unit regardless of its operation mode
(NAT/Route or Transparent). FortiGate units support SIP RFC 3261.
You can use protection profiles to control the SIP protocol and SIP call activity.
A statistical summary of SIP protocol activity is also available for managing SIP use.
This section includes some information about VoIP and SIP. It also describes how FortiOS
SIP support works and how to configure the key SIP features. For more configuration
information, see the FortiGate CLI Reference.
The FortiGate unit supports the following SIP features:
stateful SIP tracking
RTP Pinholing
request control
rate limiting
event logging
communication archiving
NAT IP preservation
client connection control
register response acceptance
Application Level Gateway (ALG) control
SIP stateful HA
IPv6 support
This section describes:
VoIP and SIP
The FortiGate unit and VoIP security
How SIP support works
Configuring SIP
VoIP and SIP
SIP is an IETF protocol for establishing Voice over IP (VoIP) connections. Many VoIP
networks choose SIP to handle multimedia sessions between endpoints. This lightweight
text-based signaling protocol is transported over either Transmission Control Protocol
(TCP) or User Datagram Protocol (UDP). SIP uses invitations to create Session
Description Protocol (SDP) messages that allow participants to agree on a set of
compatible media types.
SIP applications are based on a client-server structure and support user mobility with two
operating modes: proxy and redirect.
In proxy mode (shown in Figure 285), SIP clients send requests to the proxy server. The
proxy server either handles the requests or forwards them to other SIP servers. Proxy
servers can insulate and hide SIP users by proxying the signaling messages. To the other
users on the VoIP network, the signaling invitations look as if they come from the SIP
proxy server.
Figure 285: SIP in proxy mode
When the SIP server operates in redirect mode (shown in Figure 286), the SIP client
sends its signaling request to a SIP server, which then looks up the destination address.
The SIP server returns the destination address to the originator of the call, who uses it to
signal the destination SIP client.
Figure 286: SIP in redirect mode
Figure 285 diagram content: SIP Client A and SIP Client B (a@example.com and
b@example.com) are connected across an IP network through a SIP Proxy Server.
1. SIP clients register with the SIP server.
2. Client A dials Client B and a request is sent to the SIP proxy server.
3. The proxy server looks up the phone number or URL of the destination client (Client B)
and sends an invite to Client B.
4. Client B is notified of the incoming call by the proxy server and the phone rings.
5. The RTP session opens when Client B answers.
Figure 286 diagram content: SIP Client A and SIP Client B (a@example.com and
b@example.com) are connected across an IP network; a SIP Redirect Server resolves the
destination.
1. SIP clients register with the SIP server.
2. Client A dials Client B and a request is sent to the SIP redirect server.
3. The redirect server looks up the phone number or URL of the destination client
(Client B) and sends the address back to the caller (Client A).
4. Client A sends an invitation to Client B.
5. Client B is notified of the incoming call by the redirect server and the phone rings.
6. The RTP session opens when Client B answers.
The FortiGate unit and VoIP security
VoIP networks are vulnerable to many of the same security risks as data networks,
including denial of service (DoS) attacks, service theft, tampering, and fraud. Many
conventional firewalls cannot protect VoIP networks from attacks because VoIP is
implemented at both the signaling and media layers. VoIP calls cannot go through these
firewalls unless a range of ports is opened, which exposes the network to unauthorized
access.
The FortiGate unit can effectively secure VoIP solutions since it supports VoIP protocols
such as SIP, MGCP, and H.323, and associates state at the signaling layer with packet
flows at the media layer. Using SIP ALG controls, the FortiGate unit can interpret the VoIP
signaling protocols used in the network and dynamically open and close ports (pinholes)
for each specific VoIP call to maintain security.
The FortiGate intrusion prevention system (IPS) provides another strategic line of
defense, particularly against VoIP network predators. The IPS has deep-packet inspection
capabilities to provide continuous surveillance across multiple network sectors
simultaneously, recognizing network traffic expected within each and alerting network
managers to malicious packets and other protocol anomalies.
SIP NAT
The FortiGate unit supports network address translation (NAT) of SIP because the
FortiGate ALG can modify the SIP headers correctly.
This section uses scenarios to explain the FortiGate SIP NAT support.
Source NAT (SIP and RTP)
In the source NAT scenario shown in Figure 287, a SIP phone connects to the Internet
through a FortiGate unit with PPPoE. The FortiGate ALG translates all private IPs in the
SIP contact header into public IPs.
You need to configure an internal to external UDP firewall policy with NAT checked and a
SIP-enabled protection profile. For more information about firewall policies, see Firewall
Policy on page 363.
Figure 287: SIP source NAT
Figure 287 diagram content: SIP phone 10.72.0.57 behind the FortiGate unit; Internet side
217.233.122.132; SIP server 217.10.79.9; RTP server 217.10.69.11. The SIP service
provider has a SIP server and a separate RTP server.
Destination NAT (SIP and RTP)
In the destination NAT scenario, a SIP phone can connect to a local IP using a FortiOS
VIP. The FortiGate unit translates the SIP contact header to the IP of the real SIP server
located outside.
Figure 288: SIP destination NAT
In the scenario, shown in Figure 288, the SIP phone connects to a VIP (10.72.0.60). The
FortiGate SIP ALG translates the SIP contact header to 217.10.79.9. The FortiGate ALG
will open the Real-time Transport Protocol (RTP) pinholes and manage NAT.
The FortiGate unit also supports a variation of this scenario in which the RTP server hides
its real address.
Figure 289: SIP destination NAT-RTP server hidden
In this scenario, shown in Figure 289, a SIP phone connects to the Internet. The VoIP
service provider only publishes a single public IP (a VIP). The SIP phone connects to the
FortiGate unit (217.233.90.60) and the FortiGate unit then translates the SIP contact
header to the SIP server (10.0.0.60). The SIP server changes the SIP/SDP connection
information (which tells the SIP phone which RTP IP it should contact) also to
217.233.90.60.
Figure 288 diagram content: SIP phone 10.72.0.57; VIP 10.72.0.60 on the FortiGate unit;
Internet side 217.233.122.132; SIP server 217.10.79.9; RTP server 217.10.69.11. The SIP
service provider has a SIP server and a separate RTP server.
Figure 289 diagram content: SIP phone 219.29.81.21; FortiGate unit (VIP) 217.233.90.60;
SIP server 10.0.0.60; RTP server 192.168.200.99.
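The header rewriting that the source NAT and destination NAT scenarios above describe can be shown on a concrete message. The following Python is an added example, not FortiGate code: it builds a constructed INVITE with SDP as a phone at a given address would send it, applies a constructed address map to the Contact header and to the SDP o= and c= lines (the contact header and SDP connection information the page describes), recomputes Content-Length because the body length changes, and extracts the address and port that the ALG would open an RTP pinhole for. Rewriting the Via header as well is an assumption about how a typical ALG routes responses back through the unit; the page does not mention it.

```python
import re

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Headers rewritten by this example: Contact (as the page describes) and Via
# (assumption: so responses are routed back to the unit, not to a private IP).
NAT_HEADERS = {"contact", "via"}


def make_invite(ip, rtp_port=49170):
    """Constructed INVITE with SDP, as a phone at `ip` would send it."""
    body = (
        "v=0\r\n"
        f"o=a 2890844526 2890844526 IN IP4 {ip}\r\n"
        "s=-\r\n"
        f"c=IN IP4 {ip}\r\n"
        "t=0 0\r\n"
        f"m=audio {rtp_port} RTP/AVP 0\r\n"
    )
    head = (
        "INVITE sip:b@example.com SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {ip}:5060;branch=z9hG4bK776asdhds\r\n"
        "From: <sip:a@example.com>;tag=1928301774\r\n"
        "To: <sip:b@example.com>\r\n"
        "Call-ID: a84b4c76e66710\r\n"
        "CSeq: 314159 INVITE\r\n"
        f"Contact: <sip:a@{ip}:5060>\r\n"
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(body)}\r\n"
    )
    return head + "\r\n" + body


def parse(raw):
    """Split a SIP message into start line, [name, value] headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append([name.strip(), value.strip()])
    return start, headers, body


def build(start, headers, body):
    head = "\r\n".join([start] + [f"{name}: {value}" for name, value in headers])
    return head + "\r\n\r\n" + body


def translate(raw, nat_map):
    """Rewrite addresses in a SIP message according to nat_map ({old: new}).

    Contact/Via headers and the SDP o= and c= lines are translated; addresses
    not in the map are left alone. Content-Length is recomputed afterwards.
    """
    def sub(text):
        return IPV4.sub(lambda m: nat_map.get(m.group(1), m.group(1)), text)

    start, headers, body = parse(raw)
    for hdr in headers:
        if hdr[0].lower() in NAT_HEADERS:
            hdr[1] = sub(hdr[1])
    lines = body.split("\r\n")
    body = "\r\n".join(sub(l) if l.startswith(("o=", "c=")) else l for l in lines)
    for hdr in headers:
        if hdr[0].lower() == "content-length":
            hdr[1] = str(len(body.encode("utf-8")))
    return build(start, headers, body)


def rtp_pinhole(raw):
    """Return the (ip, port) the SDP advertises for audio: the pinhole the ALG
    opens for the RTP stream of this call."""
    _, _, body = parse(raw)
    ip, port = None, None
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            ip = line.split()[-1]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    return ip, port


if __name__ == "__main__":
    # Source NAT scenario: private phone address mapped to the public address.
    outbound = translate(make_invite("10.72.0.57"), {"10.72.0.57": "217.233.122.132"})
    print(outbound)
    print("RTP pinhole:", rtp_pinhole(outbound))
```

The same function covers the destination NAT case by mapping the VIP to the real server address; the map is the only thing that changes between the scenarios.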
Source NAT with IP pool
You can choose NAT with the Dynamic IP Pool option when configuring a firewall policy if
the source IP of the SIP packets is different from the interface IP. The FortiGate ALG
interprets this configuration and translates the SIP header accordingly.
This configuration also applies to destination NAT.
Different source and destination NAT for SIP and RTP
This is a more complex scenario that a SIP service provider may use. It can also be
deployed in large-scale SIP environments where RTP has to be processed by the
FortiGate unit and the RTP server IP has to be translated differently than the SIP
server IP.
Figure 290: Different source and destination NAT for SIP and RTP
In this scenario, shown in Figure 290, assume there is a SIP server and a separate media
gateway. The SIP server is configured so that the SIP phone (219.29.81.20) will connect
to 217.233.90.60. The media gateway (RTP server: 219.29.81.10) will connect to
217.233.90.65.
What happens is as follows:
1 The SIP phone connects to the SIP VIP. The FortiGate ALG translates the SIP contact
header to the SIP server: 219.29.81.20 -> 217.233.90.60 (-> 10.0.0.60).
2 The SIP server carries out RTP to 217.233.90.65.
3 The FortiGate ALG opens pinholes, assuming that it knows the ports to be opened.
4 RTP is sent to the RTP VIP (217.233.90.65). The FortiGate ALG translates the SIP
contact header to 192.168.0.21.
How SIP support works
The FortiGate unit uses firewall policies to protect communications between servers and
VoIP end devices. These policies restrict VoIP communication based on authorized end
devices or traffic sourced or destined for a particular IP address or interface. The
FortiGate unit segments the VoIP network, separating the voice traffic from other traffic to
ensure that appropriate priority and policies are applied.
Figure 290 diagram content: SIP phone 219.29.81.20 and RTP server 219.29.81.10 on the
Internet side; SIP VIP 217.233.90.60 to SIP server 10.0.0.60; RTP VIPs RTP-1
217.233.90.65 and RTP-2 217.233.90.70 to RTP servers 192.168.0.21 and 192.168.0.23.
You need to configure the FortiOS SIP support in the following order:
1 Create a firewall protection profile that enables SIP (see Enabling SIP support and
setting rate limiting from the web-based manager on page 498).
Once the profile is included in a policy, the ALG will parse the SIP traffic and open the
RTP ports for each specific VoIP call.
When creating a protection profile, you configure SIP features using the web-based
manager and CLI. You then apply the profile to a firewall policy. You can apply a profile
to multiple policies.
2 Create a firewall policy that allows SIP and includes a SIP-enabled protection profile.
Specifically, select the SIP or ANY pre-defined service for the policy.
When the FortiGate unit receives a SIP packet, it checks the packet against the firewall
policies. If the packet matches a policy, the FortiGate firewall inspects and processes
the packet according to the SIP profile applied to the policy.
For more information about firewall policies, see Firewall Policy on page 363.
3 Configure advanced SIP features as required (see Configuring SIP on page 498).
Configuring SIP
You can enable SIP support, set two rate limits, enable SIP logging, and view SIP
statistics using the web-based manager. You can do this plus configure many other SIP
support features from the CLI.
This section describes the following SIP configuration options:
Enabling SIP support and setting rate limiting from the web-based manager
Enabling SIP support from the CLI
More about rate limiting
Enabling SIP logging
Enabling advanced SIP features in an application list
Turning on SIP tracking
Managing RTP pinholing
Blocking SIP requests
Archiving SIP communication
Preserving NAT IP
Controlling SIP client connections
Accepting SIP register responses
Controlling how SIP handles contact header NAT
Opening and closing SIP register and non-register pinholes
Support for RFC 2543-compliant branch parameters
Enabling SIP support and setting rate limiting from the web-based manager
To enable SIP support you need to:
enable SIP in an application control list
select this application control list in a protection profile
add this protection profile to a firewall policy that accepts SIP traffic.
From the web-based manager, you can also configure some SIP rate limiting settings.
Rate limiting for SIP also limits SIMPLE traffic. SIP rate limiting is useful for protecting a
SIP server within a company. Most SIP servers do not have integrated controls and it is
very easy to flood SIP servers with INVITE or REGISTER requests.
Enabling SIP in an application control list actually enables the SIP application level
gateway (SIP ALG) for sessions accepted by a firewall policy that includes the SIP
application.
To enable SIP and set REGISTER and INVITE rate limiting from the web-based manager
1 Go to UTM > Application Control.
2 If you want to enable SIP for an existing application control list, select the Edit icon for
an application control list. Otherwise, select Create New to add a new application
control list.
3 Then, select Create New in the list to add a new application to the list.
4 Set Application to SIP.
You can optionally set Category to voip to make the SIP application easier to find.
5 Optionally configure REGISTER and INVITE limiting.
For example:
Set Limit REGISTER request to 100.
Set Limit INVITE request to 100.
Figure 291: Example SIP Application control configuration
6 Select OK.
7 Go to Firewall > Profile and add the application control list to a protection profile.
8 Go to Firewall > Policy and add the protection profile to a firewall policy that accepts
SIP sessions.
For more information about application control, see Application Control on page 595.
Tip: The SIP and SCCP application control list entries are used only for enabling the SIP or
SCCP application level gateways (ALGs). They are not like any other application control list
entry. For example, you cannot use the SIP and SCCP application control list entries to
block SIP or SCCP traffic. From the CLI SIP is application number 12 and SCCP is
application number 13.
Tip: The SIP.TCP and SIP.UDP application control list entries are normal application
control list entries and are not involved with the SIP ALG. You can use the SIP.TCP or
SIP.UDP application control list entries to block SIP sessions.
Enabling SIP support from the CLI
From the FortiGate CLI, you can enable rate limiting for a more extensive range of SIP
requests, including ACK, INFO, NOTIFY, OPTIONS, PRACK, REFER, SUBSCRIBE, and
UPDATE. For more information, see the FortiGate CLI Reference.
From the CLI, you enable SIP support using the config application list command
to add SIP to an application control list. The config application list command
uses application list names or numbers to identify applications. SIP is application number
12.
To enable SIP and set REGISTER and INVITE rate limiting from the CLI
1 Enter the following command to add an application control list called App_list_SIP,
enable SIP support in the list, and limit REGISTER and INVITE requests to 100
requests per second per firewall policy.
config application list
    edit App_list_SIP
        config entries
            edit 1
                set category voip
                set application SIP
                set register-rate 100
                set invite-rate 100
            end
    end
2 Enter the following command to add the App_list_SIP to a protection profile called
SIP_Profile.
config firewall profile
    edit SIP_Profile
        set application-list-status enable
        set application-list App_list_SIP
    end
3 Enter the following command to add the SIP_Profile protection profile to a firewall
policy. The example uses generic firewall policy settings. The example also uses the
SIP service. You could also set service to ANY.
config firewall policy
    edit 1
        set srcintf port1
        set dstintf port2
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service SIP
        set profile-status enable
        set comments "Example SIP policy"
        set profile SIP_Profile
    end
More about rate limiting
FortiGate units support rate limiting for the following types of VoIP traffic:
Session Initiation Protocol (SIP)
Skinny Call Control Protocol (SCCP)
Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions
(SIMPLE).
You can use rate limiting of these VoIP protocols to protect the FortiGate unit and your
network from SIP and SCCP Denial of Service (DoS) attacks. Rate limiting protects
against SIP DoS attacks by limiting the number of SIP REGISTER and INVITE requests
that the FortiGate unit receives per second. Rate limiting protects against SCCP DoS
attacks by limiting the number of SCCP call setup messages that the FortiGate unit
receives per minute.
When VoIP rate limiting is enabled, if the FortiGate unit receives more messages per
second (or minute) than the configured rate, the extra messages are dropped.
If you are experiencing denial of service attacks from traffic using these VoIP protocols,
you can enable VoIP rate limiting and limit the rates for your network. Limit the rates
depending on the amount of SIP and SCCP traffic that you expect the FortiGate unit to be
handling. You can adjust the settings if some calls are lost or if the amount of SIP or
SCCP traffic is affecting FortiGate unit performance.
From the CLI you can configure additional SIP, SCCP, as well as SIMPLE extensions. For
more information, see the description of the config sip, config sccp, and config
simple subcommands of the application command in the FortiGate CLI Reference.
You can also block SIMPLE sessions by enabling block login for the SIMPLE application.
For more information, see Application Control on page 595.
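The per-second limit described above drops whatever exceeds the configured rate, and a small model makes the effect on a flood visible. The following Python is an added example, not FortiGate code: it keeps a one-second sliding window of REGISTER and INVITE requests per firewall policy and drops a request once the window is full, with the limits modelled on the CLI example's register-rate and invite-rate of 100 requests per second per policy. Per-policy keying, the sliding window and the pass-through of other request types and of responses are assumptions of this example; the REGISTER flood it replays is constructed.

```python
from collections import deque


class SipRateLimiter:
    """Limit SIP REGISTER and INVITE requests per second, per firewall policy."""

    def __init__(self, register_rate=100, invite_rate=100):
        self.limits = {"REGISTER": register_rate, "INVITE": invite_rate}
        self.windows = {}   # (policy_id, method) -> deque of accept timestamps
        self.dropped = 0

    @staticmethod
    def method(raw):
        """Return the request method, or None for responses and malformed lines.
        Request lines look like "METHOD Request-URI SIP/2.0"; status lines
        start with "SIP/2.0" instead."""
        parts = raw.split("\r\n", 1)[0].split()
        if len(parts) == 3 and parts[2] == "SIP/2.0":
            return parts[0]
        return None

    def allow(self, policy_id, raw, now):
        """Decide whether a message received at time `now` (seconds) passes."""
        m = self.method(raw)
        limit = self.limits.get(m)
        if limit is None:   # ACK, BYE, responses, ...: not rate limited here
            return True
        window = self.windows.setdefault((policy_id, m), deque())
        while window and now - window[0] >= 1.0:
            window.popleft()        # forget accepts older than one second
        if len(window) >= limit:
            self.dropped += 1       # over the rate: the extra message is dropped
            return False
        window.append(now)
        return True


def simulate_flood(limiter, policy_id, raw, count, interval):
    """Replay `count` copies of `raw` spaced `interval` seconds apart and
    return (accepted, dropped) counts."""
    accepted = 0
    for i in range(count):
        if limiter.allow(policy_id, raw, i * interval):
            accepted += 1
    return accepted, count - accepted


# Constructed REGISTER request used as the flood message.
REGISTER = (
    "REGISTER sip:example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.72.0.57:5060;branch=z9hG4bKnashds7\r\n"
    "To: <sip:a@example.com>\r\n"
    "From: <sip:a@example.com>;tag=456248\r\n"
    "Call-ID: 843817637684230@10.72.0.57\r\n"
    "CSeq: 1826 REGISTER\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    rl = SipRateLimiter(register_rate=100, invite_rate=100)
    # 500 REGISTERs in one second against a 100/s limit: 100 pass, 400 drop.
    print(simulate_flood(rl, policy_id=1, raw=REGISTER, count=500, interval=0.002))
```

Tuning is the same trade-off the text describes: a limit below the legitimate registration burst of your phones loses calls, so set it from the traffic you expect the policy to carry.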
Enabling SIP logging
SIP logging is enabled by default when you add a SIP entry to an application control list.
However, you must also enable application control logging in the protection profile that you
add the application control list to before the FortiGate unit actually records SIP log
messages. You must also go to Log&Report > Log Config and enable remote or local
logging for the FortiGate unit.
For more information about enabling and configuring logging, see Log&Report on
page 703.
To enable SIP logging from the web-based manager
1 Go to UTM > Application Control.
2 Add a new application list, or edit an existing one, that includes a SIP entry.
3 Make sure Enable Logging is selected.
You can also select Enable Logging of Violations.
4 Go to Firewall > Profile and add a new protection profile or edit the protection profile
that contains the SIP application control list.
5 Select the Logging Expand Arrow.
6 Select Log Application Control.
This option enables logging for all entries in the application control list with Enable
Logging selected.
7 Go to Firewall > Policy and add the protection profile to a firewall policy that accepts
SIP sessions.
To enable SIP logging from the CLI
1 Enter the following command to add an application control list called App_list_SIP,
enable SIP support and enable SIP logging. You can also optionally enable logging of
SIP violations.
Logging is enabled by default, but you can use the following command to verify that
logging is enabled and to also enable logging of SIP violations.
config application list
    edit App_list_SIP
        config entries
            edit 1
                set category voip
                set application SIP
                set log enable
                set sip-log-violations enable
            end
    end
2 Enter the following command to add App_list_SIP to a protection profile called
SIP_Profile and enable application control logging for the protection profile.
config firewall profile
    edit SIP_Profile
        set application-list-status enable
        set application-list App_list_SIP
        config log
            set log-app-ctrl enable
        end
    end
Enabling advanced SIP features in an application list
Table 51 lists the advanced SIP features that you can configure in an application control
list using the config application list CLI command.
Table 51: Application control list advanced SIP features
SIP CLI Option / Description
block-ack {enable | disable}
    Enable to block SIP ACK requests.
block-audio {enable | disable}
    Enable to block audio. This command is available only when application is set to
    AIM, ICQ, MSN, or Yahoo.
block-bye {enable | disable}
    Enable to block SIP BYE requests.
block-cancel {enable | disable}
    Enable to block SIP CANCEL requests.
block-info {enable | disable}
    Enable to block SIP INFO requests.
block-invite {enable | disable}
    Enable to block SIP INVITE requests.
block-long-lines {enable | disable}
    Enable to block SIP requests with headers exceeding the value set in
    max-line-length.
block-notify {enable | disable}
    Enable to block SIP NOTIFY requests.
block-options {enable | disable}
    Enable to block SIP OPTIONS requests.
block-prack {enable | disable}
    Enable to block SIP PRACK requests.
block-publish {enable | disable}
    Enable to block SIP PUBLISH requests.
block-refer {enable | disable}
    Enable to block SIP REFER requests.
block-register {enable | disable}
    Enable to block SIP REGISTER requests.
block-subscribe {enable | disable}
    Enable to block SIP SUBSCRIBE requests.
block-unknown {enable | disable}
    Enable to block unrecognized SIP requests.
block-update {enable | disable}
    Enable to block SIP UPDATE requests.
call-keepalive <minutes_int>
    Enter the number of minutes the FortiGate unit continues tracking SIP calls with
    no RTP.
max-dialogs <calls_int>
    Enter the maximum number of concurrent SIP dialogs.
max-line-length <length_int>
    Enter the maximum SIP header line length. The value must be between 78 and
    4096. The default is 998 characters. Enable block-long-lines to enforce this limit.
open-contact-pinhole {disable | enable}
    Open or close SIP pinholes for SIP non-REGISTER requests (usually INVITE
    requests). By default open-contact-pinhole is enabled and the FortiGate unit
    opens pinholes for non-REGISTER requests. Set to disable to prevent the
    FortiGate unit from opening these pinholes.
open-register-pinhole {disable | enable}
    Open or close SIP pinholes for SIP REGISTER requests. By default
    open-register-pinhole is enabled and the FortiGate unit opens pinholes for
    REGISTER requests. Set to disable to prevent the FortiGate unit from opening
    these pinholes.
reg-diff-port {enable | disable}
    Enable to accept SIP REGISTER responses even if the source port is different
    from the destination port in the register request.
rfc2543-branch {enable | disable}
    Enable to support RFC 2543-compliant SIP calls involving branch parameters
    that are missing or that are valid for RFC 2543 but invalid for RFC 3261.
    RFC 3261 is the most recent SIP RFC. RFC 3261 obsoletes RFC 2543.
rtp {enable | disable}
    Enable to allow RTP traffic.
strict-register {enable | disable}
    Enable to allow only the SIP registrar to connect.
Turning on SIP tracking
The FortiGate SIP Application Level Gateway (SIP ALG) tracks the SIP session over its
life span. A SIP session (or SIP dialog) is normally established after the SIP INVITE
procedure. The ALG then tracks this call as a SIP session. A session can end by the regular
BYE procedure, such as callers hanging up the phone, or by an unexpected signalling or
transport error.
You can continue tracking a SIP session for a specified period of time even when RTP
(Real-time Transport Protocol) is lost.
From the CLI, type the following commands:
config application list
    edit <list_name>
        config entries
            edit 1
                set category voip
                set application SIP
                set call-keepalive <integer>
            end
    end
Managing RTP pinholing
Once you create a firewall policy that allows SIP, the FortiGate ALG will automatically
open the respective RTP ports as long as the SIP session is alive.
You can also manually close RTP ports. This may be useful in cases where the FortiGate
unit only acts as a signalling firewall while RTP is bypassed. Therefore, no pinholes need
to be created.
From the CLI, type the following commands:
config application list
    edit <list_name>
        config entries
            edit 1
                set category voip
                set application SIP
                set rtp disable
            end
    end
Blocking SIP requests
Since SIP requests can be transmitted via UDP, broadcast attacks are possible. To
prevent your site from being used as an intermediary in an attack, you can block various
SIP requests including ACK, INVITE, INFO, PRACK, and so on directed to broadcast
addresses at your router.
For example, you can type the following commands to block INVITE requests:
config application list
    edit <list_name>
        config entries
            edit 1
                set category voip
                set application SIP
                set block-invite enable
            end
    end
Archiving SIP communication
You can archive SIP call metadata by enabling DLP archiving of session control content.
You can view the archived information on a FortiAnalyzer unit or the FortiGuard Analysis and
Management Service. For more information, see DLP archiving on page 580.
Preserving NAT IP
In NAT operation mode, you can preserve the original source IP address in the SDP i line.
This allows the SIP server to parse this IP for billing purposes.
From the CLI, type the following commands:
config application list
    edit <list_name>
        config entries
            edit 1
                set category voip
                set application SIP
                set nat-trace enable
            end
    end
In addition, you can overwrite or append the SDP i line:
config application list
    edit <list_name>
        config entries
            edit 1
                set category voip
                set application SIP
                set preserve-override {enable | disable}
            end
    end
where selecting enable removes the original source IP address from the SDP i line and
disable appends the address.
Controlling SIP client connections
You can restrict SIP clients so that they connect only to the registrar itself. This helps
prevent VoIP spoofing.
From the CLI, type the following commands:
config application list
    edit <list_name>
        config entries
            edit 1
                set category voip
                set application SIP
                set strict-register enable
            end
    end
Accepting SIP register responses
You can enable reg-diff-port to accept a SIP register response from a SIP server
even if the source port of the register response is different from the destination port of the
register request.
Most SIP servers use 5060 as the source port in the SIP register response. Some SIP
servers, however, may use a different source port. If your SIP server uses a different
source port, you can enable reg-diff-port and the FortiGate SIP ALG will create a
temporary pinhole when receiving a register request from a SIP client. As a result, the
FortiGate unit will accept a register response with any source port number from the SIP
server.
From the CLI, type the following commands:
config application list
    edit <list_name>
        config entries
            edit 1
                set category voip
                set application SIP
                set reg-diff-port enable
            end
    end
Controlling how SIP handles contact header NAT
You can enable contact-fixup so that the FortiGate ALG performs normal SIP NAT
translation of SIP Contact headers as SIP sessions pass through the FortiGate unit.
Disable contact-fixup if you do not want the FortiGate ALG to perform normal SIP
NAT translation of the SIP Contact header when a Record-Route header is also present. If
contact-fixup is disabled, the FortiGate ALG does the following with Contact headers:
For Contact in requests, if a Record-Route header is present and the request comes
from the external network, the SIP Contact header is not translated.
For Contact in responses, if a Record-Route header is present and the response
comes from the external network, the SIP Contact header is not translated.
If contact-fixup is disabled, the FortiGate ALG must be able to identify the external
network. To identify the external network, you must use the config system
interface command to set the external keyword to enable for the interface that is
connected to the external network.
From the CLI, type the following commands:
config application list
    edit <list_name>
        config entries
            edit 1
                set category voip
                set application SIP
                set contact-fixup {enable | disable}
            end
    end
Opening and closing SIP register and non-register pinholes
You can use open-register-pinhole and open-contact-pinhole to control
whether the FortiGate unit opens register and non-register pinholes. Non-register pinholes
are usually opened for SIP INVITE requests.
By default, open-register-pinhole is enabled and the FortiGate unit opens pinholes
for register requests. You can disable open-register-pinhole so that the FortiGate
unit does not open pinholes for register requests.
By default, open-contact-pinhole is also enabled and the FortiGate unit opens
pinholes for non-register requests. You can disable open-contact-pinhole so that the
FortiGate unit does not open pinholes for non-register requests.
Usually you would want to open these pinholes. Keeping them closed may prevent SIP from
functioning properly through the FortiGate unit. They can be disabled, however, for
interconnect scenarios (where all SIP traffic is between proxies and travels over a single
session). In some cases these settings can also be disabled in access scenarios if it is
known that all users will be registering regularly, so that their contact information can be
learned from the register request.
You might want to prevent pinholes from being opened to avoid creating a pinhole for
every register or non-register request. Each pinhole uses additional system memory,
which can affect system performance if there are hundreds or thousands of users, and
requires refreshing which can take a relatively long amount of time if there are thousands
of active calls.
To stop the FortiGate unit from opening register and non-register pinholes:
config application list
    edit <list_name>
        config entries
            edit 1
                set category voip
                set application SIP
                set open-register-pinhole disable
                set open-contact-pinhole disable
            end
    end
Blocking SIP requests
SIP uses a variety of text-based messages or requests to communicate information about
SIP clients and servers to the various components of the SIP network. Since SIP requests
are simple text messages and since the requests or their replies can contain information
about network components on either side of the FortiGate unit, it may be a security risk to
allow these messages to pass through.
As listed in Table 51 on page 502, the config application list command includes
options for blocking a wide range of SIP messages. By default most of these options are
disabled and the FortiGate unit allows all message types, with two exceptions:
block-long-lines blocks messages with lines longer than the max-line-length
(default 998 characters).
block-unknown blocks unrecognized SIP message types.
You can selectively enable SIP block options to block SIP messages that you consider a
security risk or that are not required for your implementation. For example, enter the
following command to block SIP OPTIONS and PUBLISH messages:
config application list
    edit <list_name>
        config entries
            edit 1
                set category voip
                set application SIP
                set block-options enable
                set block-publish enable
            end
    end
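To make the effect of the block options in Table 51 and in the two "Blocking SIP requests" sections concrete, here is an added Python model (not FortiOS code) that applies block-<method>, block-unknown and block-long-lines with max-line-length to raw SIP messages and reports which option caught each one. Which lines the real ALG measures against max-line-length is not stated in the guide, so checking every line of the header section is an assumption, as are the constructed sample messages.

```python
"""Added example: a simplified model of the SIP request block options from
Table 51 (block-<method>, block-unknown, block-long-lines / max-line-length)
applied to raw SIP messages. It is not FortiOS code; which lines the real ALG
measures against max-line-length is an assumption (every line of the header
section is checked here)."""

# Request methods the guide lists a block-<method> option for.
KNOWN_METHODS = frozenset({
    "ACK", "BYE", "CANCEL", "INFO", "INVITE", "NOTIFY", "OPTIONS", "PRACK",
    "PUBLISH", "REFER", "REGISTER", "SUBSCRIBE", "UPDATE",
})

# Defaults as the guide describes them: only block-long-lines and
# block-unknown are enabled, and max-line-length is 998 characters.
DEFAULT_POLICY = {
    "block-long-lines": True,
    "block-unknown": True,
    "max-line-length": 998,
}


def make_policy(**overrides):
    """Copy of DEFAULT_POLICY with e.g. block_invite=True applied
    (underscores in keyword names map to the CLI option hyphens)."""
    policy = dict(DEFAULT_POLICY)
    for key, value in overrides.items():
        policy[key.replace("_", "-")] = value
    return policy


def inspect_sip(raw: str, policy=None):
    """Return ("allow" | "block", reason) for one SIP message under `policy`."""
    policy = policy or DEFAULT_POLICY
    header_section = raw.split("\r\n\r\n", 1)[0]
    lines = header_section.split("\r\n")
    start_line = lines[0]
    if start_line.startswith("SIP/2.0 "):
        return "allow", "response"  # the block-* options apply to requests
    if policy["block-long-lines"]:
        limit = policy["max-line-length"]
        for line in lines:
            if len(line) > limit:
                return "block", f"block-long-lines ({len(line)} > {limit})"
    method = start_line.split(" ", 1)[0]
    if method not in KNOWN_METHODS:
        if policy["block-unknown"]:
            return "block", f"block-unknown ({method})"
        return "allow", f"unknown method {method}"
    option = "block-" + method.lower()
    if policy.get(option):
        return "block", option
    return "allow", method


def sample_request(method, extra_headers=()):
    """Constructed minimal SIP request (documentation addresses only)."""
    headers = [f"{method} sip:bob@example.invalid SIP/2.0",
               "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-demo",
               f"CSeq: 1 {method}", *extra_headers]
    return "\r\n".join(headers) + "\r\n\r\n"


if __name__ == "__main__":
    hardened = make_policy(block_options=True, block_publish=True)
    for msg in (sample_request("INVITE"), sample_request("OPTIONS"),
                sample_request("PUBLISH"), sample_request("FOO"),
                sample_request("INVITE", [f"Subject: {'A' * 1000}"])):
        print(inspect_sip(msg, hardened))
```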
Support for RFC 2543-compliant branch parameters
FortiGate units support SIP RFC 3261. RFC 3261 is the most recent SIP RFC; it obsoletes
RFC 2543. However, some SIP implementations may use RFC 2543-compliant SIP calls.
The rfc2543-branch CLI keyword of the config application list command has
been added to allow the FortiGate unit to support SIP calls that include an
RFC 2543-compliant branch parameter in the SIP Via header. This option also allows
FortiGate units to support SIP calls that include Via headers that are missing the branch
parameter.
config application list
    edit <list_name>
        config entries
            edit 1
                set category voip
                set application SIP
                set rfc2543-branch enable
            end
    end
AntiVirus
This section describes how to configure the antivirus options associated with firewall
protection profiles. From a protection profile you can configure the FortiGate unit to apply
antivirus protection to HTTP, FTP, IMAP, POP3, SMTP, IM, and NNTP sessions. If your
FortiGate unit supports SSL content scanning and inspection you can also configure
antivirus protection for HTTPS, IMAPS, POP3S, and SMTPS sessions. For more
information, see SSL content scanning and inspection on page 469.
This section provides an introduction to antivirus settings. For more information see the
FortiGate UTM User Guide.
If you enable virtual domains (VDOMs) on the FortiGate unit, UTM > Antivirus options are
configured separately for each virtual domain. For details, see Using virtual domains on
page 125.
This section describes:
Order of operations
Antivirus tasks
Antivirus settings and controls
File Filter
File Quarantine
Selecting the virus database
Antivirus CLI configuration
Order of operations
The antivirus scanning function includes various modules and engines that perform separate
tasks. The FortiGate unit performs antivirus processing in the following order:
File size
File pattern
File type
Virus scan
Grayware
Heuristics
If a file fails any of the tasks of the antivirus scan, no further scans are performed. For
example, if the file fakefile.EXE is recognized as a blocked pattern, the FortiGate unit will
send the end user a replacement message and the file will be deleted or quarantined. The
virus scan, grayware, heuristics, and file type scans will not be performed because the file
has already been determined to be a threat and has been dealt with.
Note: File filter includes file pattern and file type scans which are applied at different stages
in the antivirus process.
Figure 292: Order of operation
Antivirus tasks
The antivirus tasks work in sequence to efficiently scan incoming files and offer your
network unparalleled antivirus protection. The first four tasks have specific functions, the
fifth, the heuristics, is to cover any new, previously unknown, virus threats. To ensure that
your system is providing the most protection available, all virus definitions and signatures
are updated regularly through the FortiGuard antivirus services. The tasks will be
discussed in the order that they are applied followed by FortiGuard antivirus.
File size
This task checks if files and email messages exceed configured thresholds. It is enabled
by setting the Oversized File/Email option under Firewall > Protection Profile > Antivirus to
Pass.
For more information, see Anti-Virus options on page 477.
[Figure 292 (flowchart): Start with FTP, NNTP, SMTP, POP3, or IMAP traffic after web
filter and spam checking; the file or message is buffered. If the file/email exceeds the
oversized threshold, the oversized file/email action (Pass or Block) decides. Otherwise:
file pattern match? (matching file pattern action: Allow or Block); file type match?
(matching file type action: Allow or Block); AV scan detects infection? (Yes: block
file/email; No: pass file/email).]
File pattern
Once a file is accepted, the FortiGate unit applies the file pattern recognition filter. The
FortiGate unit will check the file against the file pattern setting you have configured. If the
file is a blocked pattern, .EXE for example, then it is stopped and a replacement
message is sent to the end user. No other levels of protection are applied. If the file is not
a blocked pattern, the next level of protection is applied.
File type
Once a file passes the heuristic scan, the FortiGate unit applies the file type recognition
filter. The FortiGate unit will check the file against the file type setting you have configured.
If the file is a blocked type, then it is stopped and a replacement message is sent to the
end user. No other levels of protection are applied. If the file is not a blocked type, the
next level of protection is applied.
Virus scan
If the file passes the file pattern scan, it will have a virus scan applied to it. The virus
definitions are kept up to date through the Fortinet Distribution Network. The list is
updated on a regular basis so you do not have to wait for a firmware upgrade. For more
information on updating virus definitions, see FortiGuard antivirus on page 511.
Grayware
Once past the virus scan, the incoming file will be checked for grayware. Grayware
checking can be turned on and off as required. Grayware signatures are kept up to date
because they are included in the antivirus definitions. For more information, see
Selecting the virus database on page 519.
Heuristics
After an incoming file has passed the grayware scan, it is subjected to the heuristics scan.
The FortiGate heuristic antivirus engine, if enabled, performs tests on the file to detect
virus-like behavior or known virus indicators. In this way, heuristic scanning may detect
new viruses, but may also produce some false positive results.
FortiGuard antivirus
FortiGuard antivirus services are an excellent resource and include automatic updates of
virus and IPS (attack) engines and definitions, as well as the local spam DNSBL, through
the FortiGuard Distribution Network (FDN). The FortiGuard Center also provides the
FortiGuard antivirus virus and attack encyclopedia and the FortiGuard Bulletin. Visit the
Fortinet Knowledge Center for details and a link to the FortiGuard Center.
The connection between the FortiGate unit and FortiGuard Center is configured in
System > Maintenance > FortiGuard. See Configuring the FortiGate unit for FDN and
FortiGuard subscription services on page 302 for more information.
Note: Heuristics is configurable only through the CLI. See the FortiGate CLI Reference.
Antivirus settings and controls
While antivirus settings are configured for system-wide use, specific settings can be
implemented on a per profile basis. Table 52 compares antivirus options in protection
profiles and the antivirus menu.
Note: If virtual domains are enabled, you configure antivirus file filtering and antivirus
settings in protection profiles separately for each virtual domain. Antivirus file quarantine
and grayware settings are part of the global configuration.
Table 52: Antivirus and Protection Profile antivirus configuration
(Each row gives the Protection Profile antivirus option and the corresponding
Antivirus setting, if any.)
Virus Scan
    Protection profile: Enable or disable virus scanning for each supported protocol:
    HTTP, FTP, IMAP, POP3, SMTP, IM. If your FortiGate unit supports SSL content
    scanning and inspection you can also enable virus scanning for HTTPS, IMAPS,
    POP3S, and SMTPS.
    Antivirus setting (UTM > AntiVirus > Virus Database): View information regarding
    the current virus database. If your FortiGate unit supports the extended virus
    database, you may enable it. Enable or disable grayware scanning.
File Filter
    Protection profile: Enable or disable file pattern and file type handling for each
    protocol.
    Antivirus setting (UTM > AntiVirus > File Filter): Configure file patterns and types
    to block or allow files. Patterns and types can also be individually enabled or
    disabled.
Quarantine
    Protection profile: Enable or disable quarantining for each protocol. File
    Quarantine is only available on units with a local disk, or with a configured
    FortiAnalyzer unit.
    Antivirus setting (UTM > AntiVirus > Quarantine): Configure file patterns to upload
    automatically to Fortinet for analysis, and configure quarantine options in
    AntiVirus.
Pass fragmented email messages
    Protection profile: Enable or disable passing fragmented email messages.
    Fragmented email messages cannot be scanned for viruses.
Comfort Clients
    Protection profile: Enable or disable for HTTP and FTP traffic (and HTTPS traffic if
    your FortiGate unit supports SSL content scanning and inspection and HTTPS
    content filtering mode is set to Deep Scan in the protocol recognition part of the
    protection profile). Set the interval and byte amount to trigger client comforting.
Oversized file/email
    Protection profile: Configure the FortiGate unit to block or pass oversized files and
    email messages for each protocol.
    Antivirus setting: Set the size thresholds for files and email messages for each
    protocol in AntiVirus.
Add signature to outgoing email messages
    Protection profile: Create and enable a signature to append to outgoing email
    messages (SMTP only).
File Filter
Configure the FortiGate file filter to block files by:
File pattern: Files can be blocked by name, extension, or any other pattern. File pattern
blocking provides the flexibility to block potentially harmful content.
File pattern entries are not case sensitive. For example, adding *.exe to the file
pattern list also blocks any files ending in .EXE.
In addition to the built-in patterns, you can specify more file patterns to block. For
details, see Configuring the file filter list on page 516.
File type: Files can be blocked by type, without relying on the file name to indicate what
type of files they are. When blocking by file type, the FortiGate unit analyzes the file
and determines the file type regardless of the file name. For details about supported
file types, see Built-in patterns and supported file types on page 513.
For standard operation, you can choose to disable file filter in the protection profile, and
enable it temporarily to block specific threats as they occur.
The FortiGate unit can take either of these actions toward files that match a configured file
pattern or type:
Allow: the file is allowed to pass.
Block: the file is blocked and a replacement message is sent to the user. If both
file filter and virus scan are enabled, the FortiGate unit blocks files that match an
enabled file filter entry and does not scan these files for viruses.
The FortiGate unit also writes a message to the virus log and sends an alert email
message if configured to do so.
Files are compared to the enabled file patterns and then the file types from top to bottom.
If a file does not match any specified patterns or types, it is passed along to antivirus
scanning (if enabled). In effect, files are passed if not explicitly blocked.
Using the allow action, this behavior can be reversed with all files being blocked unless
explicitly passed. Simply enter all the file patterns or types to be passed with the allow
attribute. At the end of the list, add an all-inclusive wildcard (*.*) with a block action.
Allowed files continue to antivirus scanning (if enabled) while files not matching any
allowed patterns are blocked by the wildcard at the end.
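The matching rules just described (patterns before types, top to bottom, first enabled match wins, case-insensitive patterns, pass by default, and the allow-list reversal ending in a blocked *.*) are shown in the following added Python model, which is not FortiOS code. The magic-byte type detection covers only a handful of the supported types and is an assumption about how a file type is recognised, and the sample files are constructed.

```python
"""Added example: evaluation of a file filter list as the guide describes it:
patterns first, then types, top to bottom, first enabled match wins, and a
file matching nothing is passed on to antivirus scanning. Not FortiOS code;
the magic-byte type detection is a constructed subset and an assumption."""
import fnmatch

# Default patterns listed under "Built-in patterns and supported file types".
BUILTIN_PATTERNS = ["*.bat", "*.com", "*.exe", "*.gz", "*.rar", "*.tar",
                    "*.tgz", "*.zip", "*.dll", "*.hta", "*.doc", "*.ppt",
                    "*.xl?", "*.wps", "*.vb?", "*.scr", "*.pif", "*.cpl"]

# Constructed subset of the supported file types (Table 53), keyed by the
# leading bytes of the file. Real detection is more thorough than this.
MAGIC_BYTES = [
    (b"MZ", "exe"), (b"\x7fELF", "elf"), (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"), (b"Rar!\x1a\x07", "rar"),
]


def detect_type(data: bytes) -> str:
    """Classify content by leading bytes, ignoring the file name entirely."""
    for magic, name in MAGIC_BYTES:
        if data.startswith(magic):
            return name
    return "unknown"  # "unknown" is itself a selectable type in Table 53


def evaluate(filename: str, data: bytes, entries):
    """entries: list of (kind, value, action, enabled) where kind is
    "pattern" or "type" and action is "block" or "allow".
    Returns (action, reason) for the first matching enabled entry."""
    name = filename.lower()  # file pattern matching is not case sensitive
    # Pass 1: file patterns, in list order.
    for kind, value, action, enabled in entries:
        if enabled and kind == "pattern" and \
                fnmatch.fnmatchcase(name, value.lower()):
            return action, f"pattern {value}"
    # Pass 2: file types, in list order, using the detected type only.
    ftype = detect_type(data)
    for kind, value, action, enabled in entries:
        if enabled and kind == "type" and value == ftype:
            return action, f"type {value}"
    # No match: the file is passed (to antivirus scanning, if enabled).
    return "allow", "no match (continues to antivirus scanning)"


# A default-style list: block the built-in patterns, plus the exe type so a
# renamed executable is still caught by its content.
DEFAULT_LIST = [("pattern", p, "block", True) for p in BUILTIN_PATTERNS]
DEFAULT_LIST.append(("type", "exe", "block", True))

# The reversed (allow-list) style from the guide: allow what is needed,
# then block everything else with *.* at the end of the list.
ALLOW_LIST = [("pattern", "*.pdf", "allow", True),
              ("pattern", "*.txt", "allow", True),
              ("pattern", "*.*", "block", True)]

if __name__ == "__main__":
    samples = [("Setup.EXE", b"MZ\x90\x00"), ("notes.txt", b"MZ\x90\x00"),
               ("report.pdf", b"%PDF-1.4"), ("tool.bin", b"\x00\x01")]
    for fname, content in samples:
        print(fname, evaluate(fname, content, DEFAULT_LIST),
              evaluate(fname, content, ALLOW_LIST))
```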
Built-in patterns and supported file types
The FortiGate unit is preconfigured with a default list of file patterns:
executable files (*.bat, *.com, and *.exe)
compressed or archive files (*.gz, *.rar, *.tar, *.tgz, and *.zip)
dynamic link libraries (*.dll)
HTML application (*.hta)
Microsoft Office files (*.doc, *.ppt, *.xl?)
Microsoft Works files (*.wps)
Visual Basic files (*.vb?)
screen saver files (*.scr)
program information files (*.pif)
control panel files (*.cpl)
The FortiGate unit can take actions against the following file types:
Table 53: Supported file types
arj activemime aspack base64 bat binhex bzip bzip2
cab class cod elf exe fsg gzip hlp
hta html jad javascript lzh mime msc msoffice
petite prc rar sis tar upx uue zip
unknown ignored
Note: The unknown type is any file type that is not listed in the table. The ignored type is
the traffic the FortiGate unit typically does not scan. This includes primarily streaming audio
and video.
Viewing the file filter list catalog
You can add multiple file filter lists and then select the best file filter list for each protection
profile. To view the file filter list catalog, go to UTM > AntiVirus > File Filter. To view any
individual file filter list, select the edit icon for the list you want to see.
Figure 293: Sample file pattern list catalog
Note: The default file pattern list catalog is called builtin-patterns.
Create New Select Create New to add a new file filter list to the catalog.
Name The available file filter lists.
# Entries The number of file patterns or file types in each file filter list.
Profiles The protection profiles each file filter list has been applied to.
DLP Rule The DLP rules in which each filter is used.
Comments An optional description of each file filter list.
Delete icon Select to remove the file filter list from the catalog. The delete icon is only
available if the file filter list is not selected in any protection profiles.
Edit icon Select to edit the file filter.
File filter lists are selected in protection profiles. For more information, see Anti-Virus
options on page 477.
Creating a new file filter list
To add a file pattern list to the file pattern list catalog, go to UTM > AntiVirus > File Filter
and select Create New.
Figure 294: New File Filter List dialog box
Name Enter the name of the new list.
Comments Enter a comment to describe the list, if required.
Viewing the file filter list
To view the file filter list, go to UTM > AntiVirus > File Filter and select the edit icon of the
file filter list you want to view.
Figure 295: Sample file filter list
The file filter list has the following icons and features:
Name File filter list name. To change the name, edit the text in the name field and
select OK.
Comment Optional comment. To add or edit the comment, enter text in the comment field and
select OK.
OK If you make changes to the list name or comments, select OK to save the
changes.
Create New Select Create New to add a new file pattern or type to the file filter list.
Filter The current list of file patterns and types.
Action Files matching the file patterns and types can be set to Block or Allow. For
information about actions, see File Filter on page 513.
Enable Clear the checkbox to disable the file pattern or type.
Delete icon Select to remove the file pattern or type from the list.
Edit icon Select to edit the file pattern/type and action.
Move To icon Select to move the file pattern or type to any position in the list.
Configuring the file filter list
For file patterns, you can add a maximum of 5000 patterns to a list. For file types, you can
select only from the supported types.
Figure 296: New file filter
To add a file pattern or type go to UTM > AntiVirus > File Filter. Select the Edit icon for a
file filter catalog. Select Create New.
File Quarantine
FortiGate units with a local disk can quarantine blocked and infected files. View the file
name and status information about the file in the Quarantined Files list. Submit specific
files and add file patterns to the AutoSubmit list so they will automatically be uploaded to
Fortinet for analysis.
FortiGate units can also quarantine blocked and infected files to a FortiAnalyzer unit. Files
stored on the FortiAnalyzer unit can also be viewed from the Quarantined Files list. To
configure quarantine to a FortiAnalyzer unit, go to Log & Report > Log Config > Log
Setting.
To configure and enable file quarantine
1 Go to UTM > AntiVirus > Config to configure the quarantine service and destination.
For details, see Configuring quarantine options on page 518.
2 Go to Firewall > Protection Profile > Antivirus to enable quarantine for required
protocols in the protection profiles. For details, see Configuring a protection profile on
page 474.
You can configure a protection profile to quarantine blocked and infected files from
HTTP, FTP, IMAP, POP3, SMTP, IM, and NNTP Traffic. If your FortiGate unit supports
SSL content scanning and inspection you can also quarantine blocked and infected
files from HTTPS, IMAPS, POP3S, and SMTPS traffic. To enable HTTPS quarantine
you must set HTTPS Content Filtering Mode to Deep Scan in the Protocol Recognition
part of the protection profile. For more information, see SSL content scanning and
inspection on page 469.
3 Go to Firewall > Policy and add the protection profile to a firewall policy.
Filter Type: Select File Name Pattern or File Type.
Pattern: Enter the file pattern. The file pattern can be an exact file name or can include wildcards. The file pattern can be 80 characters long.
File Type: Select a file type from the list. For information about supported file types, see Built-in patterns and supported file types on page 513.
Action: Select an action from the drop down list: Block or Allow. For more information about actions, see File Filter on page 513.
Enable: Select to enable the pattern.
Viewing the AutoSubmit list
If the FortiGate unit has a local hard disk, you can configure the FortiGate unit to upload
suspicious files automatically to Fortinet for analysis. You can add file patterns to the
AutoSubmit list using wildcard characters (* or ?). File patterns are applied for AutoSubmit
regardless of file blocking settings.
Upload files to Fortinet based on status (blocked or heuristics), or submit individual files
directly from the file quarantine. The FortiGate unit uses encrypted email to autosubmit
files to an SMTP server through port 25.
To view the AutoSubmit list, go to UTM > AntiVirus > AutoSubmit.
The autosubmit feature is not available on the FortiGate models without a local hard disk.
Figure 297: Sample AutoSubmit list
AutoSubmit list has the following icons and features:
Configuring the AutoSubmit list
To add a file pattern to the AutoSubmit list, go to UTM > AntiVirus > AutoSubmit. Note that
the autosubmit feature is available only if your FortiGate unit has a local hard disk.
Figure 298: New File Pattern dialog box
Create New: Select to add a new file pattern to the AutoSubmit list.
File Pattern: The current list of file patterns that will be automatically uploaded. Create a pattern by using ? or * wildcard characters. Enable the check box to enable all file patterns in the list.
Delete icon: Select to remove the entry from the list.
Edit icon: Select to edit the following information: File Pattern and Enable.
File Pattern: Enter the file pattern or file name to be uploaded automatically to Fortinet.
Enable: Select to enable the file pattern.
Note: To enable automatic uploading of the configured file patterns, go to UTM >
AntiVirus > Quarantine, select Enable AutoSubmit, and select Use File Pattern.
Configuring quarantine options
Go to UTM > AntiVirus > Config to set quarantine configuration options, such as whether
to quarantine blocked, suspicious, and infected files and from which service.
You can configure quarantine options for HTTP, FTP, IMAP, POP3, SMTP, IM, and NNTP
Traffic. If your FortiGate unit supports SSL content scanning and inspection you can also
quarantine blocked and infected files from HTTPS, IMAPS, POP3S, and SMTPS traffic.
To enable HTTPS quarantine you must set HTTPS Content Filtering Mode to Deep Scan
in the Protocol Recognition part of the protection profile. For more information, see SSL
content scanning and inspection on page 469.
Figure 299: Quarantine Configuration (quarantine to FortiAnalyzer unit)
Figure 300: Quarantine Configuration (SSL content scanning and inspection and quarantine
to disk)
Quarantine configuration has the following options:
Selecting the virus database
The FortiGate unit contains the wildlist antivirus database. It is used to detect viruses in
network traffic. In addition to the wildlist antivirus database, which contains actively
spreading viruses, some newer FortiGate models are also equipped with an extended
antivirus database, which contains viruses that are not considered to be actively
spreading. If required, you can enable this feature to allow the FortiGate unit to scan for
non-active viruses. For details, see Anti-Virus options on page 477.
To view information about the virus databases, go to UTM > AntiVirus > Virus Database.
The FortiGuard virus definitions are updated every time the FortiGate unit receives a new
version of the FortiGuard antivirus definitions.
The FortiGuard Center Virus Encyclopedia contains detailed descriptions of the viruses,
worms, trojans, and other threats that can be detected and removed by your FortiGate unit
using the information in the FortiGuard virus definitions.
Options: Quarantine Infected Files: Select the protocols from which to quarantine infected files identified by antivirus scanning.
Quarantine Suspicious Files: Select the protocols from which to quarantine suspicious files identified by heuristic scanning.
Quarantine Blocked Files: Select the protocols from which to quarantine blocked files identified by antivirus file filtering. The Quarantine Blocked Files option is not available for IM and HTTPS because a file name is blocked before downloading and cannot be quarantined.
Age Limit: The time limit in hours for which to keep files in quarantine. The age limit is used to formulate the value in the TTL column of the quarantined files list. When the limit is reached, the TTL column displays EXP. and the file is deleted (although the entry in the quarantined files list is maintained). Entering an age limit of 0 (zero) means files are stored on disk indefinitely, depending on the low disk space action.
Max Filesize to Quarantine: The maximum size of quarantined files in MB. Setting the maximum file size too large may affect performance.
Low Disk Space: Select the action to take when the local disk is full: overwrite the oldest file or drop the newest file.
Quarantine to FortiAnalyzer: Select to enable storage of blocked and quarantined files on a FortiAnalyzer unit. See Log&Report on page 703 for more information about configuring a FortiAnalyzer unit.
Enable AutoSubmit: Enables the automatic submission feature. Select one or both of the options below.
Use File Pattern: Enables the automatic upload of files matching the file patterns in the AutoSubmit list.
Use File Status: Enables the automatic upload of quarantined files based on their status. Select either Heuristics or Block Pattern.
Apply: Select to save the configuration.
Figure 301: Virus database information
Usually the FortiGuard AV definitions are updated automatically from the FortiGuard
Distribution Network (FDN). Go to System > Maintenance > FortiGuard to configure
automatic antivirus definition updates from the FDN.
You can also update the antivirus definitions manually from the system dashboard (go to
System > Status).
Antivirus CLI configuration
This section describes the CLI commands that extend features available through the web-
based manager. For complete descriptions and examples of how to enable additional
features through CLI commands, see the FortiGate CLI Reference.
system global optimize
The optimize feature configures CPU settings to ensure efficient operation of the FortiGate
unit for either antivirus scanning or straight throughput traffic. When optimize is set to
antivirus, the FortiGate unit uses symmetric multiprocessing to spread the antivirus tasks
to several CPUs, making scanning faster.
This feature is available on only some models.
There are two options for the optimize command:
antivirus: The FortiGate unit spreads the antivirus scanning tasks across several CPUs (symmetric multiprocessing).
throughput: Default setting. The FortiGate unit uses a single CPU to process traffic.
Use optimize antivirus in conjunction with antivirus failopen to ensure maximum efficiency
and safeguard against system crashes if the system does become overloaded because of
high traffic.
config antivirus heuristic
The FortiGate heuristic antivirus engine performs tests on files to detect virus-like
behavior or known virus indicators. Heuristic scanning is performed last, after file blocking
and virus scanning have found no matches. In this way, heuristic scanning may detect
new viruses, but may also produce some false positive results.
The heuristic engine is disabled by default. You need to enable it to pass suspected files
to the recipient and send a copy to the file quarantine. Once enabled in the CLI, heuristic
scanning is enabled in a protection profile when Virus Scan is enabled.
Use the heuristic command to change the heuristic scanning mode.
config antivirus quarantine
The quarantine command also allows configuration of heuristic related settings.
config antivirus service <service_name>
Use this command to configure how the FortiGate unit handles antivirus scanning of large
files, and what ports the FortiGate unit scans for the service.
Intrusion Protection
The FortiGate Intrusion Protection system combines signature and anomaly detection and
prevention with low latency and excellent reliability. With Intrusion Protection, you can
create multiple IPS sensors, each containing a complete configuration based on
signatures. Then, you can apply any IPS sensor to each protection profile. You can also
create DoS sensors to examine traffic for anomaly-based attacks.
This section describes how to configure the FortiGate Intrusion Protection settings. For
more information about Intrusion Protection, see the FortiGate UTM User Guide.
If you enable virtual domains (VDOMs) on the FortiGate unit, intrusion protection is
configured separately for each virtual domain. For details, see Using virtual domains on
page 125.
This section describes:
About intrusion protection
Signatures
Custom signatures
Protocol decoders
IPS sensors
DoS sensors
Intrusion protection CLI configuration
About intrusion protection
The FortiGate unit can log suspicious traffic, send alert email messages to system
administrators, and log, pass, or block suspicious packets or sessions. You can adjust the
DoS sensor anomaly thresholds to work best with the normal traffic on the protected
networks. You can also create custom signatures to tailor the FortiGate Intrusion
Protection system to your network environment.
The FortiGate Intrusion Protection system matches network traffic against patterns
contained in attack signatures. Attack signatures reliably protect your network from known
attacks. Fortinet's FortiGuard infrastructure ensures the rapid identification of new threats
and the development of new attack signatures.
FortiGuard services provide automatic updates of virus and intrusion protection (attack)
engines and definitions to FortiGate customers through the FortiGuard Distribution
Network (FDN). The FortiGuard Center also provides the FortiGuard virus and attack
encyclopedia and the FortiGuard Bulletin. Visit the Fortinet Knowledge Center for details
and a link to the FortiGuard Center.
For more information about configuring the connection between the FortiGate unit and
FortiGuard see Configuring the FortiGate unit for FDN and FortiGuard subscription
services on page 302.
Using Intrusion Protection, you can configure the FortiGate unit to check for and
automatically download updated attack definition files containing the latest signatures, or
download the updated attack definition file manually. Alternately, you can configure the
FortiGate unit to allow push updates of the latest attack definition files as soon as they are
available from the FortiGuard Distribution Network.
You can also create custom attack signatures for the FortiGate unit to use in addition to an
extensive list of predefined attack signatures.
Whenever the Intrusion Protection system detects or prevents an attack, it generates an
attack log message. You can configure the FortiGate unit to add the message to the attack
log and send an alert email to administrators, as well as schedule how often it should send
this alert email. You can also reduce the number of log messages and alerts by disabling
signatures for attacks that will not affect your network. For example, you do not need to
enable signatures to detect web attacks when there is no web server to protect.
You can also use the packet logging feature to analyze packets for false positive
detection.
For more information about FortiGate logging and alert email, see Log&Report on
page 703.
Intrusion Protection settings and controls
You can configure the Intrusion Protection system and then select IPS sensors in
individual firewall protection profiles.
For information about creating IPS sensors, see Configuring IPS sensors on page 530.
For information about accessing and modifying the protection profile IPS sensor selection,
see IPS options on page 480. For information about creating DoS Sensors, see DoS
sensors on page 537.
When to use Intrusion Protection
Intrusion Protection is best for large networks or for networks protecting highly sensitive
information. Using IPS effectively requires monitoring and analysis of the attack logs to
determine the nature and threat level of an attack. An administrator can adjust the
threshold levels to ensure a balance between performance and intrusion prevention.
Small businesses and home offices without network administrators may be overrun with
attack log messages and not have the networking background required to configure the
thresholds and other IPS settings.
However, the other protection features in the FortiGate unit, such as antivirus (including
grayware), email filters, and web filters offer excellent protection for all networks.
Signatures
The FortiGate Intrusion Protection system can use signatures once you have grouped the
required signatures in an IPS sensor, and then selected the IPS sensor in the protection
profile. If required, you can override the default settings of the signatures specified in an
IPS sensor. The FortiGate unit provides a number of pre-built IPS sensors, but you should
check their settings before using them, to ensure they meet your network requirements.
Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings
are configured separately in each VDOM. All sensors and custom signatures will appear
only in the VDOM in which they were created.
By using only the signatures you require, you can improve system performance and
reduce the number of log messages and alert email messages the IPS sensor generates.
For example, if the FortiGate unit is not protecting a web server, do not include any web
server signatures.
Viewing the predefined signature list
The predefined signature list includes all the signatures currently in the FortiGuard Center
Vulnerability Encyclopedia. Each signature name is a link to the vulnerability encyclopedia
entry for the signature. The vulnerability encyclopedia describes the attack detected by
the signature and provides recommended actions and links for more information.
The predefined signature list also includes characteristics such as severity of the attack,
protocol, and applications affected for each signature. These characteristics give you a
quick reference to what the signature is for. You can also use these characteristics to sort
the signature list, grouping signatures by common characteristics. The signature list also
displays the default action, the default logging status, and whether the signature is
enabled by default.
To view the predefined signature list, go to UTM > Intrusion Protection > Predefined. You
can also use filters and column settings to display the signatures you want to view. For
more information, see Using display filters on page 526.
Figure 302: Predefined signature list
By default, the signatures are sorted by name. To sort the table by another column, select
the header of the column to sort by.
Note: Some default protection profiles include IPS Sensors that use all the available
signatures. By using these default settings, you may be slowing down the overall
performance of the FortiGate unit. By creating IPS sensors with only the signatures your
network requires, you can ensure maximum performance as well as maximum protection.
Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings
are configured separately in each VDOM. All sensors and custom signatures will appear
only in the VDOM in which they were created.
Current Page: The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of signatures.
Column Settings: Select to customize the signature information displayed in the table. You can also readjust the column order. For more information, see Using column settings to control the columns displayed on page 61 and Web-based manager icons on page 63.
Using display filters
By default, all the predefined signatures are displayed. You can apply filters to display only
the signatures you want to view. For example, if you want to view only the Windows
signatures, you can use the OS status filter. For more information, see Adding filters to
web-based manager lists on page 57.
To apply filters to the predefined signature list
1 Go to UTM > Intrusion Protection > Predefined.
2 Select the filter icon beside any column name in the signature table.
3 In Edit Filters, specify the filtering criteria. The criteria will vary depending on the
column name.
4 Select the Enable check box.
5 Select OK.
Clear All Filters: If you have applied filtering to the predefined signature list display, select this option to clear all filters and display all the signatures.
Filter icons: Edit the column filters to filter or sort the predefined signature list according to the criteria you specify. For more information, see Adding filters to web-based manager lists on page 57.
Name: The name of the signature. Each name is also a link to the description of the signature in the FortiGuard Center Vulnerability Encyclopedia.
Severity: The severity rating of the signature. The severity levels, from lowest to highest, are Information, Low, Medium, High, and Critical.
Target: The target of the signature: servers, clients, or both.
Protocols: The protocol the signature applies to.
OS: The operating system the signature applies to.
Applications: The applications the signature applies to.
Enable: The default status of the signature. A green circle indicates the signature is enabled. A gray circle indicates the signature is not enabled.
Action: The default action for the signature. Pass allows the traffic to continue without any modification. Drop prevents the traffic with detected signatures from reaching its destination. If Logging is enabled, the action appears in the status field of the log message generated by the signature.
ID: A unique numeric identifier for the signature.
Logging: The default logging behavior of the signature. A green circle indicates logging is enabled. A gray circle indicates logging is disabled.
Group: A functional group that is assigned to that signature. This group is only for reference and cannot be used to define filters.
Packet Log: The default packet log status of the signature. A green circle indicates that the packet log is enabled. A gray circle indicates that the packet log is not enabled.
Revision: The revision level of the signature. If the signature is updated, the revision number will be incremented.
Tip: To determine what effect IPS protection would have on your network traffic, you can
enable the required signatures, set the action to pass, and enable logging. Traffic will not be
interrupted, but you will be able to examine in detail which signatures were detected.
Custom signatures
Custom signatures provide the power and flexibility to customize the FortiGate Intrusion
Protection system for diverse network environments. The FortiGate predefined signatures
represent common attacks. If you use an unusual or specialized application or an
uncommon platform, you can add custom signatures based on the security alerts released
by the application and platform vendors.
You can also create custom signatures to help you block P2P protocols.
After creation, you need to specify custom signatures in IPS sensors created to scan
traffic. For more information about creating IPS sensors, see Adding an IPS sensor on
page 530.
For more information about custom signatures, see the FortiGate UTM User Guide.
Viewing the custom signature list
To view the custom signature list, go to UTM > Intrusion Protection > Custom.
Figure 303: The custom signature list
Creating custom signatures
Use custom signatures to block or allow specific traffic. For example, to block traffic
containing profanity, add custom signatures similar to the following:
set signature 'F-SBID( --protocol tcp; --flow bi_direction; --pattern "bad words"; --no_case)'
For more information on custom signature syntax, see the FortiGate UTM User Guide.
Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings
are configured separately in each VDOM. All sensors and custom signatures will appear
only in the VDOM in which they were created.
Create New: Select to create a new custom signature.
Name: The custom signature name.
Signature: The signature syntax.
Delete and Edit icons: Delete or edit the custom signature.
Note: Custom signatures are an advanced feature. This document assumes the user has
previous experience creating intrusion detection signatures.
Note: Custom signatures must be added to a signature override in an IPS filter to have any
effect. Creating a custom signature is a necessary step, but a custom signature does not
affect traffic simply by being created.
To create a custom signature, go to UTM > Intrusion Protection > Custom.
Figure 304: Edit Custom Signature
Protocol decoders
The FortiGate Intrusion Protection system uses protocol decoders to identify the abnormal
traffic patterns that do not meet the protocol requirements and standards. For example,
the HTTP decoder monitors traffic to identify any HTTP packets that do not meet the
HTTP protocol standards.
Viewing the protocol decoder list
To view the decoders and the port numbers that the protocol decoders monitor, go to
UTM > Intrusion Protection > Protocol Decoder. The decoder list is provided for your
reference and can be configured using the CLI. For more information, see the
FortiGate CLI Reference.
Figure 305: The protocol decoder list
Name: Enter a name for the custom signature.
Signature: Enter the custom signature, using the appropriate syntax. For more information, see the FortiGate UTM User Guide.
Protocols: The protocol decoder name.
Ports: The port number or numbers that the decoder monitors.
Upgrading the IPS protocol decoder list
The Intrusion Protection system protocol decoders are upgraded automatically through
the FortiGuard Distribution Network (FDN) if existing decoders are modified or new
decoders added. The FDN keeps the protocol decoder list up-to-date with protection
against new threats such as the latest versions of existing IM/P2P as well as against new
applications.
IPS sensors
You can group signatures into IPS sensors for easy selection in protection profiles. You
can define signatures for specific types of traffic in separate IPS sensors, and then select
those sensors in profiles designed to handle that type of traffic. For example, you can
specify all of the web-server related signatures in an IPS sensor, and the sensor can then
be used by a protection profile in a policy that controls all of the traffic to and from a web
server protected by the FortiGate unit.
The FortiGuard Service periodically updates the pre-defined signatures, with signatures
added to counter new threats. Because the signatures included in filters are defined by
specifying signature attributes, new signatures matching existing filter specifications will
automatically be included in those filters. For example, if you have a filter that includes all
signatures for the Windows operating system, your filter will automatically incorporate new
Windows signatures as they are added.
Viewing the IPS sensor list
To view the IPS sensors, go to UTM > Intrusion Protection > IPS Sensor.
Figure 306: IPS Sensor list showing the default sensors
Five default IPS sensors are provided with the default configuration.
Create New: Add a new IPS sensor. For more information, see Adding an IPS sensor on page 530.
Name: The name of each IPS sensor.
Comments: An optional description of the IPS sensor.
Delete and Edit icons: Delete or edit an IPS sensor.
all_default: Includes all signatures. The sensor is set to use the default enable status and action of each signature.
all_default_pass: Includes all signatures. The sensor is set to use the default enable status of each signature, but the action is set to pass.
protect_client: Includes only the signatures designed to detect attacks against clients and uses the default enable status and action of each signature.
Adding an IPS sensor
An IPS sensor must be created before it can be configured by adding filters and overrides.
To create an IPS sensor, go to UTM > Intrusion Protection > IPS Sensor and select
Create New.
Figure 307: New IPS sensor
Configuring IPS sensors
Each IPS sensor consists of two parts: filters and overrides. Overrides are always
checked before filters.
Each filter consists of a number of signatures attributes. All of the signatures with those
attributes, and only those attributes, are checked against traffic when the filter is run. If
multiple filters are defined in an IPS Sensor, they are checked against the traffic one at a
time, from top to bottom. If a match is found, the FortiGate unit takes the appropriate
action and stops further checking.
A signature override can modify the behavior of a signature specified in a filter. A signature
override can also add a signature not specified in the sensor's filters. Custom signatures
are included in an IPS sensor using overrides.
The signatures in the overrides are first compared to network traffic. If the IPS sensor
does not find any matches, it then compares the signatures in each filter to network traffic,
one filter at a time, from top to bottom. If no signature matches are found, the IPS sensor
allows the network traffic.
To view an IPS sensor, go to UTM > Intrusion Protection > IPS Sensor and select the Edit
icon of any IPS sensor. The Edit IPS Sensor window is divided into three parts: the sensor
attributes, Filters, and Overrides.
protect_email_server: Includes only the signatures designed to detect attacks against servers and the SMTP, POP3, or IMAP protocols and uses the default enable status and action of each signature.
protect_http_server: Includes only the signatures designed to detect attacks against servers and the HTTP protocol and uses the default enable status and action of each signature.
Name: Enter the name of the new IPS sensor.
Comment: Enter an optional comment to display in the IPS sensor list.
Figure 308: Edit IPS sensor
IPS sensor attributes:
IPS sensor filters:

Name: The name of the IPS sensor. You can change it at any time.
Comments: An optional comment describing the IPS sensor. You can change it at any time.
OK: Select to save changes to Name or Comments.
Add Filter: Add a new filter to the end of the filter list. For more information, see Configuring filters on page 532.
#: Current position of each filter in the list.
Name: The name of the filter.
Signature attributes: Signature attributes specify the type of network traffic the signature applies to.
  Severity: The severity of the included signatures.
  Target: The type of system targeted by the attack. The targets are client and server.
  Protocol: The protocols to which the signatures apply. Examples include HTTP, POP3, H323, and DNS.
  OS: The operating systems to which the signatures apply.
  Application: The applications to which the signatures apply.
Enable: The status of the signatures included in the filter. The signatures can be set to enabled, disabled, or default. The default setting uses the default status of each individual signature as displayed in the signature list.
Logging: The logging status of the signatures included in the filter. Logging can be set to enabled, disabled, or default. The default setting uses the default status of each individual signature as displayed in the signature list.
Action: The action of the signatures included in the filter. The action can be set to pass all, block all, reset all, or default. The default setting uses the action of each individual signature as displayed in the signature list.
Count: The number of signatures included in the filter. Overrides are not included in this total.
Delete icon: Delete the filter.
Edit icon: Edit the filter.
Insert icon: Create a new filter and insert it above the current filter.
Move to icon: After selecting this icon, enter the destination position in the window that appears, and select OK.
IPS sensor overrides:
Configuring filters
To configure a filter, go to UTM > Intrusion Protection > IPS Sensor. Select the Edit icon of
the IPS sensor containing the filter you want to edit. When the sensor window opens,
select the Edit icon of the filter you want to change, or select Add Filter to create a new
filter. Enter the information as described below and select OK.
Figure 309: Edit IPS Filter
View Rules icon Open a window listing all of the signatures included in the filter.
Add Pre-defined
Override
Select to create an override based on a pre-defined signature.
Add Custom
Override
Select to create an override based on a custom signature.
# Current position of each override in the list.
Name The name of the signature.
Enable The status of the override. A green circle indicates the override is enabled. A
gray circle indicates the override is not enabled.
Logging The logging status of the override. A green circle indicates logging is enabled. A
gray circle indicates logging is not enabled.
Action The action set for the override. The action can be set to pass, block, or reset.
Delete and Edit icons Delete or edit the filter.
Name Enter or change the name of the IPS filter.
Severity Select All, or select Specify and then choose one or more severity rating. Severity
defines the relative importance of each signature. Signatures rated critical detect
the most dangerous attacks while those rated as info pose a much smaller threat.
The signatures included in the filter are only those matching every attribute specified.
When created, a new filter has every attribute set to all which causes every signature to be
included in the filter. If the severity is changed to high, and the target is changed to server,
the filter includes only signatures checking for high priority attacks targeted at servers.
Configuring pre-defined and custom overrides
Pre-defined and custom overrides are configured and work in much the same way as
filters. Unlike filters, each override defines the behavior of one signature.
Overrides can be used in two ways:
To change the behavior of a signature already included in a filter. For example, to
protect a web server, you could create a filter that includes and enables all signatures
related to servers. If you wanted to disable one of those signatures, the simplest way
would be to create an override and mark the signature as disabled.
Target Select All, or select Specify and then choose the type of system targeted by the
attack. The choices are server or client.
OS Select All, or select Specify and then select one or more operating systems that
are vulnerable to the attack.
Signatures with an OS attribute of All affect all operating systems. These
signatures will be automatically included in any filter regardless of whether a
single, multiple, or all operating systems are specified.
Protocol Select All, or select Specify to list what network protocols are used by the attack.
Use the Right Arrow to move the ones you want to include in the filter from the
Available to the Selected list, or the Left Arrow to remove previously selected
protocols from the filter.
Application Select All, or select Specify to list the applications or application suites vulnerable
to the attack. Use the Right Arrow to move the ones you want to include in the
filter from the Available to the Selected list, or the Left Arrow to remove previously
selected protocols from the filter.
Quarantine Attackers (to Banned Users List) Select to enable NAC quarantine for this filter. For more information about NAC
quarantine, see NAC quarantine and the Banned User list on page 670.
The FortiGate unit deals with the attack according to the IPS sensor or DoS
sensor configuration regardless of this setting.
Method Select Attacker's IP Address to block all traffic sent from the attacker's IP
address. The attacker's IP address is also added to the banned user list. The
target's address is not affected.
Select Attacker and Victim IP Addresses to block all traffic sent from the attacker
IP address to the target (victim) IP address. Traffic from the attacker IP address to
addresses other than the victim IP address is allowed. The attacker and target IP
addresses are added to the banned user list as one entry.
Select Attacks Incoming Interface to block all traffic from connecting to the
FortiGate interface that received the attack. The interface is added to the banned
user list.
Expires You can select whether the attacker is banned indefinitely or for a specified
number of days, hours, or minutes.
Signature Settings Configure whether the filter overrides the following signature settings or accepts
the settings in the signatures.
Enable Select from the options to specify what the FortiGate unit will do with the
signatures included in the filter: enable all, disable all, or enable or disable each
according to the individual default values shown in the signature list.
Logging Select from the options to specify whether the FortiGate unit will create log entries
for the signatures included in the filter: enable all, disable all, or enable or disable
logging for each according to the individual default values shown in the signature
list.
Action Select from the options to specify what the FortiGate unit will do with traffic
containing a signature match: pass all, block all, reset all, or block or pass traffic
according to the individual default values shown in the signature list.
To add an individual signature, not included in any filters, to an IPS sensor. This is the
only way to add custom signatures to IPS sensors.
When a pre-defined signature is specified in an override, the default status and action
attributes have no effect. These settings must be explicitly set when creating the override.
To edit a pre-defined or custom override, go to UTM > Intrusion Protection > IPS Sensor
and select the Edit icon of the IPS sensor containing the override you want to edit. When
the sensor window opens, select the Edit icon of the override you want to change.
Figure 310: Configure IPS override
Note: Before an override can affect network traffic, you must add it to a filter, and you must
select the sensor in a protection profile applied to a policy. An override does not have the
ability to affect network traffic until these steps are taken.
Signature Select the browse icon to view the list of available signatures. From this list,
select a signature the override will apply to and then select OK.
Enable Select to enable the signature override.
Action Select Pass, Block or Reset. When the override is enabled, the action
determines what the FortiGate will do with traffic containing the specified
signature.
Logging Select to enable creation of a log entry if the signature is discovered in
network traffic.
Packet Log Select to save packets that trigger the override to the FortiGate hard drive for
later examination.
Quarantine Attackers (to Banned Users List) Select to enable NAC quarantine for this override. For more information
about NAC quarantine, see NAC quarantine and the Banned User list on
page 670.
The FortiGate unit deals with the attack according to the IPS sensor or DoS
sensor configuration regardless of this setting.
Packet logging
Packet logging is a way you can debug custom signatures or how any signature is
functioning in your network environment.
If a signature is selected in a custom override, and packet logging is enabled, the
FortiGate unit will save any network packet triggering the signature to memory, the internal
hard drive (if so equipped), a FortiAnalyzer, or the FortiGuard Analysis and Management
Service. These saved packets can be later viewed and saved in PCAP format for closer
examination.
Configuring packet logging
Packet logging saves the network packets matching an IPS signature to the attack log.
The FortiGate unit will save the logged packets to wherever the logs are configured to be
stored, whether memory, internal hard drive, a FortiAnalyzer unit, or the FortiGuard
Analysis and Management Service.
You can enable packet logging only in signature overrides. It is not an available option in
IPS sensors or filters because enabling packet logging on a large number of signatures
could produce an unusably large amount of data. Packet logging is designed as a focused
diagnostic tool.
There are a number of CLI commands available to further configure packet logging. When
logging to memory, the packet-log-memory command defines the maximum amount
of memory that is used to store logged packets. This command only takes effect when logging
to memory.
Since the packet containing the signature alone is sometimes not sufficient to troubleshoot
a problem, the packet-log-history command allows you to specify how many
packets are captured when an IPS signature is found in a packet. If the value is set
larger than 1, the packet containing the signature is saved in the packet log, as well as
those preceding it, with the total number of logged packets equalling the value. For
example, if packet-log-history is set to 7, the FortiGate unit will save the packet
containing the IPS signature and the six before it.
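The packet-log-history behaviour described above, modelled as an added example (not code from the guide): a fixed-size buffer always holds the most recent packets, so a match can be written out together with its predecessors. The packet names and the match predicate are constructed for illustration.

```python
from collections import deque

# Constructed sample stream: ten packets named p1 .. p10 (not real captures).
SAMPLE_PACKETS = [f"p{i}" for i in range(1, 11)]


def capture_with_history(packets, is_match, packet_log_history):
    """Model of the packet-log-history setting.

    packets            : iterable of packet records (plain strings here).
    is_match           : predicate that is True for a packet matching the signature.
    packet_log_history : the configured value; 1 saves only the matching packet,
                         N saves it together with the N-1 packets that preceded it.
    Returns one list per match holding the packets written to the packet log.
    """
    if packet_log_history < 1:
        raise ValueError("packet-log-history must be 1 or greater")
    # The buffer always holds the most recent packet_log_history packets. This is
    # why values above 1 cost memory and throughput: traffic has to be buffered
    # before the unit knows whether a later packet will match a signature.
    recent = deque(maxlen=packet_log_history)
    logged = []
    for packet in packets:
        recent.append(packet)
        if is_match(packet):
            # Early in the stream there may be fewer predecessors than requested;
            # the capture is then simply shorter, nothing is padded.
            logged.append(list(recent))
    return logged


def demo():
    """packet-log-history 7: the matching packet p8 plus the six before it."""
    return capture_with_history(SAMPLE_PACKETS, lambda p: p == "p8", 7)
```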
Method Select Attacker's IP Address to block all traffic sent from the attacker's IP
address. The attacker's IP address is also added to the banned user list. The
target address is not affected.
Select Attacker and Victim IP Addresses to block all traffic sent from the
attacker IP address to the target (victim) IP address. Traffic from the attacker
IP address to addresses other than the victim IP address is allowed. The
attacker and target IP addresses are added to the banned user list as one
entry.
Select Attacks Incoming Interface to block all traffic from connecting to the
FortiGate interface that received the attack. The interface is added to the
banned user list.
Expires You can select whether the attacker is banned indefinitely or for a specified
number of days, hours, or minutes.
Exempt IP Enter IP addresses to exclude from the override. The override will then apply
to all IP addresses except those defined as exempt. The exempt IP
addresses are defined in pairs, with a source and destination, and traffic
moving from the source to the destination is exempt from the override.
Source The exempt source IP address. Enter 0.0.0.0/0 to include all source IP
addresses.
Destination The exempt destination IP address. Enter 0.0.0.0/0 to include all
destination IP addresses.
To enable packet logging for a signature
1 Create either a pre-defined override or a custom override in an IPS sensor. For more
information, see Configuring pre-defined and custom overrides on page 533.
2 Enable Packet Log in the override.
3 Select the IPS sensor in the protection profile applied to the firewall policy that allows
the network traffic the FortiGate unit will examine for the signature.
Viewing and saving logged packets
Once the FortiGate unit logs packets, you can view or save them.
To view and save logged packets
1 Go to Log & Report > Log Access.
2 Depending on where the logs are configured to be stored, select the appropriate tab:
Memory: Select Memory if logs are stored in the FortiGate unit memory.
Disk: Select Disk if the FortiGate unit has an internal hard disk and logs are stored
there.
Remote: Select Remote if logs are sent to a FortiAnalyzer unit or to the FortiGuard
Analysis and Management Service.
3 Select the Attack Log log type.
4 Select the Packet Log icon of the log entry you want to view.
The IPS Packet Log Viewer window appears.
Figure 311: Log entry with packet log icon
Note: Setting packet-log-history to a value larger than 1 can affect the maximum
performance of the FortiGate unit because network traffic must be buffered. The
performance penalty depends on the model, the setting, and the traffic load.
Figure 312: IPS Packet Log Viewer
5 Select the packet to view the packet in binary and ASCII. Each table row represents a
captured packet.
6 Select Save to save the packet data in a PCAP formatted file.
PCAP files can be opened and examined in network analysis software such as Wireshark.
DoS sensors
The FortiGate IPS uses a traffic anomaly detection feature to identify network traffic that
does not fit known or common traffic patterns and behavior. For example, one type of
flooding is the denial of service (DoS) attack that occurs when an attacking system starts
an abnormally large number of sessions with a target system. The large number of
sessions slows down or disables the target system so legitimate users can no longer use
it. This type of attack gives the DoS sensor its name, although it is capable of detecting
and protecting against a number of anomaly attacks.
You can enable or disable logging for each traffic anomaly, and configure the detection
threshold and action to take when the detection threshold is exceeded.
You can create multiple DoS sensors. Each sensor consists of 12 anomaly types that you
can configure. When a sensor detects an anomaly, it applies the configured action. One
sensor can be selected for use in each DoS policy, allowing you to configure the anomaly
thresholds separately for each interface. Multiple sensors allow great granularity in
detecting anomalies because each sensor can be configured for the specific needs of the
interface it is attached to by the DoS policy.
The traffic anomaly detection list can be updated only when the FortiGate firmware image
is upgraded.
Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings
must be configured separately in each VDOM. All sensors and custom signatures will
appear only in the VDOM in which they were created.
Viewing the DoS sensor list
To view the anomaly list, go to UTM > Intrusion Protection > DoS Sensor.
Figure 313: The DoS sensor list
Configuring DoS sensors
Because an improperly configured DoS sensor can interfere with network traffic, no DoS
sensors are present on a factory default FortiGate unit. You must create your own and
then select them in a DoS policy before they will take effect. Thresholds for newly created
sensors are preset with recommended values that you can adjust to meet the needs of
your network.
To configure DoS sensors, go to UTM > Intrusion Protection > DoS Sensor. Select the Edit
icon of an existing DoS sensor, or select Create New to create a new DoS sensor.
Create New Add a new DoS sensor to the bottom of the list.
Name The DoS sensor name.
Comments An optional description of the DoS sensor.
Delete icon Delete the DoS sensor.
Edit icon Edit the following information: Action, Severity, and Threshold.
Note: It is important to know normal and expected network traffic before changing the
default anomaly thresholds. Setting the thresholds too low could cause false positives, and
setting the thresholds too high could allow otherwise avoidable attacks.
Note: You can configure NAC quarantine for DoS sensors from the FortiGate CLI. For
more information, see Configuring NAC quarantine on page 671.
Figure 314: Edit DoS Sensor
DoS sensor attributes:
Understanding the anomalies
For each of the TCP, UDP, and ICMP protocols, DoS sensors offer four statistical anomaly
types. The result is twelve configurable anomalies.
Name Enter or change the DoS sensor name.
Comments Enter or change an optional description of the DoS sensor. This description
will appear in the DoS sensor list.
Anomalies Configuration
Name The name of the anomaly.
Enable Select the check box to enable the DoS sensor to detect when the
specified anomaly occurs. Selecting the check box in the header row will
enable sensing of all anomalies.
Logging Select the check box to enable the DoS sensor to log when the anomaly
occurs. Selecting the check box in the header row will enable logging for all
anomalies. Anomalies that are not enabled are not logged.
Action Select Pass to allow anomalous traffic to pass when the FortiGate unit
detects it, or set Block to prevent the traffic from passing.
Threshold Displays the number of sessions/packets that must show the anomalous
behavior before the FortiGate unit triggers the anomaly action (pass or
block). If required, change the number. Range 1 to 2 147 483 647. For
more information about how these settings affect specific anomalies, see
Table 54 on page 539.
Table 54: The twelve individually configurable anomalies
Anomaly Description
tcp_syn_flood If the SYN packet rate, including retransmission, to one destination IP
address exceeds the configured threshold value, the action is executed.
The threshold is expressed in packets per second.
tcp_port_scan If the SYN packet rate, including retransmission, from one source IP
address exceeds the configured threshold value, the action is executed.
The threshold is expressed in packets per second.
Intrusion protection CLI configuration
This section describes the CLI commands that extend features available through the web-
based manager. For complete descriptions and examples of how to enable additional
features through CLI commands, see the FortiGate CLI Reference.
ips global fail-open
If for any reason the IPS should cease to function, it will fail open by default. This means
crucial network traffic will not be blocked, and the FortiGate unit will continue to operate
while the problem is being resolved.
ips global socket-size
Set the size of the IPS buffer.
tcp_src_session If the number of concurrent TCP connections from one source IP address
exceeds the configured threshold value, the action is executed.
tcp_dst_session If the number of concurrent TCP connections to one destination IP
address exceeds the configured threshold value, the action is executed.
udp_flood If the UDP traffic to one destination IP address exceeds the configured
threshold value, the action is executed. The threshold is expressed in
packets per second.
udp_scan If the number of UDP sessions originating from one source IP address
exceeds the configured threshold value, the action is executed. The
threshold is expressed in packets per second.
udp_src_session If the number of concurrent UDP connections from one source IP address
exceeds the configured threshold value, the action is executed.
udp_dst_session If the number of concurrent UDP connections to one destination IP
address exceeds the configured threshold value, the action is executed.
icmp_flood If the number of ICMP packets sent to one destination IP address
exceeds the configured threshold value, the action is executed. The
threshold is expressed in packets per second.
icmp_sweep If the number of ICMP packets originating from one source IP address
exceeds the configured threshold value, the action is executed. The
threshold is expressed in packets per second.
icmp_src_session If the number of concurrent ICMP connections from one source IP
address exceeds the configured threshold value, the action is executed.
icmp_dst_session If the number of concurrent ICMP connections to one destination IP
address exceeds the configured threshold value, the action is executed.
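The four TCP anomalies in Table 54 differ in what is counted (a packet rate per second versus concurrent sessions) and in which address the count is keyed on (source or destination). As an added example, not code from the guide or from FortiOS, the following Python models those four counters over constructed traffic, using a constructed sensor whose thresholds and actions are illustrative rather than FortiGate defaults; the comparison is strictly "exceeds", as the table states.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float          # arrival time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool          # TCP SYN: a new connection attempt
    fin: bool = False  # TCP FIN: the connection is being closed


# Constructed DoS sensor; thresholds are illustrative, not FortiGate defaults.
SENSOR = {
    "tcp_syn_flood":   {"enable": True,  "threshold": 10, "action": "block"},
    "tcp_port_scan":   {"enable": True,  "threshold": 10, "action": "block"},
    "tcp_src_session": {"enable": True,  "threshold": 5,  "action": "pass"},
    "tcp_dst_session": {"enable": False, "threshold": 50, "action": "block"},
}


def peak_syn_rate(packets, key):
    """Highest SYN count seen in any one-second window, per address.

    key="dst" is the tcp_syn_flood view (SYNs towards one destination);
    key="src" is the tcp_port_scan view (SYNs from one source).
    """
    per_second = defaultdict(int)
    for p in packets:
        if p.syn:
            per_second[(getattr(p, key), int(p.ts))] += 1
    peak = defaultdict(int)
    for (addr, _second), count in per_second.items():
        peak[addr] = max(peak[addr], count)
    return peak


def peak_concurrent_sessions(packets, key):
    """Highest number of simultaneously open TCP sessions, per address.

    A SYN opens a session and a FIN closes it; key selects the
    tcp_src_session ("src") or tcp_dst_session ("dst") view.
    """
    open_sessions = defaultdict(set)
    peak = defaultdict(int)
    for p in sorted(packets, key=lambda x: x.ts):
        session = (p.src, p.sport, p.dst, p.dport)
        addr = getattr(p, key)
        if p.syn:
            open_sessions[addr].add(session)
            peak[addr] = max(peak[addr], len(open_sessions[addr]))
        elif p.fin:
            open_sessions[addr].discard(session)
    return peak


CHECKS = {
    "tcp_syn_flood":   lambda pk: peak_syn_rate(pk, "dst"),
    "tcp_port_scan":   lambda pk: peak_syn_rate(pk, "src"),
    "tcp_src_session": lambda pk: peak_concurrent_sessions(pk, "src"),
    "tcp_dst_session": lambda pk: peak_concurrent_sessions(pk, "dst"),
}


def evaluate(sensor, packets):
    """Return (anomaly, address, observed value, action) for every enabled
    anomaly whose observed value exceeds its threshold; disabled anomalies
    are neither evaluated nor logged."""
    hits = []
    for name, cfg in sensor.items():
        if not cfg["enable"] or name not in CHECKS:
            continue
        for addr, value in CHECKS[name](packets).items():
            if value > cfg["threshold"]:
                hits.append((name, addr, value, cfg["action"]))
    return sorted(hits)


def build_sample_traffic():
    """Constructed traffic (RFC 5737 documentation addresses): one source sends
    12 SYNs to a web server within a single second, each from a new source
    port, while two ordinary clients open one connection each."""
    pkts = [Packet(i * 0.05, "198.51.100.7", 40000 + i, "192.0.2.10", 80, syn=True)
            for i in range(12)]
    pkts.append(Packet(0.3, "203.0.113.5", 51000, "192.0.2.10", 80, syn=True))
    pkts.append(Packet(0.9, "203.0.113.5", 51000, "192.0.2.10", 80, syn=False, fin=True))
    pkts.append(Packet(1.2, "203.0.113.6", 51001, "192.0.2.10", 80, syn=True))
    return pkts


def demo():
    return evaluate(SENSOR, build_sample_traffic())
```

Note that the same burst trips tcp_port_scan keyed on the source and tcp_syn_flood keyed on the destination, which is why the thresholds need to reflect the traffic the interface normally carries.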
Web Filter
This chapter describes how to configure FortiGate web filtering for HTTP traffic. If your
FortiGate unit supports SSL content scanning and inspection you can also configure web
filtering for HTTPS traffic. For information about SSL content scanning and inspection, see
SSL content scanning and inspection on page 469. If your FortiGate unit does not
support HTTPS content scanning and inspection you can configure URL filtering for
HTTPS traffic.
The three main sections of the web filtering function, the Web Content Filter, the URL
Filter, and the FortiGuard Web filter, interact with each other in such a way as to provide
maximum control and protection for the Internet users.
This section provides an introduction to configuring web filtering. For more information see
the FortiGate UTM User Guide.
If you enable virtual domains (VDOMs) on the FortiGate unit, web filtering is configured
separately for each virtual domain. For details, see Using virtual domains on page 125.
This section describes:
Order of web filtering
How web filtering works
Web filter controls
Web content filter
URL filter
FortiGuard Web Filtering
FortiGuard Web filtering overrides
Category block CLI configuration
FortiGuard Web Filtering reports
Order of web filtering
Web filters are applied in a specific order:
1 URL Filter
2 FortiGuard Web Filter (Also called Category Block)
3 Content Filter (Web Content Filter)
4 Script Filter (Filters for Java applets, ActiveX controls and cookies. CLI only.)
5 Antivirus scanning
The URL filter list is processed in order from top to bottom. An exempt match stops all
further checking including AV scanning. An allow match exits the URL filter list and checks
the other web filters.
Local ratings are checked prior to other FortiGuard Web Filtering categories.
The FortiGate unit applies the rules in this order, and failure to comply with a rule will
automatically block a site regardless of the settings of later filters.
How web filtering works
The following information shows how the filters interact with each other and how to use
them to your advantage.
The first section, the URL exempt and block filters, will allow you to decide what action to
take for specific addresses. For example, if you want to exempt www.google.com from
being scanned, you can add it to the URL exempt list. Then no web filtering or virus
scanning will be taken to this web site.
If you have blocked a pattern but want certain users to have access to URLs within that
pattern, you can use the Override within the FortiGuard Web Filter. This will allow you to
specify which users have access to which blocked URLs and how long they have that
access. For example, you want user1 to be able to access www.example.com for 1 hour.
You can use this section to set up the exemption. Any user listed in an override must fill
out an online authentication form before the FortiGate unit will grant access to the blocked
URL.
FortiGuard Web Filter also lets you create local categories to block groups of URLs. Once
you have created the category, you can use the local rating to add specific sites to the
local category you have created. You then use the Firewall > Protection Profile to tell the
FortiGate unit what action to take with the Local category. The local ratings overwrite the
FortiGuard ratings.
Finally the FortiGate unit applies script filtering for ActiveX, Cookie, and Java applet,
which can be configured in Firewall > Protection Profile > Web Filtering.
Once you have finished configuring all of these settings, you still have to turn them all on
in the Firewall > Protection Profile > Web filtering and Firewall > Protection Profile >
FortiGuard Web Filtering. By enabling them here, you are telling the FortiGate unit to start
using the filters as you have configured them.
This section describes how to configure web filtering options. Web filtering functions must
be enabled in the active protection profile for the corresponding settings in this section to
have any effect.
Web filter controls
As a general rule you go to Web Filter to configure the web filtering settings and to enable
the filters for use in a protection profile. To actually activate the enabled filters you go to
Firewall > Protection Profile.
FortiGuard - Web Filter is described in detail in FortiGuard Web Filtering options on
page 483. Rating corrections as well as suggesting ratings for new pages can be
submitted on the FortiGuard Center web page. Visit the Fortinet Knowledge Center for
details and a link to the FortiGuard Center.
The following tables compare web filtering options in protection profiles and the web filter
menu.
Note: Enabled means that the filter will be used when you turn on web filtering. It does not
mean that the filter is turned on. To turn on all enabled filters you must go to Firewall >
Protection Profile.
Table 55: Web filter and Protection Profile protocol recognition configuration
Protection Profile web filtering options Web Filter setting
HTTPS Content Filtering Mode n/a
On FortiGate units that support SSL content
scanning and inspection you can select URL
filtering to only apply URL filtering and
FortiGuard URL filtering to encrypted HTTPS
traffic. Or you can select Deep Scan to
decrypt HTTPS traffic and apply all web
filtering and FortiGuard web filtering options to
HTTPS traffic.
Table 56: Web filter and Protection Profile web content filter configuration
Protection Profile web filtering options Web Filter setting
Web Content Filter UTM > Web Filter > Web Content Filter
Enable or disable web page filtering based on
the web content filter list for HTTP or HTTPS
traffic.
Add words and patterns to block or exempt web
pages containing those words or patterns.
Table 57: Web filter and Protection Profile web URL filtering configuration
Protection Profile web filtering options Web Filter setting
Web URL Filter UTM > Web Filter > URL Filter
Enable or disable web page filtering for HTTP
traffic based on the URL filter list.
Add URLs and URL patterns to exempt or block
web pages from specific sources.
Table 58: Web filter and Protection Profile web script filtering and download configuration
Protection Profile web filtering options Web Filter setting
Active X Filter, Cookie Filter, Java Applet Filter n/a
Enable or disable blocking scripts from web
pages for HTTP traffic.
Web resume Download Block n/a
Enable to block downloading the remainder of
a file that has already been partially
downloaded. Enabling this option prevents the
unintentional download of virus files, but can
cause download interruptions.
To access protection profile web filter options
1 Go to Firewall > Protection Profile.
2 Select Edit or Create New.
3 Select Web Filtering or Web Category Filtering.
Web content filter
Control web content by creating web content filter lists that control access to web pages
containing specific words or patterns. You can add words, phrases, wild cards and Perl
regular expressions to match content on web pages.
For information about wild cards and Perl regular expressions, see Using wildcards and
Perl regular expressions on page 571.
For each pattern you can select Block or Exempt. Block blocks access to a web page that
matches the pattern. Exempt allows access to the web page even if other entries in
the list would block access to the page.
Table 59: Web filter and Protection Profile FortiGuard web filtering configuration
Protection Profile web filtering options Web Filter setting
Enable FortiGuard Web Filtering (HTTP only).
Enable FortiGuard Web Filtering Overrides
(HTTP only).
UTM > Web Filter > Overrides
Provide details for blocked HTTP 4xx and 5xx
errors (HTTP only.)
Rate images by URL (Blocked images will be
replaced with blanks) (HTTP only).
Allow web sites when a rating error occurs
(HTTP only).
Strict Blocking (HTTP only)
Category / Action
FortiGuard Web Filtering service provides
many categories by which to filter web traffic.
Set the action to take on web pages for each
category. Choose from allow, block, log, or
allow override.
Local Categories can be configured to best
suit local requirements.
UTM > Web Filter > Local Categories | Local Ratings
Classification/Action
When selected, users can access web sites
that provide content cache, and provide
searches for image, audio, and video files.
Choose from allow, block, log, or allow
override.
Note: If virtual domains are enabled on the FortiGate unit, web filtering features are
configured globally. To access these features, select Global Configuration on the main
menu.
Note: Perl regular expression patterns are case sensitive for the Web content filter. To
make a word or phrase case insensitive, use the regular expression modifier /i. For example,
/bad language/i blocks all instances of bad language regardless of case. Wildcard
patterns are not case sensitive.
Viewing the web content filter list catalog
You can add multiple web content filter lists and then select the best web content filter list
for each protection profile. To view the web content filter list catalog, go to UTM >
Web Filter > Web Content Filter. To view any individual web content filter list, select the
edit icon for the list you want to see.
Figure 315: Sample web content filter list catalog
Select web content filter lists in protection profiles. For more information, see Web
Filtering options on page 480.
Creating a new web content filter list
To add a web content filter list to the web content filter list catalog go to UTM > Web Filter
> Web Content Filter. Select Create New.
Figure 316: New Web Content Filter list dialog box
Viewing the web content filter list
With web content filter enabled, every requested web page is checked against the content
filter list. The score value of each pattern appearing on the page is added, and if the total
is greater than the threshold value set in the protection profile, the page is blocked. The
score for a pattern is applied only once even if it appears on the page multiple times.
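The scoring rule above, together with the case-sensitivity note for regular expression and wildcard patterns, as an added example that is not code from the guide: a constructed content filter list is evaluated against constructed page bodies. The list representation, the threshold value, and the reading of '*' and '?' as the wildcard characters are assumptions made for this example.

```python
import re

# Constructed web content filter list (not a FortiGate default list).
CONTENT_FILTER_LIST = [
    {"pattern": "/bad language/i", "type": "regex", "action": "block", "score": 10},
    {"pattern": "*casino*", "type": "wildcard", "action": "block", "score": 5},
    {"pattern": "/Lottery/", "type": "regex", "action": "block", "score": 5},
    {"pattern": "*responsible gambling*", "type": "wildcard", "action": "exempt", "score": 0},
]
BLOCK_THRESHOLD = 10  # the protection profile threshold; constructed value


def compile_pattern(entry):
    """Turn one list entry into a compiled regular expression.

    Wildcard entries: '*' matches any run of characters and '?' a single
    character (an assumed wildcard syntax), matched case insensitively as the
    guide states. Regular expression entries are case sensitive unless they
    are written /.../i.
    """
    text = entry["pattern"]
    if entry["type"] == "wildcard":
        pieces = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                  for ch in text]
        return re.compile("".join(pieces), re.IGNORECASE | re.DOTALL)
    flags = 0
    m = re.fullmatch(r"/(.*)/([a-z]*)", text, re.DOTALL)
    if m:
        text, modifiers = m.group(1), m.group(2)
        if "i" in modifiers:
            flags |= re.IGNORECASE
    return re.compile(text, flags)


def evaluate_page(page_text, entries=CONTENT_FILTER_LIST, threshold=BLOCK_THRESHOLD):
    """Return (decision, total_score, matched_patterns) for a page body.

    Each enabled Block pattern found on the page adds its score once, however
    many times it occurs. Any Exempt match allows the page outright. Otherwise
    the page is blocked only when the total is greater than the threshold.
    """
    total = 0
    matched = []
    exempt = False
    for entry in entries:
        if not entry.get("enable", True):
            continue
        if compile_pattern(entry).search(page_text):
            matched.append(entry["pattern"])
            if entry["action"] == "exempt":
                exempt = True
            else:
                total += entry["score"]
    if exempt:
        return "allow", total, matched
    return ("block" if total > threshold else "allow"), total, matched


# Constructed page bodies used to exercise the rules.
PAGE_OVER_THRESHOLD = ("BAD LANGUAGE here, and bad language again. "
                       "Welcome to the online CASINO. Buy lottery tickets.")
PAGE_AT_THRESHOLD = "Online casino and Lottery results."
PAGE_EXEMPTED = ("Online casino and Lottery results with bad language. "
                 "Responsible gambling support is available.")
```

The first page scores 15 (the repeated phrase counts once and the lowercase "lottery" misses the case-sensitive pattern); the second reaches exactly the threshold and is still allowed; the third would score 20 but the Exempt match wins.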
To view the web content filter list go to UTM > Web Filter > Web Content Filter and select
the Edit icon of the web content filter list you want to view.
Create New Select to add a new web content filter list to the catalog.
Name The available web content filter lists.
# Entries The number of content patterns in each web content filter list.
Profiles The protection profiles each web content filter list has been applied to.
Comment Optional description of each web content filter list. The comment text must be
less than 63 characters long. Otherwise, it will be truncated.
Delete icon Select to remove the web content filter list from the catalog. The delete icon is
only available if the web content filter list is not selected in any protection
profiles.
Edit icon Select to edit the web content filter list, list name, or list comment.
Name Enter the name of the new list.
Comment Enter a comment to describe the list, if required.
Figure 317: Sample web content filter list
The web content filter list has the following icons and features:
Configuring the web content filter list
Web content patterns can be one word or a text string up to 80 characters long. The
maximum number of patterns in the list is 5000.
To add or edit a content filter pattern go to UTM > Web Filter > Web Content Filter and
select Create New or select the Edit icon of the web content filter list you want to edit.
Note: Enable UTM > Web Filtering > Web Content Filter in a firewall Protection Profile to
activate the content filter settings.
Name Web content filter list name. To change the name, edit text in the name field and
select OK.
Comment Optional comment. To add or edit comment, enter text in comment field and
select OK.
Create new Select to add a pattern to the web content filter list.
Previous Page icon Select to view the previous page.
Next Page icon Select to view the next page.
Remove All Entries icon Select to clear the table.
Check Box Select the check box to enable all the patterns in the list. Clear the check box to
disable all of the patterns in the list. Use the check box for individual patterns to
enable or disable them.
Pattern The current list of patterns.
Pattern type The pattern type used in the pattern list entry. Pattern type can be wildcard or
regular expression. See Using wildcards and Perl regular expressions on
page 571.
Language The character set to which the pattern belongs: Simplified Chinese, Traditional
Chinese, Cyrillic, French, Japanese, Korean, Spanish, Thai, or Western.
Action Action can be block or exempt.
Score A numerical weighting applied to the pattern. The score values of all the matching
patterns appearing on a page are added, and if the total is greater than the
threshold value set in the protection profile, the page is blocked.
Delete icon Select to delete an entry from the list.
Edit icon Select to edit the following information: Banned Word, Pattern Type, Language,
and Enable.
Figure 318: New pattern
URL filter
Allow or block access to specific URLs by adding them to the URL filter list. Add patterns
using text and regular expressions (or wildcard characters) to allow or block URLs. The
FortiGate unit allows or blocks web pages matching any specified URLs or patterns and
displays a replacement message instead.
Action Select one of:
Block If the pattern matches, the Score is added to the total for the web page.
The page is blocked if the total score of the web page exceeds the web content
block threshold defined in the protection profile.
Exempt If the pattern matches, the web page will not be blocked even if there
are matching Block entries.
Pattern Enter the content pattern. Web content patterns can be one word or a text string
up to 80 characters long.
For a single word, the FortiGate unit checks all web pages for that word. For a
phrase, the FortiGate checks all web pages for any word in the phrase. For a
phrase in quotation marks, the FortiGate unit checks all web pages for the entire
phrase.
Pattern Type Select a pattern type from the dropdown list: Wildcard or Regular Expression.
Language The character set to which the pattern belongs: Simplified Chinese, Traditional
Chinese, Cyrillic, French, Japanese, Korean, Spanish, Thai, or Western.
Score Enter a score for the pattern.
When you add a web content list to a protection profile you configure a web
content filter threshold for the protection profile. When a web page is matched with
an entry in the content block list, the score is recorded. If a web page matches
more than one entry the score for the web page increases. When the total score
for a web page equals or exceeds the threshold, the page is blocked.
The default score for a content list entry is 10 and the default threshold is 10. This
means that by default a web page is blocked by a single match. You can change
the scores and threshold so that web pages are blocked only if there are multiple
matches. For more information, see Web Filtering options on page 480.
Enable Select to enable the entry.
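The scoring rules in the table above (per-pattern score, exempt entries, the protection profile threshold, and the single word / phrase / quoted phrase matching) as an added Python model; this is illustrative code written for this description, not FortiOS code. It uses the "equals or exceeds the threshold" rule from the Score row (which is why the default score 10 and threshold 10 block on a single match), and assumes that in a wildcard pattern '*' stands for any run of characters and '?' for one character; the pattern list and pages are constructed samples.

```python
import re
from dataclasses import dataclass


@dataclass
class ContentPattern:
    """One row of a web content filter list (fields follow the New pattern dialog)."""
    pattern: str
    pattern_type: str   # "wildcard" or "regex"
    action: str         # "block" or "exempt"
    score: int = 10     # default score named in the guide
    enabled: bool = True


def wildcard_to_regex(pattern: str) -> str:
    """Assumption: '*' matches any run of characters, '?' exactly one character."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return "".join(out)


def compile_terms(entry: ContentPattern) -> list:
    """Terms an entry is checked for; the entry matches if ANY term is found.
    Single word: that word.  Unquoted phrase: any word of the phrase.
    Quoted phrase: the entire phrase.  Regex entries are used as written."""
    text = entry.pattern.strip()
    if entry.pattern_type == "regex":
        return [re.compile(text, re.IGNORECASE)]
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        terms = [text[1:-1]]
    else:
        terms = text.split()
    return [re.compile(r"\b" + wildcard_to_regex(t) + r"\b", re.IGNORECASE)
            for t in terms]


def score_page(page_text: str, patterns: list, threshold: int = 10) -> dict:
    """Add up the scores of all matching block entries; any matching exempt
    entry prevents blocking.  The page is blocked when total >= threshold."""
    total, matched, exempt = 0, [], False
    for entry in patterns:
        if not entry.enabled:
            continue
        if any(rx.search(page_text) for rx in compile_terms(entry)):
            matched.append(entry.pattern)
            if entry.action == "exempt":
                exempt = True
            else:
                total += entry.score
    return {"blocked": (not exempt) and total >= threshold,
            "score": total, "exempt": exempt, "matched": matched}


# Constructed sample list (not from the guide).
PATTERNS = [
    ContentPattern("casino", "wildcard", "block", 5),
    ContentPattern('"free money"', "wildcard", "block", 5),   # entire phrase
    ContentPattern("lott*", "wildcard", "block", 5),          # lottery, lotto, ...
    ContentPattern(r"\bpoker\w*", "regex", "block", 10),
    ContentPattern("gambling research", "wildcard", "exempt"),  # any word exempts
]

if __name__ == "__main__":
    for page in ("Play casino games and win free money tonight!",
                 "Our gambling research group studies casino economics.",
                 "Online pokerstars review", "Tips for home cooking"):
        print(page, "->", score_page(page, PATTERNS))
```

Raising the threshold above 10 (second assertion in the constructed checks) shows how a page is blocked only on multiple matches, as the Score row describes.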
Note: Enable Web filtering > Web URL Filter in a firewall Protection Profile to activate the
URL filter settings.
Note: URL blocking does not block access to other services that users can access with a
web browser. For example, URL blocking does not block access to
ftp://ftp.example.com. Instead, use firewall policies to deny FTP connections.
Viewing the URL filter list catalog
You can add multiple URL filter lists and then select the best URL filter list for each
protection profile.
To view the URL filter list catalog go to UTM > Web Filter > URL Filter.
To view any individual URL filter list go to UTM > Web Filter > URL Filter. Select the Edit
icon for the list you want to see.
Figure 319: Sample URL filter list catalog
The URL filter list catalog has the following icons and features:
Select URL filter lists in protection profiles. For more information, see Web Filtering
options on page 480.
Creating a new URL filter list
Different FortiGate models support different maximum numbers of URL filter lists. For
details, see the FortiGate Maximum Values Matrix in Fortinet's Knowledge Center web
site http://kc.forticare.com.
To add a URL filter list to the URL filter list catalog go to UTM > Web Filter > URL Filter.
Select Create New.
Figure 320: New URL Filter list dialog box
Create New Select to add a new web content URL list to the catalog.
Name The available URL filter lists.
# Entries The number of URL patterns in each URL filter list.
Profiles The protection profiles each URL filter list has been applied to.
Comment Optional description of each URL filter list.
Delete icon Select to remove the URL filter list from the catalog. The delete icon is only
available if the URL filter list is not selected in any protection profiles.
Edit icon Select to edit the URL filter list, list name, or list comment.
Name Enter the name of the new list.
Comment Enter a comment to describe the list, if required.
Viewing the URL filter list
Add specific URLs to block or exempt. Add the following items to the URL filter list:
complete URLs
IP addresses
partial URLs to allow or block all sub-domains
To view the URL filter list go to UTM > Web Filter > URL Filter. Select the Edit icon of the
URL filter list you want to view.
Figure 321: URL filter list
The URL filter list has the following icons and features:
Name URL filter list name. To change the name, edit text in the name field and select
OK.
Comment Optional comment. To add or edit comment, enter text in comment field and
select OK.
Create New Select to add a URL to the URL block list.
Previous Page icon Select to view the previous page.
Next Page icon Select to view the next page.
Clear All URL Filters icon Select to clear the table.
URL The current list of blocked/exempt URLs. Select the check box to enable all
the URLs in the list.
Type The type of URL: Simple or Regex (regular expression).
Action The action taken when the URL matches: Allow, Block, or Exempt.
An allow match exits the URL filter list and checks the other web filters.
An exempt match stops all further checking including AV scanning.
A block match blocks the URL and no further checking will be done.
Delete icon Select to remove an entry from the list.
Edit icon Select to edit the following information: URL, Type, Action, and Enable.
Move icon Select to open the Move URL Filter dialog box.
Configuring the URL filter list
Each URL filter list can have up to 5000 entries.
To add a URL to the URL filter list go to UTM > Web Filter > URL Filter. Select Create New
or edit an existing list.
Figure 322: New URL Filter
URL formats
When adding a URL to the URL filter list (see Configuring the URL filter list on
page 550), follow these rules:
HTTPS URL formats
If your FortiGate unit does not support SSL content scanning and inspection or if you have
selected the URL filtering option in a protection profile for HTTPS content filtering mode
under Protocol Recognition, filter HTTPS traffic by entering a top level domain name, for
example, www.example.com. HTTPS URL filtering of encrypted sessions works by
extracting the CN from the server certificate during the SSL negotiation. Because the CN
only contains the domain name of the site being accessed, web filtering of encrypted
HTTPS sessions can only filter by domain names.
If your FortiGate unit supports SSL content scanning and inspection and if you have
selected Deep Scan, you can filter HTTPS traffic in the same way as HTTP traffic. For
information about SSL content scanning and inspection, see SSL content scanning and
inspection on page 469.
Note: Type a top-level domain suffix (for example, com without the leading period) to
block access to all URLs with this suffix.
URL Enter the URL. Do not include http://. For details about URL
formats, see URL formats on page 550.
Type Select a type from the dropdown list: Simple or Regex (regular
expression).
Action Select an action from the dropdown list: Allow, Block, or Exempt.
An allow match exits the URL filter list and checks the other web
filters.
An exempt match stops all further checking including AV
scanning.
A block match blocks the URL and no further checking will be
done.
Enable Select to enable the URL.
HTTP URL formats
Type a top-level URL or IP address to control access to all pages on a web site. For
example, www.example.com or 192.168.144.155 controls access to all pages at
this web site.
Enter a top-level URL followed by the path and filename to control access to a single
page on a web site. For example, www.example.com/news.html or
192.168.144.155/news.html controls the news page on this web site.
To control access to all pages with a URL that ends with example.com, add
example.com to the filter list. For example, adding example.com controls access to
www.example.com, mail.example.com, www.finance.example.com, and so
on.
Control access to all URLs that match patterns created using text and regular
expressions (or wildcard characters). For example, example.* matches
example.com, example.org, example.net and so on.
FortiGate web pattern blocking supports standard regular expressions.
Moving URLs in the URL filter list
To make the URL filter list easier to use, the entries can be moved to different positions in
the list.
To move a URL in the URL filter list
1 Go to UTM > Web Filter > URL Filter.
2 Select the Edit icon for the URL list.
3 Drag and drop a URL or select the Move icon to the right of the URL to be moved.
4 Specify the location for the URL.
5 Select OK.
Figure 323: Move URL Filter
Note: URLs with an action set to exempt are not scanned for viruses. If users on
the network download files through the FortiGate unit from a trusted website, add the
URL of this website to the URL filter list with an action set to exempt so the
FortiGate unit does not virus scan files downloaded from this URL.
Note: Enable Web Filtering > Web URL Filter > HTTP or HTTPS in a firewall Protection
Profile to activate the web URL filter settings for HTTP and/or HTTPS traffic.
Move to Select the location in the list to place the URL.
(URL) Enter the URL before or after which the new URL is to be located in the list.
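An added Python model (not FortiOS code) of how a URL filter list is evaluated, covering the HTTP URL formats above, the Simple and Regex types, the Allow, Block and Exempt actions, and the first-match-in-list-order behaviour that makes the Move URL Filter dialog matter. The sample list and request URLs are constructed, and treating a bare domain entry as matching that host and its sub-domains only at a label boundary is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class UrlFilterEntry:
    """One row of a URL filter list (fields follow the New URL Filter dialog)."""
    url: str            # entered without http://
    url_type: str       # "simple" or "regex"
    action: str         # "allow", "block" or "exempt"
    enabled: bool = True


def split_request(request_url: str) -> Tuple[str, str]:
    """Return (host, path) of a request URL; the scheme is optional."""
    if "://" not in request_url:
        request_url = "http://" + request_url
    parts = urlsplit(request_url)
    return (parts.hostname or "").lower(), parts.path or "/"


def host_match(entry_host: str, host: str) -> bool:
    """A host, domain or IP entry controls that host and all of its sub-domains;
    a bare suffix such as 'com' controls every host ending in '.com'.
    Assumption: the suffix starts at a label boundary, so 'example.com'
    does not match 'notexample.com'."""
    return host == entry_host or host.endswith("." + entry_host)


def simple_match(entry_url: str, host: str, path: str) -> bool:
    """Simple type: host only -> every page on that site;
    host followed by path and filename -> that single page."""
    entry_url = entry_url.strip().lower()
    if "/" in entry_url:
        entry_host, entry_path = entry_url.split("/", 1)
        return host_match(entry_host, host) and path == "/" + entry_path
    return host_match(entry_url, host)


def evaluate_url_filter(request_url: str,
                        entries: List[UrlFilterEntry]) -> Tuple[str, Optional[str]]:
    """Walk the list in order and return (action, url of the matching entry).
    allow    -> leave the URL filter list, the other web filters still run
    exempt   -> stop all further checking, including AV scanning
    block    -> URL is blocked, no further checking
    no-match -> the other web filters run as usual"""
    host, path = split_request(request_url)
    for entry in entries:
        if not entry.enabled:
            continue
        if entry.url_type == "regex":
            hit = re.search(entry.url, host + path, re.IGNORECASE) is not None
        else:
            hit = simple_match(entry.url, host, path)
        if hit:
            return entry.action, entry.url
    return "no-match", None


def move_entry(entries: List[UrlFilterEntry], url: str,
               position: str, anchor_url: str) -> List[UrlFilterEntry]:
    """Reorder like the Move URL Filter dialog: place `url` 'before' or
    'after' the entry `anchor_url`.  Returns a new list."""
    moving = next(e for e in entries if e.url == url)
    rest = [e for e in entries if e is not moving]
    idx = next(i for i, e in enumerate(rest) if e.url == anchor_url)
    rest.insert(idx + 1 if position == "after" else idx, moving)
    return rest


# Constructed sample list (not from the guide); the order is significant.
URL_FILTER = [
    UrlFilterEntry("updates.example.net", "simple", "exempt"),       # trusted download site
    UrlFilterEntry("www.example.com/news.html", "simple", "block"),  # one page only
    UrlFilterEntry("www.example.com", "simple", "allow"),            # rest of that site
    UrlFilterEntry("example.com", "simple", "block"),                # all other sub-domains
    UrlFilterEntry(r"^[^/]*\.example\.(org|net)/", "regex", "block"),
    UrlFilterEntry("192.168.144.155", "simple", "block"),
]

if __name__ == "__main__":
    for url in ("http://www.example.com/news.html", "www.example.com/about.html",
                "http://mail.example.com/inbox", "http://updates.example.net/pkg.zip",
                "https://files.example.org/x", "http://192.168.144.155/index.html"):
        print(url, "->", evaluate_url_filter(url, URL_FILTER))
```

Moving the example.com block entry above the www.example.com allow entry changes the result for www.example.com/about.html from allow to block, which is why list position is part of the configuration.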
FortiGuard Web Filtering
FortiGuard Web Filtering is a managed web filtering solution provided by Fortinet.
FortiGuard Web Filtering sorts hundreds of millions of web pages into a wide range of
categories users can allow, block, or monitor. The FortiGate unit accesses the nearest
FortiGuard Web Filtering Service Point to determine the category of a requested web
page then follows the firewall policy configured for that user or interface.
FortiGuard Web Filtering includes over 60 million individual ratings of web sites applying
to hundreds of millions of pages. Pages are sorted and rated into 56 categories users can
allow, block, or monitor. Categories may be added to, or updated, as the Internet evolves.
To make configuration simpler, users can also choose to allow, block, or monitor entire
groups of categories. Blocked pages are replaced with a message indicating that the page
is not accessible according to the Internet usage policy.
FortiGuard Web Filtering ratings are performed by a combination of proprietary methods
including text analysis, exploitation of the Web structure, and human raters. Users can
notify the FortiGuard Web Filtering Service Points if they feel a web page is not
categorized correctly, and new sites are quickly rated as required.
Use the procedure FortiGuard Web Filtering options on page 483 to configure
FortiGuard category blocking in a protection profile. To configure the FortiGuard Web
service, see Configuring the FortiGate unit for FDN and FortiGuard subscription services
on page 302.
Configuring FortiGuard Web Filtering
To configure the FortiGuard Web Filtering service go to System > Maintenance >
FortiGuard. See Configuring the FortiGate unit for FDN and FortiGuard subscription
services on page 302.
FortiGuard Web filtering overrides
You can configure FortiGuard web filtering overrides for users who may require access to
web sites that are blocked by FortiGuard web filtering. To configure web filter overrides,
see Configuring FortiGuard Web filtering override options on page 664.
When a user attempts to access a blocked site, if override is enabled in the user's user
group, a link appears on the block page directing the user to an authentication form. The
user can enter a user name and password to override the FortiGuard web filtering for
the web site.
Administrative overrides and user overrides
Go to UTM > Web Filter > Override to view administrative and user overrides.
Administrative overrides are added by administrators. See Configuring administrative
override rules on page 553.
Entries are added to the User Overrides list when a user authenticates to enable a user
override. User overrides are not backed up as part of the FortiGate configuration. These
overrides are also purged when they expire. Administrators can view and delete user
overrides.
Figure 324: Override list
The override list has the following icons and features:
Configuring administrative override rules
Administrative override rules can be configured to allow access to blocked web sites
based on directory, domain name, or category.
Administrative overrides are backed up with the main configuration and managed by the system.
The administrative overrides are not cleaned up when they expire and you can reuse
these override entries by extending their expiry dates. You can create administrative
overrides using both the CLI and the web-based manager.
To create an override rule for a directory or domain go to UTM > Web Filter > Override.
Select the Edit icon for Administrative Overrides.
Figure 325: New Override Rule - Directory or Domain
Create New Select to add a new override rule to the list.
This button is not available under User Overrides.
Return Select to return to the override category page.
Clear All icon Select to clear the table.
URL/Category The URL or category to which the override applies.
Scope The user or user group who may use the override.
Off-site URLs A green check mark indicates that the off-site URL option is set to Allow,
which means that the override web page will display the contents from off-
site domains. A gray cross indicates that the off-site URL option is set to
Block, which means that the override web page will not display the
contents from off-site domains. For details, see Configuring administrative
override rules on page 553.
Initiator The creator of the override rule.
Expiry Date The expiry date of the override rule.
Delete icon Select to remove the entry from the list.
Edit icon Select to edit the following information: Type, URL, Scope, User, Off-site
URLs, and Override Duration.
To create an override for categories, go to UTM > Web Filter > Override.
Figure 326: New Override Rule - Categories
Type Select Directory or Domain.
URL Enter the URL or the domain name of the website.
Scope Select one of the following: User, User Group, IP, or Profile. Depending on
the option selected, a different option appears below Scope.
User Enter the name of the user selected in Scope.
User Group Select a user group from the dropdown list. User groups must be
configured before FortiGuard Web Filtering configuration. For more
information, see User Group on page 658.
Off-site URLs This option defines whether the override web page will display the images
and other contents from the blocked off-site URLs.
For example, all FortiGuard categories are blocked, and you want to visit a
site whose images are served from a different domain. You can create a
directory override for the site and view the page. If the off-site feature was
set to deny, all the images on the page will appear broken because they
come from a different domain to which the existing override rule does not
apply. If you set the off-site feature to allow, the images on the page will then
show up.
Only users that apply under the scope for the page override can see the
images from the temporary overrides. The users will not be able to view
any pages on the sites where the images come from (unless the pages are
served from the same directory as the images themselves) without having
to create a new override rule.
Override End Time Specify when the override rule will end.
Creating local categories
User-defined categories can be created to allow users to block groups of URLs on a
per-profile basis. The categories defined here appear in the global URL category list when
configuring a protection profile. Users can rate URLs based on the local categories.
To create or view local categories, go to UTM > Web Filter > Local Categories.
Figure 327: Local categories list
Viewing the local ratings list
To view the local ratings list go to UTM > Web Filter > Local Ratings.
Figure 328: Local ratings list
The local ratings list has the following icons and features:
Type Select Categories.
Categories Select the categories to which the override applies. A category group or a
subcategory can be selected. Local categories are also displayed.
Classifications Select the classifications to which the override applies. When selected,
users can access web sites that provide content cache, and provide
searches for image, audio, and video files.
Scope Select one of the following: User, User Group, IP, or Profile. Depending on
the option selected, a different option appears below Scope.
User Enter the name of the user selected in Scope.
User Group Select a user group from the dropdown list.
IP Enter the IP address of the computer initiating the override.
Profile Select a protection profile from the dropdown list.
Off-site URLs Select Allow or Block. See the previous table for details about off-site
URLs.
Override End Time Specify when the override rule will end.
Add Enter the name of the category then select Add.
Delete icon Select to remove the entry from the list.
Create New Select to add a rating to the list.
Search Enter search criteria to filter the list.
1 - 3 of 3 The total number of local ratings in the list.
Previous Page icon Select to view the previous page.
Figure 329: Category Filter
Configuring local ratings
Users can create user-defined categories then specify the URLs that belong to the
category. This allows users to block groups of web sites on a per profile basis. The ratings
are included in the global URL list with associated categories and compared in the same
way the URL block list is processed.
The local ratings override the FortiGuard server ratings and appear in reports as Local
Category.
To create a local rating go to UTM > Web Filter > Local Ratings.
Next Page icon Select to view the next page.
Clear All icon Select to clear the table.
URL The rated URL. Select the green arrow to sort the list by URL.
Category The category or classification in which the URL has been placed. If the URL is
rated in more than one category or classification, trailing dots appear. Select
the gray funnel to open the Category Filter dialog box. When the list has been
filtered, the funnel changes to green.
Delete icon Select to remove the entry from the list.
Edit icon Select to edit the following information: URL, Category Rating, and
Classification Rating.
Clear Filter Select to remove all filters.
Category Name Select the blue arrow to expand the category.
Enable Filter Select to enable the filter for the category or the individual sub-category.
Classification Name The classifications that can be filtered.
Enable Filter Select to enable the classification filter.
Figure 330: New Local Rating
Category block CLI configuration
Use the host name keyword for the webfilter fortiguard command to change the
default host name (URL) for the FortiGuard Web Filtering Service Point. The FortiGuard
Web Filtering Service Point name cannot be changed using the web-based manager.
Configure all FortiGuard Web Filtering settings using the CLI. For more information, see
the FortiGate CLI Reference for descriptions of the webfilter fortiguard keywords.
FortiGuard Web Filtering reports
Generate a text and pie chart format report on FortiGuard Web Filtering for any protection
profile. The FortiGate unit maintains statistics for allowed, blocked, and monitored web
pages for each category. View reports for a range of hours or days, or view a complete
report of all activity.
To create a web filter report go to UTM > Web Filter > Reports.
URL Enter the URL to be rated.
Category Name Select the blue arrow to expand the category.
Enable Filter Select to enable the filter for the category or the individual sub-category.
Classification Name The classifications that can be filtered.
Enable Filter Select to enable the classification filter.
Note: FortiGuard Web Filtering reports are only available on FortiGate units with a hard
disk.
Figure 331: Sample FortiGuard Web Filtering report
The following table describes the options for generating reports:
A generated report includes a pie chart and the following information:
See also
Creating local categories
Viewing the local ratings list
Configuring local ratings
FortiGuard Web filtering overrides
Configuring administrative override rules
Configuring FortiGuard Web Filtering
FortiGuard Web Filtering
Profile Select the protection profile for which to generate a report.
Report Type Select the time frame for the report. Choose from hour, day, or all historical
statistics.
Report Range Select the time range (24 hour clock) or day range (from six days ago to today)
for the report. For example, for an hour report type with a range of 13 to 16, the
result is a category block report for 1 pm to 4 pm today. For a day report type
with a range of 0 to 3, the result is a category block report for 3 days ago to today.
Get Report Select to generate the report.
Category The category for which the statistic was generated.
Allowed The number of allowed web addresses accessed in the selected time frame.
Blocked The number of blocked web addresses accessed in the selected time frame.
Monitored The number of monitored web addresses accessed in the selected time frame.
Email filtering
This chapter describes how to configure FortiGate email filtering for IMAP, POP3, and
SMTP email. If your FortiGate unit supports SSL content scanning and inspection you can
also configure email filtering for IMAPS, POP3S, and SMTPS email traffic. For information
about SSL content scanning and inspection, see SSL content scanning and inspection
on page 469.
If you enable virtual domains (VDOMs) on the FortiGate unit, Email filtering is configured
separately for each virtual domain. For details, see Using virtual domains on page 125.
This section provides an introduction to configuring email filtering. For more information
see the FortiGate UTM User Guide.
This section describes:
FortiGuard Email Filtering (also called the FortiGuard Antispam Service)
Banned word
IP address and email address black/white lists
Advanced Email Filter configuration
Using wildcards and Perl regular expressions
FortiGuard Email Filtering (also called the FortiGuard Antispam
Service)
You can configure the FortiGate unit to manage unsolicited commercial email by detecting
and identifying spam messages from known or suspected spam servers.
The FortiGuard Antispam Service uses both a sender IP reputation database and a spam
signature database, along with sophisticated spam filtering tools, to detect and block a
wide range of spam messages. Using FortiGuard Email Filtering protection profile settings
you can enable IP address checking, URL checking, E-mail checksum checking, and
Spam submission. Updates to the IP reputation and spam signature databases are
provided continuously from the global FortiGuard distribution network.
From the FortiGuard Antispam Service page in the FortiGuard center you can use IP and
signature lookup to check whether an IP address is blacklisted in the FortiGuard antispam
IP reputation database, or whether a URL or email address is in the signature database.
Order of email filtering
FortiGate email filtering uses various filtering techniques. The order the FortiGate unit
uses these filters depends on the mail protocol used.
Filters requiring a query to a server and a reply (FortiGuard Antispam Service and
DNSBL/ORDBL) are run simultaneously. To avoid delays, queries are sent while other
filters are running. The first reply to trigger a spam action takes effect as soon as the reply
is received.
Each filter passes the email to the next if no matches or problems are found. If the action
in the filter is Mark as Spam, the FortiGate unit tags as spam the email according to the
settings in the protection profile.
For SMTP and SMTPS if the action is discard the email message is discarded or dropped.
If the action in the filter is Mark as Clear, the email is exempt from any remaining filters. If
the action in the filter is Mark as Reject, the email session is dropped. Rejected SMTP or
SMTPS email messages are substituted with a configurable replacement message.
Order of SMTP and SMTPS email filtering
SMTPS email filtering is available on FortiGate units that support SSL content scanning
and inspection.
1 IP address BWL check on last hop IP.
2 DNSBL & ORDBL check on last hop IP, FortiGuard Antispam IP check on last hop IP,
HELO DNS lookup.
3 MIME headers check, E-mail address BWL check.
4 Banned word check on email subject.
5 IP address BWL check (for IPs extracted from Received headers).
6 Banned word check on email body.
7 Return email DNS check, FortiGuard Antispam email checksum check, FortiGuard
Antispam URL check, DNSBL & ORDBL check on public IP extracted from header.
Order of IMAP, POP3, IMAPS and POP3S email filtering
IMAPS and POP3S email filtering is available on FortiGate units that support SSL content
scanning and inspection.
1 MIME headers check, E-mail address BWL check.
2 Banned word check on email subject.
3 IP BWL check.
4 Banned word check on email body.
5 Return email DNS check, FortiGuard Antispam email checksum check, FortiGuard
Antispam URL check, DNSBL & ORDBL check.
Email filter controls
Email filters are configured for system-wide use, but enabled on a per profile basis.
Table 60 describes the Email filter settings and where to configure and access them.
To access protection profile Email Filter options, go to Firewall > Protection Profile, select
the Edit icon beside an existing profile, or select Create New. Select Email Filtering.
Table 60: Email filtering and Protection Profile email filtering configuration
Protection Profile Email filtering options Email Filter setting
IP address FortiGuard Email Filtering check System > Maintenance > FortiGuard
Configure the FortiGuard Email Filtering
service. Fortinet has its own DNSBL server
for FortiGuard Antispam that provides spam
IP address and URL blacklists. Fortinet
keeps the FortiGuard Antispam IP and URLs
up-to-date as new spam sources are found.
Enable FortiGuard Email Filtering, check the status
of the FortiGuard Antispam server, view the license
type and expiry date, and configure the cache. For
more information, see Configuring the FortiGate
unit for FDN and FortiGuard subscription services
on page 302
IP address BWL check UTM > Email Filter > IP Address
Black/white list check. Configure the
checking of incoming IP addresses against
the configured email filter IP address list.
Add and edit IP addresses in the list. You can
configure the action to take as spam, clear, or reject
for each IP address. You can place an IP address
anywhere in the list. The filter checks each IP
address in sequence.
DNSBL & ORDBL check Command line only
Enable or disable checking email traffic
against configured DNS Blackhole List
(DNSBL) and Open Relay Database List
(ORDBL) servers (SMTP and SMTPS).
Add or remove DNSBL and ORDBL servers to and
from the list. You can configure the action to take as
spam or reject for email identified as spam from
each server (SMTP and SMTPS).
DNSBL and ORDBL configuration can only be
changed using the command line interface. For
more information, see the FortiGate CLI Reference.
HELO DNS lookup n/a
Enable or disable checking the source
domain name against the registered IP
address in the Domain Name Server. If the
source domain name does not match the IP
address the email is marked as spam and
the action selected in the protection profile is
taken.
E-mail address BWL check UTM > Email Filter > E-mail Address
Enable or disable checking incoming email
addresses against the configured email filter
email address list.
Add and edit email addresses in the list, with the
option of using wildcards and regular expressions.
You can configure the action as spam or clear for
each email address. You can place an email
address anywhere in the list. The filter checks each
email address in sequence.
Return e-mail DNS check n/a
Enable or disable checking incoming email
return address domain against the registered
IP address in the Domain Name Server. If
the return address domain name does not
match the IP address the email is marked as
spam and the action selected in the
protection profile is taken.
MIME headers check Command line only
Enable or disable checking source MIME
headers against the configured email filter
MIME header list.
Add and edit MIME headers in the list, with the option of
using wildcards and regular expressions. You can
configure the action for each MIME header as spam
or clear.
DNSBL and ORDBL configuration can only be
changed using the command line interface. For
more information, see the FortiGate CLI Reference.
Banned word check UTM > Email Filter > Banned Word
Enable or disable checking source email
against the configured email filter banned
word list.
Add to and edit banned words to the list, with the
option of using wildcards and regular expressions.
You can configure the language and whether to
search the email body, subject, or both. You can
configure the action to take as spam or clear for
each word.
Spam Action n/a
The action to take on email identified as spam. POP3 and IMAP messages are tagged. Choose Tagged or Discard for SMTP or SMTPS messages. You can append a custom word or phrase to the subject or MIME header of tagged email. You can choose to log any spam action in the event log.
For IMAP, spam email may be tagged only after the user downloads the entire message by opening the email, since some IMAP email clients initially download only the envelope portion of the email message. For details, see Email Filtering options on page 485.
Tag location: Affix the tag to the subject or MIME header of the email identified as spam.
Tag format: Enter a word or phrase (tag) to affix to email identified as spam.
Add event into the system log: Enable or disable logging of spam actions to the event log.
Banned word
Control spam by blocking email messages containing specific words or patterns. You can add words, phrases, wildcards and Perl regular expressions to match content in email messages.
For information about wildcards and Perl regular expressions, see Using wildcards and Perl regular expressions on page 571.
Note: Perl regular expression patterns are case sensitive for banned words. To make a word or phrase case insensitive, use the regular expression option /i. For example, /bad language/i will block all instances of bad language regardless of case. Wildcard patterns are not case sensitive.
Viewing the banned word list catalog
You can add a maximum of two banned word lists and then select the best banned word list for each protection profile. To view the banned word list catalog, go to UTM > Email Filter > Banned Word. To view any individual banned word list, select the Edit icon for the list you want to see.
Figure 332: Sample banned word list catalog
Create New Add a new list to the catalog. For more information, see Creating a new banned word list on page 563.
Name The available Email Filter banned word lists.
# Entries The number of entries in each banned word list.
Profiles The protection profiles each banned word list has been applied to.
Comments Optional description of each banned word list.
Delete icon Remove the banned word list from the catalog. The delete icon is available only if the banned word list is not selected in any protection profiles.
Edit icon Modify the banned word list, list name, or list comment.
To use the banned word list, select banned word lists in protection profiles. For more information, see Email Filtering options on page 485.
Creating a new banned word list
To add an email filter banned word list to the email filter banned word list catalog, go to UTM > Email Filter > Banned Word and select Create New.
Figure 333: New Banned Word list dialog box
Name Enter the name of the new list.
Comments Enter a comment to describe the list, if required.
Viewing the email filtering banned word list
The FortiGate unit checks each email message against the banned word list. The FortiGate unit can sort email messages containing those banned words in the subject, body, or both. The score value of each banned word appearing in the message is added, and if the total is greater than the threshold value set in the protection profile, the FortiGate unit processes the message according to the Spam Action setting in the protection profile. The score for a pattern is applied only once even if the word appears in the message multiple times.
To view the banned word list, go to UTM > Email Filter > Banned Word and select the Edit icon of the banned word list you want to view.
Figure 334: Sample banned word list
Name Banned word list name. To change the name, edit text in the name field and select OK.
Comments Optional comment. To add or edit the comment, enter text in the comment field and select OK.
Create New Select to add a word or phrase to the banned word list.
Current Page The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of the banned word list.
Remove All Entries icon Delete all table entries.
Pattern The list of banned words. Select the check box to enable all the banned words in the list.
Pattern Type The pattern type used in the banned word list entry. Choose from wildcard or regular expression. For more information, see Using wildcards and Perl regular expressions on page 571.
Language The character set to which the banned word belongs.
Where The location where the FortiGate unit searches for the banned word: Subject, Body, or All.
Score A numerical weighting applied to the banned word. The score values of all the matching words appearing in an email message are added, and if the total is greater than the Banned word check value set in the protection profile, the email is processed according to whether the spam action is set to Discard or Tagged in the protection profile. The score for a banned word is counted once even if the word appears multiple times in the email. For more information, see Configuring a protection profile on page 474.
Delete and Edit icons Delete or edit the banned word.
Adding words to the banned word list
For a single word, the FortiGate unit blocks all email containing the word. For a phrase, the FortiGate unit blocks all email containing the exact phrase. To block any word in a phrase, use Perl regular expressions.
To add a banned word list
1 Go to UTM > Email Filter > Banned Word.
2 Select Create New.
3 Enter the banned word list name.
4 Optionally, enter any comments about the list.
5 Select OK.
To add a banned word
1 Go to UTM > Email Filter > Banned Word.
2 Select Edit for the banned word list to which you want to add a banned word.
3 Select Create New.
Pattern Enter the banned word pattern. A pattern can be part of a word, a whole word, or a phrase. Multiple words entered as a pattern are treated as a phrase. The phrase must appear exactly as entered to match. You can also use wildcards or regular expressions to have a pattern match multiple words or phrases.
Pattern Type Select the pattern type for the banned word. Choose from wildcard or regular expression. For more information, see Using wildcards and Perl regular expressions on page 571.
Language Select the character set for the banned word.
Where Select where the FortiGate unit should search for the banned word: Subject, Body, or All.
Score Enter a score for the pattern. Each entry in the banned word list added to the protection profile includes a score. When an email message is matched with an entry in the banned word list, the score is recorded. If an email message matches more than one entry, the score for the email message increases. When the total score for an email message equals or exceeds the threshold, the message is considered spam and handled according to the spam action configured in the protection profile. The default score for a banned word list entry is 10 and the default threshold is 10. This means that by default an email message is considered spam by a single match. You can change the scores and threshold so email messages are only tagged as spam if there are multiple matches. For more information, see Email Filtering options on page 485.
Enable Select to enable scanning for the banned word.
4 Select OK.
IP address and email address black/white lists
You can add IP address black/white lists and email address black/white lists to filter email. When performing an IP address list check, the FortiGate unit compares the IP address of the message sender to the IP address list items in sequence. When performing an email list check, the FortiGate unit compares the email address of the message sender to the email address list items in sequence. If a match is found, the action associated with the IP address or email address is taken. If no match is found, the message is passed to the next enabled email filter.
Viewing the Email Filter IP address list catalog
You can add a maximum of two IP address lists and then select the best one for each protection profile. To view the IP address list catalog, go to UTM > Email Filter > IP Address. To view any individual IP address list, select the Edit icon for the list you want to see.
Figure 335: Sample IP address list catalog
Create New Add a new IP address list to the catalog.
Name The names of the available IP address lists.
# Entries The number of entries in each IP address list.
Profiles The protection profiles each IP address list has been applied to.
Comments Optional description of each IP address list.
Delete icon Remove the IP address list from the catalog. The delete icon is available only if the IP address list is not selected in any protection profiles.
Edit icon Edit the IP address list, list name, or list comment.
Creating a new IP address list
To add an IP address list to the IP address list catalog, go to UTM > Email Filter > IP Address and select Create New.
Figure 336: New IP Address list dialog box
Name Enter the name of the new list.
Comments Enter a comment to describe the list, if required.
Viewing the IP address list
Configure the FortiGate unit to filter email from specific IP addresses. The FortiGate unit compares the IP address of the sender to the check list in sequence. Mark each IP address as clear, spam, or reject. Filter single IP addresses or a range of addresses at the network level by configuring an address and mask.
To view the IP address list, go to UTM > Email Filter > IP Address and select the Edit icon of the IP address list you want to view.
Figure 337: Sample IP address list
Name IP address list name. To change the name, edit text in the name field and select OK.
Comments Optional comment. To add or edit a comment, enter text in the comments field and select OK.
Create New Add an IP address to the IP address list.
Current Page The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of the IP address list.
Remove All Entries icon Delete all table entries.
IP address/Mask The list of IP addresses.
Action The action to take on email from the configured IP address. Actions are: Spam to apply the configured spam action, Clear to bypass this and remaining email filters, or Reject (SMTP or SMTPS) to drop the session. If an IP address is set to reject but mail is delivered from that IP address via POP3 or IMAP, the email messages will be marked as spam.
Delete icon Remove the address from the list.
Edit icon Edit address information.
Move To icon Select to move the entry to a different position in the list. The IP address check executes the list from top to bottom. For example, if you have IP address 192.168.100.1 listed as spam and 192.168.100.2 listed as clear, you must put 192.168.100.1 above 192.168.100.2 for 192.168.100.1 to take effect.
Adding an IP address
After creating an IP address list, you can add IP addresses to the list.
Enter an IP address or a pair of IP address and mask in the following formats:
x.x.x.x, for example, 192.168.69.100
x.x.x.x/x.x.x.x, for example, 192.168.69.100/255.255.255.0
x.x.x.x/x, for example, 192.168.69.100/24
To add an IP address, go to UTM > Email Filter > IP Address. Select Edit for the IP address list name to which you want to add an IP address. Then select Create New.
Figure 338: Adding an IP address
IP Address/Mask Enter the IP address or the IP address/mask pair.
Action Select: Mark as Spam to apply the spam action configured in the protection profile, Mark as Clear to bypass this and remaining email filters, or Mark as Reject (SMTP or SMTPS) to drop the session.
Enable Select to enable the address.
Viewing the Email Filter email address list catalog
You can add email address lists and then select the best one for each protection profile. To view the email address list catalog, go to UTM > Email Filter > E-mail Address. To view any individual email address list, select the Edit icon for the list you want to see.
Figure 339: Sample email address list catalog
Create New Create a new address list.
Name The name of the email address list.
# Entries The number of entries in each email address list.
Profiles The protection profiles each email address list has been applied to.
Comments Optional description of each email address list.
Delete icon Remove the email address list from the catalog. The delete icon is only available if the email address list is not selected in any protection profiles.
Edit icon Edit the email address list, list name, or list comment.
You enable email filter addresses in protection profiles. For more information, see Email Filtering options on page 485.
Creating a new email address list
To add an email address list to the email address list catalog, go to UTM > Email Filter > E-mail Address and select Create New.
Figure 340: New E-mail Address list dialog box
Name Enter the name of the new list.
Comment Enter a comment to describe the list, if required.
Viewing the email address list
The FortiGate unit can filter email from specific senders or all email from a domain (such as example.net).
To view the email address list, go to UTM > Email Filter > E-mail Address and select the Edit icon of the email address list you want to view.
Figure 341: Sample email address list
Name The email address list name. To change the name, edit text in the name field and select OK.
Comments Optional comment. To add or edit the comment, enter text in the comment field and select OK.
Create New Add a new email address to the email address list.
Current Page The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of the email address list.
Remove All Entries icon Delete all table entries.
Email address The list of email addresses.
Pattern Type The pattern type used in the email address entry.
Action The action to take on email from the configured address. Actions are: Spam to apply the spam action configured in the protection profile, or Clear to let the email message bypass this and remaining email filters.
Delete icon Remove the email address from the list.
Edit icon Edit the address information.
Move To icon Move the entry to a different position in the list. The email address scan executes the list from top to bottom. For example, if you have abc@example.com listed as clear and *@example.com as spam, you must put abc@example.com above *@example.com for abc@example.com to take effect.
Configuring the email address list
To add an email address or domain to a list, go to UTM > Email Filter > E-mail Address. Select the Edit icon beside the list you want to add the address to. Select Create New, enter the information below and select OK.
Figure 342: Add E-mail Address
E-Mail Address Enter the email address.
Pattern Type Select a pattern type: Wildcard or Regular Expression. For more information, see Using wildcards and Perl regular expressions on page 571.
Action Select: Mark as Spam to apply the spam action configured in the protection profile, or Mark as Clear to bypass this and remaining email filters.
Enable Select to enable the email address for spam checking.
Advanced Email Filter configuration
Advanced Email Filter configuration covers only command line interface (CLI) commands not represented in the web-based manager. For complete descriptions and examples of how to use CLI commands, see the FortiGate CLI Reference.
config spamfilter mheader
Use this command to configure email filtering based on the MIME (Multipurpose Internet Mail Extensions) header. MIME header filtering is enabled within each protection profile. The FortiGate unit compares the MIME header key-value pairs of incoming email to the list entries in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the next email filter.
MIME headers are added to email to describe content type and content encoding, such as the type of text in the email body or the program that generated the email. Some examples of MIME headers include:
X-mailer: outgluck
X-Distribution: bulk
Content-Type: text/html
Content-Type: image/jpg
The first part of the MIME header is called the header or header key. The second part is called the value. Spammers often insert comments into header values or leave them blank. These malformed headers can fool some spam and virus filters.
Use the MIME headers list to mark email from certain bulk mail programs or with certain types of content that are common in spam messages. Mark the email as spam or clear for each header configured.
config spamfilter dnsbl
Use this command to configure email filtering using DNS-based Blackhole List (DNSBL),
and Open Relay Database List (ORDBL) servers. DNSBL and ORDBL filtering is enabled
within each protection profile.
The FortiGate unit compares the IP address or domain name of the sender to any
database lists configured, in sequence. If a match is found, the corresponding action is
taken. If no match is found, the email is passed on to the next email filter.
Some spammers use unsecured third party SMTP or SMTPS servers to send unsolicited
bulk email. Using DNSBLs and ORDBLs is an effective way to tag or reject spam as it
enters the network. These lists act as domain name servers that match the domain of
incoming email to a list of IP addresses known to send spam or allow spam to pass
through.
There are several free and subscription servers available that provide reliable access to
continually updated DNSBLs and ORDBLs. Check with the service you are using to
confirm the correct domain name for connecting to the server.
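The sequence described above, as an added Python model that is not Fortinet code: each configured server is queried in order and the first one that lists the sender's IP address decides the action. It assumes the common DNSBL query convention (the sender's IPv4 octets reversed and prefixed to the list zone), since the page does not state the exact query format FortiOS uses; the zone names, the offline stand-in resolver and the addresses are constructed.

```python
"""Toy model of the DNSBL/ORDBL check from "config spamfilter dnsbl": the
configured servers are queried in order and the first one that lists the
sender decides the action (spam or reject); no listing passes the message to
the next email filter.  Added example, not Fortinet code.  Assumption: the
query uses the common DNSBL convention of the sender's IPv4 octets reversed
and prefixed to the list zone; the page does not give the exact query format
FortiOS uses.  Zone names and addresses below are constructed."""
import ipaddress
import socket

SPAM, REJECT = "spam", "reject"


def dnsbl_query_name(sender_ip, zone):
    """192.0.2.7 checked against bl.example becomes 7.2.0.192.bl.example."""
    octets = str(ipaddress.IPv4Address(sender_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def resolve_a(name):
    """Live resolver: DNSBLs answer a 127.0.0.x A record for a listed
    address and NXDOMAIN (an error here) for an unlisted one."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_check(sender_ip, servers, resolver=resolve_a):
    """servers: (zone, action, enabled) tuples in configured order.
    Returns the first listing server's action, or None when no server lists
    the sender.  An unresolvable zone looks exactly like 'not listed', so a
    unit that cannot resolve the server domain name silently fails open;
    that is why the guide insists the name must be resolvable."""
    for zone, action, enabled in servers:
        if not enabled:
            continue
        answer = resolver(dnsbl_query_name(sender_ip, zone))
        if answer is not None and answer.startswith("127."):
            return action
    return None


# Constructed offline stand-in for the DNS answers two example lists would
# give; only the names present here are "listed".
FAKE_ANSWERS = {
    "7.2.0.192.bl.example": "127.0.0.2",
    "7.2.0.192.relay.example": "127.0.0.3",
    "9.2.0.192.relay.example": "127.0.0.2",
}


def fake_resolver(name):
    return FAKE_ANSWERS.get(name)


SERVERS = [("bl.example", SPAM, True), ("relay.example", REJECT, True)]
```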
Note: Because the FortiGate unit uses the server domain name to connect to the DNSBL or ORDBL server, it must be able to look up this name on the DNS server. For information on configuring DNS, see Configuring Networking Options on page 176.
Using wildcards and Perl regular expressions
Email address list, MIME headers list, and banned word list entries can include wildcards or Perl regular expressions.
See http://perldoc.perl.org/perlretut.html for detailed information about using Perl regular expressions.
Regular expression vs. wildcard match pattern
A wildcard character is a special character that represents one or more other characters. The most commonly used wildcard characters are the asterisk (*), which typically represents zero or more characters in a string of characters, and the question mark (?), which typically represents any one character.
In Perl regular expressions, the . character refers to any single character. It is similar to the ? character in a wildcard match pattern. As a result:
fortinet.com not only matches fortinet.com but also fortinetacom, fortinetbcom, fortinetccom, and so on.
To match a special character such as . or *, use the escape character \. For example:
To match fortinet.com, the regular expression should be: fortinet\.com
In Perl regular expressions, * means match 0 or more times of the character before it, not 0 or more times of any character. For example:
forti*.com matches fortiiii.com but does not match fortinet.com
To match any character 0 or more times, use .* where . means any character and the * means 0 or more times. For example, the wildcard match pattern forti*.com should therefore be written as the regular expression forti.*\.com.
Note: To add a question mark (?) character to a regular expression from the FortiGate CLI, enter Ctrl+V followed by ?. To add a single backslash character (\) to a regular expression from the CLI you must precede it with another backslash character. For example, fortinet\\.com.
Word boundary
In Perl regular expressions, the pattern does not have an implicit word boundary. For
example, the regular expression test not only matches the word test but also any word
that contains test such as atest, mytest, testimony, atestb. The notation \b
specifies the word boundary. To match exactly the word test, the expression should be
\btest\b.
Case sensitivity
Regular expression pattern matching is case sensitive in the web and Email Filter filters. To make a word or phrase case insensitive, use the regular expression option /i. For example, /bad language/i will block all instances of bad language, regardless of case.
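The filter order from the IP address, email address and MIME header list sections and the banned-word scoring, together with the wildcard and regular expression rules of this section, as one added Python model (not Fortinet code). It assumes that the lists are plain dictionaries, that wildcard entries must match the whole value while regular expressions are searched anywhere in it, and that a message is spam once its score equals or exceeds the threshold, which is what the guide's default score and threshold of 10 imply; the sample profile and messages are constructed.

```python
"""Toy model of the FortiGate email-filter order described in this chapter: the
IP address list, the email address list and the MIME header list are checked
in sequence with the first match deciding, and only then are banned words
scored against the protection profile threshold.  Added example, not Fortinet
code; the dictionaries, function names and sample messages are constructed."""
import ipaddress
import re

SPAM, CLEAR, REJECT = "spam", "clear", "reject"

def pattern_to_regex(pattern, pattern_type):
    """Wildcard: * is zero or more characters, ? one character, whole value must
    match, case insensitive.  Regex: Perl-style, searched anywhere in the value,
    case sensitive unless written in the /pattern/i form."""
    if pattern_type == "wildcard":
        parts = [re.escape(p).replace(r"\?", ".") for p in pattern.split("*")]
        return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)
    flags = 0
    if pattern.startswith("/") and pattern.count("/") >= 2:
        body, _, opts = pattern[1:].rpartition("/")  # "/bad language/i"
        flags |= re.IGNORECASE if "i" in opts else 0
        flags |= re.VERBOSE if "x" in opts else 0
        pattern = body
    return re.compile(pattern, flags)

def matches(pattern, pattern_type, value):
    return pattern_to_regex(pattern, pattern_type).search(value) is not None

def check_ip_list(sender_ip, entries):
    """Entries may be x.x.x.x, x.x.x.x/x.x.x.x or x.x.x.x/x, as the guide lists;
    ip_network accepts all three.  The list is read top to bottom."""
    ip = ipaddress.ip_address(sender_ip)
    for entry in entries:
        net = ipaddress.ip_network(entry["addr"], strict=False)
        if entry.get("enable", True) and ip in net:
            return entry["action"]
    return None

def check_email_list(sender, entries):
    """Sender address against wildcard or regex entries, top to bottom."""
    for entry in entries:
        if entry.get("enable", True) and matches(entry["pattern"], entry["type"], sender):
            return entry["action"]
    return None

def check_mime_headers(headers, entries):
    """headers: (key, value) pairs; an entry matches on its key and value pattern."""
    for entry in entries:
        for key, value in headers:
            if key.lower() == entry["key"].lower() and matches(entry["pattern"], entry["type"], value):
                return entry["action"]
    return None

def banned_word_score(subject, body, entries):
    """Each enabled entry adds its score once, however often it matches, and only
    in the location configured for it (subject, body or all)."""
    total = 0
    for entry in entries:
        if not entry.get("enable", True):
            continue
        where = entry.get("where", "all")
        texts = [t for loc, t in (("subject", subject), ("body", body)) if where in (loc, "all")]
        if any(matches(entry["pattern"], entry["type"], t) for t in texts):
            total += entry.get("score", 10)
    return total

def filter_message(msg, profile):
    """Clear from an earlier list bypasses the remaining filters; Reject exists only
    for SMTP/SMTPS and becomes Spam for POP3/IMAP; banned words are consulted last
    and win when the score equals or exceeds the threshold (default 10 vs 10)."""
    verdict = (check_ip_list(msg["sender_ip"], profile["ip_list"])
               or check_email_list(msg["from"], profile["email_list"])
               or check_mime_headers(msg["headers"], profile["mime_list"]))
    if verdict == REJECT and msg["protocol"] not in ("smtp", "smtps"):
        return SPAM
    if verdict is not None:
        return verdict
    score = banned_word_score(msg["subject"], msg["body"], profile["banned_words"])
    return SPAM if score >= profile["threshold"] else CLEAR

# Constructed sample profile built from the guide's own list examples.
PROFILE = {
    "ip_list": [{"addr": "192.168.100.1", "action": SPAM},
                {"addr": "192.168.100.0/255.255.255.0", "action": CLEAR},
                {"addr": "203.0.113.0/24", "action": REJECT}],
    "email_list": [{"pattern": "abc@example.com", "type": "wildcard", "action": CLEAR},
                   {"pattern": "*@example.com", "type": "wildcard", "action": SPAM}],
    "mime_list": [{"key": "X-Distribution", "pattern": "bulk", "type": "wildcard", "action": SPAM}],
    "banned_words": [{"pattern": "/student loans/i", "type": "regex", "where": "all", "score": 10},
                     {"pattern": r"\btest\b", "type": "regex", "where": "subject", "score": 5}],
    "threshold": 10}

def sample_message(**overrides):
    """A constructed SMTP message with clean defaults; override fields to test."""
    msg = {"protocol": "smtp", "sender_ip": "10.0.0.5", "from": "someone@other.net",
           "headers": [], "subject": "hello", "body": "nothing to see"}
    msg.update(overrides)
    return msg
```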
Perl regular expression formats
Table 61 lists and describes some example Perl regular expression formats.
Table 61: Perl regular expression formats
Expression Matches
abc abc (the exact character sequence, but anywhere in the string)
^abc abc at the beginning of the string
abc$ abc at the end of the string
a|b Either a or b
^abc|abc$ The string abc at the beginning or at the end of the string
ab{2,4}c a followed by two, three or four bs followed by a c
ab{2,}c a followed by at least two bs followed by a c
ab*c a followed by any number (zero or more) of bs followed by a c
ab+c a followed by one or more b's followed by a c
ab?c a followed by an optional b followed by a c; that is, either abc or
ac
a.c a followed by any single character (not newline) followed by a c
a\.c a.c exactly
[abc] Any one of a, b and c
[Aa]bc Either of Abc and abc
[abc]+ Any (nonempty) string of as, bs and cs (such as a, abba,
acbabcacaa)
[^abc]+ Any (nonempty) string which does not contain any of a, b, and c
(such as defg)
\d\d Any two decimal digits, such as 42; same as \d{2}
/i Makes the pattern case insensitive. For example, /bad language/i blocks any instance of bad language regardless of case.
\w+ A word: A nonempty sequence of alphanumeric characters and low
lines (underscores), such as foo and 12bar8 and foo_1
100\s*mk The strings 100 and mk optionally separated by any amount of white
space (spaces, tabs, newlines)
abc\b abc when followed by a word boundary (for example, in abc! but not in
abcd)
perl\B perl when not followed by a word boundary (for example, in perlert but
not in perl stuff)
\x Tells the regular expression parser to ignore white space that is neither preceded by a backslash character nor within a character class. Use this to break up a regular expression into (slightly) more readable parts.
/x Used to add regular expressions within other text. If the first character in a pattern is a forward slash '/', the '/' is treated as the delimiter. The pattern must contain a second '/'. The pattern between the slashes will be taken as a regular expression, and anything after the second / will be parsed as a list of regular expression options ('i', 'x', etc). An error occurs if the second '/' is missing. In regular expressions, leading and trailing space is treated as part of the regular expression.
Example regular expressions
Block any word in a phrase
/block|any|word/
Block purposely misspelled words
Spammers often insert other characters between the letters of a word to fool spam blocking software.
/^.*v.*i.*a.*g.*r.*o.*$/i
/cr[e][\+\-\*=<>\.\,;!\?%&@\^\$\{\}()\[\]\|\\_01]dit/i
Block common spam phrases
The following phrases are some examples of common phrases found in spam messages.
/try it for free/i
/student loans/i
/you re already approved/i
/special[\+\-\*=<>\.\,;!\?%&~#@\^\$\{\}()\[\]\|\\_1]offer/i
Figure 343: MMS Message Flood
Figure 344: MMS Duplicate Message
Data Leak Prevention
You can use the FortiGate Data Leak Prevention (DLP) system to prevent sensitive data
from leaving or entering your network. You can define sensitive data patterns, and data
matching these patterns will be blocked and/or logged or archived when passing through
the FortiGate unit. The DLP system is configured by creating individual rules, combining
the rules into DLP sensors, and then assigning a sensor to a protection profile.
Although the primary use of the DLP feature is to stop sensitive data from leaving your
network, it can also be used to prevent unwanted data from entering your network and to
archive some or all of the content passing through the FortiGate unit.
This section provides an introduction to configuring DLP. For more information see the
FortiGate UTM User Guide.
If you enable virtual domains (VDOMs) on the FortiGate unit, data leak prevention is configured separately for each virtual domain. For details, see Using virtual domains on page 125.
This section describes:
DLP Sensors
DLP archiving
DLP Rules
DLP Compound Rules
DLP Sensors
DLP sensors are simply collections of DLP rules and DLP compound rules. The DLP
sensor also includes settings such as action, archive, and severity for each rule or
compound rule. Once a DLP sensor is configured, it can be specified in a protection
profile. Any traffic handled by the policy in which the protection profile is specified will
enforce the DLP sensor configuration.
Viewing the DLP sensor list
To view the available DLP sensors, go to UTM > Data Leak Prevention > Sensor.
Figure 345: DLP sensor list
Create New Select to create a new DLP sensor.
Name The DLP sensor name.
Comment The optional description of the DLP sensor.
Protection Profiles The names of the protection profiles that the DLP sensor has been added to.
Delete and Edit icons Delete or edit the DLP sensor.
Default DLP sensors
The following default DLP sensors are provided with your FortiGate unit. You can use these as provided, or modify them as required.
Caution: Before use, examine the sensors and rules in the sensors closely to ensure you understand how they will affect the traffic on your network.
Note: DLP prevents duplicate action. Even if more than one rule in a sensor matches some content, DLP will not create more than one DLP archive entry, quarantine item, or ban entry from the same content.
Content_Archive DLP archive all email (POP3, IMAP, and SMTP), FTP, HTTP, and IM traffic.
For each rule in the sensor, Archive is set to Full. No blocking or quarantine is
performed. See DLP archiving on page 580.
You can add the All-Session-Control rule to also archive session control
content.
If you have a FortiGate unit that supports SSL content scanning and
inspection, you can edit the All-Email rule to archive POP3S, IMAPS, and
SMTPS traffic. You can also edit the All-HTTP rule to archive HTTPS traffic.
Content_Summary DLP summary archive all email (POP3, IMAP, and SMTP), FTP, HTTP, and IM
traffic. For each rule in the sensor, Archive is set to Summary Only. No
blocking or quarantine is performed. See DLP archiving on page 580.
You can add the All-Session-Control rule to also archive session control
content.
If you have a FortiGate unit that supports SSL content scanning and
inspection, you can edit the All-Email rule to archive POP3S, IMAPS, and
SMTPS traffic. You can also edit the All-HTTP rule to archive HTTPS traffic.
Credit-Card The number formats used by American Express, Visa, and Mastercard credit
cards are detected in HTTP and email traffic.
As provided, the sensor is configured not to archive matching traffic and an
action of None is set. Configure the action and archive options as required.
Large-File Files larger than 5MB will be detected if attached to email messages or if sent using HTTP or FTP.
As provided, the sensor is configured not to archive matching traffic and an
action of None is set. Configure the action and archive options as required.
SSN-Sensor The number formats used by U.S. Social Security and Canadian Social
Insurance numbers are detected in email and HTTP traffic.
As provided, the sensor is configured not to archive matching traffic and an
action of None is set. Configure the action and archive options as required.
Adding and configuring a DLP sensor
You can create a new DLP sensor and configure it to include the DLP rules and DLP
compound rules required to protect the traffic leaving your network.
A DLP sensor must be created before it can be configured by adding rules and compound
rules. To create a DLP sensor, go to UTM > Data Leak Prevention > Sensor and select
Create New. Enter the DLP sensor name and optional comment, and select OK. You can
then add the required rules and compound rules.
To configure a DLP sensor, go to UTM > Data Leak Prevention > Sensor and select the
Edit icon of the sensor to be configured. A list of the DLP rules and DLP compound rules
included in the DLP sensor is displayed. A newly created sensor will include no rules.
Figure 346: List of rules in a DLP sensor
Adding or editing a rule or compound rule in a DLP sensor
To add a rule to a DLP sensor go to UTM > Data Leak Prevention > Sensor and select the
Edit icon of the sensor to be configured. Select Create New, set the Member type to Rule
and select the rule to add to the sensor. Configure the settings for the rule.
To add a compound rule to a DLP sensor go to UTM > Data Leak Prevention > Sensor
and select the Edit icon of the sensor to be configured. Select Create New, set the
Member type to Compound Rule and select the compound rule to add to the sensor.
Configure the settings for the compound rule.
Name The DLP sensor name.
Comment The optional description of the DLP sensor.
Create New Select Create New to add a new rule or compound rule to the sensor.
Enable You can disable a rule or compound rule by clearing this check box.
The item will be listed as part of the sensor, but it will not be used.
Rule name The names of the rules and compound rules included in the sensor.
Action The action configured for each rule. If the selected action is None, no
action will be listed.
Although archiving is enabled independent of the action, the Archive
designation appears with the selected action.
For example, if you select the Block action and set Archive to Full for a
rule, the action displayed in the sensor rule list is Block, Archive.
Comment The optional description of the rule or compound rule.
Delete and Edit icons Delete or edit a rule or compound rule.
To edit a rule or compound rule already included in a sensor, go to UTM > Data Leak
Prevention > Sensor and select the Edit icon of the sensor to be configured. Select the
edit icon of the rule or compound rule to edit. Change the settings for the rule or
compound rule.
Figure 347: Adding a DLP rule to a DLP sensor
Figure 348: Adding a DLP compound rule to a DLP sensor
Action Select the action to be taken against traffic matching the configured DLP rule or DLP
compound rule. The actions are:
None prevents the DLP rule from taking any action on network traffic. Other
matching rules in the same sensor and other sensors may still operate on
matching traffic.
Block prevents the traffic matching the rule from being delivered. The matching
message or download is replaced with the Data leak prevention replacement
message.
Exempt prevents any DLP sensors from taking action on matching traffic. This
action overrides any other action from any matching sensors.
Ban if the user is authenticated, blocks all traffic to or from the user using the
protocol that triggered the rule, and the user is added to the Banned User list.
If the user is not authenticated, all traffic of the protocol that triggered the rule from
the user's IP address is blocked. If the banned user is using HTTP,
FTP, NNTP (or HTTPS if the FortiGate unit supports SSL content scanning and
inspection), the FortiGate unit displays the Banned by data leak prevention
replacement message for the protocol. If the user is using IM, the IM and P2P
Banned by data leak prevention message replaces the banned IM message and
this message is forwarded to the recipient. If the user is using IMAP, POP3, SMTP
(or IMAPS, POP3S, SMTPS if your FortiGate unit supports SSL content scanning
and inspection), the Mail Banned by data leak prevention message replaces the
banned email message and this message is forwarded to the recipient. These
replacement messages also replace all subsequent communication attempts until
the user is removed from the banned user list.
Ban Sender blocks email or IM traffic from the sender of matching email or IM
messages and adds the sender to the Banned User list. This action is available
only for email and IM protocols. For email, the sender is determined by the From:
address in the email header. For IM, all members of an IM session are senders
and the senders are determined by finding the IM user IDs in the session. Similar
to Ban, the IM or Mail Banned by data leak prevention message replaces the
banned message and this message is forwarded to the recipient. These
replacement messages also replace all subsequent communication attempts until
the user is removed from the banned user list.
Quarantine IP address blocks access through the FortiGate unit for any IP
address that sends traffic matching a sensor with this action. The IP address is
added to the Banned User list. The FortiGate unit displays the NAC Quarantine
DLP Message replacement message for all connection attempts from this IP
address until the IP address is removed from the banned user list.
Quarantine Interface blocks access to the network for all users connecting to the
interface that received traffic matching a sensor with this action. The FortiGate unit
displays the NAC Quarantine DLP Message replacement message for all
connection attempts to the interface until the interface is removed from the banned
user list.
Ban, Ban Sender, Quarantine IP, and Quarantine Interface provide functionality
similar to NAC quarantine. However, these DLP options cause DLP to block users
and IP addresses at the application layer while NAC quarantine blocks IP addresses
and interfaces at the network layer. For more information, see NAC quarantine and
the Banned User list on page 670.
For more information about configuring DLP replacement messages, see
Replacement messages on page 225.
If you have configured DLP to block IP addresses and the FortiGate unit receives
sessions that have passed through a NAT device, all traffic from that NAT device
could be blocked, not just the traffic of individual users. You can avoid this problem by
implementing authentication or, where possible, by selecting Ban Sender.
Archive Configure DLP archiving for the rule. Archive is available for Email, FTP, HTTP, IM,
and Session Control rules and compound rules. The options are:
Disable, do not archive.
Full, perform full DLP archiving.
Summary Only, perform summary DLP archiving.
See DLP archiving on page 580.
Severity Enter the severity of the content that the rule or compound rule matches. Use the
severity to indicate the seriousness of the problems that would result from the content
passing through the FortiGate unit. For example, if the DLP rule finds high-security
content the severity could be 5. On the other hand, if the DLP rule finds any content
the severity should be 1.
DLP adds the severity to the severity field of the log message generated when the
rule or compound rule matches content. The higher the number, the greater the
severity.
Expires When the action is set to Ban, Ban Sender, or Quarantine IP address, you can specify
how long the ban will last. Select Indefinite for a ban ending only if the offender is
manually removed from the banned user list, or select After and enter the required
number of minutes, hours or days the ban will last. When the specified duration
expires, the offender is automatically removed from the banned user list.
Member Type Select Rule or Compound Rule. The rules of the selected type will be displayed in the
table below.
Name The names of all available rules or compound rules.
Description The optional description entered for each rule or compound rule.
DLP archiving
You can use DLP archiving to collect and view historical logs that have been archived to a
FortiAnalyzer unit or the FortiGuard Analysis and Management service. DLP archiving is
available for FortiAnalyzer when you add a FortiAnalyzer unit to the FortiGate
configuration (see Remote logging to a FortiAnalyzer unit on page 704). The FortiGuard
Analysis and Management server becomes available when you subscribe to the
FortiGuard Analysis and Management Service (see the FortiGuard Analysis and
Management Service Administration Guide).
You can configure full DLP archiving and summary DLP archiving. Full DLP archiving
includes all content; for example, full email DLP archiving includes complete email
messages and attachments. Summary DLP archiving includes just the metadata about
the content; for example, email message summary records include only the email header.
You can archive Email, FTP, HTTP, IM, MMS, and session control content:
Email content includes IMAP, POP3, and SMTP sessions. Email content can also
include email messages tagged as spam by FortiGate Email filtering. If your FortiGate
unit supports SSL content scanning and inspection, Email content can also include
IMAPS, POP3S, and SMTPS sessions.
HTTP content includes HTTP sessions. If your FortiGate unit supports SSL content
scanning and inspection, HTTP content can also include HTTPS sessions.
For more information about SSL content scanning and inspection, see SSL content
scanning and inspection on page 469.
IM content includes AIM, ICQ, MSN, and Yahoo! sessions.
Session control content includes SIP, SIMPLE and SCCP sessions. Only summary
DLP archiving is available for SIP and SCCP. Full and summary DLP archiving is
available for SIMPLE.
You add DLP sensors to archive Email, Web, FTP, IM, and session control content.
Archiving of spam email messages is configured in protection profiles.
Configuring DLP archiving
You enable Email, Web, FTP, IM, and session control DLP archiving in DLP sensors. Then
you add the DLP sensors to protection profiles and add the protection profiles to firewall
policies. All sessions accepted by firewall policies that are matched by rules in DLP
sensors are DLP archived.
DLP includes the Content_Archive and Content_Summary pre-defined DLP sensors. The
Content_Archive sensor includes pre-defined DLP rules that provide full DLP archiving for
HTTP, Email, FTP, and IM protocols. To provide full DLP archiving, when you add a rule to
a sensor, set Archive to Full.
The Content_Summary sensor also includes predefined DLP rules and provides summary
DLP archiving for HTTP, Email, FTP, and IM protocols. To provide summary DLP
archiving, when you add a rule to a sensor, set Archive to Summary Only.
You can add the pre-defined All-session-control DLP rule to the Content_Archive and
Content_Summary pre-defined DLP sensors to DLP archive session control sessions.
If your FortiGate unit supports SSL content scanning and inspection you can also archive
HTTPS, IMAPS, POP3S, and SMTPS content. By default the SSL protocols are not
enabled in the All-Email and All-HTTP pre-defined DLP rules. To archive the SSL
protocols, you must edit these pre-defined rules and select the SSL protocols to be able to
archive them.
In addition to these pre-defined DLP rules and sensors, you can add your own DLP rules
and sensors and use them for full and summary DLP archiving. See DLP Sensors on
page 575 for more information about configuring DLP sensors.
To DLP archive all email messages
This procedure describes how to add the All-Email DLP rule to a DLP sensor and, in the
sensor, configure the rule for full DLP archiving.
1 Go to UTM > Data Leak Prevention > Sensor and add a sensor.
2 Add rules to the sensor for whatever other requirements you may have for the sensor.
3 Add the All-Email DLP rule to the sensor and set Archive to Full.
4 Go to Firewall > Policy > Protection Profile and add a new or edit a protection profile.
5 Select the Data Leak Prevention Sensor expand arrow.
6 Select Data Leak Prevention Sensor and select the sensor from the list.
7 Add the protection profile to a firewall policy that accepts email traffic.
The sensor will now match and archive all email messages processed by the firewall
policy.
Note: DLP prevents duplicate action. Even if more than one rule in a sensor matches some
content, DLP will not create more than one DLP archive entry from the same content.
Note: Enabling full DLP archiving reduces the amount of system memory available for virus
scanning. Because of these memory constraints, Fortinet recommends against using full DLP
archiving if antivirus scanning is also configured, especially on FortiGate units with low
system memory.
To DLP archive HTTP and HTTPS (web) sessions
This procedure describes how to configure DLP archiving for HTTP and HTTPS sessions.
You can use similar procedures to configure DLP archiving for other protocols. This
procedure is valid for FortiGate units that support SSL content scanning and inspection.
This procedure describes editing the All-HTTP DLP rule to enable HTTPS POST and
HTTPS GET, confirming that the Content_Archive DLP sensor contains the All-HTTP
rule, then adding the Content_Archive DLP sensor to a protection profile.
1 Go to UTM > Data Leak Prevention > Rule and edit the All-HTTP rule.
2 Select HTTPS POST and HTTPS GET.
Figure 349: Selecting HTTPS POST and HTTPS GET in the All-HTTP DLP rule
3 Verify that Rule is set to Always so that the rule matches all HTTP and HTTPS post
and get sessions.
4 Select OK to save the changes to the rule.
5 Go to UTM > Data Leak Prevention > Sensor and edit the Content_Archive sensor.
Figure 350: The Content_Archive DLP sensor
6 Verify that the Content_Archive sensor includes the All-HTTP rule.
7 Edit the All-HTTP rule in the sensor and verify that Archive is set to Full.
Figure 351: The All-HTTP rule in the Content_Archive sensor with Archive set to Full
8 Go to Firewall > Policy > Protection Profile and add a new or edit a protection profile.
9 Select the Data Leak Prevention Sensor expand arrow.
10 Select Data Leak Prevention Sensor and select the Content_Archive sensor from the
list.
Figure 352: Adding the Content_Archive DLP sensor to a protection profile
11 Add the protection profile to a firewall policy that accepts HTTP and HTTPS traffic.
To DLP archive all email messages that contain the string confidential
This procedure describes how to add a DLP rule that finds the string confidential in the
body of POP3, IMAP, and SMTP email messages. To archive all email messages that
contain this string you must add the DLP rule to a DLP sensor and configure the sensor for
full DLP archiving.
1 Go to UTM > Data Leak Prevention > Rule and add a rule to find the string
confidential in POP3, SMTP, and IMAP email messages.
Figure 353: DLP rule to find the string confidential in the body of email messages
2 Go to UTM > Data Leak Prevention > Sensor and add a new sensor.
3 Edit the sensor and select Create New to add a rule to the sensor.
4 Configure the rule as follows:
Action None
Archive Full
Severity 1 (Lowest)
Member type Rule
Email_confidential Select
Figure 354: Adding the email confidential rule to a sensor
5 Go to Firewall > Policy > Protection Profile and add a new or edit a protection profile.
6 Select the Data Leak Prevention Sensor expand arrow.
7 Select Data Leak Prevention Sensor and select the new sensor from the list.
8 Add the protection profile to a firewall policy that accepts email traffic.
Configuring spam email message archiving
DLP sensors configured to archive email will archive legitimate email and email identified
as spam by FortiGate Email filtering and by FortiGuard Antispam. By default, however, the
protection profile options under Archive SPAMed email to FortiAnalyzer/FortiGuard are
disabled. As a result, by default email identified as spam is not archived.
In most cases you would probably not want to archive email identified as spam, so you can
leave these options disabled. However, if you want to archive email identified as spam,
you can use the following procedure to enable archiving of email identified as spam.
To enable archiving of email messages identified as spam by the FortiGate unit or
by FortiGuard Antispam
1 Go to Firewall > Protection Profile.
2 Create or edit a protection profile.
3 Select the Expand Arrow to view the Data Leak Prevention Sensor option.
4 Select a DLP sensor from the list.
5 Select the check boxes for the email protocols to archive spam for beside Archive
SPAMed email to FortiAnalyzer/FortiGuard.
6 Select OK.
Viewing DLP archives
Go to Log & Report > DLP Archive to view all DLP archived content stored on a
FortiAnalyzer unit or the FortiGuard Analysis and Management server.
The DLP Archive menu is only visible if you have configured the FortiGate unit for remote
logging and archiving to a FortiAnalyzer unit or to the FortiGuard Analysis and
Management Service.
To view DLP archives
1 Go to Log&Report > DLP Archive.
2 Select the following tabs to view DLP archives for one of these protocols.
E-mail to view POP3, IMAP, SMTP, POP3S, IMAPS, SMTPS, and spam email
archives.
Web to view HTTP and HTTPS archives.
FTP to view FTP archives.
IM to view AIM, ICQ, MSN, and Yahoo! archives.
VoIP to view session control (SIP, SIMPLE and SCCP) archives.
DLP Rules
DLP rules are the core element of the data leak prevention feature. These rules define the
data to be protected so the FortiGate unit can recognize it. For example, an included rule
uses a regular expression to describe a Social Security number:
([0-6]\d{2}|7([0-6]\d|7[0-2]))[\-]?\d{2}[\-]\d{4}
Rather than having to list every possible Social Security number, this regular expression
describes the structure of a Social Security number. The pattern is easily recognizable by
the FortiGate unit. For more information about regular expressions, see Using wildcards
and Perl regular expressions on page 571.
DLP rules can be combined into compound rules and they can be included in sensors. If
rules are specified directly in a sensor, traffic matching any single rule will trigger the
configured action. If the rules are first combined into a compound rule and then specified
in a sensor, every rule in the compound rule must match the traffic to trigger the configured
action.
Individual rules in a sensor are linked with an implicit OR condition while rules within a
compound rule are linked with an implicit AND condition.
Viewing the DLP rule list
To view the DLP rule list, go to UTM > Data Leak Prevention > Rule.
Note: Infected files are clearly indicated in the DLP Archive Email message list.
Figure 355: The DLP rule list
Default DLP rules
A number of default DLP rules are provided with your FortiGate unit. You can use these as
provided, or modify them as required.
Create New Select Create New to add a new rule.
Name The rule name.
Comments The optional description of the rule.
Compound Rules If the rule is included in any compound rules, the compound rule
names are listed here.
DLP Sensors If the rule is used in any sensors, the sensor names are listed here.
Delete and Edit icons Delete or edit a rule.
If a rule is used in a compound rule or a sensor, the delete
icon will not be available. Remove the rule from the
compound rule or sensor and then delete it.
Note: These rules affect only unencrypted traffic types. If you are using a FortiGate unit
able to decrypt and examine encrypted traffic, you can enable those traffic types in these
rules to extend their functionality if required.
Caution: Before use, examine the rules closely to ensure you understand how they will
affect the traffic on your network.
All-Email, All-FTP, All-HTTP, All-IM, All-NNTP, All-Session-Control These rules detect all
traffic of the specified type.
Email-AmEx, Email-Canada-SIN, Email-US-SSN, Email-Visa-Mastercard These four rules
detect American Express numbers, Canadian Social Insurance Numbers, U.S. Social
Security Numbers, or Visa and Mastercard numbers within the message bodies of SMTP,
POP3, and IMAP email traffic.
HTTP-AmEx, HTTP-Canada-SIN, HTTP-US-SSN, HTTP-Visa-Mastercard These four rules
detect American Express numbers, Canadian Social Insurance Numbers, U.S. Social
Security Numbers, or Visa and Mastercard numbers within POST commands in HTTP
traffic. HTTP POST is used to send information to a web server.
As written, these rules are designed to detect data the user is sending to web servers.
They do not detect data retrieved with the HTTP GET command, which is used to load
web pages.
Email-Not-Webex, HTTP-Post-Not-Webex These rules prevent DLP from matching email
or HTTP pages that contain the string WebEx.
Large-Attachment This rule detects files larger than 5MB attached to SMTP, POP3, and
IMAP email messages.
Large-FTP-Put This rule detects files larger than 5MB sent using the FTP PUT
command. Files received using FTP GET are not examined.
Large-HTTP-Post This rule detects files larger than 5MB sent using the HTTP POST
command. Files received using HTTP GET are not examined.
Adding or configuring DLP rules
Go to UTM > Data Leak Prevention > Rule. To add a new rule, select Create New. To edit
an existing rule, select the edit icon of the rule to be changed.
Figure 356: DLP rule for HTTP traffic
Name The name of the rule.
Comments An optional comment describing the rule.
Protocol Select the type of content traffic that the DLP rule will apply to.
The available rule options vary depending on the protocol that you
select. You can select the following protocols: Email, HTTP, FTP,
NNTP, Instant Messaging and Session Control.
AIM, ICQ, MSN, Yahoo! When you select the Instant Messaging protocol, you can configure
the rule to apply to file transfers using any or all of the supported IM
protocols (AIM, ICQ, MSN, and Yahoo!).
Only file transfers using the IM protocols are subject to DLP rules. IM
messages are not scanned.
HTTP POST, HTTP GET When you select the HTTP protocol, you can configure the rule to
apply to HTTP post or HTTP get traffic or both.
HTTPS POST, HTTPS GET
When you select the HTTP protocol, if your FortiGate unit supports
SSL content scanning and inspection, you can also configure the
HTTP rule to apply to HTTPS get or HTTPS post sessions or both. For
more information about SSL content scanning and inspection, see
Configuring SSL content scanning and inspection on page 472.
To scan these encrypted traffic types, you must set HTTPS Content
Filtering Mode to Deep Scan (Decrypt on SSL Traffic) in the Protocol
Recognition section of the protection profile. If URL Filtering is
selected, the DLP sensors will not scan HTTPS content.
FTP PUT, FTP GET When you select the FTP protocol, you can configure the rule to apply
to FTP put, or FTP get sessions or both.
SMTP, IMAP, POP3 When you select the Email protocol, you can configure the rule to
apply to any or all of the supported email protocols (SMTP, IMAP, and
POP3).
SMTPS IMAPS POP3S When you select the Email protocol, if your FortiGate unit supports
SSL content scanning and inspection, you can also configure the rule
to apply to SMTPS, IMAPS, POP3S or any combination of these
protocols.
For more information about SSL content scanning and inspection, see
Configuring SSL content scanning and inspection on page 472.
SIP, SIMPLE, SCCP When you select the Session Control protocol, you can configure the
rule to apply to any or all of the supported session control protocols
(SIP, SIMPLE, and SCCP). The only rule option for the session control
protocols is Always. This option matches all session control traffic and
is used for session control DLP archiving.
File Options You can select file options for any protocol to configure how the DLP
rule handles archive files, MS-Word files, and PDF files found in
content traffic. File options appear when you select the File Type rule
option.
Scan archive contents When selected, files within archives are extracted and scanned in the
same way as files that are not archived.
Scan archive files whole
When selected, archives are scanned as a whole. The files within the
archive are not extracted and scanned individually.
Scan MS-Word text When selected the text contents of MS Word DOC documents are
extracted and scanned for a match. All metadata and binary
information is ignored.
Note: Office 2007/2008 DOCX files are not recognized as MS-Word
by the DLP scanner. To scan the contents of DOCX files, select the
Scan archive contents option.
Scan MS-Word file whole
When selected, MS Word DOC files are scanned. All binary and
metadata information is included.
If you are scanning for text entered in a DOC file, use the
Scan MS-Word text option. Binary formatting codes and file information
may appear within the text, causing text matches to fail.
Note: Office 2007/2008 DOCX files are not recognized as MS-Word
by the DLP scanner. To scan the contents of DOCX files, select the
Scan archive contents option.
Scan PDF text When selected, the text contents of PDF documents are extracted and
scanned for a match. All metadata and binary information is ignored.
Scan PDF file whole When selected, PDF files are scanned. All binary and metadata
information is included.
If you are scanning for text in PDF files, use the Scan PDF Text
option. Binary formatting codes and file information may appear within
the text, causing text matches to fail.
Rule Use the Rule settings to configure the content that the DLP rule
matches.
Always Match any content.
This option is available for all protocols.
Attachment size Check the attachment file size.
This option is available for Email.
Attachment type Search email messages for file types or file patterns as specified in the
selected file filter.
This option is available for Email.
Authenticated User Search for traffic from the specified authenticated user.
Binary file pattern Search for the specified binary string in network traffic.
Body Search for the specified string in the message or page body.
This option is available for Email, HTTP, and NNTP.
CGI parameters Search for the specified CGI parameters in any web page with CGI
code.
This option is available for HTTP.
Cookie Search the contents of cookies for the specified text.
This option is available for HTTP.
File is/not encrypted Check whether the file is or is not encrypted. Encrypted files are
archives and MS Word files protected with passwords. Because they
are password protected, the FortiGate unit cannot scan the contents
of encrypted files.
File text Search for the specified text in transferred text files.
This option is available in FTP, IM, and NNTP.
File type Search for the specified file patterns and file types. The patterns and
types are configured in file filter lists, and a list is selected in the DLP rule.
For more information about file filter lists, see File Filter on page 513.
This option is available for FTP, HTTP, IM, and NNTP.
Hostname Search for the specified host name when contacting a HTTP server.
HTTP header Search for the specified string in HTTP headers.
Receiver Search for the specified string in the message recipient email address.
This option is available for Email.
Sender Search for the specified string in the message sender user ID or email
address. This option is available for Email and IM.
For email, the sender is determined by the From: address in the email
header. For IM, all members of an IM session are senders and the
senders are determined by finding the IM user IDs in the session.
Server Search for the server's IP address in a specified address range.
This option is available for FTP and NNTP.
Subject Search for the specified string in the message subject.
This option is available for Email.
Transfer size Check the total size of the information transfer. In the case of email
traffic for example, the transfer size includes the message header,
body, and any encoded attachment.
URL Search for the specified URL in HTTP traffic.
User group Search for traffic from any user in the specified user group.
Rule operators:
matches/does not match This operator specifies whether the FortiGate unit is searching for the
presence of the specified string, or for the absence of the specified string.
Matches: The rule will be triggered if the specified string is found in
network traffic.
Does not match: The rule will be triggered if the specified string is
not found in network traffic.
ASCII/UTF-8 Select the encoding used for text files and messages.
Regular Expression/Wildcard Select the means by which patterns are defined.
For more information about wildcards and regular expressions, see
Using wildcards and Perl regular expressions on page 571.
is/is not This operator specifies if the rule is triggered when a condition is true
or not true.
Is: The rule will be triggered if the rule is true.
Is not: The rule will be triggered if the rule is not true.
For example, if a rule specifies that a file type is found within a
specified file type list, all matching files will trigger the rule.
Conversely, if the rule specifies that a file type is not found in a file
type list, only the file types not in the list would trigger the rule.
==/>=/<=/!= These operators allow you to compare the size of a transfer or
attached file to an entered value.
== is equal to the entered value.
>= is greater than or equal to the entered value.
<= is less than or equal to the entered value.
!= is not equal to the entered value.
DLP Compound Rules
DLP compound rules are groupings of DLP rules that also change the way they behave
when added to a DLP sensor. Individual rules can be configured with only a single
attribute. When this attribute is discovered in network traffic, the rule is activated.
Compound rules allow you to group individual rules to specify far more detailed activation
conditions. Each included rule is configured with a single attribute, but every attribute must
be present before the compound rule is activated.
For example, create two rules and add them to a sensor:
Rule 1 checks SMTP traffic for a sender address of spammer@example.com
Rule 2 checks SMTP traffic for the word sale in the message body
When the sensor is used, either rule could be activated if its configured condition is true. If
only one condition is true, only the corresponding rule would be activated. Depending on
the contents of the SMTP traffic, neither, either, or both could be activated.
If you remove these rules from the sensor, add them to a compound rule, and add the
compound rule to the sensor, the conditions in both rules have to be present in network
traffic to activate the compound rule. If only one condition is present, the message passes
without any rule or compound rule being activated.
By combining the individually configurable attributes of multiple rules, compound rules
allow you to specify far more detailed and specific conditions to trigger an action.
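The OR-between-sensor-members and AND-within-compound-rule semantics described here and in the DLP Rules section (including the Social Security number regular expression quoted there, and the Exempt override from the DLP Sensors section) modelled as an added Python example; it is not code from the guide or from FortiOS. Rule names, message field names and sample messages are constructed, and the >= 5 MB threshold and the archive-level precedence are assumptions of the model.

```python
"""Toy model of how FortiGate DLP rules, compound rules and sensors combine:
rules listed directly in a sensor are OR-ed, rules inside a compound rule are
AND-ed, Exempt overrides other actions, one content yields one archive entry."""
import operator
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# U.S. Social Security number pattern as quoted in the guide's DLP Rules
# section. As written it requires the hyphen before the final four digits.
US_SSN_PATTERN = r"([0-6]\d{2}|7([0-6]\d|7[0-2]))[\-]?\d{2}[\-]\d{4}"

# A message is a dict of the attributes a rule can inspect (constructed names).
Message = Dict[str, Union[str, int]]

# The size comparison operators offered by the guide's rule editor.
SIZE_OPS = {"==": operator.eq, ">=": operator.ge,
            "<=": operator.le, "!=": operator.ne}


@dataclass
class Rule:
    """One DLP rule: a single attribute, one operator, one value."""
    name: str
    field: str                     # message attribute the rule inspects
    pattern: str = ""              # regular expression for text attributes
    negate: bool = False           # "does not match" / "is not"
    size_op: Optional[str] = None  # ==, >=, <= or != for size attributes
    size_value: int = 0

    def matches(self, msg: Message) -> bool:
        value = msg.get(self.field)
        if self.size_op is not None:
            hit = SIZE_OPS[self.size_op](int(value or 0), self.size_value)
        else:
            hit = re.search(self.pattern, str(value or "")) is not None
        return hit != self.negate  # negate turns "matches" into "does not match"


@dataclass
class CompoundRule:
    """Rules grouped with an implicit AND: every member must match."""
    name: str
    rules: List[Rule]

    def matches(self, msg: Message) -> bool:
        return all(r.matches(msg) for r in self.rules)


@dataclass
class Member:
    """A rule or compound rule together with its settings inside a sensor."""
    rule: Union[Rule, CompoundRule]
    action: str = "None"      # None, Block, Exempt, Ban, ...
    archive: str = "Disable"  # Disable, Full or Summary Only


@dataclass
class Sensor:
    """Members are linked with an implicit OR: any single match is enough."""
    name: str
    members: List[Member]

    def evaluate(self, msg: Message) -> dict:
        matched = [m for m in self.members if m.rule.matches(msg)]
        actions = {m.action for m in matched if m.action != "None"}
        if "Exempt" in actions:  # Exempt overrides any other matching action
            actions = {"Exempt"}
        # At most one archive entry per content; this model assumes the most
        # complete level requested by any matching member wins.
        levels = {m.archive for m in matched}
        archive = next((lvl for lvl in ("Full", "Summary Only") if lvl in levels), "Disable")
        return {"matched": [m.rule.name for m in matched],
                "actions": sorted(actions), "archive": archive}


# The guide's own example: Rule 1 tests the SMTP sender, Rule 2 the body.
RULE1 = Rule("Rule1-Sender", "sender", r"^spammer@example\.com$")
RULE2 = Rule("Rule2-Body-sale", "body", r"\bsale\b")
# Members modelled on the pre-defined Email-US-SSN and Large-Attachment rules
# (the 5 MB threshold is expressed with >=, an assumption of this model).
SSN_RULE = Rule("Email-US-SSN", "body", US_SSN_PATTERN)
LARGE = Rule("Large-Attachment", "attachment_size", size_op=">=", size_value=5 * 1024 * 1024)

# The same two rules listed directly in the sensor (OR) ...
DIRECT = Sensor("direct", [Member(RULE1, "Block"), Member(RULE2, "Block")])
# ... versus wrapped in one compound rule (AND).
COMPOUND = Sensor("compound", [Member(CompoundRule("Spam-sale", [RULE1, RULE2]), "Block")])
# A sensor mixing the SSN regex, a size test and an Exempt member.
MIXED = Sensor("mixed", [Member(SSN_RULE, "Block", "Full"),
                         Member(LARGE, "Block", "Summary Only"),
                         Member(Rule("Partner", "sender", r"@partner\.example$"), "Exempt")])

# Constructed sample messages.
BOTH = {"sender": "spammer@example.com", "body": "Big sale today", "attachment_size": 0}
ONLY_SALE = {"sender": "alice@example.com", "body": "The sale ends Friday", "attachment_size": 0}
SSN_MSG = {"sender": "bob@partner.example", "body": "SSN 123-45-6789 enclosed",
           "attachment_size": 6 * 1024 * 1024}

if __name__ == "__main__":
    for sensor in (DIRECT, COMPOUND, MIXED):
        for msg in (BOTH, ONLY_SALE, SSN_MSG):
            print(sensor.name, msg["sender"], sensor.evaluate(msg))
```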
Viewing the DLP compound rule list
To view the DLP compound rule list, go to UTM > Data Leak Prevention > Compound.
Figure 357: DLP compound rule list
Adding and configuring DLP compound rules
Go to UTM > Data Leak Prevention > Compound. To add a new compound rule, select
Create New. To edit an existing compound rule, select the edit icon of the compound rule
to be changed.
Figure 358: DLP compound rule
Create New Select Create New to add a new compound rule.
Name The compound rule name.
Comments The optional description of the compound rule.
DLP sensors If the compound rule is used in any sensors, the sensor names are
listed here.
Delete and Edit icons Delete or edit a compound rule.
If a compound rule is used in a sensor, the delete icon will not be
available. Remove the compound rule from the sensor and then delete
it.
Name The compound rule name.
Comments An optional description of the compound rule.
Protocol Select the type of content traffic that the DLP compound rule applies
to. The rules that you can add to the compound rule vary depending
on the protocol that you select. You can select the following protocols:
Email, HTTP, FTP, NNTP, and Instant Messaging.
AIM, ICQ, MSN, Yahoo! When you select the Instant Messaging protocol, you can select the
supported IM protocols for which to add rules. Only the rules that
include all of the selected protocols can be added to the compound
rule.
HTTP POST, HTTP GET When you select the HTTP protocol, you can configure the compound
rule to apply to HTTP post or HTTP get sessions or both. Only the
rules that include all of the selected options can be added to the
compound rule.
HTTPS POST, HTTPS GET When you select the HTTP protocol, if your FortiGate unit supports
SSL content scanning and inspection, you can configure the
compound rule to apply to HTTPS post or HTTPS get sessions or
both. Only the rules that include all of the selected options can be
added to the compound rule.
For more information about SSL content scanning and inspection, see
Configuring SSL content scanning and inspection on page 472.
To scan these encrypted traffic types, you must set HTTPS Content
Filtering Mode to Deep Scan (Decrypt on SSL Traffic) in the Protocol
Recognition section of the protection profile. If URL Filtering is
selected, the DLP sensors will not scan HTTPS content.
FTP PUT, FTP GET When you select the FTP protocol, you can configure the compound
rule to apply to FTP put, or FTP get sessions or both. Only the rules
that include all of the selected options can be added to the compound
rule.
SMTP, IMAP, POP3 When you select the Email protocol, you can select the supported
email protocols for which to add rules. Only the rules that include all of
the selected protocols can be added to the compound rule.
SMTPS IMAPS POP3S When you select the Email protocol, if your FortiGate unit supports
SSL content scanning and inspection, you can also select the SMTPS,
IMAPS, POP3S protocols. Only the rules that include all of the
selected protocols can be added to the compound rule.
For more information about SSL content scanning and inspection, see
Configuring SSL content scanning and inspection on page 472.
Rules Select the rule to include in the compound rule. Only the rules that
include all of the selected protocols can be added to the compound
rule.
Add Rule/Delete Rule Use the add rule and delete rule icons to add and remove rules from
the compound rule. Select the add rule icon and then select rule from
the list.
Application Control
This section describes how to configure the application control options associated with
firewall protection profiles.
If you enable virtual domains (VDOMs) on the FortiGate unit, the application control
configuration of each VDOM is entirely separate. For example, application black/white lists
created in one VDOM will not be visible in other VDOMs. For details, see Using virtual
domains on page 125.
This section provides an introduction to configuring application control. For more
information see the FortiGate UTM User Guide.
This section describes:
What is application control?
FortiGuard application control database
Viewing the application control black/white lists
Creating a new application control black/white list
Configuring an application control black/white list
Adding or configuring an application control black/white list entry
Application control statistics
What is application control?
Using the application control UTM feature, your FortiGate unit can detect and take action
against network traffic depending on the application generating the traffic. Based on
FortiGate Intrusion Protection protocol decoders, application control is a more user-
friendly and powerful way to use Intrusion Protection features to log and manage the
behavior of application traffic passing through the FortiGate unit. Application control uses
IPS protocol decoders that can analyze network traffic to detect application traffic even if
the traffic uses non-standard ports or protocols.
The FortiGate unit can recognize the network traffic generated by a large number of
applications. You can create application control black/white lists that specify the action to
take with the traffic of the applications you need to manage and the network on which they
are active. Add application control black/white lists to protection profiles applied to the
network traffic you need to monitor.
FortiGuard application control database
Fortinet is constantly increasing the list of applications that application control can detect
by adding applications to the FortiGuard Application Control Database. Because intrusion
protection protocol decoders are used for application control, the application control
database is part of the FortiGuard Intrusion Protection System Database and both of
these databases have the same version number.
To view the version of the application control database installed on your FortiGate unit, go
to the License Information dashboard widget and find IPS Definitions version.
To see the complete list of applications supported by FortiGuard Application Control go to
the FortiGuard Application Control List. This web page lists all of the supported
applications. You can select any application name to see details about the application.
Figure 359: ISIS.Over.IPv4 application page
Viewing the application control black/white lists
Each application control black/white list contains details about the application traffic to be
monitored and the actions to be taken when it is detected. To take effect, an application
control black/white list must be selected in a protection profile.
No default black/white lists are provided.
To view the application control black/white lists, go to UTM > Application Control >
Black/White List.
Figure 360: The application control black/white lists
Create New Select Create New to add a new application control black/white list.
Name The available application control black/white lists.
# of Entries The number of application rules in each application control black/white
list.
Profiles The protection profile each application control black/white list has
been applied to. If the black/white list has not been applied to a
protection profile, this field will be blank.
Comment An optional description of each application control black/white list.
Delete icon Select to remove the application control black/white list. The delete
icon is only available if the application control black/white list is not
selected in any protection profiles.
Edit icon Select to edit the application control black/white list.
Creating a new application control black/white list
To create a new application control black/white list, go to UTM > Application Control >
Black/White List and select Create New. Enter a name and optionally, a comment or
description. Select OK. Since a new application control black/white list is blank, the list edit
window appears. For information on creating application control black/white list entries,
see Configuring an application control black/white list on page 597.
Figure 361: The create a new application control black/white list dialog window
Configuring an application control black/white list
To configure an application control black/white list, go to UTM > Application Control >
Black/White List and select the Edit icon of the list you want to configure.
The FortiGate unit examines network traffic for the application entries in the listed order,
one at a time, from top to bottom. Whenever a match is detected, the action specified in
the matching rule is applied to the traffic and further checks for application entry matches
are stopped. Because of this, you can use both actions to create a complex rule with fewer
entries.
For example, if your organization has standardized on AIM for instant messaging, you can
allow AIM and block all other IM clients with just two entries. First, create an entry in which
AIM is the specified application. Set the action to Pass. Then create an entry in which the
Category is im, the Application is all, and the action is Block. Since the entries are
checked from top to bottom, AIM traffic triggers the first rule, and is passed. All other
detected IM traffic triggers the second rule, and the FortiGate unit blocks it.
Figure 362: Editing an application control black/white list
Name Enter the name of the application control black/white list.
Comments Optionally, enter a comment or description.
Adding or configuring an application control black/white list entry
To add a new application control black/white list entry or edit an existing one, go to UTM >
Application Control > Black/White List, and select the Edit icon for the black/white list you
want to modify. To add a new entry, select Create New. To edit an existing entry, select the
Edit icon of the entry you want to modify.
Name The name of the application control black/white list.
Comments Enter or edit a comment about the black/white list. The comment is
optional.
List Type Each application control list can behave either as a black list or as a
white list. This setting determines how the FortiGate unit will treat
traffic from applications not appearing on the list.
Black List (Allow all undefined applications) Select Black List to allow application traffic
from the applications not appearing on the application black/white list. The applications
specified in the list will be handled according to the action configured in each entry.
White List (Block all undefined applications) Select White List to block application traffic
from the applications not appearing on the application black/white list. The applications
specified in the list will be handled according to the action configured in each entry.
Enable logging for undefined applications Select whether the FortiGate unit will log the
traffic of the applications not appearing on the application black/white list.
Create New Select to create a new application entry.
ID A unique number used primarily when re-ordering application entries.
Category The category indicates the scope of the applications included in the
application entry if Application is set to all. For example, if Application
is all and Category is toolbar, then all the toolbar applications are
included in the application entry even though they are not specified
individually.
If Application is a single application, the value in Category has no
effect on the operation of the application entry.
Application The FortiGate unit will examine network traffic for the listed
application. If Application is all, every application in the selected
category is included.
Action If the FortiGate unit detects traffic from the specified application, the
selected action will be taken.
Logging If traffic from the specified application is detected, the FortiGate unit
will log the occurrence and the action taken.
Delete icon Select to delete the application entry.
Edit icon Select to edit the application entry.
Insert Application Before icon Select to create a new application entry above the entry in
which you selected the icon.
Move To icon Select to move the application entry to a different position in the
black/white list.
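The ordered, first-match evaluation described earlier in this section (the AIM example, where the order of the Pass and Block entries decides the outcome) and the List Type setting above, which decides what happens to applications that match no entry, modelled together in Python as an added example. This is not FortiGate code: the Entry, Detected and BlackWhiteList types are this example's own, and the "BitTorrent" application and "p2p" category names in the sample traffic are constructed for illustration.

```python
"""
Added example (not FortiGate code): evaluates an application control
black/white list. Entries are checked top to bottom; the first match decides
the action and stops further checks; the list type decides the default for
applications that match no entry.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    category: str       # e.g. "im"; only consulted when application == "all"
    application: str    # a single application name, or "all" for the category
    action: str         # "pass" or "block"
    logging: bool = True


@dataclass(frozen=True)
class Detected:
    """Constructed stand-in for an application identified by the protocol decoders."""
    name: str
    category: str


@dataclass
class BlackWhiteList:
    name: str
    entries: List[Entry]
    list_type: str = "black"      # "black": allow undefined apps; "white": block them
    log_undefined: bool = False

    def evaluate(self, app: Detected) -> Tuple[str, bool, Optional[int]]:
        """Return (action, logged, index of the matching entry or None)."""
        for idx, entry in enumerate(self.entries):
            if entry.application == "all":
                matched = entry.category == app.category
            else:
                matched = entry.application == app.name   # Category has no effect here
            if matched:
                return entry.action, entry.logging, idx   # first match wins
        default = "pass" if self.list_type == "black" else "block"
        return default, self.log_undefined, None


# The guide's example: allow AIM, block every other IM application.
ALLOW_AIM_ONLY = BlackWhiteList("allow-aim-only", [
    Entry("im", "AIM", "pass"),
    Entry("im", "all", "block"),
])

# The same two entries in the wrong order: the category-wide block is hit first,
# so AIM is blocked even though a Pass entry for it exists further down.
WRONG_ORDER = BlackWhiteList("wrong-order", list(reversed(ALLOW_AIM_ONLY.entries)))

# The same entries as a white list: anything not listed (here, P2P) is blocked.
AIM_WHITELIST = BlackWhiteList("aim-whitelist", ALLOW_AIM_ONLY.entries,
                               list_type="white", log_undefined=True)

# Constructed traffic samples.
TRAFFIC = [Detected("AIM", "im"), Detected("MSN", "im"), Detected("BitTorrent", "p2p")]


def run(bwl: BlackWhiteList, traffic: List[Detected] = TRAFFIC) -> Dict[str, str]:
    """Map each detected application to the action the list would take on it."""
    return {app.name: bwl.evaluate(app)[0] for app in traffic}


if __name__ == "__main__":
    for bwl in (ALLOW_AIM_ONLY, WRONG_ORDER, AIM_WHITELIST):
        print(bwl.name, run(bwl))
```

The WRONG_ORDER list is the failure mode worth checking after any re-ordering of entries: a category-wide entry placed above a specific one shadows it completely.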
Figure 363: The application control black/white list entry for FTP
In addition to these options, some IM applications and VoIP protocols have additional
options:
Category The applications are categorized by type. If you want to choose an IM
application, for example, select the im category, and the application
black/white list will show only the im applications.
The Category selection can also be used to specify an entire category
of applications. To select all IM applications for example, select the im
category, and select all as the application. This specifies all the IM
applications with a single application control black/white list entry.
Application The FortiGate unit will examine network traffic for the listed
application. If Application is all, every application in the selected
category is included.
Action If the FortiGate unit detects traffic from the specified application, the
selected action will be taken.
Options
Session TTL The application's session TTL. If this option is not enabled, the TTL
defaults to the setting of the config system session-ttl CLI
command.
Enable Logging When enabled, the FortiGate unit will log the occurrence and the
action taken when traffic from the specified application is detected.
IM options
Block Login Select to prevent users from logging in to the selected IM system.
Block File Transfers Select to prevent the sending and receiving of files using the selected
IM system.
Block Audio Select to prevent audio communication using the selected IM system.
Inspect Non-standard Port Select to allow the FortiGate unit to examine non-standard ports
for the IM client traffic.
Display content meta-information on the system dashboard Select to include
meta-information detected for the IM system on the FortiGate unit dashboard.
VoIP options
Limit Call Setup Enter the maximum number of calls each client can set up per minute.
Limit REGISTER request Enter the maximum number of register requests per second allowed
for the firewall policy.
Limit INVITE request Enter the maximum number of invite requests per second allowed for
the firewall policy.
Enable Logging of Violations Select to enable logging of violations.
Application control statistics
The FortiGate unit maintains statistics on selected IM and P2P applications, and VoIP
protocols. You can use these statistics to gain insight into how the protocols are being
used within your network. To view these statistics, go to UTM > Application Control >
Statistics.
Figure 364: Application control statistics
Other options
Command Some traffic types include a command option. Specify a command
that appears in the traffic that you want to block or pass.
For example, enter GET as a command in the FTP.Command
application to have the FortiGate unit examine FTP traffic for the GET
command. Multiple commands can be entered.
Method A method option is available for HTTP, RTSP, and SIP protocols.
Specify a method that appears in the traffic that you want to block or
pass.
For example, enter POST as a method in the HTTP.Method application
to have the FortiGate unit examine HTTP traffic for the POST method.
Multiple methods can be entered.
Program Number Enter the program number appearing in Sun Remote Procedure Calls
(RPC) that you want to block or pass. Multiple program numbers can
be entered.
UUID Enter the UUID appearing in Microsoft Remote Procedure Calls
(MSRPC) that you want to block or pass. Multiple UUIDs can be
entered.
Automatic Refresh Interval Select the automatic refresh interval for statistics. Set the
interval from none to 30 seconds.
Refresh Click to refresh the page with the latest statistics.
Reset Stats Click to reset the statistics to zero.
Users For each IM protocol, the following user information is listed:
Current Users
(Users) Since Last Reset
(Users) Blocked.
Chat For each IM protocol, the following chat information is listed:
Total Chat Sessions
Server-based Chat (Sessions)
Group Chat (Sessions)
Direct/Private Chat (Sessions)
Messages For each IM protocol, the following message information is listed:
Total Messages
Sent
Received
File Transfers For each IM protocol, the following file transfer information is listed:
(Files transferred) Since Last Reset
(Files) Sent
(Files) Received
(Files) Blocked.
Voice Chat For each IM protocol, the following voice chat information is listed:
(Voice chats) Since Last Reset
(Voice chats) Blocked.
P2P Usage For each P2P protocol, the following usage information is listed:
Total Bytes (transferred)
Average Bandwidth.
If the action for a P2P application is set to pass, the statistics will
display the total usage of the P2P application. Applications set to
Block will not affect the statistics.
Note that the same application can have different actions set in
different application control black/white lists. In this case, the traffic
handled by the black/white lists with the Pass action will be reflected in
the statistics. The traffic handled by the black/white lists with the Block
action will not be reflected.
VoIP Usage For the SIP and SCCP protocols, the following information is listed:
Currently Active Sessions (phones connected, etc)
Total Calls (since last reset)
Calls Failed/Dropped
Calls Succeeded
IPSec VPN
This section provides information about Internet Protocol Security (IPSec) VPN
configuration options available through the web-based manager. FortiGate units support
both policy-based (tunnel-mode) and route-based (interface mode) VPNs.
If you enable virtual domains (VDOMs) on the FortiGate unit, VPN IPSec is configured
separately for each virtual domain. For details, see Using virtual domains on page 125.
This section describes:
Overview of IPSec VPN configuration
Policy-based versus route-based VPNs
Auto Key
Manual Key
Internet browsing configuration
Concentrator
Monitoring VPNs
Overview of IPSec VPN configuration
FortiGate units implement the Encapsulated Security Payload (ESP) protocol. The
encrypted packets look like ordinary packets that can be routed through any IP network.
Internet Key Exchange (IKE) is performed automatically based on pre-shared keys or
X.509 digital certificates. As an option, you can specify manual keys. Interface mode,
supported in NAT/Route mode only, creates a virtual interface for the local end of a VPN
tunnel.
Use the following configuration procedures for all IPSec VPNs:
1 Define the phase 1 parameters that the FortiGate unit needs to authenticate remote
peers or clients and establish a secure connection. See Creating a new phase 1
configuration on page 606.
2 Define the phase 2 parameters that the FortiGate unit needs to create a VPN tunnel
with a remote peer or dialup client. See Creating a new phase 2 configuration on
page 611.
3 Create a firewall policy to permit communication between your private network and the
VPN. For a policy-based VPN, the firewall policy action is IPSEC. For an interface-
based VPN, the firewall policy action is ACCEPT. See Configuring firewall policies on
page 367.
Note: For information about how to configure an IPSec VPN, see the FortiGate IPSec VPN
User Guide.
Note: You must use steps 1 and 2 if you want the FortiGate unit to generate unique
IPSec encryption and authentication keys automatically. If a remote VPN peer or client
requires a specific IPSec encryption or authentication key, you must configure the
FortiGate unit to use manual keys instead. For more information, see Manual Key on
page 614.
For more information about configuring IPSec VPNs, see the FortiGate IPSec VPN User
Guide.
Policy-based versus route-based VPNs
FortiGate units support both policy-based and route-based VPNs. Generally, you can
configure route-based VPNs more easily than policy-based VPNs. However, the two types
have different requirements that limit where you can use them, as shown in Table 62.
You create a policy-based VPN by defining an IPSEC firewall policy between two network
interfaces and associating it with the VPN tunnel (phase 1 or manual key) configuration.
You need only one firewall policy, even if either end of the VPN can initiate a connection.
You create a route-based VPN by enabling IPSec interface mode when you create the
VPN phase 1 or manual key configuration. This creates a virtual IPSec interface that is
bound to the local interface you selected. You then define an ACCEPT firewall policy to
permit traffic to flow between the virtual IPSec interface and another network interface. If
either end of the VPN can initiate the connection, you need two firewall policies, one for
each direction.
Virtual IPSec interface bindings are shown on the network interfaces page. (Go to System
> Network > Interface.) The names of all tunnels bound to physical, aggregate, VLAN,
inter-VDOM link or wireless interfaces are displayed under their associated interface
names in the Name column. For more information, see Configuring interfaces on
page 145. As with other interfaces, you can include a virtual IPSec interface in a zone.
Hub-and-spoke configurations
To function as the hub of a hub-and-spoke VPN, the FortiGate unit provides a
concentrator function. This is available only for policy-based VPNs, but you can create the
equivalent function for a route-based VPN in any of the following ways:
Define a firewall policy between each pair of IPSec interfaces that you want to
concentrate. This can be time-consuming to maintain if you have many site-to-site
connections, since the number of policies required increases rapidly as the number of
spokes increases.
Put all the IPSec interfaces into a zone and then define a single zone-to-zone policy.
Put all the IPSec interfaces in a zone and enable intra-zone traffic. There must be more
than one IPSec interface in the zone.
For more information and an example, see the FortiGate IPSec VPN User Guide.
Table 62: Comparison of policy-based and route-based VPNs
Policy-based: Available in NAT/Route or Transparent mode. Requires a firewall
policy with IPSEC action that specifies the VPN tunnel. One policy controls
connections in both directions.
Route-based: Available only in NAT/Route mode. Requires only a simple firewall
policy with ACCEPT action. A separate policy is required for connections in
each direction.
Redundant configurations
Route-based VPNs help to simplify the implementation of VPN tunnel redundancy. You
can configure several routes for the same IP traffic with different route metrics. You can
also configure the exchange of dynamic (RIP, OSPF, or BGP) routing information through
VPN tunnels. If the primary VPN connection fails or the priority of a route changes through
dynamic routing, an alternative route will be selected to forward traffic through the
redundant connection.
A simple way to provide failover redundancy is to create a backup IPSec interface. You
can do this in the CLI. For more information, including an example configuration, see the
monitor-phase1 keyword for the ipsec vpn phase1-interface command in the
FortiGate CLI Reference.
Routing
Optionally, through the CLI, you can define a specific default route for a virtual IPSec
interface. For more information, see the default-gw keyword for the
vpn ipsec phase1-interface command in the FortiGate CLI Reference.
Auto Key
You can configure two VPN peers (or a FortiGate dialup server and a VPN client) to
generate unique Internet Key Exchange (IKE) keys automatically during the IPSec
phase 1 and phase 2 exchanges.
When you define phase 2 parameters, you can choose any set of phase 1 parameters to
set up a secure connection for the tunnel and authenticate the remote peer.
Auto Key configuration applies to both tunnel-mode and interface-mode VPNs.
To configure an Auto Key VPN, go to VPN > IPSEC > Auto Key (IKE).
Figure 365: Auto Key list
Create Phase 1 Create a new phase 1 tunnel configuration. For more information, see
Creating a new phase 1 configuration on page 606.
Create Phase 2 Create a new phase 2 configuration. For more information, see Creating a
new phase 2 configuration on page 611.
Phase 1 The names of existing phase 1 tunnel configurations.
Phase 2 The names of existing phase 2 configurations.
Interface Binding The names of the local interfaces to which IPSec tunnels are bound. These
can be physical, aggregate, VLAN, inter-VDOM link or wireless interfaces.
Delete and Edit icons Delete or edit a phase 1 configuration.
Creating a new phase 1 configuration
In phase 1, two VPN peers (or a FortiGate dialup server and a VPN client) authenticate
each other and exchange keys to establish a secure communication channel between
them. The basic phase 1 settings associate IPSec phase 1 parameters with a remote
gateway and determine:
whether the various phase 1 parameters will be exchanged in multiple rounds with
encrypted authentication information (main mode) or in a single message with
authentication information that is not encrypted (Aggressive mode)
whether a pre-shared key or digital certificates will be used to authenticate the
identities of the two VPN peers (or a VPN server and its client)
whether a special identifier, certificate distinguished name, or group name will be used
to identify the remote VPN peer or client when a connection attempt is made.
To define basic IPSec phase 1 parameters, go to VPN > IPSEC > Auto Key (IKE) and
select Create Phase 1. For information about how to choose the correct phase 1 settings
for your particular situation, see the FortiGate IPSec VPN User Guide.
Figure 366: New Phase 1
Name Type a name to represent the phase 1 definition. The maximum
name length is 15 characters for an interface mode VPN, 35
characters for a policy-based VPN. If Remote Gateway is Dialup
User, the maximum name length is further reduced depending on the
number of dialup tunnels that can be established: by 2 for up to 9
tunnels, by 3 for up to 99 tunnels, 4 for up to 999 tunnels, and so on.
For a tunnel mode VPN, the name should reflect where the remote
connection originates. For a route-based tunnel, the FortiGate unit
also uses the name for the virtual IPSec interface that it creates
automatically.
Remote Gateway Select the category of the remote connection:
Static IP Address If the remote peer has a static IP address.
Dialup User If one or more FortiClient or FortiGate dialup clients
with dynamic IP addresses will connect to the FortiGate unit.
Dynamic DNS If a remote peer that has a domain name and
subscribes to a dynamic DNS service will connect to the FortiGate
unit.
IP Address If you selected Static IP Address, type the IP address of the remote
peer.
Dynamic DNS If you selected Dynamic DNS, type the domain name of the remote
peer.
Local Interface This option is available in NAT/Route mode only. Select the name of
the interface through which remote peers or dialup clients connect to
the FortiGate unit.
By default, the local VPN gateway IP address is the IP address of
the interface that you selected. Optionally, you can specify a unique
IP address for the VPN gateway in the Advanced settings. For more
information, see Local Gateway IP on page 609.
Mode Select Main or Aggressive:
In Main mode, the phase 1 parameters are exchanged in multiple
rounds with encrypted authentication information.
In Aggressive mode, the phase 1 parameters are exchanged in a
single message with authentication information that is not
encrypted.
When the remote VPN peer has a dynamic IP address and is
authenticated by a pre-shared key, you must select Aggressive
mode if there is more than one dialup phase1 configuration for the
interface IP address.
When the remote VPN peer has a dynamic IP address and is
authenticated by a certificate, you must select Aggressive mode if
there is more than one phase 1 configuration for the interface IP
address and these phase 1 configurations use different proposals.
Peer Options settings may require a particular mode. See Peer
Options, below.
Authentication Method Select Preshared Key or RSA Signature.
Pre-shared Key If you selected Pre-shared Key, type the pre-shared key that the
FortiGate unit will use to authenticate itself to the remote peer or
dialup client during phase 1 negotiations. You must define the same
value at the remote peer or client. The key must contain at least 6
printable characters and should be known only by network
administrators. For optimum protection against currently known
attacks, the key should consist of a minimum of 16 randomly chosen
alphanumeric characters.
Certificate Name If you selected RSA Signature, select the name of the server
certificate that the FortiGate unit will use to authenticate itself to the
remote peer or dialup client during phase 1 negotiations. For
information about obtaining and loading the required server
certificate, see the FortiGate Certificate Management User Guide.
Peer Options One or more of the following options are available to authenticate
VPN peers or clients, depending on the Remote Gateway and
Authentication Method settings.
Accept any peer ID Accept the local ID of any remote VPN peer or client. The FortiGate
unit does not check identifiers (local IDs). You can set Mode to
Aggressive or Main.
You can use this option with RSA Signature authentication. But, for
highest security, you should configure a PKI user/group for the peer
and set Peer Options to Accept this peer certificate only.
Accept this peer ID This option is available only if the remote peer has a dynamic IP
address. Enter the identifier that is used to authenticate the remote
peer. This identifier must match the identifier that the remote peer's
administrator has configured.
If the remote peer is a FortiGate unit, the identifier is specified in the
Local ID field of the phase 1 configuration.
If the remote peer is a FortiClient dialup client, the identifier is
specified in the Local ID field, accessed by selecting Config in the
Policy section of the VPN connection's Advanced Settings.
Accept peer ID in dialup group Authenticate multiple FortiGate or FortiClient dialup clients that use
unique identifiers and unique pre-shared keys (or unique pre-shared
keys only) through the same VPN tunnel.
You must create a dialup user group for authentication purposes.
(For more information, see User Group on page 658.) Select the
group from the list next to the Accept peer ID in dialup group option.
For more information about configuring FortiGate dialup clients, see
the FortiGate IPSec VPN User Guide. For more information about
configuring FortiClient dialup clients, see the Authenticating
FortiClient Dialup Clients Technical Note.
You must set Mode to Aggressive when the dialup clients use unique
identifiers and unique pre-shared keys. If the dialup clients use
unique pre-shared keys only, you can set Mode to Main if there is
only one dialup phase 1 configuration for this interface IP address.
Accept this peer certificate only This option is available when Authentication Method is set to
RSA Signature.
Authenticate remote peers or dialup clients that use a security
certificate. Select the certificate from the list next to the option.
You must add peer certificates to the FortiGate configuration before
you can select them here. For more information, see PKI on
page 656.
Accept this peer certificate group only This option is available when Authentication Method is set to
RSA Signature and Remote Gateway is set to Dialup User.
Use a certificate group to authenticate dialup clients that have
dynamic IP addresses and use unique certificates.
Select the name of the peer group from the list. You must first create
the group through the config user peergrp CLI command
before you can select it. For more information, see the user chapter
of the FortiGate CLI Reference. Members of the peer group must be
certificates added by using the config user peer CLI command.
You can also add peer certificates using the web-based manager.
For more information, see PKI on page 656.
Advanced Define advanced phase 1 parameters. For more information, see
Defining phase 1 advanced settings on page 608.
Defining phase 1 advanced settings
You use the advanced P1 Proposal parameters to select the encryption and
authentication algorithms that the FortiGate unit uses to generate keys for the IKE
exchange. You can also select these advanced settings to ensure the smooth operation of
phase 1 negotiations.
To modify IPSec phase 1 advanced parameters, go to VPN > IPSEC > Auto Key (IKE),
select Create Phase 1, and then select Advanced. For information about how to choose
the correct advanced phase 1 settings for your particular situation, see the FortiGate
IPSec VPN User Guide.
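The Pre-shared Key field above gives a hard minimum (6 printable characters) and a recommendation (at least 16 randomly chosen alphanumeric characters). The following Python script is an added example, not part of this guide or of FortiOS: it generates a key from the operating system's random source at the recommended strength, reports the entropy such a key carries, and checks a candidate key against the two requirements. The WEAK_VALUES set, the 32-character default length and the function names are the example's own assumptions.

```python
import math
import secrets
import string

# Randomly chosen alphanumeric characters, as the guide recommends for the key.
ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 6            # hard minimum: at least 6 printable characters
RECOMMENDED_LENGTH = 16   # recommended minimum for protection against known attacks
CONTROL_CHARS = "\t\n\r\x0b\x0c"   # whitespace controls that are not "printable" here
# Constructed sample of values that should never be accepted as a PSK
# (assumption of this example, not a list from the guide).
WEAK_VALUES = {"password", "fortinet", "123456", "secret", "changeme"}


def generate_psk(length: int = 32) -> str:
    """Return `length` characters drawn uniformly from ALPHABET using the OS CSPRNG."""
    if length < RECOMMENDED_LENGTH:
        raise ValueError(f"length must be at least {RECOMMENDED_LENGTH}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(psk: str) -> float:
    """Entropy of a uniformly random key of this length over ALPHABET
    (62 symbols, so about 5.95 bits per character)."""
    return len(psk) * math.log2(len(ALPHABET))


def check_psk(psk: str) -> list:
    """Return the problems with `psk`; an empty list means it meets the requirements."""
    problems = []
    if len(psk) < MIN_LENGTH:
        problems.append(f"shorter than the {MIN_LENGTH}-character minimum")
    if not all(c in string.printable and c not in CONTROL_CHARS for c in psk):
        problems.append("contains non-printable characters")
    if len(psk) < RECOMMENDED_LENGTH:
        problems.append(f"shorter than the recommended {RECOMMENDED_LENGTH} characters")
    if psk.lower() in WEAK_VALUES:
        problems.append("is a common weak value")
    return problems


if __name__ == "__main__":
    key = generate_psk()
    print(f"generated: {key}  ({entropy_bits(key):.0f} bits of entropy)")
    for candidate in ("abc", "password", key):
        print(f"{candidate!r}: {check_psk(candidate) or 'ok'}")
```

A 16-character key from this alphabet carries about 95 bits of entropy, which is what makes the recommended minimum meaningful against offline guessing of an aggressive-mode exchange; the same key must be entered at the remote peer, so generate it once and transfer it out of band.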
Figure 367: Phase 1 advanced settings
Enable IPSec Interface Mode This is available in NAT/Route mode only.
Create a virtual interface for the local end of the VPN tunnel. Select this
option to create a route-based VPN, clear it to create a policy-based
VPN.
IKE Version Select the version of IKE to use: 1 or 2. The default is 1. This is available
only if IPsec Interface Mode is enabled. For more information about IKE
v2, refer to RFC 4306.
IKE v2 is not available if Mode is Aggressive.
When IKE Version is 2, Mode and XAUTH are not available.
IPv6 Version Select if you want to use IPv6 addresses for the remote gateway and
interface IP addresses. This is available only when Enable IPSec
Interface Mode is enabled and IPv6 Support is enabled in the
administrative settings.
Local Gateway IP If you selected Enable IPSec Interface Mode, specify an IP address for
the local end of the VPN tunnel. Select one of the following:
Main Interface IP The FortiGate unit obtains the IP address of the
interface from the network interface settings. For more information, see
Configuring interfaces on page 145.
Specify You can specify a secondary address of the interface
selected in the phase 1 Local Interface field. For more information, see
Local Interface on page 607.
You cannot configure Interface mode in a Transparent mode VDOM.
P1 Proposal Select the encryption and authentication algorithms used to generate
keys for protecting negotiations.
Add or delete encryption and authentication algorithms as required.
Select a minimum of one and a maximum of three combinations. The
remote peer or client must be configured to use at least one of the
proposals that you define.
Select one of the following symmetric-key algorithms:
DES Digital Encryption Standard, a 64-bit block algorithm that uses a
56-bit key.
3DES Triple-DES, in which plain text is encrypted three times by three
keys.
AES128 a 128-bit block Cipher Block Chaining (CBC) algorithm that
uses a 128-bit key.
AES192 a 128-bit block Cipher Block Chaining (CBC) algorithm that
uses a 192-bit key.
AES256 a 128-bit block Cipher Block Chaining (CBC) algorithm that
uses a 256-bit key.
Select either of the following message digests to check the authenticity
of messages during phase 1 negotiations:
MD5 Message Digest 5, the hash algorithm developed by RSA Data
Security.
SHA1 Secure Hash Algorithm 1, which produces a 160-bit message
digest.
To specify a third combination, use the Add button beside the fields for
the second combination.
DH Group Select one or more Diffie-Hellman groups from DH group 1, 2, 5 and 14.
At least one of the DH Group settings on the remote peer or client must
match one of the selections on the FortiGate unit.
Keylife Type the time (in seconds) that must pass before the IKE encryption key
expires. When the key expires, a new key is generated without
interrupting service. The keylife can be from 120 to 172 800 seconds.
Local ID If the FortiGate unit will act as a VPN client and you are using peer IDs
for authentication purposes, enter the identifier that the FortiGate unit
will supply to the VPN server during the phase 1 exchange.
If the FortiGate unit will act as a VPN client and you are using security
certificates for authentication, select the distinguished name (DN) of the
local server certificate that the FortiGate unit will use for authentication
purposes.
If the FortiGate unit is a dialup client and will not be sharing a tunnel with
other dialup clients (that is, the tunnel will be dedicated to this FortiGate
dialup client), set Mode to Aggressive.
XAuth This option supports the authentication of dialup clients. It is available for
IKE v1 only.
Disable Select if you do not use XAuth.
Enable as Client If the FortiGate unit is a dialup client, type the user
name and password that the FortiGate unit will need to authenticate
itself to the remote XAuth server.
Enable as Server This is available only if Remote Gateway is set to
Dialup User. Dialup clients authenticate as members of a dialup user
group. You must first create a user group for the dialup clients that need
access to the network behind the FortiGate unit. For more information,
see Configuring a user group on page 661.
You must also configure the FortiGate unit to forward authentication
requests to an external RADIUS or LDAP authentication server. For
information about these topics, see Configuring a RADIUS server on
page 648 or Configuring an LDAP server on page 650.
Select a Server Type setting to determine the type of encryption method
to use between the FortiGate unit, the XAuth client and the external
authentication server, and then select the user group from the User
Group list.
Nat-traversal Select the check box if a NAT device exists between the local FortiGate
unit and the VPN peer or client. The local FortiGate unit and the VPN
peer or client must have the same NAT traversal setting (both selected
or both cleared) to connect reliably.
Keepalive Frequency If you enabled NAT-traversal, enter a keepalive frequency setting. The
value represents an interval ranging from 10 to 900 seconds.
Dead Peer Detection Select this check box to reestablish VPN tunnels on idle connections and
clean up dead IKE peers if required. You can use this option to receive
notification whenever a tunnel goes up or down, or to keep the tunnel
connection open when no traffic is being generated inside the tunnel.
(For example, in scenarios where a dialup client or dynamic DNS peer
connects from an IP address that changes periodically, traffic may be
suspended while the IP address changes).
With Dead Peer Detection selected, you can use the config vpn
ipsec phase1 (tunnel mode) or config vpn ipsec phase1-
interface (interface mode) CLI command to optionally specify a retry
count and a retry interval. For more information, see the FortiGate CLI
Reference.
Creating a new phase 2 configuration
After IPSec phase 1 negotiations end successfully, you begin phase 2. You configure the
phase 2 parameters to define the algorithms that the FortiGate unit may use to encrypt
and transfer data for the remainder of the session. During phase 2, you select specific
IPSec security associations needed to implement security services and establish a tunnel.
The basic phase 2 settings associate IPSec phase 2 parameters with the phase 1
configuration that specifies the remote end point of the VPN tunnel. In most cases, you
need to configure only basic phase 2 settings.
To configure phase 2 settings, go to VPN > IPSEC > Auto Key (IKE) and select Create
Phase 2. For information about how to choose the correct phase 2 settings for your
particular situation, see the FortiGate IPSec VPN User Guide.
Figure 368: New Phase 2
Name Type a name to identify the phase 2 configuration.
Phase 1 Select the phase 1 tunnel configuration. For more information, see Creating a
new phase 1 configuration on page 606. The phase 1 configuration describes
how remote VPN peers or clients will be authenticated on this tunnel, and how the
connection to the remote peer or client will be secured.
Advanced Define advanced phase 2 parameters. For more information, see Defining
phase 2 advanced settings on page 611.
Defining phase 2 advanced settings
In phase 2, the FortiGate unit and the VPN peer or client exchange keys again to establish
a secure communication channel between them. You select the encryption and
authentication algorithms needed to generate keys for protecting the implementation
details of Security Associations (SAs). These are called P2 Proposal parameters. The
keys are generated automatically using a Diffie-Hellman algorithm.
You can use a number of additional advanced phase 2 settings to enhance the operation
of the tunnel. To modify IPSec phase 2 advanced parameters, go to VPN > IPSEC >
Auto Key (IKE), select Create Phase 2, and then select Advanced. For information about
how to choose the correct advanced phase 2 settings for your particular situation, see the
FortiGate IPSec VPN User Guide.
Figure 369: Phase 2 advanced settings
P2 Proposal Select the encryption and authentication algorithms that will be proposed to
the remote VPN peer. You can specify up to three proposals. To establish a
VPN connection, at least one of the proposals that you specify must match
configuration on the remote peer.
Initially there are two proposals. Add and Delete icons are next to the
second Authentication field. To specify only one proposal, select Delete to
remove the second proposal. To specify a third proposal, select Add.
It is invalid to set both Encryption and Authentication to NULL.
Encryption Select one of the following symmetric-key algorithms:
NULL Do not use an encryption algorithm.
DES Digital Encryption Standard, a 64-bit block algorithm that uses a 56-
bit key.
3DES Triple-DES, in which plain text is encrypted three times by three
keys.
AES128 a 128-bit block Cipher Block Chaining (CBC) algorithm that uses
a 128-bit key.
AES192 a 128-bit block Cipher Block Chaining (CBC) algorithm that uses
a 192-bit key.
AES256 a 128-bit block Cipher Block Chaining (CBC) algorithm that uses
a 256-bit key.
Authentication Select one of the following message digests to check the authenticity of
messages during an encrypted session:
NULL Do not use a message digest.
MD5 Message Digest 5, the hash algorithm developed by RSA Data
Security.
SHA1 Secure Hash Algorithm 1, which produces a 160-bit message
digest.
SHA256 Secure Hash Algorithm 2, which produces a 256-bit message
digest.
Enable replay detection Optionally enable or disable replay detection. Replay attacks occur when an
unauthorized party intercepts a series of IPSec packets and replays them
back into the tunnel.
Enable perfect forward secrecy (PFS) Enable or disable PFS. Perfect forward secrecy (PFS) improves security by
forcing a new Diffie-Hellman exchange whenever keylife expires.
DH Group Select one Diffie-Hellman group (1, 2, 5 or 14). This must match the DH
Group that the remote peer or dialup client uses.
Keylife Select the method for determining when the phase 2 key expires: Seconds,
KBytes, or Both. If you select Both, the key expires when either the time has
passed or the number of KB have been processed. The range is from 120 to
172 800 seconds, or from 5120 to 2 147 483 648 KB.
Autokey Keep Alive Select the check box if you want the tunnel to remain active when no data is
being processed.
DHCP-IPSec Provide IP addresses dynamically to VPN clients. This is available for
phase 2 configurations associated with a dialup phase 1 configuration.
You also need to configure a DHCP server or relay on the private network
interface. You must configure the DHCP parameters separately. For more
information, see System DHCP on page 199.
If you configure the DHCP server to assign IP addresses based on RADIUS
user group attributes, you must also set the Phase 1 Peer Options to Accept
peer ID in dialup group and select the appropriate user group. See Creating
a new phase 1 configuration on page 606.
If the FortiGate unit acts as a dialup server and you manually assigned
FortiClient dialup clients VIP addresses that match the network behind the
dialup server, selecting the check box will cause the FortiGate unit to act as
a proxy for the dialup clients.
Note: You can configure settings so that VPN users can browse the Internet through the
FortiGate unit. For more information, see Internet browsing configuration on page 616.
Quick Mode Selector Optionally specify the source and destination IP addresses to be used as selectors
for IKE negotiations. If the FortiGate unit is a dialup server, you should keep the
default value 0.0.0.0/0 unless you need to circumvent problems caused by
ambiguous IP addresses between one or more of the private networks making up
the VPN. You can specify a single host IP address, an IP address range, or a
network address. You may optionally specify source and destination port numbers
and a protocol number.
If you are editing an existing phase 2 configuration, the Source address and
Destination address fields are unavailable if the tunnel has been configured to use
firewall addresses as selectors. This option exists only in the CLI. For more
information, see the dst-addr-type, dst-name, src-addr-type and src-name
keywords for the vpn ipsec phase2 command in the FortiGate CLI
Reference.
Source address If the FortiGate unit is a dialup server, type the source IP
address that corresponds to the local senders or network
behind the local VPN peer (for example, 172.16.5.0/24 or
172.16.5.0/255.255.255.0 for a subnet, or
172.16.5.1/32 or 172.16.5.1/255.255.255.255 for a
server or host, or 192.168.10.[80-100] or
192.168.10.80-192.168.10.100 for an address range).
A value of 0.0.0.0/0 means all IP addresses behind the
local VPN peer.
If the FortiGate unit is a dialup client, source address must
refer to the private network behind the FortiGate dialup client.
Source port Type the port number that the local VPN peer uses to
transport traffic related to the specified service (protocol
number). The range is from 0 to 65535. To specify all ports,
type 0.
Destination address Type the destination IP address that corresponds to the
recipients or network behind the remote VPN peer (for
example, 192.168.20.0/24 for a subnet, or
172.16.5.1/32 for a server or host, or 192.168.10.[80-100]
for an address range). A value of 0.0.0.0/0 means all
IP addresses behind the remote VPN peer.
Destination port Type the port number that the remote VPN peer uses to
transport traffic related to the specified service (protocol
number). The range is from 0 to 65535. To specify all ports,
type 0.
Protocol Type the IP protocol number of the service. The range is from
0 to 255. To specify all services, type 0.
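The Source address and Destination address fields accept several notations for the same thing (prefix length, dotted mask, bracketed range, two-address range, a bare host and the 0.0.0.0/0 catch-all). The following Python code is an added example, not part of this guide or of FortiOS: it parses each of those forms into an inclusive address range and decides whether a packet (source, destination, ports, protocol) falls inside a selector, treating port 0 and protocol 0 as "any", as the fields describe. The Selector, Packet and select_phase2 names and the first-match lookup are the example's own simplification, and the selectors and packets in the demonstration are constructed.

```python
import ipaddress
from dataclasses import dataclass


def parse_address(text: str):
    """Return the inclusive (first, last) IPv4 addresses a selector address covers.

    Accepts every form the address fields describe: a.b.c.d/len,
    a.b.c.d/dotted-mask, a.b.c.d-a.b.c.d, a.b.c.[lo-hi], and a bare host.
    """
    text = text.strip()
    if "[" in text:                                    # 192.168.10.[80-100]
        prefix, rest = text.split("[", 1)
        lo, hi = rest.rstrip("]").split("-", 1)
        first, last = ipaddress.IPv4Address(prefix + lo), ipaddress.IPv4Address(prefix + hi)
    elif "-" in text:                                  # 192.168.10.80-192.168.10.100
        lo, hi = text.split("-", 1)
        first, last = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
    else:                                              # 172.16.5.0/24, 172.16.5.0/255.255.255.0, 172.16.5.1
        net = ipaddress.IPv4Network(text, strict=False)   # strict=False tolerates host bits set
        first, last = net.network_address, net.broadcast_address
    if first > last:
        raise ValueError(f"range start is after its end: {text}")
    return first, last


@dataclass(frozen=True)
class Packet:
    """The fields of one packet that a selector is matched against (constructed)."""
    src: str
    dst: str
    src_port: int = 0
    dst_port: int = 0
    protocol: int = 0


@dataclass(frozen=True)
class Selector:
    """One quick mode selector. Port 0 and protocol 0 mean 'any', as in the form."""
    src: str
    dst: str
    src_port: int = 0
    dst_port: int = 0
    protocol: int = 0

    def __post_init__(self):
        for port in (self.src_port, self.dst_port):
            if not 0 <= port <= 65535:
                raise ValueError(f"port {port} outside 0..65535")
        if not 0 <= self.protocol <= 255:
            raise ValueError(f"protocol {self.protocol} outside 0..255")
        parse_address(self.src)      # fail early on a malformed address
        parse_address(self.dst)

    def matches(self, pkt: Packet) -> bool:
        s_lo, s_hi = parse_address(self.src)
        d_lo, d_hi = parse_address(self.dst)
        return (s_lo <= ipaddress.IPv4Address(pkt.src) <= s_hi
                and d_lo <= ipaddress.IPv4Address(pkt.dst) <= d_hi
                and self.src_port in (0, pkt.src_port)
                and self.dst_port in (0, pkt.dst_port)
                and self.protocol in (0, pkt.protocol))


def select_phase2(selectors, pkt: Packet):
    """Return the name of the first (name, Selector) entry that matches, or None.

    First-match order is this example's own simplification; it shows why a
    0.0.0.0/0 selector placed before a more specific one hides the specific one.
    """
    for name, sel in selectors:
        if sel.matches(pkt):
            return name
    return None


if __name__ == "__main__":
    table = [   # constructed phase 2 selectors
        ("to_branch", Selector("172.16.5.0/24", "192.168.20.0/24")),
        ("to_dialup", Selector("172.16.5.0/255.255.255.0", "192.168.10.[80-100]",
                               dst_port=443, protocol=6)),
        ("catch_all", Selector("0.0.0.0/0", "0.0.0.0/0")),
    ]
    for pkt in (Packet("172.16.5.10", "192.168.20.7", 40000, 80, 6),
                Packet("172.16.5.10", "192.168.10.90", 40000, 443, 6),
                Packet("172.16.5.10", "192.168.10.90", 40000, 443, 17),
                Packet("10.0.0.1", "8.8.8.8")):
        print(pkt, "->", select_phase2(table, pkt))
```

Because the same range can be written four ways, a tool like this is also the quickest way to confirm that the selectors typed on two peers actually describe the same networks before a tunnel is brought up.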
Manual Key
If required, you can manually define cryptographic keys for establishing an IPSec VPN
tunnel. You would define manual keys in situations where:
You require prior knowledge of the encryption or authentication key (that is, one of the
VPN peers requires a specific IPSec encryption or authentication key).
You need to disable encryption and authentication.
In both cases, you do not specify IPSec phase 1 and phase 2 parameters; you define
manual keys by going to VPN > IPSEC > Manual Key instead.
For general information about how to configure an IPSec VPN, see the FortiGate IPSec
VPN User Guide.
Figure 370: Manual Key list
Creating a new manual key configuration
If one of the VPN devices is manually keyed, the other VPN device must also be manually
keyed with the identical authentication and encryption keys. In addition, it is essential that
both VPN devices be configured with complementary Security Parameter Index (SPI)
settings. The administrators of the devices need to cooperate to achieve this.
Each SPI identifies a Security Association (SA). The value is placed in ESP datagrams to
link the datagrams to the SA. When an ESP datagram is received, the recipient refers to
the SPI to determine which SA applies to the datagram. You must manually specify an SPI
for each SA. There is an SA for each direction, so for each VPN you must specify two
SPIs, a local SPI and a remote SPI, to cover bidirectional communications between two
VPN devices.
Note: You should use manual keys only if it is unavoidable. There are potential difficulties in
keeping keys confidential and in propagating changed keys to remote VPN peers securely.
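The paragraph above explains that the SPI carried in each ESP datagram tells the receiver which SA applies, and the phase 2 option Enable replay detection (described earlier) rejects datagrams that an unauthorized party has intercepted and replayed into the tunnel. The following Python code is an added example, not part of this guide or of FortiOS: it keeps a small SA database keyed by SPI, gives each inbound SA a 64-packet sliding anti-replay window of the kind RFC 4303 describes, and feeds it a constructed run of datagrams in which some sequence numbers are repeated. The EspReceiver and ReplayWindow names, the SPI values and the datagrams are the example's own.

```python
import struct

# ESP header fields that precede the protected payload: SPI and sequence number,
# both 32-bit, network byte order.
ESP_HEADER = struct.Struct("!II")
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF      # valid SPI range given for the manual key form


class ReplayWindow:
    """Sliding anti-replay window of 64 sequence numbers.

    `highest` is the largest sequence number accepted; bit i of `bitmap`
    records whether `highest - i` has already been accepted.
    """
    SIZE = 64

    def __init__(self):
        self.highest = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True and record `seq` if it is new; False for replays and stale packets."""
        if seq == 0:
            return False                            # ESP sequence numbers start at 1
        if seq > self.highest:                      # new maximum: slide the window forward
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.SIZE) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.SIZE:
            return False                            # older than the window: cannot be checked, drop
        if self.bitmap & (1 << offset):
            return False                            # already accepted once: replay
        self.bitmap |= 1 << offset                  # late but legitimate reordering
        return True


class EspReceiver:
    """Inbound side of a manually keyed tunnel: a Security Association Database keyed by SPI."""

    def __init__(self):
        self.sad = {}   # spi -> (description, ReplayWindow)

    def add_sa(self, spi: int, description: str):
        """Install an inbound SA. Its SPI is this unit's Remote SPI, the peer's Local SPI."""
        if not SPI_MIN <= spi <= SPI_MAX:
            raise ValueError(f"SPI {spi:#x} outside {SPI_MIN:#x}..{SPI_MAX:#x}")
        self.sad[spi] = (description, ReplayWindow())

    def receive(self, datagram: bytes):
        """Return (accepted, reason) for one ESP datagram."""
        if len(datagram) < ESP_HEADER.size:
            return False, "truncated ESP header"
        spi, seq = ESP_HEADER.unpack_from(datagram)
        entry = self.sad.get(spi)
        if entry is None:
            return False, f"spi={spi:#010x}: no matching SA"
        description, window = entry
        if not window.check_and_update(seq):
            return False, f"spi={spi:#010x} seq={seq}: replayed or outside window ({description})"
        return True, f"spi={spi:#010x} seq={seq}: accepted ({description})"


def esp_datagram(spi: int, seq: int, payload: bytes = b"") -> bytes:
    """Build a constructed ESP datagram: header followed by an opaque payload."""
    return ESP_HEADER.pack(spi, seq) + payload


if __name__ == "__main__":
    rx = EspReceiver()
    rx.add_sa(0x1000, "inbound SA from peer A")    # constructed SPI
    # 2 and 3 arrive a second time (replays); 5 arrives after 70 has moved the window past it.
    for seq in (1, 2, 3, 2, 5, 4, 3, 70, 5):
        print(rx.receive(esp_datagram(0x1000, seq)))
    print(rx.receive(esp_datagram(0x2000, 1)))     # SPI with no SA installed
```

The window is what makes replay detection cheap: the receiver never stores old packets, only the high-water mark and 64 bits, and a datagram that is older than the window is dropped rather than trusted. With manual keys the sequence number restarts at 1 every time the unit reboots, which is one more reason the guide recommends automatic keying whenever possible.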
Create New Create a new manual key configuration. See Creating a new manual key
configuration on page 614.
Tunnel Name The names of existing manual key configurations.
Remote Gateway The IP addresses of remote peers or dialup clients.
Encryption Algorithm The names of the encryption algorithms specified in the manual key
configurations.
Authentication Algorithm The names of the authentication algorithms specified in the manual key
configurations.
Delete and Edit icons Delete or edit a manual key configuration.
Caution: If you are not familiar with the security policies, SAs, selectors, and SA databases
for your particular installation, do not attempt the following procedure without qualified
assistance.
To specify manual keys for creating a tunnel, go to VPN > IPSEC > Manual Key and
select Create New.
Figure 371: New Manual Key
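The fields of this form are described below. As an added example that is not part of this guide or of FortiOS, the following Python script produces settings for both ends of a manually keyed tunnel that satisfy them: identical encryption and authentication keys of the length each algorithm requires, laid out in 16-character hexadecimal segments, and Local and Remote SPIs in the 0x100 to 0xffffffff range swapped between the two ends. It also checks a set of typed-in values against the same rules before they are entered on a unit. The dictionary key names (enckey, authkey, local_spi, remote_spi) are the example's own, not CLI keywords.

```python
import secrets

# Key lengths in hexadecimal characters required by the Encryption Key and
# Authentication Key fields, per algorithm. "null" needs no key.
ENC_KEY_HEX = {"null": 0, "des": 16, "3des": 48, "aes128": 32, "aes192": 48, "aes256": 64}
AUTH_KEY_HEX = {"null": 0, "md5": 32, "sha1": 40, "sha256": 64}
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF
HEX_DIGITS = set("0123456789abcdef")


def segmented(hexkey: str) -> str:
    """Lay a hex key out in 16-character segments, as the form describes the keys
    (a 40-character SHA1 key becomes two segments of 16 plus one of 8)."""
    return " ".join(hexkey[i:i + 16] for i in range(0, len(hexkey), 16))


def generate_manual_key_pair(enc_alg: str, auth_alg: str):
    """Return (local, remote) settings for the two ends of one manually keyed tunnel.

    Both ends get identical keys from the OS CSPRNG, and their SPIs are
    complementary: the local end's Local SPI is the remote end's Remote SPI
    and vice versa.
    """
    if enc_alg == "null" and auth_alg == "null":
        raise ValueError("encryption and authentication cannot both be NULL")
    enc_key = secrets.token_hex(ENC_KEY_HEX[enc_alg] // 2)
    auth_key = secrets.token_hex(AUTH_KEY_HEX[auth_alg] // 2)
    spi_a = SPI_MIN + secrets.randbelow(SPI_MAX - SPI_MIN + 1)
    spi_b = SPI_MIN + secrets.randbelow(SPI_MAX - SPI_MIN + 1)
    shared = {"encryption": enc_alg, "enckey": segmented(enc_key),
              "authentication": auth_alg, "authkey": segmented(auth_key)}
    local = dict(shared, local_spi=spi_a, remote_spi=spi_b)
    remote = dict(shared, local_spi=spi_b, remote_spi=spi_a)
    return local, remote


def validate_manual_key(cfg: dict) -> list:
    """Return the problems with one end's settings; an empty list means they are acceptable."""
    problems = []
    enc, auth = cfg["encryption"], cfg["authentication"]
    if enc == "null" and auth == "null":
        problems.append("encryption and authentication cannot both be NULL")
    for field, alg, table in (("enckey", enc, ENC_KEY_HEX), ("authkey", auth, AUTH_KEY_HEX)):
        if alg not in table:
            problems.append(f"{field}: unknown algorithm {alg!r}")
            continue
        key = cfg[field].replace(" ", "")          # segments are separated by spaces
        if len(key) != table[alg]:
            problems.append(f"{field}: expected {table[alg]} hex characters for {alg}, got {len(key)}")
        if set(key) - HEX_DIGITS:
            problems.append(f"{field}: characters other than 0-9 and a-f")
    for field in ("local_spi", "remote_spi"):
        if not SPI_MIN <= cfg[field] <= SPI_MAX:
            problems.append(f"{field}: {cfg[field]:#x} outside {SPI_MIN:#x}..{SPI_MAX:#x}")
    return problems


def peers_complementary(local: dict, remote: dict) -> list:
    """Check the two ends against each other: identical keys, swapped SPIs."""
    problems = []
    for field in ("encryption", "enckey", "authentication", "authkey"):
        if local[field] != remote[field]:
            problems.append(f"{field} differs between the peers")
    if local["local_spi"] != remote["remote_spi"]:
        problems.append("local Local SPI does not match remote Remote SPI")
    if local["remote_spi"] != remote["local_spi"]:
        problems.append("local Remote SPI does not match remote Local SPI")
    return problems


if __name__ == "__main__":
    local, remote = generate_manual_key_pair("aes256", "sha256")
    for end, cfg in (("local", local), ("remote", remote)):
        shown = {k: (f"{v:x}" if k.endswith("spi") else v) for k, v in cfg.items()}
        print(end, shown, validate_manual_key(cfg) or "ok")
    print("pair:", peers_complementary(local, remote) or "ok")
    # A key typed one segment short is caught before it reaches the unit.
    print(validate_manual_key(dict(local, enckey=local["enckey"][:-17])))
```

Generating both ends from one run and then checking them against each other removes the two classic manual-key mistakes, a key segment dropped while transcribing and the SPIs entered the same way round on both peers; the output still has to reach the remote administrator over a confidential channel, which is the difficulty the note above warns about.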
Name Type a name for the VPN tunnel. The maximum name length is 15 characters
for an interface mode VPN, 35 characters for a policy-based VPN.
Local SPI Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the
SA that handles outbound traffic on the local FortiGate unit. The valid range is
from 0x100 to 0xffffffff. This value must match the Remote SPI value in
the manual key configuration at the remote peer.
Remote SPI Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the
SA that handles inbound traffic on the local FortiGate unit. The valid range is
from 0x100 to 0xffffffff. This value must match the Local SPI value in
the manual key configuration at the remote peer.
Remote Gateway Type the IP address of the public interface to the remote peer. The address
identifies the recipient of ESP datagrams.
Local Interface This option is available in NAT/Route mode only. Select the name of the
interface to which the IPSec tunnel will be bound. The FortiGate unit obtains
the IP address of the interface from the network interface settings. For more
information, see Configuring interfaces on page 145.
Encryption Algorithm Select one of the following symmetric-key encryption algorithms:
DES Digital Encryption Standard, a 64-bit block algorithm that uses a 56-
bit key.
3DES Triple-DES, in which plain text is encrypted three times by three
keys.
AES128 a 128-bit block Cipher Block Chaining (CBC) algorithm that uses
a 128-bit key.
AES192 a 128-bit block Cipher Block Chaining (CBC) algorithm that uses
a 192-bit key.
AES256 a 128-bit block Cipher Block Chaining (CBC) algorithm that uses
a 256-bit key.
Note: The algorithms for encryption and authentication cannot both be NULL.
Encryption Key Enter an encryption key appropriate to the encryption algorithm:
for DES, type a 16-character hexadecimal number (0-9, a-f).
for 3DES, type a 48-character hexadecimal number (0-9, a-f) separated
into three segments of 16 characters.
for AES128, type a 32-character hexadecimal number (0-9, a-f) separated
into two segments of 16 characters.
for AES192, type a 48-character hexadecimal number (0-9, a-f) separated
into three segments of 16 characters.
for AES256, type a 64-character hexadecimal number (0-9, a-f) separated
into four segments of 16 characters.
Authentication Algorithm Select one of the following message digests:
MD5 Message Digest 5 algorithm, which produces a 128-bit message
digest.
SHA1 Secure Hash Algorithm 1, which produces a 160-bit message
digest.
SHA256 Secure Hash Algorithm 2, which produces a 256-bit message
digest.
Note: The algorithms for encryption and authentication cannot both be NULL.
Authentication Key Enter an authentication key appropriate to the authentication algorithm:
for MD5, type a 32-character hexadecimal number separated into two
segments of 16 characters.
for SHA1, type a 40-character hexadecimal number separated into two
segments of 16 characters and a third segment of 8 characters.
for SHA256, type a 64-character hexadecimal number separated into four
segments of 16 characters.
Digits can be 0 to 9, and a to f.
IPSec Interface Mode Create a virtual interface for the local end of the VPN tunnel. Select this check
box to create a route-based VPN, clear it to create a policy-based VPN.
This is available only in NAT/Route mode.
Internet browsing configuration
By using appropriate firewall policies, you can enable VPN users to browse the Internet
through the FortiGate unit. The required policies are different for policy-based and route-
based VPNs. For more information, see Configuring firewall policies on page 367.
To create a policy-based VPN Internet browsing configuration
1 Go to Firewall > Policy.
2 Select Create New and enter the following information.
Source Interface/Zone Select the FortiGate unit public interface.
Source Address Select All.
Destination Interface/Zone Select the FortiGate unit public interface.
Destination Address Select the remote network address name.
Action Select IPSEC.
VPN Tunnel Select the tunnel that provides access to the private network
behind the FortiGate unit.
Inbound NAT Select the check box.
3 Configure other settings as required.
4 Select OK.
To configure a route-based VPN Internet browsing configuration
1 Go to Firewall > Policy.
2 Select Create New and enter the following information.
Source Interface/Zone Select the IPSec interface.
Source Address Select All.
Destination Interface/Zone Select the FortiGate unit public interface.
Destination Address Select All.
Action Select ACCEPT.
NAT Select the check box.
3 Configure other settings as required.
4 Select OK.
Concentrator
In a hub-and-spoke configuration, policy-based VPN connections to a number of remote
peers radiate from a single, central FortiGate unit. Site-to-site connections between the
remote peers do not exist; however, you can establish VPN tunnels between any two of
the remote peers through the FortiGate unit hub.
In a hub-and-spoke network, all VPN tunnels terminate at the hub. The peers that connect
to the hub are known as spokes. The hub functions as a concentrator on the network,
managing all VPN connections between the spokes. VPN traffic passes from one tunnel to
the other through the hub.
You define a concentrator to include spokes in the hub-and-spoke configuration.
To define a concentrator, go to VPN > IPSEC > Concentrator. For detailed information and
step-by-step procedures about how to set up a hub-and-spoke configuration, see the
FortiGate IPSec VPN User Guide.
Figure 372: Concentrator list
Create New Define a new concentrator for an IPSec hub-and-spoke configuration. For
more information, see Defining concentrator options on page 617.
Concentrator Name The names of existing IPSec VPN concentrators.
Members The tunnels that are associated with the concentrators.
Delete and Edit icons Delete or edit a concentrator.
Defining concentrator options
A concentrator configuration specifies which spokes to include in an IPSec hub-and-spoke
configuration.
To specify the spokes of an IPSec hub-and-spoke configuration, go to VPN > IPSEC >
Concentrator and select Create New.
Figure 373: New VPN Concentrator
Concentrator Name Type a name for the concentrator.
Available Tunnels A list of defined IPSec VPN tunnels. Select a tunnel from the list and then
select the right arrow. Repeat these steps until all of the tunnels associated
with the spokes are included in the concentrator.
Members A list of tunnels that are members of the concentrator. To remove a tunnel
from the concentrator, select the tunnel and select the left arrow.
Monitoring VPNs
You can use the IPSec monitor to view activity on IPSec VPN tunnels and start or stop
those tunnels. The display provides a list of addresses, proxy IDs, and timeout information
for all active tunnels, including tunnel mode and route-based (interface mode) tunnels.
You can use filters to control the information displayed in the list. For more information,
see Adding filters to web-based manager lists on page 57.
To view active tunnels, go to VPN > IPSec > Monitor.
For Dialup VPNs, the list provides status information about the VPN tunnels established
by dialup clients, including their IP addresses. The number of tunnels shown in the list can
change as dialup clients connect and disconnect.
For Static IP or dynamic DNS VPNs, the list provides status and IP addressing information
about VPN tunnels, active or not, to remote peers that have static IP addresses or domain
names. You can also start and stop individual tunnels from the list.
Figure 374: IPSec Monitor list
Type Select the types of VPN to display: All, Dialup, or Static IP or Dynamic DNS.
Column Settings Customize the table view. You can select the columns to hide or display and
specify the column display order in the table. For more information, see Using
column settings to control the columns displayed on page 61 and Web-based
manager icons on page 63.
Clear All Filters Select to clear any column display filters you might have applied.
Current Page The current page number of list items that are displayed. Select the left and right
arrows to display the first, previous, next or last page of monitored VPNs.
Filter icons Edit the column filters to filter or sort the IPSec monitor list according to the
criteria you specify. For more information, see Adding filters to web-based
manager lists on page 57.
Name The name of the phase 1 configuration for the VPN.
Remote Gateway The public IP address of the remote host device, or if a NAT device exists in front
of the remote host, the public IP address of the NAT device.
Remote Port The UDP port of the remote host device, or if a NAT device exists in front of the
remote host, the UDP port of the NAT device. Zero (0) indicates that any port can
be used.
Proxy ID Source The IP addresses of the hosts, servers, or private networks behind the FortiGate
unit. The page may display a network range if the source address in the firewall
encryption policy was expressed as a range of IP addresses.
Proxy ID Destination When a FortiClient dialup client establishes a tunnel:
If VIP addresses are not used, the Proxy ID Destination field displays the
public IP address of the remote host Network Interface Card (NIC).
If VIP addresses were configured (manually or through FortiGate DHCP
relay), the Proxy ID Destination field displays either the VIP address belonging
to the FortiClient dialup client, or the subnet address from which VIP
addresses were assigned.
When a FortiGate dialup client establishes a tunnel, the Proxy ID Destination field
displays the IP address of the remote private network.
Tunnel up or tunnel down icon A green arrow means the tunnel is currently processing traffic. Select to bring
down the tunnel.
A red arrow means the tunnel is not processing traffic. Select to bring up the
tunnel.
PPTP VPN
FortiGate units support PPTP to tunnel PPP traffic between two VPN peers. Windows or
Linux PPTP clients can establish a PPTP tunnel with a FortiGate unit that has been
configured to act as a PPTP server. As an alternative, you can configure the FortiGate unit
to forward PPTP packets to a PPTP server on the network behind the FortiGate unit.
PPTP VPN is available only in NAT/Route mode. The current maximum number of PPTP
sessions is 254. If you enable virtual domains (VDOMs) on the FortiGate unit, you need to
configure VPN PPTP separately for each virtual domain. For more information, see Using
virtual domains on page 125.
When you intend to use the FortiGate unit as a PPTP gateway, you can select a PPTP
client IP from a local address range or use the server defined in the PPTP user group. You
select which method to use for IP address retrieval and, in the case of the user group
server, provide the IP address and the user group.
This section explains how to specify a range of IP addresses for PPTP clients or configure
the PPTP client-side IP address to be used in the tunnel setup. For information about how
to perform other related PPTP VPN setup tasks, see the FortiGate PPTP VPN User
Guide.
This section describes:
PPTP configuration using FortiGate web-based manager
PPTP configuration using CLI commands
PPTP configuration using FortiGate web-based manager
To configure the PPTP tunnel, create a customized screen in the web-based manager.
The PPTP Range tab is found under the Categories heading as a selection in the
Additional category:
Note: The PPTP feature is disabled by default in the FortiGate web-based manager. You configure the PPTP tunnel by creating a customized FortiGate screen.
Figure 375: Categories > Additional > PPTP Range
For information about creating customized screens in the FortiGate web-based manager,
see Customizable web-based manager on page 268.
PPTP requires two IP addresses, one for each end of the tunnel. The PPTP address
range is the range of addresses reserved for remote PPTP clients. When the remote
PPTP client establishes a connection, the FortiGate unit assigns an IP address from the
reserved range of IP addresses to the client PPTP interface or retrieves the assigned IP
address from the PPTP user group. If you use the PPTP user group, you must also define
the FortiGate end of the tunnel by entering the IP address of the unit in Local IP (web-based manager) or local-ip (CLI). The PPTP client uses the assigned IP address as its
source address for the duration of the connection.
To enable PPTP and specify the PPTP address range, or specify the IP address for the peer's remote IP on the PPTP client side, go to the customized screen in the web-based manager, select the required options, and then select Apply.
Note: The start and end IPs in the PPTP address range must be in the same 24-bit subnet,
e.g. 192.168.1.1 - 192.168.1.254.
Figure 376: Edit PPTP range options, showing both Range and User Group
PPTP configuration using CLI commands
If you prefer not to set up a customized screen in the FortiGate web-based manager, you
can configure the PPTP tunnel using CLI.
Syntax
config vpn pptp
    set eip <address_ipv4>
    set ip-mode {range | usrgrp}
    set local-ip <address_localip>
    set sip <address_ipv4>
    set status {disable | enable}
    set usrgrp <group_name>
end
Enable PPTP: Enable PPTP. You must add a user group before you can select the option. See User Group on page 658.
IP Mode: Select how PPTP users are assigned an IP address.
  Range: Users' IP addresses are assigned from the range of IP addresses configured by Starting IP and Ending IP.
  User Group: Users' IP addresses are assigned by the user group used to authenticate the user. Select the user group. See Dynamically assigning VPN client IP addresses from a user group on page 665.
Starting IP: Type the starting address in the range of reserved IP addresses.
Ending IP: Type the ending address in the range of reserved IP addresses.
Local IP: Type the IP address to be used for the peer's remote IP on the PPTP client side.
User Group: Select the PPTP user group from the list.
Disable PPTP: Select to disable PPTP support.
Variables, Description, Default
eip <address_ipv4>: The ending address of the PPTP address range. Default: 0.0.0.0
ip-mode {range | usrgrp}: Select one of:
  range: Assign user IP addresses from the IP address range configured by sip and eip.
  usrgrp: Retrieve the IP address from the user group used to authenticate the user. Select the user group in usrgrp.
  Default: range
local-ip <address_localip>: Enter the IP address to be used for the peer's remote IP on the PPTP client side. Default: 0.0.0.0
sip <address_ipv4>: The starting address of the PPTP IP address range. Default: 0.0.0.0
status {disable | enable}: Enable or disable PPTP VPN. Default: disable
usrgrp <group_name>: This keyword is available when ip-mode is set to usrgrp. Enter the name of the user group for authenticating PPTP clients. The user group must be added to the FortiGate configuration before it can be specified here. Default: Null.
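The rules above (sip and eip in the same 24-bit subnet, the 254-session limit, usrgrp and local-ip required in usrgrp mode) can be checked before a block is pasted into the CLI. The following is an added example in Python, not Fortinet code; the sample block is constructed, and the "wider than 254 addresses" check is an inference from the session limit rather than a documented CLI error.

```python
import ipaddress
import shlex

# Constructed sample: the block as the Syntax section shows it
SAMPLE_PPTP_CLI = """\
config vpn pptp
    set status enable
    set ip-mode range
    set sip 192.168.1.1
    set eip 192.168.1.254
end
"""

# Stated in the guide: the current maximum is 254 PPTP sessions
MAX_PPTP_SESSIONS = 254

# Defaults from the variables table (usrgrp has no default, "Null")
DEFAULTS = {"status": "disable", "ip-mode": "range",
            "sip": "0.0.0.0", "eip": "0.0.0.0", "local-ip": "0.0.0.0"}


def parse_pptp_block(cli_text):
    """Collect 'set <keyword> <value>' lines inside config vpn pptp ... end.

    Values may be quoted (set usrgrp "pptp_users"); shlex strips the quotes.
    Keywords that are not set keep the defaults from the variables table.
    """
    settings = dict(DEFAULTS)
    inside = False
    for raw in cli_text.splitlines():
        parts = shlex.split(raw)
        if not parts:
            continue
        if parts[:3] == ["config", "vpn", "pptp"]:
            inside = True
        elif parts[0] == "end":
            inside = False
        elif inside and parts[0] == "set" and len(parts) >= 3:
            settings[parts[1]] = parts[2]
    return settings


def validate_pptp(settings):
    """Return the list of problems found; an empty list means consistent."""
    problems = []
    if settings["status"] != "enable":
        problems.append("status is disable: PPTP VPN is not active")
    mode = settings["ip-mode"]
    if mode == "range":
        try:
            sip = ipaddress.IPv4Address(settings["sip"])
            eip = ipaddress.IPv4Address(settings["eip"])
        except ValueError as exc:
            return problems + [f"invalid address: {exc}"]
        unset = ipaddress.IPv4Address("0.0.0.0")
        if sip == unset or eip == unset:
            problems.append("ip-mode range needs both sip and eip")
        elif eip < sip:
            problems.append("eip is lower than sip")
        elif (ipaddress.ip_network(f"{sip}/24", strict=False)
              != ipaddress.ip_network(f"{eip}/24", strict=False)):
            # The guide's note: start and end must share one 24-bit subnet
            problems.append("sip and eip must be in the same 24-bit subnet")
        elif int(eip) - int(sip) + 1 > MAX_PPTP_SESSIONS:
            # Inferred check: with at most 254 sessions, a wider range
            # (for example .0 to .255) can never be fully used
            problems.append("range is wider than the 254-session limit")
    elif mode == "usrgrp":
        if not settings.get("usrgrp"):
            problems.append("ip-mode usrgrp needs usrgrp (an existing user group)")
        if settings["local-ip"] == "0.0.0.0":
            # The guide: the FortiGate end of the tunnel must be given in local-ip
            problems.append("ip-mode usrgrp needs local-ip (the FortiGate end)")
    else:
        problems.append(f"unknown ip-mode {mode!r}")
    return problems


def check_pptp_cli(cli_text):
    """Parse and validate in one step; returns the problem list."""
    return validate_pptp(parse_pptp_block(cli_text))


if __name__ == "__main__":
    for line in check_pptp_cli(SAMPLE_PPTP_CLI) or ["OK: block is consistent"]:
        print(line)
```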
SSL VPN
An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that can be used with a standard Web browser. SSL VPN does not require the installation of specialized client software on end users' computers, and is ideal for applications including web-based email, business and government directories, file sharing, remote backup, remote system management, and consumer-level electronic commerce.
The two modes of SSL VPN operation (supported in NAT/Route mode only) are:
web-only mode, for thin remote clients equipped with a web-browser only.
tunnel mode, for remote computers that run a variety of client and server applications.
When the FortiGate unit provides services in web-only mode, a secure connection
between the remote client and the FortiGate unit is established through the SSL VPN
security in the FortiGate unit and the SSL security in the web browser. After the
connection has been established, the FortiGate unit provides access to selected services
and network resources through a web portal. The FortiGate SSL VPN web portal has a
widget-based layout with customizable themes. Each widget is displayed in a 1- or 2-
column format with the ability to modify settings, minimize the widget window, or other
functions depending on the type of content within the widget.
When users have complete administrative rights over their computers and use a variety of
applications, tunnel mode allows remote clients to access the local internal network as if
they were connected to the network directly.
This section provides information about the features of SSL VPN available for
configuration in the web-based manager. Only FortiGate units that run in NAT/Route mode
support the SSL VPN feature.
If you enable virtual domains (VDOMs) on the FortiGate unit, VPN SSL is configured
separately for each virtual domain. For details, see Using virtual domains on page 125.
This section describes:
ssl.root
Configuring SSL VPN
SSL VPN web portal
Configuring web portal layout
Configuring the virtual desktop
Virtual Desktop Application Control
Host Check list
SSL VPN monitor list
Note: For detailed instructions about how to configure web-only mode or tunnel-mode
operation, see the FortiGate SSL VPN User Guide.
ssl.root
The FortiGate unit has a virtual SSL VPN interface called ssl.<vdomname>. The root
VDOM, called ssl.root, appears in the firewall policy interface lists and static route
interface lists. You can use the ssl.root interface to allow access to additional networks and facilitate a connected user's ability to browse the Internet through the FortiGate unit.
SSL VPN tunnel-mode access requires the following firewall policies:
External > Internal, with the action set to SSL, with an SSL user group
ssl.root > Internal, with the action set to Accept
Internal > ssl.root, with the action set to Accept.
Access also requires a new static route: Destination network = <ssl tunnel mode assigned range>, interface = ssl.root.
If you are configuring Internet access through an SSL VPN tunnel, you must add the following configuration: ssl.root > External, with the action set to Accept, NAT enabled.
Configuring SSL VPN
You can configure basic SSL VPN settings including timeout values and SSL encryption
preferences. If required, you can also enable the use of digital certificates for
authenticating remote clients.
To enable SSL VPN connections and configure SSL VPN settings, go to VPN > SSL >
Config and select Enable SSL-VPN. When you have completed configuring the settings,
select Apply.
Figure 377: SSL-VPN Settings
Note: If required, you can enable SSL version 2 encryption (for compatibility with older browsers) through a FortiGate CLI command. For more information, see the ssl settings command in the FortiGate CLI Reference.
SSL VPN web portal
The SSL VPN Service portal allows you to access network resources through a secure
channel using a web browser. FortiGate administrators can configure log in privileges for
system users and which network resources are available to the users, such as
HTTP/HTTPS, telnet, FTP, SMB/CIFS, VNC, RDP and SSH.
The portal configuration determines what the system user sees when they log in to the
FortiGate. Both the system administrator and the system user have the ability to
customize the SSL VPN portal.
This section describes:
Default web portal configurations
Configuring web portal settings
Configuring the virtual desktop
Configuring security control
Enable SSL VPN: Select to enable SSL VPN connections.
IP Pools: Select Edit to select the range or subnet firewall addresses that represent IP address ranges reserved for tunnel-mode SSL VPN clients. If the appropriate addresses do not exist, go to Firewall > Address to create them. You cannot add the all firewall address or a FQDN firewall address. You also cannot add an address group that includes the all firewall address or a FQDN address.
Server Certificate: Select the signed server certificate to use for authentication purposes. If you leave the default setting (Self-Signed), the FortiGate unit offers its factory installed (self-signed) certificate from Fortinet to remote clients when they connect.
Require Client Certificate: If you want to enable the use of group certificates for authenticating remote clients, select the check box. Afterward, when the remote client initiates a connection, the FortiGate unit prompts the client for its client-side certificate as part of the authentication process.
Encryption Key Algorithm: Select the algorithm for creating a secure SSL connection between the remote client web browser and the FortiGate unit.
  Default - RC4(128 bits) and higher: If the web browser on the remote client can match a cipher suite greater than or equal to 128 bits, select this option.
  High - AES(128/256 bits) and 3DES: If the web browser on the remote client can match a high level of SSL encryption, select this option to enable cipher suites that use more than 128 bits to encrypt data.
  Low - RC4(64 bits), DES and higher: If you are not sure which level of SSL encryption the remote client web browser supports, select this option to enable a cipher suite greater than or equal to 64 bits.
Idle Timeout: Type the period of time (in seconds) to control how long the connection can remain idle before the system forces the user to log in again. The range is from 10 to 28800 seconds. You can also set the value to 0 to have no idle connection timeout. This setting applies to the SSL VPN session. The interface does not time out when web application sessions or tunnels are up.
Advanced (DNS and WINS Servers)
  DNS Server #1, DNS Server #2: Enter up to two DNS Servers to be provided for the use of clients.
  WINS Server #1, WINS Server #2: Enter up to two WINS Servers to be provided for the use of clients.
Apply: Select to save and apply settings.
Configuring web portal layout
Session Information widget
Bookmarks widget
Connection Tool widget
Tunnel Mode widget
Default web portal configurations
There are three pre-defined default web portal configurations available:
full-access: Includes all widgets available to the user - Session Information,
Connection Tool, Bookmarks, and Tunnel Mode.
tunnel-access: Includes Session Information and Tunnel Mode widgets.
web-access: Includes Session Information and Bookmarks widgets.
To use a default SSL VPN web portal configuration, select the Edit icon next to the web
portal in the Portal list. The SSL VPN web portal that you select will open.
Figure 378: Default web portals
Configuring web portal settings
Go to VPN > SSL > Portal to adjust web portal settings. If you want to create a new web portal, select Create New. To edit settings for an existing web portal configuration, select the Edit icon for the web portal and then select Settings.
Figure 379: SSL VPN web portal configuration - General tab
Select Apply or OK to save the new web portal.
Configuring the virtual desktop
Available for Windows XP and Windows Vista client PCs, the virtual desktop feature completely isolates the SSL VPN session from the client computer's desktop environment. All data is encrypted, including cached user credentials, browser history, cookies, temporary files, and user files created during the session. When the SSL VPN session ends normally, the files are deleted. If the session ends due to a malfunction, files might remain, but they are encrypted, so the information is protected.
When the user starts an SSL VPN session with virtual desktop enabled, the virtual desktop replaces the user's normal desktop. When the virtual desktop exits, the user's normal desktop is restored.
Virtual desktop requires the Fortinet host check plugin. If the plugin is not present, it is
automatically downloaded to the client computer.
OK/Cancel: Select OK to save the configuration and Cancel to exit the configuration window without saving any changes. If you select OK, the main portal configuration window appears.
General tab
Name: Name of the web portal configuration.
Applications: Select the abbreviated name of the server applications or network services clients can use.
Portal Message: Enter the caption that appears at the top of the web portal home page.
Theme: Select the color scheme for the web portal home page from the list.
Page Layout: Select the one- or two-column format for the web portal home page.
To enable virtual desktop
1 Go to VPN > SSL > Portal and select the Edit icon for the web portal.
2 Select the Settings button.
3 Select the Virtual Desktop tab.
4 Select Enable Virtual Desktop.
Figure 380: Configuring Virtual Desktop
5 Enable options as required.
6 Select OK.
7 Select Apply.
Enable Virtual Desktop: Enable the virtual desktop and the following settings. If this is not enabled, the user has browser access on the regular desktop.
Allow switching between virtual desktop and regular desktop: By default, the regular desktop is not accessible while the virtual desktop is active. With this option enabled, the user can switch between them.
Allow clipboard contents to be shared with regular desktop: Enable to allow cut-and-paste operations between the virtual desktop and the regular desktop.
Allow use of removable media: Enable to allow the user to copy files between the virtual desktop and removable media such as USB drives.
Allow network share access: Enable to allow the user to copy files between the virtual desktop and network drives.
Allow printing: Enable to allow the user to use printers from the virtual desktop.
Quit the virtual desktop and logout session when browser is closed: By default, the virtual desktop remains in effect even if the user closes the browser. Enable to automatically close the virtual desktop and log out if the user closes the browser.
Application Control List: Optionally, select an application control list. This controls which applications the user can run on the virtual desktop. See Virtual Desktop Application Control.
Configuring security control
You can apply cache cleaning and host checking to the clients of your web portal.
Cache cleaning clears information from the client browser cache just before the SSL VPN
session ends. The cache cleaner is effective only if the session terminates normally. The
cache is not cleaned if the session ends due to a malfunction, such as a power failure.
Host checking enforces the client's use of antivirus or firewall software. Each client is checked for security software that is recognized by the Windows Security Center. As an alternative, you can create a custom host check that looks for specific security software selected from the Host Check list located at VPN > SSL > Host Check. See Host Check list on page 640.
To configure Security Control
1 Go to VPN > SSL > Portal and select the Edit icon for the web portal.
2 Select the Settings button.
3 Select the Security Control tab.
4 Enter the following information:
5 Select OK.
Clean Cache: Enable to clear the client cache when the SSL VPN session ends.
Host Check: Select the type of host checking to use.
  AV: Check for antivirus software recognized by the Windows Security Center.
  AV-FW: Check for both antivirus and firewall software recognized by the Windows Security Center.
  Custom: Check for the security software listed in the Policy field.
  FW: Check for firewall software recognized by the Windows Security Center.
  None: Do not perform host checking.
Interval: Select how often to recheck the host. The range is every 120 seconds to 259200 seconds. Enter 0 to not recheck the host during the session.
Policy: The list of acceptable security applications for clients. These application names are from the Host Check list. This field is available if Host Check is Custom. Select Edit to choose the host check applications to use. Use the arrow buttons to move applications between the Available and Selected lists. Clients will be checked for the applications in the Selected list. Select OK.
Configuring web portal layout
To add or edit SSL VPN web portal widgets, go to VPN > SSL > Portal and select Create New, then select OK. The SSL VPN web portal is displayed. You can also edit an existing SSL VPN web portal. You can add, remove, and edit the widgets that appear on the web portal.
Figure 381: SSL VPN web portal - full-access Default configuration window
OK: Select to save the configuration. If you select OK, you exit the SSL VPN web portal configuration window.
Cancel: Select to exit the configuration window without saving any changes.
Apply: Select to apply any changes made in the web portal configuration. If you select Apply, you will not leave the portal configuration window.
Settings: Select to edit the General or Advanced settings for the SSL VPN web portal. See SSL VPN web portal on page 627.
Help: Indicates the location of the SSL VPN web portal online help icon. You cannot change or move this icon. Active when the SSL VPN web portal is activated by the user.
Log out: Indicates the location of the SSL VPN web portal log out icon. You cannot change or move this icon. Active when the SSL VPN web portal is activated by the user.
Add Widget list: Select to add a widget to the SSL VPN web portal configuration.
  Session Information: Displays the login name of the user, the amount of time the user has been logged in, and the inbound and outbound traffic of HTTP and HTTPS.
  Bookmarks: Displays configured bookmarks, allows for the addition of new bookmarks and editing of existing bookmarks.
Session Information widget
The Session Information widget displays the login name of the user, along with the
amount of time the user has been logged in and the inbound and outbound traffic statistics
of HTTP and HTTPS.
To edit the session information, in the Session Information widget select Edit.
Figure 382: Session Information widget - Edit
  Connection Tool: Enter the URL or IP address for a connection tool application/server (selected when configuring the Connection Tool). You can also check connectivity to a host or server on the network behind the FortiGate unit by selecting the Type Ping.
  Tunnel Mode: Displays tunnel information and actions in user mode. The administrator can configure a split-tunneling option.
Edit: Select to edit the information in the widget.
Remove widget: Select to close the widget and remove it from the web portal home page.
OK: Select to save the Session Information configuration.
Cancel: Select to exit the Session Information widget without saving any changes.
Name: Enter a customized name for the Session Information widget.
Bookmarks widget
Bookmarks are used as links to specific resources on the network. When a bookmark is
selected from a bookmark list, a pop-up window appears with the requested web page.
Telnet, VNC, and RDP all pop up a window that requires a browser plug-in. FTP and
Samba replace the bookmarks page with an HTML file-browser.
A web bookmark can include login credentials to automatically log the SSL VPN user into the web site. This means that once the user logs into the SSL VPN, he or she does not have to enter any more credentials to visit preconfigured web sites. When the administrator configures bookmarks, the web site credentials must be the same as the user's SSL VPN credentials. Users configuring their own bookmarks can specify alternative credentials for the web site.
To configure the Bookmarks widget
1 Open the web portal.
2 If the Bookmarks widget is missing, add it by selecting Bookmarks from the Add Widget
list in the top right corner of the web portal window.
3 Select the Edit icon in the Bookmarks widget title bar.
4 Optionally, you can change the Name of the Bookmarks widget.
5 Select the Applications check boxes for the types of bookmarks that you want to
support.
6 Select OK.
To add or edit bookmarks
1 Open the web portal.
2 In the Bookmarks widget, do one of the following:
To add a bookmark, select Add.
To edit an existing bookmark, select the Edit button and then select the bookmark.
3 Enter or edit the following information:
Name: Enter a name for the bookmark.
Type: Select the type of application to which the bookmark links. For example, select HTTP/HTTPS for a web site. Only the application types that you configured for this widget are in the list. You can select Edit in the widget title bar to enable additional application types. See To configure the Bookmarks widget.
Location: Enter the destination of the bookmark.
  For HTTP, enter the URL or just the hostname.
  For HTTPS, enter the URL.
  For RDP, VNC, Telnet or SSH, enter the hostname.
  For FTP or SMB, enter the hostname or //<hostname>/<path>.
Description: Optionally, enter a descriptive tooltip for the bookmark.
SSO: A Single Sign-On (SSO) bookmark automatically enters the login credentials for the bookmark destination. Select one of:
  Disabled: This is not an SSO bookmark.
  Automatic: Use the user's SSL VPN credentials for login.
  Static: Use the login credentials defined below.
Single Sign-On settings available when SSO is Static
Field Name: Enter a required login page field name, User Name for example.
4 Select OK.
5 If there is a Done button, you can select another bookmark to edit or select Done to
leave the edit mode.
6 Select Apply at the top of the web portal page to save the changes that you made.
Figure 383: Using the Bookmarks widget to add a bookmark
Value: Enter the value to enter in the field identified by Field Name. If you are an administrator configuring a bookmark for users:
  Enter %username% to represent the user's SSL VPN user name.
  Enter %passwd% to represent the user's SSL VPN password.
Add: Enter another Field Name / Value pair, for the password, for example. A new set of Field Name / Value fields is added. Fill them in.
Figure 384: Using the Bookmarks widget to edit a bookmark
To delete bookmarks
1 Open the web portal.
2 In the Bookmarks widget, select the Edit button.
3 Select the X to the right of the bookmark that you want to delete.
4 Select Done.
Connection Tool widget
You can use the Connection Tool widget to connect to a network resource without adding
a bookmark to the bookmark list. You select the type of resource and specify the URL or
IP address of the host computer.
To configure the Connection Tool widget
1 Open the web portal.
2 If the Connection Tool widget is missing, add it by selecting Connection Tool from the
Add Widget list in the top right corner of the web portal window.
3 In the Connection Tool widget select the Edit icon in the widget title bar.
4 Enter the following information:
5 Select OK.
To use the Connection Tool widget
1 Open the web portal.
2 In the Connection Tool widget, from the Type list select the type of network service you want to use.
The available types of network service depend on the widget configuration. See To
configure the Connection Tool widget.
3 In the Host field, enter the URL, host name, or IP address as appropriate.
4 Select Go.
Tunnel Mode widget
If your web portal provides tunnel mode access, you need to configure the Tunnel Mode widget. These settings determine how tunnel mode clients are assigned IP addresses. Also, you can enable a split tunneling configuration so that the VPN carries only the traffic for the networks behind the FortiGate unit. The user's other traffic follows its normal route.
To configure tunnel mode settings
1 Open the web portal.
2 If the Tunnel Mode widget is missing, add it by selecting Tunnel Mode from the Add
Widget list in the top right corner of the window.
3 Select the Edit icon in the Tunnel Mode widget title bar.
4 Enter the following information:
The remaining items in the widget are available to the user during an SSL VPN
session.
Name: Optionally, enter a customized name for the Connection Tool widget.
Applications: Select the types of server applications or network services that will be available to users through the Connection Tool widget.
Type: Select the server/application that the FortiGate unit will use to establish a connection.
Name: Enter a name for the Tunnel Mode widget. The default is Tunnel Mode.
IP Mode: Select the mode by which the IP address is assigned to the user.
  Range: The user IP address is allocated from the IP addresses specified in IP Pools. If IP Pools is empty, the IP Pools specified in VPN > SSL > Config are used.
  User Group: The user is assigned the IP address specified in the Framed-IP-Address field of the user's record on the RADIUS server. This option is valid only for users authenticated by a RADIUS server.
IP Pools: Select Edit to select the range or subnet firewall addresses that represent IP address ranges reserved for tunnel-mode SSL VPN clients. If the appropriate addresses do not exist, go to Firewall > Address to create them. You cannot add the all firewall address or a FQDN firewall address. You also cannot add an address group that includes the all firewall address or a FQDN address.
Split tunneling: Select to enable split tunneling. In a split tunneling configuration, the tunnel mode client uses the SSL VPN only for traffic destined for the networks behind the FortiGate unit. The user's other traffic follows its normal route.
5 Select OK in the Tunnel Mode widget.
6 Select Apply.
Figure 385: Configuring the Tunnel Mode widget
To use the tunnel mode widget
When logged into the portal as an SSL VPN user:
1 View any of the following information:
2 Do any of the following:
Link status: The state of the SSL VPN tunnel:
  Up: an SSL VPN tunnel with the FortiGate unit has been established.
  Down: there is no tunnel connection.
Bytes sent: The number of bytes of data transmitted from the client to the FortiGate unit since the tunnel was established.
Bytes received: The number of bytes of data received by the client from the FortiGate unit since the tunnel was established.
<status information>: Detailed information about the tunnel connection, for example, Fortinet SSL VPN client connected to server.
Connect: Initiate a session and establish an SSL VPN tunnel with the FortiGate unit.
Disconnect: End the session and close the tunnel to the FortiGate unit.
Refresh now: Refresh the Fortinet SSL VPN Client page (web portal).
Virtual Desktop Application Control
You can control which applications users can run on their virtual desktop. To do this, you
create a list of either allowed or blocked applications which you then select when you
configure the virtual desktop.
Go to VPN > SSL > Virtual Desktop Application Control to create a virtual desktop
application control list.
Figure 386: Virtual Desktop Application Control
Create New: Add a new virtual desktop application control list.
Name: The names of the virtual desktop application control lists.
Action: The action configured for each virtual desktop application control list: Block the applications on this list and allow all others, or Allow the applications on this list and block all others.
Edit icon: Select Edit beside an existing application control list to modify it.
Delete icon: Delete an application control list.
Clone icon: Make a copy of an application control list. Make a copy and then modify it to create a new application control list.
Add button: Add an application to the application control list.
Name: Enter the name of the application to be added to the application control list. This can be any name and does not have to match the official name of the application.
MD5 Signatures: Enter one or more known MD5 signatures for the application executable file. You can use a third-party utility to calculate MD5 signatures or hashes for any file. You can enter multiple signatures to match multiple versions of the application.
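The decision an application control list makes, written out as an added Python example (not Fortinet code), with constructed byte strings standing in for executable files. It shows the practical difference between the two actions: a Block list stops only the versions whose MD5 signatures were entered, so an unlisted build of the same application still runs, while an Allow list rejects anything that is not listed.

```python
import hashlib
from dataclasses import dataclass, field


def md5_hex(data):
    """MD5 of a file's bytes, as the hex string the list stores."""
    return hashlib.md5(data).hexdigest()


@dataclass
class AppEntry:
    """One application in a Virtual Desktop Application Control list.

    The name is free text; md5_signatures holds one digest per known
    version of the executable, as the MD5 Signatures field allows.
    """
    name: str
    md5_signatures: frozenset


@dataclass
class AppControlList:
    """A list whose Action is 'block' (listed applications are blocked and
    all others allowed) or 'allow' (listed allowed, all others blocked)."""
    name: str
    action: str
    entries: list = field(default_factory=list)

    def matching_entry(self, digest):
        """Return the entry that lists this MD5 digest, or None."""
        for entry in self.entries:
            if digest in entry.md5_signatures:
                return entry
        return None

    def permits(self, executable_bytes):
        """Decide whether an executable with these bytes may run."""
        listed = self.matching_entry(md5_hex(executable_bytes)) is not None
        if self.action == "block":
            return not listed
        if self.action == "allow":
            return listed
        raise ValueError(f"unknown action {self.action!r}")


# Constructed stand-ins for executable files (not real binaries)
CHAT_V1 = b"constructed chat client build 1"
CHAT_V2 = b"constructed chat client build 2"
CHAT_V3 = b"constructed chat client build 3"   # version not entered in the list
EDITOR = b"constructed text editor"

# A Block list naming two known versions of the chat client
CHAT_ENTRY = AppEntry("chat-client", frozenset({md5_hex(CHAT_V1), md5_hex(CHAT_V2)}))
BLOCK_LIST = AppControlList("no-chat", "block", [CHAT_ENTRY])

# An Allow list naming only the editor
ALLOW_LIST = AppControlList("editor-only", "allow",
                            [AppEntry("editor", frozenset({md5_hex(EDITOR)}))])


if __name__ == "__main__":
    for label, data in [("chat v1", CHAT_V1), ("chat v3", CHAT_V3), ("editor", EDITOR)]:
        print(f"{label}: block list permits={BLOCK_LIST.permits(data)}, "
              f"allow list permits={ALLOW_LIST.permits(data)}")
```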
Host Check list
When you enable AV, FW, or AV-FW host checking in the web portal Security Control
settings, each client is checked for security software that is recognized by the Windows
Security Center. As an alternative, you can create a custom host check that looks for
security software selected from the Host Check list. For more information, see
Configuring security control on page 631.
The Host Check list includes default entries for many security software products. To add,
modify, or delete entries, go to VPN > SSL > Host Check.
Figure 387: Configuring the host check list
Host check list and software entries
Create New Add a new application to the host check list.
Name The name of the application added to the host check list. The name does not
need to match the actual application name.
Type The type of host check application: AV for antivirus or FW for firewall.
Version The version of the host check application.
Edit icon Select Edit beside an existing host check application to modify it.
Delete icon Delete a host check application.
GUID Enter the globally unique identifier (GUID) for the host check application. The
GUID is usually in the form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, where each x
is a hexadecimal digit. Windows uses GUIDs to identify applications in the
Windows Registry.
Add button If you do not know the GUID, add alternative checks for the application. The host
check software is considered found only if all checks succeed.
Check Item entry
Type Select how to check for the application:
File Look for a file. This could be the application's executable file or any
other file that would confirm the presence of the application. In File/Path,
enter the full path to the file. Where applicable, you can use environment
variables enclosed in percent (%) marks. For example,
%ProgramFiles%\Fortinet\FortiClient\FortiClient.exe.
Process Look for the application as a running process. In Process, enter
the application's executable file name.
Registry Search for a Windows Registry entry. In Registry, enter a registry
item, for example HKLM\SOFTWARE\Fortinet\FortiClient\Misc.
Action Select one of:
Require If the item is found, the client meets the check item condition.
Deny If the item is found, the client is considered not to meet the check item
condition. Use this option if it is necessary to prevent use of a particular security
product.
MD5 Signatures If Type is File or Process, enter one or more known MD5 signatures for the
application's executable file. You can use a third-party utility to calculate MD5
signatures or hashes for any file. You can enter multiple signatures to match
multiple versions of the application.
SSL VPN monitor list
You can view a list of all active SSL VPN sessions. The list displays the user name of the
remote user, the IP address of the remote client, and the time the connection was made.
You can also see which services are being provided, and delete an active web or tunnel
session from the FortiGate unit. For more information, see SSL VPN on page 625.
To view the list of active SSL VPN sessions, go to VPN > SSL > Monitor.
Figure 388: SSL VPN monitor list
No. The connection identifiers.
User The user names of all connected remote users.
Source IP The IP addresses of the host devices connected to the FortiGate unit.
Begin Time The starting time of each connection.
Description For an SSL VPN tunnel subsession, the client's assigned tunnel IP
address is shown.
Action Select the action to apply to the current SSL VPN tunnel session or
subsession.
Delete icon Delete the current session or subsession.
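The following Python is an added illustration, not FortiGate code and not part of this guide. It models how the Host Check list's check items (File, Process and Registry types, Require and Deny actions, optional MD5 signatures, and the rule that the software counts as found only when every item succeeds) and the allow/block lists of Virtual Desktop Application Control are evaluated. The client snapshot, paths, process names, registry key and file contents are constructed for the example; on a real client the SSL VPN agent gathers them.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed snapshot of what a client would report. Paths, process names,
# the registry key and the bytes behind each file are illustrative only.
CLIENT_SNAPSHOT = {
    "env": {"ProgramFiles": r"C:\Program Files"},
    "files": {
        r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe": b"forticlient build 4",
        r"C:\Tools\legacy-av.exe": b"legacy antivirus build 1",
    },
    "processes": {"FortiClient.exe": b"forticlient build 4"},
    "registry": {r"HKLM\SOFTWARE\Fortinet\FortiClient\Misc"},
}


@dataclass(frozen=True)
class CheckItem:
    type: str                 # "File", "Process" or "Registry"
    target: str               # file path, process executable name or registry key
    action: str = "Require"   # "Require" or "Deny"
    md5: tuple = ()           # known MD5 signatures; only meaningful for File/Process


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def expand_windows_env(path: str, env: dict) -> str:
    """Expand %NAME% references the way the File/Path field allows."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), path)


def item_found(item: CheckItem, snapshot: dict) -> bool:
    """True when the item's target is present on the client and, if signatures
    are configured, when its MD5 is one of the listed ones."""
    if item.type == "Registry":
        return item.target in snapshot["registry"]
    if item.type == "File":
        content = snapshot["files"].get(expand_windows_env(item.target, snapshot["env"]))
    elif item.type == "Process":
        content = snapshot["processes"].get(item.target)
    else:
        raise ValueError(f"unknown check item type {item.type!r}")
    if content is None:
        return False
    if item.md5:
        return md5_hex(content) in {s.lower() for s in item.md5}
    return True


def item_satisfied(item: CheckItem, snapshot: dict) -> bool:
    """Require passes when the item is found; Deny passes when it is absent."""
    found = item_found(item, snapshot)
    if item.action == "Require":
        return found
    if item.action == "Deny":
        return not found
    raise ValueError(f"unknown action {item.action!r}")


def host_check_software_found(items, snapshot: dict) -> bool:
    """The host check application counts as found only if every item is satisfied."""
    return all(item_satisfied(item, snapshot) for item in items)


def virtual_desktop_allows(list_action: str, signatures, executable: bytes) -> bool:
    """Virtual desktop application control: an 'allow' list permits only the
    listed signatures, a 'block' list permits everything except them."""
    listed = md5_hex(executable) in {s.lower() for s in signatures}
    if list_action == "allow":
        return listed
    if list_action == "block":
        return not listed
    raise ValueError(f"unknown list action {list_action!r}")
```

Two practical caveats follow from the model. Both checks run on the client and report what the client sees, so they are a posture signal from software the user controls, not an attestation of the endpoint. An MD5 signature identifies a known build of a file; treat it as an identifier for version matching rather than a tamper-proof integrity guarantee, and prefer an allow list (only listed signatures run) over a block list when the set of permitted applications is small enough to enumerate.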
User
This section explains how to set up user accounts, user groups, and external
authentication servers. You can use these components of user authentication to control
access to network resources.
If you enable virtual domains (VDOMs) on the FortiGate unit, user authentication is
configured separately for each virtual domain. For details, see Using virtual domains on
page 125.
This section describes:
Getting started - User authentication
Local user accounts
Remote
RADIUS
LDAP
TACACS+
PKI
Directory Service
User Group
Options
Monitor
NAC quarantine and the Banned User list
Getting started - User authentication
FortiGate authentication controls access by user group, but you need to complete one or
more of the following tasks prior to configuring the user groups.
Configure local user accounts. For each user, you can choose whether the password is
verified by the FortiGate unit, by a RADIUS server, by an LDAP server, or by a
TACACS+ server. For more information, see Local user accounts on page 644.
Configure IM user policies. For IM users, you can configure user lists that either allow
or block use of instant messaging through the FortiGate unit. For more information, see
IM user monitor list on page 669.
Configure your FortiGate unit to authenticate users by using your RADIUS, LDAP, or
TACACS+ servers. For more information, see RADIUS on page 647, LDAP on
page 649, and TACACS+ on page 652.
Configure access to the FortiGate unit if you use a Directory Service server for
authentication. For more information, see Configuring a Directory Service server on
page 655.
Configure certificate-based authentication for administrative access (HTTPS web-
based manager), IPSec, SSL-VPN, and web-based firewall authentication. For more
information, see PKI on page 656.
You can configure your FortiGate unit to authenticate system administrators with your
FortiGate unit, using RADIUS, LDAP and TACACS+ servers and with certificate-based
authentication using PKI. For more information, see System Admin on page 241. You
can change the authentication timeout value or select the protocol supported for Firewall
authentication. For more information, see Options on page 667. You can view lists of
currently authenticated users, authenticated IM users, and banned users. For more
information, see Monitor on page 668.
For each network resource that requires authentication, you specify which user groups are
permitted access to the network. There are three types of user groups: Firewall, Directory
Service, and SSL VPN. For more information, see Firewall user groups on page 659,
Directory Service user groups on page 660, and SSL VPN user groups on page 660.
Local user accounts
A local user is a user configured on a FortiGate unit. The user can be authenticated with a
password stored on the FortiGate unit (the user name and password must match a user
account stored on the FortiGate unit) or with a password stored on an authentication
server (the user name must match a user account stored on the FortiGate unit, and the
user name and password must match a user account stored on the authentication server
associated with the user).
Configuring Local user accounts
You can block a user with a valid local user account from authenticating at all, or configure
the FortiGate unit to allow a user to authenticate with a user name and password stored
on the FortiGate unit, or with an account stored on a specific server (LDAP, RADIUS, or
TACACS+).
To view the list of existing local users, go to User > Local.
Figure 389: Example Local user list
Create New Add a new local user account.
User Name The local user name.
Type The authentication type to use for this user. The authentication types are Local
(user and password stored on the FortiGate unit), LDAP, RADIUS, and TACACS+
(user and password match a user account stored on the authentication
server).
Delete icon Delete the user.
The delete icon is not available if the user belongs to a user group.
Edit icon Edit the user account.
Note: Deleting the user name deletes the authentication configured for the user.
To add a Local user, go to User > Local, select Create New, and enter or select the
following:
Figure 390: Local user
User Name A name that identifies the user.
Disable Select to prevent this user from authenticating.
Password Select to authenticate this user using a password stored on the FortiGate unit
and then enter the password. The password should be at least six characters.
LDAP Select to authenticate this user using a password stored on an LDAP server.
Select the LDAP server from the list.
You can select only an LDAP server that has been added to the FortiGate LDAP
configuration. For more information, see LDAP on page 649.
RADIUS Select to authenticate this user using a password stored on a RADIUS server.
Select the RADIUS server from the list.
You can select only a RADIUS server that has been added to the FortiGate
RADIUS configuration. For more information, see RADIUS on page 647.
TACACS+ Select to authenticate this user using a password stored on a TACACS+ server.
Select the TACACS+ server from the list.
You can select only a TACACS+ server that has been added to the FortiGate
TACACS+ configuration. For more information, see TACACS+ on page 652.
Configuring IM user policies
Instant Messenger (IM) protocols are gaining in popularity as an essential way to
communicate between two or more individuals in real time. Some companies even rely on
IM protocols for critical business applications such as Customer/Technical Support.
The most common IM protocols in use today include AOL Instant Messenger, Yahoo
Instant Messenger, MSN Messenger, and ICQ. On a FortiGate unit, you can set up IM
user policies that allow or block individual users of these protocols.
IM user policies determine whether users are permitted to access instant messaging
services or are blocked from these services.
If you enable virtual domains (VDOMs) on the FortiGate unit, IM is available separately for
each virtual domain. For more information, see Using virtual domains on page 125.
The IM user list displays information about configured instant messaging user policies.
The list can be filtered by protocol and policy.
To view the list of IM users, go to User > Local > IM.
Figure 391: IM user list
Create New Add a new user to the list.
Protocol Filter the list by selecting a protocol: AIM, ICQ, MSN, Yahoo, or All.
Policy Filter the list by selecting a policy: Allow, Block, or All.
Protocol The protocol associated with the user.
Username The name selected by the user when registering with an IM protocol. The
same user name can be used for multiple IM protocols. Each user
name/protocol pair appears separately in the list.
Policy The policy applied to the user when attempting to use the protocol: Allow
or Block.
Edit icon Change the following user information: Protocol, Username, and Policy.
Delete icon Permanently remove users from the User List.
To add an IM user, go to User > Local > IM, select Create New, and enter or select the
following:
Figure 392: Edit User dialog
Protocol Select a protocol from the dropdown list: AIM, ICQ, MSN, or Yahoo!.
Username Enter a name for the user.
Policy Select a policy from the dropdown list: Allow or Block.
The IM user monitor list displays information about instant messaging users who are
currently connected. For more information, see IM user monitor list on page 669.
Configuring older versions of IM applications
Some older versions of IM protocols are able to bypass file blocking because the message
types are not recognized.
Supported IM protocols include:
MSN 6.0 and above
ICQ 4.0 and above
AIM 5.0 and above
Yahoo 6.0 and above
If you want to block a protocol that is older than the ones listed above, use the CLI
command:
config imp2p old-version
For more information, see the FortiGate CLI Reference.
Remote
Remote authentication is generally used to ensure that employees working offsite can
remotely access their corporate network with appropriate security measures in place. In
general terms, authentication is the process of attempting to verify the (digital) identity of
the sender of a communication such as a login request. The sender may be someone
using a computer, the computer itself, or a computer program. Since a computer system
should be used only by those who are authorized to do so, there must be a measure in
place to detect and exclude any unauthorized access.
On a FortiGate unit, you can control access to network resources by defining lists of
authorized users, called user groups. To use a particular resource, such as a network or
VPN tunnel, the user must:
belong to one of the user groups that is allowed access
correctly enter a user name and password to prove his or her identity, if asked to do so.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) servers provide authentication,
authorization, and accounting functions. FortiGate units use the authentication function of
the RADIUS server. To use the RADIUS server for authentication, you must configure the
server before you configure the FortiGate users or user groups that will need it.
If you have configured RADIUS support and a user is required to authenticate using a
RADIUS server, the FortiGate unit sends the user's credentials to the RADIUS server for
authentication. If the RADIUS server can authenticate the user, the user is successfully
authenticated with the FortiGate unit. If the RADIUS server cannot authenticate the user,
the FortiGate unit refuses the connection. You can override the default authentication
scheme by selecting a specific authentication protocol or changing the default port for
RADIUS traffic.
To view the list of RADIUS servers, go to User > Remote > RADIUS.
Figure 393: Example RADIUS server list
Note: The default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645,
use the CLI to change the default RADIUS port. For more information, see the config
system global command in the FortiGate CLI Reference.
Create New Add a new RADIUS server. The maximum number is 10.
Name Name that identifies the RADIUS server on the FortiGate unit.
Configuring a RADIUS server
The FortiGate unit and the RADIUS server share a secret key. The secret is used to hide
the user's password inside the request and to verify that replies come from the server; the
other attributes in the exchange are not encrypted, so the RADIUS server should be
reached over a trusted network. When you configure a RADIUS server, you can also
configure a secondary RADIUS server. The FortiGate unit attempts authentication with the
primary server first, and if there is no response, uses the secondary server. You can
include the RADIUS server in every user group without adding it specifically to each user
group configuration.
The RADIUS server can use several different authentication protocols during the
authentication process:
MS-CHAP-V2 is the Microsoft challenge-handshake authentication protocol v2
MS-CHAP is the Microsoft challenge-handshake authentication protocol v1
CHAP (challenge-handshake authentication protocol) provides the same functionality
as PAP, but does not send the password itself over the network to the security server;
the client answers a challenge with a hash that only a holder of the password can produce
PAP (password authentication protocol) is used to authenticate PPP connections. PAP
transmits passwords and other user information in clear text (unencrypted).
If you have not selected a protocol, the default protocol configuration uses PAP,
MS-CHAP-V2, and CHAP, in that order.
The RADIUS server list (Figure 393) also shows:
Server Name/IP Domain name or IP address of the RADIUS server.
Delete icon Delete a RADIUS server configuration.
You cannot delete a RADIUS server that has been added to a user group.
Edit icon Edit a RADIUS server configuration.
To add a new RADIUS server, go to User > Remote > RADIUS, select Create New, and
enter or select the following:
Figure 394: RADIUS server configuration
Note: The server secret key should be a maximum of 16 characters in length.
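The following Python is an added example, not FortiGate code and not part of this guide. It shows what the protocol choice above means on the wire between the FortiGate unit and the RADIUS server: with PAP the Access-Request carries the password hidden under an MD5 keystream derived from the shared secret (RFC 2865 section 5.2), which anyone holding the secret can reverse; with CHAP the request carries only a hash of the password and a challenge (RFC 2865 section 5.3), so the password never leaves the FortiGate unit. The secret, user name, password, NAS address and Request Authenticator below are constructed values.

```python
import hashlib
import os
import socket
import struct

# Constructed values; a real FortiGate uses the configured server secret and a
# fresh random Request Authenticator for every request.
EXAMPLE_SECRET = b"example-secret"

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS, CHAP_CHALLENGE = 1, 2, 3, 4, 60


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pap_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes, then XOR each
    block with MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, previous = b"", authenticator
    for offset in range(0, len(padded), 16):
        block = _xor(padded[offset:offset + 16], hashlib.md5(secret + previous).digest())
        hidden += block
        previous = block
    return hidden


def pap_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide_password: the server, or anyone who knows the secret,
    recovers the password from the captured request."""
    plain, previous = b"", authenticator
    for offset in range(0, len(hidden), 16):
        block = hidden[offset:offset + 16]
        plain += _xor(block, hashlib.md5(secret + previous).digest())
        previous = block
    return plain.rstrip(b"\x00")   # remove the padding added when hiding


def chap_password_attribute(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 section 5.3: CHAP-Password = ident || MD5(ident || password || challenge).
    The server recomputes the hash from its own copy of the password."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(attribute: bytes, stored_password: bytes, challenge: bytes) -> bool:
    return attribute == chap_password_attribute(attribute[0], stored_password, challenge)


def avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length, value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1 to 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def access_request(identifier: int, authenticator: bytes, attributes) -> bytes:
    """Access-Request header (code, identifier, length, authenticator) plus attributes."""
    body = b"".join(attributes)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def pap_access_request(user: str, password: bytes, secret: bytes, nas_ip: str,
                       identifier: int = 1, authenticator: bytes = None) -> bytes:
    """Access-Request for the PAP scheme: the hidden password travels in the packet."""
    authenticator = authenticator or os.urandom(16)
    return access_request(identifier, authenticator, [
        avp(USER_NAME, user.encode()),
        avp(USER_PASSWORD, pap_hide_password(password, secret, authenticator)),
        avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
    ])


def chap_access_request(user: str, password: bytes, nas_ip: str, identifier: int = 1,
                        authenticator: bytes = None, challenge: bytes = None) -> bytes:
    """Access-Request for the CHAP scheme: only a hash of the password travels."""
    authenticator = authenticator or os.urandom(16)
    challenge = challenge or os.urandom(16)
    return access_request(identifier, authenticator, [
        avp(USER_NAME, user.encode()),
        avp(CHAP_PASSWORD, chap_password_attribute(identifier, password, challenge)),
        avp(CHAP_CHALLENGE, challenge),
        avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
    ])
```

The PAP form is why the shared secret matters: its strength is the only thing standing between a captured request and the user's password, and this release caps it at 16 characters. CHAP and MS-CHAP remove the password from the wire but require the server to hold the password in a form it can hash, which is one reason many directories only accept PAP; pick the protocol the server supports and keep the FortiGate-to-RADIUS path on a trusted segment either way.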
LDAP
Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain
authentication data that may include departments, people, groups of people, passwords,
email addresses, and printers. The protocol consists of a data-representation scheme, a
set of defined operations, and a request/response exchange over the network.
If you have configured LDAP support and require a user to authenticate using an LDAP
server, the FortiGate unit contacts the LDAP server for authentication. To authenticate
with the FortiGate unit, the user enters a user name and password. The FortiGate unit
sends this user name and password to the LDAP server. If the LDAP server can
authenticate the user, the FortiGate unit successfully authenticates the user. If the LDAP
server cannot authenticate the user, the FortiGate unit refuses the connection.
The FortiGate unit supports LDAP protocol functionality defined in RFC 2251: Lightweight
Directory Access Protocol v3, for looking up and validating user names and passwords.
FortiGate LDAP supports all LDAP servers compliant with LDAP v3. In addition, FortiGate
LDAP supports LDAP over SSL/TLS. To configure SSL/TLS authentication, refer to the
FortiGate CLI Reference.
FortiGate LDAP support does not extend to proprietary functionality, such as notification of
password expiration, that is available from some LDAP servers. Nor does the FortiGate
LDAP supply information to the user about why authentication failed.
To view the list of LDAP servers, go to User > Remote > LDAP.
Fields in the RADIUS server configuration (Figure 394):
Name Enter the name that is used to identify the RADIUS server on the
FortiGate unit.
Primary Server Name/IP Enter the domain name or IP address of the primary RADIUS server.
Primary Server Secret Enter the RADIUS server secret key for the primary RADIUS server.
The primary server secret key should be a maximum of 16
characters in length.
Secondary Server Name/IP Enter the domain name or IP address of the secondary RADIUS
server, if you have one.
Secondary Server Secret Enter the RADIUS server secret key for the secondary RADIUS
server. The secondary server secret key should be a maximum of 16
characters in length.
Authentication Scheme Select Use Default Authentication Scheme to authenticate with the
default method. The default authentication scheme uses PAP,
MS-CHAP-V2, and CHAP, in that order.
Select Specify Authentication Protocol to override the default
authentication method, and choose the protocol from the list:
MS-CHAP-V2, MS-CHAP, CHAP, or PAP, depending on what your
RADIUS server needs.
NAS IP/Called Station ID Enter the NAS IP address and Called Station ID (RADIUS attributes 4,
NAS-IP-Address, and 30, Called-Station-Id, defined in RFC 2865). If
you do not enter an IP address, the IP address of the FortiGate
interface that communicates with the RADIUS server is used.
Include in every User Group Select to have the RADIUS server automatically included in all user
groups.
Figure 395: Example LDAP server list
Configuring an LDAP server
A directory is a set of objects with similar attributes organized in a logical and hierarchical
way. Generally, an LDAP directory tree reflects geographic or organizational boundaries,
with domain components that mirror the Domain Name System (DNS) name at the top
level of the hierarchy. The common name identifier for most LDAP servers is cn; however,
some servers use other common name identifiers such as uid.
For example, you could use the following base distinguished name:
ou=marketing,dc=fortinet,dc=com
where ou is an organizational unit and dc is a domain component.
You can also specify multiple instances of the same field in the distinguished name, for
example, to specify multiple organizational units:
ou=accounts,ou=marketing,dc=fortinet,dc=com
Binding is the step in which a client authenticates to the LDAP server. The server accepts
the bind if the credentials are valid and then grants the bound identity access according
to its permissions.
You can configure the FortiGate unit to use one of three types of binding:
anonymous - bind anonymously, search for the user's entry, then bind as that user
regular - bind with a configured user name/password, search for the user's entry, then
bind as that user
simple - bind directly as the user, using a DN built from the common name identifier and
the base DN, without a search.
You can use simple binding if the user records all fall under one DN. If the users are
under more than one DN, use the anonymous or regular type, which can search the
directory below the base DN for the required user name.
If your LDAP server requires authentication to perform searches, use the regular type and
provide values for user name and password.
The LDAP server list (Figure 395) shows:
Create New Add a new LDAP server. The maximum number is 10.
Name The name that identifies the LDAP server on the FortiGate unit.
Server Name/IP The domain name or IP address of the LDAP server.
Port The TCP port used to communicate with the LDAP server.
Common Name Identifier The common name identifier for the LDAP server. Most LDAP servers use cn.
However, some servers use other common name identifiers such as uid.
Distinguished Name The distinguished name used to look up entries on the LDAP server. The
distinguished name reflects the hierarchy of LDAP database object classes
above the common name identifier.
Delete icon Delete the LDAP server configuration.
Edit icon Edit the LDAP server configuration.
To add an LDAP server, go to User > Remote > LDAP and select Create New. Enter the
information below and select OK.
Figure 396: LDAP server configuration
Name Enter the name that identifies the LDAP server on the FortiGate unit.
Server Name/IP Enter the domain name or IP address of the LDAP server.
Server Port Enter the TCP port used to communicate with the LDAP server.
By default, LDAP uses port 389.
If you use a secure LDAP server, the default port changes when you
select Secure Connection.
Common Name Identifier Enter the common name identifier for the LDAP server. The maximum
number of characters is 20.
Distinguished Name Enter the base distinguished name for the server using the correct
X.500 or LDAP format. The FortiGate unit passes this distinguished
name unchanged to the server. The maximum number of characters is
512.
Query icon View the LDAP server Distinguished Name Query tree for the LDAP
server that you are configuring so that you can cross-reference to the
Distinguished Name.
For more information, see Using Query.
Bind Type Select the type of binding for LDAP authentication.
Regular Bind to the LDAP server with the configured User DN and Password,
search below the Distinguished Name for the user's entry, then bind as
that entry with the user's password to obtain an accept or reject.
Anonymous Bind to the LDAP server anonymously, search below the Distinguished
Name for the user's entry, then bind as that entry with the user's
password.
Simple Bind directly to the LDAP server as <Common Name Identifier>=<user
name>,<Distinguished Name> with the user's password. No search is
performed.
Filter Enter the filter to use for group searching. Available if Bind Type is
Regular or Anonymous.
User DN Enter the distinguished name of the account the FortiGate unit binds with
to search the directory. Available if Bind Type is Regular.
Password Enter the password of the account named in User DN. Available if Bind
Type is Regular.
Secure Connection Select to use a secure LDAP server connection for authentication.
Using Query
The LDAP Distinguished Name Query list displays the LDAP Server IP address, and all
the distinguished names associated with the Common Name Identifier for the LDAP
server. The tree helps you to determine the appropriate entry for the DN field. To see the
distinguished name associated with the Common Name identifier, select the Expand
Arrow beside the CN identifier and then select the DN from the list. The DN you select is
displayed in the Distinguished Name field. Select OK to save your selection in the
Distinguished Name field of the LDAP Server configuration.
To see the users within the LDAP Server user group for the selected Distinguished Name,
select the Expand arrow beside the Distinguished Name in the LDAP Distinguished Name
Query tree.
Figure 397: Example LDAP server Distinguished Name Query tree
TACACS+
In recent years, remote network access has shifted from terminal access to LAN access.
Users connect to their corporate network (using notebooks or home PCs) with computers
that use complete network connections and have the same level of access to the
corporate network resources as if they were physically in the office. These connections
are made through a remote access server. As remote access technology has evolved, the
need for network access security has become increasingly important.
Terminal Access Controller Access-Control System Plus (TACACS+) is a remote
authentication protocol that provides access control for routers, network access servers,
and other networked computing devices via one or more centralized servers. TACACS+
allows a client to accept a user name and password and send a query to a TACACS+
authentication server. The server determines whether to accept or deny the request
and sends a response back that allows or denies network access to the user. The default
TCP port for a TACACS+ server is 49.
To view the list of TACACS+ servers, go to User > Remote > TACACS+.
Additional fields in the LDAP server configuration (Figure 396), available only when
Secure Connection is selected:
Protocol Select a secure LDAP protocol to use for authentication. Depending on
your selection, the value in Server Port changes to the default port
for the selected protocol.
LDAPS: port 636
STARTTLS: port 389
Certificate Select the CA certificate used to validate the LDAP server's certificate
from the list. The list comes from the CA certificates at
System > Certificates > CA Certificates.
Figure 398: Example TACACS+ server list
Create New Add a new TACACS+ server. The maximum number is 10.
Server The server domain name or IP address of the TACACS+ server.
Authentication Type The supported authentication method. TACACS+ authentication methods
include: Auto, ASCII, PAP, CHAP, and MSCHAP.
Delete icon Delete this TACACS+ server.
Edit icon Edit this TACACS+ server.
Configuring TACACS+ servers
There are several different authentication protocols that TACACS+ can use during the
authentication process:
ASCII
Machine-independent technique that uses representations of English characters.
Requires the user to type a user name and password that are sent in clear text
(unencrypted) and matched with an entry in the user database stored in ASCII format.
PAP (password authentication protocol)
Used to authenticate PPP connections. Transmits passwords and other user
information in clear text.
CHAP (challenge-handshake authentication protocol)
Provides the same functionality as PAP, but is more secure because it does not send the
password and other user information over the network to the security server.
MS-CHAP (Microsoft challenge-handshake authentication protocol v1)
Microsoft-specific version of CHAP.
The default protocol configuration, Auto, uses PAP, MS-CHAP, and CHAP, in that order.
To add a new TACACS+ server, go to User > Remote > TACACS+, select Create New,
and enter or select the following:
Figure 399: TACACS+ server configuration
Directory Service
Windows Active Directory (AD) and Novell eDirectory provide central authentication
services by storing information about network resources across a domain (a logical group
of computers running versions of an operating system) in a central directory database.
Each person who uses computers within a domain receives his or her own unique
account/user name. This account can be assigned access to resources within the domain.
In a domain, the directory resides on computers that are configured as domain controllers.
A domain controller is a server that manages all security-related features that affect the
user/domain interactions, security centralization, and administrative functions.
FortiGate units use firewall policies to control access to resources based on user groups
configured in the policies. Each FortiGate user group is associated with one or more
Directory Service user groups. When a user logs in to the Windows or Novell domain, the
Fortinet Server Authentication Extension (FSAE) sends the FortiGate unit the user's IP
address and the names of the Directory Service user groups to which the user belongs.
The FSAE has two components that you must install on your network:
The domain controller (DC) agent must be installed on every domain controller to
monitor user logins and send information about them to the collector agent.
The collector agent must be installed on at least one domain controller to send the
information received from the DC agents to the FortiGate unit.
The FortiGate unit uses this information to maintain a copy of the domain controller user
group database. Because the domain controller authenticates users, the FortiGate unit
does not perform authentication. It recognizes group members by their IP address.
You must install the Fortinet Server Authentication Extensions (FSAE) on the network and
configure the FortiGate unit to retrieve information from the Directory Service server. For
more information about FSAE, see the Fortinet Server Authentication Extension
Administration Guide.
To view the list of Directory Service servers, go to User > Directory Service.
Fields in the TACACS+ server configuration (Figure 399):
Name Enter the name of the TACACS+ server.
Server Name/IP Enter the server domain name or IP address of the TACACS+ server.
Server Key Enter the key to access the TACACS+ server. The server key should be a
maximum of 16 characters in length.
Authentication Type Select the authentication type to use for the TACACS+ server. Selection
includes: Auto, ASCII, PAP, CHAP, and MSCHAP. Auto authenticates using
PAP, MSCHAP, and CHAP (in that order).
Figure 400: Example Directory Service server list
Configuring a Directory Service server
You need to configure the FortiGate unit to access at least one FSAE collector agent. You
can specify up to five Directory Service servers on which you have installed a collector
agent. If your FSAE collector agent requires authenticated access, you enter a password
for the server. The server name appears in the list of Directory Service servers when you
create user groups. You can also retrieve Directory Service information directly through an
LDAP server instead of through the FSAE agent.
You can enter information for up to five collector agents.
To add a new Directory Service server, go to User > Directory Service, select Create New,
and enter or select the following:
Create New Add a new Directory Service server.
Name Select the Expand arrow beside the server/domain/group name to
display Directory Service domain and group information.
AD Server The name defined for the Directory Service server.
Domain The domain name imported from the Directory Service server.
Groups The group names imported from the Directory Service server.
FSAE Collector IP The IP addresses and TCP ports of up to five FSAE collector agents
that send Directory Service server login information to the FortiGate
unit.
Delete icon Delete this Directory Service server.
Edit icon Edit this Directory Service server.
Add User/Group Add a user or group to the list. You must know the distinguished name
for the user or group.
Edit Users/Group Select users and groups to add to the list.
Note: You can create a redundant configuration on your FortiGate unit if you install a
collector agent on two or more domain controllers. If the current (or first) collector agent
fails, the FortiGate unit switches to the next one in its list of up to five collector agents.
Figure 401: Directory Service server configuration
Name Enter the name of the Directory Service server. This name appears in the list of
Directory Service servers when you create user groups.
FSAE Collector IP/Name Enter the IP address or name of the Directory Service server where this
collector agent is installed. The maximum number of characters is 63.
Port Enter the TCP port used for Directory Service. This must be the same as the
FortiGate listening port specified in the FSAE collector agent configuration.
Password Enter the password for the collector agent. This is required only if you
configured your FSAE collector agent to require authenticated access.
LDAP Server Select the check box and select an LDAP server to access the Directory
Service.
PKI
Public Key Infrastructure (PKI) authentication utilizes a certificate authentication library
that takes a list of peers, peer groups, and/or user groups and returns authentication
successful or denied notifications. Users only need a valid certificate for successful
authentication; no user name or password is necessary. Firewall and SSL VPN are the
only user groups that can use PKI authentication.
For more information about certificate authentication, see the FortiGate Certificate
Management User Guide. For information about the detailed PKI configuration settings
available only through the CLI, see the FortiGate CLI Reference.
To view the list of PKI users, go to User > PKI.
Figure 402: Example PKI User list
Configuring peer users and peer groups
You can define peer users and peer groups used for authentication in some VPN
configurations and for PKI certificate authentication in firewall policies.
A peer user is a digital certificate holder that can use PKI authentication. Before using PKI
authentication, you must define peer users to include in the user group that is incorporated
into the firewall authentication policy.
To define a peer user, you need:
• a peer user name
• the text from the subject field of the certificate of the authenticating peer user, or the
CA certificate used to authenticate the peer user.
You can add or modify other configuration settings for PKI authentication. For more
information, see the FortiGate CLI Reference.
Name The name of the PKI user.
Subject The text string that appears in the subject field of the certificate of the
authenticating user.
CA The CA certificate that is used to authenticate this user.
Delete icon Delete this PKI user.
The delete icon is not available if the peer user belongs to a user group.
Remove it from the user group first.
Edit icon Edit this PKI user.
To create a peer user for PKI authentication, go to User > PKI, select Create New, and
enter the following:
Figure 403: PKI user
Name Enter the name of the PKI user.
Subject Enter the text string that appears in the subject field of the certificate of the
authenticating user. This field is optional.
CA Enter the CA certificate that must be used to authenticate this user. This
field is optional.
Two-factor authentication
Require two-factor authentication Require this PKI user to authenticate by password in addition to
certificate authentication. Enter a Password.
Password Enter the password that this PKI user must enter.
Note: You must enter a value for at least one of Subject or CA.
Caution: If you use the CLI to create a peer user, Fortinet recommends that you enter a
value for either subject or ca. If you do not do so, and then open the user record in the web-
based manager, you will be prompted to enter a subject or ca value before you can
continue.
You can configure peer user groups only through the CLI. For more information, see the
FortiGate CLI Reference.
User Group
A user group is a list of user identities. An identity can be:
• a local user account (user name and password) stored on the FortiGate unit
• a local user account with a password stored on a RADIUS, LDAP, or TACACS+ server
• a RADIUS, LDAP, or TACACS+ server (all identities on the server can authenticate)
• a user or user group defined on a Directory Service server.
Each user group belongs to one of three types: Firewall, Directory Service or SSL VPN.
For information about each type, see Firewall user groups on page 659, Directory
Service user groups on page 660, and SSL VPN user groups on page 660. For
information on configuring each type of user group, see Configuring a user group on
page 661.
In most cases, the FortiGate unit authenticates users by requesting each user name and
password. The FortiGate unit checks local user accounts first. If the unit does not find a
match, it checks the RADIUS, LDAP, or TACACS+ servers that belong to the user group.
Authentication succeeds when the FortiGate unit finds a matching user name and
password.
For a Directory Service user group, the Directory Service server authenticates users when
they log in to the network. The FortiGate unit receives the user's name and IP address
from the FSAE collector agent. For more information about FSAE, see the Fortinet Server
Authentication Extension Administration Guide.
You can configure user groups to provide authenticated access to:
• Firewall policies that require authentication
See Adding authentication to firewall policies on page 372.
You can choose the user groups that are allowed to authenticate with these policies.
• SSL VPNs on the FortiGate unit
See Configuring SSL VPN identity-based firewall policies on page 376.
• IPSec VPN Phase 1 configurations for dialup users
See Creating a new phase 1 configuration on page 606.
Only users in the selected user group can authenticate to use the VPN tunnel.
• XAuth for IPSec VPN Phase 1 configurations
See XAUTH in Defining phase 1 advanced settings on page 608.
Only users in the selected user group can be authenticated using XAuth.
• FortiGate PPTP configuration
See PPTP configuration using FortiGate web-based manager on page 621.
Only users in the selected user group can use PPTP.
• FortiGate L2TP configuration
You can configure this only by using the config vpn l2tp CLI command. See the
FortiGate CLI Reference.
Only users in the selected user group can use L2TP.
• Administrator login with RADIUS authentication
See Configuring RADIUS authentication for administrators on page 247.
Only administrators with an account on the RADIUS server can log in.
• FortiGuard Web Filtering override groups
See FortiGuard Web Filtering on page 552.
When FortiGuard Web Filtering blocks a web page, authorized users can authenticate
to access the web page or to allow members of another group to access it.
For each resource that requires authentication, you specify which user groups are
permitted access. You need to determine the number and membership of user groups
appropriate to your authentication needs.
Firewall user groups
A firewall user group provides access to a firewall policy that requires authentication and
lists the user group as one of the allowed groups. The FortiGate unit requests the group
member's user name and password when the user attempts to access the resource that
the policy protects.
You can also authenticate a user by certificate if you have selected this method. For more
information, see Adding authentication to firewall policies on page 372.
A firewall user group can also provide access to an IPSec VPN for dialup users. In this
case, the IPSec VPN phase 1 configuration uses the Accept peer ID in dialup group peer
option. The user's VPN client is configured with the user name as peer ID and the
password as pre-shared key. The user can connect successfully to the IPSec VPN only if
the user name is a member of the allowed user group and the password matches the one
stored on the FortiGate unit.
For more information, see Creating a new phase 1 configuration on page 606.
For information about configuring a Firewall user group, see Configuring a user group on
page 661.
You can also use a firewall user group to provide override privileges for FortiGuard web
filtering. For more information, see Configuring FortiGuard Web filtering override options
on page 664. For detailed information about FortiGuard Web Filter, including the override
feature, see FortiGuard Web Filtering on page 552.
Note: A user group cannot be a dialup group if any member is authenticated using a
RADIUS or LDAP server.
Directory Service user groups
On a network, you can configure the FortiGate unit to allow access to members of
Directory Service server user groups who have been authenticated on the network. The
Fortinet Server Authentication Extensions (FSAE) must be installed on the network
domain controllers.
A Directory Service user group provides access to a firewall policy that requires Directory
Service type authentication and lists the user group as one of the allowed groups. The
members of the user group are Directory Service users or groups that you select from a
list that the FortiGate unit receives from the Directory Service servers that you have
configured. See Directory Service on page 654.
You can also use a Directory Service user group to provide override privileges for
FortiGuard web filtering. For more information, see Configuring FortiGuard Web filtering
override options on page 664. For detailed information about FortiGuard Web Filter,
including the override feature, see FortiGuard Web Filtering on page 552.
For information on configuring user groups, see Configuring a user group on page 661.
SSL VPN user groups
An SSL VPN user group provides access to a firewall policy that requires SSL VPN type
authentication and lists the user group as one of the allowed groups. Local user accounts,
LDAP, and RADIUS servers can be members of an SSL VPN user group. The FortiGate
unit requests the user's user name and password when the user accesses the SSL VPN
web portal. The user group settings include options for SSL VPN features.
An SSL VPN user group can also provide access to an IPSec VPN for dialup users. In this
case, the IPSec VPN phase 1 configuration uses the Accept peer ID in dialup group peer
option. You configure the user's VPN client with the user name as peer ID and the
password as pre-shared key. The user can connect successfully to the IPSec VPN only if
the user name is a member of the allowed user group and the password matches the one
stored on the FortiGate unit. For more information about configuring user groups for IPSec
VPN, see Creating a new phase 1 configuration on page 606.
For information on configuring user groups, see Configuring a user group on page 661.
For information on configuring SSL VPN user group options, see Configuring SSL VPN
identity-based firewall policies on page 376.
Note: You cannot use Directory Service user groups directly in FortiGate firewall policies.
You must add Directory Service groups to FortiGate user groups. A Directory Service group
should belong to only one FortiGate user group. If you assign it to multiple FortiGate user
groups, the FortiGate unit recognizes only the last user group assignment.
Note: A Directory Service user group cannot have SSL VPN access.
Note: A user group cannot be an IPSec dialup group if any member is authenticated using
a RADIUS or LDAP server.
Viewing the User group list
To view the User group list, go to User > User Group.
Figure 404: Example User group list
Configuring a user group
To add a new user group, go to User > User Group, select Create New, and enter or select
the following according to user group type:
Create New Add a new user group.
Group Name The name of the user group. User group names are listed by type of user
group: Firewall, Directory Service and SSL VPN. For more information, see
Firewall user groups on page 659, Directory Service user groups on
page 660, and SSL VPN user groups on page 660.
Members The Local users, RADIUS servers, LDAP servers, TACACS+servers, Directory
Service users/user groups or PKI users found in the user group.
Delete icon Delete the user group.
You cannot delete a user group that is included in a firewall policy, a dialup user
phase 1 configuration, or a PPTP or L2TP configuration.
Edit icon Edit the membership and options of the group.
Note: By default, the FortiGate web-based manager displays Firewall options. The
following figures show the variations that display for each of the user group types: Firewall,
Directory Service, and SSL VPN.
Note: You cannot add local users to a group that is used to authenticate administrators.
Figure 405: User group configuration - Firewall
Figure 406: User group configuration - Directory Service
Figure 407: User group configuration - SSL VPN
Name Enter the name of the user group.
Type Select the user group type.
Firewall Select this group in any firewall policy that requires Firewall
authentication. See Adding authentication to firewall policies on
page 372 and Configuring FortiGuard Web filtering override options
on page 664.
Directory Service Select this group in any firewall policy that requires Directory Service
authentication. See Adding authentication to firewall policies on
page 372.
SSL VPN Select this group in any firewall policy with Action set to SSL VPN.
Not available in Transparent mode.
See Configuring SSL VPN identity-based firewall policies on
page 376.
Portal Select the SSL VPN web portal configuration to use with the User
Group. For more information, see SSL VPN web portal on page 627.
Available Users/Groups
or Available Members*
The list of Local users, RADIUS servers, LDAP servers, TACACS+
servers, Directory Service users/user groups, or PKI users that can be
added to the user group. To add a member to this list, select the name
and then select the Right Arrow.
* Available Members if user group type is Directory Service.
Members The list of Local users, RADIUS servers, LDAP servers, TACACS+
servers, Directory Service users/user groups, or PKI users that belong
to the user group. To remove a member, select the name and then
select the Left Arrow.
FortiGuard Web Filtering
Override
Available only if Type is Firewall or Directory Service.
Configure Web Filtering override capabilities for this group.
See Configuring FortiGuard Web filtering override options on
page 664.
Configuring FortiGuard Web filtering override options
FortiGuard Web Filtering overrides are available for Firewall and Directory Service user
groups.
To configure FortiGuard Web Filtering Override, go to User > User Group and select the
Edit icon for a Firewall or Directory Service user group. Select the Expand Arrow beside
FortiGuard Web Filtering Override.
For more information about FortiGuard Web Filtering overrides, see FortiGuard Web
filtering overrides on page 552.
Figure 408: FortiGuard Web Filtering Override configuration
Allow to create FortiGuard
Web Filtering overrides
Select to allow members of this group to request an override on the
FortiGuard Web Filtering Block page. The firewall protection profile
governing the connection must have FortiGuard overrides enabled.
The protection profile may have more than one user group as an
override group. Members of an override group can authenticate on the
FortiGuard Web Filter Block Override page to access the blocked site.
For more information, see FortiGuard Web Filtering on page 552.
Override Scope The override can apply to just the user who requested the override, or
include others. Select one of the following from the list:
User Only the user.
User Group The user group to which the user belongs.
IP Any user at the user's IP address.
Profile Any user with the specified protection profile of the user group.
Ask Authenticating user, who chooses the override scope.
Override Type Select from the list to allow access to:
Directory Only the lowest level directory in the URL.
Domain The entire website domain.
Categories The FortiGuard category.
Ask Authenticating user, who chooses the override type.
Off-site URLs Select one of the following from the list to set permissions for users
linking to sites off the blocked site:
Allow User can follow links to other sites.
Deny User can follow links only to destinations as defined by Override Type.
Ask Authenticating user, who chooses whether to allow use of off-site links.
Override Time Select to set the duration of the override:
Constant Select to set the duration of override in days, hours, minutes.
Ask Authenticating user, who determines the duration of override. The
duration set is the maximum.
Protection Profiles Available One protection profile can have several user groups with override
permissions. Verification of the user group occurs once the user name
and password are entered. The overrides can still be enabled or not
enabled on a profile-wide basis regardless of the user groups that
have permissions to override the profile.
Permission Granted For The list of defined protection profiles applied to user groups that have
override privileges.
Dynamically assigning VPN client IP addresses from a user group
SSL VPN tunnel mode, dialup IPSec VPN, and PPTP VPN sessions can assign IP
addresses to remote users by getting the IP address to assign to the user from the
Framed-IP-Address field in the RADIUS record received when the RADIUS server
confirms that the user has authenticated successfully. See RFC 2865 and RFC 2866 for
more information about RADIUS fields.
For the FortiGate unit to dynamically assign an IP address, the VPN users must be
configured for RADIUS authentication and you must include the IP address to assign to
the user in the Framed-IP-Address RADIUS field on your RADIUS server. You configure
each type of VPN differently. In each case you are associating the configuration that
assigns IP addresses to users with a user group.
Assigning IP addresses from a RADIUS record replaces dynamically assigning IP
addresses from an address range. You cannot combine an IP address range with assigning
IP addresses from a RADIUS record in the same configuration.
To add a RADIUS server that assigns IP addresses
1 Go to User > Remote > RADIUS and select Create New to add a RADIUS server.
2 Configure the RADIUS server as required.
No special FortiGate configuration is required.
3 Select OK to save the RADIUS server.
To dynamically assign IP addresses for SSL VPN tunnel mode users
To use a RADIUS server to assign IP addresses for SSL VPN tunnel mode users, you
enable tunnel mode for an SSL VPN portal by adding the Tunnel Mode widget to the
portal. In the Tunnel Mode widget set IP Mode to User Group. You must also add the
portal and the RADIUS server that assigns IP addresses to the same SSL VPN user
group. Finally, you must select the user group in an SSL VPN firewall policy.
1 Go to VPN > SSL > Portal.
2 Create a new SSL VPN portal or edit an existing one.
3 Add a Tunnel mode widget to the portal or edit the tunnel mode widget if it has already
been added to the portal.
4 Set IP Mode to User Group and save the changes to the portal.
Figure 409: Using RADIUS records to assign IP addresses for SSL VPN Tunnel Mode
5 Go to User > User Group and create a new user group or edit an SSL VPN user group.
6 Set Type to SSL VPN.
7 Select the name of the Portal that contains the tunnel mode widget.
8 Add the RADIUS server that assigns IP addresses to the Members list and save the
SSL VPN user group.
9 Go to Firewall > Policy and select Create New.
10 Set Action to SSL VPN.
11 Add an identity based policy and add the SSL VPN user group containing the RADIUS
server and the portal to the Selected User Groups list.
12 Configure the remaining firewall policy settings as required.
To dynamically assign IP addresses for dialup IPSec VPN
To use a RADIUS server to assign IP addresses for dialup IPSec VPN users you
configure an IPSec DHCP server for your IPSec VPN configuration and configure
advanced settings to set IP Assignment Mode to User-group defined method. You must
also add the RADIUS server to a firewall user group. Then in the phase 1 configuration of
the dialup VPN you configure advanced settings to set XAUTH to server mode and select
the firewall user group that you added the RADIUS server to.
1 Go to System > DHCP and add or edit the IPSec DHCP server used by the IPSec VPN
configuration.
2 Select Advanced and set IP Assignment Mode to User-group defined method and save
the changes to the DHCP server.
3 Go to User > User Group and create a new user group or edit a Firewall user group.
4 Set Type to Firewall.
5 Add the RADIUS server that assigns IP addresses to the Members list and save the
Firewall user group.
6 Go to VPN > IPSec and create or edit a User Phase 1 with Remote Gateway set to
Dialup User.
7 Select Advanced.
8 Set XAUTH to Enable as Server.
9 Set User Group to the firewall user group containing the RADIUS server.
10 Configure the remaining IPSec VPN settings as required.
To dynamically assign IP addresses for PPTP VPN users
For PPTP VPN you can use a RADIUS server to assign IP addresses for PPTP users by
adding the RADIUS server that can assign IP addresses to a firewall user group. Then
configure PPTP VPN to use this user group.
1 Go to User > User Group and create a new user group or edit a firewall user group.
2 Set Type to Firewall.
3 Add the RADIUS server that assigns IP addresses to the Members list and save the
Firewall user group.
4 Connect to the FortiGate CLI and enter the following command to enable PPTP,
configure assigning IP addresses with a user group, and add the user group containing
the RADIUS server to the PPTP VPN configuration.
    config vpn pptp
        set status enable
        set ip-mode usrgrp
        set usrgrp <user_group>
        set sip <address>
        set eip <address>
    end
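The RADIUS exchange that all three procedures above rely on, as an added example that is not FortiOS or Fortinet code: the client hides the password as RFC 2865 section 5.2 describes, the server answers with an Access-Accept carrying Framed-IP-Address (attribute 8), and the client accepts that address only after checking the Response Authenticator (MD5 over code, identifier, length, the request authenticator, the attributes and the shared secret) so that a forged or corrupted reply cannot hand out an address. The shared secret, the user database, the 10.10.10.5 address and the in-process toy server are all constructed for the example.

```python
import hashlib
import hmac
import os
import socket
import struct

# Constructed shared secret and user database (example values, not from the guide):
# user name -> (password, Framed-IP-Address the server hands back on success)
SECRET = b"example-shared-secret"
USERS = {"alice": (b"alice-pass", "10.10.10.5")}

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_FRAMED_IP = 1, 2, 8

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS type-length-value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """Decode attributes, refusing lengths that would run past the packet."""
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out

def unhide_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, req_auth, attrs_bytes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + req_auth + attrs_bytes + secret).digest()

def build_access_request(user, password, ident=1):
    req_auth = os.urandom(16)  # fresh Request Authenticator per request
    attrs = [(ATTR_USER_NAME, user.encode()),
             (ATTR_USER_PASSWORD, hide_password(password, SECRET, req_auth))]
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth

def server_handle(request):
    """Toy RADIUS server: verify the password, return Accept with Framed-IP-Address or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    user = attrs[ATTR_USER_NAME].decode()
    password = unhide_password(attrs[ATTR_USER_PASSWORD], SECRET, req_auth)
    if user in USERS and hmac.compare_digest(USERS[user][0], password):
        out_code = ACCESS_ACCEPT
        resp_attrs = encode_attrs([(ATTR_FRAMED_IP, socket.inet_aton(USERS[user][1]))])
    else:
        out_code, resp_attrs = ACCESS_REJECT, b""
    auth = response_authenticator(out_code, ident, req_auth, resp_attrs, SECRET)
    return struct.pack("!BBH", out_code, ident, 20 + len(resp_attrs)) + auth + resp_attrs

def client_parse_response(response, req_auth, ident):
    """Return the Framed-IP-Address from a verified Access-Accept, else None."""
    code, rid, length = struct.unpack("!BBH", response[:4])
    attrs_bytes = response[20:length]
    if rid != ident:
        return None  # not a reply to our request
    expected = response_authenticator(code, rid, req_auth, attrs_bytes, SECRET)
    if not hmac.compare_digest(expected, response[4:20]):
        return None  # authenticator mismatch: forged, corrupted, or wrong secret
    if code != ACCESS_ACCEPT:
        return None
    for t, v in decode_attrs(attrs_bytes):
        if t == ATTR_FRAMED_IP and len(v) == 4:
            return socket.inet_ntoa(v)
    return None  # Accept without Framed-IP-Address: nothing to assign dynamically

def authenticate(user, password, ident=1):
    """Run one request/response round trip against the toy server."""
    request, req_auth = build_access_request(user, password, ident)
    return client_parse_response(server_handle(request), req_auth, ident)
```

Note what the authenticator check buys: because the attributes are covered by the hash, changing the Framed-IP-Address octets in transit makes the reply unverifiable and the client assigns nothing, which is the behaviour you want from the VPN gateway side of this configuration.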
Options
You can define setting options for user authentication, including authentication timeout,
supported protocols, and authentication certificates.
Authentication timeout controls how long an authenticated firewall connection can be idle
before the user must authenticate again.
When user authentication is enabled on a firewall policy, the authentication challenge is
normally issued for any of the four protocols (depending on the connection protocol):
• HTTP (can also be set to redirect to HTTPS)
• HTTPS
• FTP
• Telnet.
The selections made in the Protocol Support list of the Authentication Settings screen
control which protocols support the authentication challenge. Users must connect with a
supported protocol first so they can subsequently connect with other protocols. If HTTPS
is selected as a method of protocol support, it allows the user to authenticate with a
customized Local certificate.
When you enable user authentication on a firewall policy, the firewall policy user will be
challenged to authenticate. For user ID and password authentication, users must provide
their user names and passwords. For certificate authentication (HTTPS or HTTP
redirected to HTTPS only), you can install customized certificates on the FortiGate unit
and the users can also have customized certificates installed on their browsers.
Otherwise, users will see a warning message and have to accept a default FortiGate
certificate.
Note: When you use certificate authentication, if you do not specify any certificate when
you create the firewall policy, the global settings will be used. If you specify a certificate, the
per-policy setting will overwrite the global setting. For information about how to use
certificate authentication, see FortiGate Certificate Management User Guide.
To configure authentication setting options, go to User > Options.
Figure 410: Authentication Settings
Authentication Timeout Enter a length of time in minutes, from 1 to 480. Authentication
Timeout controls how long an authenticated firewall connection can be
idle before the user must authenticate again. The default value is 30.
Protocol Support Select the protocols to challenge during firewall user authentication.
Certificate If using HTTPS protocol support, select the Local certificate to use for
authentication. Available only if HTTPS protocol support is selected.
Apply Apply selections for user Authentication Settings.
Monitor
You can go to User > Monitor to view lists of currently authenticated users, authenticated
IM users, and banned users. For each authenticated user, the list includes the user name,
user group, how long the user has been authenticated (Duration), how long until the user's
session times out (Time left), and the method of authentication used. The list of IM users
includes the source IP address, protocol, and last time the protocol was used. The
Banned User list includes users configured by administrators in addition to those
quarantined based on AV, IPS, or DLP rules.
The following lists are available:
• Firewall user monitor list
• IM user monitor list
• NAC quarantine and the Banned User list
Firewall user monitor list
In some environments, it is useful to determine which users are authenticated by the
FortiGate unit and allow the system administrator to de-authenticate (stop current session)
users. With the Firewall monitor, you can de-authenticate all currently authenticated users,
or select single users to de-authenticate. To permanently stop a user from re-
authenticating, change the FortiGate configuration (disable a user account) and then use
the User monitor to immediately end the user's current session.
To view the list of authenticated users (Firewall), go to User > Monitor > Firewall.
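The Authentication Timeout setting from User > Options and the Duration, Time-left and de-authenticate controls of the Firewall user monitor, modelled together as an added example (not FortiOS code): sessions expire after the configured idle time, Time-left is reported only when keepalive will extend the session, and "disable the account, then end the session" is the permanent stop the text describes. The class name, the session record layout, the choice that keepalive only affects whether Time-left is shown, and the use of caller-supplied integer clocks are assumptions of the example.

```python
# Constructed model of firewall-user authentication sessions as listed under
# User > Monitor > Firewall (example code, not FortiOS code). Times are integer
# seconds passed in by the caller so that runs are deterministic.

AUTH_TIMEOUT_DEFAULT_MIN = 30       # User > Options default
AUTH_TIMEOUT_RANGE_MIN = (1, 480)   # permitted range, in minutes

class AuthMonitor:
    def __init__(self, timeout_min=AUTH_TIMEOUT_DEFAULT_MIN, keepalive=False):
        lo, hi = AUTH_TIMEOUT_RANGE_MIN
        if not lo <= timeout_min <= hi:
            raise ValueError(f"Authentication Timeout must be {lo}-{hi} minutes")
        self.timeout = timeout_min * 60
        self.keepalive = keepalive   # assumption: models "authentication keepalive"
        self.sessions = {}           # (user, ip) -> session record
        self.disabled = set()        # local accounts an administrator has disabled

    def authenticate(self, user, group, ip, method, now):
        """Successful challenge: start (or restart) the user's session."""
        if user in self.disabled:
            return False             # a disabled account cannot re-authenticate
        self.sessions[(user, ip)] = {"user": user, "group": group, "ip": ip,
                                     "method": method, "start": now,
                                     "last_activity": now, "bytes": 0}
        return True

    def _expire(self, now):
        # Sessions idle for longer than Authentication Timeout are dropped.
        idle = [k for k, s in self.sessions.items()
                if now - s["last_activity"] > self.timeout]
        for k in idle:
            del self.sessions[k]

    def traffic(self, user, ip, nbytes, now):
        """Count traffic and reset the idle timer; False means the session has
        already timed out and the user must authenticate again."""
        self._expire(now)
        s = self.sessions.get((user, ip))
        if s is None:
            return False
        s["bytes"] += nbytes
        s["last_activity"] = now
        return True

    def listing(self, now):
        """Rows of the Firewall user monitor list."""
        self._expire(now)
        rows = []
        for s in self.sessions.values():
            remaining = self.timeout - (now - s["last_activity"])
            rows.append({"user": s["user"], "group": s["group"], "ip": s["ip"],
                         "duration": now - s["start"],
                         # Time-left is shown only when keepalive will extend the session
                         "time_left": remaining if self.keepalive else "N/A",
                         "traffic": s["bytes"], "method": s["method"]})
        return rows

    def deauthenticate(self, user=None, ip=None):
        """End one user's session(s), or with no arguments end all sessions."""
        keys = [k for k in self.sessions
                if user is None or (k[0] == user and (ip is None or k[1] == ip))]
        for k in keys:
            del self.sessions[k]
        return len(keys)

    def disable_account(self, user):
        """Permanent stop: disable the account, then end its current session."""
        self.disabled.add(user)
        return self.deauthenticate(user=user)
```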
Figure 411: Firewall user monitor list
Refresh Refresh the Firewall user monitor list.
Current Page The current page number of list items that are displayed. Select the left and
right arrows to display the first, previous, next or last page of logged in users.
Column Settings Customize the table view. You can select the columns to hide or display and
specify the column displaying order in the table. For more information, see
Using column settings to control the columns displayed on page 61 and
Web-based manager icons on page 63.
Clear All Filters Remove all filters applied to the Firewall user monitor list.
De-authenticate All Users Stop authenticated sessions for all users in the Firewall user monitor list.
User(s) must re-authenticate with the firewall to resume their communication
session.
Filter icons Edit the column filters to filter or sort the firewall user monitor list according to
the criteria you specify. For more information, see Adding filters to web-based
manager lists on page 57.
User Name The user names of all connected remote users.
User Group The user group that the remote user is part of.
Duration Length of time since the user was authenticated.
Time-left Length of time remaining until the user session times out. Only available if the
authentication time of the session will be automatically extended
(authentication keepalive is enabled). If authentication keepalive is not
enabled, the value in Time-left will be N/A. For more information, see the
FortiGate CLI Reference.
IP Address The user's source IP address.
Traffic Volume The amount of traffic through the FortiGate unit generated by the user.
Method Authentication method used for the user by the FortiGate unit (authentication
methods can be FSAE, firewall authentication, or NTLM).
IM user monitor list
User lists can be managed to allow or block certain users. Each user can be assigned a
policy to allow or block activity for each IM protocol. Each IM function can be individually
allowed or blocked, giving the administrator the granularity to block the more bandwidth-
consuming features such as voice chat while still allowing text messaging. The IM user
monitor list displays information about instant messaging users who are currently
connected. The list can be filtered by protocol. After IM users connect through the firewall,
the FortiGate unit displays which users are connected. You can analyze the list and
decide which users to allow or block.
To view the list of active IM users, go to User > Monitor > IM.
Figure 412: IM user monitor list
Protocol Filter the list by selecting the protocol for which to display current users: AIM, ICQ,
MSN, or Yahoo. All current users can also be displayed.
# The position number of the IM user in the list.
Protocol The protocol being used.
User Name The name selected by the user when registering with an IM protocol. The same user
name can be used for multiple IM protocols. Each user name/protocol pair appears
separately in the list.
Source IP The address from which the user initiated the IM session.
Last Login The last time the current user used the protocol.
Block Select to add the user name to the permanent black list. Each user name/protocol pair
must be explicitly blocked by the administrator.
NAC quarantine and the Banned User list
You can use Network Access Control (NAC) quarantine to block access through the
FortiGate unit when virus scanning detects a virus, or when an IPS sensor or a DoS
sensor detects an attack. You can configure NAC quarantine for IPS sensor filters and
overrides. NAC quarantine blocks access for the IP address that sent the virus or attack or
blocks all traffic from connecting to the FortiGate interface that received the virus or attack.
You can also configure IPS sensors and DoS sensors to block communication between
the IP address that sent the attack and the target or receiver (victim) of the attack. NAC
quarantine blocking drops blocked packets at the network layer before the packets are
accepted by firewall policies.
NAC quarantine adds blocked IP addresses or interfaces to the Banned User list. To view
the Banned User list, go to User > Monitor > Banned User. When you configure NAC
quarantine settings, you can specify how long to block the IP addresses or interfaces.
FortiGate administrators can manually enable access again by removing IP addresses or
interfaces from the Banned User list. Removing an IP address from the Banned User list
means the user can start accessing network services through the FortiGate unit again.
Removing an interface from the list means the interface can resume normal receiving and
processing of communication sessions. For more information, see The Banned User list
on page 672.
Caution: If you have configured NAC quarantine to block IP addresses and if the FortiGate
unit receives sessions that have passed through a NAT device, all traffic, not just
individual users, could be blocked from that NAT device.
NAC quarantine and DLP
You can also use Data Leak Prevention (DLP) sensors to block access and to add users
to the Banned User list. However, unlike NAC quarantine, which drops packets at the
network layer, DLP blocks packets at the application layer, after the packets have been
accepted by firewall policies. Because of this difference, with DLP you have more control
over what is blocked and what is not. For example, if a DLP sensor matches content in an
SMTP email message, you can configure DLP to block all SMTP email from a sender
identified in the From: field of the email messages, without blocking the user from web
browsing. DLP will also add the sender's name to the Banned User list. For more
information about using actions in DLP sensors, see Adding or editing a rule or
compound rule in a DLP sensor on page 577.
NAC quarantine and DLP replacement messages
A user who is blocked by NAC quarantine or a DLP sensor with action set to Quarantine
IP address will typically attempt to start an HTTP session through the FortiGate unit using
TCP port 80. When this happens, the FortiGate unit connects the user to one of four NAC
quarantine web pages displaying messages that access has been blocked. You can
customize these web pages by going to System > Config > Replacement Message and
editing the NAC Quarantine replacement messages. For more information, see NAC
quarantine replacement messages on page 235.
When an interface is blocked by NAC quarantine or a DLP sensor with action set to
Quarantine Interface, any user attempting to start an HTTP session through this interface
using TCP port 80 will also be connected by the FortiGate unit to one of the four NAC
quarantine web pages.
The DLP Ban and Ban Sender options also send messages to blocked users. For more
information, see Adding or editing a rule or compound rule in a DLP sensor on page 577.
Configuring NAC quarantine
You can configure NAC quarantine for antivirus protection in a protection profile and for IPS sensors and DoS sensors:
To configure NAC quarantine for antivirus protection, go to Firewall > Protection Profile. Add or edit a protection profile and configure Anti-Virus. Enable Quarantine Virus Sender (to Banned Users List), select a Method, and configure Expires. For more information, see Anti-Virus options on page 477.
To configure NAC quarantine for an IPS sensor, go to UTM > Intrusion Protection > IPS Sensor. Add or edit an IPS sensor. To add NAC quarantine to a filter, select Add Filter, enable Quarantine Attackers (to Banned Users List), select a Method, and configure Expires. You can also add NAC quarantine to pre-defined and custom overrides in an IPS sensor. For more information, see Configuring filters on page 532 and Configuring pre-defined and custom overrides on page 533.
To configure NAC quarantine for a DoS sensor, you create or edit a DoS sensor and from the CLI configure NAC quarantine for one or more of the 12 anomaly types. To configure NAC quarantine for an anomaly, you set quarantine to attacker to block the attacker, both to block both the attacker and the target, or interface to block the interface that received the attack.
You can add the DoS sensor from the web-based manager or the CLI, but you can only configure NAC quarantine from the CLI. The following example shows how to edit a DoS sensor named QDoS_sensor, set quarantine to attacker for the udp_dst_session anomaly and set the quarantine expiry time to 30 minutes. The example also shows how to set quarantine to both for the icmp_flood anomaly:
config ips DoS
    edit QDoS_sensor
        config anomaly
            edit udp_dst_session
                set quarantine attacker
                set quarantine-expiry 30
            next
            edit icmp_flood
                set quarantine both
        end
    end
For more information, see the FortiGate CLI Reference.
The Banned User list
The Banned User list shows all IP addresses and interfaces blocked by NAC quarantine.
The list also shows all IP addresses, authenticated users, senders, and interfaces blocked
by Data Leak Prevention (DLP). The system administrator can selectively release users or
interfaces from quarantine or configure quarantine to expire after a selected time period.
All sessions started by users or IP addresses on the Banned User list are blocked until the
user or IP address is removed from the list. All sessions to an interface on the list are
blocked until the interface is removed from the list.
You can configure NAC quarantine to add users or IP addresses to the Banned User list
under the following conditions:
Users or IP addresses that originate attacks detected by IPS - To quarantine users
or IP addresses that originate attacks, enable and configure Quarantine Attackers in
an IPS Sensor Filter. For more information, see Configuring filters on page 532.
IP addresses or interfaces that send viruses detected by virus scanning - To
quarantine IP addresses that send viruses or interfaces that accept traffic containing a
virus, enable Quarantine Virus Sender in a protection profile. For more information,
see Anti-Virus options on page 477.
Users or IP addresses that are banned or quarantined by Data Leak Prevention -
Set various options in a DLP sensor to add users or IP addresses to the Banned User
list. For more information, see Adding or editing a rule or compound rule in a DLP
sensor on page 577.
To view the Banned User list, go to User > Monitor > Banned User.
Figure 413: Banned User list
Current Page The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of banned users or IP addresses.
Clear icon Remove all users and IP addresses from the Banned User list.
# The position number of the user or IP address in the list.
Application Protocol The protocol that was used by the user or IP address added to the Banned User list.
Cause or rule The FortiGate function that caused the user or IP address to be added to the Banned User list. Cause or rule can be IPS, Antivirus, or Data Leak Prevention.
Created The date and time the user or IP address was added to the Banned User list.
Expires The date and time the user or IP address will be automatically removed from the Banned User list. If Expires is Indefinite, you must manually remove the user or host from the list.
Delete icon Delete the selected user or IP address from the Banned User list.
WAN optimization and web caching
You can use FortiGate WAN optimization and web caching to improve performance and
security of traffic passing between locations on your wide area network (WAN) or from the
Internet to your web servers. This section introduces FortiGate WAN optimization and web
caching and describes how to configure these features.
WAN optimization is available only on some FortiGate models. For a list of some of the supported models and a more complete description of FortiGate WAN optimization and web caching, see the FortiGate WAN Optimization, Web Cache, and Web Proxy User Guide.
If you enable virtual domains (VDOMs) on the FortiGate unit, WAN optimization is
available separately for each virtual domain. For details, see Using virtual domains on
page 125.
This section contains the following topics:
Configuring WAN optimization
Configuring a WAN optimization rule
Configuring WAN optimization peers
Configuring authentication groups
WAN optimization monitoring
Changing web cache settings
Configuring WAN optimization
The WAN optimization rule list displays WAN optimization rules in their order of matching
precedence.
If virtual domains are enabled on the FortiGate unit, WAN optimization rules are
configured separately for each virtual domain; you must access the VDOM before you can
configure its rules. To access a VDOM, go to System > VDOM, and in the row
corresponding to the VDOM whose policies you want to configure, select Enter. For more
information about enabling virtual domains, see Enabling virtual domains on page 130.
You can add, delete, edit, and re-order rules in the rule list. WAN optimization rule order
affects rule matching. For details about arranging rules in the rule list, see Moving a rule
to a different position in the rule list on page 677.
To view the WAN optimization rule list, go to WAN Opt. & Cache > Rule.
Before you add WAN optimization rules, you must add firewall policies to accept the traffic
that you want to optimize. Then you add WAN optimization rules that:
match WAN traffic to be optimized that is accepted by a firewall policy, according to the source and destination addresses and destination port of the traffic
add the WAN optimization techniques to be applied to the traffic.
Figure 414: WAN optimization rule list
Create New Add a new WAN optimization rule. New rules are added to the bottom of the list.
Status Select to enable a rule or deselect to disable a rule. A disabled rule is out of service.
ID The rule identifier. Rules are numbered in the order they are added to the rule list.
Source The source address or address range that the rule matches. See About WAN optimization addresses on page 679.
Destination The destination address or address range that the rule matches. See About WAN optimization addresses on page 679.
Port The destination port number or port number range that the rule matches.
Method Indicates whether you have selected byte caching in the WAN optimization rule.
Auto-Detect Indicates whether the rule is an active (client) rule, a passive (server) rule, or if auto-detect is off. If auto-detect is off, the rule can be a peer-to-peer rule or a Web Cache Only rule.
Protocol The protocol optimization technique applied by the rule. See the FortiGate WAN Optimization, Web Cache, and Web Proxy User Guide.
Peer For a peer-to-peer rule, the name of the peer WAN optimizer at the other end of the link.
Mode Indicates whether the rule applies Full Optimization or Web Cache Only.
SSL Indicates whether the rule is configured for SSL offloading.
Secure Tunnel Indicates whether the rule is configured to use a secure WAN optimization tunnel.
Delete icon Delete a rule from the list.
Edit icon Edit a rule.
Insert WAN Optimization Rule Before icon Add a new rule above the corresponding rule (the New rule screen appears).
Move To icon Move the corresponding rule before or after another rule in the list. See Moving a rule to a different position in the rule list on page 677.
Moving a rule to a different position in the rule list
You can arrange the WAN optimization rule list to influence the order in which rules are
evaluated for matches with incoming traffic. When more than one rule has been defined,
the first matching rule will be applied to the traffic session.
Moving a rule in the rule list does not change its ID, which only indicates the order in which
the rule was created.
Figure 415: Move rule
To move a rule in the WAN optimization rule list
1 Go to WAN Opt & Cache > Rule.
2 In the rule list, note the ID of a rule that is before or after your intended destination.
3 In the row corresponding to the rule that you want to move, select the Move To icon.
4 Select Before or After, and enter the ID of the rule that is before or after your intended destination. This specifies the rule's new position in the WAN optimization rule list.
5 Select OK.
Configuring a WAN optimization rule
This section describes the WAN optimization rule options. The options that appear in
WAN optimization rules depend on how you configure the rule. This section describes all
of the options.
To add a WAN optimization rule, go to WAN Opt. & Cache > Rule and select Create New.
Figure 416: Configuring a WAN optimization rule
Mode Select Full Optimization to add a rule that can apply all WAN optimization features.
Select Web Cache Only to add a rule that just applies web caching. If you select
Web Cache Only, you can configure the source and destination address and port
for the rule. You can also select Transparent Mode and Enable SSL.
Source Enter an IP address, followed by a forward slash (/), then subnet mask, or enter an
IP address range separated by a hyphen. See About WAN optimization
addresses on page 679.
Only packets whose source address header contains an IP address matching this
IP address or address range will be accepted by and subject to this rule.
For a passive rule, the server (passive) source address range should be
compatible with the source addresses of the matching client (active) rule. To match
one passive rule with many active rules, the passive rule source address range
should include the source addresses of all of the active rules.
Destination Enter an IP address, followed by a forward slash (/), then subnet mask, or enter an
IP address range separated by a hyphen. See About WAN optimization
addresses on page 679.
Only a packet whose destination address header contains an IP address matching
this IP address or address range will be accepted by and subject to this rule.
Tip: For a Web Cache Only rule, if you set Destination to 0.0.0.0, the rule caches
web pages on the Internet or any network.
For a passive rule, the server (passive) destination address range should be
compatible with the destination addresses of the matching client (active) rule. To
match one passive rule with many active rules, the passive rule destination
address range should include the destination addresses of all of the active rules.
Port Enter a single port number or port number range. Only packets whose destination
port number matches this port number or port number range will be accepted by
and subject to this rule.
For a passive rule, the server (passive) port range should be compatible with the
port range of the matching client (active) rule. To match one passive rule with many
active rules, the passive rule port range should include the port ranges of all of the
active rules.
Auto-Detect Available only if Mode is set to Full Optimization.
Specify whether the rule is an Active (client) rule, a Passive (server) rule or if auto-
detect is Off. If auto-detect is off the rule is a peer-to-peer rule.
For an Active (client) rule, you must select all of the WAN optimization features to
be applied by the rule. You can select the protocol to optimize, transparent mode,
byte caching, SSL offloading, secure tunneling, and an authentication group.
A Passive (server) rule uses the settings in the active rule on the client FortiGate
unit to apply WAN optimization settings. You can also select web caching for a
passive rule.
If Auto-Detect is Off, the rule must include all required WAN optimization features
and you must select a Peer for the rule. Select this option to configure peer-to-
peer WAN optimization where this rule can start a WAN optimization tunnel with
this peer only.
Protocol Available only if Mode is set to Full Optimization, and Auto-Detect is set to Off or
Active.
Select CIFS, FTP, HTTP, or MAPI to apply protocol optimization for one of these
protocols. For information about protocol optimization, see the FortiGate WAN
Optimization, Web Cache, and Web Proxy User Guide.
Select TCP if the WAN optimization tunnel accepts sessions that use more than
one protocol or that do not use the CIFS, FTP, HTTP, or MAPI protocol.
Peer Available only if Mode is set to Full Optimization, and Auto-Detect is set to Off.
Select the peer host ID of the peer that this peer-to-peer WAN optimization rule will
start a WAN optimization tunnel with. You can also select [Create New ...] to add a
new peer.
Enable Web Cache Available only if Mode is set to Full Optimization, and Auto-Detect is set to Off or Passive. If Auto-Detect is set to Off, then Protocol must be set to HTTP.
Select to apply WAN optimization web caching to the sessions accepted by this rule. For more information, see the FortiGate WAN Optimization, Web Cache, and Web Proxy User Guide.
Transparent Mode Servers receiving packets after WAN optimization see different source addresses depending on whether or not you select Transparent Mode. You can select this option if Auto-Detect is set to Active or Off. You can also select it for Web Cache Only rules.
Select this option to keep the original source address of the packets when they are sent to servers. The servers appear to receive traffic directly from clients. The server network should be configured to route traffic with client source IP addresses from the server side FortiGate unit to the server and back to the server side FortiGate unit.
If this option is not selected, the server side FortiGate unit changes the source address of the packets received by servers to the address of the server side FortiGate unit interface that sends the packets to the servers, so servers appear to receive packets from the server side FortiGate unit. Routing on the server network is usually simpler in this case because client addresses are not involved, but the server sees all traffic as coming from the server side FortiGate unit and not from individual clients.
Enable Byte Caching Available only if Mode is set to Full Optimization, and Auto-Detect is set to Off or Active.
Select to apply WAN optimization byte caching to the sessions accepted by this rule. For more information, see the FortiGate WAN Optimization, Web Cache, and Web Proxy User Guide.
Enable SSL Available only if Auto-Detect is set to Active or Off.
Select to apply SSL offloading for HTTPS traffic. You can use SSL offloading to offload SSL encryption and decryption from one or more HTTP servers to the FortiGate unit. If you enable this option, you must configure the rule to accept SSL-encrypted traffic, for example, by configuring the rule to accept HTTPS traffic by setting Port to 443.
If you enable SSL offloading, you must also use the CLI command config wanopt ssl-server to add an SSL server for each HTTP server that you want to offload SSL encryption/decryption for. For more information, see the FortiGate WAN Optimization, Web Cache, and Web Proxy User Guide.
Enable Secure Tunnel Available only if Mode is set to Full Optimization, and Auto-Detect is set to Active or Off.
If you select Enable Secure Tunnel, the WAN optimization tunnel is encrypted using SSL encryption. You must also add an authentication group to the rule. For more information, see the FortiGate WAN Optimization, Web Cache, and Web Proxy User Guide.
Authentication Group Available only if Mode is set to Full Optimization, and Auto-Detect is set to Active or Off.
Select this option and select an authentication group from the list if you want groups of FortiGate units to authenticate with each other before starting the WAN optimization tunnel. You must also select an authentication group if you select Enable Secure Tunnel.
You must add identical authentication groups to both of the FortiGate units that will participate in the WAN optimization tunnel started by the rule. For more information, see Configuring authentication groups on page 681.
About WAN optimization addresses
A WAN optimization source or destination address can contain one or more network addresses. Network addresses can be represented by an IP address with a netmask or an IP address range.
When representing hosts by an IP address with a netmask, the IP address can represent one or more hosts. For example, a source or destination address can be:
a single computer, such as 192.45.46.45
a subnetwork, such as 192.168.1.0 for a class C subnet
0.0.0.0, which matches any IP address.
The netmask corresponds to the subnet class of the address being added, and can be represented in either dotted decimal or CIDR format. The FortiGate unit automatically converts CIDR formatted netmasks to dotted decimal format. Example formats:
netmask for a single computer: 255.255.255.255, or /32
netmask for a class A subnet: 255.0.0.0, or /8
netmask for a class B subnet: 255.255.0.0, or /16
netmask for a class C subnet: 255.255.255.0, or /24
netmask including all IP addresses: 0.0.0.0
Valid IP address and netmask formats include:
x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0
x.x.x.x/x, such as 192.168.1.0/24
When representing hosts by an IP range, the range indicates hosts with contiguous IP addresses in a subnet, such as 192.168.1.[2-10], or 192.168.1.* to indicate the complete range of hosts on that subnet. Valid IP range formats include:
x.x.x.x-x.x.x.x, such as 192.168.110.100-192.168.110.120
x.x.x.[x-x], such as 192.168.110.[100-120]
x.x.x.*, such as 192.168.110.*
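The address formats described in this section, together with the first-match rule evaluation described under Configuring WAN optimization and Moving a rule, as an added Python model that is not part of the guide and not FortiOS code. It parses every documented address form (rejecting 0.0.0.0 with netmask 255.255.255.255, which the guide says is invalid), matches a session against a rule list in list order, and shows that moving a rule changes precedence but not its ID; the sample rules and the reading of a bare non-zero address as a single host are assumptions.

```python
# Added example (not FortiOS code): WAN optimization address formats and rule order.
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Range forms from the address section: x.x.x.[x-x] and x.x.x.*
_BRACKET_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){2})\.\[(\d{1,3})-(\d{1,3})\]$")
_STAR_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){2})\.\*$")


@dataclass(frozen=True)
class AddressSet:
    """Inclusive range of IPv4 addresses (as integers) covered by a rule address."""
    low: int
    high: int

    def contains(self, ip: str) -> bool:
        return self.low <= int(ipaddress.IPv4Address(ip)) <= self.high


def _span(lo: str, hi: str) -> AddressSet:
    low, high = int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
    if low > high:
        raise ValueError(f"range {lo}-{hi} is reversed")
    return AddressSet(low, high)


def parse_address(text: str) -> AddressSet:
    """Parse x.x.x.x/x.x.x.x, x.x.x.x/x, x.x.x.x-x.x.x.x, x.x.x.[x-x], x.x.x.* or
    bare 0.0.0.0 (any address). Assumption not stated by the guide: a bare
    non-zero address is a single host."""
    text = text.strip()
    if "/" in text:
        # ipaddress accepts both CIDR prefix lengths and dotted-decimal netmasks.
        net = ipaddress.IPv4Network(text, strict=False)
        # The guide's note: 0.0.0.0 with netmask 255.255.255.255 is not valid.
        if net.prefixlen == 32 and int(net.network_address) == 0:
            raise ValueError("0.0.0.0/255.255.255.255 is not a valid address")
        return AddressSet(int(net.network_address), int(net.broadcast_address))
    if m := _BRACKET_RE.match(text):
        prefix, lo, hi = m.groups()
        return _span(f"{prefix}.{lo}", f"{prefix}.{hi}")
    if m := _STAR_RE.match(text):
        return _span(f"{m.group(1)}.0", f"{m.group(1)}.255")
    if "-" in text:
        lo, hi = text.split("-", 1)
        return _span(lo, hi)
    if text == "0.0.0.0":
        return AddressSet(0, 0xFFFFFFFF)
    return _span(text, text)


def parse_ports(text: str) -> Tuple[int, int]:
    """Port is a single destination port or an inclusive range 'lo-hi'."""
    parts = text.split("-", 1)
    lo, hi = int(parts[0]), int(parts[-1])
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port or range: {text}")
    return lo, hi


@dataclass(frozen=True)
class Rule:
    rule_id: int  # assigned at creation; unchanged when the rule is moved
    source: str
    destination: str
    port: str
    enabled: bool = True

    def matches(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        lo, hi = parse_ports(self.port)
        return (self.enabled and lo <= dst_port <= hi
                and parse_address(self.source).contains(src_ip)
                and parse_address(self.destination).contains(dst_ip))


def first_match(rules: List[Rule], src_ip: str, dst_ip: str, dst_port: int) -> Optional[int]:
    """ID of the first enabled rule, in list order, that matches the session."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dst_port):
            return rule.rule_id
    return None


def move_rule(rules: List[Rule], rule_id: int, *, before: Optional[int] = None,
              after: Optional[int] = None) -> List[Rule]:
    """Reposition a rule relative to another rule's ID, as the Move To dialog does;
    IDs stay the same, only list order (and so matching precedence) changes."""
    if (before is None) == (after is None):
        raise ValueError("specify exactly one of before= or after=")
    moving = next(r for r in rules if r.rule_id == rule_id)
    rest = [r for r in rules if r.rule_id != rule_id]
    anchor = before if before is not None else after
    idx = next(i for i, r in enumerate(rest) if r.rule_id == anchor)
    if after is not None:
        idx += 1
    return rest[:idx] + [moving] + rest[idx:]
```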
Note: An IP address 0.0.0.0 with netmask 255.255.255.255 is not a valid source or destination address.
Configuring WAN optimization peers
You can add the local host ID that identifies the FortiGate unit for WAN optimization and add the peer host ID and IP address of each FortiGate unit with which this FortiGate unit can create WAN optimization tunnels.
To configure WAN optimization peers, go to WAN Opt. & Cache > Peer.
Figure 417: WAN optimization peer list
Viewing basic information
Create New Add a new peer.
Local Host ID Enter the local host ID of this FortiGate unit and select Apply. If you add this FortiGate unit as a peer to another FortiGate unit, use this ID as its peer host ID.
Apply Save a change to the Local Host ID to the FortiGate configuration.
Edit icon Select Edit beside an existing peer to modify it.
Delete icon Delete a peer.
Adding or modifying a peer
Create New Select to add a new peer.
Peer Host ID The peer host ID of the peer FortiGate unit. This is the local host ID added to the peer FortiGate unit.
IP Address The IP address of the peer FortiGate unit. Usually this is the IP address of the FortiGate interface connected to the WAN.
Configuring authentication groups
You need to add authentication groups to support authentication and secure tunneling between WAN optimization peers.
To perform authentication, WAN optimization peers use a certificate or a pre-shared key added to an authentication group to identify each other before forming a WAN optimization tunnel. Both peers must have an authentication group with the same name and settings.
You add the authentication group to a peer-to-peer or active rule on the client side FortiGate unit. When the server side FortiGate unit receives a tunnel start request from the client side FortiGate unit that includes an authentication group, the server side FortiGate unit finds an authentication group in its configuration with the same name. If both authentication groups have the same certificate or pre-shared key, the peers can authenticate and set up the tunnel.
Authentication groups are also required for secure tunneling. To configure secure tunneling, both peers must have an authentication group with the same name and settings. On the client side FortiGate unit, to enable secure tunneling you select Enable Secure Tunnel in a peer-to-peer or active rule and select the authentication group. After the client and server side FortiGate units authenticate with each other, they also use the pre-shared key or certificate in the authentication group to encrypt and decrypt the tunnel packets. The encrypted tunnel uses SSL encryption.
To add authentication groups, go to WAN Opt. & Cache > Peer > Authentication Group.
Figure 418: WAN optimization Authentication Group list
Viewing basic information
Create New Add a new authentication group.
Name The name of the authentication group.
Authentication method The method used to authenticate the tunnels: certificate (plus certificate name) or pre-shared key.
Peer(s) The host IDs of the peers added to the authentication group. When you add the authentication group to a WAN optimization rule, only these FortiGate units can authenticate to use this WAN optimization rule. Peer(s) can be any peer, a peer added to the FortiGate unit peer list (defined peers), or a selected peer.
Adding or modifying an authentication group
Create New Select to add a new authentication group.
Edit icon Select Edit beside an existing authentication group to modify it.
Delete icon Select to delete an authentication group.
Name Add or change the name of the authentication group. Select this name when adding the authentication group to a rule.
Other FortiGate units that participate in WAN optimization tunnels with this FortiGate unit must have an authentication group with the same name.
Authentication Method Select the authentication method to use.
Select Certificate if you want to use a certificate to authenticate and encrypt WAN optimization tunnels.
Select Pre-shared key if you want to use a pre-shared key or password to authenticate and encrypt WAN optimization tunnels.
Certificate (list) Available only when Authentication Method is Certificate.
Select a local certificate that has been added to this FortiGate unit. Other FortiGate units that participate in WAN optimization tunnels with this FortiGate unit must have an authentication group with the same name and certificate.
Go to System > Certificates > Local Certificates to add a local certificate to a FortiGate unit.
Password Available only when Authentication Method is Pre-shared key.
Add the password (or pre-shared key) used by the authentication group. Other FortiGate units that participate in WAN optimization tunnels with this FortiGate unit must have an authentication group with the same name and password.
The key must contain at least 6 printable characters and should be known only by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.
Peer Acceptance One or more of the following options are available to authenticate WAN optimization peers:
Accept Any Peer Authenticate with any peer. Use this setting if you do not know the peer host IDs or IP addresses of the peers that will use this authentication group. This setting is most often used for WAN optimization with the FortiClient application.
Accept Defined Peers Authenticate with any peer in the FortiGate unit peer list.
Specify Peer Authenticate with the selected peer only. Select this option and then select the peer to add to this authentication group.
WAN optimization monitoring
Using WAN optimization monitoring, you can view and improve WAN optimization performance. The monitoring tools help isolate performance problems, aid in troubleshooting, and enable network optimization and capacity planning.
The monitor uses collected log information and presents it in a graphical format to show network traffic summary and bandwidth optimization information.
To view the WAN optimization monitor, go to WAN Opt. & Cache > Monitor.
WAN optimization and web caching WAN optimization monitoring
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20091022 683
http://docs.fortinet.com/ Feedback
Figure 419: WAN optimization monitor
Traffic Summary This section provides traffic optimization information. The piechart illustrates
the percentage of traffic for supported applications processed during the
selected Period. The table displays how much traffic has been reduced by
WAN optimization by comparing the amount of LAN and WAN traffic for
each protocol.
Refresh icon Refresh the Traffic Summary.
Period Select a time period to show traffic summary for. You can select:
Last 10 Minutes
Last 1 Hour
Last 1 Day
Last 1 Week
Last 1 Month
Reduction Rate Displays each applications optimization rate. For example, a rate of 80%
means the amount of data processed by that application has been reduced
by 20%.
LAN The amount of data in MB received from the LAN for each application.
WAN The amount of data in MB sent across the WAN for each application. The
greater the difference between the LAN and WAN data, the greater the
amount of data reduced by WAN optimization byte caching, web caching,
and protocol optimization.
Bandwidth
Optimization
This section shows network bandwidth optimization per time Period. A line
or column chart compares an applications pre-optimized (LAN data) size
with its optimized size (WAN data).
Refresh icon Select to refresh the Bandwidth Optimization display.
Refresh Traffic Summary
Refresh Bandwidth Optimization
Changing web cache settings WAN optimization and web caching
FortiGate Version 4.0 MR1 Administration Guide
684 01-410-89802-20091022
http://docs.fortinet.com/ Feedback
Changing web cache settings
In most cases the default settings for the WAN optimization web cache are acceptable.
However, you may want to change them to improve performance or optimize the cache for
your configuration. To change these settings, go to WAN Opt. & Cache > Cache.
Figure 420: Web Cache Settings
Period Select a time frame to show bandwidth optimization. You can select:
Last 10 Minutes
Last 1 Hour
Last 1 Day
Last 1 Week
Last 1 Month
Protocol Select All to display bandwidth optimization for all applications. Select an
individual protocol to display bandwidth optimization for that individual
protocol.
Chart Type Select to display bandwidth optimization with a line chart or a column chart.
Note: For more information about many of these web cache settings, see RFC 2616.
Always revalidate Select to always revalidate requested cached object with content on the
server before serving it to the client.
Max Cache Object Size Set the maximum object size to cache. The default size is 512000 KB. This
object size determines the maximum object size to store in the web cache.
Objects retrieved that are larger than the maximum size are still delivered to
the client but are not stored in the web cache.
Negative Response Duration Set how long in minutes to cache negative responses. The default is 0,
meaning negative responses are not cached. The content server might send
a client error code (4xx HTTP response) or a server error code (5xx HTTP
response) as a response to some requests. If the web cache is configured to
cache these negative responses, it returns that response in subsequent
requests for that page or image for the specified number of minutes.
Fresh Factor Set the fresh factor as a percentage. The default is 100, and the range is 1 to
100. For cached objects that do not have an expiry time, the web cache
periodically checks the server to see if the objects have expired. The higher
the fresh factor the less often the checks occur. For example, if you set the
Max TTL value and Default TTL at 7200 minutes (5 days) and set the Fresh
Factor at 20, the web cache will check the cached objects 5 times before
they expire, but if you set the Fresh Factor at 100, the web cache will check
once.
Max TTL The maximum amount of time (Time to Live) an object can stay in the web
cache without the cache checking to see if it has expired on the server. The
default is 7200 minutes (120 hours or 5 days).
Min TTL The minimum amount of time an object can stay in the web cache before the
web cache checks to see if it has expired on the server. The default is 5
minutes.
Default TTL The default expiry time for objects that do not have an expiry time set by the
web server. The default expiry time is 1440 minutes (24 hours).
Explicit Proxy Indicates whether the explicit proxy has been enabled for the FortiGate unit.
See Configuring the explicit web proxy on page 182.
Enable Cache Explicit Proxy Select to enable using the WAN optimization web cache to cache for the
explicit proxy.
Ignore If-modified-since By default, if the time specified by the if-modified-since (IMS) header in the
client's conditional request is greater than the last modified time of the object
in the cache, it is a strong indication that the copy in the cache is stale. If so,
HTTP does a conditional GET to the Overlay Caching Scheme (OCS), based
on the last modified time of the cached object. Enable Ignore If-modified-since
to override this behavior.
HTTP 1.1 Conditionals HTTP 1.1 provides additional controls to the client over the behavior of
caches toward stale objects. Depending on various cache-control headers,
the FortiGate unit can be forced to consult the OCS before serving the object
from the cache. For more information about the behavior of cache-control
header values, see RFC 2616.
Pragma-no-cache Typically, if a client sends an HTTP GET request with a pragma no-cache
(PNC) or cache-control no-cache header, a cache must consult the OCS
before serving the content. This means that the FortiGate unit always re-
fetches the entire object from the OCS, even if the cached copy of the object
is fresh.
Because of this behavior, PNC requests can degrade performance and
increase server-side bandwidth utilization. However, if Ignore Pragma-no-
cache is enabled, then the PNC header from the client request is ignored.
The FortiGate unit treats the request as if the PNC header is not present at
all.
IE Reload Some versions of Internet Explorer issue an Accept: */* header instead of a
Pragma no-cache header when you select Refresh. When an Accept header has
only the */* value, the FortiGate unit treats it as a PNC header if it is a type-N
object. When Ignore IE Reload is enabled, the FortiGate unit ignores the PNC
interpretation of the Accept: */* header.
Cache Expired Objects Applies only to type-1 objects. When this option is selected, expired type-1
objects are cached (if all other conditions make the object cacheable).
Revalidated Pragma-no-cache The pragma-no-cache (PNC) header in a client's request can affect the
efficiency of the FortiGate unit's bandwidth. If you do not want to completely
ignore PNC in client requests (which you can do by selecting Ignore
Pragma-no-cache, above), you can nonetheless lower the impact on the
bandwidth by selecting Revalidate Pragma-no-cache. When this option is
selected, a client's non-conditional PNC-GET request results in a conditional
GET request sent to the OCS if the object is already in the cache. This gives
the OCS a chance to return the 304 Not Modified response, which consumes
less server-side bandwidth, because the OCS has not been forced to
otherwise return full content. By default, Revalidate Pragma-no-cache is
disabled and is not affected by changes in the top-level profile. When the
Substitute Get for PNC configuration is enabled, the revalidate PNC
configuration has no effect.
Most download managers make byte-range requests with a PNC header. To
serve such requests from the cache, you should also configure byte-range
support when you configure the Revalidate Pragma-no-cache option.
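The TTL, Fresh Factor, negative-response and Pragma-no-cache rules described in the table above, modelled as an added Python example (this is not FortiOS code; the CacheSettings fields, function names and the plain-dict request headers are assumptions made for illustration):

```python
# Added illustration of the web cache rules above; not FortiOS code.
# All names (CacheSettings, handle_request, ...) are assumptions.
from dataclasses import dataclass
from email.utils import parsedate_to_datetime
from enum import Enum
from typing import Optional, Tuple


class Action(Enum):
    SERVE_FROM_CACHE = "serve the cached copy"
    CONDITIONAL_GET = "conditional GET to the OCS (may get 304 Not Modified)"
    FULL_FETCH = "re-fetch the entire object from the OCS"


@dataclass
class CacheSettings:
    """Settings from the Web Cache page, with the guide's defaults."""
    max_object_kb: int = 512000      # Max Cache Object Size
    negative_minutes: int = 0        # Negative Response Duration (0 = off)
    fresh_factor: int = 100          # Fresh Factor, 1..100
    max_ttl: int = 7200              # Max TTL, minutes
    min_ttl: int = 5                 # Min TTL, minutes
    default_ttl: int = 1440          # Default TTL, minutes
    always_revalidate: bool = False  # Always revalidate
    ignore_ims: bool = False         # Ignore If-modified-since
    ignore_pnc: bool = False         # Ignore Pragma-no-cache
    ignore_ie_reload: bool = False   # Ignore IE Reload
    revalidate_pnc: bool = False     # Revalidated Pragma-no-cache


def is_storable(status: int, size_kb: int, s: CacheSettings) -> bool:
    """Can this response enter the cache?  Oversized objects are delivered
    but not stored; 4xx/5xx answers are stored only when negative caching
    is on (and then only for negative_minutes)."""
    if size_kb > s.max_object_kb:
        return False
    if 400 <= status <= 599:
        return s.negative_minutes > 0
    return 200 <= status <= 299


def revalidation_schedule(s: CacheSettings,
                          expires_in: Optional[int] = None) -> Tuple[int, int]:
    """Return (minutes between server checks, checks before expiry).

    Objects without an expiry get Default TTL; the lifetime is clamped to
    [Min TTL, Max TTL].  Fresh Factor is the share of that lifetime that may
    pass between checks: with a 7200-minute TTL, FF=20 gives 5 checks and
    FF=100 gives 1, which is the guide's own example.
    """
    ttl = s.default_ttl if expires_in is None else expires_in
    ttl = max(s.min_ttl, min(s.max_ttl, ttl))
    interval = max(s.min_ttl, ttl * s.fresh_factor // 100)
    return interval, max(1, ttl // interval)


def handle_request(headers: dict, cached: Optional[dict],
                   s: CacheSettings) -> Action:
    """Decide how a client GET is answered.

    `headers` maps lower-case request header names to values; `cached` is
    None when the object is not in the cache, otherwise a dict with
    "last_modified" (Unix time) and "fresh" (still within its TTL).
    """
    if cached is None:
        return Action.FULL_FETCH
    pnc = (headers.get("pragma") == "no-cache"
           or "no-cache" in headers.get("cache-control", ""))
    # Some Internet Explorer versions send only "Accept: */*" on Refresh;
    # the cache treats that as PNC unless Ignore IE Reload is enabled.
    if headers.get("accept") == "*/*" and not s.ignore_ie_reload:
        pnc = True
    if pnc and not s.ignore_pnc:
        # Revalidate PNC turns the unconditional PNC GET into a conditional
        # one, so the OCS can answer 304 instead of sending the whole body.
        return Action.CONDITIONAL_GET if s.revalidate_pnc else Action.FULL_FETCH
    ims = headers.get("if-modified-since")
    if ims and not s.ignore_ims:
        client_copy = parsedate_to_datetime(ims).timestamp()
        if client_copy > cached["last_modified"]:
            # The client holds a newer copy than we do: ours is stale.
            return Action.CONDITIONAL_GET
    if s.always_revalidate or not cached["fresh"]:
        return Action.CONDITIONAL_GET
    return Action.SERVE_FROM_CACHE


if __name__ == "__main__":
    # Constructed sample: the guide's 7200-minute / FF=20 case, a fresh
    # cached object, and three client requests.
    settings = CacheSettings(fresh_factor=20, max_ttl=7200, default_ttl=7200)
    print(revalidation_schedule(settings))                 # (1440, 5)
    obj = {"last_modified": 1_600_000_000, "fresh": True}
    for req in ({}, {"pragma": "no-cache"}, {"accept": "*/*"}):
        print(req, "->", handle_request(req, obj, settings).value)
```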
Endpoint NAC
Endpoint Network Access Control (NAC) enforces the use of the FortiClient End Point
Security (Enterprise Edition) application on your network. It can also allow or deny
endpoints access to the network based on the applications installed on them.
FortiClient enforcement can check that the endpoint is running the most recent version of
the FortiClient application, that the antivirus signatures are up-to-date and that the firewall
is enabled. An endpoint is most often a single PC with a single IP address being used to
access network services through a FortiGate unit.
You enable endpoint NAC in a firewall policy. When traffic attempts to pass through the
firewall policy, the FortiGate unit runs compliance checks on the originating host on the
source interface. Non-compliant endpoints are blocked. If the endpoint is web browsing, it
is redirected to a web portal that explains the non-compliance and provides a link to
download the FortiClient application installer.
To ease introduction of endpoint NAC on your network, the FortiGate unit can optionally
recommend non-compliant users install FortiClient software but allow them to continue
without doing so.
You can monitor the endpoints that are subject to endpoint NAC, viewing information
about the computer, its operating system and detected applications.
This section describes:
Configuring Endpoint NAC overview
Configuring FortiClient installer download and version enforcement
Configuring application detection lists
Configuring Endpoint NAC profiles
Monitoring endpoints
Configuring Endpoint NAC overview
Endpoint NAC requires that all hosts using the firewall policy have the FortiClient Endpoint
Security application installed. Make sure that all hosts affected by this policy are able to
install this application. Currently, FortiClient Endpoint Security is available for Microsoft
Windows 2000 and later only.
To set up endpoint NAC, you need to
Enable Central Management by the FortiGuard Analysis & Management Service if you
will use FortiGuard Services to update the FortiClient application or antivirus
signatures. You do not need to enter account information. See Central Management
on page 260.
Configure the minimum required version of FortiClient and the source of FortiClient
installer downloads for non-compliant endpoints. See Configuring FortiClient installer
download and version enforcement on page 688.
Note: Endpoint NAC does not function if enabled in a firewall policy that contains a load
balance VIP.
Define application detection lists to specify which applications are allowed or not
allowed. Optionally, you can deny access to endpoints that have applications installed
that are not on the detection list. See Configuring application detection lists on
page 689.
Configure Endpoint NAC profiles which specify the FortiClient enforcement settings
and the application detection list to apply. You select the Endpoint NAC profile to use
when you enable Endpoint NAC in the firewall policy.
Enable endpoint NAC in firewall policies.
Optionally, modify the inactivity timeout for endpoints. The default is 5 minutes. After
that time period, the FortiGate unit rechecks the endpoint for Endpoint NAC
compliance. To change the timeout, adjust the compliance-timeout value in the
config endpoint-control settings CLI command.
You can also modify the appearance of the Endpoint NAC Download Portal and the
Endpoint NAC Recommendation Portal. These are replacement messages. For more
information, see Endpoint NAC replacement messages on page 235.
Configuring FortiClient installer download and version enforcement
Go to Endpoint NAC > Config to set the minimum FortiClient version that endpoints are
required to run and to configure the download source for the FortiClient installer.
Figure 421: Configuring FortiClient version requirements and installer source
Note: You cannot enable Endpoint NAC in firewall policies if Redirect HTTP Challenge
to a Secure Channel (HTTPS) is enabled in User > Options > Authentication.
Information
FortiGuard Availability FortiGuard Services is available if the indicator is green.
FortiClient Endpoint Versions FortiClient software versions available from FortiGuard Services are
listed. Select the Download link to download the installer.
AV Signature Package The latest AV signature package available from FortiGuard Services.
Application Signature Package The latest application signature package available from FortiGuard
Services.
FortiClient Downloads The number of FortiClient software downloads through this FortiGate
unit.
Update Now Retrieve the latest information from FortiGuard Services.
FortiClient Installer Download Location Select one of the following options to determine the link that the
FortiClient Download Portal provides to non-compliant users to
download the FortiClient installer.
FortiGuard Distribution Network The FortiClient application is provided by the FortiGuard Distribution
Network. The FortiGate unit must be able to access the FortiGuard
Distribution Network. See Configuring FortiGuard Services on
page 300.
If the FortiGate unit contains a hard disk drive, the files from
FortiGuard Services are cached to more efficiently serve downloads
to multiple endpoints.
This FortiGate Users download a FortiClient installer file from this FortiGate unit.
This option is available only on FortiGate models that support upload
of FortiClient installer files. Upload your FortiClient installer file using
the execute restore forticlient CLI command. For more
information, refer to the FortiGate CLI Reference.
Custom URL Specify a URL from which users can download the FortiClient
installer. You can use this option to provide custom installer files even
if your FortiGate unit does not have storage space for them.
Enforce Minimum Version From the list select either Latest Available or a specific FortiClient
version as the minimum requirement for endpoints.
The list contains the FortiClient versions available from the selected
FortiClient Installer Download Location.
Fortinet recommends that administrators deploy a FortiClient version
update to their users or ask users to install the update and then wait a
reasonable period of time for the updates to be installed before
updating the minimum version required to the most recent version.
Note: Select This FortiGate or Custom URL if you want to provide a customized FortiClient
application. This is required if a FortiManager unit will centrally manage FortiClient
applications. For information about customizing the FortiClient application, see the
FortiClient Administration Guide.
Configuring application detection lists
Application detection lists determine which applications are permitted or not permitted on
network endpoints. An application detection list is part of an Endpoint NAC profile that you
can apply in your firewall policies. You can create multiple lists.
Application detection is based on application signatures provided by FortiGuard Services.
You create your application detection list entries by selecting applications from
FortiGuard-supplied lists of categories, vendors, and application names. To view
application information from FortiGuard services, go to Endpoint NAC >
Application Detection > Predefined.
Application detection checks applications against the detection list from the top down until
it finds a match. Specific entries, such as those that list one particular application, should
precede more general entries, such as those that match all applications of a particular
category.
Go to Endpoint NAC > Application Detection > Detection List to create application
detection lists.
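The compliance decision this chapter describes (minimum FortiClient version, the additional client options, warn-only versus quarantine, and top-down first-match evaluation of an application detection list with a default for unlisted applications), modelled as an added Python example. It is not FortiOS code; the class names, fields and the sample detection list are assumptions constructed for illustration.

```python
# Added illustration of the Endpoint NAC checks described in this chapter;
# not FortiOS code.  Class names, fields and the sample data are assumptions.
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Verdict(Enum):
    ALLOW = "allow"
    RECOMMEND = "show Recommendation Portal, then allow (warn only)"
    DOWNLOAD_PORTAL = "block and show Download Portal (enforce compliance)"
    QUARANTINE = "quarantine (denied application detected)"


@dataclass
class DetectedApp:
    name: str
    vendor: str
    category: str
    running: bool = False


@dataclass
class DetectionEntry:
    """One row of an application detection list; None means 'any'."""
    action: str                         # "Allow" | "Deny" | "Monitor"
    category: Optional[str] = None
    vendor: Optional[str] = None
    application: Optional[str] = None
    status: str = "Installed"           # "Installed" = present, not running

    def matches(self, app: DetectedApp) -> bool:
        if (self.status == "Running") != app.running:
            return False
        return all(want is None or want == have for want, have in (
            (self.category, app.category),
            (self.vendor, app.vendor),
            (self.application, app.name)))


@dataclass
class NacProfile:
    min_version: Tuple[int, ...]        # Enforce Minimum Version
    quarantine: bool = True             # False = Notify hosts (warn only)
    require_av: bool = False            # Anti-virus Enabled
    require_av_current: bool = False    # Anti-virus Up-to-date
    require_firewall: bool = False      # Firewall Enabled
    detection_list: List[DetectionEntry] = field(default_factory=list)
    other_apps: str = "Allow"           # Other Applications (not listed)


@dataclass
class Endpoint:
    """What the FortiGate learns about a host; apps are reported by FortiClient."""
    forticlient_version: Optional[Tuple[int, ...]] = None  # None: not installed
    av_enabled: bool = False
    av_up_to_date: bool = False
    firewall_enabled: bool = False
    apps: List[DetectedApp] = field(default_factory=list)


def classify_app(profile: NacProfile, app: DetectedApp) -> str:
    """Top-down, first match wins; unlisted apps get the Other Applications action."""
    for entry in profile.detection_list:
        if entry.matches(app):
            return entry.action
    return profile.other_apps


def evaluate(profile: NacProfile, ep: Endpoint) -> Tuple[Verdict, List[str], List[str]]:
    """Return (verdict, reasons for non-compliance, monitored application names)."""
    reasons: List[str] = []
    if ep.forticlient_version is None:
        reasons.append("FortiClient not installed")
    elif ep.forticlient_version < profile.min_version:
        reasons.append("FortiClient below the minimum version")
    else:
        if profile.require_av and not ep.av_enabled:
            reasons.append("antivirus disabled")
        if profile.require_av_current and not ep.av_up_to_date:
            reasons.append("antivirus signatures out of date")
        if profile.require_firewall and not ep.firewall_enabled:
            reasons.append("firewall disabled")
    monitored: List[str] = []
    for app in ep.apps:
        action = classify_app(profile, app)
        if action == "Deny":
            return Verdict.QUARANTINE, reasons + [f"denied application: {app.name}"], monitored
        if action == "Monitor":
            monitored.append(app.name)
    if reasons:
        return (Verdict.DOWNLOAD_PORTAL if profile.quarantine else Verdict.RECOMMEND), reasons, monitored
    return Verdict.ALLOW, reasons, monitored


# Constructed sample list: specific entries placed before the general category entry.
SAMPLE_PROFILE = NacProfile(
    min_version=(4, 0, 1),
    require_firewall=True,
    detection_list=[
        DetectionEntry("Allow", category="Remote Access", application="ApprovedRemote"),
        DetectionEntry("Deny", category="P2P", application="BitTorrent", status="Running"),
        DetectionEntry("Monitor", category="Remote Access"),
    ],
)
```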
Figure 422: Creating an application detection list
Application Detection List
Create New Create a new application detection list.
Name Enter a name for the application detection list.
Comments Optionally, enter descriptive information about this list.
# of Entries The number of application entries in the list.
Profiles The Endpoint NAC profiles that use this application detection list.
Edit Edit this application detection list.
Application Detection List Entry
Other Applications (not specified below) Select what to do if applications not included in this list are installed on the
endpoint:
Allow - allow the endpoint to connect
Deny - quarantine the endpoint
Monitor - include this endpoint's information in statistics and logs
Create New Create a new application entry.
Category Select the software category, Remote Access, for example.
Vendor Select the software vendor.
Application Select the application from the list.
Status Select one of the following:
Installed - application is installed but not currently running
Running - application is currently running
Action Select what to do if the application is running on the endpoint:
Allow - allow the endpoint to connect
Deny - quarantine the endpoint
Monitor - include this endpoint's information in statistics and logs on
the Endpoint NAC Monitor page.
Delete Delete this application entry.
Edit Edit this application entry.
Insert Add a new entry preceding this one.
Move To Move this entry. Enter the ID of another entry and select Before or After.
Viewing the application list
You can view the application list provided by FortiGuard Services. Go to Endpoint NAC >
Application Detection > Predefined.
Figure 423: Endpoint NAC Predefined application list
Page Shows the current page number in the list. Select the left and right
arrows to display the first, previous, next or last page of known
endpoints.
Column Settings Select the columns to display in the list. You can also determine the
order in which they appear. For more information, see Using column
settings to control the columns displayed on page 61 and Web-based
manager icons on page 63.
Clear All Filters Clear any column display filters you might have applied.
Filter icons Edit the column filters to filter or sort the endpoints list according to the
criteria you specify. For example, you could add a filter to the Detected
Software column to display all endpoints running BitTorrent software.
For more information, see Adding filters to web-based manager lists
on page 57.
Configuring Endpoint NAC profiles
An Endpoint NAC profile contains FortiClient enforcement settings and can specify an
application detection list. Firewall policies can apply an Endpoint NAC profile to the traffic
they handle.
Go to Endpoint NAC > Profile to create Endpoint NAC profiles.
Figure 424: Creating Endpoint NAC profiles
Profile list
Create New Create a new Endpoint NAC profile.
Name The name of the Endpoint NAC profile.
FortiClient Enforcement Green check mark icon - enabled.
Grey X icon - not enabled.
Application Detection List The application detection list specified in this profile.
Delete Delete this profile.
Edit Edit this profile.
Endpoint NAC Profile settings
Name Enter a name for the Endpoint NAC profile.
For non-compliant hosts Enable one of the following options:
Notify hosts to install FortiClient (warn only) Allow users to continue browsing without installing
FortiClient Endpoint Security.
Quarantine hosts to user portal (enforce compliance) Keep endpoint quarantined until user installs FortiClient
Endpoint Security.
Additional Client Options Enable to enforce any of the following:
Anti-virus Enabled Require that the antivirus feature is enabled.
Anti-virus Up-to-date Require that the antivirus signatures are up-to-date.
Firewall Enabled Require that the firewall feature is enabled.
Enable Application Detection Enable to check applications on the endpoint against an
application detection list.
Application Detection List Select the application detection list to use.
Monitoring endpoints
To view the list of known endpoints, go to Endpoint NAC > Monitor > Endpoints. An
endpoint is added to the list when it uses a firewall policy that has Endpoint NAC enabled.
Once an endpoint is added to the list it remains there until you manually delete it or until
the FortiGate unit restarts. Every time an endpoint accesses network services through the
FortiGate unit (or attempts to access services) the entry for the endpoint is updated.
The endpoints list can provide an inventory of the endpoints on your network. Entries for
endpoints not running the FortiClient application include the IP address, last update time,
and traffic volume/attempts. The non-compliant status indicates the endpoint is not
running the FortiClient application.
Entries for endpoints running the FortiClient application show much more information,
depending on what is available for the FortiClient application to gather. Detailed
information you can view includes endpoint hardware (CPU and model name) and the
software running on the endpoints. You can adjust column settings and filters to display
this information in many different forms.
From the endpoints list, you can view information for each endpoint, temporarily exempt
endpoints from endpoint NAC, and restore exempted endpoints to their blocked state.
Figure 425: Endpoints list (showing one endpoint that does not have FortiClient software
installed)
Refresh Update the list.
Status Display Compliant or Non-compliant endpoints or Both. Compliant
endpoints are running the minimum required version of FortiClient or a
more recent version. To configure the minimum required version of
FortiClient, see Configuring FortiClient installer download and version
enforcement on page 688.
The Status column displays a gray icon if the endpoint is non-compliant
and a green icon if the endpoint is compliant. The Status column
displays a green icon with an hourglass if the endpoint is non-compliant
but has been temporarily exempted.
Page Shows the current page number in the list. Select the left and right
arrows to display the first, previous, next or last page of known
endpoints.
Column Settings Select the columns to display in the list. You can also determine the
order in which they appear. For more information, see Using column
settings to control the columns displayed on page 61 and Web-based
manager icons on page 63.
Clear All Filters Clear any column display filters you might have applied.
Filter icons Edit the column filters to filter or sort the endpoints list according to the
criteria you specify. For example, you could add a filter to the Detected
Software column to display all endpoints running BitTorrent software.
For more information, see Adding filters to web-based manager lists
on page 57.
View icon View details about a selected endpoint. Select this icon to display the
information about the endpoint found by the FortiClient application.
Exempt Temporarily icon Exempt the selected endpoint from endpoint NAC. This means an
endpoint that is blocked and added to the endpoint list can temporarily
access network services through the FortiGate unit. When you select
this icon you can specify how long the endpoint is exempted from
endpoint NAC. The default exempt duration is 600 seconds.
Restore to Blocked State icon Resume blocking access for a temporarily exempted endpoint.
Information columns Select Column Settings to determine which of the following columns to
display. All information that appears in the columns is reported by the
FortiClient application running on the endpoint, unless otherwise noted.
AV signature The version of the FortiClient antivirus signatures installed on the
endpoint.
Computer Manufacturer The name of the manufacturer of the endpoint.
Computer Model The model name of the endpoint.
CPU Model The CPU running on the endpoint.
Description The description of the endpoint.
Detected Software The software applications detected on this endpoint. See Configuring
application detection lists on page 689.
You can control the applications that appear in the Detected Software
column by editing the Detected Software filter. See Adding filters to
web-based manager lists on page 57.
FortiClient Version The version of the FortiClient application running on the endpoint.
Host Name The host name of the endpoint.
Installed FCT Features The FortiClient features enabled on the endpoint.
IP Address The IP address of the endpoint as found from the communication
session. The FortiClient application is not required to obtain this
information.
Last User The last user to log in to the endpoint.
Last Update The time that the status of the endpoint was last verified by the
FortiGate unit. The FortiClient application is not required to obtain this
information.
Memory Size The amount of memory installed on the endpoint.
OS Version The version of the operating system running on the endpoint.
System Uptime The system up time of the endpoint.
Traffic Volume/Attempts If the endpoint is compliant, this column displays the amount of data
passed through the FortiGate unit by communication sessions
originating from the endpoint. If the endpoint is non-compliant, this
column displays the number of times the endpoint has attempted to
connect through the FortiGate unit. The FortiClient application is not
required to obtain this information.
User The name of the active user account on the endpoint.
Wireless Controller
Most FortiGate units, but not FortiWiFi models, can act as a wireless network controller,
managing the wireless Access Point (AP) functionality of FortiWiFi units. All units must be
running the most recent FortiOS 4.0 firmware.
You create virtual access points that can be associated with multiple physical access
points. Clients can roam amongst the physical access points, extending the range of the
wireless network.
The following topics are included in this section:
Configuration overview
Enabling the wireless controller
Configuring FortiWiFi units as managed access points
Configuring a virtual wireless access point
Configuring a physical access point
Configuring DHCP for your wireless LAN
Configuring firewall policies for the wireless LAN
Monitoring wireless clients
Monitoring rogue APs
Configuration overview
To set up a wireless network using the Wireless Controller feature, you need to:
Enable the wireless controller, if it is not already enabled.
Configure FortiWiFi units to be managed by the wireless controller.
Configure each virtual access point (VAP). A VAP has the SSID and security
configuration settings you would find on a wireless access point device. Optionally, you
can limit the number of simultaneous wireless clients who can use this VAP.
Configure each physical access point (AP). The AP settings include the radio settings
and rogue AP scan settings. You select the VAPs that will be carried on the physical
access point. Optionally, you can limit the number of simultaneous clients this AP will
accept.
Configure DHCP service to provide addresses to your wireless clients.
Configure firewall policies to enable communication between the wireless LAN and
other networks.
Enabling the wireless controller
The wireless controller feature is hidden by default on some FortiGate models.
To enable the wireless controller
1 Go to System > Admin > Settings.
2 Select Enable Wireless Controller.
3 Select Apply.
If you disable the Wireless Controller feature, all of the related configuration is discarded.
Configuring FortiWiFi units as managed access points
You also need to enable each FortiWiFi unit to act as a managed physical access point
(AP). You can do this in the CLI on each unit as follows:
config system global
set wireless-terminal enable
end
The wireless functionality of a FortiWiFi unit in wireless terminal mode cannot be
controlled from the unit itself.
If there are firewall devices between the wireless controller FortiGate unit and the
managed FortiWiFi units, make sure that ports 5246 and 5247 are open. These ports
carry, respectively, the encrypted control channel data and the wireless network data. If
needed, you can change these ports in the CLI:
config system global
set wireless-controller-port <port_int> (access controller)
set wireless-terminal-port <port_int> (access point)
end
These commands set the control channel port. The data channel port is always the control
port plus one. The port setting must match on the access controller and all access points.
Configuring a virtual wireless access point
A Virtual Access Point (VAP) defines the SSID and security settings for a wireless LAN.
For each VAP, the FortiGate unit creates a virtual network interface. You create firewall
policies to control traffic between the VAP interface and other networks. Users need the
correct security settings to connect to the access point, and they can also be required to
authenticate to use a firewall policy.
To configure a virtual access point
1 Go to Wireless Controller > Virtual AP, select Create New, and enter the following
information:
Figure 426: Configuring a virtual access point
Name Enter a name to identify the VAP. This is also the name of the virtual
network interface you will use in firewall policies.
SSID Enter the wireless service set identifier (SSID) or network name for this
wireless interface. Users who want to use the wireless network must
configure their computers with this network name.
SSID Broadcast Select to broadcast the SSID. Broadcasting the SSID enables clients to
connect to your wireless network without first knowing the SSID. For better
security, do not broadcast the SSID.
Security mode Select the security mode for the wireless interface. Wireless users must
use the same security mode to be able to connect to this wireless
interface.
None - has no security. Any wireless user can connect to the wireless
network.
WEP64 - 64-bit wired equivalent privacy (WEP). To use WEP64 you must
enter a Key containing 10 hexadecimal digits (0-9 a-f) and inform wireless
users of the key.
WEP128 - 128-bit WEP. To use WEP128 you must enter a Key
containing 26 hexadecimal digits (0-9 a-f) and inform wireless users of the
key.
WPA - Wi-Fi protected access (WPA) security. To use WPA you must
select a data encryption method. You must also enter a pre-shared key
containing at least eight characters or select a RADIUS server. If you
select a RADIUS server, the wireless clients must have accounts on the
RADIUS server.
WPA2 - WPA with more security features. To use WPA2 you must select
a data encryption method and enter a pre-shared key containing at least
eight characters or select a RADIUS server. If you select a RADIUS server,
the wireless clients must have accounts on the RADIUS server.
WPA2 Auto - the same security features as WPA2, but also accepts
wireless clients using WPA security. To use WPA2 Auto you must select a
data encryption method. You must also enter a pre-shared key containing
at least eight characters or select a RADIUS server. If you select a RADIUS
server, the wireless clients must have accounts on the RADIUS server.
Data Encryption Select TKIP or AES encryption as appropriate for the capabilities of your
wireless clients. This is available for WPA security modes.
Key Index Many wireless clients can configure up to four WEP keys. Select which
key clients must use with this access point. This is available when you
select a WEP Security Mode.
Key Enter the encryption key that the clients must use. This is available when
you select a WEP Security Mode.
Authentication Select one of:
Pre-shared key - Enter the pre-shared key that clients must use.
RADIUS Server - Select the RADIUS server that will authenticate the
clients.
These settings are available when you select a WPA Security Mode.
Maximum Clients Enter the maximum number of clients permitted to connect simultaneously.
Enter 0 for no limit.
2 Select OK.
Configuring a physical access point
The access controller needs to be configured to identify the FortiWiFi unit that provides
the physical access point and the radio settings for the wireless LAN.
To configure a physical access point
1 Go to Wireless Controller > Physical AP, select Create New, and enter the following
information:
Figure 427: Configuring a physical access point
Serial Number Enter the serial number of the FortiWiFi unit. This field is completed
automatically if the AP discovers this AC and registers itself.
Name Enter a name for the physical AP.
Admin Select one of the following:
Discovery - This is the setting for APs that have discovered this AC and
registered themselves. To use such an AP, select Enabled.
Disabled - Do not manage this AP.
Enabled - Manage this AP.
Last Error The last error message, if any, for this AP.
Rogue AP Scan Rogue AP scanning detects other APs and reports them on the Wireless
Controller > Rogue AP page.
Select one of the following:
Dedicated - AP performs scanning only and does not provide service.
Background - AP performs scanning during idle periods while acting as
an AP.
Disabled - Do not perform scanning. Scanning can reduce performance.
Radio Select the wireless frequency band. Keep in mind the capabilities of your
users' wireless cards or devices.
Geography Select your country or region. This determines which channels are
available.
Channel Select a channel for your wireless network or select Auto. The channels
that you can select depend on the Geography setting.
TX Power Set the transmitter power level. The higher the number, the larger the area
the AP will cover.
Maximum Clients Enter the maximum number of clients permitted to connect simultaneously
to this physical AP. Enter 0 for no limit.
Virtual AP In the Available list, select the virtual APs to be carried on this physical AP
and then select the right-arrow button to move them to the Selected list.
2 Select OK.
Configuring DHCP for your wireless LAN
Go to System > DHCP > Service to configure DHCP services to provide IP addresses to
your wireless clients. Your Virtual Access Point is listed as an interface. See Configuring
DHCP services on page 200.
Configuring firewall policies for the wireless LAN
For your VAP clients to communicate with other networks, including other wireless LANs,
you must have appropriate firewall policies. Your VAP has a virtual interface of the same
name that you can select as the source or destination interface in firewall policies.
Monitoring wireless clients
Go to Wireless Controller > Wireless Client to view information about the wireless clients
of your managed access points.
Refresh Update the information in the table.
Page Shows the current page number in the list. Select the left and right arrows to display the first, previous, next or last page of known endpoints.
Column Settings Select the columns to display in the list. You can also determine the order in which they appear. For more information, see Using column settings to control the columns displayed on page 61 and Web-based manager icons on page 63.
Clear All Filters Clear any column display filters you might have applied.
Filter icons Edit the column filters to filter or sort the endpoints list according to the criteria you specify. For example, you could add a filter to the Detected Software column to display all endpoints running BitTorrent software. For more information, see Adding filters to web-based manager lists on page 57.
Information columns The columns actually displayed depend on Column Settings.
Association Time How long the client has been connected to this access point.
Bandwidth Rx Received bandwidth used by the client, in Kbps.
Bandwidth Tx Transmit bandwidth used by the client, in Kbps.
Bandwidth Tx/Rx Bandwidth Rx + Bandwidth Tx.
Idle Time The total time during this session that the client was idle.
IP The IP address assigned to the wireless client.
MAC The MAC address of the wireless client.
Physical AP The name of the physical access point with which the client is associated.
Signal Strength/Noise The signal-to-noise ratio in decibels, calculated from signal strength and noise level.
Virtual AP The name of the virtual access point with which the client is associated.
Monitoring rogue APs
Go to Wireless Controller > Rogue AP to view information about detected APs. The list is
divided into sections:
Unknown Access Points
Rogue Access Points
Accepted Access Points
Unknown Access Points are detected access points that have not been designated as
either Rogue or Accepted.
Figure 428: Rogue Access Point list
Refresh Interval Set the time between information updates. none means no updates.
Refresh Updates displayed information now.
Inactive Access Points Select which inactive access points to show: all, none, those detected less than one hour ago, or those detected less than one day ago.
Online A green checkmark indicates an active access point. A grey X indicates that the access point is inactive.
SSID The wireless service set identifier (SSID) or network name for the wireless interface.
MAC Address The MAC address of the wireless interface.
Signal Strength /Noise The signal strength and noise level.
Channel The wireless radio channel that the access point uses.
Rate The data rate of the access point.
First Seen The date and time when the FortiWiFi unit first detected the access point.
Last Seen The date and time when the FortiWiFi unit last detected the access point.
Mark as Accepted AP Select the icon to move this entry to the Accepted Access Points list.
Mark as Rogue AP Select the icon to move this entry to the Rogue Access Points list.
Forget AP Return the item to the Unknown Access Points list from the Accepted Access Points list or the Rogue Access Points list.
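The list above is a classification workflow: every detected AP enters as Unknown, the operator moves it to Accepted or Rogue, and inactive entries can be hidden according to how recently they were seen. As an added illustration, not code from the guide or from FortiOS, the following Python sketch keeps such an inventory on the receiving side of scan reports. The scan report tuples, MAC addresses and SSIDs are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# The three sections of the Rogue AP list
UNKNOWN, ROGUE, ACCEPTED = "unknown", "rogue", "accepted"


@dataclass
class DetectedAp:
    mac: str
    ssid: str
    channel: int
    first_seen: datetime
    last_seen: datetime
    status: str = UNKNOWN   # every newly detected AP starts in Unknown Access Points
    online: bool = True     # True: green check (seen in the latest scan); False: grey X


class RogueApInventory:
    """Keeps the AP list that a scanning radio feeds and the operator's classification of each entry."""

    def __init__(self):
        self.aps = {}   # MAC (lower case) -> DetectedAp

    def ingest_scan(self, report, now):
        """report: iterable of (mac, ssid, channel) tuples from one scan cycle.
        APs known from earlier scans but absent from this one become inactive."""
        seen = set()
        for mac, ssid, channel in report:
            mac = mac.lower()
            seen.add(mac)
            ap = self.aps.get(mac)
            if ap is None:
                self.aps[mac] = DetectedAp(mac, ssid, channel, first_seen=now, last_seen=now)
            else:
                ap.ssid, ap.channel, ap.last_seen, ap.online = ssid, channel, now, True
        for mac, ap in self.aps.items():
            if mac not in seen:
                ap.online = False

    # The three actions offered on each row of the list
    def mark_accepted(self, mac):
        self.aps[mac.lower()].status = ACCEPTED

    def mark_rogue(self, mac):
        self.aps[mac.lower()].status = ROGUE

    def forget(self, mac):
        self.aps[mac.lower()].status = UNKNOWN

    def view(self, now, inactive="all"):
        """Return {section: [mac, ...]} the way the page groups it. `inactive` mirrors the
        Inactive Access Points selector: all, none, 1h (seen less than one hour ago) or 1d."""
        windows = {"all": None, "none": timedelta(0),
                   "1h": timedelta(hours=1), "1d": timedelta(days=1)}
        if inactive not in windows:
            raise ValueError(f"inactive must be one of {sorted(windows)}")
        window = windows[inactive]
        sections = {UNKNOWN: [], ROGUE: [], ACCEPTED: []}
        for mac in sorted(self.aps):
            ap = self.aps[mac]
            # Active APs are always listed; inactive ones only if last seen within the window
            if not ap.online and window is not None and now - ap.last_seen >= window:
                continue
            sections[ap.status].append(mac)
        return sections


def demo():
    """Three constructed scan cycles two hours apart, with operator decisions in between."""
    inv = RogueApInventory()
    t0 = datetime(2009, 10, 22, 9, 0, 0)
    inv.ingest_scan([("00:11:22:33:44:55", "corp-wifi", 6),
                     ("66:77:88:99:AA:BB", "FreeWiFi", 11)], t0)
    inv.mark_accepted("00:11:22:33:44:55")             # the corporate AP is ours
    inv.ingest_scan([("00:11:22:33:44:55", "corp-wifi", 6)], t0 + timedelta(minutes=30))
    inv.mark_rogue("66:77:88:99:aa:bb")                # unauthorized AP seen in the first cycle
    now = t0 + timedelta(hours=2)
    inv.ingest_scan([("00:11:22:33:44:55", "corp-wifi", 6),
                     ("cc:dd:ee:ff:00:11", "HP-Print", 1)], now)
    return {mode: inv.view(now, mode) for mode in ("all", "none", "1h", "1d")}


if __name__ == "__main__":
    for mode, sections in demo().items():
        print(mode, sections)
```

The classification is keyed on the MAC address, so an AP that disappears and later returns is listed in its previous section immediately. A MAC address can be changed by whoever controls the device, so when reviewing the Unknown section treat SSID and channel history as supporting evidence rather than as identity.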
Log&Report
FortiGate units provide extensive logging capabilities for traffic, system and network protection functions. They also allow you to compile reports from the detailed log information gathered. Reports provide historical and current analysis of network activity to help identify security issues, reducing and preventing network misuse and abuse.
This section provides an introduction to FortiGate logging and reporting. For more information, see Logging and Reporting in FortiOS 4.0.
For better log storage and retrieval, the FortiGate unit can send log messages to a
FortiAnalyzer unit. FortiAnalyzer units provide integrated log collection, analysis tools and
data storage. Detailed log reports provide historical as well as current analysis of network
activity. Detailed log reports also help identify security issues, reducing network misuse
and abuse. The FortiGate unit can send all log message types, including quarantine files
and DLP archives, to a FortiAnalyzer unit for storage. The FortiAnalyzer unit can upload
log files to an FTP server for archival purposes. For more information about configuring
the FortiGate unit to send log messages to a FortiAnalyzer unit, see Remote logging to a
FortiAnalyzer unit on page 704.
If you have a subscription for the FortiGuard Analysis and Management Service, your
FortiGate unit can send logs to a FortiGuard Analysis server. This service provides
another way to store and view logs, as well as archiving email messages. For more
information, see the FortiGuard Analysis and Management Service Administration Guide.
For details and descriptions of log messages and formats, see the FortiGate Log Message
Reference.
This section provides information about how to enable logging, view log messages, and
configure reports. If you have VDOMs enabled, see Using virtual domains on page 125
for more information.
The following topics are included in this section:
Configuring how a FortiGate unit stores logs
Configuring Alert Email
Configuring Event logging
Accessing and viewing log messages
Viewing DLP Archives
Viewing the File Quarantine list
Configuring FortiAnalyzer report schedules
Viewing Executive Summary reports from SQL logs
Viewing FortiAnalyzer reports
Viewing basic traffic reports
Log severity levels
Log types
Example configuration: logging all FortiGate traffic
Configuring how a FortiGate unit stores logs
The type and frequency of log messages you intend to save determines the type of log
storage to use. For example, if you want to log traffic and content logs, you need to
configure the FortiGate unit to log to a FortiAnalyzer unit or syslog server. The FortiGate
system memory is unable to log traffic and content logs because of their frequency and
large file size.
Storing log messages to one or more locations, such as a FortiAnalyzer unit or syslog
server, may be a better solution for your logging requirements than the FortiGate system
memory. Configuring your FortiGate unit to log to a FortiGuard Analysis server may also
be a better log storage solution if you do not have a FortiAnalyzer unit and want to create
reports.
This section describes:
Remote logging to a FortiAnalyzer unit
Remote logging to the FortiGuard Analysis and Management Service
Remote logging to a syslog server
Local logging to memory
Local logging to disk
Remote logging to a FortiAnalyzer unit
FortiAnalyzer units are network devices that provide integrated log collection, analysis
tools and data storage. Detailed log reports provide historical as well as current analysis of
network activity to help identify security issues and reduce network misuse and abuse.
You can configure the FortiGate unit to log up to three FortiAnalyzer units. The FortiGate
unit sends logs to all three FortiAnalyzer units. Each FortiAnalyzer unit stores the same
information. Logging to multiple FortiAnalyzer units provides real-time backup protection in
the event one of the FortiAnalyzer units fails. You can configure logging to multiple
FortiAnalyzer units only in the CLI.
Figure 429: Configuring remote logging to the FortiAnalyzer unit
Note: If the FortiGate unit is in transparent mode, certain settings and options for logging
may not be available because certain features do not support logging, or are not available
in transparent mode. For example, SSL VPN events are not available in transparent mode.
To configure the FortiGate unit to send logs to the FortiAnalyzer unit
1 Go to Log&Report > Log Config > Log Setting.
2 Select the expand arrow beside Remote Logging & Archiving to reveal the available
options.
3 Select FortiAnalyzer.
4 From the Minimum log level list, select one of the following:
Emergency The system is unusable.
Alert Immediate action is required.
Critical Functionality is affected.
Error An erroneous condition exists and functionality is probably affected.
Warning Functionality might be affected.
Notification Information about normal events.
Information General information about system operations.
Debug Information used for diagnosing or debugging the FortiGate unit.
5 Enter the IP address of the FortiAnalyzer unit.
6 Select Apply.
The FortiAnalyzer unit needs to be configured to receive logs from the FortiGate unit after you have configured log settings on the FortiGate unit. Contact a FortiAnalyzer administrator to complete the configuration.
Testing the FortiAnalyzer configuration
After configuring FortiAnalyzer settings, test the connection between the FortiGate unit and the FortiAnalyzer unit to verify that both devices are communicating properly. During testing, the FortiGate unit displays information about specific settings for transmitting and receiving logs, reports, DLP archives and quarantine files.
The FortiGate unit must learn the IP address of the FortiAnalyzer unit before testing the connection. A false test report failure may result if testing the connection occurs before the FortiGate unit learns the IP address of the FortiAnalyzer unit.
To test the connection, go to Log&Report > Log Config > Log Setting, expand Remote Logging options, and then select Test Connectivity.
Figure 430: Test Connectivity with FortiAnalyzer
FortiAnalyzer (Hostname) The name of the FortiAnalyzer unit. The default name of a FortiAnalyzer unit is its product name, for example, FortiAnalyzer-400.
FortiGate (Device ID) The serial number of the FortiGate unit.
Registration Status Whether or not the FortiGate unit is registered with the FortiAnalyzer unit. If the FortiGate unit is unregistered, it may not have full privileges. For more information, see the FortiAnalyzer Administration Guide.
Connection Status The connection status between the FortiGate and FortiAnalyzer units. A green check mark indicates there is a connection and a gray X indicates there is no connection.
Disk Space (MB) The amount of disk space, in MB, on the FortiAnalyzer unit for logs.
Allocated Space The amount of the FortiAnalyzer unit hard drive space designated for logs, including quarantine files and DLP archives.
Used Space The amount of used space.
Total Free Space The amount of unused space.
Privileges The permissions of the device for sending and viewing logs, reports, DLP archives, and quarantined logs.
Tx indicates the FortiGate unit is allowed to transmit log packets to the FortiAnalyzer unit.
Rx indicates the FortiGate unit is allowed to display reports and logs stored on the FortiAnalyzer unit.
A check mark indicates the FortiGate unit has permission to send or view log information and reports. An X indicates the FortiGate unit is not allowed to send or view log information.
Note: The test connectivity feature also provides a warning when a FortiGate unit requires a higher-end FortiAnalyzer unit or when the maximum number of VDOMs/FortiGate units has been reached on the FortiAnalyzer unit.
You can also test the connection status between the FortiGate unit and the FortiAnalyzer unit by using the following CLI command:
execute log fortianalyzer test-connectivity
The command displays the connection status and the amount of disk usage in percent. For more information, see the FortiGate CLI Reference.
Note: You cannot configure a FortiAnalyzer unit to be a backup solution for the FortiGuard Analysis server, and vice versa. If you require a backup solution for one of these logging devices, use a syslog server or WebTrends server.
Remote logging to the FortiGuard Analysis and Management Service
You can configure logging to a FortiGuard Analysis server after registering for the FortiGuard Analysis and Management Service on the Fortinet support web site. Fortinet recommends verifying that the connection is working properly before configuring logging to a FortiGuard Analysis server.
You can enable FortiGate features from the FortiGate web-based manager. For more information, see Log types on page 728. Logging traffic, as well as summary and email DLP archiving, is also available.
To log to a FortiGuard Analysis server
1 Go to Log&Report > Log Config.
2 Select the expand arrow beside Remote Logging to reveal the available options.
3 Select FortiGuard Analysis Service.
4 Enter the account ID in the Account ID field.
5 Select one of the following:
Overwrite oldest logs Deletes the oldest log entry and continues logging when the maximum log disk space is reached.
Do not log Stops log messages going to the FortiGuard Analysis server when the maximum log disk space is reached.
6 Select a severity level.
7 Select Apply.
Remote logging to a syslog server
A syslog server is a remote computer running syslog software and is an industry standard for logging. Syslog is used to capture log information provided by network devices. The syslog server is both a convenient and flexible logging device, since any computer system, such as Linux, Unix, and Intel-based Windows, can run syslog software.
When configuring logging to a syslog server, you need to configure the facility and the log file format, normal or Comma Separated Values (CSV). The CSV format contains commas whereas the normal format contains spaces. Logs saved in the CSV file format can be viewed in a spreadsheet application, while logs saved in normal format are viewed in a text editor (such as Notepad) because they are saved as plain text files.
Configuring a facility makes it easy to identify the device that recorded the log file.
Figure 431: Remote logging to a syslog server
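The syslog description above leaves two things to the receiving side: the format (normal or CSV) and the facility that identifies the sending device. The following Python parser is an added example, not code from the guide or from FortiOS. It decodes the syslog <PRI> header into facility and severity, reads the key=value body in either layout, applies the Minimum log level rule (keep everything at and above the selected severity, using the severity order listed in the FortiAnalyzer procedure above), and flags records whose facility is not the one the device was configured with. The sample lines and their field names are constructed for the example; the key=value layout is an assumption about the record body, not something the guide specifies.

```python
import re

# Severity names in the order the guide lists them, most severe first. FortiGate records
# spell Notification as "notice"; the alias table maps the common short forms.
SEVERITY_ORDER = ["emergency", "alert", "critical", "error", "warning",
                  "notification", "information", "debug"]
ALIASES = {"notice": "notification", "info": "information", "emerg": "emergency",
           "crit": "critical", "err": "error", "warn": "warning"}

# RFC 3164 facility codes. FortiGate sends local7 (23) unless Facility is changed.
FACILITIES = {0: "kern", 1: "user", 3: "daemon", 4: "auth"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# key=value fields; the value is either a double-quoted string (may contain spaces or
# commas) or a bare token, so one pattern covers both the normal and the CSV layout.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s,]*)')


def severity_rank(name):
    """0 = emergency ... 7 = debug. Unknown names raise ValueError."""
    name = name.lower()
    return SEVERITY_ORDER.index(ALIASES.get(name, name))


def parse_record(line):
    """Parse one syslog line whose body is a FortiGate-style key=value record.
    Adds 'facility' and 'pri_severity' decoded from the <PRI> header when present, and
    'format' ("normal" or "csv") from the separator that follows the first field."""
    rec = {}
    body = line.strip()
    m = PRI_RE.match(body)
    if m:
        pri = int(m.group(1))
        rec["facility"] = FACILITIES.get(pri >> 3, f"facility{pri >> 3}")
        rec["pri_severity"] = pri & 7
        body = m.group(2).strip()
    matches = list(KV_RE.finditer(body))
    if matches:
        after_first = body[matches[0].end():matches[0].end() + 1]
        rec["format"] = "csv" if after_first == "," else "normal"
    for fm in matches:
        key, val = fm.group(1), fm.group(2)
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1].replace('\\"', '"')
        rec[key] = val
    return rec


def filter_records(lines, minimum_level, expected_facility="local7"):
    """Keep records at or above minimum_level, the same rule as the Minimum log level
    setting. Records with no usable level are kept (dropping them would hide data).
    Also returns records whose PRI facility is not the one this device should use,
    which usually means a misconfigured sender or a record from a different device."""
    threshold = severity_rank(minimum_level)
    kept, facility_mismatch = [], []
    for line in lines:
        rec = parse_record(line)
        try:
            if severity_rank(rec["level"]) > threshold:
                continue
        except (KeyError, ValueError):
            pass
        kept.append(rec)
        if rec.get("facility", expected_facility) != expected_facility:
            facility_mismatch.append(rec)
    return kept, facility_mismatch


# Constructed sample lines (not real FortiGate output). PRI = facility * 8 + severity.
SAMPLE_LINES = [
    # normal layout, local7 (23) + informational (6) = 190
    '<190>date=2009-10-22 time=14:02:01 devname=FGT-A type=event subtype=admin '
    'level=information user=admin ui=https(192.0.2.10) '
    'msg="Administrator admin logged in successfully from https(192.0.2.10)"',
    # CSV layout, local7 + warning (4) = 188
    '<188>date=2009-10-22,time=14:02:05,devname=FGT-A,type=event,subtype=config,'
    'level=warning,user=admin,msg="Configuration changed, object firewall.policy"',
    # normal layout but facility local0 (16) + notice (5) = 133: not this device's facility
    '<133>date=2009-10-22 time=14:02:09 devname=FGT-A type=event subtype=system '
    'level=notice msg="Link monitor: interface wan1 is up"',
    # debug (7): dropped at any minimum level above debug
    '<191>date=2009-10-22 time=14:02:11 devname=FGT-A type=event subtype=system '
    'level=debug msg="scheduler tick"',
]


def demo(minimum_level="information"):
    """Return the kept levels and the mismatched facilities for the sample lines."""
    kept, mismatch = filter_records(SAMPLE_LINES, minimum_level)
    return [r["level"] for r in kept], [r["facility"] for r in mismatch]


if __name__ == "__main__":
    print(demo("information"))   # (['information', 'warning', 'notice'], ['local0'])
    print(demo("warning"))       # (['warning'], [])
```

FortiGate reports local7 by default, so a collector receiving several units on the same facility cannot tell them apart from the header alone; that is the reason the guide suggests a distinct Facility per unit. The mismatch list is where a changed facility, or a record arriving from an unexpected sender, shows up.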
Note: If more than one syslog server is configured, the syslog servers and their settings appear on the Log Settings page. You can configure multiple syslog servers in the CLI using the config log {syslog | syslog2 | syslog3} settings CLI command. For more information, see the FortiGate CLI Reference.
Note: From the FortiGate CLI you can enable reliable delivery of syslog messages using the reliable option of the config log {syslog | syslog2 | syslog3} settings command. The FortiGate unit implements the RAW profile of RFC 3195 for reliable delivery of log messages. Reliable syslog protects log information through authentication and data encryption and ensures that the log messages are reliably delivered in the correct order. This feature is disabled by default.
IP/FQDN The IP address or fully qualified domain name of the syslog server. For example, the FQDN could be log.example.com.
Port The port number for communication with the syslog server, typically port 514.
Minimum log level The FortiGate unit logs all messages at and above the logging severity level you select. For more information about the logging levels, see Log severity levels on page 727.
Facility Facility indicates to the syslog server the source of a log message. By default, FortiGate reports Facility as local7. You may want to change Facility to distinguish log messages from different FortiGate units.
Enable CSV Format If you enable CSV format, the FortiGate unit produces the log in Comma Separated Value (CSV) format. If you do not enable CSV format the FortiGate unit produces plain text files.
To configure the FortiGate unit to send logs to a syslog server
1 Go to Log&Report > Log Config > Log Setting.
2 Select the check box beside Syslog.
3 Select the expand arrow beside the check box to reveal the Syslog options.
4 Enter the appropriate information for the syslog server.
5 Select Apply.
Local logging to memory
The FortiGate system memory has a limited capacity for log messages. The FortiGate system memory displays only the most recent log entries. The FortiGate unit does not store traffic and content logs in system memory due to their size and the frequency of log entries. When the system memory is full, the FortiGate unit overwrites the oldest messages. All log entries are cleared when the FortiGate unit restarts.
Figure 432: Configuring local logging to memory
To configure the FortiGate unit to save logs in memory
1 Go to Log&Report > Log Config > Log Setting.
2 Select Local Logging & Archiving and select the check box beside Memory.
3 Select the Minimum log level for memory logs. The FortiGate unit logs all messages at and above the logging severity level you select. For more information about the logging levels, see Log severity levels on page 727.
Local logging to disk
If your FortiGate unit contains a hard disk you can configure logging to disk. You can specify the minimum log level and how the FortiGate unit handles local logging if the hard disk becomes full.
For local logs, the SQL log storage format is the default for all log types except content archiving and traffic logs. This is the only format from which you can generate reports. Content archiving is not available in SQL format. You can enable SQL format logging for traffic logs, but this can cause some loss of logs because SQL format writing is slower than the compressed format.
Figure 433: Configuring local logging to disk
To configure the FortiGate unit to save logs on the local hard disk
1 Go to Log&Report > Log Config > Log Setting.
2 Select Local Logging & Archiving and select the check box beside Disk.
3 Select the Minimum log level for disk logs. The FortiGate unit logs all messages at and above the logging severity level you select. For more information about the logging levels, see Log severity levels on page 727.
4 Change the When log disk is full setting if required.
5 Change the Log rolling settings if required.
6 Select which log message types are saved as SQL logs.
7 Select Apply.
Configuring Alert Email
You can use the Alert Email feature to monitor logs for log messages, and to send email notification about a specific activity or event logged. For example, if you require notification about administrators logging in and out, you can configure an alert email that is sent whenever an administrator logs in or out.
You can also base alert email messages on the severity levels of the logs.
To configure alert email go to Log&Report > Log Config > Alert E-mail. Enter the
information the FortiGate unit needs to send email. Select Test Connectivity to confirm
that you can receive alert email messages from the FortiGate unit.
Then configure Alert Email options to control when the FortiGate unit sends alert email.
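The paragraphs above describe two ways to trigger alert email, a specific logged event or a log severity, and the options table below adds an Interval Time that rate-limits consecutive emails. The following Python sketch is an added example, not code from the guide or from FortiOS, of how a receiver-side dispatcher can apply the same three controls to FortiGate-style event records. The record fields it inspects (subtype, action, status, level, msg) and the sample records are constructed for the example. Events that arrive while the interval has not yet elapsed are held and included in the next email rather than dropped.

```python
from datetime import datetime, timedelta

# Severity order as the guide lists it, most severe first
SEVERITIES = ["emergency", "alert", "critical", "error", "warning",
              "notification", "information", "debug"]

# Event triggers, named after the Alert Email options. The predicates inspect the
# subtype/action/status fields of a record; these field names are assumed for the
# example rather than taken from the guide.
EVENT_TRIGGERS = {
    "Administrator login/logout":
        lambda r: r.get("subtype") == "admin" and r.get("action") in ("login", "logout"),
    "Configuration changes":
        lambda r: r.get("subtype") == "config",
    "Firewall authentication failure":
        lambda r: r.get("subtype") == "auth" and r.get("status") == "failure",
    "HA status changes":
        lambda r: r.get("subtype") == "ha",
}


class AlertEmailDispatcher:
    """Decides which event records become alert email and enforces the minimum interval."""

    def __init__(self, enabled_triggers, interval_minutes, min_severity=None):
        if not 1 <= interval_minutes <= 9999:          # the range the Interval Time option allows
            raise ValueError("Interval Time must be 1-9999 minutes")
        unknown = set(enabled_triggers) - set(EVENT_TRIGGERS)
        if unknown:
            raise ValueError(f"unknown trigger(s): {sorted(unknown)}")
        self.enabled = [name for name in EVENT_TRIGGERS if name in enabled_triggers]
        self.interval = timedelta(minutes=interval_minutes)
        self.min_rank = None if min_severity is None else SEVERITIES.index(min_severity)
        self.last_sent = None
        self.pending = []    # lines waiting for the next email
        self.sent = []       # (time, [lines]) for every email that went out

    def reasons(self, record):
        """Names of the enabled triggers the record matches, plus a severity reason
        when 'Send alert email for logs based on severity' applies."""
        hits = [name for name in self.enabled if EVENT_TRIGGERS[name](record)]
        level = record.get("level")
        if self.min_rank is not None and level in SEVERITIES \
                and SEVERITIES.index(level) <= self.min_rank:
            hits.append(f"severity {level}")
        return hits

    def process(self, record, now):
        """Queue the record if it qualifies, then try to send. Returns the email sent, if any."""
        hits = self.reasons(record)
        if not hits:
            return None
        self.pending.append(f"{now:%H:%M:%S} {record.get('msg', '')} [{', '.join(hits)}]")
        return self.flush(now)

    def flush(self, now):
        """Send everything pending as one email unless the previous email went out less than
        interval ago. Suppressed events are not lost; they ride along with the next email."""
        if not self.pending:
            return None
        if self.last_sent is not None and now - self.last_sent < self.interval:
            return None
        email = (now, list(self.pending))
        self.pending.clear()
        self.last_sent = now
        self.sent.append(email)
        return email


def demo():
    """Run constructed event records through a dispatcher with a 5 minute interval."""
    d = AlertEmailDispatcher(["Administrator login/logout", "Configuration changes"],
                             interval_minutes=5, min_severity="critical")
    t0 = datetime(2009, 10, 22, 9, 0, 0)
    records = [   # constructed, not real FortiGate log output
        (t0, {"subtype": "admin", "action": "login", "level": "information",
              "msg": "Administrator admin logged in"}),
        (t0 + timedelta(seconds=30), {"subtype": "config", "level": "information",
                                      "msg": "Configuration changed"}),
        (t0 + timedelta(minutes=2), {"subtype": "system", "level": "information",
                                     "msg": "routine status report"}),
        (t0 + timedelta(minutes=3), {"subtype": "ha", "level": "critical",
                                     "msg": "HA cluster member lost"}),
        (t0 + timedelta(minutes=6), {"subtype": "admin", "action": "logout",
                                     "level": "information",
                                     "msg": "Administrator admin logged out"}),
    ]
    for when, rec in records:
        d.process(rec, when)
    return d


if __name__ == "__main__":
    for when, lines in demo().sent:
        print(when.strftime("%H:%M:%S"), lines)
```

In the demo the login at 09:00 goes out at once, the configuration change and the critical HA event that follow inside the 5 minute window are held, and the logout at 09:06 releases one email carrying all three. A real deployment would also call flush() from a timer so that held events do not wait for the next qualifying record.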
Figure 434: Alert Email options
SMTP Server The name/address of the SMTP email server.
Email from The email address the alert messages will come from.
Email to Enter up to three recipient email addresses for the alert email message.
Authentication Select the authentication Enable check box to enable SMTP authentication.
SMTP user Enter the user name for logging on to the SMTP server to send alert email messages. You need to do this only if you have enabled SMTP authentication.
Password Enter the password for logging on to the SMTP server to send alert email. You need to do this only if you selected SMTP authentication.
Send alert email for the following Select to have the alert email sent for one or multiple events that occur, such as an administrator logging in and out.
Interval Time (1-9999 minutes) Enter the minimum time interval between consecutive alert emails. Use this to rate-limit the volume of alert emails.
Intrusion detected Select if you require an alert email message based on attempted intrusion detection.
Virus detected Select if you require an alert email message based on virus detection.
Web access blocked Select if you require an alert email message based on blocked web sites that were accessed.
HA status changes Select if you require an alert email message based on HA status changes.
Violation traffic detected Select if you require an alert email message based on violation traffic that is detected by the FortiGate unit.
Firewall authentication failure Select if you require an alert email message based on firewall authentication failures.
SSL VPN login failure Select if you require an alert email message based on any SSL VPN logins that failed.
Administrator login/logout Select if you require an alert email message based on whether administrators log in or out.
IPSec tunnel errors Select if you require an alert email message based on whether there is an error in the IPSec tunnel configuration.
L2TP/PPTP/PPPoE errors Select if you require an alert email message based on errors that occurred in L2TP, PPTP, or PPPoE.
Configuration changes Select if you require an alert email message based on any changes made to the FortiGate configuration.
FortiGuard license expiry time (1-100 days) Enter the number of days before the FortiGuard license expiry time notification is sent.
FortiGuard log quota usage Select if you require an alert email message based on the FortiGuard Analysis server log disk quota getting full.
Disk Usage Select if you require an alert email when the internal hard disk or AMC disk reaches a disk usage level. You can set the disk usage level at which the alert email is sent.
Send alert email for logs based on severity Select if you want to send an alert email that is based on a specified log severity, such as warning.
Minimum log level Select a log severity from the list. For more information about log severity levels, see Log severity levels on page 727.
Configuring Event logging
The Event Log records management and activity events, such as when a configuration has changed, or VPN and High Availability (HA) events occur.
When you are logged into VDOMs that are in transparent mode, or if all VDOMs are in transparent mode, certain options may not be available, such as VIP ssl event or CPU and memory usage event. You can enable event logs only when you are logged in to a VDOM; you cannot enable event logs in the root VDOM.
To enable event logging, go to Log&Report > Log Config > Event Log. Select the Enable check box. Select one or more of the following events and select Apply.
System activity event All system-related events, such as ping server failure and gateway status.
IPSec negotiation event All IPSec negotiation events, such as progress and error reports.
DHCP service event All DHCP events, such as the request and response log.
L2TP/PPTP/PPPoE service event All protocol-related events, such as manager and socket creation processes.
Admin event All administrative events, such as user logins, resets, and configuration updates.
HA activity event All high availability events, such as link, member, and state information.
Firewall authentication event All firewall-related events, such as user authentication.
Pattern update event All pattern update events, such as antivirus and IPS pattern updates and update failures.
SSL VPN user authentication event All user authentication events for an SSL VPN connection, such as logging in, logging out and timeout due to inactivity.
SSL VPN administration event All administration events related to SSL VPN, such as SSL configuration and CA certificate loading and removal.
SSL VPN session event All session activity such as application launches and blocks, timeouts, and verifications.
VIP ssl event All server load balancing events happening during SSL sessions, especially details about handshaking.
VIP server health monitor event All related VIP server health monitor events that occur when the VIP health monitor is configured, such as an interface failure.
CPU & memory usage (every 5 min) All real-time CPU and memory events, at 5-minute intervals.
Data Leak Prevention log
Data Leak Prevention (DLP) logging provides additional information that helps administrators better analyze and detect data leaks. You can enable logging of your configured settings for Data Leak Prevention in a protection profile.
Before enabling logging of DLP events, verify that the correct DLP sensor is available for what you want to log. A DLP sensor is required for both logging and DLP archiving of DLP events. You cannot apply multiple DLP sensors for logging or DLP archiving of DLP events.
To enable logging of Data Leak Prevention settings
1 Go to Firewall > Protection Profile.
2 Select the expand arrow to view the policy list for a policy.
3 Select Edit beside the policy that you want.
4 Select the expand arrow to view the Data Leak Prevention options.
5 Select the check box next to the sensor list.
6 Select a sensor from the list.
7 Select the expand arrow to view the Logging options.
8 Select the Data Leak Prevention Log DLP check box.
Application Control log
This log file includes IPS, IM/P2P and VoIP events that the FortiGate unit records. The application control log also includes some IPS activities.
Before enabling logging of Application Control events, verify that the correct application control list is available for what you want to log. An application control list is required for logging application control events.
To enable logging of Application Control settings
1 Go to Firewall > Protection Profile.
2 Select Edit beside the protection profile that you want.
3 Select the Expand arrow to expand Application Control.
4 Select the check box beside the application control list.
5 Select a list from the application control list.
6 Select the expand arrow to expand the Logging options.
7 Select the Log Application Control check box.
Antivirus log
The Antivirus log records virus incidents in Web, FTP, and email traffic. For example, when the FortiGate unit detects an infected file, blocks a file type, or blocks an oversized file or email, it records an antivirus log message. You can also apply filters to customize what the FortiGate unit logs, which are:
Viruses The FortiGate unit logs all virus infections.
Blocked Files The FortiGate unit logs all instances of blocked files.
Oversized Files/Emails The FortiGate unit logs all instances of files and email messages exceeding defined thresholds.
AV Monitor The FortiGate unit logs all instances of viruses, blocked files, and oversized files and email. This applies to HTTP, FTP, IMAP, POP3, SMTP, and IM traffic.
To enable antivirus logs
1 Go to Firewall > Protection Profile.
2 Select Edit beside the protection profile that you want.
3 Select the expand arrow beside Logging to reveal the available options.
4 Select the antivirus events you want logged.
5 Select OK.
Web filter log
The Web Filter log records HTTP FortiGuard log rating errors including web content
filtering actions.
To enable web filter logs
1 Go to Firewall > Protection Profile.
2 Select Edit beside the protection profile that you want.
3 Select the expand arrow beside Logging to reveal the available options.
4 Select the web filtering events to log.
5 Select the FortiGuard Web Filtering Rating Errors (HTTP only) check box, to log
FortiGuard filtering.
6 Select OK.
Email filter log
The Email Filter log records blocking of email address patterns and content in SMTP,
IMAP, POP3, SMTPS, IMAPS, and POP3S traffic.
To enable the Spam log
1 Go to Firewall > Protection Profile.
2 Select Edit beside the protection profile that you want.
3 Select the expand arrow beside Logging to reveal the available options.
4 Select Log Spam.
5 Select OK.
Attack log (IPS)
The Attack (IPS) log records attacks detected and prevented by the FortiGate unit. The
FortiGate unit logs the following:
Attack Signature The FortiGate unit logs all detected and prevented attacks based
on the attack signature, and the action taken by the FortiGate unit.
Attack Anomaly The FortiGate unit logs all detected and prevented attacks based
on unknown or suspicious traffic patterns, and the action taken by the FortiGate unit.
You can view attack log messages from either the Memory or Remote tab.
To enable the attack logs
1 Go to Firewall > Protection Profile.
2 Select Edit beside the protection profile that you want.
3 Select the expand arrow beside Logging to reveal the available options.
4 Select Log Intrusions under IPS.
5 Select OK.
Accessing and viewing log messages
You can use the Log Access feature in the FortiGate web-based manager to view logs
stored in memory, on a hard disk, on a FortiAnalyzer unit running FortiAnalyzer 3.0 or
later, and on the FortiGuard Analysis server.
To view log messages go to Log&Report > Log Access and then select:
Remote to view log messages stored on a FortiAnalyzer unit or the FortiGuard
Analysis and Management Service
Memory to view log messages stored in FortiGate unit system memory
Disk to view log messages stored on a hard disk such as an internal hard disk or an
AMC hard disk.
Each tab provides options for viewing log messages, such as search and filtering options
and a choice of log type. The Remote tab displays logs stored on either the FortiGuard
Analysis server or the FortiAnalyzer unit, whichever one is configured for logging.
The columns that appear reflect the content found in the log file. The top portion of the Log
Access page includes navigational features to help you move through the log messages
and locate specific information.
If you are logging to the FortiGate unit's hard disk, the Disk tab lists rolled log files; select
the View icon beside a rolled log file to view its log messages.
Note: Make sure attack signature and attack anomaly DoS sensor settings are enabled to
log the attack. The logging options for the signatures included with the FortiGate unit are
set by default. Ensure any custom signatures also have the logging option enabled. For
more information, see Intrusion Protection on page 523.
Figure 435: Viewing log messages
Accessing logs stored in memory
You can access logs stored in the FortiGate system memory from the Memory tab. The
traffic log type is not available in the Log Type list because the FortiGate system memory
cannot store traffic logs; attack logs and the other log types can be viewed.
To view log messages in the FortiGate memory buffer, go to Log&Report > Log Access >
Memory, and then select a log type from the Log Type list.
Log Type Select the type of log you want to view. Some log files, such as the traffic log,
cannot be stored to memory due to the volume of information logged.
Current Page By default, the first page of the list of items is displayed. The total number of
pages displays after the current page number. For example, if 3/54 appears,
you are currently viewing page 3 of 54 pages.
To view pages, select the left and right arrows to display the first, previous,
next, or last page.
To view a specific page, enter the page number in the field and then press
Enter.
For more information, see Using page controls on web-based manager lists
on page 60.
Column Settings Select to add or remove columns. This changes what log information appears
in Log Access. For more information, see Column settings on page 718.
Raw or Formatted By default, log messages are displayed in Formatted mode. Select Raw to
view log messages in Raw mode, without columns. When in Raw mode,
select Formatted to switch back to viewing log messages organized in
columns.
When log messages are displayed in Formatted view, you can customize the
columns, or filter log messages.
Clear All Filters Clear all filter settings. For more information, see Filtering log messages on
page 719.
Accessing logs stored on the hard disk
You can access logs stored on the hard disk if your FortiGate unit has a hard disk. Logs
stored on the hard disk are available for viewing in the Disk tab. You can view, navigate,
and download logs stored on the hard disk.
To access log files on the hard disk, go to Log&Report > Log Access > Disk, and then
select a log type from the Log Type list. The FortiGate unit displays a list of rolled log files
for that log type. Select the View icon beside a file to view its log messages.
Figure 436: Viewing log files stored on the FortiGate hard disk
Log Type Select the type of log whose files you want to list.
Refresh Refresh the list of log files.
File name The names of the log files of the selected log type stored on the FortiGate hard
disk.
When a log file reaches its maximum size, the FortiGate unit saves the log file
with an incremental number and starts a new log file with the same name. For
example, if the current attack log is alog.log, rolled attack logs appear as
alog.n, where n is the number of the rolled log.
Size (bytes) The size of the log file in bytes.
Last access time The time the most recent log message was written to the log file. The time is in
the format day-of-week month date hh:mm:ss yyyy, for example Fri Feb 16
12:30:54 2007.
Clear log icon Clear the current log file. Clearing deletes only the current log messages of that
log file; the log file itself is not deleted.
Download icon Download the log file or rolled log file. Select either Download file in Normal
format or Download file in CSV format. Select Return to return to the Disk tab.
Downloading the current log file includes only the current log messages.
View icon View the log messages in a log file.
Delete icon Delete a rolled log file. Fortinet recommends downloading a rolled log file before
deleting it, because a deleted rolled log file cannot be retrieved.
Accessing logs stored on the FortiAnalyzer unit
You can view and navigate through logs saved to the FortiAnalyzer unit. For information
about configuring the FortiGate unit to send log files to the FortiAnalyzer unit, see
Remote logging to a FortiAnalyzer unit on page 704.
Logs accessed on a remote logging device such as the FortiAnalyzer unit automatically
appear in the Remote tab.
To access log files on the FortiAnalyzer unit, go to Log&Report > Log Access, select the
Remote tab, and select a log type from the Log Type list.
Figure 437:Viewing log files stored on the FortiAnalyzer unit
Accessing logs stored on the FortiGuard Analysis and Management Service
You can access log files stored on the FortiGuard Analysis server from the FortiGate web-
based manager, if you have subscribed to FortiGuard Analysis and Management Service.
After enabling logging to the FortiGuard Analysis server, a Remote tab appears in the Log
Access menu. For more information about viewing real-time and historical log files, see
the FortiGuard Analysis and Management Service Guide.
To access log files on the FortiGuard Analysis server, go to Log&Report > Log Access,
select the Remote tab, and then select a log type from the Log Type list.
Customizing the display of log messages
By customizing the display of log messages, you can view certain parts or different
formats of log messages. For example, log messages can be viewed in Formatted or Raw
view. In Formatted view, you can customize the columns, or filter log messages. In Raw
view, the log message appears as it would in the log file.
Filtering is also another way to customize the display of log messages. By using the filter
icon, you can display specific information of log messages. For example, you may want to
display only event log messages that have a severity level of alert.
Log Type Select the type of log you want to view.
Refresh Refresh the displayed log messages.
Current Page By default, the first page of the list of items is displayed. The total number of
pages appears after the current page number. For example, if 3/54 appears,
you are currently viewing page 3 of 54 pages.
To view pages, select the left and right arrows to display the first, previous, next,
or last page.
To view a specific page, enter the page number in the field and then press
Enter.
For more information, see Using page controls on web-based manager lists
on page 60.
Column Settings Select to add or remove columns. This changes what log information appears in
Log Access. For more information, see Column settings on page 718.
Raw or Formatted By default, log messages are displayed in Formatted mode. Select Raw to
view log messages in Raw mode, without columns. When in Raw mode, select
Formatted to switch back to viewing log messages organized in columns.
When log messages are displayed in Formatted view, you can customize the
columns, or filter log messages.
Clear All Filters Clear all filter settings. For more information, see Filtering log messages on
page 719.
Note: The FortiAnalyzer unit must be running firmware version 3.0 or higher to view logs
from the FortiGate unit.
Note: For more information about filtering log messages, see Adding filters to web-based
manager lists on page 57.
Column settings
By using Column Settings, you can customize the view of log messages in Formatted
view. By adding columns, changing their order, or removing them, you can view only the
log information you want.
The Column Settings feature is available only in Formatted view.
Figure 438: Column settings for viewing log messages
To customize the columns
1 Go to Log&Report > Log Access.
2 Select the tab to view logs from, Memory, Disk or Remote.
3 Select a log type from the Log Type list.
4 Select the View icon if you are viewing a log file on a FortiAnalyzer unit.
5 Select the Column Settings icon.
6 Select a column name in the Available fields list and then select one of the following to
change the view of the log information:
-> Select the right arrow to move selected fields from the Available fields list to
the Show these fields in this order list.
<- Select the left arrow to move selected fields from the Show these fields in this
order list to the Available fields list.
Move up Move the selected field up one position in the Show these fields in this order
list.
Move down Move the selected field down one position in the Show these fields in this
order list.
7 Select OK.
Note: The Detailed Information column provides the entire raw log entry and is needed only
if the log contains information not available in any of the other columns. The VDOM column
displays which VDOM the log was recorded in.
You can view the device ID and device name when customizing columns. The device ID
provides the identification name of the device. The device name is the host name that you
configured for the FortiGate unit, for example Headquarters.
Filtering log messages
You can filter log messages by selecting the Filter icon to display specific information
about log messages. The filter settings that are applied remain until you log out of the
web-based manager. Log filters automatically reset to default settings when you log into
the web-based manager.
Figure 439: Log filters
To filter log messages
1 Go to Log&Report > Log Access.
2 Select the tab to view logs from, Memory, Remote or Disk.
3 Select a log type from the Log Type list.
4 Select the Filter icon in the heading of the column you want to filter on.
5 Select Enable to enable filtering for the column.
6 Enter the filter criteria. The fields vary by column and log type.
For more information about using the filter icons to filter log messages, see Adding
filters to web-based manager lists on page 57.
7 Select OK.
8 To filter on further columns, select them in the Filter list instead of selecting each
column heading.
You can view the filtered log messages in Raw format after configuring the filters. To
remove all filter settings, select Clear All Filters, located under the Filter list.
Viewing DLP Archives
Go to Log&Report > DLP Archive to view all DLP archived content stored on a
FortiAnalyzer unit or on the FortiGuard Analysis and Management Service server.
The DLP Archive menu is only visible if:
You have configured the FortiGate unit for remote logging and archiving to a
FortiAnalyzer unit. See Remote logging to a FortiAnalyzer unit on page 704.
You have subscribed to the FortiGuard Analysis and Management Service. See the
FortiGuard Analysis and Management Service Administration Guide.
Select the following tabs to view DLP archives for one of these protocols.
E-mail to view POP3, IMAP, SMTP, POP3S, IMAPS, SMTPS, and spam email
archives.
Web to view HTTP and HTTPS archives.
FTP to view FTP archives.
IM to view AIM, ICQ, MSN, and Yahoo! archives.
VoIP to view session control (SIP, SIMPLE and SCCP) archives.
If you need to view logs in Raw format, select Raw beside the Column Settings icon. For
more information, see Column settings on page 718.
For information about configuring DLP archiving, see DLP archiving on page 580.
Viewing the File Quarantine list
The Quarantined Files list displays information about each file quarantined because of a
virus infection or a file block. You can sort the files by file name, date, service, status,
duplicate count (DC), or time to live (TTL), and filter the list to view only quarantined files
with a specific status or from a specific service.
To view the Quarantined Files list, go to UTM > AntiVirus > Quarantined Files.
Figure 440: File Quarantine list
The file quarantine list displays the following information about each quarantined file:
Source Either FortiAnalyzer or Local disk, depending on where you have configured
quarantined files to be stored.
Sort by Sort the list. Choose from: Status, Service, File Name, Date, TTL, or Duplicate
Count. Select Apply to complete the sort.
Filter Filter the list. Choose either Status (infected, blocked, or heuristics) or Service
(IMAP, POP3, SMTP, FTP, HTTP, IM, or NNTP). Select Apply to complete the
filtering. Heuristics mode is configurable through the CLI only.
If your FortiGate unit supports SSL content scanning and inspection Service can
also be IMAPS, POP3S, SMTPS, or HTTPS.
Apply Select to apply the sorting and filtering selections to the list of quarantined files.
Delete Select to delete the selected files.
Page Controls Use the controls to page through the list. For details, see Using page controls
on web-based manager lists on page 60.
Remove All
Entries
Removes all quarantined files from the local hard disk.
This icon only appears when the files are quarantined to the hard disk.
File Name The file name of the quarantined file.
Date The date and time the file was quarantined, in the format dd/mm/yyyy hh:mm.
This value indicates the time that the first file was quarantined if duplicates are
quarantined.
Service The service from which the file was quarantined (HTTP, FTP, IMAP, POP3,
SMTP, IM, NNTP, IMAPS, POP3S, SMTPS, or HTTPS).
Status The reason the file was quarantined: infected, heuristics, or blocked.
Status Description Specific information related to the status, for example, File is infected with
W32/Klez.h or File was stopped by file block pattern.
DC Duplicate count. A count of how many duplicates of the same file were
quarantined. A rapidly increasing number can indicate a virus outbreak.
TTL Time to live in the format hh:mm. When the TTL elapses, the FortiGate unit
labels the file as EXP under the TTL heading. In the case of duplicate files, each
duplicate found refreshes the TTL.
The TTL information is not available if the files are quarantined on a
FortiAnalyzer unit.
Upload status Y indicates the file has been uploaded to Fortinet for analysis, N indicates the
file has not been uploaded.
This option is available only if the FortiGate unit has a local hard disk.
Download icon Select to download the corresponding file in its original format.
This option is available only if the FortiGate unit has a local hard disk.
Submit icon Select to upload a suspicious file to Fortinet for analysis.
This option is available only if the FortiGate unit has a local hard disk.
Note: Duplicates of files (based on the checksum) are not stored, only counted. The TTL
value and the duplicate count are updated each time a duplicate of a file is found.
Configuring FortiAnalyzer report schedules
You can configure a FortiAnalyzer report schedule from FortiGate logs in the web-based
manager or CLI. You need to configure a report layout before configuring a report
schedule. Contact a FortiAnalyzer administrator before configuring report schedules from
the FortiGate unit to verify that the appropriate report layout is configured. Report layouts
can only be configured from the FortiAnalyzer unit.
For information about how to configure a report layout, see the FortiAnalyzer
Administration Guide.
You can also clone an existing report schedule. When you clone a report schedule, a
duplicate of the original is used as the basis for a new one.
To view the list of report schedules, go to Log&Report > Report Config.
To configure a report schedule, go to Log&Report > Report Config, select Create New,
enter the appropriate information and then select OK.
Note: Make sure to check the Report Title of the report displayed on the FortiAnalyzer page
before printing.
FortiAnalyzer reports are available only from within a VDOM.
Figure 441: Report schedules in Report Config
General report schedule settings
Create New Create a new report schedule.
Name The name of the report schedule.
Description The comment made when the report schedule was created.
Report Layout The name of the report layout used for the report schedule.
Schedule When the report will be generated. The display depends on the
time period selected when the report schedule was created: once,
daily, specified days of the week, or specified dates of the month.
For example, if you select monthly, the days of the month and time
(hh:mm) appear in the format Monthly 2, 10, 21, 12:00.
Delete and Edit icons Delete or edit a report schedule in the list.
Clone icons Create a duplicate of the report schedule and use it as a basis for a
new report schedule.
Report schedule configuration settings
Name Enter a name for the schedule.
Description Enter a description for the schedule. This is optional.
Report Layout Select a configured report layout from the list. You must apply a report
layout to a report schedule. For more information, see the
FortiAnalyzer Administration Guide.
Language Select the language you want used in the report schedule from the list.
Schedule Select one of the following to have the report generated once only,
daily, weekly, or monthly at a specified date or time.
Once Select to have the report generated only once.
Daily Select to generate the report every day at the same time, and then
enter the hour and minute for the report. The format is hh:mm.
These Days Select to generate the report on specified days of the week, and then
select the days of the week check boxes.
These Dates Select to generate the report on a specific day or days of the month,
and then enter the days separated by commas. For example, to
generate the report on the first, 21st and 30th day of the month,
enter: 1, 21, 30.
Log Data Filtering You can specify the following variables for the report:
Virtual Domain Select to create a report based on virtual domains. Enter a specific
virtual domain to include in the report.
User Select to create a report based on a network user. Enter the user or
users in the field, separated by spaces. If a user name or group name
contains a space, enclose it in quotes, for example "user 1".
Group Select to create a report based on a group of network users, defined
locally. Enter the name of the group or groups in the field.
LDAP Query Select the LDAP Query check box and then select an LDAP directory
or Windows Active Directory group from the list.
Time Period Select the time period of the logs to include in the report.
Relative to Report Runtime Select a time period from the list, for example this year.
Specify Select to specify the date, day, year and time range for the report.
From Select the beginning date and time of the log time range.
To Select the ending date and time of the log time range.
Output Select the format you want the report to be in and whether to apply
an output template.
Output Types Select the file format for the generated report. You can choose
from PDF, MS Word, Text, and MHT.
Email/Upload Select the check box to apply a report output template from the list.
This list is empty if no report output template exists. For more
information, see the FortiAnalyzer Administration Guide.
Note: FortiAnalyzer reports do not appear if the FortiGate unit is not connected to a
FortiAnalyzer unit, or if the FortiAnalyzer unit is not running firmware 3.0 or higher.
To clone a report schedule
1 Go to Log&Report > Report Config.
2 Select Clone in the row of the report schedule that will be the basis of the new
report schedule.
3 Rename the report schedule.
The cloned schedule is given a default name, for example CloneOfFGT_100A.
4 Enter the appropriate information and select OK.
You can use the Log&Report menu to configure FortiAnalyzer report schedules and to
view generated FortiAnalyzer reports. You can also configure basic traffic reports, which
use the log information stored in your FortiGate system memory to present basic traffic
information in a graphical format.
Viewing Executive Summary reports from SQL logs
On FortiGate units that contain a hard drive, you can display Executive Summary reports
based on logs stored in an SQL database. The log messages are stored in text format in
the database.
To enable SQL logging go to Log&Report > Log Config. Select Local Logging & Archiving
and then select the types of logs to enable SQL logging for. See Local logging to disk on
page 708.
To view, select, and customize Executive Summary reports go to Log&Report > Report
Access > Executive Summary. There are many default reports that you can select and
customize in the web-based manager. You can customize reports by selecting the report
update schedule and location in the Executive Summary.
You can also customize the appearance of existing reports and create new reports from
the FortiGate CLI using the config report CLI commands.
To add a report to the Executive Summary
1 Go to Log&Report > Report Access > Executive Summary.
2 Select Add Widget.
Figure 442: Adding a new report widget
3 Enter the following information and select OK:
Widgets Select a report from the list.
Schedule Configure the update time for the report.
Select Daily and enter the hour of the day, or select Weekly and enter
the day of the week and the hour of the day.
Display Column Select where to display the report, either the first or second column of the
Executive Summary.
The report updates at the configured time. To update the report immediately, select the
Refresh icon near the right end of the widget title bar. You can also select the Edit icon
to change the report update schedule.
Viewing FortiAnalyzer reports
After the FortiAnalyzer unit generates the report, it appears on the Report Access page.
All reports are listed on the page, including the rolled reports. The list displays the reports
generated by the report schedules as well as other reports that the FortiAnalyzer unit
generated.
To view reports, go to Log&Report > Report Access and select a report name in the
Report Files column. You can also select the expand arrow to list the rolled reports and
view the entire report. After viewing the report, select Historical Reports to return to the
list.
Figure 443: Generated reports displayed in Report Access
Report Files The name of the generated report. Select the name to view the report.
You can also select the expand arrow to list the rolled reports and select a
rolled report to view it.
Date The date the report was generated.
Size (bytes) The size of the report in bytes.
Other Formats Displays the formats PDF, RTF or MHT, or all of them, if these formats were
chosen in the report schedule.
Printing your FortiAnalyzer report
After the FortiAnalyzer unit generates the report, you may want to print the report to have
a hardcopy reference or for a presentation. To print a FortiAnalyzer report, go to
Log&Report > Report Access, select the report you want to print from the list and then
select Print.
Viewing basic traffic reports
The FortiGate unit uses collected log information and presents it in a graphical format to
show network usage for a number of services. The charts show the bytes used by each
service's traffic.
To view basic traffic reports, go to Log&Report > Report Access > Memory.
Figure 444: Viewing the basic traffic report
Time Period Select a time range to view for the graphical analysis. You can choose from
one day, three days, one week or one month. The default is one day. When
you refresh your browser or go to a different menu, the settings revert to
default.
Services By default all services are selected. When you refresh your browser or go to
a different menu, all services revert to default settings. Clear the check
boxes beside the services you do not want to include in the graphical
analysis.
Browsing
DNS
Email
FTP
Gaming
Instant Messaging
Newsgroups
P2P
Streaming
TFTP
VoIP
Generic TCP
Generic UDP
Generic ICMP
Generic IP
The report is not updated in real-time. You can refresh the report by selecting the Memory
tab.
Configuring the graphical view
The FortiGate basic traffic report includes a wide range of services you can monitor. For
example, you can choose to view only email services for the last three days.
To change the graphical information
1 Go to Log&Report > Report Access > Memory.
2 Select the time period to include in the graph from the Time Period list.
3 Clear the services to exclude them from the graph. All services are selected by default.
4 Select Apply.
The graph refreshes and displays the content you specified in the above procedure.
The Top Protocols Ordered by Total Volume graph does not change.
Bandwidth Per Service This bar graph is based on the services you select, and is updated when
you select Apply. The graph covers the selected time period, ending at the
current date and time.
Top Protocols Ordered by Total Volume This bar graph displays the traffic volume for various
protocols, in decreasing order of volume. The bar graph does not update when you
select different services and then select Apply.
Note: The data used to present the graphs is stored in the FortiGate system memory.
When the FortiGate unit is reset or rebooted, the data is erased.
Note: If you require a more specific and detailed report, you can configure a simple report
from the FortiAnalyzer web-based manager or CLI. The FortiAnalyzer unit can generate
over 140 different reports, providing you with more options than the FortiGate unit provides.
If you need to configure a FortiAnalyzer report schedule, see Configuring FortiAnalyzer
report schedules on page 721.
Log severity levels
You can define the severity level at which the FortiGate unit records logs when you
configure the logging location. The FortiGate unit logs all messages at and above the
logging severity level you select. For example, if you select Error, the unit logs Error,
Critical, Alert and Emergency level messages.
Table 63: Log severity levels
Level Description Generated by
0 - Emergency The system has become unstable. Event logs, specifically administrative
events, can generate an Emergency severity level.
1 - Alert Immediate action is required. Attack logs are the only logs that generate
an Alert severity level.
2 - Critical Functionality is affected. Event, antivirus, and email filter logs.
3 - Error An error condition exists and functionality could be affected. Event and
email filter logs.
4 - Warning Functionality could be affected. Event and antivirus logs.
5 - Notification Information about normal events. Traffic and web filter logs.
6 - Information General information about system operations. DLP archive, event,
and email filter logs.
7 - Debug Displays debugging messages. The Debug severity level is rarely used. It
is the lowest log severity level and usually contains some firmware status
information that is useful when the FortiGate unit is not functioning properly.
Debug log messages are generated by all types of FortiGate features.
Log types
The FortiGate unit provides a wide range of features to log, enabling you to better monitor
activity that is occurring on your network. For example, you can enable logging of IM/P2P
features to obtain detailed information on the activity occurring on your network where
IM/P2P programs are used.
Before enabling logging of FortiGate features, you need to configure what type of logging
device will store the logs. For more information, see Configuring how a FortiGate unit
stores logs on page 704.
This topic also provides details on each log type and explains how to enable logging of the
log type.
Note: If the FortiGate unit is in transparent mode, certain settings and options for logging
may not be available because they are not available in transparent mode. For example,
SSL VPN events are not available in transparent mode.
Traffic log
The Traffic log records all the traffic to and through the FortiGate interfaces. You can
configure logging of traffic controlled by firewall policies and of traffic between any source
and destination addresses. You can also filter to customize the traffic logged:
Allowed traffic The FortiGate unit logs all traffic that is allowed according to the
firewall policy settings.
Violation traffic The FortiGate unit logs all traffic that violates the firewall policy
settings.
If you are logging other-traffic, the FortiGate unit incurs a higher system load because
other-traffic logging records individual packets. Fortinet recommends logging firewall
policy traffic since it minimizes the load. Logging other-traffic is disabled by default.
Firewall policy traffic logging records traffic that is either permitted or denied by the
firewall policy, based on the protection profile. It records the packets that match the
policy.
To enable firewall policy traffic logging
1 Go to Firewall > Policy.
2 Select the expand arrow to view the policy list for a policy.
3 Select Edit beside the policy that you want.
If required, create a new firewall policy by selecting Create New. For more information,
see Firewall Policy on page 363.
4 Select Log Allowed Traffic.
5 Select OK.
Example configuration: logging all FortiGate traffic
You can use the following procedure to configure your FortiGate unit to record traffic log
messages for all traffic. This procedure enables traffic logging on all FortiGate interfaces
that receive traffic. However, traffic logging may not log traffic that would otherwise be
dropped by the FortiGate unit. To record log messages for this traffic as well, you can add an
IPS Sensor that includes predefined IPS signatures that detect and log traffic that would
otherwise be dropped by the FortiGate unit.
To log all traffic received by a FortiGate unit
1 Enter the following CLI command to enable logging of failed connection attempts to the
FortiGate unit that use TCP/IP ports other than the TCP/IP ports configured for
management access:
    config system global
        set localdeny enable
    end
2 Enter the following CLI command to set global header checking to strict.
    config system global
        set check-protocol-header strict
    end
Strict header checking detects invalid raw IP packets by validating packet checksums
and also checks IP headers to make sure they adhere to current standards. The
default setting is loose, which is appropriate for most environments: loose header
checking improves performance while meeting most organizations' requirements.
3 Enter the following CLI commands to enable traffic logging for all of the FortiGate
interfaces that receive traffic. The following commands enable traffic logging on port1
and port2. You should repeat these commands for all other FortiGate unit interfaces
that receive traffic.
    config system interface
        edit port1
            set log enable
        next
        edit port2
            set log enable
    end
Note: You need to set the logging severity level to Notification when configuring a logging
location to record traffic log messages. Traffic log messages generally have a severity level
no higher than Notification. If VDOMs are in transparent mode, make sure that the VDOM
allows access for enabling traffic logs.
4 Use the following command to enable logging of other traffic.
    config log syslogd filter
        set other-traffic enable
    end
5 Go to UTM > Intrusion Protection > IPS Sensor and select Create New to add an IPS
Sensor.
Edit the IPS Sensor and select Add Pre-defined Override to add the following
predefined IPS signatures to the sensor.
Invalid.Protocol.Header
TCP.Bad.Flags
TCP.Invalid.Packet.Size
Enable each of these signatures, set Action to Block and enable Logging.
6 Enter the following CLI commands to add a DoS policy (called an interface policy in the
CLI) that includes the IPS Sensor.
    config firewall interface-policy
        edit 1
            set interface <interface_name>
            set srcaddr all
            set dstaddr all
            set service ANY
            set ips-sensor-status enable
            set ips-sensor <sensor_name>
    end
where <sensor_name> is the name of the IPS sensor added above.
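The note in this procedure and Table 63 together describe a common logging misconfiguration: a logging location whose minimum severity is set above Notification keeps every attack and critical event log but never receives a single traffic log, so the traffic log simply looks empty. The following Python model is an added example, not code from the FortiGate guide; the record format, the sample records, and the function names are constructed for the demonstration and are not the FortiGate log format. It assigns each constructed record the severity its log type carries in Table 63 and shows which log types are lost entirely at a given threshold.

```python
"""Model of how a logging location's minimum severity interacts with the
severity each FortiGate log type carries (Table 63).

Added example, not code from the FortiGate guide. The record format below is
constructed for the demonstration and is not the FortiGate log format.
"""

# Severity levels as numbered in Table 63; a lower number is more severe.
SEVERITY = {
    "emergency": 0,
    "alert": 1,
    "critical": 2,
    "error": 3,
    "warning": 4,
    "notification": 5,
    "information": 6,
    "debug": 7,
}

# Constructed sample records. Each record's "level" follows the "Generated by"
# column of Table 63: traffic and web filter logs are Notification, attack
# logs are Alert, and so on.
SAMPLE_RECORDS = [
    {"type": "traffic", "level": "notification", "msg": "accept tcp port1->port2"},
    {"type": "attack", "level": "alert", "msg": "TCP.Bad.Flags blocked"},
    {"type": "event", "level": "warning", "msg": "interface port3 link down"},
    {"type": "webfilter", "level": "notification", "msg": "url allowed"},
    {"type": "event", "level": "information", "msg": "admin login from console"},
    {"type": "antivirus", "level": "critical", "msg": "infected file blocked"},
]


def level_number(name):
    """Map a severity name (any case) to its Table 63 number; reject unknown names."""
    try:
        return SEVERITY[name.lower()]
    except KeyError:
        raise ValueError(f"unknown severity level: {name!r}") from None


def filter_by_threshold(records, threshold):
    """Return the records a logging location configured with minimum severity
    `threshold` keeps: everything at that level or more severe (lower number)."""
    limit = level_number(threshold)
    return [r for r in records if level_number(r["level"]) <= limit]


def types_silently_lost(records, threshold):
    """Log types present in `records` for which nothing survives the threshold.

    This is the condition to audit for: a traffic log that appears empty only
    because the logging location was set to Warning or above."""
    kept = {r["type"] for r in filter_by_threshold(records, threshold)}
    present = {r["type"] for r in records}
    return sorted(present - kept)


def traffic_logs_captured(records, threshold):
    """True if at least one traffic log record survives the threshold."""
    return any(r["type"] == "traffic" for r in filter_by_threshold(records, threshold))


if __name__ == "__main__":
    for threshold in ("warning", "notification"):
        kept = filter_by_threshold(SAMPLE_RECORDS, threshold)
        lost = types_silently_lost(SAMPLE_RECORDS, threshold)
        print(f"threshold={threshold}: kept {len(kept)} of {len(SAMPLE_RECORDS)}, "
              f"types lost entirely: {lost or 'none'}")
```

Run stand-alone, the script shows that a Warning threshold keeps the attack, antivirus and warning-level event records but loses the traffic and web filter logs completely, while a Notification threshold keeps every type and drops only the Information-level event record.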
Index
Symbols
Numerics
802.3ad aggregate interface
creating, 159
A
accept action
firewall policy, 683, 684
access profile, See admin profile, 257
accessing logs stored in hard disk, 716
action
email filter banned word, 564
email filter IP address, 567
firewall policy, 367
action type
email filter email address, 569
active sessions
HA statistics, 212
add signature to outgoing email
protection profile, 479
adding, configuring or defining
admin profile, 258
administrative access to interface, 165
administrator account, 244
administrator password, 246
administrator settings, 261
antispam advanced options, 570
antispam email address list, 568, 570
antispam IP address, 567
antispam IP address list, 566
antivirus file filter list, 515, 516
antivirus file patterns, 516
antivirus file quarantine, 516
antivirus log, 713
antivirus quarantine options, 518
antivirus scanning options, 477
application control options, 489
attack log (IPS), 714
authentication settings, 667
authentication, firewall policy, 372
autosubmit list, 517
banned word list, 563, 564
basic traffic report, graphical view, 727
BFD, 351
BFD on BGP, 352
BFD on OSPF, 353
BGP settings, 346
CA certificates, 286
Certificate Revocation List (CRL), 288
cipher suite, 627
combined IP pool and virtual IP, 440
custom firewall service, 406
custom service, firewall, 406
custom signatures, 527
customized CLI console, 68
DHCP interface settings, 161
DHCP relay agent, 201
DHCP server, 201
Directory Service server, 654, 655
Directory Service user groups, 660
DoS sensors, 538
Dynamic DNS on an interface, 163
dynamic virtual IP, 434
email filter log, 713
email filtering options, 485
event logs, 711
fail-open, IPS, 540
firewall address, 397
firewall address group, 399
firewall policy, 366, 367, 418, 419
firewall policy traffic logging, 728
firewall policy, modem connections, 175
firewall protection profile, 474
firewall schedule, 411
firewall service group, 408
firewall user groups, 659
firewall virtual IP, 421
firmware upgrade, 295
firmware version, 87
FortiAnalyzer report schedules, 721
FortiGuard override options for a user group, 664
FortiGuard Web Filtering options, 483
FortiWiFi-50B settings, 190, 191
FortiWiFi-60B settings, 190, 191
gateway for default route, 320
HA, 205
HA device priority, 212
HA subordinate unit host name, 212
health check monitor, 451
IM/P2P/VoIP applications, older versions, 646
interface settings, 151
inter-VDOM links, 136
IP pool, 440
IPS log (attack), 714
IPS options, 480
IPS sensor filters, 532
IPS sensors, 529
IPSec encryption policy, 376
IPSec VPN concentrator, 617
IPSec VPN phase 1, 606
IPSec VPN phase 1 advanced options, 608
IPSec VPN phase 2, 611
IPSec VPN phase 2 advanced options, 611
IPv6 support, 264
LDAP authentication, 249
LDAP server, 649, 650
license key, 311
local ratings, 556
local URL block categories, 555
local user account, 644
log message display, 717
logging options, 489
logging to a FortiAnalyzer unit, 704
logging to a FortiGuard Analysis server, 706
logging to a Syslog server, 707
logging to memory, 708
MAC filter list, 194
modem connections, firewall policy, 175
modem interface, 170
MTU size, 167
multicast settings, 348
NAT virtual IP, 428
OCSP certificates, 285
one-time schedule, 413
OSPF areas, 343
OSPF AS, 339
OSPF basic settings, 340
OSPF interface, operating parameters, 344
OSPF networks, 344
OSPF settings, advanced, 342
override server, 308
password, 246
password, administrator, 246
peer users and peer groups, 657
PKI authentication, 252
policy, 367, 372
policy route, 329
PPPoE or PPPoA interface settings, 162
PPTP range, 621, 623
PPTP VPN, 621, 623
protection profile, 468
push updates, 309
RADIUS authentication, 247
RADIUS server, 648
recurring schedule, 412
redundant interface, 160
redundant mode, 173
remote authentication, 246
RIP settings, advanced, 336
RIP settings, basic, 334
RIP-enabled interface, 337
scripts, 299
secondary IP address, 167
server load balance port forwarding virtual IP, 459
server load balance virtual IP, 454
SIP advanced features, 502
SNMP community, 214, 215
socket-size, IPS, 540
SSL VPN options, firewall policy, 376
SSL VPN settings, 626
SSL VPN user groups, 660
standalone mode, 174
static NAT port forwarding, IP address and port range, 432
static NAT port forwarding, single address and port, 431
static NAT virtual IP, IP address range, 429
static route, adding to routing table, 320
subnet object, 110
system administrators, 241
system certificates, 283
system configuration backup and restore, 290
system configuration backup and restore, FortiManager, 292
system configuration, central management options, 293
system status widgets, 68
system time, 86
TACACS+ authentication, 251
TACACS+ server, 652, 653
topology diagram, 110, 111
updates for FDN and FortiGuard services, 302
URL filter list, 548, 550
URL overrides, 553
user authentication settings, 667
user group, 661
user groups, 658
VDOM configuration settings, 127, 134
VDOM configuration settings, advanced, 131
VDOM configuration settings, global, 129
VDOM interface, 135
VDOM, new, 133
VIP group, 436
virtual IP, 426
virtual IP group, 436
virtual IP, port translation only, 435
virtual IPSec interface, 164
VPN firewall policy-based internet browsing, 616
VPN route-based internet browsing, 616
web content filter list, 545, 546
web filtering options, 480
wireless interface, 191
zone, 170
address
firewall address group, 398
list, 397
address group, 398
adding, 399
creating new, 398
list, 398
Address Name
firewall address, 398
admin
administrator account, 49
admin profile
administrator account, 254
CLI commands list, 256
configuring, 258
viewing list, 257
administrative access
changing, 50
interface settings, 157, 165, 168
monitoring logins, 264
administrative distance, 314
administrative interface. See web-based manager
administrator
assigning to VDOM, 138
administrator account
admin, 49
admin profile, 254
configuring, 244
netmask, 246
administrator login
disclaimer, 232
administrator password
changing, 49
administrator settings, 261
administrators
viewing list, 243
administrators, monitoring, 264
Advanced Mezzanine Card (AMC), 74
AFS3, advanced file security encrypted file
AFS3, 402
age limit
quarantine, 519
aggregate interface
creating, 159
AH, predefined service, 402
alert email, 709
options, 709
SMTP user, 710
alert message console
viewing, 76
ALG
SIP, 495
allow inbound
IPSec firewall policy, 376
allow outbound
IPSec firewall policy, 376
allow web sites when a rating error occurs
protection profile, 484
allowed
web category report, 558
AMC
bridge module, 99
configuring AMC modules, 98
AMC module, 149
configuring, 98
antispam
port 53, 305
port 8888, 305
antispam email address list
adding, 568
viewing, 568
antispam IP address list
viewing, 566
antispam. See also Email filter, 559
antivirus
av_failopen, 520
CLI configuration, 520
configure antivirus heuristic, 520
file block, 513
file block list, 515
heuristics, 520
optimize, 520
quarantine, 516
quarantine files list, 720
scanning large files, 521
splice, 478, 487
streaming mode, 478, 487
system global av_failopen, 520
system global optimize, 520
virus list, 519
antivirus and attack definitions, 307
antivirus options
protection profile, 477
antivirus updates, 307
manual, 91
through a proxy server, 308
ANY
service, 402
AOL
service, 402
append tag format
protection profile, 488
append tag to location
protection profile, 488
application control, 595
statistics, 600
application level gateway
SIP, 495
application list
SIP, 502
archiving
spam email, 585
area border router (ABR), 338, 343
ARP, 426, 446
proxy ARP, 426, 446
AS
OSPF, 338
ASM-CX4, 99
ASM-cx4, 99
ASM-FX2, 99
attack updates
manual, 91
scheduling, 307
through a proxy server, 308
Authentication
IPSec VPN, phase 2, 612
authentication
client certificates and SSL VPN, 627
configuring remote authentication, 246
defining settings, 667
firewall policy, 372, 379
MD5, 344
RIP, 338
server certificate and SSL VPN, 627
Authentication Algorithm
IPSec VPN, manual key, 614, 616
Authentication Key
IPSec VPN, manual key, 616
Authentication Method
IPSec VPN, phase 1, 607
Auto Key
IPSec VPN, 605
Autokey Keep Alive
IPSec VPN, phase 2, 613
autonomous system (AS), 338, 346
AutoSubmit
quarantine, 519
autosubmit list
configuring, 517
enabling uploading, 517
quarantine files, 517
av_failopen
antivirus, 520
B
back to HA monitor
HA statistics, 211
backing up
3.0 config to FortiUSB, 115
3.0 configuration, 114
config using web-based manager, 3.0, 114
configuration, 52
backup (redundant) mode
modem, 171
backup and restore, system maintenance, 290
backup mode
modem, 173
band
wireless setting, 191
bandwidth
guaranteed, 418
maximum, 418, 676, 681
banned word
character set, 483
banned word (email filter)
action, 564
adding words to the banned word list, 564
catalog, 562
language, 564
pattern, 564
banned word (spam filter)
language, 564
list, 563
pattern, 564
pattern type, 564
banned word check
protection profile, 487
banned word list
creating new, 563
banned word list catalog
viewing, 562
beacon interval
wireless setting, 191
BFD
configuring on BGP, 352
configuring on OSPF, 353
disabling, 352
BGP
AS, 346
flap, 346
graceful restart, 346
MED, 346
RFC 1771, 346
service, 402
settings, viewing, 346
stabilizing the network, 346
black/white list, 565
blackhole route, 315
blackhole routing, 158
block, 504
block login (IM)
protection profile, 489
blocked
web category report, 558
Boot Strap Router (BSR), 348
BOOTP, 203
branch, 508
bridge mode, 99
bridge module
AMC, 99
button bar
features, 51
C
CA certificates
importing, 286
viewing, 286
catalog
banned word, 562
content filter, 545
email address back/white list, 568
IP address black/white list, 565
URL filter, 548
viewing file pattern, 514
category
protection profile, 485
web category report, 558
category block
configuration options, 552
reports, 557
central management, 260
revision control, 261
Certificate Name
IPSec VPN, phase 1, 607
certificate, security. See system certificate
certificate, server, 627
certificate. See system certificates
channel
wireless setting, 191
character set
converting, 483
DLP, 483
email filter, 483
web filtering, 483
CIDR, 28, 266, 395, 679
cipher suite
SSL VPN, 627
CLI, 47
admin profile, 256
connecting to from the web-based manager, 51
CLI command
PPTP tunnel setup, 623
CLI configuration
antivirus, 520
customizing CLI console, 68
using in web-based manager, 79
web category block, 557
CLI console, 79
client certificates
SSL VPN, 627
client comforting, 479
cluster member, 209
cluster members list, 210
priority, 210
role, 210
cluster unit
disconnecting from a cluster, 212
code, 407
column settings, 718
configuring, 61
using with filters, 63
comfort clients
protection profile, 478
comforting
client, 479
command line interface (CLI), 24
comments
firewall policy, 372, 379
comments, documentation, 30
concentrator
adding, 617
equivalent for route-based VPN, 604
IPSec tunnel mode, 617
IPSec VPN, policy-based, 617
Concentrator Name
IPSec VPN, concentrator, 617
config antivirus heuristic
CLI command, 520
configuration
backing up the configuration, 52
configuring
WAN optimization peer, 680
WAN optimization rule, 675
connecting
modem, dialup account, 175
web-based manager, 48
conservation mode, 220
conserve mode, 76
contact information
SNMP, 214
contacting customer support, 51
content archiving
DLP archiving, 580
content block
catalog, 545
web filter, 544
content filtering
character set, 483
content filtering mode
HTTPS, 477
content scanning
SSL, 469
content streams
replacement messages, 225
CPU load, 132
CPU usage
HA statistics, 211
CRL (Certificate Revocation List)
importing, 288
viewing, 287
custom service
adding, 406
adding a TCP or UDP custom service, 406
list, 406
custom signatures
intrusion protection, 527
viewing, 527
customer service, 29, 132
customer support
contacting, 51
customized GUI
PPTP tunnel setup, 621
CVSPSERVER, concurrent versions system proxy server, 402
cx4, 99
D
dashboard, 47, 67
dashboard statistics
protection profile, 488
data encryption
wireless setting, 193
data leak prevention sensor, 488
data leak protection, 575
compound rule, 591
rule, 586
sensor, 575
date
quarantine files list, 720
daylight saving changes, 86
DC
quarantine files list, 721
DCE-RPC
firewall service, 402
Dead Peer Detection
IPSec VPN, phase 1, 610
default
password, 24
default gateway, 318
default route, 318
Designated Routers (DR), 348
destination
firewall policy, 367, 370, 375, 378
destination IP address
system status, 83
destination NAT
SIP, 496
destination network address translation (DNAT)
virtual IPs, 423, 424
destination port, custom services, 407
device priority
HA, 207
subordinate unit, 212
DH Group
IPSec VPN, phase 1, 610
IPSec VPN, phase 2, 612
DHCP
and IP Pools, 371
configuring relay agent, 201
configuring server, 201
servers and relays, 199
service, 200
system, 199
transparent mode, 199
viewing address leases, 203
DHCP (Dynamic Host Configuration Protocol)
configuring on an interface, 161
service, 402
DHCP6
service, 402
DHCP-IPSec
IPSec VPN, phase 2, 613
diagnose
commands, 51
diagram
topology viewer, 107
dialup VPN
monitor, 618
Directory Service
configuring server, 654, 655
FSAE, 655
disclaimer
administrator login, 232
disconnecting
modem, dialup account, 175
disk space
quarantine, 519
display content meta-information on dashboard
protection profile option, 489
display content meta-information on the system dashboard
protection profile, 488
Distinguished Name
query, 652
DLP
archiving, 580
character set, 483
content archiving, 580
DLP archive
viewing, 91, 586, 719
DLP archiving, 580
DLP. See data leak protection
DNAT
virtual IPs, 423, 424
DNS
service, 402
split, 177, 180
documentation
commenting on, 30
Fortinet, 30
domain name, 396
DoS policy, 379
configuring, 381, 384
viewing, 380
DoS sensor, 537
IPS, 480
list, 538
SCCP, 501
SIP, 501
dotted-decimal notation, 343
double NAT, 440
downgrading. See also reverting
3.0 using the CLI, 121
3.0 using web-based manager, 120
download
quarantine files list, 721
duplicates
quarantine files list, 721
Dynamic DNS
IPSec VPN, phase 1, 606
monitor, 618
network interface, 163
VPN IPSec monitor, 618
dynamic IP pool
SIP, 497
dynamic resources
VDOM resource limits, 139, 140
dynamic routing, 333
OSPF, 338
PIM, 348
dynamic virtual IP
adding, 434
E
ECMP, 315
eip
vpn pptp, 623, 624
email
oversize threshold, 478
email address
action type, 569
adding to the email address list, 570
black/white list catalog, 568
BWL check, protection profile, 487
list, email filter, 568
pattern type, 569
email alert, 709
email filter, 559
adding words to the banned word list, 564
email address list, 568
IP address, 565
IP address list, 566
Perl regular expressions, 571
email filtering options
protection profile, 485
enable FortiGuard Web Filtering
protection profile, 484
enable FortiGuard Web Filtering overrides
protection profile, 484
Enable perfect forward secrecy (PFS)
IPSec VPN, phase 2, 612
Enable replay detection
IPSec VPN, phase 2, 612
enable session pickup
HA, 208
Encryption
IPSec VPN, phase 2, 612
Encryption Algorithm
IPSec VPN, manual key, 614, 615
Encryption Key
IPSec VPN, manual key, 615
end IP
IP pool, 440
enhanced reliability, 205
Equal Cost Multipath (ECMP), 315
equal-cost multi-path (ECMP), 322
ESP
service, 402
example
firewall policy, 389
source IP address and IP pool address matching, 438
exclude range
adding to DHCP server, 203
expire
system status, 83
expired
subscription, 303
explicit mode
WAN optimization, 679
exported server certificates
importing, 283
external interface
virtual IP, 426
external IP address
virtual IP, 427
external service port
virtual IP, 427
F
fail-open, CLI command for IPS, 540
FDN
attack updates, 239
HTTPS, 306
override server, 304
port 443, 306
port 53, 305
port 8888, 305
port forwarding connection, 309
proxy server, 308
push update, 304
troubleshooting connectivity, 306
updating antivirus and attack definitions, 307
FDS, 300
file block
antivirus, 513
default list of patterns, 513
list, antivirus, 515
protection profile, 478
file name
quarantine files list, 720
file pattern
catalog, 514
quarantine autosubmit list, 517
filter
filtering information on web-based manager lists, 57
IPS sensor, 532
quarantine files list, 720
using with column settings, 63
web-based manager lists, 57
FINGER
service, 402
firewall, 363, 395, 401, 411, 421, 467
address list, 397
configuring, 363, 395, 467
configuring firewall service, 401
configuring service group, 408
configuring virtual IP, 421
configuring, schedule, 411
custom service list, 406
one-time schedule, 412
overview, 363, 395, 401, 467
overview, firewall schedule, 411
overview, virtual IP, 421
policy list, 366
policy matching, 363
predefined services, 401
recurring schedule, 411
virtual IP list, 425
firewall address
adding, 397
address group, 398
address name, 398
create new, 397
IP range/subnet, 398
list, 397
name, 397
subnet, 398
firewall address group
adding, 399
available addresses, 400
group name, 400
members, 400
firewall IP pool list, 439
firewall IP pool options, 440
firewall policy
accept action, 683, 684
action, 367
adding, 367
adding a protection profile, 468
allow inbound, 376
allow outbound, 376
authentication, 372, 379
changing the position in the policy list, 364, 677
comments, 372, 379
configuring, 367
creating new, 366, 418, 419
deleting, 364, 677
destination, 367, 370, 375, 378
example, 389
guaranteed bandwidth, 418
ID, 367
inbound NAT, 376
insert policy before, 367, 676
list, 366
log traffic, 372, 375, 379
matching, 363
maximum bandwidth, 418, 676, 681
modem, 175
moving, 364, 677
multicast, 365
outbound NAT, 376
protection profile, 371
schedule, 367, 370
service, 367, 371
source, 367, 370, 378
SSL VPN options, 376
traffic priority, 676, 681
traffic shaping, 371, 375, 379
user groups, 659
firewall protection profile
default protection profiles, 468
list, 469
options, 474
firewall service
AFS3, 402
AH, 402
ANY, 402
AOL, 402
BGP, 402
CVSPSERVER, 402
DCE-RPC, 402
DHCP, 402
DHCP6, 402
DNS, 402
ESP, 402
FINGER, 402
FTP, 402
FTP_GET, 402
FTP_PUT, 402
GOPHER, 402
GRE, 402
group list, 408
H323, 403
HTTP, 403
HTTPS, 403
ICMP_ANY, 403
IKE, 403
IMAP, 403
INFO_ADDRESS, 403
INFO_REQUEST, 403
Internet-Locator-Service, 403
IRC, 403
L2TP, 403
LDAP, 403
MGCP, 403
MS-SQL, 403
MYSQL, 403
NetMeeting, 403
NFS, 403
NNTP, 403
NTP, 403
ONC-RPC, 404
OSPF, 404
PC-Anywhere, 404
PING, 404
PING6, 404
POP3, 404
PPTP, 404
QUAKE, 404
RAUDIO, 404
REXEC, 404
RIP, 404
RLOGIN, 404
RSH, 404
RTSP, 404
SAMBA, 404
SCCP, 405
SIP, 405
SIP-MSNmessenger, 405
SMTP, 405
SNMP, 405
SOCKS, 405
SQUID, 405
SSH, 405
SYSLOG, 405
TALK, 405
TCP, 405
TELNET, 405
TFTP, 405
TIMESTAMP, 405
UDP, 405
UUCP, 405
VDOLIVE, 405
viewing custom service list, 406
viewing list, 401
VNC, 405
WAIS, 405
WINFRAME, 406
WINS, 406
X-WINDOWS, 406
firmware
reverting to previous version, 89
upgrading to a new version, 88
viewing, 294
firmware version, 88
fixed port
IP pool, 438
FortiAnalyzer, 23, 704
accessing logs, 716
configuring report schedules, 721
logging to, 704
printing reports, 725
VDOM, 126
FortiBridge, 23
FortiClient, 23
system maintenance, 290
FortiGate documentation
commenting on, 30
FortiGate SNMP event, 217
FortiGate-ASM-CX4, 99
FortiGate-ASM-FB4, 149
FortiGate-ASM-FX2, 99
FortiGuard, 23
Antispam, 24
Antivirus, 24
changing the host name, 557
CLI configuration, 557
configuration options, 552
configuring FortiGuard Web filtering options, 483
manually configuring definition updates, 91
override options for user group, 664
report allowed, 558
report blocked, 558
report category, 558
report profiles, 558
report range, 558
report type, 558
reports, 557
web filter, 552
FortiGuard Analysis Service
accessing logs on FortiGuard Analysis server, 717
FortiGuard Antispam
email checksum check, 486
IP address check, 486
FortiGuard Distribution Network. See FDN
FortiGuard Distribution Server. See FDS
FortiGuard Intrusion Prevention System (IPS), 72
FortiGuard Management Services
remote management options, 293
FortiGuard Services, 300
antispam service, 301
configuring antispam service, 301
configuring updates for FDN and services, 302
configuring web filter service, 301
FortiGuard Management and Analysis Services, 301
licenses, 70, 301
management and analysis service options, 306
support contract, 302
web filtering, 301
web filtering and antispam options, 305
FortiMail, 23
FortiManager, 23
FortiManager Management Services
revision control, 297
Fortinet
customer service, 132
Fortinet customer service, 29
Fortinet documentation, 30
Fortinet Family Products, 23
Fortinet Knowledge Center, 30
Fortinet MIB, 217, 221
Fortinet product
registering, 52
FortiWiFi-50B
wireless settings, 190
FortiWiFi-60B
wireless settings, 190
fragmentation threshold
wireless setting, 193
FSAE
Directory Service server, 655
FTP
service, 402
FTP_GET
service, 402
FTP_PUT
service, 402
fully qualified domain name (FQDN), 396
FX2, 99
G
geography
wireless setting, 191
GOPHER
service, 402
graceful restart, 346
graphical user interface. See web-based manager
grayware
updating antivirus and attack definitions, 307
GRE, 338
service, 402
group name
HA, 208
grouping services, 408
groups
user, 658
guaranteed bandwidth
firewall policy, 418
traffic shaping, 418
GUI. See web-based manager
H
H323
service, 403
HA, 205, 210
changing cluster unit host names, 210
cluster member, 210
cluster members list, 209
configuring, 205
device priority, 207
disconnecting a cluster unit, 212
enable session pickup, 208
group name, 208
hash map, 208
heartbeat interface, 208
host name, 210
interface monitoring, 208
mode, 207
password, 208
port monitor, 208
router monitor, 360
routes, 360
session pickup, 208
subordinate unit device priority, 212
subordinate unit host name, 212
VDOM partitioning, 206, 208
viewing HA statistics, 211
HA statistics
active sessions, 212
back to HA monitor, 211
CPU usage, 211
intrusion detected, 212
memory usage, 212
monitor, 211
network utilization, 212
refresh every, 211
status, 211
total bytes, 212
total packets, 212
unit, 211
up time, 211
virus detected, 212
HA virtual clustering, 206
health check monitor
configuring, 451
heartbeat, HA
interface, 208
HELO DNS lookup
protection profile, 487
help
navigating using keyboard shortcuts, 55
searching the online help, 54
using FortiGate online help, 52
heuristics
antivirus, 520
quarantine, 521
high availability (HA), 205
high availability. See HA, 205
host name
changing, 87
changing for a cluster, 210
viewing, 87
hostname
cluster members list, 210
HTTP, 451
service, 403
virus scanning large files, 521
HTTPS, 47, 239
service, 403
HTTPS content filtering mode, 477
hub-and-spoke
IPSec VPN (see also concentrator), 604
I
ICMP custom service, 407
code, 407
protocol type, 407
type, 407
ICMP echo request, 451
ICMP_ANY
service, 403
ID
firewall policy, 367
idle timeout
changing for the web-based manager, 50
IEEE 802.11a, channels, 188
IEEE 802.11b, channels, 189
IEEE 802.11g, channels, 189
IEEE 802.3ad, 159
IKE
service, 403
IMAP
service, 403
inbound NAT
IPSec firewall policy, 376
index number, 28
INFO_ADDRESS
service, 403
INFO_REQUEST
service, 403
insert policy before
firewall policy, 367, 676
inspection
SSL, 469
installation, 24
interface
adding system settings, 151
administrative access, 157, 165, 168
administrative status, 149
configuring administrative access, 165
GRE, 338
loopback, 149, 316
modem, configuring, 170
MTU, 157
proxy ARP, 426, 446
wireless, 187
WLAN, 187
Interface Mode, 151
interface monitoring, 208
HA, 208
internet browsing
IPSec VPN configuration, 616
Internet-Locator-Service
service, 403
inter-VDOM links, 136
introduction
Fortinet documentation, 30
intrusion detected
HA statistics, 212
intrusion protection
custom signature list, 527
DoS sensor list, 538
DoS sensor, protection profile, 480
fail-open, CLI command for IPS, 540
filter, 532
IPS sensor list, 529
IPS sensor, protection profile, 480
predefined signature list, 525
protection profile options, 480
protocol decoder, 528
protocol decoder list, 528
signatures, 524
socket-size, CLI command for IPS, 540
Intrusion Protection definitions, 91
IP
virtual IP, 425
IP address
action, antispam, 567
antispam black/white list catalog, 565
BWL check, protection profile, 487
defining PPTP range, 621, 623
email filter, 565
IPSec VPN, phase 1, 606
list, email filter, 566
PPTP user group, 621, 623
IP address, configuring secondary, 167
IP custom service, 408
protocol number, 408
protocol type, 408
IP pool
adding, 440
configuring, 440
creating new, 440
DHCP, 371
end IP, 440
fixed port, 438
IP range/subnet, 440, 441
list, 439
name, 440, 441
options, 440
PPPoE, 371
proxy ARP, 426, 446
SIP, 497
start IP, 440
transparent mode, 442
IP range/subnet
firewall address, 398
IP pool, 440, 441
IPS
see intrusion protection
IPS sensor
filter, 532
options, protection profile, 480
IPS sensors
creating, 529
IPSec, 338
IPSec firewall policy
allow inbound, 376
allow outbound, 376
inbound NAT, 376
outbound NAT, 376
IPSec Interface Mode
IPSec VPN, manual key, 616
IPSec VPN, phase 1, 609
IPSec VPN
adding manual key, 614
authentication for user group, 658
Auto Key list, 605
concentrator list, 617
configuring phase 1, 606
configuring phase 1 advanced options, 608
configuring phase 2, 611
configuring phase 2 advanced options, 611
configuring policy-, route-based Internet browsing, 616
Manual Key list, 614
monitor list, 618
remote gateway, 658
route-based vs policy-based, 604
IPv6, 264, 316
IPv6 support
settings, 263
IRC
service, 403
K
Keepalive Frequency
IPSec VPN, phase 1, 610
key
license, 311
wireless setting, 193
keyboard shortcut
online help, 55
Keylife
IPSec VPN, phase 1, 610
IPSec VPN, phase 2, 612
L
L2TP, 659
service, 403
language
changing the web-based manager language, 49
email filter banned word, 564
spam filter banned word, 564
web content block, 546
web-based manager, 49, 263
LDAP
configuring server, 649, 650
service, 403
user authentication, 644
LDAP Distinguished Name query, 652
LDAP server
authentication, 246
configuring authentication, 249
license key, 311
licenses
viewing, 70
limit
VDOM resources, 139
lists
using web-based manager, 57
load balancer, 445
local certificates
options, 281
viewing, 280
Local Gateway IP
IPSec VPN, phase 1, 609
Local ID
IPSec VPN, phase 1, 610
Local Interface
IPSec VPN, manual key, 615
IPSec VPN, phase 1, 607
local ratings
configuring, 556
local ratings list
viewing, 555
Local SPI
IPSec VPN, manual key, 615
local user, 644
local user account
configuring, 644
log
attack anomaly, 714
attack signature, 714
column settings, 718
raw or formatted, 715
to FortiAnalyzer, 704
traffic, firewall policy, 372, 375, 379
log traffic
firewall policy, 372, 375
log types, 728
antivirus, 713
attack, 714
email filter, 713
event, 711
traffic, 728
web filter, 713
logging, 716
accessing logs in memory, 715
accessing logs on FortiAnalyzer unit, 716
accessing logs on FortiGuard Analysis server, 717
alert email, configuring, 709
applying through protection profile, 489
basic traffic reports, 725
blocked files, 490
configuring FortiAnalyzer report schedules, 721
configuring graphical system memory report, 727
content block, 490
customizing display of log messages, 717
DLP archive, 719
FortiGuard Analysis server, 706
intrusions, 491
invalid domain name warnings, 490
log severity levels, 727
log types, 728
oversized files/emails, 490
printing FortiAnalyzer reports, 725
rating errors, 490
searching, filtering logs, 719
SIP, 501
spam, 490
storing logs, 704
testing FortiAnalyzer configuration, 705
to a FortiAnalyzer unit, 704
to memory, 708
to syslog server, 707
URL block, 490
viewing DLP archives, 586, 719
viewing raw or formatted logs, 715
viruses, 490
logging out
web-based manager, 55
loopback interface, 149, 316
lost password
recovering, 49, 245, 246
low disk space
quarantine, 519
M
MAC address
filtering, 193
MAC filter
wireless, 193
MAC filter list
configuring, 194
viewing, 194
major version, 88
Management Information Base (MIB), 213
management VDOM, 135, 139
Manual Key
IPSec VPN, 614
map to IP
virtual IP, 425
map to port
virtual IP, 425, 427
matched content, 453
matching
firewall policy, 363
max filesize to quarantine
quarantine, 519
maximum bandwidth, 418, 676, 681
firewall policy, 418, 676, 681
traffic shaping, 418, 676, 681
MD5
OSPF authentication, 344, 345
Members
IPSec VPN, concentrator, 617
memory, 132
memory usage
HA statistics, 212
menu
web-based manager menu, 56
MGCP
service, 403
mheader, 570
MIB, 221
FortiGate, 217
RFC 1213, 217
RFC 2665, 217
minor version, 88
Mode
IPSec VPN, phase 1, 607
mode
HA, 207
operation, 24
modem
adding firewall policies, 175
backup mode, 173
connecting and disconnecting to dialup account, 175
redundant (backup) mode, 171
standalone mode, 171, 174
viewing status, 176
modem interface
configuring, 170
monitor
administrator logins, 264
HA statistics, 211
IPSec VPN, 618
routing, 359
monitored ports, 477
monitoring
WAN optimization, 682
moving a firewall policy, 364, 677
MS-CHAP, 648
MS-CHAP-V2, 648
MS-SQL
service, 403
MTU size, 157, 167
multicast, 348
multicast destination NAT, 350
multicast policy, 365
multicast settings
overriding, 350
viewing, 348
Multi-Exit Discriminator (MED), 346
MYSQL
service, 403
N
Name
IP pool, 440, 441
IPSec VPN, manual key, 615
IPSec VPN, phase 1, 606
IPSec VPN, phase 2, 611
NAPT, 385
NAT
in transparent mode, 442
inbound, IPSec firewall policy, 376
multicast, 350
NAPT, 385
outbound, IPSec firewall policy, 376
port selection, 385
preserving SIP NAT IP, 505
push update, 309
SIP, 495
SIP contact headers, 506
symmetric, 424
NAT virtual IP
adding for single IP address, 428
adding static NAT virtual IP for IP address range, 429
Nat-traversal
IPSec VPN, phase 1, 610
netmask
administrator account, 246
NetMeeting
service, 403
network
topology viewer, 107
Network Address Port Translation, 385
network address translation (NAT), 422
Network Attached Storage (NAS), 248
Network Time Protocol, 87
network utilization
HA statistics, 212
NFS
service, 403
NNTP
service, 403
not registered
subscription, 303
notification, 709
Not-so-stubby Area (NSSA), 343
not-so-stubby area (NSSA), 360
Novell eDirectory, 654
NTP, 87
service, 403
sync interval, 87
synchronizing with an NTP server, 87
O
object identifier (OID), 221
OCSP certificates
importing, 285
OFTP connection, 74
ONC-RPC
service, 404
one-time schedule
adding, 413
configuring, 413
creating new, 412
list, 412
start, 413
stop, 413
online help
content pane, 53
keyboard shortcuts, 55
navigation pane, 53
search, 54
using FortiGate online help, 52
operation mode, 24, 238
wireless setting, 191
operational history
viewing, 90
optimize
antivirus, 520
OSPF
area ID, 344
AS, 341
authentication, 344, 345
Dead Interval, 346
dead packets, 346
GRE, 345
Hello Interval, 346
Hello protocol, 338
interface definition, 344
IPSec, 345
link-state, 338
LSA, 345
multiple interface parameter sets, 345
neighbor, 338
network, 341
network address space, 345
NSSA, 343, 360
path cost, 339
regular area, 343
service, 404
settings, 340
stub, 343
virtual LAN, 344
virtual link, 343
VLAN, 345
OSPF AS, 338
defining, 339
outbound NAT
IPSec firewall policy, 376
override server
adding, 308
oversize threshold, 478
oversized file/email
protection profile, 478
P
P1 Proposal
IPSec phase 1, 609
P2 Proposal
IPSec VPN, phase 2, 612
packets
VDOM, 126
page controls
web-based manager, 60
PAP, 648
pass fragmented email
protection profile, 478
password
administrator, 24
configuring authentication password, 246
HA, 208
recovering lost password, 49, 245, 246
PAT
virtual IPs, 422
patch number, 88
pattern, 28
default list of file block patterns, 513
email filter banned word, 564
spam filter banned word, 564
pattern type
email filter email address, 569
spam filter banned word, 564
web content block, 546
PC-Anywhere
service, 404
peer group
configuring, 657
Peer option
IPSec VPN, phase 1, 607
peer user
configuring, 657
Perl regular expressions
email filter, 571
persistence, 449
Phase, 611
phase 1
IPSec VPN, 606, 611
phase 1 advanced options
IPSec VPN, 608
phase 2
IPSec VPN, 611
phase 2 advanced options
IPSec VPN, 611
PIM
BSR, 348
dense mode, 348
DR, 348
RFC 2362, 348
RFC 3973, 348
RP, 348
sparse mode, 348
PING, 451
service, 404
PING6
firewall service, 404
pinholing
RTP, 504
SIP, 504
PKI, 656
authentication, 252
policy
accept action, 683, 684
action, 367
adding, 367
allow inbound, 376
allow outbound, 376
authentication, 372, 379
changing the position in the policy list, 364, 677
comments, 372, 379
configuring, 367
creating new, 366, 418, 419
deleting, 364, 677
destination, 367
DoS, 379
example, 389
guaranteed bandwidth, 418
ID, 367
inbound NAT, 376
insert policy before, 367, 676
list, 366
log traffic, 372, 375, 379
matching, 363
maximum bandwidth, 418, 676, 681
move, 364, 677
multicast, 365
outbound NAT, 376
protection profile, 371
schedule, 367, 370
service, 367, 371
sniffer, 382
source, 367
SSL VPN options, 376
traffic priority, 676, 681
traffic shaping, 371, 375, 379
policy route
moving in list, 332
policy-based routing, 328
POP3
service, 404
port
NAT, 385
port 53, 305
port 8888, 305
port 9443, 309
port address translation
virtual IPs, 422
port forwarding, 422
port monitor
HA, 208
port monitoring, 208
PPPoE
and IP Pools, 371
PPPoE (Point-to-Point Protocol over Ethernet)
RFC 2516, 162
PPTP, 621, 659
service, 404
PPTP IP address
user group, 621, 623
PPTP range
defining addresses, 621, 623
PPTP tunnel setup
CLI command, 623
customized GUI, 621
predefined services, 401
predefined signature
default action, 526
list, 525
Pre-shared Key
IPSec VPN, phase 1, 607
pre-shared key
wireless setting, 193
priority
cluster members, 210
private key
importing, 283, 284
product registration, 52
products, family, 23
profile
category block reports, 558
proposal
IPSec phase 1, 609
IPSec VPN, phase 2, 612
protection profile
add signature to outgoing email, 479
adding to a firewall policy, 468
allow web sites when a rating error occurs, 484
antivirus options, 477
append tag format, 488
append tag to location, 488
banned word check, 487
block login (IM), 489
category, 485
comfort clients, 478
dashboard statistics, 488
default protection profiles, 468
display content meta-information on dashboard, 489
display content meta-information on the system dashboard options, 488
DoS sensor, 480
email address BWL check, 487
email filtering options, 485
enable FortiGuard Web Filtering, 484
enable FortiGuard Web Filtering overrides, 484
file block, 478
firewall policy, 371
FortiGuard Antispam IP address check, 486
FortiGuard email checksum check, 486
HELO DNS lookup, 487
IP address BWL check, 487
IPS sensor, 480
IPS sensor options, 480
list, 469
logging, blocked files, 490
logging, content block, 490
logging, intrusions, 491
logging, invalid domain name warnings, 490
logging, oversized files/emails, 490
logging, rating errors, 490
logging, spam, 490
logging, URL block, 490
logging, viruses, 490
options, 474
oversized file/email, 478
pass fragmented email, 478
provide details for blocked HTTP errors, 484
quarantine, 478
rate images by URL, 484
rate URLs by domain and IP address, 485
return email DNS check, 487
safe search, 482
scan (default protection profile), 468
spam action, 487
strict (default protection profile), 468
strict blocking (HTTP only), 485
tag format, 488
tag location, 488
unfiltered (default protection profile), 468
virus scan, 478
web (default protection profile), 468
web content block, 481
web filtering options, 480, 542
web resume download block, 482
web URL block, 481
protocol
number, custom service, 408
OSPF Hello, 338
service, 402
system status, 83
type, custom service, 407
virtual IP, 427
protocol decoder, 528
list, 528
Protocol Independent Multicast (PIM), 348
protocol recognition, 477
protocol type, 408
provide details for blocked HTTP errors
protection profile, 484
proxy
SIP, 493
proxy ARP, 426, 446
FortiGate interface, 426, 446
IP pool, 426, 446
virtual IP, 426, 446
proxy server, 308
push updates, 308
push update, 304
configuring, 308
external IP address changes, 309
IP address changes, 309
management IP address changes, 309
through a proxy server, 308
Q
QUAKE
service, 404
quarantine
age limit, 519
antivirus, 516
autosubmit list, 517
autosubmit list file pattern, 517
configuring, 518
configuring the autosubmit list, 517
enable AutoSubmit, 519
enabling uploading autosubmit file patterns, 517
heuristics, 521
low disk space, 519
max filesize to quarantine, 519
options, 519
protection profile, 478
quarantine files list
antivirus, 720
apply, 720
date, 720
DC, 721
download, 721
duplicates, 721
file name, 720
filter, 720
service, 721
sorting, 720
status, 721
status description, 721
TTL, 721
upload status, 721
query, 652
Quick Mode Selector
IPSec VPN, phase 2, 613
R
RADIUS
configuring server, 648
servers, 647
user authentication, 644
viewing server list, 647
WPA Radius, 193
RADIUS authentication
VDOM, 139
RADIUS server
authentication, 246, 247
wireless setting, 193
range
web category reports, 558
rate images by URL
protection profile, 484
rate limiting
SCCP, 501
SIMPLE, 501
SIP, 499, 500, 501
rate URLs by domain and IP address
protection profile, 485
RAUDIO
service, 404
read & write access level
administrator account, 86, 88, 243
read only access level
administrator account, 86, 243, 246
real servers
configuring, 450
monitoring, 453
recurring schedule
adding, 412
configuring, 412
creating new, 411
list, 411
select, 412
start, 412
stop, 412
redirect
SIP, 493
redundant interface
adding system settings, 160
redundant mode
configuring, 173
refresh every
HA statistics, 211
registering
Fortinet product, 52
regular administrator, 241
regular expression, 28
relay
DHCP, 199, 201
reliable
delivery of syslog messages, 707
remote administration, 165, 239
remote certificates
options, 284
viewing, 284
Remote Gateway
IPSec manual key setting, 615
IPSec VPN, manual key, 614
IPSec VPN, phase 1, 606
remote peer
manual key configuration, 614
Remote SPI
IPSec VPN, manual key, 615
remote user authentication, 647
Rendezvous Point (RP), 348
replacement messages, 225
report
basic traffic, 725
configuring report schedules, 721
FortiAnalyzer, printing, 725
FortiGuard, 557
type, category block, 558
viewing FortiAnalyzer reports, 724
web category block, 557
resource limits
dynamic resources, 139, 140
static resources, 139, 140
VDOM, 139
resource usage
VDOM, 141
restoring 3.0 configuration, 123
using the CLI, 123
using web-based manager, 123
return email DNS check
protection profile, 487
Reverse Path Forwarding (RPF), 350
revision control, 261
REXEC
firewall service, 404
RFC, 348
RFC 1058, 334
RFC 1213, 213, 217
RFC 1215, 219
RFC 1321, 344
RFC 1349, 331
RFC 1771, 346
RFC 2132, 203
RFC 2362, 348
RFC 2385, 346
RFC 2453, 334
RFC 2460, 265
RFC 2516, 162
RFC 2543, 508
RFC 2665, 213, 217
RFC 3509, 339
RFC 3973, 348
RFC 5237, 330
RFC 791, 331
RIP
authentication, 338
hop count, 334
RFC 1058, 334
RFC 2453, 334
service, 404
settings, viewing, 334
split horizon, 337
version 1, 334
version 2, 334
RLOGIN
service, 404
role
cluster members, 210
route
HA, 360
route flapping, 326
router monitor
HA, 360
routing
administrative distance, 314
blackhole, 315
configuring, 182
ECMP, 315
loopback interface, 316
monitor, 359
static, 316
routing policy
protocol number, 330
routing table, 359
searching, 361
RSH
firewall service, 404
RTP, 495
pinholing, 504
RTS threshold
wireless setting, 193
RTSP
firewall service, 404
S
safe search, 482
SAMBA
service, 404
scan
default protection profile, 468
SCCP
DoS sensor, 501
firewall service, 405
protection profile, 501
rate limiting, 501
schedule
antivirus and attack definition updates, 307
firewall policy, 367, 370
one-time schedule list, 412
organizing schedules into groups, 413
recurring schedule list, 411
schedule group
adding, 413
scheduled updates
through a proxy server, 308
screen resolution
minimum recommended, 47
search
online help, 54
online help wildcard, 54
safe searching, 482
searching
routing table, 361
Secure Copy (SCP), 263
security
MAC address filtering, 193
security certificates. See system certificates
security mode
wireless setting, 193
select
recurring schedule, 412
sensor
DoS, 537
IPS, 529
separate server certificates
importing, 284
server
DHCP, 199
server certificate, 627
server certificates
importing, 283, 284
server health, 453
server load balance port forwarding virtual IP
adding, 459
server load balance virtual IP
adding, 454
service
AH, 402
ANY, 402
AOL, 402
BGP, 402
custom service list, 406
CVSPSERVER, 402
DCE-RPC, 402
DHCP, 200, 402
DHCP6, 402
DNS, 402
ESP, 402
FINGER, 402
firewall policy, 367, 371
FTP, 402
FTP_GET, 402
FTP_PUT, 402
GOPHER, 402
GRE, 402
group, 408
H323, 403
HTTPS, 403
ICMP_ANY, 403
IKE, 403
IMAP, 403
INFO_ADDRESS, 403
INFO_REQUEST, 403
Internet-Locator-Service, 403
IRC, 403
L2TP, 403
LDAP, 403
MGCP, 403
MS-SQL, 403
MYSQL, 403
NetMeeting, 403
NFS, 403
NNTP, 403
NTP, 403
ONC-RPC, 404
organizing services into groups, 409
OSPF, 404
PC-Anywhere, 404
PING, 404
PING6, 404
POP3, 404
PPTP, 404
predefined, 401
QUAKE, 404
quarantine files list, 721
RAUDIO, 404
REXEC, 404
RIP, 404
RLOGIN, 404
RSH, 404
RTSP, 404
SAMBA, 404
SCCP, 405
service name, 402
SIP, 405
SIP-MSNmessenger, 405
SMTP, 405
SNMP, 405
SOCKS, 405
SQUID, 405
SSH, 405
SYSLOG, 405
TALK, 405
TCP, 405
TELNET, 405
TFTP, 405
TIMESTAMP, 405
UDP, 405
UUCP, 405
VDOLIVE, 405
VNC, 405
WAIS, 405
WINFRAME, 406
WINS, 406
X-WINDOWS, 406
service group, 408
adding, 408, 409
create new, 408
list, 408
service port
virtual IP, 425
service set identifier (SSID), 146
Session Initiation Protocol. See SIP
session list
viewing, 82
session pickup
HA, 208
set time
time
set the time, 86
settings, 191
administrators, 261
IPv6 support, 263
timeout, 263
Shortest Path First (SPF), 339
signatures
custom, intrusion protection signatures, 527
SIMPLE
protection profile, 501
rate limiting, 501
SIP, 493
accepting register response, 505
ALG, 495
application level gateway, 495
application list, 502
archiving communication, 504
blocking requests, 504
configuring advanced features, 502
contact headers and NAT, 506
controlling client connection, 505
destination NAT, 496
different source and destination NAT for SIP and RTP, 497
DoS sensor, 501
enabling, 499, 500, 501, 502
logging, 501
NAT, 495
NAT with dynamic IP pool, 497
operating modes, 493
preserving NAT IP, 505
protection profile, 501
proxy, 493
rate limiting, 499, 500, 501
redirect, 493
RTP pinholing, 504
service, 405
source NAT, 495
support workflow, 498
turning on tracking, 503
VoIP, 493
sip
vpn pptp, 624
SIP requests, 504
SIP support workflow, 498
SIP-MSNmessenger
service, 405
Skinny Call Control Protocol. See SCCP
SMTP
service, 405
user, 710
SMTPS, 231
SNAT
virtual IPs, 423
sniffer policy, 382
viewing, 383
SNMP
configuring community, 215
contact information, 214
event, 217
manager, 213, 215
MIB, 221
MIBs, 217
queries, 216
RFC 1213, 217
RFC 1215, 219
RFC 2665, 217
service, 405
traps, 217, 218
v3, 213
SNMP Agent, 214
SNMP communities, 214
socket-size, CLI command for IPS, 540
SOCKS
service, 405
sorting
quarantine files list, 720
URL filter list, 551
source
firewall policy, 367, 370, 378
source IP address
system status, 83
source IP port
system status, 83
source NAT
SIP, 495
source port, 407
spam action
protection profile, 487
spam email
archiving, 585
spam filter
adding an email address or domain to the email address list, 570
banned word list, 563
see email filter, 485
spam filter, see email filter, 559
split DNS, 177, 180
splice, 478, 487
split-DNS, 177, 180
SQUID
service, 405
SSH, 239
service, 405
SSID
wireless setting, 192
SSID broadcast
wireless setting, 192
SSL
content inspection, 469
content scanning, 469
inspection, 469
service definition, 403, 404
SSL VPN
checking client certificates, 627
configuring settings, 626
default web portal, 628
firewall policy, 376
setting the cipher suite, 627
specifying server certificate, 627
specifying timeout values, 627
web-only mode, 625
SSL VPN Client Certificate, 376
SSL VPN login message, 236
SSL VPN web portal, 627
default, 628
standalone mode
modem, 171, 174
start
IP pool, 440
one-time schedule, 413
recurring schedule, 412
static default route, 318
static IP
monitor, 618
static NAT port forwarding
adding for IP address and port range, 432
adding for single address and port, 431
static resources
VDOM resource limits, 139, 140
static route
adding, 320
adding policy, 329
administrative distance, 314
concepts, 313
creating, 316
default gateway, 318
default route, 318
editing, 316
moving in list, 332
overview, 313
policy, 328
policy list, 329
selecting, 314
table building, 314
table priority, 315
table sequence, 315
viewing, 316
statistics
viewing, 91
viewing HA statistics, 211
status
HA statistics, 211
interface, 149
quarantine files list, 721
vpn pptp, 624
status description
quarantine files list, 721
stop
one-time schedule, 413
recurring schedule, 412
streaming mode, 478, 487
strict
default protection profile, 468
strict blocking (HTTP only)
protection profile, 485
string, 28
stub
OSPF area, 343
subnet
adding object, 110
firewall address, 398
subscription
expired, 303
not registered, 303
valid license, 303
super administrator, 241
switch mode, 150
sync interval
NTP, 87
synchronize
with NTP Server, 87
SYSLOG
service, 405
syslog
reliable, 707
system administrators, 241
system certificate
FortiGate unit self-signed security certificate, 48
system certificates
CA, 286
CRL, 287
importing, 283
OCSP, 285
requesting, 281, 282
viewing, 280
system configuration, 205
system DHCP see also DHCP, 199
system global av_failopen
antivirus, 520
system global optimize
antivirus, 520
system idle timeout, 239
system information
viewing, 69
system maintenance
advanced, 296
backup and restore, 290
creating scripts, 299
enabling push updates, 308
firmware, 294
firmware upgrade, 295
managing configuration, 289
push update through a NAT device, 309
remote FortiManager options, 292
remote management options, 293
revision control, 297
scripts, 298
updating antivirus and attack definitions, 307
uploading scripts, 299
USB disks, 296
VDOM, 290
system resources
viewing, 75
system status
viewing, 68
system status widgets
customizing, 68
system time
configuring, 86
system wireless. See wireless
T
TACACS+
configuring server, 652, 653
user authentication, 644
TACACS+ server
authentication, 246, 251
tag format
protection profile, 488
tag location
protection profile, 488
TALK
service, 405
TCP, 451
service, 405
TCP custom service, 407
adding, 406
destination port, 407
protocol type, 407
source port, 407
technical support, 29, 132
TELNET
service, 405
TFTP
service, 405
threshold
oversize, 478
time
configuring, 86
timeout
settings, 263
timeout values
specifying for SSL VPN, 627
TIMESTAMP
service, 405
top attacks
viewing, 83
top sessions
viewing, 80
top viruses
viewing, 83
topology viewer, 107
total bytes
HA statistics, 212
total packets
HA statistics, 212
tracking
SIP, 503
traffic history
viewing, 84
Traffic Priority, 676, 681
traffic priority
firewall policy, 676, 681
traffic shaping, 676, 681
traffic reports
viewing, 725
traffic shaping
configuring, 417
firewall policy, 371, 375, 379
guaranteed bandwidth, 418
guaranteed bandwidth and maximum bandwidth, 415
maximum bandwidth, 418, 676, 681
priority, 416
traffic priority, 676, 681
transparent mode
IP pools, 442
NAT, 442
VDOMs, 126
VIP, 442
virtual IP, 442
WAN optimization, 679
traps
SNMP, 218
troubleshooting
FDN connectivity, 306
trusted host
administrators options, 246
security issues, 254
TTL
quarantine files list, 721
tunnel mode
SSL VPN, SSL VPN tunnel mode, 625
Tunnel Name
IPSec VPN, manual key, 614
Tx Power
wireless setting, 191
type, 407
virtual IP, 426
U
UDP custom service, 407
adding, 406
destination port, 407
protocol type, 407
source port, 407
UDP service, 405
unfiltered
default protection profile, 468
unit
HA statistics, 211
unit operation
viewing, 73
up time
HA statistics, 211
update
push, 308
upgrading
3.0 using web-based manager, 117
4.0 using the CLI, 118
backing up using the CLI, 3.0, 114
firmware, 88
FortiGate unit to 3.0, 117
using the web-based manager, 117
using web-based manager, 3.0, 114
upload status
quarantine files list, 721
URL block
adding a URL to the web filter block list, 550
configuring overrides, 553
local categories, 555
web filter, 547
URL filter
adding new list, 548
catalog, 548
sorting in list, 551
viewing list, 549
URL formats, 550
USB disk, 290
auto-install, 296
backup and restore configuration, 289
formatting, 296
system maintenance, 296
user authentication
overview, 643
PKI, 656
remote, 647
user group
configuring, 661
PPTP source IP address, 621, 623
user groups
configuring, 658
Directory Service, 660
firewall, 659
SSL VPN, 660
viewing, 661
usrgrp
vpn pptp, 624
UTF-8
character set, 483
UUCP
service, 405
V
valid license, 303
value parse error, 28
VDOLIVE
service, 405
VDOM
adding interface, 135
assigning administrator, 138
assigning interface, 137
configuration settings, 127
dynamic resource limits, 139, 140
enabling multiple VDOMs, 130
FortiAnalyzer, 126
inter-VDOM links, 136
license key, 311
limited resources, 132
management VDOM, 135
maximum number, 132
NAT/Route, 126
packets, 126
RADIUS authentication, 139
resource limits, 139
resource usage, 141
static resource limits, 139, 140
system maintenance, 290
transparent mode, 126
VDOM partitioning
HA, 208
verifying
downgrade to 2.80 MR11, 121
upgrade to 4.0, 119
viewing
address group list, 398
admin profiles list, 257
administrators, 264
administrators list, 243
Alert Message Console, 76
antispam email address list catalog, 568
antispam IP address list, 566
antispam IP address list catalog, 565
antivirus file filter list, 515
antivirus file pattern list catalog, 514
antivirus list, 519
antivirus quarantined files list, 720
autosubmit list, 517
banned word list, 563
banned word list catalog, 562
BGP settings, 346
CA certificates, 286
certificates, 280
cluster members list, 209
CRL (Certificate Revocation List), 287
custom service list, firewall service, 406
custom signatures, 527
DHCP address leases, 203
DLP archive, 91
DLP archives, 586, 719
DoS sensor list, 538
firewall policy list, 366
firewall service group list, 408
firewall service list, 401
firmware, 294
FortiAnalyzer reports, 724
FortiGuard support contract, 302
HA statistics, 211
hostname, 87
IP pool list, 440
IPS sensor list, 529
IPS sensor options, 480
IPSec VPN auto key list, 605
IPSec VPN concentrator list, 617
IPSec VPN manual key list, 614
IPSec VPN monitor list, 618
LDAP server list, 649
licenses, 70
local ratings list, 555
modem status, 176
multicast settings, 348
one-time schedule list, 412
operational history, 90
protection profile list, 469
protocol decoder list, 528
RADIUS server list, 647
recurring schedule list, 411
remote certificates, 284
revision control, 297
RIP settings, 334
routing information, 359
session list, 82
static route, 316
statistics, 91
system information, 69
system resources, 75
system status, 68
system topology, 107
TACACS+ server, 652
top attacks, 83
top sessions, 80
top viruses, 83
traffic history, 84
traffic reports, 725
unit operation, 73
URL filter list, 549
URL filter list catalog, 548
URL override list, 552
user group list, 661
VIP group list, 436
virtual IP group list, 436
virtual IP list, 425
virtual IP pool list, 440
web content block list, 545
web content filter list, 545
web content filter list catalog, 545
wireless monitor, 195
viewport, 108
VIP
transparent mode, 442
VIP group
configuring, 436
Virtual IP
transparent mode, 442
virtual IP, 426, 446
configuring, 426
create new, 425, 436
destination network address translation (DNAT), 423, 424
external interface, 426
external IP address, 427
external service port, 427
IP, 425
list, 425
map to IP, 425
map to port, 425, 427
NAT, 422
PAT, 422
port address translation, 422
protocol, 427
server down, 453
service port, 425
SNAT, 423
source network address translation, 423
type, 426
virtual IP group
configuring, 436
virtual IP group list
viewing, 436
virtual IP, port translation only
adding, 435
virtual IPSec
configuring interface, 164
virtual servers
configuring, 446
virus detected
HA statistics, 212
virus list, 519
virus name, 237
virus protection. See antivirus
virus scan
protection profile, 478
VLAN
jumbo frames, 167
OSPF, 344
VNC
service, 405
VoIP
SIP, 493
VoIP security, 495
VPN IPSec (see also IPSec VPN), 603
VPN PPTP, 621
VPN SSL. See SSL VPN
VPN tunnel
IPSec VPN, firewall policy, 376
VPN, IPSec
firewall policy, 376
VPNs, 621
W
WAIS
service, 405
WAN optimization
explicit mode, 679
monitoring, 682
transparent mode, 679
WAN optimization peer
configuring, 680
WAN optimization rule
configuring, 675
web
default protection profile, 468
web category block
changing the host name, 557
CLI configuration, 557
configuration options, 552
report allowed, 558
report blocked, 558
report category, 558
report profiles, 558
report range, 558
report type, 558
reports, 557
web content block
language, 546
pattern type, 546
protection profile, 481
web content filter
web filter, 546
web content filter list
web filter, 545
wired equivalent privacy, 193
web filter, 541
adding a URL to the web URL block list, 550
character set, 483
configuring the web content filter list, 546
configuring the web URL block list, 550
content block, 544
filter interaction, 542
FortiGuard, 552
protection profile options, 542
URL block, 547
URL category, 305
web content filter list, 545
web URL block list, 549
web filtering
safe search, 482
web filtering options
protection profile, 480
web filtering service, 237
web portal
SSL VPN, SSL VPN web portal
customize, 627
web resume download block
protection profile, 482
web site, content category, 236
Web UI. See web-based manager
web URL block
configuring the web URL block list, 550
list, 549
list, web filter, 549
protection profile, 481
web-based manager, 47, 48
changing the language, 49
connecting to the CLI, 51
idle timeout, 50
IPv6 support, 263
language, 49, 263
logging out, 55
online help, 52
pages, 55
screen resolution, 47
using the menu, 56
using web-based manager lists, 57
web-only mode
SSL VPN, 625
WEP, 192
WEP128, 187, 193
WEP64, 187, 193
WiFi protected access, 193
wild cards, 28
wildcard
online help search, 54
Windows Active Directory, 654
WINFRAME
service, 406
WINS
service, 406
wireless
band, 191
beacon interval, 191
channel, 191
configuration, 187
data encryption, 193
fragmentation threshold, 193
geography, 191
interface, 187
key, 193
MAC filter, 193
operation mode, 191
pre-shared key, 193
RADIUS server, 193
RTS threshold, 193
security, 192
security mode, 193
settings FortiWiFi-50B, 190
settings FortiWiFi-60A, 190
settings FortiWiFi-60AM, 190
settings FortiWiFi-60B, 190
SSID, 192
SSID broadcast, 192
Tx power, 191
viewing monitor, 195
WLAN
interface, 187
WLAN interface
adding to a FortiWiFi-50B, 191
adding to a FortiWiFi-60A, 191
adding to a FortiWiFi-60AM, 191
adding to a FortiWiFi-60B, 191
WPA, 187, 192, 193
WPA Radius
wireless security, 193
WPA2, 187, 193
WPA2 Auto, 187, 193
WPA2 Radius
wireless security, 193
X
X.509 security certificates. See system certificates
XAuth
IPSec VPN, phase 1, 610
X-Forwarded-For (XFF), 183
X-WINDOWS
service, 406
Z
zones
configuring, 170
www.fortinet.com